From 5d88728843857c503f3a51953ffd368bd9b7d8a5 Mon Sep 17 00:00:00 2001
From: Jim Van Fleet
Date: Wed, 26 Jul 2017 17:06:04 -0400
Subject: [PATCH] Every tests passes
---
 Dockerfile | 13 ++++++--
 container_files/bin/httpd-shib-foreground | 7 ++++
 .../etc/apache2/conf-available.txt | 0
 .../conf-available}/log.conf | 0
 .../conf-available}/shib.conf | 0
 .../apache2/sites-available/siteadmin.conf | 24 ++++++++++++++
 .../etc/docker_config/docker_config.sh | 4 +--
 container_files/etc/docker_config/proxy.conf | 2 --
 .../etc/shibboleth/attribute-map.xml | 32 +++++++++++++++++++
 .../etc/shibboleth/inc-md-cert.pem | 21 ++++++++++++
 .../mfa-proxy.incommon.org-metdata.xml | 0
 tests/image.bats | 8 +++++
 12 files changed, 103 insertions(+), 8 deletions(-)
 create mode 100755 container_files/bin/httpd-shib-foreground
 create mode 100644 container_files/etc/apache2/conf-available.txt
 rename container_files/etc/{httpd/conf.d => apache2/conf-available}/log.conf (100%)
 rename container_files/etc/{httpd/conf.d => apache2/conf-available}/shib.conf (100%)
 create mode 100644 container_files/etc/apache2/sites-available/siteadmin.conf
 mode change 100644 => 100755 container_files/etc/docker_config/docker_config.sh
 delete mode 100644 container_files/etc/docker_config/proxy.conf
 create mode 100644 container_files/etc/shibboleth/attribute-map.xml
 create mode 100644 container_files/etc/shibboleth/inc-md-cert.pem
 rename container_files/etc/{docker_config => shibboleth}/mfa-proxy.incommon.org-metdata.xml (100%)
diff --git a/Dockerfile b/Dockerfile
index 0b1f6f9..a988329 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,14 +10,21 @@ RUN apt-get install -y dirmngr gnupg && \ apache2-threaded-dev \ apache2-mpm-worker \ libapache2-mod-passenger \ + libapache2-mod-shib2 \ odbc-postgresql \ passenger \ shibboleth-sp2-utils ADD ./container_files /opt -RUN cp /opt/etc/httpd/conf.d/*.conf /etc/apache2/conf-available/. && \ +RUN cp /opt/etc/apache2/conf-available/*.conf /etc/apache2/conf-available/. && \ + cp /opt/etc/apache2/sites-available/*.conf /etc/apache2/sites-available/. && \ cp /opt/etc/shibboleth/* /etc/shibboleth/. && \ - a2enconf log && a2enconf shib + a2enconf log && a2enconf shib && \ + a2enmod shib2 && a2ensite siteadmin && \ +# mv /etc/shibboleth/console.logger /etc/shibboleth/shibd.logger && \ + chmod +x /opt/etc/docker_config/docker_config.sh && \ + shib-keygen -EXPOSE 80 443 \ No newline at end of file +EXPOSE 80 443 +CMD [ "/opt/etc/docker_config/docker_config.sh" ] \ No newline at end of file diff --git a/container_files/bin/httpd-shib-foreground b/container_files/bin/httpd-shib-foreground new file mode 100755 index 0000000..e73a1b0 --- /dev/null +++ b/container_files/bin/httpd-shib-foreground @@ -0,0 +1,7 @@ +#!/bin/sh +set -e + +# Apache gets grumpy about PID files pre-existing +rm -f /etc/httpd/logs/httpd.pid + +(/usr/sbin/shibd) & apachectl -D FOREGROUND diff --git a/container_files/etc/apache2/conf-available.txt b/container_files/etc/apache2/conf-available.txt new file mode 100644 index 0000000..e69de29 diff --git a/container_files/etc/httpd/conf.d/log.conf b/container_files/etc/apache2/conf-available/log.conf similarity index 100% rename from container_files/etc/httpd/conf.d/log.conf rename to container_files/etc/apache2/conf-available/log.conf diff --git a/container_files/etc/httpd/conf.d/shib.conf b/container_files/etc/apache2/conf-available/shib.conf similarity index 100% rename from container_files/etc/httpd/conf.d/shib.conf rename to container_files/etc/apache2/conf-available/shib.conf 
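Review bot: The `shib-keygen` at the end of the RUN chain creates the SP private key at build time, so /etc/shibboleth/sp-key.pem lands in an image layer and every container started from this image — and anyone who can pull it — shares the same key. Generate the key pair at container start from docker_config.sh, or mount it as a secret, so the image holds no private key; the new `Shib SP key in place` test would then need to run against a started container rather than the image. The commented-out `# mv /etc/shibboleth/console.logger …` line sits inside the `&& \` continuation; Docker strips comment lines before joining continuations so this builds, but it reads as a broken chain and belongs above the RUN. The `chmod +x /opt/etc/docker_config/docker_config.sh` repeats the 100644 to 100755 mode change this commit already records in git.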
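Review bot: `rm -f /etc/httpd/logs/httpd.pid` targets the Red Hat httpd layout, but this image is the Debian apache2 packaging (apt-get, a2enconf, /etc/apache2), where the PID file lives under /var/run/apache2/ — the rm is a no-op here, so point it at the real path (APACHE_PID_FILE from /etc/apache2/envvars) or drop it. `set -e` cannot observe the backgrounded `(/usr/sbin/shibd) &`: if shibd fails to start, apachectl still runs and every shib-protected request fails at runtime instead of the container exiting, so check `kill -0 $!` (or wait for shibd's listener socket) before starting Apache. Start Apache with `exec apachectl -D FOREGROUND` so it becomes PID 1 and receives the container's stop signal. shibd launched this way runs as whatever user the container runs as — root unless a USER instruction exists elsewhere in the Dockerfile — whereas the Debian package normally runs it under a dedicated unprivileged account.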
diff --git a/container_files/etc/apache2/sites-available/siteadmin.conf b/container_files/etc/apache2/sites-available/siteadmin.conf new file mode 100644 index 0000000..c1a3c5d --- /dev/null +++ b/container_files/etc/apache2/sites-available/siteadmin.conf @@ -0,0 +1,24 @@ + + ServerName siteadmin.example.com + + # Tell Apache and Passenger where your app's 'public' directory is + DocumentRoot /var/www/html + + PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini + PassengerDefaultRuby /usr/local/bin/ruby + + Alias /siteadmin /app/public + + PassengerBaseURI /siteadmin + PassengerAppRoot /app/public + + + # Relax Apache security settings + + Allow from all + Options -MultiViews + # Uncomment this if you're on Apache > 2.4: + Require all granted + RailsEnv staging + + \ No newline at end of file diff --git a/container_files/etc/docker_config/docker_config.sh b/container_files/etc/docker_config/docker_config.sh old mode 100644 new mode 100755 index d637eb0..cf294f7 --- a/container_files/etc/docker_config/docker_config.sh +++ b/container_files/etc/docker_config/docker_config.sh @@ -1,4 +1,4 @@ -#/bin/sh +#!/bin/sh entityID_file="/etc/docker_config/entity_id.txt" dicoveryURL_file="/etc/docker_config/discovery_url.txt" if [ -f $entityID_file ]; then @@ -17,8 +17,6 @@ else fi fi - sed -e "s/\${entityID}/$entityID/" -e "s/\${discoveryURL}/$discoveryURL/" /etc/docker_config/shibboleth2.xml > /etc/shibboleth/shibboleth2.xml -cp /etc/docker_config/mfa-proxy.incommon.org-metdata.xml /etc/shibboleth/ ln -s /etc/docker_config/proxy.conf /etc/httpd/conf.d/proxy.conf /opt/bin/httpd-shib-foreground diff --git a/container_files/etc/docker_config/proxy.conf b/container_files/etc/docker_config/proxy.conf deleted file mode 100644 index 0f2289b..0000000 --- a/container_files/etc/docker_config/proxy.conf +++ /dev/null @@ -1,2 +0,0 @@ -ProxyPass /siteadmin/ http://siteadmin-svc:3000/ -ProxyPassReverse /siteadmin/ http://siteadmin-svc:3000/ 
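Review bot: The Directory block (its enclosing tags are stripped in this view) combines the Apache 2.2 `Allow from all` with the 2.4 `Require all granted`, and the `# Uncomment this if you're on Apache > 2.4:` comment is stale because the Require line is already active. The a2enconf/conf-available layout this image uses is 2.4 packaging, where `Allow from all` only works through mod_access_compat and mixing the two authorization models is discouraged — keep `Require all granted` and drop `Allow from all` with its comment. `PassengerAppRoot /app/public` looks suspect: Passenger's app root is the directory holding config.ru, which for `Alias /siteadmin /app/public` would normally be /app; confirm against the app layout. Nothing in this vhost requires a Shibboleth session for /siteadmin — if that is expected to come from the renamed shib.conf, confirm it covers this Alias, otherwise the admin app is exposed unauthenticated. `RailsEnv staging` hard-codes the environment into the image; consider setting it from the container environment instead.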
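Review bot: `ln -s /etc/docker_config/proxy.conf /etc/httpd/conf.d/proxy.conf` now references a file this same commit deletes (container_files/etc/docker_config/proxy.conf), and /etc/httpd/conf.d is the Red Hat path while the image is configured under /etc/apache2 — without `set -e` the failure is only logged and the script falls through to httpd-shib-foreground, so remove the line now that the siteadmin vhost replaces the proxy. The `sed` line that, as far as the marker placement in this view shows, remains uses `/` as its delimiter while `$discoveryURL` is read from discovery_url.txt and will contain slashes, which makes `s/\${discoveryURL}/$discoveryURL/` fail with "unknown option to `s'" — use a different delimiter such as `-e "s|\${discoveryURL}|$discoveryURL|"`. The `[ -f $entityID_file ]` test should quote its variable, and adding `set -e` after the fixed shebang would stop the script from launching Apache with a half-written shibboleth2.xml. The if/else that reads the two files starts before this hunk.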
diff --git a/container_files/etc/shibboleth/attribute-map.xml b/container_files/etc/shibboleth/attribute-map.xml new file mode 100644 index 0000000..12c4019 --- /dev/null +++ b/container_files/etc/shibboleth/attribute-map.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/container_files/etc/shibboleth/inc-md-cert.pem b/container_files/etc/shibboleth/inc-md-cert.pem new file mode 100644 index 0000000..5ec4ec6 --- /dev/null +++ b/container_files/etc/shibboleth/inc-md-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAmmgAwIBAgIJAJRJzvdpkmNaMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV +BAYTAlVTMRUwEwYDVQQKDAxJbkNvbW1vbiBMTEMxMTAvBgNVBAMMKEluQ29tbW9u +IEZlZGVyYXRpb24gTWV0YWRhdGEgU2lnbmluZyBLZXkwHhcNMTMxMjE2MTkzNDU1 +WhcNMzcxMjE4MTkzNDU1WjBXMQswCQYDVQQGEwJVUzEVMBMGA1UECgwMSW5Db21t +b24gTExDMTEwLwYDVQQDDChJbkNvbW1vbiBGZWRlcmF0aW9uIE1ldGFkYXRhIFNp +Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Chdkrn+ +dG5Zj5L3UIw+xeWgNzm8ajw7/FyqRQ1SjD4Lfg2WCdlfjOrYGNnVZMCTfItoXTSp +g4rXxHQsykeNiYRu2+02uMS+1pnBqWjzdPJE0od+q8EbdvE6ShimjyNn0yQfGyQK +CNdYuc+75MIHsaIOAEtDZUST9Sd4oeU1zRjV2sGvUd+JFHveUAhRc0b+JEZfIEuq +/LIU9qxm/+gFaawlmojZPyOWZ1JlswbrrJYYyn10qgnJvjh9gZWXKjmPxqvHKJcA +TPhAh2gWGabWTXBJCckMe1hrHCl/vbDLCmz0/oYuoaSDzP6zE9YSA/xCplaHA0mo +C1Vs2H5MOQGlewIDAQABo1AwTjAdBgNVHQ4EFgQU5ij9YLU5zQ6K75kPgVpyQ2N/ +lPswHwYDVR0jBBgwFoAU5ij9YLU5zQ6K75kPgVpyQ2N/lPswDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEAaQkEx9xvaLUt0PNLvHMtxXQPedCPw5xQBd2V +WOsWPYspRAOSNbU1VloY+xUkUKorYTogKUY1q+uh2gDIEazW0uZZaQvWPp8xdxWq +Dh96n5US06lszEc+Lj3dqdxWkXRRqEbjhBFh/utXaeyeSOtaX65GwD5svDHnJBcl +AGkzeRIXqxmYG+I2zMm/JYGzEnbwToyC7yF6Q8cQxOr37hEpqz+WN/x3qM2qyBLE +CQFjmlJrvRLkSL15PCZiu+xFNFd/zx6btDun5DBlfDS9DG+SHCNH6Nq+NfP+ZQ8C +GzP/3TaZPzMlKPDCjp0XOQfyQqFIXdwjPFTWjEusDBlm4qJAlQ== +-----END CERTIFICATE----- 
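Review bot: inc-md-cert.pem pins the InCommon metadata signing certificate inside the image, which is the right way to verify federation metadata, but its provenance is not recorded anywhere in the commit. Verify the fingerprint against the value InCommon publishes out-of-band before trusting it, and record that check (with the download source and date) in the README or as text above the `-----BEGIN CERTIFICATE-----` line, which PEM readers ignore. The certificate only protects anything if shibboleth2.xml's MetadataProvider applies a Signature MetadataFilter that references it — nothing in this commit shows that wiring, so confirm it. attribute-map.xml arrives with its content stripped in this view and cannot be reviewed here.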
diff --git a/container_files/etc/docker_config/mfa-proxy.incommon.org-metdata.xml b/container_files/etc/shibboleth/mfa-proxy.incommon.org-metdata.xml
similarity index 100%
rename from container_files/etc/docker_config/mfa-proxy.incommon.org-metdata.xml
rename to container_files/etc/shibboleth/mfa-proxy.incommon.org-metdata.xml
diff --git a/tests/image.bats b/tests/image.bats
index 057f8f0..d0337a4 100644
--- a/tests/image.bats
+++ b/tests/image.bats
@@ -15,6 +15,14 @@ load ../common
 docker run -i $maintainer/$imagename /usr/bin/passenger-config validate-install --auto
 }
 
+@test "MFA Proxy Metadata in place" {
+ docker run -i $maintainer/$imagename find /etc/shibboleth/mfa-proxy.incommon.org-metdata.xml
+ }
+
+@test "Shib SP key in place" {
+ docker run -i $maintainer/$imagename find /etc/shibboleth/sp-key.pem
+}
+
 @test "shibboleth2.xml not using a TCP Listener configuration" {
 docker run -i $maintainer/$imagename grep -v TCPListener /etc/shibboleth/shibboleth2.xml
 }
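Review bot: `Shib SP key in place` asserts the SP private key is present in the image itself, which locks in the build-time `shib-keygen` from the Dockerfile — every container from this image shares one key and anyone with pull access holds it. If key generation moves to container start or a mounted secret, this test should run against a started container rather than `docker run` on the bare image. Both new tests use `find <path>` as an existence check; `test -f /etc/shibboleth/sp-key.pem` states the intent and exits non-zero on a missing file just the same. The pre-existing `grep -v TCPListener` context line does not assert absence — it succeeds whenever any line lacks the string — so it should become `run docker run -i $maintainer/$imagename grep -q TCPListener /etc/shibboleth/shibboleth2.xml` followed by `[ "$status" -ne 0 ]`.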