From e59b272755351564f688b69cb28ffb02ef5b5d7b Mon Sep 17 00:00:00 2001
From: Marco Malavolti <marco.malavolti@garr.it>
Date: Sun, 30 Jul 2023 16:41:54 +0200
Subject: [PATCH] Complete first Docker development for ECCS
---
 Dockerfile-dev | 10 +++++-----
 README-SPS-METADATA-Docker.md | 21 +++++++++++++++++++++
 cleanAndRunEccs.sh | 5 +++--
 eccs-sps-md-cron | 1 -
 eccs_cron | 4 ++++
 get-sps-metadata.sh | 27 +++++++++++++++++----------
 requirements.txt | 7 -------
 supervisord.conf | 4 ++++
 8 files changed, 54 insertions(+), 25 deletions(-)
 create mode 100644 README-SPS-METADATA-Docker.md
 delete mode 100644 eccs-sps-md-cron
 create mode 100644 eccs_cron
 delete mode 100644 requirements.txt
diff --git a/Dockerfile-dev b/Dockerfile-dev
index c881d1a..c87f068 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -22,7 +22,7 @@ WORKDIR /root
 RUN mkdir eccs
 WORKDIR eccs
-COPY api.py clean7daysOldFiles.sh cleanAndRunEccs.sh eccs.ini eccs.py eccs_properties.py eccs-sps-md-cron eccs-wsgi.py get-sps-metadata.sh retryFailedChecks.py runEccs.py utils.py .
+COPY api.py clean7daysOldFiles.sh cleanAndRunEccs.sh eccs.ini eccs.py eccs_properties.py eccs-wsgi.py get-sps-metadata.sh retryFailedChecks.py runEccs.py utils.py .
 COPY html/ html/
 COPY input/ input/
 COPY logs/ logs/
@@ -45,7 +45,7 @@ RUN wget $AMAZON_JDK_KEY -O /tmp/amazon-corretto.pub \
 && gpg --no-default-keyring --keyring /tmp/temp-keyring.gpg --export --output /etc/apt/keyrings/amazon-corretto.gpg \
 && rm /tmp/temp-keyring.gpg
 COPY amazon-corretto.list /etc/apt/sources.list.d/amazon-corretto.list
-COPY eccs-sps-md-cron /etc/cron.d/eccs_get_sps_metadata
+COPY eccs_cron /etc/cron.d/eccs_cron
 RUN apt-get update && apt-get install -y java-11-amazon-corretto-jdk \
 && curl "https://shibboleth.net/downloads/tools/xmlsectool/$XMLSECTOOL_VERSION/xmlsectool-$XMLSECTOOL_VERSION-bin.zip" --output xmlsectool-$XMLSECTOOL_VERSION-bin.zip \
 && unzip xmlsectool-$XMLSECTOOL_VERSION-bin.zip \
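Review bot: `COPY eccs_cron /etc/cron.d/eccs_cron` installs the file with whatever mode it carries in the build context, and cron silently ignores an /etc/cron.d entry that is group- or world-writable or not owned by root, so the jobs may never be scheduled without any error in the build. Pin the mode right after the copy with `RUN chmod 0644 /etc/cron.d/eccs_cron` (or `COPY --chmod=0644 eccs_cron /etc/cron.d/eccs_cron` if the image is built with BuildKit). Nothing visible in this hunk installs or starts the cron daemon; if that happens elsewhere in the Dockerfile or in supervisord.conf it is worth a one-line comment here, e.g. `# cron daemon is started by supervisord`, so the dependency is explicit.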
@@ -70,9 +70,9 @@ EXPOSE 443
 #SUPERVISOR
 COPY supervisord.conf /etc/supervisor/supervisord.conf
-RUN mkdir -p /var/log/supervisor \
- && mkdir -p /var/run/supervisord \
- && chmod -R 0755 /var/log/supervisor
+RUN mkdir -p /var/run/supervisord
+#RUN mkdir -p /var/log/supervisor \
+# && chmod -R 0755 /var/log/supervisor
 COPY start.sh /start.sh
 RUN chmod +x /start.sh
diff --git a/README-SPS-METADATA-Docker.md b/README-SPS-METADATA-Docker.md
new file mode 100644
index 0000000..8ba2737
--- /dev/null
+++ b/README-SPS-METADATA-Docker.md
@@ -0,0 +1,21 @@
+# HOWTO Automating ECCS SPs Metadata download with XMLSecTool and Cron
+
+1. [Introduction](#introduction)
+3. [Configure](#configure)
+5. [Authors](#authors)
+
+## Introduction
+
+The eduGAIN Connectivity Check Service (ECCS), uses two Service Provider belonging to different NREN that are members of eduGAIN interfederation.
+The ECCS Python script gets the SPs' HTTP-Post AssertionConsumerService URL from the "sps-metadata.xml" file placed into "input" directory.
+The mechanism chosen to update regularly the "sps-metadata.xml" file involves the XMLSecTool & Cron that allow to validate the NREN SPs metadata downloaded the metadata certificate provided and create the "sps-metadata.xml" file as output.
+
+## Configure
+
+Customize the script `get-sps-metadata.sh` to provide your SPs.
+
+## Authors
+
+### Original Author
+
+ * Marco Malavolti (marco.malavolti@garr.it)
diff --git a/cleanAndRunEccs.sh b/cleanAndRunEccs.sh
index bc5af67..641279f 100755
--- a/cleanAndRunEccs.sh
+++ b/cleanAndRunEccs.sh
@@ -4,8 +4,6 @@ BASEDIR=$HOME
-#source $HOME/.bash_profile
-
 # Remove old IdP and Fed List
 rm -f $BASEDIR/eccs/input/*.json
@@ -14,3 +12,6 @@ $BASEDIR/eccs/runEccs.py
 # Run again ECCS2 for those IdPs who failed check
 $BASEDIR/eccs/retryFailedChecks.py
+
+# Remove useless files
+rm -rf /tmp/.com.google.Chrome* /tmp/chromium-*
diff --git a/eccs-sps-md-cron b/eccs-sps-md-cron
deleted file mode 100644
index 749b217..0000000
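Review bot: The two commented-out lines `#RUN mkdir -p /var/log/supervisor \` and `# && chmod -R 0755 /var/log/supervisor` are dead code left in the image definition; the removed block is already preserved in git history. Drop them, and if the directory is no longer needed because supervisord now writes to stdout, record that in one comment instead, e.g. `# no /var/log/supervisor: supervisord.conf logs to /dev/stdout`.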
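Review bot: `rm -rf /tmp/.com.google.Chrome* /tmp/chromium-*` deletes every matching entry under /tmp regardless of who created it or whether a browser is still using it; run from cron with elevated privileges, an overlapping or still-running check would lose its profile directory mid-session. Limit the cleanup to stale entries, e.g. `find /tmp -maxdepth 1 \( -name '.com.google.Chrome*' -o -name 'chromium-*' \) -mmin +60 -exec rm -rf -- {} +`, and add a comment stating where the leftovers come from, e.g. `# Selenium/Chrome profile dirs left behind by crashed checks`. The durable fix is presumably to make sure the driver is quit on every code path in runEccs.py and retryFailedChecks.py, which is outside this hunk.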
--- a/eccs-sps-md-cron
+++ /dev/null
@@ -1 +0,0 @@
-0 3 * * * /bin/bash $HOME/eccs/get-sps-metadata.sh
diff --git a/eccs_cron b/eccs_cron
new file mode 100644
index 0000000..a5db465
--- /dev/null
+++ b/eccs_cron
@@ -0,0 +1,4 @@
+0 3 * * * /usr/bin/touch $HOME/eccs/eccs.ini
+0 3 * * * /bin/bash $HOME/eccs/get-sps-metadata.sh
+0 4 * * * /bin/bash $HOME/eccs/cleanAndRunEccs.sh > /dev/stdout
+0 10 * * * /bin/bash $HOME/eccs/clean7daysOldFiles.sh > /dev/stdout
diff --git a/get-sps-metadata.sh b/get-sps-metadata.sh
index 7db93e3..b23ea9a 100755
--- a/get-sps-metadata.sh
+++ b/get-sps-metadata.sh
@@ -1,12 +1,15 @@
 #!/bin/bash
-sp_md_1="input/sp_md_1.xml"
-sp_md_2="input/sp_md_2.xml"
-output_file="input/sps-metadata.xml"
+eccs_dir="$HOME/eccs"
+
+sp_md_1="$eccs_dir/input/sp_md_1.xml"
+sp_md_2="$eccs_dir/input/sp_md_2.xml"
+output_file="$eccs_dir/input/sps-metadata.xml"
+cert="$eccs_dir/idem-mdx-service-crt.pem"
 # Download SPs metadata only if they are changes since last download
-curl -z $sp_md_1 -o $sp_md_1 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fattribute-viewer.aai.switch.ch%2Finterfederation-test%2Fshibboleth"
-curl -z $sp_md_2 -o $sp_md_2 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fsp-demo.idem.garr.it%2Fshibboleth"
+curl -o $sp_md_1 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fattribute-viewer.aai.switch.ch%2Finterfederation-test%2Fshibboleth"
+curl -o $sp_md_2 "https://mdx.idem.garr.it/edugain/entities/https:%2F%2Fsp-demo.idem.garr.it%2Fshibboleth"
 # Check the existance of the metadata files
 if [ ! -f "$sp_md_1" ] || [ ! -f "$sp_md_2" ]; then
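Review bot: The four entries use the per-user crontab layout (five time fields, then the command), but the Dockerfile installs this file under /etc/cron.d, where the system layout requires a user name between the schedule and the command; as written, cron reads `/usr/bin/touch` or `/bin/bash` as the user and the jobs either never run or are rejected at parse time, depending on the cron implementation. Insert the user on all four lines, e.g. `0 3 * * * root /bin/bash $HOME/eccs/get-sps-metadata.sh`. `$HOME` in a cron.d entry only resolves if the daemon sets it from the user's passwd entry before running the command; spelling the path out (`/root/eccs` when the user is root) removes that dependency. The `> /dev/stdout` redirections point at the job's own stdout, which cron collects for mail rather than the container's stdout, so they do not make the output reach `docker logs`; `> /proc/1/fd/1 2>&1` is the usual way to do that if it is the intent.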
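Review bot: The new `curl -o $sp_md_1 …` lines drop `-z` but keep the comment `# Download SPs metadata only if they are changes since last download`, which is now false, and they still run without `-f`/`--fail`, so an HTTP error page is written over the previous good metadata with exit status 0 and then passes the `-f` existence check on the hunk's last line. Use `curl -fsS -o "$sp_md_1" "…" || exit 1` for both downloads (quoting the path also keeps the script correct if `$HOME` contains spaces) and reword the comment to `# Download SPs metadata (signature is verified below)`. Since `$cert` is now a named input of the script, failing early with `[ -r "$cert" ] || exit 1` next to the metadata existence check would give a clear error instead of a signature-verification failure when the certificate is missing. The script continues in the next hunk.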
@@ -14,8 +17,13 @@ if [ ! -f "$sp_md_1" ] || [ ! -f "$sp_md_2" ]; then
 exit 1
 fi
-sp_md_1_is_valid=$(bash xmlsectool/xmlsectool.sh --verifySignature --certificate idem-mdx-service-crt.pem --inFile input/sp_md_1.xml | grep "XML document signature verified." | wc -l)
-sp_md_2_is_valid=$(bash xmlsectool/xmlsectool.sh --verifySignature --certificate idem-mdx-service-crt.pem --inFile input/sp_md_2.xml | grep "XML document signature verified." | wc -l)
+# Remove previous sps-metadata.xml
+if [ -f "$output_file" ]; then
+ rm $output_file
+fi
+
+sp_md_1_is_valid=$(bash $eccs_dir/xmlsectool/xmlsectool.sh --verifySignature --certificate $cert --inFile $sp_md_1 | grep "XML document signature verified." | wc -l)
+sp_md_2_is_valid=$(bash $eccs_dir/xmlsectool/xmlsectool.sh --verifySignature --certificate $cert --inFile $sp_md_2 | grep "XML document signature verified." | wc -l)
 # Check the validity of both SP metadata files
 if [ $sp_md_1_is_valid -eq 0 ] || [ $sp_md_1_is_valid -eq 0 ]; then
@@ -24,9 +32,8 @@ if [ $sp_md_1_is_valid -eq 0 ] || [ $sp_md_1_is_valid -eq 0 ]; then
 fi
 # Remove XML declaration from both SP Metadata files
-sed -i '1d' "$sp_md_1"
-sed -i '1d' "$sp_md_2"
-
+sed -i '/<?xml/d' "$sp_md_1"
+sed -i '/<?xml/d' "$sp_md_2"
 header='<?xml version="1.0" encoding="UTF-8"?>
 <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index 0f2ab2a..0000000
--- a/requirements.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-click==8.1.2
-Flask==2.1.1
-Flask-RESTful==0.3.9
-requests==2.27.1
-selenium==4.1.3
-urllib3==1.26.9
-uWSGI==2.0.20
diff --git a/supervisord.conf b/supervisord.conf
index 288cab2..a7cb1c2 100644
--- a/supervisord.conf
+++ b/supervisord.conf
@@ -1,6 +1,10 @@
+# Doc: http://supervisord.org/configuration.html
 [supervisord]
 nodaemon=true
 pidfile=/var/run/supervisord/supervisord.pid
+logfile=/dev/stdout
+logfile_maxbytes = 0
+loglevel=info
 user=root
 [unix_http_server]
--
GitLab
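Review bot: The condition on the hunk's last line, `if [ $sp_md_1_is_valid -eq 0 ] || [ $sp_md_1_is_valid -eq 0 ]`, tests `sp_md_1_is_valid` twice and never `sp_md_2_is_valid`, so the result computed for `sp_md_2.xml` on the line just above is discarded and a file whose signature did not verify is still merged into the output; the commit rewrites the two verification lines but leaves this. Change it to `if [ "$sp_md_1_is_valid" -eq 0 ] || [ "$sp_md_2_is_valid" -eq 0 ]; then`. The added `rm $output_file` runs before verification, so a failed check leaves ECCS with no `sps-metadata.xml` at all; if the later write (outside this hunk) uses `>` the removal is redundant, and if it uses `>>` it belongs after the validity check so the last good file survives a failed update. Testing for the success message with `grep … | wc -l` is fragile against output changes; `grep -q` on the exit status, or xmlsectool's own exit code if it is non-zero on a failed verification, is the more robust check.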
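Review bot: `sed -i '/<?xml/d'` deletes every line that contains `<?xml`, so if the MDX service returns the metadata with the declaration and the root element on one line (single-line XML is common), the whole just-verified document is wiped silently; the old `1d` had the mirror-image weakness of deleting line 1 whether or not it was the declaration. If the declaration is always first, a substitution scoped to it handles both layouts: `sed -i '1s/^<?xml[^>]*?>//' "$sp_md_1"` (and the same for `$sp_md_2`). A non-empty check afterward, `[ -s "$sp_md_1" ] && [ -s "$sp_md_2" ] || exit 1`, would catch either failure mode before the header is prepended.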
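Review bot: `logfile_maxbytes = 0` is written with spaces around `=` while every other key in this file uses `key=value`; supervisord's parser accepts both, but one form should be kept, `logfile_maxbytes=0`. Logging to `/dev/stdout` with rotation disabled is the right pairing for a container, and a short comment above the two lines, e.g. `# log to stdout for the container runtime; rotation must stay off for a device file`, would stop rotation from being re-enabled later.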