CSCfi · klaalo · Apr 20, 2021 · Jul 27, 2021 · Jul 27, 2021 · Jul 27, 2021
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,11 @@
 FROM alpine:latest as temp
 
-ENV jetty_version=9.4.29.v20200521 \
-    jetty_hash=71b572d99fe2c1342231ac3bd2e14327f523e532dd01ff203f331d52f2cf2747 \
-    idp_version=4.0.1 \
-    idp_hash=832f73568c5b74a616332258fd9dc555bb20d7dd9056c18dc0ccf52e9292102a \
-    idp_oidcext_version=2.0.0 \
-    idp_oidcext_hash=304eb4e58eadc3377fae02209f8eef6549fd17ac5fd9356ad1216869b75bb23a \
+ENV jetty_version=9.4.43.v20210629 \
+    jetty_hash=01fae654b09932e446019aa859e7af6e05e27dbade12b54cd7bae3249fc723d9 \
+    idp_version=4.1.3 \
+    idp_hash=3aed4aadab89de1560559df4df433e79b9be4731b9235b4557f4198734bad64f \
+    idp_oidcext_version=3.0.1 \
+    idp_oidc_common_version=1.1.0 \
     slf4j_version=1.7.29 \
     slf4j_hash=47b624903c712f9118330ad2fb91d0780f7f666c3f22919d0fc14522c5cad9ea \
     logback_version=1.2.3 \
@@ -33,10 +33,10 @@ LABEL maintainer="CSCfi"\
       idp.jetty.version=$jetty_version \
       idp.version=$idp_version
 
-RUN apk --no-cache add wget tar openjdk11-jre-headless bash gawk
+RUN apk --no-cache add tar openjdk11-jre-headless bash gawk gnupg curl
 
 # JETTY - Download, verify and install with base
-RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \
+RUN curl -sO https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \
     && echo "$jetty_hash  jetty-distribution-$jetty_version.tar.gz" | sha256sum -c - \
     && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt \
     && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home \
@@ -49,7 +49,7 @@ RUN mkdir -p $JETTY_BASE/modules $JETTY_BASE/lib/ext $JETTY_BASE/lib/logging $JE
     && $JAVA_HOME/bin/java -jar $JETTY_HOME/start.jar --create-startd --add-to-start=http2,http2c,deploy,ext,annotations,jstl,rewrite,setuid
 
 # Shibboleth IdP - Download, verify hash and install
-RUN wget -q https://shibboleth.net/downloads/identity-provider/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \
+RUN curl -sO https://shibboleth.net/downloads/identity-provider/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \
     && echo "$idp_hash  shibboleth-identity-provider-$idp_version.tar.gz" | sha256sum -c - \
     && tar -zxvf  shibboleth-identity-provider-$idp_version.tar.gz -C /opt \
     && $IDP_SRC/bin/install.sh \
@@ -66,50 +66,39 @@ RUN wget -q https://shibboleth.net/downloads/identity-provider/$idp_version/shib
     && rm -rf shibboleth-identity-provider-$idp_version
 
 # slf4j - Download, verify and install
-RUN wget -q https://repo1.maven.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \
+RUN curl -sO https://repo1.maven.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \
     && echo "$slf4j_hash  slf4j-api-$slf4j_version.jar" | sha256sum -c - \
     && mv slf4j-api-$slf4j_version.jar $JETTY_BASE/lib/logging/
 
 # logback_classic - Download verify and install
-RUN wget -q https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \
+RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \
     && echo "$logback_classic_hash  logback-classic-$logback_version.jar" | sha256sum -c - \
     && mv logback-classic-$logback_version.jar $JETTY_BASE/lib/logging/
 
 # logback-core - Download, verify and install
-RUN wget -q https://repo1.maven.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \
+RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \
     && echo "$logback_core_hash  logback-core-$logback_version.jar" | sha256sum -c - \
     && mv logback-core-$logback_version.jar $JETTY_BASE/lib/logging/
 
 # logback-access - Download, verify and install
-RUN wget -q https://repo1.maven.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \
+RUN curl -sO https://repo1.maven.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \
     && echo "$logback_access_hash  logback-access-$logback_version.jar" | sha256sum -c - \
     && mv logback-access-$logback_version.jar $JETTY_BASE/lib/logging/
 
 # mariadb-java-client - Donwload, verify and install
-RUN wget -q https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$mariadb_version/mariadb-java-client-$mariadb_version.jar \
+RUN curl -sO https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$mariadb_version/mariadb-java-client-$mariadb_version.jar \
     && echo "$mariadb_hash  mariadb-java-client-$mariadb_version.jar" | sha256sum -c - \
     && mv mariadb-java-client-$mariadb_version.jar $IDP_HOME/edit-webapp/WEB-INF/lib/
 
