Complete first Docker development for ECCS

Dockerfile-dev

@@ -22,7 +22,7 @@ WORKDIR /root
 
 RUN mkdir eccs
 WORKDIR eccs
-COPY api.py clean7daysOldFiles.sh cleanAndRunEccs.sh eccs.ini eccs.py eccs_properties.py eccs-sps-md-cron eccs-wsgi.py get-sps-metadata.sh retryFailedChecks.py runEccs.py utils.py .
+COPY api.py clean7daysOldFiles.sh cleanAndRunEccs.sh eccs.ini eccs.py eccs_properties.py eccs-wsgi.py get-sps-metadata.sh retryFailedChecks.py runEccs.py utils.py .
 COPY html/ html/
 COPY input/ input/
 COPY logs/ logs/
@@ -45,7 +45,7 @@ RUN wget $AMAZON_JDK_KEY -O /tmp/amazon-corretto.pub \
  && gpg --no-default-keyring --keyring /tmp/temp-keyring.gpg --export --output /etc/apt/keyrings/amazon-corretto.gpg \
  && rm /tmp/temp-keyring.gpg
 COPY amazon-corretto.list /etc/apt/sources.list.d/amazon-corretto.list
-COPY eccs-sps-md-cron /etc/cron.d/eccs_get_sps_metadata
+COPY eccs_cron /etc/cron.d/eccs_cron
 RUN apt-get update && apt-get install -y java-11-amazon-corretto-jdk \
     && curl "https://shibboleth.net/downloads/tools/xmlsectool/$XMLSECTOOL_VERSION/xmlsectool-$XMLSECTOOL_VERSION-bin.zip" --output xmlsectool-$XMLSECTOOL_VERSION-bin.zip \
     && unzip xmlsectool-$XMLSECTOOL_VERSION-bin.zip \
@@ -70,9 +70,9 @@ EXPOSE 443
 
 #SUPERVISOR
 COPY supervisord.conf /etc/supervisor/supervisord.conf
-RUN mkdir -p /var/log/supervisor \
-    && mkdir -p /var/run/supervisord \
-    && chmod -R 0755 /var/log/supervisor
+RUN  mkdir -p /var/run/supervisord
+#RUN mkdir -p /var/log/supervisor \
+#    && chmod -R 0755 /var/log/supervisor
 
 COPY start.sh /start.sh
 RUN chmod +x /start.sh

README-SPS-METADATA-Docker.md

+# HOWTO Automating ECCS SPs Metadata download with XMLSecTool and Cron
+
+1. [Introduction](#introduction)
+3. [Configure](#configure)
+5. [Authors](#authors)
+
+## Introduction
+
+The eduGAIN Connectivity Check Service (ECCS), uses two Service Provider belonging to different NREN that are members of eduGAIN interfederation.
+The ECCS Python script gets the SPs' HTTP-Post AssertionConsumerService URL from the "sps-metadata.xml" file placed into "input" directory.
+The mechanism chosen to update regularly the "sps-metadata.xml" file involves the XMLSecTool & Cron that allow to validate the NREN SPs metadata downloaded the metadata certificate provided and create the "sps-metadata.xml" file as output.
+
+## Configure
+
+Customize the script `get-sps-metadata.sh` to provide your SPs. 
+
+## Authors
+
+### Original Author
+
+   * Marco Malavolti (marco.malavolti@garr.it)

cleanAndRunEccs.sh

@@ -4,8 +4,6 @@
 
 BASEDIR=$HOME
 
-#source $HOME/.bash_profile
-
 # Remove old IdP and Fed List
 rm -f $BASEDIR/eccs/input/*.json
 
