path: root/idp/shib-entrypoint.sh
blob: 5439cc5973eda629e250493b67fb93ab3c08314b (plain)
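#!/bin/sh
#
# Container entrypoint for the Shibboleth IdP image.
#
# Rewrites the IdP configuration under /opt/shibboleth-idp/conf from
# environment variables and from files mounted under /opt/data, checks that
# the configured LDAP server is reachable, then hands off to Jetty.
#
# Environment (all optional):
#   IDP_PROPERTIES           path to idp.properties (default set below)
#   IDP_HOSTNAME             replaces the placeholder host idp.nordu.dev
#   IDP_SCOPE                replaces the placeholder scope nordu.dev in idp.scope
#   IDP_ENCRYPTION_OPTIONAL  any non-empty value enables idp.encryption.optional
#   FTICKS_FEDERATION, FTICKS_SALT, FTICKS_HOST, FTICKS_PORT
#                            F-TICKS audit logging settings
#   IDP_PERSISTENTID_SALT, IDP_PERSISTENTID_SOURCE
#                            persistent NameID generation (source defaults to uid)
#   IDP_DEBUG                any non-empty value turns on DEBUG message logging
#
# -e: stop at the first failed configuration step rather than starting Jetty
#     on a half-edited configuration.  -u: unset variables are errors, so every
#     optional variable above is read through ${VAR:-} below.
set -eu

IDP_HOME=/opt/shibboleth-idp
IDP_CONF=$IDP_HOME/conf
DATADIR=/opt/data
TEMPLATES=/opt/templates/config
IDP_PROPERTIES=${IDP_PROPERTIES:-$IDP_CONF/idp.properties}

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Escape a value for the right-hand side of a sed s/// expression: the '/'
# delimiter, '&' (whole match) and '\' would otherwise be interpreted by sed.
# All values spliced into sed scripts below come from the environment or from
# mounted files, so they are always passed through this first.
sed_escape() {
  printf '%s' "$1" | sed -e 's|[&/\\]|\\&|g'
}

# Fail fast if the LDAP server named in ldap.properties is unreachable.
# Only the first uncommented ldapURL line is used (the unanchored match used
# earlier would also pick up a commented-out default and hand nc two hosts).
# A host:port authority overrides the default LDAPS port.  This is a TCP
# reachability probe only: it validates neither the TLS certificate nor the
# bind credentials.
ldap_host=$(awk -F'/' '/^[[:space:]]*idp\.authn\.LDAP\.ldapURL=/ {print $3; exit}' "$IDP_CONF/ldap.properties")
ldap_port=636
case $ldap_host in
  *:*)
    ldap_port=${ldap_host##*:}
    ldap_host=${ldap_host%:*}
    ;;
esac
[ -n "$ldap_host" ] || die "No idp.authn.LDAP.ldapURL found in $IDP_CONF/ldap.properties"
if ! nc -w 3 -z "$ldap_host" "$ldap_port"; then
  die "Unable to connect to ldaps://$ldap_host:$ldap_port"
fi

# Enable the test SP's metadata provider when its metadata file is mounted
# (the provider ships commented out in metadata-providers.xml).
if [ -f /metadata/sp-metadata.xml ]; then
  sed -i -e '/sp.nordu.dev/ s/<!--//' -e '/sp.nordu.dev/ s/-->//' "$IDP_CONF/metadata-providers.xml"
fi

# Hostname and scope.  idp.scope is derived from IDP_SCOPE, the variable that
# is actually tested here, not from IDP_HOSTNAME.
if [ -n "${IDP_HOSTNAME:-}" ]; then
  sed -i -e "s/idp.nordu.dev/$(sed_escape "$IDP_HOSTNAME")/" "$IDP_PROPERTIES"
fi
if [ -n "${IDP_SCOPE:-}" ]; then
  sed -i -e "/idp.scope=/ s/nordu.dev/$(sed_escape "$IDP_SCOPE")/" "$IDP_PROPERTIES"
fi

# Log to the persistent data volume when one is mounted.  mkdir -p keeps a
# restart from failing on an already existing log directory.
if [ -d "$DATADIR" ]; then
  if ! grep -q "idp.logfiles=" "$IDP_PROPERTIES"; then
    mkdir -p "$DATADIR/logs"
    printf '%s\n' "idp.logfiles=$DATADIR/logs" >> "$IDP_PROPERTIES"
  fi
fi

# Default property changes
# Use secure cookies (https only).
sed -i -e "/idp.cookie.secure/ s/^#//" -e "/idp.cookie.secure/ s/false/true/" "$IDP_PROPERTIES"

# Make encryption optional (some SPs don't support encryption).
if [ -n "${IDP_ENCRYPTION_OPTIONAL:-}" ]; then
  sed -i -e '/idp.encryption.optional/ s/^#//' -e '/idp.encryption.optional/ s/false/true/' "$IDP_PROPERTIES"
fi

# F-TICKS audit logging.  Salt, host and port are only applied when a
# federation is configured.
if [ -n "${FTICKS_FEDERATION:-}" ]; then
  sed -i -e '/idp.fticks.federation=/ s/^#//' \
         -e "/idp.fticks.federation=/ s/MyFederation/$(sed_escape "$FTICKS_FEDERATION")/" \
         -e '/idp.fticks.algorithm=/ s/^#//' "$IDP_PROPERTIES"
  if [ -n "${FTICKS_SALT:-}" ]; then
    sed -i -e '/idp.fticks.salt=/ s/^#//' \
           -e "/idp.fticks.salt=/ s/=.*/=$(sed_escape "$FTICKS_SALT")/" "$IDP_PROPERTIES"
  fi
  if [ -n "${FTICKS_HOST:-}" ]; then
    sed -i -e '/idp.fticks.loghost=/ s/^#//' \
           -e "/idp.fticks.loghost=/ s/=.*/=$(sed_escape "$FTICKS_HOST")/" "$IDP_PROPERTIES"
  fi
  if [ -n "${FTICKS_PORT:-}" ]; then
    sed -i -e '/idp.fticks.logport=/ s/^#//' \
           -e "/idp.fticks.logport=/ s/=.*/=$(sed_escape "$FTICKS_PORT")/" "$IDP_PROPERTIES"
  fi
fi

# Persistent NameID.  Registers the SAML2PersistentGenerator bean once, sets the
# source attribute and salt, and splices the eduPersonTargetedID definition into
# the attribute resolver if it is not already there.  The salt ends up in
# cleartext in saml-nameid.properties (and passes through the sed argv), so the
# data volume and the container's process table are part of its trust boundary.
if [ -n "${IDP_PERSISTENTID_SALT:-}" ]; then
  if ! grep -q '<ref bean="shibboleth.SAML2PersistentGenerator"  />' "$IDP_CONF/saml-nameid.xml"; then
    sed -i -e '/<util:list id="shibboleth.SAML2NameIDGenerators">/ a <ref bean="shibboleth.SAML2PersistentGenerator"  />' "$IDP_CONF/saml-nameid.xml"
  fi

  source_attr=${IDP_PERSISTENTID_SOURCE:-uid}
  sed -i -e '/idp.persistentId.sourceAttribute/ s/^#//' \
         -e "/idp.persistentId.sourceAttribute/ s/changethistosomethingreal/$(sed_escape "$source_attr")/" \
         -e '/idp.persistentId.salt/ s/^#//' \
         -e "/idp.persistentId.salt/ s/changethistosomethingrandom/$(sed_escape "$IDP_PERSISTENTID_SALT")/" "$IDP_CONF/saml-nameid.properties"
  # add xml conf to attribute-resolver
  if ! grep -q "%{idp.persistentId.sourceAttribute}" "$IDP_CONF/attribute-resolver.xml"; then
    sed -i "/<!-- eduPersonTargetdID placeholder -->/r $TEMPLATES/edupersontargetdid.xml.add" "$IDP_CONF/attribute-resolver.xml"
  fi
fi

# Debug logging of SAML messages and encryption; appended only once.
if [ -n "${IDP_DEBUG:-}" ]; then
  if ! grep -q "idp.loglevel.messages=DEBUG" "$IDP_PROPERTIES"; then
    printf '%s\n' "idp.loglevel.messages=DEBUG" >> "$IDP_PROPERTIES"
    printf '%s\n' "idp.loglevel.encryption=DEBUG" >> "$IDP_PROPERTIES"
  fi
fi

# Overwrite the generated signing and encryption key pairs with the ones on the
# data volume, but only when both halves of a pair are present.
if [ -f "$DATADIR/credentials/idp-signing.key" ] && [ -f "$DATADIR/credentials/idp-signing.crt" ]; then
  cp -- "$DATADIR/credentials/idp-signing.key" "$IDP_HOME/credentials/idp-signing.key"
  cp -- "$DATADIR/credentials/idp-signing.crt" "$IDP_HOME/credentials/idp-signing.crt"
fi
if [ -f "$DATADIR/credentials/idp-encryption.key" ] && [ -f "$DATADIR/credentials/idp-encryption.crt" ]; then
  cp -- "$DATADIR/credentials/idp-encryption.key" "$IDP_HOME/credentials/idp-encryption.key"
  cp -- "$DATADIR/credentials/idp-encryption.crt" "$IDP_HOME/credentials/idp-encryption.crt"
fi

# Overwrite idp-metadata if present.
if [ -f "$DATADIR/idp-metadata.xml" ]; then
  cp -- "$DATADIR/idp-metadata.xml" "$IDP_HOME/metadata/"
fi

# Custom message bundles.  An empty directory is not an error.
if [ -d "$DATADIR/messages" ]; then
  for msg_file in "$DATADIR"/messages/*; do
    [ -e "$msg_file" ] || continue
    cp -- "$msg_file" "$IDP_HOME/messages/"
  done
fi

# Local SPs: install each mounted metadata file, register a metadata provider
# for it from the template, and release attributes to its entityID.  The
# template placeholders SP_NAME/SP_XML are replaced on their first occurrence
# per line across the whole file, which relies on them appearing only in the
# freshly inserted block.
if [ -d "$DATADIR/sp-metadata" ]; then
  for sp_file in "$DATADIR"/sp-metadata/*.xml; do
    [ -e "$sp_file" ] || continue
    sp_xml=$(basename "$sp_file")
    sp_name=${sp_xml%.*}
    cp -- "$sp_file" "$IDP_HOME/metadata/"

    # First quoted value following entityID= on the first matching line.
    entity_id=$(grep -o 'entityID=".*"' "$sp_file" | sed -e 's/entityID="//' -e 's/".*$//')
    [ -n "$entity_id" ] || die "No entityID found in $sp_file"

    # -F: the file name is a literal, not a regex ('.' would match any char).
    if ! grep -qF -- "$sp_xml" "$IDP_CONF/metadata-providers.xml"; then
      sed -i "/<!-- local SPs -->/r $TEMPLATES/sp.xml.add" "$IDP_CONF/metadata-providers.xml"
      sed -i -e "s/SP_NAME/$(sed_escape "$sp_name")/" -e "s/SP_XML/$(sed_escape "$sp_xml")/" "$IDP_CONF/metadata-providers.xml"

      # Release attributes
      sed -i "/<!-- local SPs -->/a <Rule xsi:type=\"Requester\" value=\"$entity_id\" />" "$IDP_CONF/attribute-filter.xml"
    fi
  done
fi

# Start jetty.  exec so Jetty replaces this shell as the container's main
# process and receives stop signals directly.
exec /docker-entrypoint.sh java -jar /usr/local/jetty/start.jar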