Build shibboleth-idp for testing purposes (#91216) (#91293)

We currently use unicon/shibboleth-idp:3.4.2 to help test our SAML integration.
That container is no longer actively supported and does not support
ARM architectures.

This commit is a partial clone from Unicon/shibboleth-idp-dockerized 3.4.3.

Changes from upstream include:

    Use openjdk:11.0.16-jre as the base image for support for ARM architectures
    Handle missing keystore download from Jetty
    Fix URL paths for artifacts to download

Changes to this repository include:

    Copied required Jetty configuration files from upstream project
    Updates to docker compose
    Placed the missing keystore Jetty downloads in a separate location (jetty-custom)

The final result is a bit messy. Mixing cloned files with custom files and mixing
Jetty and IDP concerns. However, it is not much messier than prior and now
that we control building the image we can more easily upgrade shibboleth IDP
The upgrade to the latest version is fairly involved and as such we will need to
deviate more from the clone which should allow some additional clean up.

part of: #71378
related: #91144
supersedes: #89674

Author: jakelandis

x-pack/qa/saml-idp-tests/build.gradle

@@ -1,5 +1,3 @@
-import org.elasticsearch.gradle.Architecture
-
 Project idpFixtureProject = xpackProject("test:idp-fixture")
 
 apply plugin: 'elasticsearch.internal-java-rest-test'
@@ -13,17 +11,17 @@ dependencies {
 testFixtures.useFixture ":x-pack:test:idp-fixture"
 
 String outputDir = "${project.buildDir}/generated-resources/${project.name}"
-def copyIdpFiles = tasks.register("copyIdpFiles", Copy) {
+def copyIdpFiles = tasks.register("copyIdpFiles", Sync) {
   from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml',
     'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt');
   into outputDir
+  outputs.upToDateWhen { false } //ensure this copy is always done to prevent stale configuration
 }
 
 def setupPorts = tasks.register("setupPorts") {
   dependsOn copyIdpFiles, idpFixtureProject.postProcessFixture
   // Don't attempt to get ephemeral ports when Docker is not available
-  // Also, shibboleth fixture is not available on aarch64
-  onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false && Architecture.current() == Architecture.X64 }
+  onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false }
   doLast {
     String portString = idpFixtureProject.postProcessFixture.ext."test.fixtures.shibboleth-idp.tcp.4443"
     int ephemeralPort = Integer.valueOf(portString)
@@ -43,7 +41,7 @@ project.sourceSets.javaRestTest.output.dir(outputDir, builtBy: [copyIdpFiles])
 
 tasks.named("javaRestTest").configure {
   dependsOn setupPorts
-  onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false && Architecture.current() == Architecture.X64 }
+  onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false }
 }
 
 testClusters.matching { it.name == "javaRestTest" }.configureEach {

x-pack/test/idp-fixture/docker-compose.yml

@@ -137,22 +137,20 @@ services:
       - ./openldap/certs:/container/service/slapd/assets/certs
 
   shibboleth-idp:
-    image: "unicon/shibboleth-idp:3.4.2"
+    build:
+      context: .
+      dockerfile: ./idp/Dockerfile
     depends_on:
       - openldap
     environment:
       - JETTY_MAX_HEAP=64m
-      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret
-      - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
     ports:
-      - "4443"
+      - 4443
+    expose:
+      - 4443
     links:
       - openldap:openldap
-    volumes:
-      - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
-      - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
-      - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
-      - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
+    restart: always #ensure ephemeral port mappings are properly updated
 
   oidc-provider:
     build:

