Commit 0e4c10dc authored by Lubomir Doležal's avatar Lubomir Doležal
initial commit

[bumpversion]
current_version = 1.0.0
commit = True
tag = True
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))?
serialize =
{major}.{minor}.{patch}-{release}.{build}
{major}.{minor}.{patch}
tag_name = release-{new_version}
[bumpversion:part:release]
optional_value = final
first_value = alpha
values =
alpha
beta
rc
final
[bumpversion:file:.bumpversion.cfg]
search = current_version = {current_version}
[bumpversion:glob:Dockerfile*]
search = version="{current_version}"
replace = version="{new_version}"
stages:
- publish
variables:
DOCKER_TLS_CERTDIR: ""
publish_latest:
image: docker:20.10.8
services:
- docker:20.10.8-dind
stage: publish
script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- docker build -t $CI_REGISTRY_IMAGE .
- docker push $CI_REGISTRY_IMAGE:latest
only:
- main
publish:
image: docker:20.10.8
services:
- docker:20.10.8-dind
stage: publish
script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- docker build --cache-from $CI_REGISTRY_IMAGE:latest -t $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG .
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
only:
- tags
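Review bot: Both jobs pass the registry password on the command line (`docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"`), which the Docker client itself warns about because it lands in process listings and shell history inside the runner; use `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. In the `publish` job `--cache-from $CI_REGISTRY_IMAGE:latest` only helps if that image is present locally, and nothing pulls it first, so with the legacy builder the cache is silently unused; add `docker pull "$CI_REGISTRY_IMAGE:latest" || true` before the build. The same job tags with `$CI_COMMIT_TAG` but pushes `$CI_COMMIT_REF_NAME`; these coincide on tag pipelines, but use one variable for both so the push cannot target an image that was never built. `DOCKER_TLS_CERTDIR: ""` disables TLS to the dind service, which is tolerable on the job-local network but worth a comment stating that this is deliberate.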
#------------------------------------------------------------------------------
#
# Project: prism view server
# Authors: Stephan Meissl <stephan.meissl@eox.at>
#
#------------------------------------------------------------------------------
# Copyright (C) 2021 EOX IT Services GmbH <https://eox.at>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies of this Software or works derived from this Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#-----------------------------------------------------------------------------
FROM unicon/shibboleth-sp:3.0.4
LABEL name="prism view server shibauth" \
vendor="EOX IT Services GmbH <https://eox.at>" \
license="MIT Copyright (C) 2021 EOX IT Services GmbH <https://eox.at>" \
type="prism view server shibauth"
RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
RUN yum -y update \
&& yum -y install shibboleth-3.2.0-2.1 \
&& yum -y clean all
ENV APACHE_SERVERNAME= \
USER_CATEGORY_ALLOW_RENDERER= \
USER_CATEGORY_ALLOW_CACHE= \
SPEntityID= \
IDPEntityID=
WORKDIR /opt/shibauth
COPY configure.sh \
shibboleth2_template.xml \
pass_accessrules_template.xml \
run-shibboleth.sh \
./
RUN chmod -v +x \
./configure.sh \
./run-shibboleth.sh
CMD ["./run-shibboleth.sh"]
LABEL version="1.0.0"
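Review bot: The four files are copied into `/opt/shibauth` (WORKDIR plus `COPY ... ./`), yet `run-shibboleth.sh` invokes `/configure.sh`, and `configure.sh` reads `/shibboleth2_template.xml` and `/pass_accessrules_template.xml` from the filesystem root, so unless the base image already ships files of those names at `/` the container cannot start; either change the scripts to `/opt/shibauth/...` or copy the files to `/` and use `CMD ["/run-shibboleth.sh"]`. The base image is a third-party Hub image pinned only by tag, and `yum -y update` pulls whatever is current at build time, so two builds of the same commit can differ; pin `FROM unicon/shibboleth-sp:3.0.4@sha256:...` and rely on the already-pinned `shibboleth-3.2.0-2.1` package instead of a blanket update. The README states the image is overwritten with 3.2.1 while this file installs 3.2.0-2.1; align one of them. There is no `USER` directive, so httpd and shibd appear to run as root; if the base image's start scripts require that (port binding, privilege drop inside httpd), add a comment saying so, otherwise switch to the unprivileged user the base provides.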
The MIT License (MIT)
Copyright (c) 2021 EOX IT Services GmbH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
# Introduction
This repository holds the shibauth service
### shibauth
* based on shibauth image derived from the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth SP3 image
* Overwritten by an install of 3.2.1 version.
* provides authentication and authorization via SAML2
* environment variables are expanded and via configure.sh override the template values to set access control rules
* traefik labels in the deployment determines which services are protected via Shib
Currently all deployments use the same certificates for **shibauth** service. If more need to be created, for each new stack, two more secrets need to be created, where **shibauth** is deployed. These ensure that the SP is recognized and its identity confirmed by the IDP. They are configured as **stack-name-capitalized_SHIB_KEY** and **stack-name-capitalized_SHIB_CERT**. In order to create them, use the attached **keygen.sh** command-line tool.
```bash
SPURL="https://emg.pass.copernicus.eu" # service initial access point made accessible by traefik
./keygen.sh -h $SPURL -y 20 -e $SPURL/shibboleth -n sp-signing -f
docker secret create EMG_SHIB_CERT sp-signing-cert.pem
docker secret create EMG_SHIB_KEY sp-signing-key.pem
```
Additionally a docker config `idp-metadata` containing the metadata of the used IDP needs to be added:
```bash
docker config create idp_metadata idp-metadata-received.xml
```
#!/bin/bash -e
echo "Running configure.sh" >&2
# substitute template values
cat /shibboleth2_template.xml \
| sed -e "s/{{SPEntityID}}/$(echo ${SPEntityID} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
| sed -e "s/{{IDPEntityID}}/$(echo ${IDPEntityID} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
> /etc/shibboleth/shibboleth2.xml
# split apache access env var separated by | to list separated by spaces for access.xml
create_xml_user_category_rules () {
IFS='|'
xml_access=" <OR>"
for usergroup in $1; do
# either spField2 is equal to usergroup or spField3 contains "CDSLicense=usergroup"
xml_access="${xml_access} <Rule list=\"false\" require=\"spField2\">${usergroup}</Rule>"
xml_access="${xml_access} <RuleRegex require=\"spField3\">.*CDSLicense=${usergroup}.*</RuleRegex>"
done
xml_access="${xml_access} </OR>"
echo $xml_access
}
USER_CATEGORY_ALLOW_LIST=$(create_xml_user_category_rules "$USER_CATEGORY_ALLOW_RENDERER")
# renderer access rules template fill
cat /pass_accessrules_template.xml \
| sed -e "s/{{USER_CATEGORY_ALLOW_LIST}}/$(echo ${USER_CATEGORY_ALLOW_LIST} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
> /etc/shibboleth/pass-ac.xml
# cache access rules template fill
USER_CATEGORY_ALLOW_LIST=$(create_xml_user_category_rules "$USER_CATEGORY_ALLOW_CACHE")
cat /pass_accessrules_template.xml \
| sed -e "s/{{USER_CATEGORY_ALLOW_LIST}}/$(echo ${USER_CATEGORY_ALLOW_LIST} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
> /etc/shibboleth/pass-ac-cache.xml
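Review bot: The generated `<RuleRegex require="spField3">.*CDSLicense=${usergroup}.*</RuleRegex>` is unanchored on the right, so an allow-list entry `foo` also authorizes a user carrying `CDSLicense=foobar`; if each spField3 value is a bare `CDSLicense=<group>` token, emit `^CDSLicense=${usergroup}$`, otherwise append whatever delimiter follows the token in that attribute (confirm against the IdP's attribute format). Group names are also interpolated unescaped into both the regex and the XML, so restrict them before use, e.g. `[[ "$usergroup" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "bad group: $usergroup" >&2; exit 1; }`. `SPEntityID` and `IDPEntityID` default to empty in the Dockerfile and this script happily writes `entityID=""`; fail fast with `: "${SPEntityID:?SPEntityID must be set}"` and `: "${IDPEntityID:?IDPEntityID must be set}"` at the top. The sed-escaping helper does not escape `&` or `\`, so an `&` in a value would be replaced by the placeholder text by sed, and an empty allow list yields `<OR> </OR>`; add a comment confirming that an empty `<OR/>` is evaluated as deny by XMLAccessControl, or reject empty lists outright.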
#! /bin/sh
while getopts n:h:u:g:o:e:y:bf c
do
case $c in
u) USER=$OPTARG;;
g) GROUP=$OPTARG;;
o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
n) PREFIX=$OPTARG;;
\?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]"
exit 1;;
esac
done
if [ -z "$OUT" ] ; then
OUT=.
fi
if [ -z "$PREFIX" ]; then
PREFIX="sp"
fi
if [ -n "$FORCE" ] ; then
rm $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi
if [ -s $OUT/${PREFIX}-key.pem -o -s $OUT/${PREFIX}-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
echo The files $OUT/${PREFIX}-key.pem and/or $OUT/${PREFIX}-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi
if [ -z "$FQDN" ] ; then
FQDN=`hostname`
fi
if [ -z "$YEARS" ] ; then
YEARS=10
fi
DAYS=`expr $YEARS \* 365`
if [ -z "$ENTITYID" ] ; then
ALTNAME=DNS:$FQDN
else
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi
SSLCNF=$OUT/${PREFIX}-cert.cnf
cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating keypair
[req]
prompt=no
default_bits=3072
encrypt_key=no
default_md=sha256
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF
touch $OUT/${PREFIX}-key.pem
chmod 600 $OUT/${PREFIX}-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem
else
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/${PREFIX}-key.pem -out $OUT/${PREFIX}-cert.pem 2> /dev/null
fi
rm $SSLCNF
if [ -s $OUT/${PREFIX}-key.pem -a -n "$USER" ] ; then
chown $USER $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi
if [ -s $OUT/${PREFIX}-key.pem -a -n "$GROUP" ] ; then
chgrp $GROUP $OUT/${PREFIX}-key.pem $OUT/${PREFIX}-cert.pem
fi
<AccessControl
type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<AND>
<Rule require="spField1">CDSLicense</Rule>
{{USER_CATEGORY_ALLOW_LIST}}
</AND>
</AccessControl>
#!/bin/bash -e
/configure.sh >&2
#### Copied over from the source Dockerfile ####
# Apache and Shibd gets grumpy about PID files pre-existing from previous runs
rm -f /etc/httpd/run/httpd.pid /var/lock/subsys/shibd
# Make sure /etc/shibboleth/shibd-redhat is executable
chmod +x /etc/shibboleth/shibd-redhat
# Start Shibd
/etc/shibboleth/shibd-redhat start
# Start httpd
exec httpd -DFOREGROUND
#################################################
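Review bot: `/etc/shibboleth/shibd-redhat start` daemonizes shibd and then `exec httpd -DFOREGROUND` makes httpd PID 1, so if shibd later exits nothing restarts or reports it and the container keeps running while every protected request fails. Add a `HEALTHCHECK` in the Dockerfile that probes the Status handler (its acl already allows `127.0.0.1`), or run both daemons under a supervisor, and add a comment here noting that `set -e` only sees the init script's exit status, which should be verified to be non-zero when shibd rejects the generated `shibboleth2.xml`. This script calls `/configure.sh`, whereas the Dockerfile copies that file into `/opt/shibauth`; the two paths need to agree before the image will start.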
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults entityID="{{SPEntityID}}"
REMOTE_USER="eppn uid persistent-id targeted-id">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" sameSiteSession="None"
checkAddress="false" handlerSSL="true" cookieProps="https">
<SSO entityID="{{IDPEntityID}}"> SAML2 </SSO>
<Logout>SAML2 Local</Logout>
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="admin@eox.at" helpLocation="/about.html"/>
<MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
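Review bot: The `MetadataProvider` loads `idp-metadata.xml` with `validate="false"` and no `<MetadataFilter>`, so the IdP's trust anchors are accepted exactly as found in the file; if the docker config delivery is the intended trust boundary, state that in a comment above the element, otherwise add `<MetadataFilter type="Signature" certificate="..."/>` and `<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>` so a stale or tampered file is rejected. The `CredentialResolver` expects `/run/secrets/SHIB_KEY` and `/run/secrets/SHIB_CERT`, while the README creates secrets named `EMG_SHIB_KEY`/`EMG_SHIB_CERT`; the stack file (not shown) must mount them under the unprefixed target names, which deserves a comment here so the mismatch is not rediscovered at deploy time. `validate="false"` on this provider contrasts with `validate="true"` on every other provider in the file; if schema validation of IdP metadata is being skipped deliberately, say why.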