From c1dfb7a07de85ef6ade622b674dac50fec6edde2 Mon Sep 17 00:00:00 2001
From: Ethan Kromhout <ethan@unc.edu>
Date: Tue, 15 Dec 2020 15:29:29 -0500
Subject: [PATCH] More work on wordpress shibboleth integration

---
 .../wordpress/httpd/shib.conf                 |   2 +-
 .../wordpress/shibboleth/shibboleth2.xml      |   4 +-
 Workbench/docker-compose.yml                  |   5 +
 .../container_files/system/setservername.sh   |   2 +-
 .../conf/metadata-providers.xml               |   1 +
 .../shibboleth-idp/metadata/wordpress-sp.xml  | 110 ++++++++++++++++++
 Workbench/ssh-tunnel-redir-fix.sh             |   1 +
 Workbench/wordpress_server/Dockerfile         |  26 +----
 8 files changed, 125 insertions(+), 26 deletions(-)
 create mode 100644 Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml

diff --git a/Workbench/configs-and-secrets/wordpress/httpd/shib.conf b/Workbench/configs-and-secrets/wordpress/httpd/shib.conf
index 069a29b..5e8a357 100644
--- a/Workbench/configs-and-secrets/wordpress/httpd/shib.conf
+++ b/Workbench/configs-and-secrets/wordpress/httpd/shib.conf
@@ -22,7 +22,7 @@ ShibCompatValidUser Off
 #
 # Ensures handler will be accessible.
 #
-<Location /wordpresssSSO/Shibboleth.sso>
+<Location /wordpressSSO/Shibboleth.sso>
   AuthType None
   Require all granted
   SetHandler shib
diff --git a/Workbench/configs-and-secrets/wordpress/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/wordpress/shibboleth/shibboleth2.xml
index 9efdc25..cb307f6 100644
--- a/Workbench/configs-and-secrets/wordpress/shibboleth/shibboleth2.xml
+++ b/Workbench/configs-and-secrets/wordpress/shibboleth/shibboleth2.xml
@@ -25,8 +25,8 @@
         "false", this makes an assertion stolen in transit easier for attackers to misuse.
         -->
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/wordpressSSO/Shibboleth.sso"
-                  checkAddress="false" handlerSSL="true" cookieProps="https"
-                  redirectLimit="exact">
+                  checkAddress="false"  handlerSSL="true" cookieProps="https"
+                  redirectLimit="none">
 
             <!--
             Configures SSO for a default IdP. To properly allow for >1 IdP, remove
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index 42b7ee6..830385a 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -300,6 +300,7 @@ services:
     command: bash -c 'if [ ! -s /var/www/html/wp-config.php ];  then while ! nc -z  wordpress_data 3306 ; do echo waiting for mysql on wordpress_data to start; sleep 3; done; /root/wp core download --allow-root && sleep 10 && /root/wp config create --dbname=wordpress --dbuser=wordpress --dbpass=54y6RxN7GfC7aes3 --dbhost=wordpress_data --allow-root; sleep 3 && /root/wp core install --url="http://localhost/" --title="wordpress" --admin_user="admin" --admin_password="54y6RxN7GfC7aes3" --admin_email="sentrifugo.container@gmail.com" --allow-root && /root/wp --allow-root rewrite structure "/%postname%" --hard --debug; /root/wp  rewrite flush --hard --debug --allow-root && sed -i "s/<\/IfModule>/RewriteCond \%{HTTP:Authorization} \^\(\.\*\)\nRewriteRule \^\(\.\*\) - [E=HTTP_AUTHORIZATION:\%1]\n<\/IfModule>\nSetEnvIf Authorization "\(\.\*\)" HTTP_AUTHORIZATION=\$$1/" /var/www/html/.htaccess && /root/sed.sh && /root/wp plugin install jwt-authentication-for-wp-rest-api  --activate --allow-root && /root/wp plugin install wp-rest-api-log --activate --allow-root && /root/wp plugin install shibboleth --activate --allow-root; fi; /usr/local/bin/startup.sh;'
     ports:
       - "80:80"
+      - "12443:443"
     healthcheck:
       test: curl -s wordpress_server:80
       interval: 30s
@@ -318,6 +319,10 @@ services:
       - type: bind
         source: ./configs-and-secrets/wordpress/shibboleth/sp-cert.pem
         target: /etc/shibboleth/sp-cert.pem
+      - type: bind
+        source: ./configs-and-secrets/wordpress/httpd/shib.conf
+        target: /etc/httpd/conf.d/shib.conf
+
     secrets:
       - source: w_sp-key.pem
         target: shib_sp-key.pem
diff --git a/Workbench/idp/container_files/system/setservername.sh b/Workbench/idp/container_files/system/setservername.sh
index 2c32d77..8ad2d0e 100644
--- a/Workbench/idp/container_files/system/setservername.sh
+++ b/Workbench/idp/container_files/system/setservername.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml"
 