@@ -14,3 +12,6 @@ $BASEDIR/eccs/runEccs.py
 
 # Run again ECCS2 for those IdPs who failed check
 $BASEDIR/eccs/retryFailedChecks.py
+
+# Remove useless files
+rm -rf /tmp/.com.google.Chrome* /tmp/chromium-*

eccs-sps-md-cron

-0 3 * * * /bin/bash $HOME/eccs/get-sps-metadata.sh

eccs_cron

+0 3 * * * /usr/bin/touch $HOME/eccs/eccs.ini
+0 3 * * * /bin/bash $HOME/eccs/get-sps-metadata.sh
+0 4 * * * /bin/bash $HOME/eccs/cleanAndRunEccs.sh > /dev/stdout
+0 10 * * * /bin/bash $HOME/eccs/clean7daysOldFiles.sh > /dev/stdout

get-sps-metadata.sh

 #!/bin/bash
 
-sp_md_1="input/sp_md_1.xml"
-sp_md_2="input/sp_md_2.xml"
-output_file="input/sps-metadata.xml"
+eccs_dir="$HOME/eccs"
+
+sp_md_1="$eccs_dir/input/sp_md_1.xml"
+sp_md_2="$eccs_dir/input/sp_md_2.xml"
+output_file="$eccs_dir/input/sps-metadata.xml"
+cert="$eccs_dir/idem-mdx-service-crt.pem"
 
 # Download SPs metadata only if they are changes since last download
-curl -z $sp_md_1 -o $sp_md_1 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fattribute-viewer.aai.switch.ch%2Finterfederation-test%2Fshibboleth"
-curl -z $sp_md_2 -o $sp_md_2 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fsp-demo.idem.garr.it%2Fshibboleth"
+curl -o $sp_md_1 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fattribute-viewer.aai.switch.ch%2Finterfederation-test%2Fshibboleth"
+curl -o $sp_md_2 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fsp-demo.idem.garr.it%2Fshibboleth"
 
 # Check the existance of the metadata files
 if [ ! -f "$sp_md_1" ] || [ ! -f "$sp_md_2" ]; then
@@ -14,8 +17,13 @@ if [ ! -f "$sp_md_1" ] || [ ! -f "$sp_md_2" ]; then
   exit 1
 fi
 
-sp_md_1_is_valid=$(bash xmlsectool/xmlsectool.sh --verifySignature --certificate idem-mdx-service-crt.pem --inFile input/sp_md_1.xml | grep "XML document signature verified." | wc -l)
-sp_md_2_is_valid=$(bash xmlsectool/xmlsectool.sh --verifySignature --certificate idem-mdx-service-crt.pem --inFile input/sp_md_2.xml | grep "XML document signature verified." | wc -l)
+# Remove previous sps-metadata.xml
+if [ -f "$output_file" ]; then
+   rm $output_file
+fi
+
+sp_md_1_is_valid=$(bash $eccs_dir/xmlsectool/xmlsectool.sh --verifySignature --certificate $cert --inFile $sp_md_1 | grep "XML document signature verified." | wc -l)
+sp_md_2_is_valid=$(bash $eccs_dir/xmlsectool/xmlsectool.sh --verifySignature --certificate $cert --inFile $sp_md_2 | grep "XML document signature verified." | wc -l)
 
 # Check the validity of both SP metadata files
 if [ $sp_md_1_is_valid -eq 0 ] || [ $sp_md_1_is_valid -eq 0 ]; then
@@ -24,9 +32,8 @@ if [ $sp_md_1_is_valid -eq 0 ] || [ $sp_md_1_is_valid -eq 0 ]; then
 fi
 
 # Remove XML declaration from both SP Metadata files
-sed -i '1d' "$sp_md_1"
-sed -i '1d' "$sp_md_2"
-
+sed -i '/<?xml/d' "$sp_md_1"
+sed -i '/<?xml/d' "$sp_md_2"
 
 header='<?xml version="1.0" encoding="UTF-8"?>
 <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'

requirements.txt

-click==8.1.2
-Flask==2.1.1
-Flask-RESTful==0.3.9
-requests==2.27.1
-selenium==4.1.3
-urllib3==1.26.9
-uWSGI==2.0.20

supervisord.conf

+# Doc: http://supervisord.org/configuration.html
 [supervisord]
 nodaemon=true
 pidfile=/var/run/supervisord/supervisord.pid
+logfile=/dev/stdout
+logfile_maxbytes = 0
+loglevel=info
 user=root
 
 [unix_http_server]