x-pack/test/idp-fixture/idp/Dockerfile

@@ -0,0 +1,92 @@
+FROM openjdk:11.0.16-jre AS javabase
+
+ENV JAVA_HOME=/usr/local/openjdk-11
+
+# below is mostly a fork from https://github.com/Unicon/shibboleth-idp-dockerized/blob/master/Dockerfile
+# building entire image to allow for easier upgrades since published image has not been updated for years
+ENV jetty_version=9.3.27.v20190418 \
+    jetty_hash=7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa \
+    idp_version=3.4.3 \
+    idp_hash=eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db \
+    dta_hash=2f547074b06952b94c35631398f36746820a7697 \
+    slf4j_version=1.7.25 \
+    slf4j_hash=da76ca59f6a57ee3102f8f9bd9cee742973efa8a \
+    logback_version=1.2.3 \
+    logback_classic_hash=7c4f3c474fb2c041d8028740440937705ebb473a \
+    logback_core_hash=864344400c3d4d92dfeb0a305dc87d953677c03c \
+    logback_access_hash=e8a841cb796f6423c7afd8738df6e0e4052bf24a
+
+ENV JETTY_HOME=/opt/jetty-home \
+    JETTY_BASE=/opt/shib-jetty-base \
+    PATH=$PATH:$JAVA_HOME/bin \
+    JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret \
+    JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
+
+# Manually override the jetty keystore otherwise it will attempt to download and fail
+RUN mkdir -p /opt/shib-jetty-base/modules
+COPY ./idp/jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod
+COPY ./idp/jetty-custom/keystore /opt/shib-jetty-base/etc/keystore
+
+# Download Jetty, verify the hash, and install, initialize a new base
+RUN wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \
+    && echo "$jetty_hash  jetty-distribution-$jetty_version.tar.gz" | sha1sum -c - \
+    && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt \
+    && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home
+
+# Config Jetty
+RUN mkdir -p /opt/shib-jetty-base/modules /opt/shib-jetty-base/lib/ext  /opt/shib-jetty-base/lib/logging /opt/shib-jetty-base/resources \
+    && cd /opt/shib-jetty-base \
+    && touch start.ini \
+    && java -jar ../jetty-home/start.jar --add-to-startd=http,https,deploy,ext,annotations,jstl,rewrite
+
+# Download Shibboleth IdP, verify the hash, and install
+RUN wget -q https://shibboleth.net/downloads/identity-provider/archive/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \
+    && echo "$idp_hash  shibboleth-identity-provider-$idp_version.tar.gz" | sha256sum -c - \
+    && tar -zxvf  shibboleth-identity-provider-$idp_version.tar.gz -C /opt \
+    && ln -s /opt/shibboleth-identity-provider-$idp_version/ /opt/shibboleth-idp
+
+# Download the library to allow SOAP Endpoints, verify the hash, and place
+RUN wget -q https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty9/jetty9-dta-ssl/1.0.0/jetty9-dta-ssl-1.0.0.jar \
+    && echo "$dta_hash  jetty9-dta-ssl-1.0.0.jar" | sha1sum -c - \
+    && mv jetty9-dta-ssl-1.0.0.jar /opt/shib-jetty-base/lib/ext/
+
+# Download the slf4j library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \
+    && echo "$slf4j_hash  slf4j-api-$slf4j_version.jar" | sha1sum -c - \
+    && mv slf4j-api-$slf4j_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback_classic library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \
+    && echo "$logback_classic_hash  logback-classic-$logback_version.jar" | sha1sum -c - \
+    && mv logback-classic-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback-core library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \
+    && echo "$logback_core_hash logback-core-$logback_version.jar" | sha1sum -c - \
+    && mv logback-core-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback-access library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \
+    && echo "$logback_access_hash logback-access-$logback_version.jar" | sha1sum -c - \
+    && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+## Copy local files
+COPY idp/shib-jetty-base/ /opt/shib-jetty-base/
+COPY idp/shibboleth-idp/ /opt/shibboleth-idp/
+COPY idp/bin/ /usr/local/bin/
+
+# Setting owner ownership and permissions
+RUN useradd jetty -U -s /bin/false \
+    && chown -R root:jetty /opt \
+    && chmod -R 640 /opt \
+    && chown -R root:jetty /opt/shib-jetty-base \
+    && chmod -R 640 /opt/shib-jetty-base \
+    && chmod -R 750 /opt/shibboleth-idp/bin
+
+RUN chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh
+RUN chmod +x /opt/jetty-home/bin/jetty.sh
+
+# Opening 4443 (browser TLS), 8443 (mutual auth TLS)
+EXPOSE 4443 8443
+
+CMD ["run-jetty.sh"]