 for file in $files
   do
diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
index fed3387..57701fe 100644
--- a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
+++ b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -28,6 +28,7 @@
     <MetadataProvider id="GrouperSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/grouper-sp.xml"/>
     <MetadataProvider id="MidpointSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/>
     <MetadataProvider id="ComanageSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/comanage-sp.xml"/>
+    <MetadataProvider id="WordpressSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
     <MetadataProvider id="ProxySP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
 
     <!-- Example HTTP metadata provider.  Use this if you want to download
diff --git a/Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml b/Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml
new file mode 100644
index 0000000..f73b4aa
--- /dev/null
+++ b/Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml
@@ -0,0 +1,110 @@
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_9d0ae95ee88f2396b39d245b74751e04b8508425" entityID="https://wordpressdemo/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>1f84026f1f87</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=1f84026f1f87</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAKlkm2CJBUzxMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDFmODQwMjZmMWY4NzAeFw0yMDA0MjExOTAwMzlaFw0zMDA0MTkxOTAwMzla
+MBcxFTATBgNVBAMTDDFmODQwMjZmMWY4NzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAPHOVkU6Zu4Q0Mpx1/YpGa+iDG3e8boT5D4ptJldP80cmh13MoA3
+AyeQac86EC8dO1Z8XFmnwsSwT246kBVfLgr6gQgMy7Ql4zLpnFzhKFBPgHBCT/5e
+or9qdn/b/ZPBC2sAeRecS7gFox66/s3+/FJ/XNHErrEDZi3XnDIz6UpOPFWR5WE1
+IUWMnEY27GFX4dAqIaXGBELwvPKsyZYpJLGjovi0beFVlN6B39dDmZn5yUD00ekX
+WSnYPSIYgXo5M1iM7tn5jRoaRo/KGbCK0q4/F3cCbzMSgfwkMAJ5GY0yhPUUXQGQ
+5ieLPawBV5QCiNNF4+SJIdGuASTYiZr7o51bmcMTqjAxTqPRL34cd+Cddndf+sGU
+24zPHfmjB79C0Xn+QgKmvkhujoi+n/pCgEtF1M75IsGY1djipqplOiph9vjQsD2x
+HGe5Vi1RDPqCIMgbxARJh3NodbgLeM92SiJur6VDpOVgdVOich1JYBsL5O3Vlb5v
+xKA6Sol8TneRywIDAQABozowODAXBgNVHREEEDAOggwxZjg0MDI2ZjFmODcwHQYD
+VR0OBBYEFOxhICWI1bbhgXsMW4DNuNHLB4g4MA0GCSqGSIb3DQEBCwUAA4IBgQBU
+0gKlnY0GzzFuYyWoF+tbLPKT9i3InG320A4H9V+VJ3ZgnXy+3kG2rIg09j04mgWF
+YSrWb7BUwYk8WMLD5fbhQ99vpFpKiJnhWvISc3wstgo18k9xr09n4lVU2aYDwgoD
+GTVj59KPu+KlwULvIMnvFbWZm3z2JqGzBMFv8zkID3YCGzyz1Ej7W05A12qcga+o
