eclipse-pass · markpatton · Sep 11, 2024 · Aug 16, 2024 · Aug 16, 2024 · Sep 6, 2024
diff --git a/.eclipse-pass.JHUAWSdemo_env b/.eclipse-pass.JHUAWSdemo_env
@@ -12,3 +12,10 @@ PASS_CORE_SP_ACS=https://demo.eclipse-pass.org/login/saml2/sso/pass
 
 IDP_HOST=https://demo.eclipse-pass.org:9080
 SP_LOGIN=https://demo.eclipse-pass.org/login/saml2/sso/pass
+
+###################################################
+# LDAP config #######################
+###################################################
+
+DS_DM_PASSWORD=password
+DS_SUFFIX_NAME="dc=pass"
diff --git a/.eclipse-pass.local_env b/.eclipse-pass.local_env
@@ -65,31 +65,8 @@ IDP_HOST=http://localhost:9080
 SP_LOGIN=http://localhost:8080/login/saml2/sso/pass
 
 ###################################################
-# LDAP / Mail server config #######################
+# LDAP config #######################
 ###################################################
-MAIL_SMTP=11025
-MAIL_IMAPS=11993
-MAIL_MSP=11587
-OVERRIDE_HOSTNAME=mail.jhu.edu
-ENABLE_SPAMASSASSIN=0
-ENABLE_CLAMAV=0
-ENABLE_FAIL2BAN=0
-ENABLE_POSTGREY=0
-SMTP_ONLY=0
-ONE_DIR=1
-DMS_DEBUG=0
-ENABLE_LDAP=1
-TLS_LEVEL=intermediate
-LDAP_SERVER_HOST=ldap
-LDAP_SEARCH_BASE=ou=People,dc=pass
-LDAP_BIND_DN=cn=admin,dc=pass
-LDAP_BIND_PW=password
-LDAP_QUERY_FILTER_USER=(&(objectClass=posixAccount)(mail=%s))
-LDAP_QUERY_FILTER_GROUP=(&(objectClass=posixAccount)(mailGroupMember=%s))
-LDAP_QUERY_FILTER_ALIAS=(&(objectClass=posixAccount)(mailAlias=%s))
-LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))
-ENABLE_SASLAUTHD=0
-POSTMASTER_ADDRESS=root
-SSL_TYPE=manual
-SSL_CERT_PATH=/tmp/docker-mailserver/cert.pem
-SSL_KEY_PATH=/tmp/docker-mailserver/key.rsa
+
+DS_DM_PASSWORD=password
+DS_SUFFIX_NAME="dc=pass"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ on:
         required: true
         description: Next development version (e.g. 0.5.0-SNAPSHOT)
       runtests:
-        description: 'Run acceptance tests against release version before pushing images?'
+        description: 'Run acceptance tests against release version?'
         type: boolean
 
 jobs:
@@ -42,18 +42,12 @@ jobs:
         with:
           version: $RELEASE
 
-      - name: Build new images
-        run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml build idp ldap
-
       - name: Acceptance tests
         if: ${{ inputs.runtests }}
         uses: ./.github/actions/acceptance-test
         with:
           pullimages: 'missing'
 
-      - name: Push release images
-        run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml push idp ldap
-
       - name: Bump image versions to next development version
         uses: ./.github/actions/update-pass-version
         with:
@@ -65,7 +59,3 @@ jobs:
 
       - name: Push release tag to GitHub
         run: git push origin $RELEASE
-
-      - name: Build and push next development image tags
-        run: docker compose -f docker-compose.yml -f eclipse-pass.local.yml build --push idp ldap
-
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
diff --git a/README.md b/README.md
@@ -52,10 +52,10 @@ docker compose -p pass-docker -f docker-compose.yml -f eclipse-pass.local.yml -f
 
 ## Services:
 
-### [`idp`](https://github.com/eclipse-pass/pass-docker/idp)
+### `idp`
 
-Repository: https://github.com/eclipse-pass/pass-docker
-Package: https://github.com/orgs/eclipse-pass/packages/container/package/idp
+This service runs a Shibboleth Identity Provider using an image from [https://spaces.at.internet2.edu/display/ITAP/InCommon+Trusted+Access+Platform+Release].
+Configuration files in the image are overridden on startup by using files in `idp/`.
 
