Added Dockerfiles and Docker Compose demo

Dockerfile

-FROM ubuntu:18.10
-
-# To fix "configuring tzdata" interactive input during apt install
-ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && \
-    apt-get install -yq --no-install-recommends \
-    apache2 \
-    libapache2-mod-php7.2 \
-    php7.2-xml \
-    php7.2-mbstring \
-    php-mysql \
-    php-curl \
-    libapache2-mod-shib2 \
-    make \
-    wget \
-    ca-certificates \
-    ssl-cert \
-    vim
-
-# Copying Shibboleth SP configuration
-COPY docker/shibboleth/shibboleth2.xml /etc/shibboleth/
-COPY docker/shibboleth/sp-key.pem /etc/shibboleth/
-COPY docker/shibboleth/sp-cert.pem /etc/shibboleth/
-    
-# Installing Embedded Discovery Service
-WORKDIR /usr/local/src
-
-RUN wget https://shibboleth.net/downloads/embedded-discovery-service/1.2.1/shibboleth-embedded-ds-1.2.1.tar.gz -O shibboleth-eds.tar.gz
-RUN tar xzf shibboleth-eds.tar.gz
-
-WORKDIR shibboleth-embedded-ds-1.2.1
-RUN make install
-
-RUN mv /etc/shibboleth-ds/shibboleth-ds.conf /etc/apache2/conf-available/shibboleth-ds.conf
-RUN sed -i 's/Allow from All/Require all granted/g' /etc/apache2/conf-available/shibboleth-ds.conf
-RUN a2enconf shibboleth-ds.conf
-
-# Adding RAP Apache configuration
-COPY docker/rap.conf /etc/apache2/conf-available/
-RUN a2enconf rap.conf
-
-# Enable mod_rewrite (for Flight framework)
-RUN a2enmod rewrite
-RUN a2enmod ssl
-RUN a2ensite default-ssl
-
-# Copying RAP php files
-WORKDIR /var/www/html
-COPY . rap-ia2
-
-WORKDIR /var/www/html/rap-ia2
-RUN mkdir -p logs
-RUN chown -R www-data logs
-
-# Starting shibd & Apache
-CMD service shibd start && apachectl -D FOREGROUND

docker/Dockerfile

+FROM git.ia2.inaf.it:5050/ia2/rap-ia2/composer
+
+FROM git.ia2.inaf.it:5050/ia2/rap-ia2/base
+
+# add RAP Apache configuration
+COPY docker/rap.conf /etc/apache2/conf-available/
+RUN a2enconf rap.conf
+
+# enable mod_rewrite and mod_headers (for Flight framework)
+RUN a2enmod rewrite
+RUN a2enmod headers
+
+ARG RAP_DIR=/var/www/html/rap-ia2/
+
+# create RAP directory
+RUN mkdir $RAP_DIR
+COPY --from=0 /rap-ia2 $RAP_DIR
+
+WORKDIR $RAP_DIR
+
+# create logs directory
+RUN mkdir -p logs
+
+RUN chown -R www-data $RAP_DIR
+
+# allow apache2 to stop gracefully
+STOPSIGNAL SIGWINCH
+
+EXPOSE 80
+CMD ["apachectl", "-D", "FOREGROUND"]

docker/base-Dockerfile

+# Base Docker image for running RAP inside Apache server
+
+FROM debian:buster
+
+RUN apt-get update && \
+    apt-get install -yq --no-install-recommends \
+    apache2 \
+    libapache2-mod-php \
+    php-xml \
+    php-mbstring \
+    php-mysql \
+    php-curl \
+    php-yaml \
+    ca-certificates \
+    ssl-cert

docker/composer-Dockerfile

+# Docker image containing composer and RAP source code
+
+FROM debian:buster
+
+RUN apt-get update && \
+    apt-get install -yq --no-install-recommends \
+    php-zip php-yaml php-curl php-xml php-mysql \
+    composer git unzip
+
+COPY composer* /rap-ia2/
+
+WORKDIR /rap-ia2
+
+RUN composer install --no-dev --no-autoloader
+
+# copy RAP php files
+COPY auth /rap-ia2/auth
+COPY classes /rap-ia2/classes
+COPY css /rap-ia2/css
+COPY exec /rap-ia2/exec
+COPY img /rap-ia2/img
+COPY include /rap-ia2/include
+COPY js /rap-ia2/js
+COPY service-logos /rap-ia2/service-logos
+COPY views /rap-ia2/views
+COPY config-example.yaml index.php version.txt .htaccess /rap-ia2/
+
+RUN composer install --no-dev
+
+COPY tests /rap-ia2/tests
+
+ARG INCLUDE_TESTS=false
+
+RUN if [ "$INCLUDE_TESTS" = 'true' ]; then composer install; else rm -Rf /rap-ia2/tests; fi

