From 47122bc018e4cf32618580a71cc149523e12463a Mon Sep 17 00:00:00 2001
From: Jim Van Fleet <jim.van.fleet@levvel.io>
Date: Thu, 13 Jul 2017 12:05:45 -0400
Subject: [PATCH] Adding extra validations, running in foreground and
 startability test

---
 Dockerfile                                    |   5 +-
 bin/ci-run.sh                                 |   6 +
 bin/ci-stop.sh                                |   8 ++
 .../etc/shibboleth/shibboleth2.xml            | 114 +++++++++++++++++-
 container_files/usr/sbin/httpd-foreground     |   7 ++
 tests/image.bats                              |   8 ++
 tests/running.bats                            |  10 ++
 7 files changed, 154 insertions(+), 4 deletions(-)
 create mode 100755 bin/ci-run.sh
 create mode 100755 bin/ci-stop.sh
 create mode 100755 container_files/usr/sbin/httpd-foreground
 create mode 100644 tests/running.bats

diff --git a/Dockerfile b/Dockerfile
index 9e3aeec..a9581ab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,6 +18,7 @@ ADD ./container_files /opt
 # This SP will connect via the TCP listener
 RUN rm /opt/bin/httpd-shib-foreground /etc/httpd/conf.d/ssl.conf && \
     cp /opt/etc/httpd/conf.d/*.conf /etc/httpd/conf.d/. && \
-    cp /opt/etc/shibboleth/* /etc/shibboleth/.
+    cp /opt/etc/shibboleth/* /etc/shibboleth/. && \
+    cp /opt/usr/sbin/httpd-foreground /usr/sbin/. && chmod +x /usr/sbin/httpd-foreground
 EXPOSE 80 443
-CMD ["/usr/sbin/httpd"]
+CMD ["/usr/sbin/httpd-foreground"]
diff --git a/bin/ci-run.sh b/bin/ci-run.sh
new file mode 100755
index 0000000..532ece0
--- /dev/null
+++ b/bin/ci-run.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This file will run a container in the background
+source common.bash .
+
+docker run -d --name=$imagename $maintainer/$imagename
\ No newline at end of file
diff --git a/bin/ci-stop.sh b/bin/ci-stop.sh
new file mode 100755
index 0000000..54ab019
--- /dev/null
+++ b/bin/ci-stop.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# This file will run a container in the background
+source common.bash .
+
+echo "Cleaning up Docker image($maintainer/$imagename)"
+docker stop $imagename >> /dev/null
+docker rm $imagename
diff --git a/container_files/etc/shibboleth/shibboleth2.xml b/container_files/etc/shibboleth/shibboleth2.xml
index 916eae9..1dbe2fc 100644
--- a/container_files/etc/shibboleth/shibboleth2.xml
+++ b/container_files/etc/shibboleth/shibboleth2.xml
@@ -5,6 +5,116 @@
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
 
-	<TCPListener address="shibd" port="1600" acl="0.0.0.0"/>
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+		
 
-</SPConfig>
\ No newline at end of file
+	<TCPListener address="172.18.0.3" port="1600" acl="0.0.0.0"/>
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+<ApplicationDefaults entityID="https://fmdev.inc.testbed.tier.internet2.edu/shibboleth" REMOTE_USER="eppn persistent-id targeted-id">
+
+
+	<!--
+	Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+	You MUST supply an effectively unique handlerURL value for each of your applications.
+	The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+	a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+	the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+	Note that while we default checkAddress to "false", this has a negative impact on the
+	security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+	-->
+	<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="false" cookieProps="http">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+		<SSO discoveryURL="https://service1.internet2.edu/shibboleth-ds/index.html" discoveryProtocol="SAMLDS">
+			SAML2 SAML1
+		</SSO>
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+	<Errors supportContact="chubing@internet2.edu"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- InCommon Metadata -->
+	<MetadataProvider type="XML" validate="true"
+		uri="http://md.incommon.org/InCommon/InCommon-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+		<MetdataFilter type="Signature" certificate="inc-md-cert.pem"/>
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+              attributeName="http://macedir.org/entity-category"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="http://refeds.org/category/hide-from-discovery" />
+        </MetadataProvider>
+
+	<!-- Cirrus Multi-factor authentication proxy -->
+	<MetadataProvider type="XML" file="mfa-proxy.incommon.org-metdata.xml"/> 
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/container_files/usr/sbin/httpd-foreground b/container_files/usr/sbin/httpd-foreground
new file mode 100755
index 0000000..feb1ae2
--- /dev/null
+++ b/container_files/usr/sbin/httpd-foreground
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/httpd/httpd.pid
+
+exec httpd -DFOREGROUND
\ No newline at end of file
diff --git a/tests/image.bats b/tests/image.bats
index b6924eb..66f28f8 100644
--- a/tests/image.bats
+++ b/tests/image.bats
@@ -13,4 +13,12 @@ load ../common
 
 @test "shibboleth2.xml using a TCP Listener configuration" {
   docker run -i $maintainer/$imagename grep TCPListener /etc/shibboleth/shibboleth2.xml
+}
+
+@test "Shibboleth configuration is well formed" {
+  docker run -i $maintainer/$imagename xmlwf /etc/shibboleth/shibboleth2.xml
+}
+
+@test "Shibboleth configuration is valid" {
+  docker run -i $maintainer/$imagename /usr/sbin/shibd -tc /etc/shibboleth/shibboleth2.xml
 }
\ No newline at end of file
diff --git a/tests/running.bats b/tests/running.bats
new file mode 100644
index 0000000..4161d23
--- /dev/null
+++ b/tests/running.bats
@@ -0,0 +1,10 @@
+#!/usr/bin/env bats
+
+load ../common
+
+# These tests assume the pipeline will start and stop the container.
+
+@test "Leaves running process" {
+  result="$(docker ps | grep $imagename)"
+  [ "$result" != '' ]
+}
\ No newline at end of file