 Environment variables:
 * `IDP_HOST=http://localhost:9080`
@@ -65,6 +65,15 @@ Separately there is a non-container environment variable `IDP_INTERNAL_PORT` whi
 The default is 8080. This can be used to make 9080 support https by setting it to 4443 in the docker compose environment. One way to do this is by adding
 `IDP_INTERNAL_PORT=4443` to the docker compose command. Note that `-e` should not be used because it is for container environment variables.
 
+This service is intended for testing only.
+
+### `ldap`
+
+This service runs the 389 Directory Server which is a LDAP server. It is used by the IDP as a source of information on users.
+The users in ` ldap/pass.ldif` are loaded on startup.
+
+This service is intended for testing only.
+
 ### [`pass-core`](https://github.com/eclipse-pass/pass-core)
 
 Repository: https://github.com/eclipse-pass/pass-core
@@ -124,39 +133,6 @@ Environment variables:
 
 A basic Docker image where we can run a `curl` command to bootstrap the environment with data from `demo_data.json`
 
-### `idp`, `ldap`
-
-Other related images that work together with `pass-auth` to handle authentication. Based on services of the same name in the older `docker-compose` environment.
-
-Environment variables:
-
-* `MAIL_SMTP=11025`
-* `MAIL_IMAPS=11993`
-* `MAIL_MSP=11587`
-* `OVERRIDE_HOSTNAME=mail.jhu.edu`
-* `ENABLE_SPAMASSASSIN=0`
-* `ENABLE_CLAMAV=0`
-* `ENABLE_FAIL2BAN=0`
-* `ENABLE_POSTGREY=0`
-* `SMTP_ONLY=0`
-* `ONE_DIR=1`
-* `DMS_DEBUG=0`
-* `ENABLE_LDAP=1`
-* `TLS_LEVEL=intermediate`
-* `LDAP_SERVER_HOST=ldap`
-* `LDAP_SEARCH_BASE=ou=People,dc=pass`
-* `LDAP_BIND_DN=cn=admin,dc=pass`
-* `LDAP_BIND_PW=password`
-* `LDAP_QUERY_FILTER_USER=(&(objectClass=posixAccount)(mail=%s))`
-* `LDAP_QUERY_FILTER_GROUP=(&(objectClass=posixAccount)(mailGroupMember=%s))`
-* `LDAP_QUERY_FILTER_ALIAS=(&(objectClass=posixAccount)(mailAlias=%s))`
-* `LDAP_QUERY_FILTER_DOMAIN=(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))`
-* `ENABLE_SASLAUTHD=0`
-* `POSTMASTER_ADDRESS=root`
-* `SSL_TYPE=manual`
-* `SSL_CERT_PATH=/tmp/docker-mailserver/cert.pem`
-* `SSL_KEY_PATH=/tmp/docker-mailserver/key.rsa`
-
 ## Running Acceptance Tests
 
 Repository: https://github.com/eclipse-pass/pass-acceptance-testing

diff --git a/eclipse-pass.local.yml b/eclipse-pass.local.yml
@@ -15,7 +15,8 @@ services:
       - .eclipse-pass.local_env
     healthcheck:
       test: 'curl -u "$$PASS_CORE_BACKEND_USER:$$PASS_CORE_BACKEND_PASSWORD" -f http://pass-core:8080/data/user || exit 1'
-      start_period: 30s
+      start_period: 60s
+      interval: 5s
     ports:
       - 8080:8080
     extra_hosts:
@@ -39,46 +40,59 @@ services:
       - ./postgres/demo/init_postgres.sh:/docker-entrypoint-initdb.d/init_postgres.sh
 
