This repository has been archived by the owner on May 8, 2023. It is now read-only.
forked from CSCfi/shibboleth-idp-dockerized
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathDockerfile
92 lines (77 loc) · 4.71 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
FROM jetty:9-jdk11-slim as base
ARG idp_version=4.2.1
ARG idp_hash=fa5e46d160f6b1bc50326c1a31627a05b5d0847b8f620d7f4c0251999b806474
ARG idp_oidcext_version=3.2.1
ARG idp_oidc_common_version=2.1.0
ARG slf4j_version=1.7.29
ARG slf4j_hash=47b624903c712f9118330ad2fb91d0780f7f666c3f22919d0fc14522c5cad9ea
ARG logback_version=1.2.9
ARG logback_classic_hash=ad745cc243805800d1ebbf5b7deba03b37c95885e6bce71335a73f7d6d0f14ee
ARG logback_core_hash=4a9ef7ed809b1fbc6992bf87d404087c247e7a9766e25bb84377b58ed5c9eb58
ARG logback_access_hash=4db03561790664b823181cf8db78260c675464741372459ecba4fadf6d5538d2
## IDP env values
ENV IDP_SRC=/opt/shibboleth-identity-provider-$idp_version \
IDP_SCOPE=example.org \
IDP_PUBLIC_URL=https://idp.example.org/idp/shibboleth \
IDP_HOME=/opt/shibboleth-idp \
IDP_HOST_NAME=idp.example.org \
IDP_KEYSTORE_PASSWORD=idpkstorepwd \
IDP_SEALER_PASSWORD=idpsealerpwd \
JETTY_KEYSTORE_PASSWORD=storepwd \
JETTY_KEYSTORE_PATH=etc/keystore
# Switch to root during installations and configurations
USER root
RUN apt update
RUN apt install -y curl gnupg
# JETTY Configure
RUN mkdir -p $JETTY_BASE/modules $JETTY_BASE/lib/ext $JETTY_BASE/lib/logging $JETTY_BASE/resources \
&& java -jar $JETTY_HOME/start.jar --create-startd --add-to-start=http2,http2c,annotations,rewrite --approve-all-licenses
# Shibboleth IdP - Download, verify hash and install
RUN curl -sO https://shibboleth.net/downloads/identity-provider/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \
&& echo "$idp_hash shibboleth-identity-provider-$idp_version.tar.gz" | sha256sum -c - \
&& tar -zxvf shibboleth-identity-provider-$idp_version.tar.gz -C /opt \
&& $IDP_SRC/bin/install.sh \
-Didp.scope=$IDP_SCOPE \
-Didp.target.dir=$IDP_HOME \
-Didp.src.dir=$IDP_SRC \
-Didp.scope=$IDP_SCOPE \
-Didp.host.name=$IDP_HOST_NAME \
-Didp.noprompt=true \
-Didp.sealer.password=$IDP_SEALER_PASSWORD \
-Didp.keystore.password=$IDP_KEYSTORE_PASSWORD \
-Didp.entityID=$IDP_PUBLIC_URL \
&& rm shibboleth-identity-provider-$idp_version.tar.gz \
&& rm -rf /opt/shibboleth-identity-provider-$idp_version
# slf4j - Download, verify and install
RUN curl -sO https://repo1.maven.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \
&& echo "$slf4j_hash slf4j-api-$slf4j_version.jar" | sha256sum -c - \
&& mv slf4j-api-$slf4j_version.jar $JETTY_BASE/lib/logging/
# logback_classic - Download verify and install
RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \
&& echo "$logback_classic_hash logback-classic-$logback_version.jar" | sha256sum -c - \
&& mv logback-classic-$logback_version.jar $JETTY_BASE/lib/logging/
# logback-core - Download, verify and install
RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \
&& echo "$logback_core_hash logback-core-$logback_version.jar" | sha256sum -c - \
&& mv logback-core-$logback_version.jar $JETTY_BASE/lib/logging/
# logback-access - Download, verify and install
RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \
&& echo "$logback_access_hash logback-access-$logback_version.jar" | sha256sum -c - \
&& mv logback-access-$logback_version.jar $JETTY_BASE/lib/logging/
# Install plugins
# See: https://stackoverflow.com/questions/34212230/using-bouncycastle-with-gnupg-2-1s-pubring-kbx-file
RUN curl -s https://shibboleth.net/downloads/PGP_KEYS | gpg --import && \
gpg --export > /root/.gnupg/pubring.gpg && \
${IDP_HOME}/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/$idp_oidc_common_version/oidc-common-dist-$idp_oidc_common_version.tar.gz --truststore /root/.gnupg/pubring.gpg --noPrompt && \
${IDP_HOME}/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-op/$idp_oidcext_version/idp-plugin-oidc-op-distribution-$idp_oidcext_version.tar.gz --truststore /root/.gnupg/pubring.gpg --noPrompt
EXPOSE 8080 8443
COPY jetty-base/ $JETTY_BASE/
#establish a healthcheck command so that docker might know the container's true state
HEALTHCHECK --interval=1m --timeout=30s \
CMD curl -k -f http://127.0.0.1:8080/idp/status || exit 1
CMD \
"$IDP_HOME"/bin/build.sh -Didp.target.dir="$IDP_HOME" && \
"$JAVA_HOME"/bin/java -jar "$JETTY_HOME"/start.jar \
jetty.home="$JETTY_HOME" jetty.base="$JETTY_BASE" \
-Djetty.sslContext.keyStorePassword="$JETTY_KEYSTORE_PASSWORD" \
-Djetty.sslContext.keyStorePath="$JETTY_KEYSTORE_PATH"