+Pu5/PLuVY2iRRI2cYpbxG5+kYejNXqiNHph5ROmEEpfnMFHyfMZrpH+BUxVfSTkJ
+K62rduZQabp4qKhIibyXw5fuANIXoGxsSC2IbBKl1jJ23j4aY1OUOqW7YBYkk94Q
+hp77m7JILWdulKtE314/Iy+/5V0k05FsVnWdeRLFW08NK5klt7+x6zG5gTFczN4I
+X+znZJ9LQKrr5VRwEx8aGBbpJ1OVXc5U5ARdtSMz/Nl+yRgZJD3kxID/1sjFRwmq
+OGk1Wid/0g2ZjXSiVMjTi8WrUzw9OyyCi4w9AkBPVNHRvBy1qVjZIlCzcso4gEQ=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>1f84026f1f87</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=1f84026f1f87</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAOqc+LvB4m+VMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDFmODQwMjZmMWY4NzAeFw0yMDA0MjExOTAwNDBaFw0zMDA0MTkxOTAwNDBa
+MBcxFTATBgNVBAMTDDFmODQwMjZmMWY4NzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAKcbX9lvwcBpG9qmza970xI4Vj537Aad7Fq7XNJfxRsXbPK+sRYV
+0TwRok2HhCPt2fKrzE03JZtqA7GemihvDDgWiW/KiSU8mFiFeGap0JkxoRnNQOLu
+y7AcZ9NrSh5jts+ko9SrJkVerNI7tF8njlmCR/19R1g/yp/ThLzr6PwfNg9zkFdo
+RXDtzYd1Qq4GPMaHqC8VMKwnaiv2s4KPU/sKN0sEea4XaaziCI6Cf2iZR/rHLNHe
+x9ST0VpuVODz/BOWmxsgTgeYrY3aGAwrB3lXlRkJL6KKabgC5cvrza1MfilzEart
+ngT0ckzCiLoRp10P3pVINqM7unyDdSwgElWvH3AcI3zJDblNyzL0eZp9F/pudNSN
+V4HVyqWPsGhRnDpLW/TS+Fnxv2DQqEe2Srxh61Un+8jZK7IWGeuCgPPuQrwzxq5c
+X98oyNqeys5X3yHkor42RbX4qYQzjfbvjDg4ewcNpNtu9RKfgUXAaMSS6dH5wdrZ
+fwo4Nuv0lCZB/QIDAQABozowODAXBgNVHREEEDAOggwxZjg0MDI2ZjFmODcwHQYD
+VR0OBBYEFCG6Hg40T0gRUyl4IQdW3pcoOIvTMA0GCSqGSIb3DQEBCwUAA4IBgQCM
+wJIMbAtcShEHhPOeZ72rGycR9Z7+yC72uSXyScgHME/kcLVqwzsHXvw37IkfbuvH
+D9Gz34OI4gg5QZtbarp4GpSycnoNJDT5IRNKkFrPyv3QWvyiTBtFguSAr6xOO8Py
+tBWetorrCcpqvnmiEDHIfs6g8vFq1HUDS1etDkrOk/e5RyHW7Yys3CBfRtLoRX/c
+iiEcuQg/HPqlCTFlHFbaSFMjklomSfSYFytdFkqGNNgZobUCAaj3L2Zw3FEBVn0o
+G0CcW9X3s+L+C3CAyofZBY0Nto2AOrAyaRW0wbGkcI3hI744f9rHArUyonTIe0hG
+SS1pwkfzFbpWZmiBMnoA7CB1ma/xVF+ln/gEn1LS7yKIdHO84/etJ3Ve8yjZKSBD
+e1TRefMMT5McNwoKEZdD0OhD8CBk95Pkhcl2limOzy6R7ekBlak2PclSLXyD6Hda
+m1lmTwWWHX/Jt8iVZsV85PlLIbZC0PJaJk90yMtMTBVxyLTU+iNcdhD9qnjwVb8=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>
diff --git a/Workbench/ssh-tunnel-redir-fix.sh b/Workbench/ssh-tunnel-redir-fix.sh
index 42409a9..8a55495 100755
--- a/Workbench/ssh-tunnel-redir-fix.sh
+++ b/Workbench/ssh-tunnel-redir-fix.sh
@@ -9,6 +9,7 @@ declare -a fileList=(
 "idp/shibboleth-idp/metadata/grouper-sp.xml"
 "idp/shibboleth-idp/metadata/midpoint-sp.xml"
 "idp/shibboleth-idp/metadata/midpoint-sp-new.xml"
+"idp/shibboleth-idp/metadata/wordpress-sp.xml"
 )
 