   idp:
-    build:
-      context: ./idp
-      args:
-        TENANT: jhu
-    image: "ghcr.io/eclipse-pass/idp:${PASS_VERSION}"
+    image: "tier/shib-idp:4.3.3_20240415"
     container_name: idp
     depends_on:
-      - ldap
-    environment:
-      - JETTY_MAX_HEAP=64m
-      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
-      - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=password
-    ports:
-      - 9080:${IDP_INTERNAL_PORT-8080}
+      ldap:
+        condition: service_healthy
     env_file:
       - .env
       - .eclipse-pass.local_env
+    ports:
+      - 9080:${IDP_INTERNAL_PORT-8080}
+    command:
+      - /bin/bash
+      - -c
+      - |
+        cp /idp-config/config/tomcat/* /usr/local/tomcat/conf
+        cp /idp-config/credentials/tomcat/* /opt/certs
+        cp /idp-config/config/shib-idp/conf/* /opt/shibboleth-idp/conf
+        cp /idp-config/credentials/shib-idp/* /opt/shibboleth-idp/credentials
+        cp /idp-config/config/shib-idp/metadata/* /opt/shibboleth-idp/metadata
+        cp /idp-config/dummylogo.png /opt/shibboleth-idp/edit-webapp/images/placeholder-logo.png
+
+        sed -i "s#IDP_HOST#$$IDP_HOST#g" /opt/shibboleth-idp/metadata/idp-metadata.xml
+        sed -i "s#IDP_HOST#$$IDP_HOST#g" /opt/shibboleth-idp/conf/idp.properties
+        sed -i "s#SP_LOGIN#$$SP_LOGIN#g" /opt/shibboleth-idp/metadata/sp-metadata.xml
+
+        /usr/bin/startup.sh
     healthcheck:
-      test: 'curl -f http://idp:8080/idp/shibboleth || exit 1'
-      start_period: 10s
+      start_period: 60s
+      interval: 5s
+    volumes:
+      - ./idp:/idp-config
     networks:
       - back
-    secrets:
-      - source: idp_backchannel
-      - source: idp_browser
-      - source: idp_encryption
-      - source: idp_signing
-      - source: idp_sealer
-      - source: idp_cert
 
   ldap:
-    build:
-      context: ./ldap
-      args:
-        TENANT: jhu
-    image: "ghcr.io/eclipse-pass/demo-ldap:${PASS_VERSION}"
+    image: "389ds/dirsrv:3.1"
     container_name: ldap
     env_file:
       - .env
       - .eclipse-pass.local_env
+    # Start the container, wait for it to start, create the suffix, and then load users
+    command:
+      - /bin/bash
+      - -c
+      - |
+        set -m
+        /usr/lib/dirsrv/dscontainer -r &
+        while !(/usr/lib/dirsrv/dscontainer -H) >/dev/null 2>&1; do sleep 5; done;
+        dsconf -D "cn=Directory Manager" localhost backend create --suffix="$$DS_SUFFIX_NAME" --be-name="pass"
+        ldapadd -f /pass.ldif -H ldap://localhost:3389 -w "$$DS_DM_PASSWORD" -D "cn=Directory Manager"
+        fg
+    volumes:
+      - ./ldap/pass.ldif:/pass.ldif
     networks:
       - back
 
@@ -110,21 +124,3 @@ services:
       - "./localstack/aws_bootstrap.sh:/etc/localstack/init/ready.d/init-aws.sh"
     networks:
       - back
-
-secrets:
-  idp_cert:
-    file: ./secrets/idp/idp-signing.crt
-  sp_key:
-    file: ./secrets/sp/sp-key.pem
-  sp_cert:
-    file: ./secrets/sp/sp-cert.pem
-  idp_backchannel:
-    file: ./secrets/idp/idp-backchannel.p12
-  idp_browser:
-    file: ./secrets/idp/idp-browser.p12
-  idp_encryption:
-    file: ./secrets/idp/idp-encryption.key
-  idp_signing:
-    file: ./secrets/idp/idp-signing.key
-  idp_sealer:
-    file: ./secrets/idp/sealer.jks
diff --git a/idp/Dockerfile b/idp/Dockerfile
diff --git a/idp/common/shib-jetty-base/start.d/backchannel.ini b/idp/common/shib-jetty-base/start.d/backchannel.ini
diff --git a/idp/common/shib-jetty-base/start.d/ssl.ini b/idp/common/shib-jetty-base/start.d/ssl.ini