Disable Shib if not needed; add env var checks
If AUTHENTICATION=internal we avoid loading mod_shib and starting shibd.
Also added environment variable checks so that if some are missing due to a
wrong Docker composition, midPoint will inform the user in a reasonable way.
@@ -35,6 +35,10 @@ RUN chmod 755 /opt/tier/setenv.sh \
&& chmod 755 /usr/local/bin/healthcheck.sh
RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
&& mv /etc/httpd/conf.d/shib.conf shib.conf.auth.shibboleth \
&& touch /etc/httpd/conf.d/shib.conf.auth.internal \
&& mv /etc/httpd/conf.modules.d/00-shib.conf 00-shib.conf.auth.shibboleth \
&& touch /etc/httpd/conf.modules.d/00-shib.conf.auth.internal \
&& sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\n ErrorLogFormat \" httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\" " >> /etc/httpd/conf/httpd.conf \
&& sed -i 's/CustomLog "logs\/ access_log"/CustomLog "\/ tmp\/ loghttpd"/g' /etc/httpd/conf/httpd.conf \
@@ -82,7 +86,7 @@ ENV AUTHENTICATION internal
ENV SSO_HEADER uid
ENV AJP_ENABLED true
ENV AJP_PORT 9090
ENV MP_LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
ENV LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
# Other parameters
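Review bot: The two `mv` commands in the first hunk give a bare filename as the destination, so `shib.conf.auth.shibboleth` and `00-shib.conf.auth.shibboleth` end up in the RUN step's working directory rather than next to the originals, unless WORKDIR happens to be that conf directory. The start script's `ln -sf /etc/httpd/conf.d/shib.conf.auth.$AUTHENTICATION …` would then point at a file that does not exist for the shibboleth case, and httpd would likely refuse to start on the dangling include. Spelling out the destination removes the dependency on WORKDIR: `&& mv /etc/httpd/conf.d/shib.conf /etc/httpd/conf.d/shib.conf.auth.shibboleth \` and `&& mv /etc/httpd/conf.modules.d/00-shib.conf /etc/httpd/conf.modules.d/00-shib.conf.auth.shibboleth \`. The RUN command continues past the end of the hunk.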
@@ -1,7 +1,7 @@
#! /bin/bash
function resolvePort() {
if [ $REPO_PORT == " default" ]; then
if [[ $REPO_PORT == " default" ] ]; then
case $REPO_DATABASE_TYPE in
mariadb)
echo 3306
@@ -26,7 +26,7 @@ function resolvePort() {
fi
}
if [ $REPO_JDBC_URL == " default" ]; then
if [[ $REPO_JDBC_URL == " default" ] ]; then
REPO_PORT=$( resolvePort )
case $REPO_DATABASE_TYPE in
mariadb)
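Review bot: Switching to `[[ … ]]` on the changed line of each hunk silences the `unary operator expected` error that `[` printed when `REPO_PORT` or `REPO_JDBC_URL` was unset, but the outcome is unchanged: the comparison is false, `resolvePort` is skipped, and an empty port or URL presumably flows into the JDBC settings. If the Dockerfile defaults are the only thing guaranteeing these variables are set, a fallback in the test makes that intent explicit: `if [[ "${REPO_PORT:-default}" == "default" ]]; then` and `if [[ "${REPO_JDBC_URL:-default}" == "default" ]]; then`. `resolvePort` is cut at the end of the first hunk, and the `case` following `REPO_PORT=$( resolvePort )` runs past the end of the second.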
@@ -4,5 +4,21 @@ echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
ln -sf /run/secrets/mp_sp-key.pem /etc/shibboleth/sp-key.pem
ln -sf /run/secrets/mp_host-key.pem /etc/pki/tls/private/host-key.pem
ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf
ln -sf /etc/httpd/conf.d/shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/shib.conf
ln -sf /etc/httpd/conf.modules.d/00-shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.modules.d/00-shib.conf
httpd-shib-foreground
case $AUTHENTICATION in
shibboleth)
echo " *** Starting httpd WITH Shibboleth support"
httpd-shib-foreground
;;
internal)
echo " *** Starting httpd WITHOUT Shibboleth support"
rm -f /etc/httpd/logs/httpd.pid /run/httpd/httpd.pid
httpd -DFOREGROUND
;;
* )
echo " *** Couldn't start httpd: unsupported AUTHENTICATION variable value: '$AUTHENTICATION '"
sleep infinity
;;
esac
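Review bot: The `* )` arm of the new `case` only prints a message and then runs `sleep infinity`, so a mistyped or empty `AUTHENTICATION` leaves the container alive with no httpd and with the three `ln -sf … .auth.$AUTHENTICATION` symlinks created earlier in the hunk dangling; a restart policy or the orchestrator never sees a failure. Unless the sleep is deliberately there for interactive debugging, `exit 1` is the conventional signal, and validating the value before the `ln -sf` lines would avoid creating the dangling links at all. The unquoted `$AUTHENTICATION` in the `case` selector and the `ln -sf` lines is harmless for single-word values, but `case "$AUTHENTICATION" in` is the safer habit. The script's first lines are outside the hunk.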
@@ -1,5 +1,28 @@
#! /bin/bash
function check () {
local VARNAME=$1
if [ -z ${! VARNAME} ]; then
echo " *** Couldn't start midPoint: $VARNAME variable is undefined. Please check your Docker composition."
exit 1
fi
}
# These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here.
# The composer or user has to make sure they are well defined.
check MP_MEM
check MP_DIR
check REPO_DATABASE_TYPE
check REPO_USER
check REPO_PASSWORD_FILE
check REPO_MISSING_SCHEMA_ACTION
check REPO_UPGRADEABLE_SCHEMA_ACTION
check MP_KEYSTORE_PASSWORD_FILE
check SSO_HEADER
check AJP_ENABLED
check AJP_PORT
java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
-Dmidpoint.home=$MP_DIR /var \
-Dmidpoint.repository.database=$REPO_DATABASE_TYPE \
@@ -17,8 +40,7 @@ java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
-Dmidpoint.logging.alt.filename=/tmp/logmidpoint \
-Dmidpoint.logging.alt.timezone=UTC \
-Dspring.profiles.active=" ` $MP_DIR /active-spring-profiles` " \
-Dauth.sso.header=$SSO_HEADER \
$( if [ " $AUTHENTICATION " = " shibboleth" ]; then echo " -Dauth.logout.url=$MP_LOGOUT_URL " ; fi) \
$( if [ " $AUTHENTICATION " = " shibboleth" ]; then echo " -Dauth.logout.url=$LOGOUT_URL -Dauth.sso.header=$SSO_HEADER " ; fi) \
-Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
-Dserver.tomcat.ajp.port=$AJP_PORT \
-Dlogging.path=/tmp/logtomcat \
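Review bot: The list of `check` calls in the first hunk does not cover `AUTHENTICATION` or `LOGOUT_URL`, although the new `-Dauth.logout.url=$LOGOUT_URL` line in the second hunk reads both, while `SSO_HEADER` is required unconditionally even though it is now only passed when `AUTHENTICATION` is `shibboleth`; adding `check AUTHENTICATION` and `[[ "$AUTHENTICATION" == shibboleth ]] && check LOGOUT_URL` keeps the checks aligned with what the java line consumes. In `check` itself the indirect expansion is unquoted, `if [ -z ${!VARNAME} ]; then` — this happens to work for an unset variable (`[ -z ]` is true) but misbehaves for a value containing spaces or glob characters; `if [[ -z "${!VARNAME}" ]]; then` is the robust form. `check` also treats a set-but-empty value as undefined, which the message could say. The java invocation starts in the first hunk and continues past the end of the second.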