Disable Shib if not needed; add env var checks

If AUTHENTICATION=internal we avoid loading mod_shib and starting shibd.
Also added environment variable checks so if some are missing due to
wrong Docker composition, midPoint will inform user in a reasonable way.

Dockerfile

@@ -35,6 +35,10 @@ RUN chmod 755 /opt/tier/setenv.sh \
     && chmod 755 /usr/local/bin/healthcheck.sh
 
 RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+    && mv /etc/httpd/conf.d/shib.conf shib.conf.auth.shibboleth \
+    && touch /etc/httpd/conf.d/shib.conf.auth.internal \
+    && mv /etc/httpd/conf.modules.d/00-shib.conf 00-shib.conf.auth.shibboleth \
+    && touch /etc/httpd/conf.modules.d/00-shib.conf.auth.internal \
     && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
     && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
     && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
@@ -82,7 +86,7 @@ ENV AUTHENTICATION internal
 ENV SSO_HEADER uid
 ENV AJP_ENABLED true
 ENV AJP_PORT 9090
-ENV MP_LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
+ENV LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
 
 # Other parameters
 

container_files/mp-dir/repository-url

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function resolvePort() {
-    if [ $REPO_PORT == "default" ]; then
+    if [[ $REPO_PORT == "default" ]]; then
         case $REPO_DATABASE_TYPE in
             mariadb)
               echo 3306
@@ -26,7 +26,7 @@ function resolvePort() {
     fi
 }
 
-if [ $REPO_JDBC_URL == "default" ]; then
+if [[ $REPO_JDBC_URL == "default" ]]; then
   REPO_PORT=$( resolvePort )
   case $REPO_DATABASE_TYPE in
 	mariadb)

container_files/usr-local-bin/start-httpd.sh

@@ -4,5 +4,21 @@ echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
 ln -sf /run/secrets/mp_sp-key.pem /etc/shibboleth/sp-key.pem
 ln -sf /run/secrets/mp_host-key.pem /etc/pki/tls/private/host-key.pem
 ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf
+ln -sf /etc/httpd/conf.d/shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/shib.conf
+ln -sf /etc/httpd/conf.modules.d/00-shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.modules.d/00-shib.conf
 
-httpd-shib-foreground
+case $AUTHENTICATION in
+  shibboleth)
+    echo "*** Starting httpd WITH Shibboleth support"
+    httpd-shib-foreground
+    ;;
+  internal)
+    echo "*** Starting httpd WITHOUT Shibboleth support"
+    rm -f /etc/httpd/logs/httpd.pid /run/httpd/httpd.pid
+    httpd -DFOREGROUND
+    ;;
+  *)
+    echo "*** Couldn't start httpd: unsupported AUTHENTICATION variable value: '$AUTHENTICATION'"
+    sleep infinity
+    ;;
+esac

container_files/usr-local-bin/start-midpoint.sh

@@ -1,5 +1,28 @@
 #!/bin/bash
 
+function check () {
+    local VARNAME=$1
+    if [ -z ${!VARNAME} ]; then
+        echo "*** Couldn't start midPoint: $VARNAME variable is undefined. Please check your Docker composition."
+        exit 1
+    fi
+}
+
+# These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here.
+# The composer or user has to make sure they are well defined.
+
+check MP_MEM
+check MP_DIR
+check REPO_DATABASE_TYPE
+check REPO_USER
+check REPO_PASSWORD_FILE
+check REPO_MISSING_SCHEMA_ACTION
+check REPO_UPGRADEABLE_SCHEMA_ACTION
+check MP_KEYSTORE_PASSWORD_FILE
+check SSO_HEADER
+check AJP_ENABLED
+check AJP_PORT
+
 java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
        -Dmidpoint.home=$MP_DIR/var \
        -Dmidpoint.repository.database=$REPO_DATABASE_TYPE \
@@ -17,8 +40,7 @@ java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
        -Dmidpoint.logging.alt.filename=/tmp/logmidpoint \
        -Dmidpoint.logging.alt.timezone=UTC \
        -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
-       -Dauth.sso.header=$SSO_HEADER \
-       $(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$MP_LOGOUT_URL"; fi) \
+       $(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$LOGOUT_URL -Dauth.sso.header=$SSO_HEADER"; fi) \
        -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
        -Dserver.tomcat.ajp.port=$AJP_PORT \
        -Dlogging.path=/tmp/logtomcat \