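#!/bin/sh
# Container entrypoint for the Shibboleth IdP image.
#
# Checks that the configured LDAP server is reachable, patches the IdP
# configuration under /opt/shibboleth-idp from environment variables and
# from optional files on the /opt/data volume, then hands off to Jetty.
#
# Environment variables (all optional):
#   IDP_PROPERTIES           path to idp.properties (default: conf/idp.properties)
#   IDP_HOSTNAME             replaces the idp.nordu.dev placeholder hostname
#   IDP_SCOPE                replaces the nordu.dev placeholder in idp.scope
#   IDP_SESSION_TIMEOUT      value for idp.session.timeout and idp.authn.defaultLifetime
#   IDP_AUTHN_TIMEOUT        value for idp.authn.defaultTimeout
#   IDP_ENCRYPTION_OPTIONAL  any non-empty value enables idp.encryption.optional
#   FTICKS_FEDERATION        enables F-TICKS logging; FTICKS_SALT, FTICKS_HOST,
#                            FTICKS_PORT are only applied when this is set
#   IDP_PERSISTENTID_SALT    enables the SAML2 persistent NameID generator;
#                            IDP_PERSISTENTID_SOURCE selects the source attribute (default uid)
#   IDP_DEBUG                any non-empty value turns on DEBUG message logging
#
# Every value that ends up inside a sed replacement is passed through
# sed_escape first: an unescaped '/', '&' or '\' in a value (salts in
# particular) would otherwise corrupt the generated config or be
# reinterpreted by sed.
#
# NOTE(review): 'sed -i' and '\s' are GNU/busybox extensions, as in the
# original script; this runs inside the Linux container image only.

# Escape $1 for use as the replacement text of a sed s/// command:
# backslash, '&' and the '/' delimiter are special there.
# Outputs the escaped string on stdout (no trailing newline).
sed_escape() {
  printf '%s' "$1" | sed -e 's|[\\&/]|\\&|g'
}

IDP_CONF=/opt/shibboleth-idp/conf
IDP_PROPERTIES=${IDP_PROPERTIES:-$IDP_CONF/idp.properties}
DATADIR=/opt/data

# Copy $DATADIR/credentials/<name>.key and <name>.crt over the IdP's bundled
# pair, but only when BOTH files are present on the data volume.
# Arguments: $1 - credential base name (e.g. idp-signing)
install_credentials() {
  _src="$DATADIR/credentials/$1"
  if [ -f "$_src.key" ] && [ -f "$_src.crt" ]; then
    cp "$_src.key" "/opt/shibboleth-idp/credentials/$1.key"
    cp "$_src.crt" "/opt/shibboleth-idp/credentials/$1.crt"
  fi
}

# Check if ldap can be connected to.
# The host is taken from idp.authn.LDAP.ldapURL (scheme://host[:port]); a
# missing value is a configuration error rather than something to pass to nc.
ldap_host=$(awk -F'/' '/idp.authn.LDAP.ldapURL=/ {print $3}' "$IDP_CONF/ldap.properties")
if [ -z "$ldap_host" ]; then
  echo "No idp.authn.LDAP.ldapURL found in $IDP_CONF/ldap.properties" >&2
  exit 1
fi
# Honour an explicit port in the URL; default to the LDAPS port otherwise.
case "$ldap_host" in
  *:*) ldap_port=${ldap_host##*:}; ldap_host=${ldap_host%:*} ;;
  *)   ldap_port=636 ;;
esac
if ! nc -w 3 -z "$ldap_host" "$ldap_port"; then
  echo "Unable to connect to ldaps://$ldap_host:$ldap_port" >&2
  exit 1
fi

# If there is a metadata file for the test SP, enable its commented-out provider.
if [ -f /metadata/sp-metadata.xml ]; then
  sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' "$IDP_CONF/metadata-providers.xml"
fi

if [ -n "$IDP_HOSTNAME" ]; then
  sed -i -e "s/idp.nordu.dev/$(sed_escape "$IDP_HOSTNAME")/" "$IDP_PROPERTIES"
fi
# idp.scope is driven by IDP_SCOPE; the original substituted IDP_HOSTNAME here
# even though it tested IDP_SCOPE, so the scope value was never applied.
if [ -n "$IDP_SCOPE" ]; then
  sed -i -e "/idp.scope=/ s/nordu.dev/$(sed_escape "$IDP_SCOPE")/" "$IDP_PROPERTIES"
fi

# Log to /opt/data/logs when the data volume is mounted.
if [ -e "$DATADIR" ]; then
  if ! grep -q "idp.logfiles=" "$IDP_PROPERTIES"; then
    # -p: the directory may already exist from a previous run.
    mkdir -p "$DATADIR/logs"
    echo "idp.logfiles=$DATADIR/logs" >> "$IDP_PROPERTIES"
  fi
fi

# Set session timeout: uncomment the properties, then rewrite their values.
if [ -n "$IDP_SESSION_TIMEOUT" ]; then
  session_timeout=$(sed_escape "$IDP_SESSION_TIMEOUT")
  sed -i -e '/#idp.session.timeout\s*=/ s/^#//' \
    -e '/#idp.authn.defaultLifetime\s*=/ s/^#//' "$IDP_PROPERTIES"
  sed -i -e "/idp.session.timeout\s*=/ s/=.*/= $session_timeout/" \
    -e "/idp.authn.defaultLifetime\s*=/ s/=.*/= $session_timeout/" "$IDP_PROPERTIES"
fi
if [ -n "$IDP_AUTHN_TIMEOUT" ]; then
  authn_timeout=$(sed_escape "$IDP_AUTHN_TIMEOUT")
  sed -i -e '/#idp.authn.defaultTimeout\s*=/ s/^#//' "$IDP_PROPERTIES"
  sed -i -e "/idp.authn.defaultTimeout\s*=/ s/=.*/= $authn_timeout/" "$IDP_PROPERTIES"
fi

# Default property changes
# Use secure cookies (https only).
sed -i -e '/idp.cookie.secure/ s/^#//' -e '/idp.cookie.secure/ s/false/true/' "$IDP_PROPERTIES"
# Make encrypting optional (some SPs don't have encryption).
if [ -n "$IDP_ENCRYPTION_OPTIONAL" ]; then
  sed -i -e '/idp.encryption.optional/ s/^#//' -e '/idp.encryption.optional/ s/false/true/' "$IDP_PROPERTIES"
fi

# FTICKS
if [ -n "$FTICKS_FEDERATION" ]; then
  sed -i -e '/idp.fticks.federation=/ s/^#//' \
    -e "/idp.fticks.federation=/ s/MyFederation/$(sed_escape "$FTICKS_FEDERATION")/" \
    -e '/idp.fticks.algorithm=/ s/^#//' "$IDP_PROPERTIES"
  if [ -n "$FTICKS_SALT" ]; then
    sed -i -e '/idp.fticks.salt=/ s/^#//' \
      -e "/idp.fticks.salt=/ s/=.*/=$(sed_escape "$FTICKS_SALT")/" "$IDP_PROPERTIES"
  fi
  if [ -n "$FTICKS_HOST" ]; then
    sed -i -e '/idp.fticks.loghost=/ s/^#//' \
      -e "/idp.fticks.loghost=/ s/=.*/=$(sed_escape "$FTICKS_HOST")/" "$IDP_PROPERTIES"
  fi
  if [ -n "$FTICKS_PORT" ]; then
    sed -i -e '/idp.fticks.logport=/ s/^#//' \
      -e "/idp.fticks.logport=/ s/=.*/=$(sed_escape "$FTICKS_PORT")/" "$IDP_PROPERTIES"
  fi
fi

# PersistentID
if [ -n "$IDP_PERSISTENTID_SALT" ]; then
  # Register the persistent generator once; rerunning the container must not add it twice.
  if ! grep -qF -- '<ref bean="shibboleth.SAML2PersistentGenerator" />' "$IDP_CONF/saml-nameid.xml"; then
    sed -i -e '/<util:list id="shibboleth.SAML2NameIDGenerators">/ a <ref bean="shibboleth.SAML2PersistentGenerator" />' "$IDP_CONF/saml-nameid.xml"
  fi
  source_attr=${IDP_PERSISTENTID_SOURCE:-uid}
  sed -i -e '/idp.persistentId.sourceAttribute/ s/^#//' \
    -e "/idp.persistentId.sourceAttribute/ s/changethistosomethingreal/$(sed_escape "$source_attr")/" \
    -e '/idp.persistentId.salt/ s/^#//' \
    -e "/idp.persistentId.salt/ s/changethistosomethingrandom/$(sed_escape "$IDP_PERSISTENTID_SALT")/" "$IDP_CONF/saml-nameid.properties"
  # Add the eduPersonTargetedID definition to attribute-resolver, once.
  if ! grep -qF -- '%{idp.persistentId.sourceAttribute}' "$IDP_CONF/attribute-resolver.xml"; then
    sed -i '/<!-- eduPersonTargetdID placeholder -->/r /opt/templates/config/edupersontargetdid.xml.add' "$IDP_CONF/attribute-resolver.xml"
  fi
fi

if [ -n "$IDP_DEBUG" ]; then
  if ! grep -q "idp.loglevel.messages=DEBUG" "$IDP_PROPERTIES"; then
    echo "idp.loglevel.messages=DEBUG" >> "$IDP_PROPERTIES"
    echo "idp.loglevel.encryption=DEBUG" >> "$IDP_PROPERTIES"
  fi
fi

# Overwrite signing / encryption keys if present on the data volume.
install_credentials idp-signing
install_credentials idp-encryption

# Overwrite idp-metadata if present.
if [ -f "$DATADIR/idp-metadata.xml" ]; then
  cp "$DATADIR/idp-metadata.xml" /opt/shibboleth-idp/metadata/
fi
if [ -e "$DATADIR/messages" ]; then
  cp "$DATADIR"/messages/* /opt/shibboleth-idp/messages/
fi

# SP add: install each local SP's metadata, register a provider for it and
# release attributes to its entityID.
if [ -e "$DATADIR/sp-metadata" ]; then
  cp "$DATADIR"/sp-metadata/*.xml /opt/shibboleth-idp/metadata/
  for sp_file in "$DATADIR"/sp-metadata/*.xml; do
    # An unmatched glob stays literal in sh; skip it instead of registering '*'.
    [ -e "$sp_file" ] || continue
    SP_XML=$(basename "$sp_file")
    SP_NAME=${SP_XML%.*}
    # First entityID attribute only; the greedy '.*' form could swallow
    # later attributes on the same line.
    ENTITY_ID=$(grep -o 'entityID="[^"]*"' "$sp_file" | head -n 1 | sed -e 's/^entityID="//' -e 's/"$//')
    if ! grep -qF -- "$SP_XML" "$IDP_CONF/metadata-providers.xml"; then
      sed -i '/<!-- local SPs -->/r /opt/templates/config/sp.xml.add' "$IDP_CONF/metadata-providers.xml"
      sed -i -e "s/SP_NAME/$(sed_escape "$SP_NAME")/" -e "s/SP_XML/$(sed_escape "$SP_XML")/" "$IDP_CONF/metadata-providers.xml"
      # Release attributes ('a' takes the rest of the line, so '/' in the entityID is safe here).
      sed -i "/<!-- local SPs -->/a <Rule xsi:type=\"Requester\" value=\"$ENTITY_ID\" />" "$IDP_CONF/attribute-filter.xml"
    fi
  done
fi

# Start jetty
exec /docker-entrypoint.sh java -jar /usr/local/jetty/start.jar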