cleanup, separate shibboleth2.xml for collections

4743176b · Lubomir Dolezal · b729deeb · 4743176b · 4743176b · 4743176b
Commit 4743176b authored 4 years ago by Lubomir Dolezal
--- a/README.md
+++ b/README.md
@@ -47,6 +47,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels
+### shibauth
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
 ### database
 * based on external postgis:10 image

--- a/config/shibboleth/shibboleth2.xml
+++ b/config/shibboleth/shibboleth2.xml
@@ -4,7 +4,7 @@
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
-    <ApplicationDefaults entityID="https://emg.pdas.prism.eox.at/shibboleth"
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
                         REMOTE_USER="eppn uid persistent-id targeted-id">
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
@@ -23,7 +23,7 @@
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+        <CredentialResolver type="File" key="/run/secrets/DEM_SHIB_KEY" certificate="/run/secrets/DEM_SHIB_CERT"/>
    </ApplicationDefaults>
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

--- a/config/shibboleth/emg-shibboleth2.xml
+++ b/config/shibboleth/emg-shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/EMG_SHIB_KEY" certificate="/run/secrets/EMG_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+</SPConfig>
\ No newline at end of file
--- a/config/shibboleth/index.html
+++ b/config/shibboleth/index.html
@@ -2,9 +2,10 @@
 <html lang="en">
 <head>
    <meta charset="UTF-8">
-    <title>APACHE TEST</title>
+    <title>Authentication Success</title>
 </head>
 <body>
-    <h1>TESTING APACHE</h1>   
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
 </body>
 </html>
--- a/config/shibboleth/native.logger
+++ b/config/shibboleth/native.logger
 # set overall behavior
-log4j.rootCategory=DEBUG, native_log
+log4j.rootCategory=INFO, native_log
 # fairly verbose for DEBUG, so generally leave at WARN/INFO
 log4j.category.XMLTooling.XMLObject=WARN

--- a/config/shibboleth/shibd.logger
+++ b/config/shibboleth/shibd.logger
 # set overall behavior
-log4j.rootCategory=DEBUG, shibd_log, warn_log
+log4j.rootCategory=INFO, shibd_log, warn_log
 # fairly verbose for DEBUG, so generally leave at INFO
 log4j.category.XMLTooling.XMLObject=INFO

--- a/config/shibboleth/vhr18-shibboleth2.xml
+++ b/config/shibboleth/vhr18-shibboleth2.xml
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/VHR18_SHIB_KEY" certificate="/run/secrets/VHR18_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+</SPConfig>
\ No newline at end of file
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -170,8 +170,8 @@ services:
    environment:
      APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
    secrets:
-      - SHIB_CERT
+      - DEM_SHIB_CERT
-      - SHIB_KEY
+      - DEM_SHIB_KEY
      - BASIC_AUTH_USERS_AUTH
    deploy:
      replicas: 1
@@ -226,8 +226,8 @@ configs:
    file: ./config/shibboleth/dem_pass-ac.xml
  shib-access-control-conf-cache:
    file: ./config/shibboleth/dem_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
+  shib-shibboleth2:
-    file: ./config/shibboleth/shibboleth2.xml
+    file: ./config/shibboleth/dem-shibboleth2.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
  idp-metadata:
    external: true
 secrets:
-  SHIB_CERT:
+  DEM_SHIB_CERT:
    external: true
-  SHIB_KEY:
+  DEM_SHIB_KEY:
    external: true
  BASIC_AUTH_USERS_AUTH:
    external: true
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -170,8 +170,8 @@ services:
    environment:
      APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
    secrets:
-      - SHIB_CERT
+      - EMG_SHIB_CERT
-      - SHIB_KEY
+      - EMG_SHIB_KEY
      - BASIC_AUTH_USERS_AUTH
    deploy:
      replicas: 1
@@ -226,8 +226,8 @@ configs:
    file: ./config/shibboleth/emg_pass-ac.xml
  shib-access-control-conf-cache:
    file: ./config/shibboleth/emg_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
+  shib-shibboleth2:
-    file: ./config/shibboleth/shibboleth2.xml
+    file: ./config/shibboleth/emg-shibboleth2.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
  idp-metadata:
    external: true
 secrets:
-  SHIB_CERT:
+  EMG_SHIB_CERT:
    external: true
-  SHIB_KEY:
+  EMG_SHIB_KEY:
    external: true
  BASIC_AUTH_USERS_AUTH:
    external: true
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -170,8 +170,8 @@ services:
    environment:
      APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
    secrets:
-      - SHIB_CERT
+      - VHR18_SHIB_CERT
-      - SHIB_KEY
+      - VHR18_SHIB_KEY
      - BASIC_AUTH_USERS_AUTH
    deploy:
      replicas: 1
@@ -226,8 +226,8 @@ configs:
    file: ./config/shibboleth/vhr18_pass-ac.xml
  shib-access-control-conf-cache:
    file: ./config/shibboleth/vhr18_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
+  shib-shibboleth2:
-    file: ./config/shibboleth/shibboleth2.xml
+    file: ./config/shibboleth/vhr18-shibboleth2.xml
  shib-apache:
    file: ./config/shibboleth/shib-apache.conf
  shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
  shib-idp-metadata:
    external: true
 secrets:
-  SHIB_CERT:
+  VHR18_SHIB_CERT:
    external: true
-  SHIB_KEY:
+  VHR18_SHIB_KEY:
    external: true
  BASIC_AUTH_USERS_AUTH:
    external: true
--- a/traefik.yml
+++ b/traefik.yml
@@ -19,7 +19,7 @@ providers:
 api:
  dashboard: true
 log:
-  level: DEBUG
+  level: INFO
 accessLog: {}
 certificatesResolvers:
  default: