From 9c382611b69cf48e4063395b6bd84c8733b9dc67 Mon Sep 17 00:00:00 2001
From: Johan Lundberg
Date: Tue, 28 Apr 2015 16:18:24 +0200
Subject: Docker image now installing and running.

---
 .dockerignore | 1 +
 .gitignore | 2 +
 Dockerfile | 6 ++
 README | 10 +-
 edit-webapp/css/consent.css | 150 +++++++++++++++++++++++++++++
 edit-webapp/css/main.css | 163 ++++++++++++++++++++++++++++++++
 edit-webapp/images/dummylogo-mobile.png | Bin 0 -> 8208 bytes
 edit-webapp/images/dummylogo.png | Bin 0 -> 13742 bytes
 edit-webapp/index.jsp | 31 ++++++
 edit-webapp/x509-prompt.jsp | 111 ++++++++++++++++++++++
 jetty_conf/idp.xml | 3 +-
 jetty_conf/ssl.mod | 6 +-
 start.sh | 17 +++-
 13 files changed, 490 insertions(+), 10 deletions(-)
 create mode 100644 edit-webapp/css/consent.css
 create mode 100644 edit-webapp/css/main.css
 create mode 100644 edit-webapp/images/dummylogo-mobile.png
 create mode 100644 edit-webapp/images/dummylogo.png
 create mode 100644 edit-webapp/index.jsp
 create mode 100644 edit-webapp/x509-prompt.jsp

diff --git a/.dockerignore b/.dockerignore
index 5cf8dae..6c89c49 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -2,3 +2,4 @@ conf
 credentials
 edit-webapp
+logs
diff --git a/.gitignore b/.gitignore
index 454b655..e980fb7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 credentials
+conf
+logs/*
diff --git a/Dockerfile b/Dockerfile
index 11bee0f..7b5902f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,12 @@ RUN apt-get update && \
 apt-get update --fix-missing && \
 apt-get install -y wget
 
+# Add UnlimitedJCEPolicy
+# You manually have to download and unzip jce_policy-8.zip from Oracle,
+# http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
+ADD UnlimitedJCEPolicyJDK8/local_policy.jar ${JAVA_HOME}/jre/lib/security/
+ADD UnlimitedJCEPolicyJDK8/US_export_policy.jar ${JAVA_HOME}/jre/lib/security/
+
 # Download and install jetty
 ENV JETTY_VERSION 9.2.10
 ENV RELEASE_DATE v20150310
diff --git a/README b/README
index bf20a2e..3fa37d7 100644
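Review bot: The two `ADD UnlimitedJCEPolicyJDK8/*.jar` lines copy JCE policy jars into `${JAVA_HOME}/jre/lib/security/` straight from the build context with no integrity check, so a corrupted or substituted download is installed silently into the JVM's security directory. Since the comment already requires a manual download, record the expected digests next to the jars and verify them before installing, e.g. `COPY UnlimitedJCEPolicyJDK8/ /tmp/jce/` followed by `RUN cd /tmp/jce && sha256sum -c SHA256SUMS && cp *.jar ${JAVA_HOME}/jre/lib/security/` (SHA256SUMS is a placeholder file name; its values must come from Oracle's distribution). `COPY` is also the preferred instruction over `ADD` for plain local files, since `ADD` carries archive-extraction and URL semantics that are not wanted here. The `RUN apt-get ...` instruction that opens this hunk starts before it.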
--- a/README +++ b/README @@ -1,5 +1,11 @@ +How to create p12 keystore + +Set JETTY_TLS_PASSWORD as keystore password +openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt + How to run: -docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install +docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e IDP_TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install + +docker run -d -e JETTY_TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp -docker run -d -e PKCS12_PASSWORD=pkcs12pass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp diff --git a/edit-webapp/css/consent.css b/edit-webapp/css/consent.css new file mode 100644 index 0000000..129bb19 --- /dev/null +++ b/edit-webapp/css/consent.css 
@@ -0,0 +1,150 @@ +.box { + width:600px; + margin-left: auto; + margin-right: auto; + margin-top: 50px; + background-color: white; + -webkit-box-shadow: 1px 1px 15px #999999; + -moz-box-shadow: 1px 1px 15px #999999; + box-shadow: 1px 1px 15px #999999; + -webkit-border-radius: 8px; + -moz-border-radius: 8px; + border-radius: 8px; + overflow: auto; + padding: 1.268em; +} + +body { + font-family:Verdana, Geneva, sans-serif; + font-size: 12px; +} + +h1 { + font-size: 13px; + padding-bottom: 12px; +} + +a { + color: #00247D; + text-decoration: underline; +} + +a:visited { + color: #00247D; + text-decoration: underline; +} + +a:focus, a:hover, a:active { + color: #F39800; + text-decoration: underline; +} + +#tou-content { + font-family:monospace; + width: 95%; + border: solid 1px #666; + margin: 4px; + padding: 10px; + overflow: hidden; +} + +#tou-content li{ + margin-bottom:10px; +} + +#tou-acceptance { + width: 95%; + border: solid 1px #666; + background-color: #F0F0F0; + margin: 4px; + padding: 10px; + text-align: left; + overflow: hidden; +} + +.service_name { + font-weight: bold; +} + +.service_description { + font-style: italic; +} + +.organization_name { +} + +#attributeRelease-consent { + width: 95%; + border: solid 1px #666; + background-color: #F0F0F0; + margin: 4px; + overflow: hidden; +} + +#attributeRelease { + width: 95%; + margin: 4px; + border: solid 1px black; + overflow: hidden; +} + +#attributeRelease table { + border-collapse: collapse; + border: none 0px white; + width: 100%; +} + +#attributeRelease td { + padding: 3px 7px; + vertical-align: top; +} + +#attributeRelease th { + text-align: left; + font-size: 18px; + padding: 5px 7px; + background-color:#00247D; + color: white; +} + +#attributeRelease tr:nth-of-type(even) { + background-color: #E4E5E3; +} + +.federation_logo +{ + width: 50%; + float: left; + padding-top: 35px; + border: 0; +} +.organization_logo +{ + width: 50%; + float: right; + border: 0; +} + +.form-error { + padding: 0; + color: 
#B61601; +} + +/* Device specific styles */ +@media only screen and (max-device-width: 721px){ + .box { + width: auto; + box-shadow: none; + border-radius: 0; + -webkit-box-shadow: none; + -webkit-border-radius: 0; + -moz-box-shadow: none; + -moz-border-radius: 0; + padding: 0; + margin-top:0; + } + #tou-content, #tou-acceptance{ + /*width:87%;*/ + width:auto; + } +} diff --git a/edit-webapp/css/main.css b/edit-webapp/css/main.css new file mode 100644 index 0000000..8b02328 --- /dev/null +++ b/edit-webapp/css/main.css 
@@ -0,0 +1,163 @@ +* { + margin: 0; + padding: 0; +} +header, footer, section, nav { + display: block; +} +html, body { + height: 100%; +} +body { + font-family:Verdana, Geneva, sans-serif; + font-size: 12px; + line-height: 1.5; + color: #717171; + background: #717171; +} +a:link, +a:visited { + text-decoration: none; + color: #717171; +} +img { + max-width: 100%; + margin-bottom: 12px; +} + +.wrapper { + background: #ffffff; +} + +.container { + position: relative; + left: 34%; + width: 540px; + margin-left: -270px; +} +.container-footer { + padding-top: 12px; +} +@media only screen and (max-width: 1020px) { + .container { + left: 45%; + } +} +@media only screen and (max-width: 650px) { + .container { + position: static; + margin: 0 auto; + width: 280px; + } +} + +header { + padding: 20px 0; +} + +.logo img { + border: none; +} +@media only screen and (max-width: 650px) { + .logo img { + display: none; + } + .logo { + background: url(images/dummylogo-mobile.png) no-repeat top center; + display: block; + height: 115px; + width: 100px; + margin: 0 auto; + } +} + +.content { + padding-bottom: 80px; + overflow: hidden; +} + +.column { + float: left; +} +.column.one { + width: 50%; + margin-right: 48px; +} + +form { + width: 240px; + padding-bottom: 21px; +} +form label { /* labels are hidden */ + font-weight: bold; +} +form legend { + font-size:1.2em; + margin-bottom: 12px; +} +.form-element-wrapper { + margin-bottom: 12px; +} +.form-element { + width: 100%; + padding: 13px 12px; + border: none; + font-size: 14px; + border-radius: 4px; + -webkit-border-radius: 4px; + -moz-border-radius: 4px; +} +.form-field { + color: #B7B7B7; + border: 1px solid #B7B7B7; +} +.form-field-focus { + color: #333333; + border-color: #333; +} +.form-button { + background: #B61601; + box-sizing: content-box; + -moz-box-sizing: content-box; + color: #ffffff; + cursor: pointer; +} +.form-button:hover { + background: #FF6400; +} +.form-error { + padding: 0; + color: #B61601; +} + +.list-help { 
+ margin-top: 40px; /* offset padding on first anchor */ + list-style: none; +} +.list-help-item a { + display: block; + padding: 6px 0; +} +.item-marker { + color: #be0000; +} + +footer { + color: #ffffff; + font-size: 11px; + background: #717171; +} +.footer-text { + margin-bottom: 12px; +} +.footer-links a:link, +.footer-links a:visited { + color: #ffffff; + font-weight: bold; +} +.footer-links a:after { + content: "\00a0\00a0\00a0|\00a0\00a0"; +} +.footer-links a.last:after { + content: ""; +} diff --git a/edit-webapp/images/dummylogo-mobile.png b/edit-webapp/images/dummylogo-mobile.png new file mode 100644 index 0000000..8ba3c95 Binary files /dev/null and b/edit-webapp/images/dummylogo-mobile.png differ diff --git a/edit-webapp/images/dummylogo.png b/edit-webapp/images/dummylogo.png new file mode 100644 index 0000000..e89ede6 Binary files /dev/null and b/edit-webapp/images/dummylogo.png differ diff --git a/edit-webapp/index.jsp b/edit-webapp/index.jsp new file mode 100644 index 0000000..2206fe3 --- /dev/null +++ b/edit-webapp/index.jsp @@ -0,0 +1,31 @@ +<%@ page pageEncoding="UTF-8" %> +<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %> + + + + + <spring:message code="${root.title}" text="Shibboleth IdP" /> + + + + +
+
+
+ +
+ +
+

+
+
+ +
+ +
+
+ + + diff --git a/edit-webapp/x509-prompt.jsp b/edit-webapp/x509-prompt.jsp new file mode 100644 index 0000000..51b0e02 --- /dev/null +++ b/edit-webapp/x509-prompt.jsp @@ -0,0 +1,111 @@ +<%@ taglib uri="urn:mace:shibboleth:2.0:idp:ui" prefix="idpui" %> +<%@ page import="javax.servlet.http.Cookie" %> +<%@ page import="org.opensaml.profile.context.ProfileRequestContext" %> +<%@ page import="net.shibboleth.idp.authn.ExternalAuthentication" %> +<%@ page import="net.shibboleth.idp.authn.context.AuthenticationContext" %> +<%@ page import="net.shibboleth.idp.profile.context.RelyingPartyContext" %> +<%@ page import="net.shibboleth.idp.ui.context.RelyingPartyUIContext" %> + +<% +final Cookie[] cookies = request.getCookies(); +if (cookies != null) { + for (final Cookie cookie : cookies) { + if (cookie.getName().equals("x509passthrough")) { + response.sendRedirect(request.getContextPath() + "/Authn/X509?" + + ExternalAuthentication.CONVERSATION_KEY + "=" + + request.getParameter(ExternalAuthentication.CONVERSATION_KEY)); + return; + } + } +} + +final String key = ExternalAuthentication.startExternalAuthentication(request); +final ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, request); +final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class); +final RelyingPartyContext rpContext = prc.getSubcontext(RelyingPartyContext.class); +final RelyingPartyUIContext rpUIContext = authnContext.getSubcontext(RelyingPartyUIContext.class); +final boolean identifiedRP = rpUIContext != null && !rpContext.getRelyingPartyId().contains(rpUIContext.getServiceName()); +%> + + + + + Example Login Page + + + + +
+
+
+ +
+ +
+
+
+ + + + <% if (identifiedRP) { %> + + Log in to + + <% } %> + +
+ Please make sure that your user certificate is properly configured in your web browser + and click on the Certificate Login button. +
+ +
+ + Do not show this page in the future. + + +
+
+ + <% + // + // SP Description & Logo (optional) + // These idpui lines will display added information (if available + // in the metadata) about the Service Provider (SP) that requested + // authentication. These idpui lines are "active" in this example + // (not commented out) - this extra SP info will be displayed. + // Remove or comment out these lines to stop the display of the + // added SP information. + // + // Documentation: + // https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPassLoginPage + // + // Example: + %> + <% if (identifiedRP) { %> +

+ default + SP description +

+ <% } %> + +
+ +
+
+ +
+ +
+
+ + + diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml index cdeed1e..6d88f3d 100644 --- a/jetty_conf/idp.xml +++ b/jetty_conf/idp.xml @@ -1,7 +1,6 @@ - - /war/idp.war + /war/idp.war /idp false diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod index 77ceb76..e9bc03e 100644 --- a/jetty_conf/ssl.mod +++ b/jetty_conf/ssl.mod @@ -8,13 +8,17 @@ server [xml] etc/jetty-ssl.xml +[files] +/opt/shibboleth-idp/credentials/idp-browser.p12 + [ini-template] ### SSL Keystore Configuration # define the port to use for secure redirection jetty.secure.port=8443 -## Setup a demonstration keystore and truststore +## Setup a keystore jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12 +jetty.keystore.type=PKCS12 ## Set the demonstration passwords. ## Note that OBF passwords are not secure, just protected from casual observation diff --git a/start.sh b/start.sh index 5c341f5..5d5a879 100644 --- a/start.sh +++ b/start.sh @@ -5,19 +5,26 @@ cd /opt/shibboleth-identity-provider-${IDP_VERSION} case "$*" in start) - # Upgrade/Recreate war + # Start/Recreate war + mkdir -p /opt/shibboleth-idp/war ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp # Set Jetty tls cert password - sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD" /opt/jetty/modules/ssl.mod + sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$JETTY_TLS_PASSWORD" /opt/jetty/modules/ssl.mod # Start Jetty cd /opt/jetty/ && /usr/bin/java -jar start.jar ;; install) - # Fresh install -cat>/tmp/entity_id</tmp/entity_id<
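Review bot: In the `x509passthrough` cookie branch, `request.getParameter(ExternalAuthentication.CONVERSATION_KEY)` is appended to the redirect URL without URL-encoding or a null check, so a missing parameter produces a `...=null` redirect and any reserved characters in the value pass through unescaped. Encode the value before concatenation and skip the shortcut when the parameter is absent, so the page falls through to the normal `startExternalAuthentication` flow instead of redirecting with a bogus key. A few lines later `prc.getSubcontext(AuthenticationContext.class)` and `prc.getSubcontext(RelyingPartyContext.class)` are dereferenced unconditionally; a null check with a clear error message is preferable to a NullPointerException surfacing as a 500. The form markup that sets the `x509passthrough` cookie is not legible in this hunk, so I could not confirm the cookie is set with `Secure` and `HttpOnly`; worth checking.
```jsp
// … unchanged: page directives and cookie loop header …
if (cookie.getName().equals("x509passthrough")) {
    final String conv = request.getParameter(ExternalAuthentication.CONVERSATION_KEY);
    if (conv != null) {
        response.sendRedirect(request.getContextPath() + "/Authn/X509?"
                + ExternalAuthentication.CONVERSATION_KEY + "="
                + java.net.URLEncoder.encode(conv, "UTF-8"));
        return;
    }
}
// … unchanged: startExternalAuthentication and context lookups …
```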
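Review bot: The retained comment `## Set the demonstration passwords.` below the new `jetty.keystore.type=PKCS12` line no longer describes this file: the keystore is now the deployment's own `idp-browser.p12`, and start.sh rewrites `jetty.keystore.password=` here from `JETTY_TLS_PASSWORD` at container start, leaving the password in clear text in the module file. Replace the comment with `## Keystore password is written at container start from JETTY_TLS_PASSWORD (see start.sh); it is stored in clear text in this file` so the trade-off is explicit to whoever mounts or inspects /opt/jetty/modules. If the `jetty.truststore` line from the original template (not visible in this hunk) still points at Jetty's demonstration keystore, it should be updated in the same change. Whether the `[files]` section honours an absolute path outside jetty.base should be confirmed against the Jetty 9.2 module documentation, since a silent no-op here would hide a missing credential until the TLS connector fails to start.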