diff --git a/provision.yml b/provision.yml index 870b66a50..3fe68a22b 100644 --- a/provision.yml +++ b/provision.yml @@ -181,6 +181,7 @@ - { role: mujina-idp, tags: ["mujina-idp"] } - { role: oidc-playground, tags: ["oidc-playground"] } - { role: stats, tags: ["stats"] } + - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/diyidp/defaults/main.yml b/roles/diyidp/defaults/main.yml index 6d240c194..f2d9ddae0 100644 --- a/roles/diyidp/defaults/main.yml +++ b/roles/diyidp/defaults/main.yml @@ -1,18 +1,16 @@ --- -diyidp_fpm_user: diyidp -simplesamlphp_version: 1.19.5 -diyidp_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-diyidp" diyidp_domain: diyidp."{{ base_domain }}" diyidp_cert: "diyidp.crt" -diyidp_welcome_text: | - "Congratulations<\/strong>, you have successfully installed SimpleSAMLphp. This is the start page of your installation, where you will find links to test examples, diagnostics, metadata and even links to relevant documentation." diyidp: db_host: "{{ mysql_host }}" db_name: diyidp db_user: diyidprw - dp_password: "{{ mysql_passwords.diyidp }}" + db_password: "{{ mysql_passwords.diyidp }}" + secretsalt: "{{ diyidp_secret_salt }} " + admin_password: "{{ diyidp_secret }}" +diyidp_secret_salt: secretsecret +diyidp_secret: secret diyidp_remotesp: - name: "{{ instance_name }} SP metadata" metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata" acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion" - diff --git a/roles/diyidp/handlers/main.yml b/roles/diyidp/handlers/main.yml index 7c4a7364e..1ef1d0ed4 100644 --- a/roles/diyidp/handlers/main.yml +++ b/roles/diyidp/handlers/main.yml @@ -1,5 +1,3 @@ --- -- name: restart apache - service: - name: "{{ 'apache2' if ansible_os_family == 'Debian' else 'httpd' }}" - state: restarted +- name: restart diyidp + command: docker restart diyidp 
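Review bot: `secretsalt: "{{ diyidp_secret_salt }} "` in roles/diyidp/defaults/main.yml carries a trailing space inside the quotes, so the value the container receives as SSP_SECRET_SALT (tasks/main.yml) is `diyidp_secret_salt` plus one space; change it to `secretsalt: "{{ diyidp_secret_salt }}"`. The new defaults `diyidp_secret_salt: secretsecret` and `diyidp_secret: secret` are guessable and become the live salt and admin password (`admin_password: "{{ diyidp_secret }}"`) for any inventory that does not override them. Mark them as placeholders with a comment such as `# Placeholder values; override diyidp_secret_salt and diyidp_secret in the environment's secrets before deploying`, or leave them undefined so an unconfigured run fails instead of deploying with known secrets.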
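Review bot: The new `restart diyidp` handler in roles/diyidp/handlers/main.yml uses the short module name `command:` while the tasks converted in this commit use FQCNs (`ansible.builtin.file`, `ansible.builtin.template`, `community.docker.docker_container`); for consistency write `ansible.builtin.command: docker restart diyidp`. Shelling out to the docker CLI also bypasses the collection that manages the container; `community.docker.docker_container` with `name: diyidp`, `state: started` and `restart: true` expresses the same restart declaratively and does not depend on the CLI being present on the host.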
diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml index 74f936337..3e0fb2948 100644 --- a/roles/diyidp/tasks/main.yml +++ b/roles/diyidp/tasks/main.yml 
@@ -1,127 +1,106 @@ --- -- name: Add group {{ diyidp_fpm_user }} - group: - name: "{{ diyidp_fpm_user }}" - state: present - -- name: Add user {{ diyidp_fpm_user }} - user: - name: "{{ diyidp_fpm_user }}" - group: "{{ diyidp_fpm_user }}" - createhome: no - state: present - -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/diyidp" - state: directory - owner: "{{ diyidp_fpm_user }}" - group: root - mode: 0770 - -- name: Download and unarchive the latest release - unarchive: - src: "https://github.com/simplesamlphp/simplesamlphp/releases/download/v{{ simplesamlphp_version }}/simplesamlphp-{{ simplesamlphp_version }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - creates: "/opt/openconext/simplesamlphp-{{ simplesamlphp_version }}" - remote_src: yes - -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - diyidp.conf - notify: - - "restart httpd" - -- name: Clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/diyidp-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - diyidp-pool-72.conf - notify: - - "restart php72-fpm" - -- name: Activate new DIY IDP release - file: - src: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}" - dest: "{{ diyidp_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - name: Create directories - file: - path: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/{{ item }}" + ansible.builtin.file: + path: "/opt/openconext/diyidp/{{ item }}" state: directory owner: root group: root - mode: 0775 + mode: "0775" with_items: - - config + - www - metadata - - data - cert - name: Put metadata certificate in place - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/{{ diyidp_cert }}" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ 
simplesamlphp_version }}/cert/server.crt" + dest: "/opt/openconext/diyidp/cert/server.crt" + owner: root + group: root + mode: "0644" - name: Put metadata key in place - copy: + ansible.builtin.copy: content: "{{ diyidp_private_key }}" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/cert/server.key" - owner: "{{ diyidp_fpm_user }}" - mode: 0400 + dest: "/opt/openconext/diyidp/cert/server.key" + owner: root + group: root + mode: "0444" + notify: restart diyidp - name: Copy simplesamlphp configuration files - template: + ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/config/{{ item }}" + dest: "/opt/openconext/diyidp/{{ item }}" + mode: "0644" with_items: - - config.php + - config-override.php - authsources.php + notify: restart diyidp - name: Copy simplesamlphp metadata files - template: + ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/metadata/{{ item }}" + dest: "/opt/openconext/diyidp/metadata/{{ item }}" + mode: "0644" with_items: - saml20-idp-hosted.php - saml20-sp-remote.php + notify: restart diyidp - name: Copy showusers php script - template: + ansible.builtin.template: src: "showusers.php.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/www/showusers.php" + dest: "/opt/openconext/diyidp/www/showusers.php" owner: root - mode: 0644 + mode: "0644" + notify: restart diyidp -- name: Copy frontpage definitions - template: - src: "frontpage.definition.json.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/modules/core/dictionaries/frontpage.definition.json" - -- name: Copy login page definition - template: - src: "login.definition.json.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/dictionaries/login.definition.json" - -- name: Copy the database dump file - copy: - 
src: diyidp.sql - dest: "{{ openconext_releases_dir }}/builds/" - register: copy_diyidp_script - -- name: Import the database - shell: mysql -u {{ diyidp.db_user }} -p{{ diyidp.db_password }} -h {{ diyidp.db_host }} -D {{ diyidp.db_name }} < {{ openconext_releases_dir }}/builds/diyidp.sql - args: - creates: /var/lib/mysql/{{diyidp.db_name}}/users.frm +- name: Copy the apache config + ansible.builtin.template: + src: "000-default.conf.j2" + dest: "/opt/openconext/diyidp/000-default.conf" + owner: root + group: root + mode: "0644" + notify: restart diyidp + +- name: Create the container + community.docker.docker_container: + name: diyidp + image: cirrusid/simplesamlphp:v2.0.7 + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.diyidp.rule: "Host(`diyidp.{{ base_domain }}`)" + traefik.http.routers.diyidp.tls: "true" + traefik.enable: "true" + hostname: diyidp + mounts: + - source: /opt/openconext/diyidp/config-override.php + target: /var/simplesamlphp/config/config-override.php + type: bind + - source: /opt/openconext/diyidp/authsources.php + target: /var/simplesamlphp/config/authsources.php + type: bind + - source: /opt/openconext/diyidp/metadata + target: /var/simplesamlphp/config/metadata + type: bind + - source: /opt/openconext/diyidp/cert + target: /var/simplesamlphp/config/cert + type: bind + - source: /opt/openconext/diyidp/www/showusers.php + target: /var/simplesamlphp/public/showusers.php + type: bind + - source: /opt/openconext/diyidp/000-default.conf + target: /etc/apache2/sites-enabled/000-default.conf + type: bind + env: + SSP_ENABLED_MODULES: "sqlauth themesurf" + SSP_LOG_HANDLER: stderr + COMPOSER_REQUIRE: "simplesamlphp/simplesamlphp-module-sqlauth surfnet/simplesamlphp-module-themesurf:dev-main" + SSP_ENABLE_IDP: "true" + SSP_SECRET_SALT: "{{ diyidp.secretsalt }}" 
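Review bot: `mode: "0444"` in the `Put metadata key in place` task makes the IdP's private key world-readable on the host (the replaced task used `0400`); presumably this is so the container's non-root process can read the bind-mounted `/var/simplesamlphp/config/cert/server.key`, but the same is achieved with `owner: <container-uid>` (placeholder for the uid the image runs as) and `mode: "0400"`, or `mode: "0440"` plus a matching group. In the `Create the container` task, `COMPOSER_REQUIRE` installs `surfnet/simplesamlphp-module-themesurf:dev-main`, so every container start pulls whatever is currently on that branch; pinning a tag or a specific commit keeps deployments reproducible. The `image: cirrusid/simplesamlphp:v2.0.7` tag is mutable as well, and with `pull: true` a re-tagged image is picked up silently, which a digest pin (`@sha256:<digest>`, placeholder) would prevent. The removed `Import the database` task has no replacement in this hunk; if the sqlauth users table is no longer seeded elsewhere, the `sql_user` authsource will have nothing to authenticate against.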
diff --git a/roles/diyidp/tasks/main_config.yml b/roles/diyidp/tasks/main_config.yml deleted file mode 100644 index b87f280b7..000000000 --- a/roles/diyidp/tasks/main_config.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: Copy default config - shell: cp -r {{ simplesamlphp_dir }}/config-templates {{ simplesamlphp_dir }}/config - -- name: Copy default metadata - shell: cp -r {{ simplesamlphp_dir }}/metadata-templates {{ simplesamlphp_dir }}/metadata - -- name: Generate secretsalt - shell: tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo - register: secretsalt_raw - -- name: Getting hash of the secretsalt - set_fact: simplesamlphp_secretsalt={{ secretsalt_raw.stdout }} - -- template: - src: simplesaml_config_php.conf - dest: "{{ simplesamlphp_dir }}/config/config.php" diff --git a/roles/diyidp/tasks/vhost.yml b/roles/diyidp/tasks/vhost.yml deleted file mode 100644 index 218822bda..000000000 --- a/roles/diyidp/tasks/vhost.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- template: - src: simplesamlphp.conf - dest: /etc/apache2/sites-available/simplesamlphp.conf - backup: true - when: ansible_os_family == 'Debian' - -- template: - src: simplesamlphp.conf - dest: /etc/httpd/conf.d/simplesamlphp.conf - backup: true - when: ansible_os_family == 'RedHat' - notify: restart apache - -- command: a2ensite simplesamlphp.conf - when: ansible_os_family == 'Debian' - notify: restart apache diff --git a/roles/diyidp/templates/000-default.conf.j2 b/roles/diyidp/templates/000-default.conf.j2 new file mode 100644 index 000000000..84fa26b05 --- /dev/null +++ b/roles/diyidp/templates/000-default.conf.j2 @@ -0,0 +1,7 @@ + + DocumentRoot /var/simplesamlphp/public + + + Require all granted + + diff --git a/roles/diyidp/templates/authsources.php.j2 b/roles/diyidp/templates/authsources.php.j2 index f89d144dd..769b4939d 100644 --- a/roles/diyidp/templates/authsources.php.j2 +++ b/roles/diyidp/templates/authsources.php.j2 
@@ -12,6 +12,9 @@ $config = array( 'sql_user' => array( + 'core:loginpage_links' => [ + 'users' => ['href' => '/showusers.php', 'text' => 'List of available users'], + ], 'sqlauth:SQL', 'dsn' => 'mysql:host={{ diyidp.db_host}};port=3306;dbname={{ diyidp.db_name }}', 'username' => '{{ diyidp.db_user}}', diff --git a/roles/diyidp/templates/config-override.php.j2 b/roles/diyidp/templates/config-override.php.j2 new file mode 100644 index 000000000..7418d5bfa --- /dev/null +++ b/roles/diyidp/templates/config-override.php.j2 
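Review bot: The new `core:loginpage_links` entry in authsources.php.j2 is placed ahead of `'sqlauth:SQL'` in the `sql_user` array; PHP still gives the module name index 0 because string keys do not consume integer indexes, but SimpleSAMLphp authsources conventionally list the module name first, so move the three added lines below `'sqlauth:SQL',` for readability. The link targets `/showusers.php`, which the container task bind-mounts into the public document root, so it is reachable without authentication; if that script prints more than usernames (not visible in this hunk), confirm that is intended for this test IdP. The enclosing `$config` array starts and ends outside the hunk.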
@@ -0,0 +1,6 @@ + '/', - 'certdir' => 'cert/', - 'loggingdir' => 'log/', - 'datadir' => 'data/', - - /* - * A directory where simpleSAMLphp can save temporary files. - * - * SimpleSAMLphp will attempt to create this directory if it doesn't exist. - */ - 'tempdir' => '/tmp/simplesaml', - - - /* - * If you enable this option, simpleSAMLphp will log all sent and received messages - * to the log file. - * - * This option also enables logging of the messages that are encrypted and decrypted. - * - * Note: The messages are logged with the DEBUG log level, so you also need to set - * the 'logging.level' option to LOG_DEBUG. - */ - 'debug' => FALSE, - - - 'showerrors' => TRUE, - - /** - * Custom error show function called from SimpleSAML_Error_Error::show. - * See docs/simplesamlphp-errorhandling.txt for function code example. - * - * Example: - * 'errors.show_function' => 'sspmod_exmaple_Error_Show::show', - */ - - /** - * This option allows you to enable validation of XML data against its - * schemas. A warning will be written to the log if validation fails. - */ - 'debug.validatexml' => FALSE, - - /** - * This password must be kept secret, and modified from the default value 123. - * This password will give access to the installation page of simpleSAMLphp with - * metadata listing and diagnostics pages. - */ - 'auth.adminpassword' => '{{ diyidp_secret }}', - 'admin.protectindexpage' => true, - 'admin.protectmetadata' => false, - - /** - * This is a secret salt used by simpleSAMLphp when it needs to generate a secure hash - * of a value. It must be changed from its default value to a secret value. The value of - * 'secretsalt' can be any valid string of any length. - * - * A possible way to generate a random salt is by running the following command from a unix shell: - * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo - */ - 'secretsalt' => '{{ diyidp_secret_salt }}', - - /* - * Some information about the technical persons running this installation. 
- * The email address will be used as the recipient address for error reports, and - * also as the technical contact in generated metadata. - */ - 'technicalcontact_name' => '{{ instance_name }} Administrator', - 'technicalcontact_email' => '{{ admin_email }}', - - /* - * The timezone of the server. This option should be set to the timezone you want - * simpleSAMLphp to report the time in. The default is to guess the timezone based - * on your system timezone. - * - * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php - */ - 'timezone' => '{{ timezone }}', - - /* - * Logging. - * - * define the minimum log level to log - * LOG_ERR No statistics, only errors - * LOG_WARNING No statistics, only warnings/errors - * LOG_NOTICE Statistics and errors - * LOG_INFO Verbose logs - * LOG_DEBUG Full debug logs - not reccomended for production - * - * Choose logging handler. - * - * Options: [syslog,file,errorlog] - * - */ - 'logging.level' => LOG_NOTICE, - 'logging.handler' => 'syslog', - - /* - * Choose which facility should be used when logging with syslog. - * - * These can be used for filtering the syslog output from simpleSAMLphp into its - * own file by configuring the syslog daemon. - * - * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available - * facilities. Note that only LOG_USER is valid on windows. - * - * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not. - */ - 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER, - - /* - * The process name that should be used when logging to syslog. - * The value is also written out by the other logging handlers. - */ - 'logging.processname' => 'simplesamlphp', - - /* Logging: file - Logfilename in the loggingdir from above. - */ - 'logging.logfile' => 'simplesamlphp.log', - - - - /* - * Enable - * - * Which functionality in simpleSAMLphp do you want to enable. 
Normally you would enable only - * one of the functionalities below, but in some cases you could run multiple functionalities. - * In example when you are setting up a federation bridge. - */ - 'enable.saml20-idp' => true, - 'enable.shib13-idp' => false, - 'enable.adfs-idp' => false, - 'enable.wsfed-sp' => false, - 'enable.authmemcookie' => false, - - /* - * This value is the duration of the session in seconds. Make sure that the time duration of - * cookies both at the SP and the IdP exceeds this duration. - */ - 'session.duration' => 8 * (60*60), // 8 hours. - 'session.requestcache' => 4 * (60*60), // 4 hours - - /* - * Sets the duration, in seconds, data should be stored in the datastore. As the datastore is used for - * login and logout requests, thid option will control the maximum time these operations can take. - * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations. - */ - 'session.datastore.timeout' => (4*60*60), // 4 hours - - - /* - * Expiration time for the session cookie, in seconds. - * - * Defaults to 0, which means that the cookie expires when the browser is closed. - * - * Example: - * 'session.cookie.lifetime' => 30*60, - */ - 'session.cookie.lifetime' => 0, - - /* - * Limit the path of the cookies. - * - * Can be used to limit the path of the cookies to a specific subdirectory. - * - * Example: - * 'session.cookie.path' => '/simplesaml/', - */ - 'session.cookie.path' => '/', - - /* - * Cookie domain. - * - * Can be used to make the session cookie available to several domains. - * - * Example: - * 'session.cookie.domain' => '.example.org', - */ - 'session.cookie.domain' => NULL, - - /* - * Set the secure flag in the cookie. - * - * Set this to TRUE if the user only accesses your service - * through https. If the user can access the service through - * both http and https, this must be set to FALSE. 
- */ - 'session.cookie.secure' => TRUE, - - /* - * Options to override the default settings for php sessions. - */ - 'session.phpsession.cookiename' => null, - 'session.phpsession.savepath' => null, - 'session.phpsession.httponly' => true, - - /* - * Languages available and what language is default - */ - 'language.available' => array('en'), - 'language.default' => 'en', - - /* - * Extra dictionary for attribute names. - * This can be used to define local attributes. - * - * The format of the parameter is a string with :. - * - * Specifying this option will cause us to look for modules//dictionaries/.definition.json - * The dictionary should look something like: - * - * { - * "firstattribute": { - * "en": "English name", - * "no": "Norwegian name" - * }, - * "secondattribute": { - * "en": "English name", - * "no": "Norwegian name" - * } - * } - * - * Note that all attribute names in the dictionary must in lowercase. - * - * Example: 'attributes.extradictionary' => 'ourmodule:ourattributes', - */ - 'attributes.extradictionary' => NULL, - - /* - * Which theme directory should be used? - */ - //'theme.use' => 'default', - 'theme.use' => 'surfconext-diy:diytheme', - - /* - * Default IdP for WS-Fed. - */ - 'default-wsfed-idp' => 'urn:federation:pingfederate:localhost', - - /* - * Whether the discovery service should allow the user to save his choice of IdP. - */ - 'idpdisco.enableremember' => TRUE, - 'idpdisco.rememberchecked' => TRUE, - - // Disco service only accepts entities it knows. - 'idpdisco.validate' => TRUE, - - 'idpdisco.extDiscoveryStorage' => NULL, - - /* - * IdP Discovery service look configuration. - * Wether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box - * gives the best use experience. - * - * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown. 
- * This makes it easier for the user to choose the IdP - * - * Options: [links,dropdown] - * - */ - 'idpdisco.layout' => 'links', - - /* - * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication - * responses. - * - * The default is to sign the assertion element, but that can be overridden by setting this - * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the - * same name to the metadata of the SP. - */ - 'shib13.signresponse' => TRUE, - - - - /* - * Authentication processing filters that will be executed for all IdPs - * Both Shibboleth and SAML 2.0 - */ - 'authproc.idp' => array( - /* Enable the authproc filter below to add URN Prefixces to all attributes - 10 => array( - 'class' => 'core:AttributeMap', 'addurnprefix' - ), */ - /* Enable the authproc filter below to automatically generated eduPersonTargetedID. - 20 => 'core:TargetedID', - */ - - // Adopts language from attribute to use in UI - 30 => 'core:LanguageAdaptor', - - /* Add a realm attribute from edupersonprincipalname - 40 => 'core:AttributeRealm', - */ - 45 => array( - 'class' => 'core:StatisticsWithAttribute', - 'attributename' => 'realm', - 'type' => 'saml20-idp-SSO', - ), - - /* When called without parameters, it will fallback to filter attributes ‹the old way› - * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. - */ - 50 => 'core:AttributeLimit', - - /* - * Search attribute "distinguishedName" for pattern and replaces if found - - 60 => array( - 'class' => 'core:AttributeAlter', - 'pattern' => '/OU=studerende/', - 'replacement' => 'Student', - 'subject' => 'distinguishedName', - '%replace', - ), - */ - - /* - * Consent module is enabled (with no permanent storage, using cookies). - - 90 => array( - 'class' => 'consent:Consent', - 'store' => 'consent:Cookie', - 'focus' => 'yes', - 'checked' => TRUE - ), - */ - // If language is set in Consent module it will be added as an attribute. 
- 98 => 'core:LanguageAdaptor', - ), - /* - * Authentication processing filters that will be executed for all IdPs - * Both Shibboleth and SAML 2.0 - */ - 'authproc.sp' => array( - /* - 10 => array( - 'class' => 'core:AttributeMap', 'removeurnprefix' - ), - */ - - /* When called without parameters, it will fallback to filter attributes ‹the old way› - * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote. - */ - 50 => 'core:AttributeLimit', - - /* - * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation. - */ - 60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'), - // All users will be members of 'users' and 'members' - 61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')), - - // Adopts language from attribute to use in UI - 90 => 'core:LanguageAdaptor', - - - ), - - - /* - * This option configures the metadata sources. The metadata sources is given as an array with - * different metadata sources. When searching for metadata, simpleSAMPphp will search through - * the array from start to end. - * - * Each element in the array is an associative array which configures the metadata source. - * The type of the metadata source is given by the 'type' element. For each type we have - * different configuration options. - * - * Flat file metadata handler: - * - 'type': This is always 'flatfile'. - * - 'directory': The directory we will load the metadata files from. The default value for - * this option is the value of the 'metadatadir' configuration option, or - * 'metadata/' if that option is unset. - * - * XML metadata handler: - * This metadata handler parses an XML file with either an EntityDescriptor element or an - * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote - * web server. - * The XML hetadata handler defines the following options: - * - 'type': This is always 'xml'. 
- * - 'file': Path to the XML file with the metadata. - * - 'url': The url to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE. - * - * - * Examples: - * - * This example defines two flatfile sources. One is the default metadata directory, the other - * is a metadata directory with autogenerated metadata files. - * - * 'metadata.sources' => array( - * array('type' => 'flatfile'), - * array('type' => 'flatfile', 'directory' => 'metadata-generated'), - * ), - * - * This example defines a flatfile source and an XML source. - * 'metadata.sources' => array( - * array('type' => 'flatfile'), - * array('type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'), - * ), - * - * - * Default: - * 'metadata.sources' => array( - * array('type' => 'flatfile') - * ), - */ - 'metadata.sources' => array( - array('type' => 'flatfile'), - ), - - - /* - * Configure the datastore for simpleSAMLphp. - * - * - 'phpsession': Limited datastore, which uses the PHP session. - * - 'memcache': Key-value datastore, based on memcache. - * - 'sql': SQL datastore, using PDO. - * - * The default datastore is 'phpsession'. - * - * (This option replaces the old 'session.handler'-option.) - */ - 'store.type' => 'phpsession', - - - /* - * The DSN the sql datastore should connect to. - * - * See http://www.php.net/manual/en/pdo.drivers.php for the various - * syntaxes. - */ - 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', - - /* - * The username and password to use when connecting to the database. - */ - 'store.sql.username' => NULL, - 'store.sql.password' => NULL, - - /* - * The prefix we should use on our tables. - */ - 'store.sql.prefix' => 'simpleSAMLphp', - - - /* - * Configuration for the MemcacheStore class. This allows you to store - * multiple redudant copies of sessions on different memcache servers. - * - * 'memcache_store.servers' is an array of server groups. Every data - * item will be mirrored in every server group. 
- * - * Each server group is an array of servers. The data items will be - * load-balanced between all servers in each server group. - * - * Each server is an array of parameters for the server. The following - * options are available: - * - 'hostname': This is the hostname or ip address where the - * memcache server runs. This is the only required option. - * - 'port': This is the port number of the memcache server. If this - * option isn't set, then we will use the 'memcache.default_port' - * ini setting. This is 11211 by default. - * - 'weight': This sets the weight of this server in this server - * group. http://php.net/manual/en/function.Memcache-addServer.php - * contains more information about the weight option. - * - 'timeout': The timeout for this server. By default, the timeout - * is 3 seconds. - * - * Example of redudant configuration with load balancing: - * This configuration makes it possible to lose both servers in the - * a-group or both servers in the b-group without losing any sessions. - * Note that sessions will be lost if one server is lost from both the - * a-group and the b-group. - * - * 'memcache_store.servers' => array( - * array( - * array('hostname' => 'mc_a1'), - * array('hostname' => 'mc_a2'), - * ), - * array( - * array('hostname' => 'mc_b1'), - * array('hostname' => 'mc_b2'), - * ), - * ), - * - * Example of simple configuration with only one memcache server, - * running on the same computer as the web server: - * Note that all sessions will be lost if the memcache server crashes. - * - * 'memcache_store.servers' => array( - * array( - * array('hostname' => 'localhost'), - * ), - * ), - * - */ - 'memcache_store.servers' => array( - array( - array('hostname' => 'localhost'), - ), - ), - - - /* - * This value is the duration data should be stored in memcache. Data - * will be dropped from the memcache servers when this time expires. - * The time will be reset every time the data is written to the - * memcache servers. 
- * - * This value should always be larger than the 'session.duration' - * option. Not doing this may result in the session being deleted from - * the memcache servers while it is still in use. - * - * Set this value to 0 if you don't want data to expire. - * - * Note: The oldest data will always be deleted if the memcache server - * runs out of storage space. - */ - 'memcache_store.expires' => 36 * (60*60), // 36 hours. - - - /* - * Should signing of generated metadata be enabled by default. - * - * Metadata signing can also be enabled for a individual SP or IdP by setting the - * same option in the metadata for the SP or IdP. - */ - 'metadata.sign.enable' => FALSE, - - /* - * The default key & certificate which should be used to sign generated metadata. These - * are files stored in the cert dir. - * These values can be overridden by the options with the same names in the SP or - * IdP metadata. - * - * If these aren't specified here or in the metadata for the SP or IdP, then - * the 'certificate' and 'privatekey' option in the metadata will be used. - * if those aren't set, signing of metadata will fail. - */ - 'metadata.sign.privatekey' => NULL, - 'metadata.sign.privatekey_pass' => NULL, - 'metadata.sign.certificate' => NULL, - - - /* - * Proxy to use for retrieving URLs. - * - * Example: - * 'proxy' => 'tcp://proxy.example.com:5100' - */ - 'proxy' => NULL, - - 'trusted.url.domains' => array(), - 'module.enable' => [ - 'sqlauth' => true, - ], - -); diff --git a/roles/diyidp/templates/diyidp-pool-72.conf.j2 b/roles/diyidp/templates/diyidp-pool-72.conf.j2 deleted file mode 100644 index 33da0c132..000000000 --- a/roles/diyidp/templates/diyidp-pool-72.conf.j2 +++ /dev/null 
@@ -1,225 +0,0 @@ -; Create a new pool named diyidp. -[diyidp] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/diyidp-pool-72.sock -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ diyidp_fpm_user }} -group = {{ diyidp_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 20 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -;pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.max_spare_servers = 5 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = 300 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/diyidp-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/diyidp -php_value[disable_functions] = {{ php_disabled_functions }} diff --git a/roles/diyidp/templates/diyidp.conf.j2 b/roles/diyidp/templates/diyidp.conf.j2 deleted file mode 100644 index c055f3b82..000000000 
--- a/roles/diyidp/templates/diyidp.conf.j2 +++ /dev/null @@ -1,30 +0,0 @@ -Listen {{ apache_app_listen_address.diyidp }}:{{ loadbalancing.diyidp.port }} - - ServerName https://{{ diyidp_domain }} - ServerAdmin {{ admin_email }} - DirectoryIndex index.php - DocumentRoot {{ diyidp_current_release_symlink }}/www - - SetEnv HTTPS on - Alias /simplesaml "{{ diyidp_current_release_symlink }}/www" - - Require all granted - - Options -MultiViews - RewriteEngine On - - - Redirect permanent /simplesaml/showusers.php /showusers.php - - # Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/diyidp-pool-72.sock|fcgi://localhost/{{ diyidp_current_release_symlink }}/www/$1 - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-DIYIDP'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-DIYIDP'" combined - diff --git a/roles/diyidp/templates/frontpage.definition.json.j2 b/roles/diyidp/templates/frontpage.definition.json.j2 deleted file mode 100644 index b42c6eb6f..000000000 --- a/roles/diyidp/templates/frontpage.definition.json.j2 +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "page_title": { - "en": "SimpleSAMLphp installation page" - }, - "intro": { - "en": {{ diyidp_welcome_text }} - }, - "useful_links_header": { - "en": "Useful links for your installation" - }, - "metadata_header": { - "en": "Metadata" - }, - "doc_header": { - "en": "Documentation" - }, - "checkphp": { - "en": "Checking your PHP installation" - }, - "about_header": { - "en": "About SimpleSAMLphp" - }, - "about_text": { - "en": "This SimpleSAMLphp thing is pretty cool, where can I read more about it? You can find more information about it at the SimpleSAMLphp web page <\/a> over at UNINETT<\/a>." - }, - "required": { - "en": "Required" - }, - "required_ldap": { - "en": "Required for LDAP" - }, - "required_radius": { - "en": "Required for Radius" - }, - "optional": { - "en": "Optional" - }, - "reccomended": { - "en": "Recommended" - }, - "warnings": { - "en": "Warnings" - }, - "warnings_https": { - "en": "You are not using HTTPS<\/strong> - encrypted communication with the user. HTTP works fine for test purposes, but in a production environment, you should use HTTPS. [ Read more about SimpleSAMLphp maintenance<\/a> ]" - }, - "warnings_secretsalt": { - "en": "The configuration uses the default secret salt - make sure you modify the default 'secretsalt' option in the simpleSAML configuration in production environments. [Read more about SimpleSAMLphp configuration<\/a> ]" - }, - "warnings_suhosin_url_length": { - "en": "The length of query parameters is limited by the PHP Suhosin extension. Please increase the suhosin.get.max_value_length option to at least 2048 bytes." 
- }, - "link_saml2example": { - "en": "SAML 2.0 SP example - test logging in through your IdP" - }, - "link_shib13example": { - "en": "Shibboleth 1.3 SP example - test logging in through your Shib IdP" - }, - "link_openidprovider": { - "en": "OpenID Provider site - Alpha version (test code)" - }, - "link_diagnostics": { - "en": "Diagnostics on hostname, port and protocol" - }, - "link_phpinfo": { - "en": "PHP info" - }, - "link_meta_overview": { - "en": "Metadata overview for your installation. Diagnose your metadata files" - }, - "link_meta_saml2sphosted": { - "en": "Hosted SAML 2.0 Service Provider Metadata (automatically generated)" - }, - "link_meta_saml2idphosted": { - "en": "Hosted SAML 2.0 Identity Provider Metadata (automatically generated)" - }, - "link_meta_shib13sphosted": { - "en": "Hosted Shibboleth 1.3 Service Provider Metadata (automatically generated)" - }, - "link_meta_shib13idphosted": { - "en": "Hosted Shibboleth 1.3 Identity Provider Metadata (automatically generated)" - }, - "link_xmlconvert": { - "en": "XML to SimpleSAMLphp metadata converter" - }, - "link_doc_install": { - "en": "Installing SimpleSAMLphp" - }, - "link_doc_sp": { - "en": "Using SimpleSAMLphp as a Service Provider" - }, - "link_doc_idp": { - "en": "Using SimpleSAMLphp as an Identity Provider" - }, - "link_doc_shibsp": { - "en": "Configure Shibboleth 1.3 SP to work with SimpleSAMLphp IdP" - }, - "link_doc_googleapps": { - "en": "SimpleSAMLphp as an IdP for Google Apps for Education" - }, - "link_doc_advanced": { - "en": "SimpleSAMLphp Advanced Features" - }, - "link_doc_maintenance": { - "en": "SimpleSAMLphp Maintenance and Configuration" - }, - "link_configcheck": { - "en": "SimpleSAMLphp configuration check" - }, - "link_cleardiscochoices": { - "en": "Delete my choices of IdP in the IdP discovery services" - }, - "welcome": { - "en": "Welcome" - }, - "configuration": { - "en": "Configuration" - }, - "metadata": { - "en": "Metadata" - }, - "tools": { - "en": "Tools" - }, - 
"show_metadata": { - "en": "Show metadata" - }, - "login_as_admin": { - "en": "Login as administrator" - }, - "loggedin_as_admin": { - "en": "You are logged in as administrator" - }, - "auth": { - "en": "Authentication" - }, - "federation": { - "en": "Federation" - }, - "authtest": { - "en": "Test configured authentication sources " - }, - "deprecated": { - "en": "Deprecated" - } -} diff --git a/roles/diyidp/templates/login.definition.json.j2 b/roles/diyidp/templates/login.definition.json.j2 deleted file mode 100644 index a7c0969e9..000000000 --- a/roles/diyidp/templates/login.definition.json.j2 +++ /dev/null @@ -1,68 +0,0 @@ -{ - "error_header": { - "en": "Error" - }, - "user_pass_header": { - "en": "Enter your username and password" - }, - "user_pass_text": { - "en": "A service has requested you to authenticate yourself. Please enter your username and password in the form below.

The list of known users and their attributes is available here.

" - }, - "login_button": { - "en": "Login" - }, - "processing": { - "en": "Processing..." - }, - "username": { - "en": "Username" - }, - "organization": { - "en": "Organization" - }, - "password": { - "en": "Password" - }, - "help_header": { - "en": "Help! I don't remember my password." - }, - "help_text": { - "en": "Too bad! - Without your username and password you cannot authenticate yourself for access to the service. There may be someone that can help you. Consult the help desk at your organization!" - }, - "error_nopassword": { - "en": "You sent something to the login page, but for some reason the password was not sent. Try again please." - }, - "error_wrongpassword": { - "en": "Incorrect username or password." - }, - "select_home_org": { - "en": "Choose your home organization" - }, - "next": { - "en": "Next" - }, - "change_home_org_title": { - "en": "Change your home organization" - }, - "change_home_org_text": { - "en": "You have chosen %HOMEORG%<\/b> as your home organization. If this is wrong you may choose another one." - }, - "change_home_org_button": { - "en": "Choose home organization" - }, - "help_desk_link": { - "en": "Help desk homepage" - }, - "help_desk_email": { - "en": "Send e-mail to help desk" - }, - "contact_info": { - "en": "Contact information:" - }, - "remember_username": { - "en": "Remember my username" - }, - "remember_me": { - "en": "Remember me" - } -} diff --git a/roles/diyidp/templates/saml20-idp-hosted.php.j2 b/roles/diyidp/templates/saml20-idp-hosted.php.j2 index 22cfaff44..6b8577f55 100644 --- a/roles/diyidp/templates/saml20-idp-hosted.php.j2 +++ b/roles/diyidp/templates/saml20-idp-hosted.php.j2 @@ -5,7 +5,7 @@ * See: https://rnd.feide.no/content/idp-hosted-metadata-reference */ -$metadata['__DYNAMIC:1__'] = array( +$metadata['https://diyidp.{{ base_domain}}'] = array( /* * The hostname of the server (VHOST) that will use this SAML entity. * 
@@ -49,23 +49,6 @@ $metadata['__DYNAMIC:1__'] = array(
 // Convert LDAP names to oids.
 100 => array('class' => 'core:AttributeMap', 'name2oid'),
 200 => array('class' => 'core:AttributeMap', 'name2urn'),
- 300 => array('class' => 'saml:PersistentNameID', 'attribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' ),
+ 300 => array('class' => 'saml:PersistentNameID', 'identifyingAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' ),
 ),
-
- /*
- * Uncomment the following to specify the registration information in the
- * exported metadata. Refer to:
- * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
- * for more information.
- */
- /*
- 'RegistrationInfo' => array(
- 'authority' => 'urn:mace:example.org',
- 'instant' => '2008-01-17T11:28:03Z',
- 'policies' => array(
- 'en' => 'http://example.org/policy',
- 'es' => 'http://example.org/politica',
- ),
- ),
- */
 );
diff --git a/roles/diyidp/templates/showusers.php.j2 b/roles/diyidp/templates/showusers.php.j2
index 8aa11b589..ad13e89b0 100644
--- a/roles/diyidp/templates/showusers.php.j2
+++ b/roles/diyidp/templates/showusers.php.j2
@@ -4,17 +4,30 @@
 $dbuser = "{{ diyidp.db_user }}";
 $dbpass = "{{ diyidp.db_password }}";
 $dbhost = "{{ diyidp.db_host }}";
-
-function doQuery($qryString, $dbuser, $dbpass, $dbhost) {
-
- // Make a MySQL Connection
- mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
-
- // Retrieve the data
- $setUTF8 = mysql_query("SET NAMES utf8");
- $result = mysql_query($qryString) or die(mysql_error());
-
- return $result;
+$dbname = "{{ diyidp.db_name }}";
+
+function doQuery($qryString, $dbuser, $dbpass, $dbhost, $dbname) {
+ try {
+ // Create a new PDO connection
+ $dsn = "mysql:host=$dbhost;dbname=$dbname;charset=utf8";
+ $pdo = new PDO($dsn, $dbuser, $dbpass);
+ $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+ // Prepare and execute the query
+ $stmt = $pdo->prepare($qryString);
+ $stmt->execute();
+ // Return the rows
+ $rows = [];
+ while ($r = $stmt->fetch(PDO::FETCH_ASSOC)) {
+ $rows[] = $r;
+ }
+
+ return $rows;
+
+ }
+ catch (PDOException $e) {
+ die("PDO Error: " . $e->getMessage());
+ }
 }
 
 /**
@@ -206,14 +219,7 @@ GROUP BY diy.uid
 ORDER BY LPAD(lower(username), 2,0), LPAD(lower(username), 10,0)";
 
 // Run the query
- $qryrset = doQuery($sqlString, $dbuser, $dbpass, $dbhost);
-
- //var_dump($qryrset);
-
- $rows = array();
- while($r = mysql_fetch_assoc($qryrset)) {
- $rows[] = $r;
- }
+ $rows = doQuery($sqlString, $dbuser, $dbpass, $dbhost, $dbname);
 
 $htmlTable = array2table($rows);
 print_r($htmlTable);
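Review bot: The catch block in the new doQuery prints `$e->getMessage()` straight into the HTTP response, and a PDO connection failure message normally carries the database user and host, so a visitor of showusers.php learns connection details whenever the database is unreachable; log the detail server-side and fail with a generic text, `error_log("showusers: " . $e->getMessage()); die("Database error");`. prepare()/execute() with no bound values gives no injection protection by itself, because `$qryString` arrives fully assembled from the caller; an optional `$params = []` parameter passed to `$stmt->execute($params)` would let callers bind values instead of concatenating them. The `$sqlString` handed over in the second hunk is assembled outside the hunk, so whether any request input reaches it cannot be confirmed from here; the visible tail reads as a fixed statement.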