New docker image, dockerfile and cie integration

Dockerfile

@@ -1,19 +1,6 @@
-FROM alpine:3.12.3
-MAINTAINER Giuseppe De Marco <demarcog83@gmail.com>
-
-RUN apk update
-RUN apk add xmlsec libffi-dev libressl-dev python3 py3-pip python3-dev procps git openssl build-base gcc wget bash
+FROM alpine:3.13.5
 
 ENV BASEDIR="/satosa_proxy"
-COPY example/ $BASEDIR/
-COPY requirements.txt $BASEDIR/
-
-# demo certificates
-RUN mkdir $BASEDIR/pki/
-COPY oids.conf $BASEDIR/pki/
-COPY build_spid_certs.sh $BASEDIR/pki/
-WORKDIR $BASEDIR/pki/
-RUN chmod 755 $BASEDIR/pki/build_spid_certs.sh
 
 ENV COMMON_NAME="SPID example proxy"
 ENV LOCALITY_NAME="Roma"
@@ -24,24 +11,51 @@ ENV SPID_SECTOR="public"
 ENV URI="https://spid.proxy.example.org"
 ENV DAYS="7300"
 
-RUN $BASEDIR/pki/build_spid_certs.sh
+ENV SATOSA_DISCO_SRV="https://localhost:9999/disco.html"
 
-WORKDIR $BASEDIR/
-RUN pip3 install -r requirements.txt --ignore-installed
+RUN apk add --update --no-cache tzdata \
+ && cp /usr/share/zoneinfo/Europe/Rome /etc/localtime \
+ && echo "Europe/Rome" > /etc/timezone \
+ && apk del tzdata
 
-# Metadata
-RUN mkdir -p metadata/idp
-RUN mkdir -p metadata/sp
+COPY example/ $BASEDIR/
+COPY requirements.txt $BASEDIR/
+COPY oids.conf $BASEDIR/pki/
+COPY build_spid_certs.sh $BASEDIR/pki/
 
-# COPY Metadata
-ARG SP_METADATA_URL
-ARG IDP_METADATA_URL
-RUN wget $SP_METADATA_URL -O metadata/sp/my-sp.xml --no-check-certificate
-RUN wget $IDP_METADATA_URL -O metadata/idp/my-idp.xml --no-check-certificate
-RUN wget https://registry.spid.gov.it/metadata/idp/spid-entities-idps.xml -O metadata/idp/spid-entities-idps.xml
+RUN apk add --update xmlsec libffi-dev libressl-dev python3 py3-pip python3-dev procps git openssl build-base gcc wget bash jq \
+&& cd $BASEDIR/pki/ \
+&& chmod 755 $BASEDIR/pki/build_spid_certs.sh \
+&& $BASEDIR/pki/build_spid_certs.sh \
+&& cd $BASEDIR/ \
+&& pip3 install --upgrade pip \
+&& pip3 install yq \
+&& pip3 install -r requirements.txt --ignore-installed \
+&& wget https://registry.spid.gov.it/metadata/idp/spid-entities-idps.xml -O metadata/idp/spid-entities-idps.xml \
+&& adduser --disabled-password wert \
+&& chown -R  wert . \
+&& chmod +x run.sh
+
+USER wert
 
-RUN adduser --disabled-password wert
-RUN chown -R  wert .
+WORKDIR $BASEDIR/
 
-COPY demo-run.sh .
-CMD bash demo-run.sh
+CMD bash run.sh
+
+# Metadata params
+ARG BUILD_DATE
+ARG VERSION
+ARG VCS_URL="https://github.com/IDEM-GARR-AAI/Satosa-Saml2Spid.git"
+ARG VCS_REF
+ARG AUTHORS
+ARG VENDOR
+
+# Metadata : https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.authors=$AUTHORS \
+      org.opencontainers.image.vendor=$VENDOR \
+      org.opencontainers.image.title="Satosa-Saml2Spid" \
+      org.opencontainers.image.created=$BUILD_DATE \
+      org.opencontainers.image.version=$VERSION \
+      org.opencontainers.image.source=$VCS_URL \
+      org.opencontainers.image.revision=$VCS_REF \
+      org.opencontainers.image.description="Docker Image di Satosa-Saml2Spid."

compose-Satosa-Saml2Spid/docker-compose.yml

@@ -0,0 +1,151 @@
+version: '3'
+services:
+
+  satosa-mongo:
+    image: mongo
+    container_name: satosa-mongo
+    restart: always
+    environment:
+      MONGO_INITDB_DATABASE: oidcop
+      MONGO_INITDB_ROOT_USERNAME: satosa
+      MONGO_INITDB_ROOT_PASSWORD: thatpassword
+    volumes:
+      - mongodata:/data/db
+      - /usr/share/zoneinfo/Europe/Rome:/etc/localtime:ro
+      - ./init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
+    ports:
+      - '27017-27019:27017-27019'
+
+  satosa-mongo-express:
+    image: mongo-express
+    container_name: satosa-mongo-express
+    restart: always
+    ports:
+      - 8082:8081
+    environment:
+      ME_CONFIG_BASICAUTH_USERNAME: satosauser
+      ME_CONFIG_BASICAUTH_PASSWORD: satosapw
+      ME_CONFIG_MONGODB_ADMINUSERNAME: satosa
+      ME_CONFIG_MONGODB_ADMINPASSWORD: thatpassword
+      ME_CONFIG_MONGODB_URL: mongodb://satosa:thatpassword@satosa-mongo:27017/
+
+  satosa-saml2spid:
+    image: scolagreco/satosa-saml2spid
+    container_name: satosa-saml2spid
+    depends_on:
+      - satosa-mongo
+    environment:
+      - SATOSA_BY_DOCKER=1
+
+      - SATOSA_BASE=https://$HOSTNAME
+      # - SATOSA_CONTACT_PERSON_EMAIL_ADDRESS=support.example@organization.org
+      # - SATOSA_CONTACT_PERSON_FISCALCODE=01234567890
+      # - SATOSA_CONTACT_PERSON_GIVEN_NAME=Name
+      # - SATOSA_CONTACT_PERSON_TELEPHONE_NUMBER=06123456789
+      - SATOSA_DISCO_SRV=https://$HOSTNAME/static/disco.html
+      # - SATOSA_ENCRYPTION_KEY=
+      # - SATOSA_MONGODB_PASSWORD=
+      # - SATOSA_MONGODB_USERNAME
+      # - SATOSA_ORGANIZATION_DISPLAY_NAME_EN=Resource provided by Example Organization
+      # - SATOSA_ORGANIZATION_DISPLAY_NAME_IT=Resource provided by Example Organization
+      # - SATOSA_ORGANIZATION_NAME_EN=Resource provided by Example Organization
+      # - SATOSA_ORGANIZATION_NAME_IT=Resource provided by Example Organization
+      # - SATOSA_ORGANIZATION_URL_EN=https://example_organization.org
+      # - SATOSA_ORGANIZATION_URL_IT=https://example_organization.org
+      # - SATOSA_PRIVATE_KEYS=
+      # - SATOSA_PUBLIC_KEY=
+      # - SATOSA_SALT=
+      # - SATOSA_STATE_ENCRYPTION_KEY
+      # - SATOSA_UI_DESCRIPTION_EN=Resource description
+      # - SATOSA_UI_DESCRIPTION_IT=Resource description
+      # - SATOSA_UI_DISPLAY_NAME_EN=Resource Display Name
+      # - SATOSA_UI_DISPLAY_NAME_IT=Resource Display Name
+      # - SATOSA_UI_INFORMATION_URL_EN=https://example_organization.org/information_url_en
+      # - SATOSA_UI_INFORMATION_URL_IT=https://example_organization.org/information_url_en
+      # - SATOSA_UI_LOGO_HEIGHT=60
+      # - SATOSA_UI_LOGO_URL=https://example_organization.org/logo.png
+      # - SATOSA_UI_LOGO_WIDTH=80
+      # - SATOSA_UI_PRIVACY_URL_EN=https://example_organization.org/privacy_en
+      # - SATOSA_UI_PRIVACY_URL_IT=https://example_organization.org/privacy_en
+      - SATOSA_UNKNOW_ERROR_REDIRECT_PAGE=https://$HOSTNAME/static/error_page.html
+      # - SATOSA_USER_ID_HASH_SALT
+    expose:
+      - 10000
+      - 9999
+    ports:
+      - "10000:10000"
+      - "9999:9999"
+    volumes:
+       - /usr/share/zoneinfo/Europe/Rome:/etc/localtime:ro
+       - ./run.sh:/satosa_proxy/run.sh
+#       - satosa_base_static:/satosa_proxy/static/:ro    # Togliere il commento a questo volume se nel container satosa-nginx si vuole utilizzare la directory interna con i file statici. 
+#       - ./oidc_op_frontend.yaml:/satosa_proxy/plugins/frontends/oidc_op_frontend.yaml
+#      - satosa_certs:/satosa_pki
+#      - satosa_conf:/satosa_proxy
+#      - satosa_logs:/satosa_logs
+
+  satosa-nginx:
+    image: nginx:alpine
+    container_name: satosa-nginx
+    depends_on:
+      - satosa-saml2spid
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf_uwsgi_pass:/etc/nginx/nginx.conf:ro
+      - ./nginx/50x.html:/usr/share/nginx/html/50x.html:ro
+      - ./nginx/404.html:/usr/share/nginx/html/404.html:ro
+      - ./nginx/403.html:/usr/share/nginx/html/403.html:ro
+      - ./nginx/certs/:/etc/nginx/certs/:ro
+      - satosa_static:/var/www/html/:ro        # Monta la directory static locale, esterna ai container, può essere customizzata.
+#      - satosa_base_static:/var/www/html/:ro    # Monta la directory static del volume interno al container satosa-saml2spid.
+#    environment:
+#      - NGINX_HOST=foobar.com
+#      - NGINX_PORT=80
+
+volumes:
+
+  satosa_base_static:
+
+  satosa_static:
+    driver_opts:
+      type: none
+      device: $PWD/nginx/satosa_static/
+      o: bind
+
+  mongodata:
+    driver_opts:
+      type: none
+      device: $PWD/mongodata/
+      o: bind
+
+  nginx_certs:
+    driver_opts:
+      type: none
+      device: $PWD/nginx/certs/
+      o: bind
+
+#  satosa_certs:
+#    driver_opts:
+#      type: none
+#      device: $PWD/satosa/certs/
+#      o: bind
+
+#  satosa_conf:
+#    driver_opts:
+#      type: none
+#      device: $PWD/satosa/conf/
+#      o: bind
+
+#  satosa_logs:
+#    driver_opts:
+#      type: none
+#      device: $PWD/satosa/logs/
+#      o: bind
+
+#  nginx_conf:
+#    driver_opts:
+#      type: none
+#      device: $PWD/nginx/
+#      o: bind