x-pack/test/idp-fixture/idp/bin/init-idp.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+cd /opt/shibboleth-idp/bin
+
+echo "Please complete the following for your IdP environment:"
+./ant.sh -Didp.target.dir=/opt/shibboleth-idp-tmp -Didp.src.dir=/opt/shibboleth-idp/ install
+
+find /opt/shibboleth-idp-tmp/ -type d -exec chmod 750 {} \;
+
+mkdir -p /ext-mount/customized-shibboleth-idp/conf/
+chmod -R 750 /ext-mount/customized-shibboleth-idp/
+
+# Copy the essential and routinely customized config to out Docker mount.
+cd /opt/shibboleth-idp-tmp
+cp -r credentials/ /ext-mount/customized-shibboleth-idp/
+cp -r metadata/ /ext-mount/customized-shibboleth-idp/
+cp conf/{attribute-resolver*.xml,attribute-filter.xml,cas-protocol.xml,idp.properties,ldap.properties,metadata-providers.xml,relying-party.xml,saml-nameid.*} /ext-mount/customized-shibboleth-idp/conf/
+
+# Copy the basic UI components, which are routinely customized
+cp -r views/ /ext-mount/customized-shibboleth-idp/
+mkdir /ext-mount/customized-shibboleth-idp/webapp/
+cp -r edit-webapp/css/ /ext-mount/customized-shibboleth-idp/webapp/
+cp -r edit-webapp/images/ /ext-mount/customized-shibboleth-idp/webapp/
+rm -r /ext-mount/customized-shibboleth-idp/views/user-prefs.js
+
+echo "A basic Shibboleth IdP config and UI has been copied to ./customized-shibboleth-idp/ (assuming the default volume mapping was used)."
+echo "Most files, if not being customized can be removed from what was exported/the local Docker image and baseline files will be used."

x-pack/test/idp-fixture/idp/bin/run-jetty.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#set -x
+
+if [ -e "/opt/shibboleth-idp/ext-conf/idp-secrets.properties" ]; then
+  export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty.backchannel.sslContext.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+  export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty\.sslContext\.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+fi
+
+export JETTY_ARGS="jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD jetty.backchannel.sslContext.keyStorePassword=$JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD"
+sed -i "s/^-Xmx.*$/-Xmx$JETTY_MAX_HEAP/g" /opt/shib-jetty-base/start.ini
+
+exec /opt/jetty-home/bin/jetty.sh run

x-pack/test/idp-fixture/idp/jetty-custom/keystore

@@ -0,0 +1,102 @@
+#
+# SSL Keystore module
+#
+
+[name]
+ssl
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+etc/jetty-ssl-context.xml
+
+[files]
+# keystore originally sourced from https://github.com/eclipse/jetty.project/raw/jetty-9.3.x/jetty-server/src/main/config/etc/keystore
+/opt/shib-jetty-base/etc/keystore
+
+[ini-template]
+### TLS(SSL) Connector Configuration
+
+## Connector host/address to bind to
+# jetty.ssl.host=0.0.0.0
+
+## Connector port to listen on
+# jetty.ssl.port=8443
+
+## Connector idle timeout in milliseconds
+# jetty.ssl.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.ssl.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.ssl.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.ssl.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.ssl.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.ssl.acceptorPriorityDelta=0
+
+## Whether request host names are checked to match any SNI names
+# jetty.ssl.sniHostCheck=true
+
+## max age in seconds for a Strict-Transport-Security response header (default -1)
+# jetty.ssl.stsMaxAgeSeconds=31536000
+
+## include subdomain property in any Strict-Transport-Security header (default false)
+# jetty.ssl.stsIncludeSubdomains=true
+
+### SslContextFactory Configuration
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+
+## Keystore file path (relative to $jetty.base)
+# jetty.sslContext.keyStorePath=etc/keystore
+
+## Truststore file path (relative to $jetty.base)
+# jetty.sslContext.trustStorePath=etc/keystore
+
+## Keystore password
+# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+
+## Keystore type and provider
+# jetty.sslContext.keyStoreType=JKS
+# jetty.sslContext.keyStoreProvider=
+
+## KeyManager password
+# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
+
+## Truststore password
+# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+
+## Truststore type and provider
+# jetty.sslContext.trustStoreType=JKS
+# jetty.sslContext.trustStoreProvider=
+
+## whether client certificate authentication is required
+# jetty.sslContext.needClientAuth=false
+
+## Whether client certificate authentication is desired
+# jetty.sslContext.wantClientAuth=false
+
+## Whether cipher order is significant (since java 8 only)
+# jetty.sslContext.useCipherSuitesOrder=true
+
+## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at
+## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites
+
+## Set the size of the SslSession cache
+# jetty.sslContext.sslSessionCacheSize=-1
+
+## Set the timeout (in seconds) of the SslSession cache timeout
+# jetty.sslContext.sslSessionTimeout=-1
+
+## Allow SSL renegotiation
+# jetty.sslContext.renegotiationAllowed=true
+# jetty.sslContext.renegotiationLimit=5

