[IDP-706] command line idp.scope not observed and applied from installer as expected

Created: 24/Apr/15    Updated: 27/Jun/15    Resolved: 27/Jun/15

Status:             Closed
Project:            Identity Provider
Component/s:        Installer
Affects Version/s:  3.1.1
Fix Version/s:      3.2.0
Type:               Bug
Reporter:           Chris Phillips
Assignee:           Rod Widdowson
Priority:           Major
Resolution:         Fixed
Original Estimate:  Not Specified
Remaining Estimate: 0 minutes
Time Spent:         2 minutes
Environment:        CentOS7, Oracle JDK java version "1.8.0_25" Java(TM) SE Runtime Environment (build 1.8.0_25-b17)

Description

When attempting to set idp.scope as a switch on the command line, it is not being observed and not updating idp.properties as expected. Here's my test on CentOS7:

    # more shib-inst.sh
    cd /opt/shibboleth-identity-provider
    export JAVA_HOME=/usr/java/default
    sh bin/install.sh -Didp.src.dir=./ -Didp.target.dir=/opt/shibboleth-idp -Didp.host.name=fakehost.example.com -Didp.scope=TESTSCOPE.example.com -Didp.keystore.password=changeme -Didp.sealer.password=changeme2

    # ./shib-inst.sh
    SAML EntityID: https://fakehost.example.com/idp/shibboleth
    Warning: /opt/shibboleth-idp/bin does not exist.
    Warning: /opt/shibboleth-idp/dist does not exist.
    Warning: /opt/shibboleth-idp/doc does not exist.
    Warning: /opt/shibboleth-idp/system does not exist.
    Warning: /opt/shibboleth-idp/webapp does not exist.
    Generating Signing Key, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating Encryption Key, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating TLS keystore, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating cookie encryption key files...
    ...done
    Rebuilding /opt/shibboleth-idp/war/idp.war ...
    ...done

    BUILD SUCCESSFUL
    Total time: 12 seconds

    # ls -la /opt
    total 12
    drwxr-xr-x.  4 root root  103 Apr 23 20:36 .
    drwxr-xr-x. 17 root root 4096 Apr 23 16:07 ..
    lrwxrwxrwx.  1 root root   40 Apr 23 20:21 shibboleth-identity-provider -> /opt/shibboleth-identity-provider-3.1.1/
    drwxr-xr-x. 14 root root 4096 Apr 23 20:37 shibboleth-identity-provider-3.1.1
    drwxr-xr-x. 17 root root 4096 Apr 23 20:37 shibboleth-idp

    # more /opt/shibboleth-idp/conf/idp.properties
    # Load any additional property resources from a comma-delimited list
    idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties

    # Set the entityID of the IdP
    idp.entityID= https://fakehost.example.com/idp/shibboleth

    # Set the scope used in the attribute resolver for scoped attributes
    idp.scope= example.org

    # General cookie properties (maxAge only applies to persistent cookies)
    #idp.cookie.secure = false
    #idp.cookie.httpOnly = true
    #idp.cookie.domain =
    #idp.cookie.path =
    #idp.cookie.maxAge = 31536000

    # Set the location of Velocity view templates
    #idp.views = %{idp.home}/views

    # Settings for internal AES encryption key
    #idp.sealer.storeType = JCEKS
    #idp.sealer.updateInterval = PT15M
    #idp.sealer.aliasBase = secret
    idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
    idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
    idp.sealer.storePassword= password
    idp.sealer.keyPassword= password

    # Settings for public/private signing and encryption key(s)
    # During decryption key rollover, point the ".2" properties at a second

    [root@chris-dev ~]# /usr/java/default/bin/java -version
    java version "1.8.0_25"
    Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
    Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
    [root@chris-dev ~]#

When the idp.merge.properties is used, THAT appears to work. When -Didp.scope is ABSENT on the command-line install, but present in an idp.merge.properties file, the user is interrogated on the command line to offer a scope. (One would expect the merge to supersede this and render asking the user for the value unnecessary.)

I am claiming this is a problem because I feel that:

A) if I specify a switch on the command line, it should be observed and applied (it is not right now);
B) if I specify an entry in the merge file, it should be applied since it was there, and I should not be asked to enter the value by hand;
C) the mechanism of applying -D switches AND a merge file to set a variable feels a bit odd if A or B were OK.

I can work around this for now by applying the switch on the command line AND an idp.merge.properties file, but a general user would expect this to work with just one setting. I have not checked this style of problem against other variables.

If I'm in error in my report, please advise what I should use on the command line to set the idp.scope. Thanks!

Comments

Comment by Chris Phillips [ 24/Apr/15 ]

Wow, the pound sign from my cut and paste really screwed things up in the report. Here it is quoted:

    When attempting to set idp.scope as a switch on the command line, it is not being observed and not updating idp.properties as expected. Here's my test on CentOS7:

    # more shib-inst.sh
    cd /opt/shibboleth-identity-provider
    export JAVA_HOME=/usr/java/default
    sh bin/install.sh -Didp.src.dir=./ -Didp.target.dir=/opt/shibboleth-idp -Didp.host.name=fakehost.example.com -Didp.scope=TESTSCOPE.example.com -Didp.keystore.password=changeme -Didp.sealer.password=changeme2

    # ./shib-inst.sh
    SAML EntityID: [https://fakehost.example.com/idp/shibboleth]
    Warning: /opt/shibboleth-idp/bin does not exist.
    Warning: /opt/shibboleth-idp/dist does not exist.
    Warning: /opt/shibboleth-idp/doc does not exist.
    Warning: /opt/shibboleth-idp/system does not exist.
    Warning: /opt/shibboleth-idp/webapp does not exist.
    Generating Signing Key, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating Encryption Key, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating TLS keystore, CN = fakehost.example.com URI = https://fakehost.example.com/idp/shibboleth ...
    ...done
    Creating cookie encryption key files...
    ...done
    Rebuilding /opt/shibboleth-idp/war/idp.war ...
    ...done

    BUILD SUCCESSFUL
    Total time: 12 seconds

    # ls -la /opt
    total 12
    drwxr-xr-x.  4 root root  103 Apr 23 20:36 .
    drwxr-xr-x. 17 root root 4096 Apr 23 16:07 ..
    lrwxrwxrwx.  1 root root   40 Apr 23 20:21 shibboleth-identity-provider -> /opt/shibboleth-identity-provider-3.1.1/
    drwxr-xr-x. 14 root root 4096 Apr 23 20:37 shibboleth-identity-provider-3.1.1
    drwxr-xr-x. 17 root root 4096 Apr 23 20:37 shibboleth-idp

    # more /opt/shibboleth-idp/conf/idp.properties
    # Load any additional property resources from a comma-delimited list
    idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties

    # Set the entityID of the IdP
    idp.entityID= https://fakehost.example.com/idp/shibboleth

    # Set the scope used in the attribute resolver for scoped attributes
    *idp.scope= example.org*

    # General cookie properties (maxAge only applies to persistent cookies)
    #idp.cookie.secure = false
    #idp.cookie.httpOnly = true
    #idp.cookie.domain =
    #idp.cookie.path =
    #idp.cookie.maxAge = 31536000

    # Set the location of Velocity view templates
    #idp.views = %{idp.home}/views

    # Settings for internal AES encryption key
    #idp.sealer.storeType = JCEKS
    #idp.sealer.updateInterval = PT15M
    #idp.sealer.aliasBase = secret
    idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
    idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
    idp.sealer.storePassword= password
    idp.sealer.keyPassword= password

    # Settings for public/private signing and encryption key(s)
    # During decryption key rollover, point the ".2" properties at a second

    [root@chris-dev ~]# /usr/java/default/bin/java -version
    java version "1.8.0_25"
    Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
    Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
    [root@chris-dev ~]#

    When the idp.merge.properties is used, THAT appears to work. When -Didp.scope is ABSENT on the command-line install, but present in an idp.merge.properties file, the user is interrogated on the command line to offer a scope. (One would expect the merge to supersede this and render asking the user for the value unnecessary.)

    I am claiming this is a problem because I feel that:

    A) if I specify a switch on the command line, it should be observed and applied (it is not right now);
    B) if I specify an entry in the merge file, it should be applied since it was there, and I should not be asked to enter the value by hand;
    C) the mechanism of applying -D switches AND a merge file to set a variable feels a bit odd if A or B were OK.

    I can work around this for now by applying the switch on the command line AND an idp.merge.properties file, but a general user would expect this to work with just one setting. I have not checked this style of problem against other variables.

    If I'm in error in my report, please advise what I should use on the command line to set the idp.scope. Thanks!

Comment by Rod Widdowson [ 24/Apr/15 ]

Something very odd here. I know that the Windows installer uses the properties file with no issue. However, it does also set idp.noprompt, and after a quick squint, I may have my degoedelization wrong here. Is it easy to try running this with idp.noprompt set (you could run with all on the command line or all in the merge properties file, or best do both)? I'll look further tomorrow.

I'll target this at 3.2.0; gotta get this fixed.

Comment by Rod Widdowson [ 27/Apr/15 ]

Simple enough analysis. I just missed that case.

- If no scope is supplied and we are allowed, ask for it and write to the merge file.
- If no scope is supplied and we are not allowed, we infer it and write to the merge file.

What I missed was:

- If scope is supplied (no merge file), write it to the merge file.

I've fixed it and checked in as r7486. If you want to test it, the change can be found at http://svn.shibboleth.net/view/java-identity-provider/trunk/idpdistribution/src/main/resources/bin/build.xml?view=co

Comment by Rod Widdowson [ 27/Jun/15 ]

Not sure why this wasn't resolved earlier.

Generated at Tue Feb 09 10:55:57 EST 2016 using JIRA 7.0.10#70120sha1:37e3d7a6fc4d580639533e7f7c232c925e554a6a.
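The three cases Rod lists in his 27/Apr/15 comment, together with the 3.1.1 behaviour Chris observed (a -Didp.scope on the command line leaving idp.properties at the template default example.org), modelled as an added Python example. This is not the installer's own code (the real logic lives in the Ant build.xml linked above) and not code from the issue. Two details are assumptions, marked in the comments: how a scope is inferred when none is supplied and prompting is not allowed, and that a value already present in idp.merge.properties is treated as supplied (the behaviour Chris asks for in point B).

```python
"""Model of idp.scope resolution in the Shibboleth IdP installer, per IDP-706.

Added example; not the installer's code. cmdline holds the -D properties passed
to install.sh, merge holds the current contents of idp.merge.properties.
"""
from typing import Callable, Dict, Optional

# Default in the shipped idp.properties template, as seen in the report.
TEMPLATE_DEFAULT_SCOPE = "example.org"


def infer_scope(hostname: str) -> str:
    """ASSUMPTION: the issue does not say how the installer infers a scope.
    Dropping the first label of the host name is a stand-in for illustration."""
    labels = hostname.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else hostname


def resolve_scope(cmdline: Dict[str, str], merge: Dict[str, str], hostname: str,
                  prompt: Optional[Callable[[str], str]] = None,
                  fixed: bool = True) -> Dict[str, str]:
    """Return the merge-file contents after the installer's scope handling.

    fixed=True  : behaviour after r7486 (Rod's three cases).
    fixed=False : 3.1.1 behaviour, where a scope supplied on the command line
                  was never written to the merge file (the bug in this issue).
    """
    merged = dict(merge)
    supplied = cmdline.get("idp.scope")
    # idp.noprompt (mentioned in Rod's first comment) disables interactive prompting.
    allowed_to_ask = prompt is not None and "idp.noprompt" not in cmdline

    if supplied is not None:
        if fixed:
            merged["idp.scope"] = supplied  # the case r7486 adds
        # 3.1.1: supplied value silently dropped
    elif "idp.scope" in merged:
        # ASSUMPTION: an existing merge-file value counts as supplied, so no prompt.
        pass
    elif allowed_to_ask:
        merged["idp.scope"] = prompt("Attribute scope")
    else:
        merged["idp.scope"] = infer_scope(hostname)
    return merged


def render_idp_properties(merge: Dict[str, str]) -> Dict[str, str]:
    """Apply the merge file over the template defaults, which is why a scope
    that never reaches the merge file ends up as example.org in idp.properties."""
    props = {"idp.scope": TEMPLATE_DEFAULT_SCOPE}
    props.update(merge)
    return props


if __name__ == "__main__":
    host = "fakehost.example.com"
    cli = {"idp.scope": "TESTSCOPE.example.com"}
    for fixed in (False, True):
        props = render_idp_properties(resolve_scope(cli, {}, host, fixed=fixed))
        print(f"fixed={fixed}: idp.scope={props['idp.scope']}")
```

Run it directly to see the 3.1.1 result (example.org) beside the corrected one (TESTSCOPE.example.com); the other branches, prompting versus inference under idp.noprompt, are exercised by calling resolve_scope with and without a prompt callback.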