templating shibboleth2.xml same way as mapcache.xml

10c664c5 · Lubomir Dolezal · 2de2004c · 10c664c5 · 2de2004c · 10c664c5
Commit 10c664c5 authored 4 years ago by Lubomir Dolezal
--- a/config/shibboleth/emg-shibboleth2.xml
+++ b/config/shibboleth/emg-shibboleth2.xml
@@ -4,21 +4,18 @@
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
-    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+    <ApplicationDefaults entityID="{{SPEntityID}}"
                         REMOTE_USER="eppn uid persistent-id targeted-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" sameSiteSession="None"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
-            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
-              SAML2
-            </SSO>
+            <SSO entityID="{{IDPEntityID}}"> SAML2 </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
-        <Errors supportContact="admin@eox.at"
-            helpLocation="/about.html"/>
+        <Errors supportContact="admin@eox.at" helpLocation="/about.html"/>
        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
@@ -27,5 +24,4 @@
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-
 </SPConfig>
--- a/config/shibboleth/vhr18-shibboleth2.xml
+++ b/config/shibboleth/vhr18-shibboleth2.xml
-<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
-    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-    clockSkew="180">
-    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
-                         REMOTE_USER="eppn uid persistent-id targeted-id">
-        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="true" cookieProps="https">
-            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
-              SAML2 
-            </SSO>
-            <Logout>SAML2 Local</Logout>
-            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
-            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
-            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
-        </Sessions>
-        <Errors supportContact="admin@eox.at"
-            helpLocation="/about.html"/>
-        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
-        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        <AttributeResolver type="Query" subjectMatch="true"/>
-        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
-    </ApplicationDefaults>
-    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
-    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-
-</SPConfig>
\ No newline at end of file
--- a/docker-compose.emg.staging.yml
+++ b/docker-compose.emg.staging.yml
@@ -179,6 +179,8 @@ services:
      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
      PROXY_USER_CATEGORY_ALLOW_RENDERER: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
      PROXY_USER_CATEGORY_ALLOW_CACHE: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
+      SPEntityID: "https://emg.pass.copernicus.eu/shibboleth"
+      IDPEntityID: "https://umssoidp.cdsv3.eu:443/shibboleth"
    secrets:
      - source: EMG_SHIB_CERT
        target: SHIB_CERT
@@ -212,7 +214,7 @@ services:
      - source: shib-access-control-conf-cache
        target: /etc/shibboleth/pass-ac-cache.xml
      - source: shib-shibboleth2
-        target: /etc/shibboleth/shibboleth2.xml
+        target: /shibboleth2_template.xml
      - source: shib-apache
        target: /etc/httpd/conf.d/shib.conf
      - source: shib-attribute-map
@@ -233,7 +235,7 @@ configs:
  shib-access-control-conf-cache:
    file: ./config/shibboleth/emg-ac-cache.xml
  shib-shibboleth2:
-    file: ./config/shibboleth/emg-shibboleth2.xml
+    file: ./config/shibboleth/shibboleth2_template.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map:

--- a/shibauth/Dockerfile
+++ b/shibauth/Dockerfile
@@ -36,3 +36,13 @@ LABEL name="prism view server shibauth" \
 RUN yum -y update \
    && yum -y install shibboleth-3.2.0-2.1 \
    && yum -y clean all
+
+ADD configure.sh \
+    shibboleth2_template.xml \
+    run-shibboleth.sh \
+    /
+RUN chmod -v +x \
+ /configure.sh \
+ /run-shibboleth.sh
+
+CMD ["/run-shibboleth.sh"]
--- a/shibauth/configure.sh
+++ b/shibauth/configure.sh
+#!/bin/bash -e
+echo "Running configure.sh" >&2
+
+# substitute template values
+cat /shibboleth2_template.xml \
+    | sed -e "s/{{SPEntityID}}/$(echo ${SPEntityID} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
+    | sed -e "s/{{IDPEntityID}}/$(echo ${IDPEntityID} | sed -e 's/[]\/$*.^[]/\\&/g')/g" \
+     > /etc/shibboleth/shibboleth2.xml
--- a/shibauth/run-shibboleth.sh
+++ b/shibauth/run-shibboleth.sh
+#!/bin/bash -e
+
+/configure.sh >&2
+
+#### Copied over from the source Dockerfile ####
+
+# Apache and Shibd gets grumpy about PID files pre-existing from previous runs
+rm -f /etc/httpd/run/httpd.pid /var/lock/subsys/shibd
+
+# Make sure /etc/shibboleth/shibd-redhat is executable
+chmod +x /etc/shibboleth/shibd-redhat
+
+# Start Shibd
+/etc/shibboleth/shibd-redhat start
+
+# Start httpd
+exec httpd -DFOREGROUND
+
+#################################################
--- a/config/shibboleth/dem-shibboleth2.xml
+++ b/config/shibboleth/dem-shibboleth2.xml
 <SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
-    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
+    <ApplicationDefaults entityID="{{SPEntityID}}"
                         REMOTE_USER="eppn uid persistent-id targeted-id">
-        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" sameSiteSession="None"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
-            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
-              SAML2 
-            </SSO>
+            <SSO entityID="{{IDPEntityID}}"> SAML2 </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>
-        <Errors supportContact="admin@eox.at"
-            helpLocation="/about.html"/>
+        <Errors supportContact="admin@eox.at" helpLocation="/about.html"/>
        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+        <CredentialResolver type="File" use="signing"
+            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
+        <CredentialResolver type="File" use="encryption"
+            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
-
-</SPConfig>
\ No newline at end of file
+</SPConfig>