-# idp-oidc-extension - Donwload, verify and install
-RUN wget -q https://shibboleth.net/downloads/identity-provider/extensions/java-idp-oidc/$idp_oidcext_version/idp-oidc-extension-distribution-$idp_oidcext_version-bin.tar.gz \
-    && echo "$idp_oidcext_hash  idp-oidc-extension-distribution-$idp_oidcext_version-bin.tar.gz" | sha256sum -c - \
-    && tar -zxvf idp-oidc-extension-distribution-$idp_oidcext_version-bin.tar.gz -C /opt/shibboleth-idp --strip-components=1 \
-    && rm idp-oidc-extension-distribution-$idp_oidcext_version-bin.tar.gz \
-    && $IDP_HOME/bin/build.sh -Didp.target.dir=$IDP_HOME
-
-# idp-oidc-extension - Configuration 
-RUN grep -q 'oidc-relying-party.xml' $IDP_HOME/conf/relying-party.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"oidc-relying-party.xml\" />\n"; n++}' $IDP_HOME/conf/relying-party.xml \
-    && grep -q 'global-oidc.xml' $IDP_HOME/conf/global.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"global-oidc.xml\" />\n"; n++}' $IDP_HOME/conf/global.xml \
-    && grep -q 'credentials-oidc.xml' $IDP_HOME/conf/credentials.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"credentials-oidc.xml\" />\n"; n++}' $IDP_HOME/conf/credentials.xml \
-    && grep -q 'services-oidc.xml' $IDP_HOME/conf/services.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"services-oidc.xml\" />\n"; n++}' $IDP_HOME/conf/services.xml \
-		&& grep -q 'schac.xml' $IDP_HOME/conf/attributes/default-rules.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"schac.xml\" />\n"; n++}' $IDP_HOME/conf/attributes/default-rules.xml \
-		&& grep -q 'funetEduPerson.xml' $IDP_HOME/conf/attributes/default-rules.xml || gawk -i inplace '{print} /-->/ && !n {print "    <import resource=\"funetEduPerson.xml\" />\n"; n++}' $IDP_HOME/conf/attributes/default-rules.xml \
-    && grep -q 'oidc-subject.properties' $IDP_HOME/conf/idp.properties || sed -i '/^idp.additionalProperties=/ s/$/\, \/conf\/oidc-subject.properties\, \/conf\/idp-oidc.properties/' $IDP_HOME/conf/idp.properties \
-    && gawk -i inplace '/^#?idp.oidc.issuer/ {$0="idp.oidc.issuer = $IDP_HOST_NAME"} 1' $IDP_HOME/conf/idp-oidc.properties \
-    && INI=jetty.setuid.groupName;VALUE=root; sed -i 's/.*'$INI'=.*/'$INI'='$VALUE'/' $JETTY_BASE/start.d/setuid.ini \
-    && cp $IDP_HOME/conf/attribute-filter-oidc.xml $IDP_HOME/conf/attribute-filter.xml \
-    && cp $IDP_HOME/conf/attribute-resolver-oidc.xml $IDP_HOME/conf/attribute-resolver.xml \
-    && cp $IDP_HOME/conf/authn/authn-comparison-oidc.xml $IDP_HOME/conf/authn/authn-comparison.xml
+# Run Jetty with suid
+RUN INI=jetty.setuid.groupName;VALUE=root; sed -i 's/.*'$INI'=.*/'$INI'='$VALUE'/' $JETTY_BASE/start.d/setuid.ini
+
+# Install plugins
+# See: https://stackoverflow.com/questions/34212230/using-bouncycastle-with-gnupg-2-1s-pubring-kbx-file
+RUN curl -s https://shibboleth.net/downloads/PGP_KEYS | gpg --import && \ 
+    gpg --export > /root/.gnupg/pubring.gpg && \
+    ${IDP_HOME}/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/$idp_oidc_common_version/oidc-common-dist-$idp_oidc_common_version.tar.gz --truststore /root/.gnupg/pubring.gpg --noPrompt && \
+    ${IDP_HOME}/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-op/$idp_oidcext_version/idp-plugin-oidc-op-distribution-$idp_oidcext_version.tar.gz --truststore /root/.gnupg/pubring.gpg --noPrompt
 
 COPY opt/shibboleth-idp/ /opt/shibboleth-idp/