compose-Satosa-Saml2Spid/init-mongo.js

@@ -0,0 +1,29 @@
+// create satosa user grants
+// use oidcop
+db.createUser(
+  {
+    user: "satosa",
+    pwd:  "thatpassword",
+    roles: [
+        { role: "readWrite", db: "oidcop" }
+    ]
+  }
+)
+
+// make client_id unique
+db.client.createIndex( { "client_id": 1 }, { unique: true } )
+db.client.createIndex( { "registration_access_token": 1 }, { unique: true } )
+
+// make access_token and sid unique
+db.session.createIndex( { "sid": 1 }, { unique: true } )
+
+// create expired session deletion
+db.session.createIndex(
+  { expires_at: 1 },
+  { expireAfterSeconds: 0, partialFilterExpression: { count: { $gt: 2 } } }
+);
+
+// insert a test client like this
+db.client.insertOne(
+    {"client_id": "jbxedfmfyc", "client_name": "ciro", "client_salt": "6flfsj0Z", "registration_access_token": "z3PCMmC1HZ1QmXeXGOQMJpWQNQynM4xY", "registration_client_uri": "https://localhost:10000/registration_api?client_id=jbxedfmfyc", "client_id_issued_at": 1630952311.410208, "client_secret": "19cc69b70d0108f630e52f72f7a3bd37ba4e11678ad1a7434e9818e1", "client_secret_expires_at": 1662488311.410214, "application_type": "web", "contacts": ["ops@example.com"], "token_endpoint_auth_method": "client_secret_basic", "redirect_uris": [["https://localhost:8090/authz_cb/satosa", {}]], "post_logout_redirect_uris": [["https://localhost:8090/session_logout/satosa", null]], "response_types": ["code"], "grant_types": ["authorization_code"], "allowed_scopes": ["openid", "profile", "email", "offline_access"]}
+)

compose-Satosa-Saml2Spid/mongodata/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

compose-Satosa-Saml2Spid/nginx/403.html

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Forbidden</title>
+<style>
+html { color-scheme: light dark; }
+body {
+  width: 35em;
+  margin: 0 auto;
+  font-family: Tahoma, Verdana, Arial, sans-serif;
+}
+h1 {
+  display: block;
+  font-size: 4em;
+  margin-top: 0.67em;
+  margin-bottom: 0.67em;
+  margin-left: 0;
+  margin-right: 0;
+  font-weight: bold;
+}
+</style>
+</head>
+<body>
+<h1 style="text-align:center">403</h1>
+<h3 style="text-align:center">Forbidden</h3>
+<p>You don't have permission to access.</p>
+<br/>
+<p><em>Faithfully yours, nginx.</em></p>
+</body>
+</html>

compose-Satosa-Saml2Spid/nginx/404.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Page not found</title>
+<style>
+html { color-scheme: light dark; }
+body {
+  width: 35em;
+  margin: 0 auto;
+  font-family: Tahoma, Verdana, Arial, sans-serif;
+}
+h1 {
+  display: block;
+  font-size: 4em;
+  margin-top: 0.67em;
+  margin-bottom: 0.67em;
+  margin-left: 0;
+  margin-right: 0;
+  font-weight: bold;
+}
+</style>
+</head>
+<body>
+<h1 style="text-align:center">404</h1>
+<h3 style="text-align:center">Page not found</h3>
+<p>Sorry, the page you are looking doesn't exist,<br/>
+or other error occured.</p>
+<p>If you are the system administrator of this resource then you should check
+the error log for details.</p>
+<h3 style="text-align:center">Pagina non trovata</h3>
+<p>La pagina che stava cercando non esiste su questo server,<br/>
+oppure e' occorso un'altro tipo di errore.</p>
+<p>Se sei l'amministratore di questa risorsa magari puoi
+trovare dettagli interessanti nei log.</p>
+<br/>
+<p><em>Faithfully yours, nginx.</em></p>
+</body>
+</html>

compose-Satosa-Saml2Spid/nginx/50x.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Error</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>An error occurred.</h1>
+<p>Sorry, the page you are looking for is currently unavailable.<br/>
+Please try again later.</p>
+<p>If you are the system administrator of this resource then you should check
+the error log for details.</p>
+<p><em>Faithfully yours, nginx.</em></p>
+</body>
+</html>