 if [ $# -eq 0 ]
diff --git a/Workbench/wordpress_server/Dockerfile b/Workbench/wordpress_server/Dockerfile
index 374255b..652235d 100644
--- a/Workbench/wordpress_server/Dockerfile
+++ b/Workbench/wordpress_server/Dockerfile
@@ -19,37 +19,19 @@ RUN yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm \
     && yum-config-manager --enable remi-php72 \
     && yum install -y php php-gd mariadb wget php-mysql postfix nc
 RUN echo 'date.timezone="UTC"' >> /etc/php.ini
-#RUN echo 'nameserver 127.0.0.11' > /etc/resolv.conf
-#RUN /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-encrypt -f \
-#     && /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-signing -f
-
-#RUN cd /root \
-#    && wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
-#    && chmod +x wp-cli.phar
 
 RUN cat /etc/resolv.conf
 WORKDIR /var/www/html
-#RUN /root/wp-cli.phar core download 
-#    && sleep 3 \
-#    && cat /etc/resolv.conf \
-#    && cat /etc/hosts \
-#    && /root/wp-cli.phar  config create --dbname=wordpress --dbuser=wordpress --dbpass=54y6RxN7GfC7aes3 --dbhost=wordpress_data2 \
-#    && sleep 15 \
-#    && /root/wp-cli.phar core install --url="http://localhost/" --title="wordpress" --admin_user="admin" --admin_password="54y6RxN7GfC7aes3" --admin_email="sentrifugo.container@gmail.com" --allow-root \
-#    && /root/wp-cli.phar  plugin install jwt-authentication-for-wp-rest-api  --activate --allow-root \
-#    && /root/wp-cli.phar  plugin install shibboleth --activate --allow-root \
-#    && /root/wp-cli.phar  plugin install wp-rest-api-log --activate --allow-root
-
-#RUN sed -i "s/<\/IfModule>/RewriteCond \%{HTTP:Authorization} \^\(\.\*\)\nRewriteRule \^\(\.\*\) - [E=HTTP_AUTHORIZATION:\%1]\n<\/IfModule>\nSetEnvIf Authorization "\(\.\*\)" HTTP_AUTHORIZATION=\$$1/" /var/www/html/.htaccess \
-#    && sed -i "s/define( 'DB_COLLATE', '' );/define( 'DB_COLLATE', '' );\ndefine('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\ndefine('JWT_AUTH_CORS_ENABLE', true);\n/" /var/www/html/wp-config.php \
-#    && sed -i "s/RewriteBase \//RewriteBase \/\nRewriteRule \^wp-json\/\(\.\*\) \/?rest_route=\/\$1 \[L\]\n/" /var/www/html/.htaccess 
 
 RUN ln -sf /run/secrets/shib_sp-key.pem /etc/shibboleth/sp-key.pem
 RUN chown -R apache:apache /var/www/html
 COPY container_files/system/setservername.sh /usr/local/bin/
-RUN chmod 755 /usr/local/bin/setservername.sh && rm -f /etc/httpd/conf.d/ssl.conf
+RUN chmod 755 /usr/local/bin/setservername.sh #&& rm -f /etc/httpd/conf.d/ssl.conf
 
 #set hostname
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
 RUN /usr/local/bin/setservername.sh