git: 287db69a8e72 - main - security/shibboleth-idp: new port:
Date: Tue, 15 Nov 2022 15:58:20 UTC
The branch main has been updated by zi: URL: https://cgit.FreeBSD.org/ports/commit/?id=287db69a8e7299e0984890e416fed4e30e406556 commit 287db69a8e7299e0984890e416fed4e30e406556 Author: Ryan Steinmetz <zi@FreeBSD.org> AuthorDate: 2022-11-15 15:55:34 +0000 Commit: Ryan Steinmetz <zi@FreeBSD.org> CommitDate: 2022-11-15 15:57:59 +0000 security/shibboleth-idp: new port: A simple Single Sign-On solution for any organisation with complex identity management requirements. With excellent scaling capabilities and customisable user-related data, the Identity Provider equips workforces with a personalised user experience. * Widely adaptable to support custom scenarios * Built-in support for a range of authentication systems * Handles millions of authentication requests per day WWW: https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631498/Home --- security/Makefile | 1 + security/shibboleth-idp/Makefile | 65 +++ security/shibboleth-idp/distinfo | 7 + security/shibboleth-idp/files/index.html | 8 + .../files/jetty-base/etc/jetty-requestlog.xml | 30 + .../files/jetty-base/modules/idp-logging.mod | 9 + .../files/jetty-base/modules/idp.mod | 18 + .../files/jetty-base/resources/logback-access.xml | 13 + .../files/jetty-base/resources/logback.xml | 18 + .../files/jetty-base/start.d/http.ini | 14 + .../files/jetty-base/start.d/idp.ini | 35 ++ .../files/jetty-base/start.d/start.ini | 24 + .../files/jetty-base/webapps/idp.xml | 12 + .../files/jetty-base/webapps/static.xml | 16 + security/shibboleth-idp/files/pkg-message.in | 42 ++ security/shibboleth-idp/files/shibboleth-idp.in | 87 +++ security/shibboleth-idp/files/shibboleth-idp.sh | 628 +++++++++++++++++++++ security/shibboleth-idp/files/shibboleth.in | 64 +++ security/shibboleth-idp/pkg-descr | 8 + security/shibboleth-idp/pkg-plist | 272 +++++++++ 20 files changed, 1371 insertions(+) diff --git a/security/Makefile b/security/Makefile index dfcf1c84c852..276b83d3a083 100644 --- a/security/Makefile +++ b/security/Makefile 
@@ -1179,6 +1179,7 @@ SUBDIR += setaudit SUBDIR += sha1collisiondetection SUBDIR += sha2wordlist + SUBDIR += shibboleth-idp SUBDIR += shibboleth-sp SUBDIR += sig2dot SUBDIR += signify diff --git a/security/shibboleth-idp/Makefile b/security/shibboleth-idp/Makefile new file mode 100644 index 000000000000..2c9a0034823f --- /dev/null +++ b/security/shibboleth-idp/Makefile 
@@ -0,0 +1,65 @@
+PORTNAME= shibboleth
+PORTVERSION= 4.2.1
+CATEGORIES= security www
+MASTER_SITES= http://shibboleth.net/downloads/identity-provider/${PORTVERSION}/ \
+ http://shibboleth.net/downloads/identity-provider/latest4/${PORTVERSION}/ \
+ http://shibboleth.net/downloads/identity-provider/archive/${PORTVERSION}/ \
+ https://repo1.maven.org/maven2/ch/qos/logback/logback-core/${LOGBACKVER}/:logback_core \
+ https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/${LOGBACKVER}/:logback_classic
+PKGNAMESUFFIX= -idp
+DISTFILES= shibboleth-identity-provider-${PORTVERSION}.tar.gz \
+ logback-classic-${LOGBACKVER}.jar:logback_classic \
+ logback-core-${LOGBACKVER}.jar:logback_core
+EXTRACT_ONLY= shibboleth-identity-provider-${PORTVERSION}.tar.gz
+
+MAINTAINER= zi@FreeBSD.org
+COMMENT= Shibboleth Identity Provider (Internet2)
+WWW= http://shibboleth.internet2.edu/
+
+LICENSE= APACHE20
+
+BUILD_DEPENDS= jetty10>=0:www/jetty10
+RUN_DEPENDS= bash:shells/bash \
+ jetty10>=0:www/jetty10
+
+USE_RC_SUBR= shibboleth-idp
+CPE_VENDOR= shibboleth
+WRKSRC= ${WRKDIR}/shibboleth-identity-provider-${PORTVERSION}
+
+NO_ARCH= yes
+NO_BUILD= yes
+
+LOGBACKVER= 1.4.0
+SHIBUSER= shibd
+SHIBGROUP= shibd
+LOGDIR= /var/log/${PORTNAME}
+RUNDIR= /var/run/${PORTNAME}
+USERS= ${SHIBUSER}
+GROUPS= ${SHIBGROUP}
+
+SUB_FILES= shibboleth
+
+SUB_LIST+= SHIBUSER=${SHIBUSER} SHIBGROUP=${SHIBGROUP} \
+ RUNDIR=${RUNDIR} LOGDIR=${LOGDIR}
+PLIST_SUB+= SHIBUSER=${SHIBUSER} SHIBGROUP=${SHIBGROUP} \
+ RUNDIR=${RUNDIR} LOGDIR=${LOGDIR} LOGBACKVER=${LOGBACKVER}
+
+do-install:
+ @${MKDIR} ${STAGEDIR}${DATADIR} ${STAGEDIR}${ETCDIR}
+ @${MKDIR} ${STAGEDIR}${LOGDIR} ${STAGEDIR}${RUNDIR}
+ @${MKDIR} ${STAGEDIR}${WWWDIR}/lib/logging
+ @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+.for dir in conf credentials etc modules resources start.d webapps/ROOT
+ @${MKDIR} ${STAGEDIR}${WWWDIR}/${dir}
+.endfor
+ (cd ${WRKSRC} && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR})
+ (cd ${FILESDIR}/jetty-base && ${COPYTREE_SHARE} . ${STAGEDIR}${EXAMPLESDIR})
+ @${FIND} ${STAGEDIR}${DATADIR} -type f -name '*.sh' -exec ${CHMOD} +x {} \;
+.for jar in logback-classic-${LOGBACKVER}.jar logback-core-${LOGBACKVER}.jar
+ ${INSTALL_DATA} ${DISTDIR}/${jar} ${STAGEDIR}${WWWDIR}/lib/logging
+.endfor
+ ${INSTALL_DATA} ${WRKDIR}/shibboleth ${STAGEDIR}${ETCDIR}/shibboleth-idp
+ ${INSTALL_DATA} ${FILESDIR}/index.html ${STAGEDIR}${EXAMPLESDIR}/index.html
+ ${INSTALL_SCRIPT} ${FILESDIR}/shibboleth-idp.sh ${STAGEDIR}${PREFIX}/sbin
+
+.include <bsd.port.mk>
diff --git a/security/shibboleth-idp/distinfo b/security/shibboleth-idp/distinfo
new file mode 100644
index 000000000000..2d19c4209bac
--- /dev/null
+++ b/security/shibboleth-idp/distinfo
@@ -0,0 +1,7 @@
+TIMESTAMP = 1666726432
+SHA256 (shibboleth-identity-provider-4.2.1.tar.gz) = fa5e46d160f6b1bc50326c1a31627a05b5d0847b8f620d7f4c0251999b806474
+SIZE (shibboleth-identity-provider-4.2.1.tar.gz) = 55960112
+SHA256 (logback-classic-1.4.0.jar) = 9ce4cfee4834195753b5be5016ded641e8456d9e82995821838dc662e866e212
+SIZE (logback-classic-1.4.0.jar) = 262118
+SHA256 (logback-core-1.4.0.jar) = 14e09a7896bee6ef2e005b48fc5560fe2299a57a826bc4c1f1c6d43002f0512c
+SIZE (logback-core-1.4.0.jar) = 559203
diff --git a/security/shibboleth-idp/files/index.html b/security/shibboleth-idp/files/index.html
new file mode 100644
index 000000000000..7f517dede1eb
--- /dev/null
+++ b/security/shibboleth-idp/files/index.html
@@ -0,0 +1,8 @@
+<HTML>
+ <HEAD>
+ <TITLE>Shibboleth</TITLE>
+ </HEAD>
+ <BODY>
+ <H1>Shibboleth</H1>
+ </BODY>
+</HTML>
diff --git a/security/shibboleth-idp/files/jetty-base/etc/jetty-requestlog.xml b/security/shibboleth-idp/files/jetty-base/etc/jetty-requestlog.xml
new file mode 100644
index 000000000000..660f7b368199
--- /dev/null
+++ b/security/shibboleth-idp/files/jetty-base/etc/jetty-requestlog.xml
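Review bot: `CPE_VENDOR= shibboleth` has no effect without `USES= cpe`, and no USES line appears in this hunk, so the package would ship without a CPE string and `pkg audit`/VuXML matching on CPE could not cover it. Since PORTNAME is `shibboleth` (the `-idp` is only a PKGNAMESUFFIX), the default product name would also be wrong for this software; suggested lines: `USES= cpe` and `CPE_PRODUCT= identity_provider`. Separately, the three shibboleth.net MASTER_SITES are plain http:// while the logback ones are https://; distinfo's SHA256 still protects the distfile, but fetching over https where the mirror supports it costs nothing, and `WWW=` here differs from the WWW URL given in the commit message.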
@@ -0,0 +1,30 @@ +<?xml version="1.0"?> +<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd"> + +<!-- =============================================================== --> +<!-- Configure the Jetty Request Log --> +<!-- =============================================================== --> +<Configure id="Server" class="org.eclipse.jetty.server.Server"> + + <!-- =========================================================== --> + <!-- Configure Request Log for Server --> + <!-- Use RequestLogHandler for a context specific RequestLog --> + <!-- =========================================================== --> + <Set name="RequestLog"> + <New id="RequestLog" class="org.eclipse.jetty.server.CustomRequestLog"> + <!-- Writer --> + <Arg> + <New class="org.eclipse.jetty.server.Slf4jRequestLogWriter" /> + </Arg> + + <!-- Format String --> + <Arg> + <Property name="jetty.requestlog.formatString" deprecated="jetty.customrequestlog.formatString"> + <Default> + <Get class="org.eclipse.jetty.server.CustomRequestLog" name="EXTENDED_NCSA_FORMAT"/> + </Default> + </Property> + </Arg> + </New> + </Set> +</Configure> diff --git a/security/shibboleth-idp/files/jetty-base/modules/idp-logging.mod b/security/shibboleth-idp/files/jetty-base/modules/idp-logging.mod new file mode 100644 index 000000000000..dccc34ae12b7 --- /dev/null +++ b/security/shibboleth-idp/files/jetty-base/modules/idp-logging.mod @@ -0,0 +1,9 @@ +[description] +Shibboleth IdP Logging + +[depend] +console-capture +logback-access + +[files] +/var/log/shibboleth/ diff --git a/security/shibboleth-idp/files/jetty-base/modules/idp.mod b/security/shibboleth-idp/files/jetty-base/modules/idp.mod new file mode 100644 index 000000000000..57a601105222 --- /dev/null +++ b/security/shibboleth-idp/files/jetty-base/modules/idp.mod @@ -0,0 +1,18 @@ +[description] +Shibboleth IdP + +[depend] +annotations +deploy +ext +#https +jsp +jstl +plus +resources +server +servlets +#ssl + +[files] +tmp/ 
diff --git a/security/shibboleth-idp/files/jetty-base/resources/logback-access.xml b/security/shibboleth-idp/files/jetty-base/resources/logback-access.xml new file mode 100644 index 000000000000..cec9236337fa --- /dev/null +++ b/security/shibboleth-idp/files/jetty-base/resources/logback-access.xml @@ -0,0 +1,13 @@ +<configuration> + <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" /> + <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>/var/log/shibboleth/access.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>/var/log/shibboleth/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern> + </rollingPolicy> + <encoder> + <pattern>combined</pattern> + </encoder> + </appender> + <appender-ref ref="FILE" /> +</configuration> diff --git a/security/shibboleth-idp/files/jetty-base/resources/logback.xml b/security/shibboleth-idp/files/jetty-base/resources/logback.xml new file mode 100644 index 000000000000..9a530677c4a9 --- /dev/null +++ b/security/shibboleth-idp/files/jetty-base/resources/logback.xml @@ -0,0 +1,18 @@ +<?xml version="1.0" encoding="UTF-8"?> +<configuration scan="true"> + <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <File>/var/log/shibboleth/jetty.log</File> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <FileNamePattern>/var/log/shibboleth/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern> + </rollingPolicy> + <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"> + <charset>UTF-8</charset> + <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n</Pattern> + </encoder> + </appender> + <root level="INFO"> + <appender-ref ref="jetty" /> + </root> + <logger name="org.springframework" level="OFF" /> + <logger name="ch.qos.logback" level="WARN" /> +</configuration> 
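Review bot: `<logger name="org.springframework" level="OFF" />` in logback.xml drops every Spring message from jetty.log, ERRORs included, which removes a useful signal when the container fails to wire something up; if the goal is only to quiet startup INFO noise, `<logger name="org.springframework" level="WARN" />` keeps failures visible. `scan="true"` also makes logback re-read this file while the service runs, so its ownership and mode matter as much as /var/log/shibboleth's; the plist that sets them is not in the part of the commit shown here. Both files hard-code /var/log/shibboleth although the port defines LOGDIR, which only becomes a problem if the two are ever changed independently.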
diff --git a/security/shibboleth-idp/files/jetty-base/start.d/http.ini b/security/shibboleth-idp/files/jetty-base/start.d/http.ini
new file mode 100644
index 000000000000..fd91753eb783
--- /dev/null
+++ b/security/shibboleth-idp/files/jetty-base/start.d/http.ini
@@ -0,0 +1,14 @@
+# ---------------------------------------
+# Module: http
+# Shibboleth IdP
+# ---------------------------------------
+
+--module=http
+--module=http-forwarded
+
+# Allows use of default IdP command line tools.
+jetty.http.host=127.0.0.1
+jetty.http.port=8080
+
+# Hide server version
+jetty.httpConfig.sendServerVersion=false
diff --git a/security/shibboleth-idp/files/jetty-base/start.d/idp.ini b/security/shibboleth-idp/files/jetty-base/start.d/idp.ini
new file mode 100644
index 000000000000..e87aa186019d
--- /dev/null
+++ b/security/shibboleth-idp/files/jetty-base/start.d/idp.ini
@@ -0,0 +1,35 @@
+# ---------------------------------------
+# Module: idp
+# Shibboleth IdP
+# ---------------------------------------
+--module=logging-logback
+--module=idp
+
+## Keystore file path (relative to $jetty.base)
+jetty.sslContext.keyStorePath=credentials/idp-userfacing.p12
+## Truststore file path (relative to $jetty.base)
+jetty.sslContext.trustStorePath=credentials/idp-userfacing.p12
+
+## Keystore type
+jetty.sslContext.keyStoreType=PKCS12
+## Truststore type and provider
+jetty.sslContext.trustStoreType=PKCS12
+
+## Keystore password
+jetty.sslContext.keyStorePassword=%%KEYSTORE%%
+## Truststore password
+jetty.sslContext.trustStorePassword=%%KEYSTORE%%
+## KeyManager password
+jetty.sslContext.keyManagerPassword=%%KEYSTORE%%
+
+## Deny SSL renegotiation
+jetty.sslContext.renegotiationAllowed=false
+
+## Connector host/address to bind to
+jetty.ssl.host=127.0.0.1
+
+## Connector port to listen on
+jetty.ssl.port=443
+
+# logging
+etc/jetty-requestlog.xml
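Review bot: `--module=http-forwarded` in http.ini tells Jetty to take the client address and scheme from X-Forwarded-* headers sent by whoever connects, which is safe only while `jetty.http.host=127.0.0.1` limits connections to the local TLS-terminating proxy; the comment above it mentions only command-line tools. Suggested comment above that line: `# Trusts X-Forwarded-* from the peer; keep jetty.http.host on 127.0.0.1 so only the local proxy can set them`. In idp.ini, the jetty.sslContext.* and jetty.ssl.* settings stay inert while the ssl and https modules are commented out in idp.mod, so a one-line note that they take effect only once those modules are enabled would prevent an operator from assuming port 443 is served. Because the rc script substitutes `%%KEYSTORE%%` in place, idp.ini ends up holding the keystore password in clear text and must not be world-readable; its installed mode is set outside this hunk.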
diff --git a/security/shibboleth-idp/files/jetty-base/start.d/start.ini b/security/shibboleth-idp/files/jetty-base/start.d/start.ini
new file mode 100644
index 000000000000..f83bcf36389e
--- /dev/null
+++ b/security/shibboleth-idp/files/jetty-base/start.d/start.ini
@@ -0,0 +1,24 @@
+# Any other required Jetty modules...
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
+-Didp.home=/usr/local/www/shibboleth
+
+# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
+# for handling larger (> 25M) metadata files but you will need to test on
+# your particular metadata configuration. If MDQ metadata on demand is used,
+# requirements may be much lower.
+-Xmx1500m
+
+# Prevent blocking for entropy.
+-Djava.security.egd=file:/dev/urandom
+
+# Set Java tmp location
+-Djava.io.tmpdir=/tmp
+
+# Where to put logs
+-Didp.logfiles=/var/log/shibboleth
diff --git a/security/shibboleth-idp/files/jetty-base/webapps/idp.xml b/security/shibboleth-idp/files/jetty-base/webapps/idp.xml
new file mode 100644
index 000000000000..f5ba928e0b73
--- /dev/null
+++ b/security/shibboleth-idp/files/jetty-base/webapps/idp.xml
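Review bot: `-Djava.io.tmpdir=/tmp` sends the JVM's scratch files, including whatever Jetty copies out of the webapp (idp.xml sets `copyWebInf` to true), into the shared world-writable /tmp, while the `[files] tmp/` entry in idp.mod already creates a private tmp directory under the Jetty base that this setting leaves unused. Pointing java.io.tmpdir at that directory keeps the extracted content in a tree owned by the service user; note the shell wrapper also passes `-Djava.io.tmpdir=$TMPDIR`, so which of the two values wins should be confirmed. The comment `# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp` is stale: the line below it is already active and points at /usr/local/www/shibboleth, which, like `-Didp.logfiles=/var/log/shibboleth`, hard-codes a path the ports framework could substitute (%%WWWDIR%%, %%LOGDIR%%) but does not here, since the jetty-base files are copied by COPYTREE_SHARE rather than listed in SUB_FILES.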
@@ -0,0 +1,12 @@ +<?xml version="1.0"?> +<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> +<!-- =============================================================== --> +<!-- Configure the Shibboleth IdP webapp --> +<!-- =============================================================== --> +<Configure class="org.eclipse.jetty.webapp.WebAppContext"> + <Set name="war"><SystemProperty name="idp.war.path" default="war/idp.war" /></Set> + <Set name="contextPath"><SystemProperty name="idp.context.path" default="/idp" /></Set> + <Set name="extractWAR">false</Set> + <Set name="copyWebDir">false</Set> + <Set name="copyWebInf">true</Set> +</Configure> diff --git a/security/shibboleth-idp/files/jetty-base/webapps/static.xml b/security/shibboleth-idp/files/jetty-base/webapps/static.xml new file mode 100644 index 000000000000..3c53036abb35 --- /dev/null +++ b/security/shibboleth-idp/files/jetty-base/webapps/static.xml @@ -0,0 +1,16 @@ +<?xml version="1.0"?> +<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> +<!-- =============================================================== --> +<!-- Configure static content delivery --> +<!-- =============================================================== --> +<Configure class="org.eclipse.jetty.server.handler.ContextHandler"> + <Set name="contextPath">/</Set> + <Set name="handler"> + <New class="org.eclipse.jetty.server.handler.ResourceHandler"> + <Set name="resourceBase"> + <Property name="jetty.base"/>/<Property name="jetty.static.data.path" default="../static"/> + </Set> + <Set name="directoriesListed">false</Set> + </New> + </Set> +</Configure> diff --git a/security/shibboleth-idp/files/pkg-message.in b/security/shibboleth-idp/files/pkg-message.in new file mode 100644 index 000000000000..156826d76bcf --- /dev/null +++ b/security/shibboleth-idp/files/pkg-message.in 
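Review bot: static.xml mounts a ResourceHandler at contextPath `/` whose resourceBase defaults to `$jetty.base/../static`, a directory beside the Jetty base rather than inside it; if the base is %%WWWDIR%% as pkg-message.in implies, nothing in this commit creates or lists that directory, so whatever later lands there is served at the site root with no ownership guarantee from the package. Defaulting `jetty.static.data.path` to a directory the package installs (files/index.html already goes to EXAMPLESDIR, presumably as the seed for this static tree) would make the served content explicit; `directoriesListed` is already false, which is the right setting. Minor: idp.xml and static.xml declare configure_9_3.dtd while jetty-requestlog.xml uses configure_10_0.dtd, and the port depends on www/jetty10, so the three should agree.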
@@ -0,0 +1,42 @@ +[ +{ type: install + message: <<EOM +This package makes the following assumptions: +- The idP listens on 127.0.0.1 +- Another webserver (such as nginx or apache) will handle TLS termination +- This is the only jetty-based application on this host +- idP backchannel communication is not required + +To get started: + # sysrc shibboleth_idp_scope="example.com" + # sysrc shibboleth_idp_hostname="shibboleth.example.com" + # sysrc shibboleth_idp_entityid="shibboleth.example.com/idp/shibboleth" + # sysrc shibboleth-idp_enable="YES" + +Upgrade/create the deployment by running: + # service shibboleth-idp initupgrade + +Review the configuration files in %%WWWDIR%%: +- start.d/idp.ini +- start.d/http.ini + +Start Shibboleth: + # service shibboleth-idp start +EOM +} +{ type: upgrade + message: <<EOM +You must run the following to complete the upgrade: + # service shibboleth-idp initupgrade + # service shibboleth-idp restart +EOM +} +{ type: remove + message: <<EOM +If Shibboleth is removed, and no longer needed, you can +safely delete this directory: + + %%WWWDIR%% +EOM +} +] diff --git a/security/shibboleth-idp/files/shibboleth-idp.in b/security/shibboleth-idp/files/shibboleth-idp.in new file mode 100644 index 000000000000..c8904167e00c --- /dev/null +++ b/security/shibboleth-idp/files/shibboleth-idp.in 
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# PROVIDE: shibboleth-idp
+# REQUIRE: NETWORKING SERVERS
+# KEYWORD: shutdown
+
+#
+# Add the following line to /etc/rc.conf to enable shibboleth_idp:
+#
+# shibboleth_idp_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=shibboleth_idp
+rcvar=shibboleth_idp_enable
+
+command="%%PREFIX%%/sbin/shibboleth-idp.sh"
+command_args="start"
+extra_commands="idpstatus initupgrade"
+start_precmd="shibboleth_idp_start_precmd"
+initupgrade_cmd="shibboleth_idp_initupgrade"
+
+# set defaults
+shibboleth_idp_enable=${shibboleth_idp_enable:-"NO"}
+shibboleth_idp_entityid=${shibboleth_idp_entityid:-""}
+shibboleth_idp_hostname=${shibboleth_idp_hostname:-""}
+shibboleth_idp_keysize=${shibboleth_idp_keysize:-"3072"}
+shibboleth_idp_scope=${shibboleth_idp_scope:-""}
+shibboleth_idp_user=${shibboleth_idp_user:-"%%SHIBUSER%%"}
+shibboleth_idp_group=${shibboleth_idp_group:-"%%SHIBGROUP%%"}
+
+load_rc_config ${name}
+
+if test -n "${shibboleth_idp_java_version}" ; then
+ JAVA_HOME=$(JAVA_VERSION="${shibboleth_idp_java_version}" JAVAVM_DRYRUN=1 %%LOCALBASE%%/bin/java | grep JAVA_HOME | cut -d= -f2)
+ procname=$(JAVA_VERSION="${shibboleth_idp_java_version}" JAVAVM_DRYRUN=1 %%LOCALBASE%%/bin/java | grep JAVAVM_PROG | cut -d= -f2)
+else
+ JAVA_HOME=$(JAVAVM_DRYRUN=1 %%LOCALBASE%%/bin/java | grep JAVA_HOME | cut -d= -f2)
+ procname=$(JAVAVM_DRYRUN=1 %%LOCALBASE%%/bin/java | grep JAVAVM_PROG | cut -d= -f2)
+fi
+
+export JAVA_HOME
+
+shibboleth_idp_precmd() {
+ if [ -z ${shibboleth_idp_scope} ]; then
+ echo "$0: WARNING: shibboleth_idp_scope is not defined in rc.conf."
+ echo "$0: Example: sysrc shibboleth_idp_scope=\"example.com\""
+ exit 1
+ fi
+ if [ -z ${shibboleth_idp_entityid} ]; then
+ echo "$0: WARNING: shibboleth_idp_entityid is not defined in rc.conf."
+ echo "$0: Example: sysrc shibboleth_idp_entityid=\"https://shib.example.com/idp/shibboleth\""
+ exit 1
+ fi
+ if [ -z ${shibboleth_idp_hostname} ]; then
+ echo "$0: WARNING: shibboleth_idp_hostname is not defined in rc.conf."
+ echo "$0: Example: sysrc shibboleth_idp_hostname=\"shibboleth.example.com\""
+ exit 1
+ fi
+}
+
+shibboleth_idp_start_precmd() {
+ shibboleth_idp_precmd
+
+ if [ ! -r "%%WWWDIR%%/war/idp.war" ]; then
+ echo "$0: WARNING: /usr/local/www/shibboleth/war/idp.war is not readable."
+ echo "$0: You must run: service $(basename $0) initupgrade first"
+ exit 1
+ fi
+}
+
+shibboleth_idp_initupgrade() {
+ shibboleth_idp_precmd
+
+ KEYSTORE=`/usr/bin/openssl rand -base64 32`
+ COOKIE=`/usr/bin/openssl rand -base64 32`
+
+ /usr/bin/sed -i'.bak' -e "s|%%KEYSTORE%%|${KEYSTORE}|g" -e "s|%%KEYMANAGER%%|${KEYMANAGER}|g" %%WWWDIR%%/start.d/idp.ini
+ /bin/rm -f %%WWWDIR%%/idp.ini.bak
+
+ PATH="${PATH}:%%LOCALBASE%%/bin"
+ %%DATADIR%%/bin/install.sh -Didp.keysize=${shibboleth_idp_keysize} -Didp.target.dir=%%WWWDIR%% -Didp.src.dir=%%DATADIR%% -Didp.conf.credentials.group=%%SHIBUSER%% -Didp.conf.credentials.filemode=640 -Didp.keystore.password=${KEYSTORE} -Didp.sealer.password=${COOKIE} -Didp.host.name=${shibboleth_idp_hostname} -Didp.scope=${shibboleth_idp_scope} -Didp.entityID=${shibboleth_idp_entityid} -Didp.noprompt
+ /usr/bin/sed -i'.bak' -e "s|:8443||g" %%WWWDIR%%/metadata/idp-metadata.xml
+}
+
+run_rc_command "$1"
diff --git a/security/shibboleth-idp/files/shibboleth-idp.sh b/security/shibboleth-idp/files/shibboleth-idp.sh
new file mode 100755
index 000000000000..70a9ef3276a6
--- /dev/null
+++ b/security/shibboleth-idp/files/shibboleth-idp.sh
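Review bot: `shibboleth_idp_initupgrade` hands the freshly generated keystore and sealer passwords to install.sh as argv (`-Didp.keystore.password=${KEYSTORE} -Didp.sealer.password=${COOKIE}`), so on a default FreeBSD system they are readable by any local user through `ps` for the duration of the run; if install.sh can take these from a properties file or the environment, that is the safer hand-off. In the same function, `sed -i'.bak'` writes `%%WWWDIR%%/start.d/idp.ini.bak` but the following `rm -f %%WWWDIR%%/idp.ini.bak` targets a different path, so that backup (and the later `idp-metadata.xml.bak`) is never removed, and the `%%KEYMANAGER%%` substitution expands `${KEYMANAGER}`, which nothing in the script sets. `-Didp.conf.credentials.group=%%SHIBUSER%%` should be `%%SHIBGROUP%%` (the same value today, but the wrong variable). `extra_commands` advertises `idpstatus`, yet no `idpstatus_cmd` or `shibboleth_idp_idpstatus` handler appears in the hunk, so `service shibboleth-idp idpstatus` has nothing to run.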
@@ -0,0 +1,628 @@ +#!/usr/bin/env bash + +# LSB Tags +### BEGIN INIT INFO +# Provides: jetty +# Required-Start: $local_fs $network +# Required-Stop: $local_fs $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Jetty start script. +# Description: Start Jetty web server. +### END INIT INFO + +# Startup script for jetty under *nix systems (it works under NT/cygwin too). + +################################################## +# Set the name which is used by other variables. +# Defaults to the file name without extension. +################################################## +NAME=$(echo $(basename $0) | sed -e 's/^[SK][0-9]*//' -e 's/\.sh$//') + +# To get the service to restart correctly on reboot, uncomment below (3 lines): +# ======================== +# chkconfig: 3 99 99 +# description: Jetty 9 webserver +# processname: jetty +# ======================== + +# Configuration files +# +# /etc/default/$NAME +# If it exists, this is read at the start of script. It may perform any +# sequence of shell commands, like setting relevant environment variables. +# +# $HOME/.$NAMErc (e.g. $HOME/.jettyrc) +# If it exists, this is read at the start of script. It may perform any +# sequence of shell commands, like setting relevant environment variables. +# +# /etc/$NAME.conf +# If found, and no configurations were given on the command line, +# the file will be used as this script's configuration. +# Each line in the file may contain: +# - A comment denoted by the pound (#) sign as first non-blank character. +# - The path to a regular file, which will be passed to jetty as a +# config.xml file. +# - The path to a directory. Each *.xml file in the directory will be +# passed to jetty as a config.xml file. +# - All other lines will be passed, as-is to the start.jar +# +# The files will be checked for existence before being passed to jetty. +# +# Configuration variables +# +# JAVA +# Command to invoke Java. If not set, java (from the PATH) will be used. 
+# +# JAVA_OPTIONS +# Extra options to pass to the JVM +# +# JETTY_HOME +# Where Jetty is installed. If not set, the script will try go +# guess it by looking at the invocation path for the script +# The java system property "jetty.home" will be +# set to this value for use by configure.xml files, f.e.: +# +# <Arg><Property name="jetty.home" default="."/>/webapps/jetty.war</Arg> +# +# JETTY_BASE +# Where your Jetty base directory is. If not set, then the currently +# directory is checked, otherwise the value from +# $JETTY_HOME will be used. +# +# JETTY_RUN +# Where the $NAME.pid file should be stored. It defaults to the +# first available of /var/run, /usr/var/run, JETTY_BASE and /tmp +# if not set. +# +# JETTY_PID +# The Jetty PID file, defaults to $JETTY_RUN/$NAME.pid +# +# JETTY_ARGS +# The default arguments to pass to jetty. +# For example +# JETTY_ARGS=jetty.http.port=8080 jetty.ssl.port=8443 +# +# JETTY_USER +# if set, then used as a username to run the server as +# +# JETTY_SHELL +# If set, then used as the shell by su when starting the server. Will have +# no effect if start-stop-daemon exists. Useful when JETTY_USER does not +# have shell access, e.g. /bin/false +# +# JETTY_START_TIMEOUT +# Time spent waiting to see if startup was successful/failed. Defaults to 60 seconds +# + +usage() +{ + echo "Usage: ${0##*/} [-d] {start|stop|run|restart|check|supervise} [ CONFIGS ... 
] " + exit 1 +} + +[ $# -gt 0 ] || usage + + +################################################## +# Some utility functions +################################################## +findDirectory() +{ + local L OP=$1 + shift + for L in "$@"; do + [ "$OP" "$L" ] || continue + printf %s "$L" + break + done +} + +running() +{ + if [ -f "$1" ] + then + local PID=$(cat "$1" 2>/dev/null) || return 1 + kill -0 "$PID" 2>/dev/null + return + fi + rm -f "$1" + return 1 +} + +started() +{ + # wait for 60s to see "STARTED" in PID file, needs jetty-started.xml as argument + for ((T = 0; T < $(($3 / 4)); T++)) + do + sleep 4 + [ -z "$(tail -1 $1 | grep STARTED 2>/dev/null)" ] || return 0 + [ -z "$(tail -1 $1 | grep STOPPED 2>/dev/null)" ] || return 1 + [ -z "$(tail -1 $1 | grep FAILED 2>/dev/null)" ] || return 1 + local PID=$(cat "$2" 2>/dev/null) || return 1 + kill -0 "$PID" 2>/dev/null || return 1 + echo -n ". " + done + + return 1; +} + + +readConfig() +{ + (( DEBUG )) && echo "Reading $1.." + source "$1" +} + +dumpEnv() +{ + echo "JAVA = $JAVA" + echo "JAVA_OPTIONS = ${JAVA_OPTIONS[*]}" + echo "JETTY_HOME = $JETTY_HOME" + echo "JETTY_BASE = $JETTY_BASE" + echo "START_D = $START_D" + echo "START_INI = $START_INI" + echo "JETTY_START = $JETTY_START" + echo "JETTY_CONF = $JETTY_CONF" + echo "JETTY_ARGS = ${JETTY_ARGS[*]}" + echo "JETTY_RUN = $JETTY_RUN" + echo "JETTY_PID = $JETTY_PID" + echo "JETTY_START_LOG = $JETTY_START_LOG" + echo "JETTY_STATE = $JETTY_STATE" + echo "JETTY_START_TIMEOUT = $JETTY_START_TIMEOUT" + echo "RUN_CMD = ${RUN_CMD[*]}" +} + + + +################################################## +# Get the action & configs +################################################## +CONFIGS=() +NO_START=0 +DEBUG=0 + +while [[ $1 = -* ]]; do + case $1 in + -d) DEBUG=1 ;; + esac + shift +done +ACTION=$1 +shift + +################################################## +# Read any configuration files +################################################## +ETC=/etc +if [ $UID != 0 ] +then + 
ETC=$HOME/etc +fi + +for CONFIG in {/etc,~/etc}/default/${NAME}{,9} $HOME/.${NAME}rc /usr/local/etc/shibboleth/${NAME}{,9}; do + if [ -f "$CONFIG" ] ; then + readConfig "$CONFIG" + fi +done + + +################################################## +# Set tmp if not already set. +################################################## +TMPDIR=${TMPDIR:-/tmp} + +################################################## +# Jetty's hallmark +################################################## +JETTY_INSTALL_TRACE_FILE="start.jar" + + +################################################## +# Try to determine JETTY_HOME if not set +################################################## +if [ -z "$JETTY_HOME" ] +then + JETTY_SH=$0 + case "$JETTY_SH" in + /*) JETTY_HOME=${JETTY_SH%/*/*} ;; + ./*/*) JETTY_HOME=${JETTY_SH%/*/*} ;; + ./*) JETTY_HOME=.. ;; + */*/*) JETTY_HOME=./${JETTY_SH%/*/*} ;; + */*) JETTY_HOME=. ;; + *) JETTY_HOME=.. ;; + esac + + if [ ! -f "$JETTY_HOME/$JETTY_INSTALL_TRACE_FILE" ] + then + JETTY_HOME= + fi +fi + +################################################## +# No JETTY_HOME yet? We're out of luck! +################################################## +if [ -z "$JETTY_HOME" ]; then + echo "** ERROR: JETTY_HOME not set, you need to set it or install in a standard location" + exit 1 +fi + +RUN_DIR=$(pwd) +cd "$JETTY_HOME" +JETTY_HOME=$(pwd) + +################################################## +# Set JETTY_BASE +################################################## +export JETTY_BASE +if [ -z "$JETTY_BASE" ]; then + if [ -d "$RUN_DIR/start.d" -o -f "$RUN_DIR/start.ini" ]; then + JETTY_BASE=$RUN_DIR + else + JETTY_BASE=$JETTY_HOME + fi +fi +cd "$JETTY_BASE" +JETTY_BASE=$(pwd) + +##################################################### +# Check that jetty is where we think it is +##################################################### +if [ ! -r "$JETTY_HOME/$JETTY_INSTALL_TRACE_FILE" ] +then + echo "** ERROR: Oops! 
Jetty doesn't appear to be installed in $JETTY_HOME" + echo "** ERROR: $JETTY_HOME/$JETTY_INSTALL_TRACE_FILE is not readable!" + exit 1 +fi + +################################################## +# Try to find this script's configuration file, +# but only if no configurations were given on the +# command line. +################################################## +if [ -z "$JETTY_CONF" ] +then + if [ -f $ETC/${NAME}.conf ] + then + JETTY_CONF=$ETC/${NAME}.conf + elif [ -f "$JETTY_BASE/etc/jetty.conf" ] + then + JETTY_CONF=$JETTY_BASE/etc/jetty.conf + elif [ -f "$JETTY_HOME/etc/jetty.conf" ] + then + JETTY_CONF=$JETTY_HOME/etc/jetty.conf + fi +fi + +##################################################### +# Find a location for the pid file +##################################################### +if [ -z "$JETTY_RUN" ] +then + JETTY_RUN=$(findDirectory -w /var/run /usr/var/run $JETTY_BASE /tmp)/jetty + [ -d "$JETTY_RUN" ] || mkdir $JETTY_RUN +fi + +##################################################### +# define start log location +##################################################### +if [ -z "$JETTY_START_LOG" ] +then + JETTY_START_LOG="$JETTY_RUN/$NAME-start.log" +fi + +##################################################### +# Find a pid and state file +##################################################### +if [ -z "$JETTY_PID" ] +then + JETTY_PID="$JETTY_RUN/${NAME}.pid" +fi + +if [ -z "$JETTY_STATE" ] +then + JETTY_STATE=$JETTY_BASE/${NAME}.state +fi + +case "`uname`" in +CYGWIN*) JETTY_STATE="`cygpath -w $JETTY_STATE`";; +esac + + +JETTY_ARGS=(${JETTY_ARGS[*]} "jetty.state=$JETTY_STATE") + +################################################## +# Get the list of config.xml files from jetty.conf +################################################## +if [ -f "$JETTY_CONF" ] && [ -r "$JETTY_CONF" ] +then + while read -r CONF + do + if expr "$CONF" : '#' >/dev/null ; then + continue + fi + + if [ -d "$CONF" ] + then + # assume it's a directory with configure.xml files + # for 
example: /etc/jetty.d/ + # sort the files before adding them to the list of JETTY_ARGS + for XMLFILE in "$CONF/"*.xml + do + if [ -r "$XMLFILE" ] && [ -f "$XMLFILE" ] + then + JETTY_ARGS=(${JETTY_ARGS[*]} "$XMLFILE") + else + echo "** WARNING: Cannot read '$XMLFILE' specified in '$JETTY_CONF'" + fi + done + else + # assume it's a command line parameter (let start.jar deal with its validity) + JETTY_ARGS=(${JETTY_ARGS[*]} "$CONF") + fi + done < "$JETTY_CONF" +fi + +################################################## +# Setup JAVA if unset +################################################## +if [ -z "$JAVA" ] +then + JAVA=$(which java) +fi + +if [ -z "$JAVA" ] +then + echo "Cannot find a Java JDK. Please set either set JAVA or put java (>=1.5) in your PATH." >&2 + exit 1 +fi + +##################################################### +# See if Deprecated JETTY_LOGS is defined +##################################################### +if [ "$JETTY_LOGS" ] +then + echo "** WARNING: JETTY_LOGS is Deprecated. Please configure logging within the jetty base." >&2 +fi + +##################################################### +# Set STARTED timeout +##################################################### +if [ -z "$JETTY_START_TIMEOUT" ] +then + JETTY_START_TIMEOUT=60 +fi + +##################################################### +# Are we running on Windows? Could be, with Cygwin/NT. +##################################################### +case "`uname`" in +CYGWIN*) PATH_SEPARATOR=";";; +*) PATH_SEPARATOR=":";; +esac + + +##################################################### +# Add jetty properties to Java VM options. 
+##################################################### + +case "`uname`" in +CYGWIN*) +JETTY_HOME="`cygpath -w $JETTY_HOME`" +JETTY_BASE="`cygpath -w $JETTY_BASE`" +TMPDIR="`cygpath -w $TMPDIR`" +;; +esac + +BASE_JETTY_SYS_PROPS=$(echo -ne "-Djetty.home=$JETTY_HOME" "-Djetty.base=$JETTY_BASE" "-Djava.io.tmpdir=$TMPDIR") +JETTY_SYS_PROPS=(${JETTY_SYS_PROPS[*]} $BASE_JETTY_SYS_PROPS) + +##################################################### +# This is how the Jetty server will be started +##################################################### + +JETTY_START=$JETTY_HOME/start.jar +START_INI=$JETTY_BASE/start.ini +START_D=$JETTY_BASE/start.d +if [ ! -f "$START_INI" -a ! -d "$START_D" ] +then + echo "Cannot find a start.ini file or a start.d directory in your JETTY_BASE directory: $JETTY_BASE" >&2 + exit 1 +fi + +case "`uname`" in +CYGWIN*) JETTY_START="`cygpath -w $JETTY_START`";; +esac + *** 554 LINES SKIPPED ***