docker/db-Dockerfile

@@ -2,6 +2,8 @@ FROM mariadb:10.5
 
 ENV MYSQL_ALLOW_EMPTY_PASSWORD yes
 ENV MYSQL_DATABASE rap
+ENV MYSQL_USER rap
+ENV MYSQL_PASSWORD rap
 
 COPY sql/setup-database.sql /docker-entrypoint-initdb.d/01-setup-database.sql
 COPY sql/delete-user-procedure.sql /docker-entrypoint-initdb.d/02-delete-user-procedure.sql

docker/demo-config.yaml

+---
+contextRoot: "/rap-ia2"
+serviceLogFile: "/var/www/html/rap-ia2/logs/rap-service.log"
+auditLogFile: "/var/www/html/rap-ia2/logs/rap-audit.log"
+timeZone: "Europe/Rome"
+logLevel: "DEBUG"
+jwtIssuer: "http://rap-ia2/rap-ia2"
+contactEmail: "ia2@inaf.it"
+contactLabel: "IA2 Team"
+
+databaseConfig:
+  dbtype: "MySQL"
+  hostname: "rap-db"
+  port: 3306
+  username: "rap"
+  password: "rap"
+  dbname: "rap"
+
+authenticationMethods:
+  test: true
+
+gms:
+  id: "gms"
+  joinEndpoint: "http://gms:8080/gms/join"
+
+tokenIssuer:
+  services:
+  - id: gms
+    label: GMS
+    aud: [gms, rap]
+    scope: read:gms write:gms read:rap
+  lifespans: [1, 6, 12, 24]
+
+clients:
+  - label: "GMS"
+    id: gms
+    secret: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
+    redirect: http://localhost:8081/gms/login
+    scope: "openid email read:rap"
+    home: http://localhost:8081/gms
+    icon: 
+    showInHome: true
+    methods: [eduGAIN, Google, Facebook, LinkedIn, X.509, LocalIdP]
+
+cliClients:
+  - id: rap_cli
+    secret: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
+    scope: "read:rap write:rap"

docker/docker-compose.yml

+---
+version: '3.0'
+services:
+  rap:
+    image: git.ia2.inaf.it:5050/ia2/rap-ia2
+    volumes:
+      - ./demo-config.yaml:/var/www/html/rap-ia2/config.yaml
+    ports:
+      - "8080:80"
+  rap-db:
+    image: git.ia2.inaf.it:5050/ia2/rap-ia2/database
+  gms:
+    build: ./gms
+    environment:
+      - server.port=8081
+      - spring.datasource.url=jdbc:postgresql://gms-db:5432/postgres
+      - spring.datasource.username=gms
+      - spring.datasource.password=
+      - AUTH_CONFIG_PATH=/etc/gms/auth.properties
+    volumes:
+      - ./gms/gms-auth.properties:/etc/gms/auth.properties
+    ports:
+      - "8081:8081"
+  gms-db:
+    image: git.ia2.inaf.it:5050/ia2/ia2-gms/database

docker/gms/Dockerfile

+FROM git.ia2.inaf.it:5050/ia2/ia2-gms
+
+RUN apk add socat
+ADD gms-entrypoint.sh /
+
+ENTRYPOINT ["/gms-entrypoint.sh"]

docker/gms/gms-auth.properties

+client_id=gms
+client_secret=test
+rap_uri=http://localhost:8080/rap-ia2
+store_state_on_login_endpoint=true
+scope=openid email profile read:rap
+rap_client_class=it.inaf.ia2.gms.authn.ServletRapClient

docker/gms/gms-entrypoint.sh

+#!/bin/sh
+
+# workaround for making http://localhost:8080/rap-ia2 works also inside container
+socat TCP-LISTEN:8080,fork TCP:rap:80 &
+
+exec java -jar /gms.jar

docker/rap.conf

+# RAP directory configuration
+<Directory /var/www/html/rap-ia2>
+
+    # Allow .htaccess override
+    AllowOverride All
+
+    # Set cookies to HTTP Only for better security
+    php_flag session.cookie_httponly on
+
+    # Protect config file
+    <Files "config.yaml">
+        Order allow,deny
+        Deny from all
+    </Files>
+</Directory>
+
+# X.509 client certificate authentication (needs SSL enabled)
+
+<IfModule mod_ssl.c>
+    <Directory /var/www/html/rap-ia2/auth/x509/>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Order allow,deny
+        allow from all
+        SSLVerifyClient require
+        SSLVerifyDepth 10
+        SSLOptions +ExportCertData
+    </Directory>
+</IfModule>
+
+# Shibboleth authentication (needs Shibboleth module installed and enabled)
+
+<IfModule mod_shib.c>
+    <Directory /var/www/html/rap-ia2/auth/saml2/>
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        Require valid-user
+    </Directory>
+</IfModule>