author | Johan Lundberg <lundberg@nordu.net> | 2015-04-28 16:18:24 +0200 |
committer | Johan Lundberg <lundberg@nordu.net> | 2015-04-28 16:18:24 +0200 |
commit | 9c382611b69cf48e4063395b6bd84c8733b9dc67 (patch) | |
tree | b6974a423dc92117f7607ffa3574df413dc8d399 | |
parent | eadb0ebe5eb0d1e5fcff88e8322f5e3a44d6c93f (diff) |
Docker image now installing and running.
-rw-r--r-- | .dockerignore | 1 | ||||
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Dockerfile | 6 | ||||
-rw-r--r-- | README | 10 | ||||
-rw-r--r-- | edit-webapp/css/consent.css | 150 | ||||
-rw-r--r-- | edit-webapp/css/main.css | 163 | ||||
-rw-r--r-- | edit-webapp/images/dummylogo-mobile.png | bin | 0 -> 8208 bytes | |||
-rw-r--r-- | edit-webapp/images/dummylogo.png | bin | 0 -> 13742 bytes | |||
-rw-r--r-- | edit-webapp/index.jsp | 31 | ||||
-rw-r--r-- | edit-webapp/x509-prompt.jsp | 111 | ||||
-rw-r--r-- | jetty_conf/idp.xml | 3 | ||||
-rw-r--r-- | jetty_conf/ssl.mod | 6 | ||||
-rw-r--r-- | start.sh | 17 |
13 files changed, 490 insertions, 10 deletions
diff --git a/.dockerignore b/.dockerignore index 5cf8dae..6c89c49 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,3 +2,4 @@ conf credentials edit-webapp +logs @@ -1 +1,3 @@ credentials +conf +logs/* @@ -6,6 +6,12 @@ RUN apt-get update && \ apt-get update --fix-missing && \ apt-get install -y wget +# Add UnlimitedJCEPolicy +# You manually have to download and unzip jce_policy-8.zip from Oracle, +# http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html +ADD UnlimitedJCEPolicyJDK8/local_policy.jar ${JAVA_HOME}/jre/lib/security/ +ADD UnlimitedJCEPolicyJDK8/US_export_policy.jar ${JAVA_HOME}/jre/lib/security/ + # Download and install jetty ENV JETTY_VERSION 9.2.10 ENV RELEASE_DATE v20150310 
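Review bot: The two new `ADD` lines that place `local_policy.jar` and `US_export_policy.jar` under `${JAVA_HOME}/jre/lib/security/` copy plain local files, for which `COPY` is the conventional instruction; `ADD` carries archive-extraction and remote-URL semantics that are not wanted for policy jars, so `COPY UnlimitedJCEPolicyJDK8/local_policy.jar ${JAVA_HOME}/jre/lib/security/` (and likewise for `US_export_policy.jar`) states the intent. The comment asks the reader to download `jce_policy-8.zip` manually but does not say where the unzipped directory must sit, and a missing directory fails the build with a generic "no such file" error; suggest extending it to `# Unzip it next to this Dockerfile so that ./UnlimitedJCEPolicyJDK8/local_policy.jar exists`. Because these jars overwrite the JRE's shipped policy files, a one-line comment that `${JAVA_HOME}` (set above this hunk) must point at a JDK 8 tree containing `jre/lib/security` would help the next maintainer. The `.dockerignore` and `.gitignore` hunks on this line are trivial.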
@@ -1,5 +1,11 @@ +How to create p12 keystore + +Set JETTY_TLS_PASSWORD as keystore password +openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt + How to run: -docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install +docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e IDP_TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install + +docker run -d -e JETTY_TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp -docker run -d -e PKCS12_PASSWORD=pkcs12pass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp diff --git a/edit-webapp/css/consent.css b/edit-webapp/css/consent.css new file mode 100644 index 0000000..129bb19 --- /dev/null +++ b/edit-webapp/css/consent.css 
@@ -0,0 +1,150 @@
+.box {
+ width:600px;
+ margin-left: auto;
+ margin-right: auto;
+ margin-top: 50px;
+ background-color: white;
+ -webkit-box-shadow: 1px 1px 15px #999999;
+ -moz-box-shadow: 1px 1px 15px #999999;
+ box-shadow: 1px 1px 15px #999999;
+ -webkit-border-radius: 8px;
+ -moz-border-radius: 8px;
+ border-radius: 8px;
+ overflow: auto;
+ padding: 1.268em;
+}
+
+body {
+ font-family:Verdana, Geneva, sans-serif;
+ font-size: 12px;
+}
+
+h1 {
+ font-size: 13px;
+ padding-bottom: 12px;
+}
+
+a {
+ color: #00247D;
+ text-decoration: underline;
+}
+
+a:visited {
+ color: #00247D;
+ text-decoration: underline;
+}
+
+a:focus, a:hover, a:active {
+ color: #F39800;
+ text-decoration: underline;
+}
+
+#tou-content {
+ font-family:monospace;
+ width: 95%;
+ border: solid 1px #666;
+ margin: 4px;
+ padding: 10px;
+ overflow: hidden;
+}
+
+#tou-content li{
+ margin-bottom:10px;
+}
+
+#tou-acceptance {
+ width: 95%;
+ border: solid 1px #666;
+ background-color: #F0F0F0;
+ margin: 4px;
+ padding: 10px;
+ text-align: left;
+ overflow: hidden;
+}
+
+.service_name {
+ font-weight: bold;
+}
+
+.service_description {
+ font-style: italic;
+}
+
+.organization_name {
+}
+
+#attributeRelease-consent {
+ width: 95%;
+ border: solid 1px #666;
+ background-color: #F0F0F0;
+ margin: 4px;
+ overflow: hidden;
+}
+
+#attributeRelease {
+ width: 95%;
+ margin: 4px;
+ border: solid 1px black;
+ overflow: hidden;
+}
+
+#attributeRelease table {
+ border-collapse: collapse;
+ border: none 0px white;
+ width: 100%;
+}
+
+#attributeRelease td {
+ padding: 3px 7px;
+ vertical-align: top;
+}
+
+#attributeRelease th {
+ text-align: left;
+ font-size: 18px;
+ padding: 5px 7px;
+ background-color:#00247D;
+ color: white;
+}
+
+#attributeRelease tr:nth-of-type(even) {
+ background-color: #E4E5E3;
+}
+
+.federation_logo
+{
+ width: 50%;
+ float: left;
+ padding-top: 35px;
+ border: 0;
+}
+.organization_logo
+{
+ width: 50%;
+ float: right;
+ border: 0;
+}
+
+.form-error {
+ padding: 0;
+ color: #B61601;
+}
+
+/* Device specific styles */
+@media only screen and (max-device-width: 721px){
+ .box {
+ width: auto;
+ box-shadow: none;
+ border-radius: 0;
+ -webkit-box-shadow: none;
+ -webkit-border-radius: 0;
+ -moz-box-shadow: none;
+ -moz-border-radius: 0;
+ padding: 0;
+ margin-top:0;
+ }
+ #tou-content, #tou-acceptance{
+ /*width:87%;*/
+ width:auto;
+ }
+}
diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css
new file mode 100644
index 0000000..8b02328
--- /dev/null
+++ b/edit-webapp/css/main.css
@@ -0,0 +1,163 @@
+* {
+ margin: 0;
+ padding: 0;
+}
+header, footer, section, nav {
+ display: block;
+}
+html, body {
+ height: 100%;
+}
+body {
+ font-family:Verdana, Geneva, sans-serif;
+ font-size: 12px;
+ line-height: 1.5;
+ color: #717171;
+ background: #717171;
+}
+a:link,
+a:visited {
+ text-decoration: none;
+ color: #717171;
+}
+img {
+ max-width: 100%;
+ margin-bottom: 12px;
+}
+
+.wrapper {
+ background: #ffffff;
+}
+
+.container {
+ position: relative;
+ left: 34%;
+ width: 540px;
+ margin-left: -270px;
+}
+.container-footer {
+ padding-top: 12px;
+}
+@media only screen and (max-width: 1020px) {
+ .container {
+ left: 45%;
+ }
+}
+@media only screen and (max-width: 650px) {
+ .container {
+ position: static;
+ margin: 0 auto;
+ width: 280px;
+ }
+}
+
+header {
+ padding: 20px 0;
+}
+
+.logo img {
+ border: none;
+}
+@media only screen and (max-width: 650px) {
+ .logo img {
+ display: none;
+ }
+ .logo {
+ background: url(images/dummylogo-mobile.png) no-repeat top center;
+ display: block;
+ height: 115px;
+ width: 100px;
+ margin: 0 auto;
+ }
+}
+
+.content {
+ padding-bottom: 80px;
+ overflow: hidden;
+}
+
+.column {
+ float: left;
+}
+.column.one {
+ width: 50%;
+ margin-right: 48px;
+}
+
+form {
+ width: 240px;
+ padding-bottom: 21px;
+}
+form label { /* labels are hidden */
+ font-weight: bold;
+}
+form legend {
+ font-size:1.2em;
+ margin-bottom: 12px;
+}
+.form-element-wrapper {
+ margin-bottom: 12px;
+}
+.form-element {
+ width: 100%;
+ padding: 13px 12px;
+ border: none;
+ font-size: 14px;
+ border-radius: 4px;
+ -webkit-border-radius: 4px;
+ -moz-border-radius: 4px;
+}
+.form-field {
+ color: #B7B7B7;
+ border: 1px solid #B7B7B7;
+}
+.form-field-focus {
+ color: #333333;
+ border-color: #333;
+}
+.form-button {
+ background: #B61601;
+ box-sizing: content-box;
+ -moz-box-sizing: content-box;
+ color: #ffffff;
+ cursor: pointer;
+}
+.form-button:hover {
+ background: #FF6400;
+}
+.form-error {
+ padding: 0;
+ color: #B61601;
+}
+
+.list-help {
+ margin-top: 40px; /* offset padding on first anchor */
+ list-style: none;
+}
+.list-help-item a {
+ display: block;
+ padding: 6px 0;
+}
+.item-marker {
+ color: #be0000;
+}
+
+footer {
+ color: #ffffff;
+ font-size: 11px;
+ background: #717171;
+}
+.footer-text {
+ margin-bottom: 12px;
+}
+.footer-links a:link,
+.footer-links a:visited {
+ color: #ffffff;
+ font-weight: bold;
+}
+.footer-links a:after {
+ content: "\00a0\00a0\00a0|\00a0\00a0";
+}
+.footer-links a.last:after {
+ content: "";
+}
diff --git a/edit-webapp/images/dummylogo-mobile.png b/edit-webapp/images/dummylogo-mobile.png Binary files differnew file mode 100644 index 0000000..8ba3c95 --- /dev/null +++ b/edit-webapp/images/dummylogo-mobile.png diff --git a/edit-webapp/images/dummylogo.png b/edit-webapp/images/dummylogo.png Binary files differnew file mode 100644 index 0000000..e89ede6 --- /dev/null +++ b/edit-webapp/images/dummylogo.png diff --git a/edit-webapp/index.jsp b/edit-webapp/index.jsp new file mode 100644 index 0000000..2206fe3 --- /dev/null +++ b/edit-webapp/index.jsp @@ -0,0 +1,31 @@ +<%@ page pageEncoding="UTF-8" %> +<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %> +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <title><spring:message code="${root.title}" text="Shibboleth IdP" /></title> + <link rel="stylesheet" type="text/css" href="<%= request.getContextPath()%>/css/main.css"> + </head> + + <body> + <div class="wrapper"> + <div class="container"> + <header> + <a class="logo" href="../images/dummylogo.png"><img src="<%= request.getContextPath() %>/images/dummylogo.png" alt="Replace or remove this logo"></a> + </header> + + <div class="content"> + <h2><spring:message code="${root.message}" text="No services are available at this location." /></h2> + </div> + </div> + + <footer> + <div class="container container-footer"> + <p><spring:message code="${root.footer}" text="Insert your footer text here." /></p> + </div> + </footer> + </div> + + </body> +</html> diff --git a/edit-webapp/x509-prompt.jsp b/edit-webapp/x509-prompt.jsp new file mode 100644 index 0000000..51b0e02 --- /dev/null +++ b/edit-webapp/x509-prompt.jsp 
@@ -0,0 +1,111 @@ +<%@ taglib uri="urn:mace:shibboleth:2.0:idp:ui" prefix="idpui" %> +<%@ page import="javax.servlet.http.Cookie" %> +<%@ page import="org.opensaml.profile.context.ProfileRequestContext" %> +<%@ page import="net.shibboleth.idp.authn.ExternalAuthentication" %> +<%@ page import="net.shibboleth.idp.authn.context.AuthenticationContext" %> +<%@ page import="net.shibboleth.idp.profile.context.RelyingPartyContext" %> +<%@ page import="net.shibboleth.idp.ui.context.RelyingPartyUIContext" %> + +<% +final Cookie[] cookies = request.getCookies(); +if (cookies != null) { + for (final Cookie cookie : cookies) { + if (cookie.getName().equals("x509passthrough")) { + response.sendRedirect(request.getContextPath() + "/Authn/X509?" + + ExternalAuthentication.CONVERSATION_KEY + "=" + + request.getParameter(ExternalAuthentication.CONVERSATION_KEY)); + return; + } + } +} + +final String key = ExternalAuthentication.startExternalAuthentication(request); +final ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, request); +final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class); +final RelyingPartyContext rpContext = prc.getSubcontext(RelyingPartyContext.class); +final RelyingPartyUIContext rpUIContext = authnContext.getSubcontext(RelyingPartyUIContext.class); +final boolean identifiedRP = rpUIContext != null && !rpContext.getRelyingPartyId().contains(rpUIContext.getServiceName()); +%> +<!DOCTYPE html> +<html> + <head> + <meta charset="utf-8"> + <title>Example Login Page</title> + <link rel="stylesheet" type="text/css" href="<%= request.getContextPath()%>/css/main.css"> + </head> + + <body> + <div class="wrapper"> + <div class="container"> + <header> + <a class="logo" href="../images/dummylogo.png"><img src="<%= request.getContextPath() %>/images/dummylogo.png" alt="Replace or remove this logo"></a> + </header> + + <div class="content"> + <div class="column one"> + <form id="loginform" action="<%= 
request.getContextPath() %>/Authn/X509" method="post"> + + <input type="hidden" name="<%= ExternalAuthentication.CONVERSATION_KEY %>" + value="<%= request.getParameter(ExternalAuthentication.CONVERSATION_KEY) %>"> + + <% if (identifiedRP) { %> + <legend> + Log in to <idpui:serviceName uiContext="<%= rpUIContext %>"/> + </legend> + <% } %> + + <section> + Please make sure that your user certificate is properly configured in your web browser + and click on the <strong>Certificate Login </strong> button. + </section> + + <section> + <input type="checkbox" name="x509passthrough" value="true" tabindex="2"> + Do not show this page in the future. + + <button class="form-element form-button" type="submit" name="login" value="1" + tabindex="1" accesskey="l">Certificate Login</button> + </section> + </form> + + <% + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. 
+ // + // Documentation: + // https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPassLoginPage + // + // Example: + %> + <% if (identifiedRP) { %> + <p> + <idpui:serviceLogo uiContext="<%= rpUIContext %>">default</idpui:serviceLogo> + <idpui:serviceDescription uiContext="<%= rpUIContext %>">SP description</idpui:serviceDescription> + </p> + <% } %> + + </div> + <div class="column two"> + <ul class="list list-help"> + <li class="list-help-item"><a href="#"><span class="item-marker">›</span> Need Help?</a></li> + <li class="list-help-item"><a href="https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPassLoginPage"><span class="item-marker">›</span> How to Customize this Skin</a></li> + </ul> + </div> + </div> + </div> + + <footer> + <div class="container container-footer"> + <p class="footer-text">Insert your footer text here.</p> + </div> + </footer> + </div> + + </body> +</html> diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml index cdeed1e..6d88f3d 100644 --- a/jetty_conf/idp.xml +++ b/jetty_conf/idp.xml @@ -1,7 +1,6 @@ <Configure class="org.eclipse.jetty.webapp.WebAppContext"> <Set name="war"> - <SystemProperty name="idp.home" /> - /war/idp.war + <SystemProperty name="idp.home" />/war/idp.war </Set> <Set name="contextPath">/idp</Set> <Set name="extractWAR">false</Set> diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod index 77ceb76..e9bc03e 100644 --- a/jetty_conf/ssl.mod +++ b/jetty_conf/ssl.mod @@ -8,13 +8,17 @@ server [xml] etc/jetty-ssl.xml +[files] +/opt/shibboleth-idp/credentials/idp-browser.p12 + [ini-template] ### SSL Keystore Configuration # define the port to use for secure redirection jetty.secure.port=8443 -## Setup a demonstration keystore and truststore +## Setup a keystore jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12 +jetty.keystore.type=PKCS12 ## Set the demonstration passwords. ## Note that OBF passwords are not secure, just protected from casual observation 
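Review bot: `request.getParameter(ExternalAuthentication.CONVERSATION_KEY)` is written without output encoding both into an HTML attribute (`value="<%= … %>"` on the hidden input) and into the `response.sendRedirect(...)` URL in the opening scriptlet, so the page reflects a request parameter verbatim. Even if the IdP validates the conversation key elsewhere, the template should encode at the sink: HTML-escape the attribute value (e.g. `org.springframework.web.util.HtmlUtils.htmlEscape(...)`, assuming spring-web is on the classpath as the `spring` taglib in index.jsp suggests) and pass the redirect query value through `java.net.URLEncoder.encode(..., "UTF-8")`. The `identifiedRP` expression also dereferences `rpContext` after null-checking only `rpUIContext`; `rpContext` is presumably present whenever a UI context exists, but an explicit `rpContext != null &&` guard would make that assumption visible instead of relying on it. This hunk is a new file, so the whole page is in view.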
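Review bot: The new `[files]` entry lists `/opt/shibboleth-idp/credentials/idp-browser.p12` as a bare path; as far as I recall Jetty's module format, a `[files]` line without a `url|` prefix is a file the start process creates if absent, so a missing keystore would be replaced by an empty one and surface later as an opaque keystore-load error rather than a clear "file not found" — worth confirming against the Jetty 9.2 module docs before relying on it. If the intent is only to document the dependency, a comment line in `[ini-template]` does that without side effects; if the intent is a presence check, it should fail loudly. The retained `## Set the demonstration passwords.` heading now sits above a production keystore password that start.sh writes in plain text, so it should be reworded to something like `## Keystore password is written here by start.sh at container start`. The idp.xml hunk on this line is a whitespace fix and needs no comment.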
@@ -5,19 +5,26 @@
 cd /opt/shibboleth-identity-provider-${IDP_VERSION}
 case "$*" in
 start)
- # Upgrade/Recreate war
+ # Start/Recreate war
+ mkdir -p /opt/shibboleth-idp/war
 ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp
 # Set Jetty tls cert password
- sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD" /opt/jetty/modules/ssl.mod
+ sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$JETTY_TLS_PASSWORD" /opt/jetty/modules/ssl.mod
 # Start Jetty
 cd /opt/jetty/ && /usr/bin/java -jar start.jar
 ;;
 install)
- # Fresh install
-cat>/tmp/entity_id<<EOF
+ # Fresh install/upgrade
+ cat>/tmp/entity_id<<EOF
 idp.entityID= ${ENTITY_ID}
 EOF
- ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
+ mkdir -p /opt/shibboleth-idp/war
+ ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${IDP_TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt
+ # Set sealer password
+ sed -i "/idp.sealer.storePassword= password/c\idp.sealer.storePassword= $COOKIE_PASSWORD" /opt/shibboleth-idp/conf/idp.properties
+ sed -i "/idp.sealer.keyPassword= password/c\idp.sealer.keyPassword= $COOKIE_PASSWORD" /opt/shibboleth-idp/conf/idp.properties
+ # Set scope
+ sed -i "/idp.scope= example.org/c\idp.scope= ${SCOPE}" /opt/shibboleth-idp/conf/idp.properties
 ;;
 debug)
 /bin/bash
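Review bot: The rewritten `./bin/install.sh` line in the `install)` arm passes `${HOSTNAME}`, `${SCOPE}`, `${COOKIE_PASSWORD}` and `${IDP_TLS_PASSWORD}` unquoted, so a value with whitespace is split into extra arguments and an empty one drops the argument entirely; the expansions should be quoted and the required variables asserted at the top of the arm with `: "${ENTITY_ID:?}" "${SCOPE:?}" "${COOKIE_PASSWORD:?}" "${IDP_TLS_PASSWORD:?}"`. `HOSTNAME` is also a variable bash sets itself, so `:?` cannot detect a forgotten `-e HOSTNAME=…` and the IdP is silently installed under the container's hostname; a differently named variable (e.g. `IDP_HOSTNAME`, name constructed) would make that detectable, in line with the `IDP_TLS_PASSWORD` rename this commit makes. The three new `sed -i "/…/c\… $COOKIE_PASSWORD"` lines, like the `$JETTY_TLS_PASSWORD` one in `start)`, interpolate a secret into the sed program, so a password containing `/`, `\`, `&` or a newline corrupts the command or stores a different value; since the script already merges properties through `-Didp.merge.properties /tmp/entity_id`, the sealer passwords and scope could presumably be written into that heredoc instead, provided the installer's merge overrides existing keys — worth confirming. The `c\` patterns also match only the stock `password` / `example.org` values, so on the upgrade path the new comment names they silently do nothing once idp.properties has been customised. The enclosing script and any `set -e` begin above the hunk.
```shell
install)
  # Fresh install/upgrade
  # Fail fast on a missing variable instead of installing with an empty value.
  : "${ENTITY_ID:?}" "${SCOPE:?}" "${COOKIE_PASSWORD:?}" "${IDP_TLS_PASSWORD:?}"
  # … unchanged: heredoc writing /tmp/entity_id, mkdir -p /opt/shibboleth-idp/war …
  ./bin/install.sh -Didp.src.dir "/opt/shibboleth-identity-provider-${IDP_VERSION}/" -Didp.target.dir /opt/shibboleth-idp \
    -Didp.host.name "${HOSTNAME}" -Didp.scope "${SCOPE}" \
    -Didp.sealer.password "${COOKIE_PASSWORD}" -Didp.keystore.password "${IDP_TLS_PASSWORD}" \
    -Didp.merge.properties /tmp/entity_id -Didp.noprompt
  # … unchanged: sed edits of idp.properties …
  ;;
```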