x-pack/test/idp-fixture/idp/jetty-custom/ssl.mod

@@ -0,0 +1,90 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+ 
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+  
+ <!-- ============================================================= -->
+  <!-- TLS context factory with optional client auth                 -->
+  <!-- and no container trust (delegate to application)              -->
+  <!-- for backchannel (SOAP) communication to IdP                   -->
+  <!-- ============================================================= -->
+  <New id="shibContextFactory" class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
+    <Set name="KeyStorePath"><Property name="jetty.backchannel.sslContext.keyStorePath" /></Set>
+    <Set name="KeyStoreType"><Property name="jetty.backchannel.sslContext.keyStoreType" /></Set>
+    <Set name="KeyStorePassword"><Property name="jetty.backchannel.sslContext.keyStorePassword" /></Set>
+    <!-- This is a tweak to work around a bug in Jetty when using the PKCS12 keystore type. -->
+    <Set name="TrustStoreType"><Property name="jetty.backchannel.sslContext.keyStoreType" /></Set>
+    <Set name="EndpointIdentificationAlgorithm"></Set>
+    <Set name="renegotiationAllowed">false</Set>
+    <Set name="useCipherSuitesOrder">true</Set>
+    <Set name="excludeProtocols">
+      <Array type="String">
+        <Item>SSL</Item>
+        <Item>SSLv2</Item>
+        <Item>SSLv3</Item>
+      </Array>
+    </Set>
+    <Set name="IncludeCipherSuites">
+      <Array type="String">
+        <Item>TLS_ECDHE.*</Item>
+        <Item>TLS_RSA.*</Item>
+      </Array>
+    </Set>
+    <Set name="ExcludeCipherSuites">
+      <Array type="String">
+        <Item>.*NULL.*</Item>
+        <Item>.*RC4.*</Item>
+        <Item>.*MD5.*</Item>
+        <Item>.*DES.*</Item>
+        <Item>.*DSS.*</Item>
+      </Array>
+    </Set>
+  </New>
+ 
+  <New id="shibHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+    <Arg><Ref refid="httpConfig"/></Arg>
+    <Call name="addCustomizer">
+      <Arg>
+        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
+          <Arg type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
+        </New>
+      </Arg>
+    </Call>
+  </New>
+ 
+  <!-- ============================================================= -->
+  <!-- IdP SOAP protocol connector                                   -->
+  <!-- ============================================================= -->
+  <Call id="shibConnector" name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server"><Ref refid="Server" /></Arg>
+        <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" default="-1"/></Arg>
+        <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" default="-1"/></Arg>
+        <Arg name="factories">
+          <Array type="org.eclipse.jetty.server.ConnectionFactory">
+            <Item>
+              <New class="org.eclipse.jetty.server.SslConnectionFactory">
+                <Arg name="next">http/1.1</Arg>
+                <Arg name="sslContextFactory"><Ref refid="shibContextFactory"/></Arg>
+              </New>
+            </Item>
+            <Item>
+              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+                <Arg name="config"><Ref refid="shibHttpConfig"/></Arg>
+              </New>
+            </Item>
+          </Array>
+        </Arg>
+        <Set name="host"><Property name="jetty.backchannel.host" default="0.0.0.0" /></Set>
+        <Set name="port"><Property name="jetty.backchannel.port" default="8443"/></Set>
+        <Set name="idleTimeout"><Property name="jetty.ssl.timeout" default="30000"/></Set>
+        <Set name="soLingerTime"><Property name="jetty.ssl.soLingerTime" default="-1"/></Set>
+        <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" default="0"/></Set>
+        <Set name="selectorPriorityDelta"><Property name="jetty.ssl.selectorPriorityDelta" default="0"/></Set>
+        <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" default="0"/></Set>
+      </New>
+    </Arg>
+  </Call>
+ 
+</Configure>