From d75ecf68d121760421bd0732749a87fa272079a5 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Fri, 8 Mar 2024 11:57:39 -0700 Subject: [PATCH 1/6] IDP-892 - enable modules using module.enable in config.php --- development/idp-local/config/config.php | 6 ++++++ development/idp2-local/config/config.php | 6 ++++++ development/sp-local/config/config.php | 6 ++++++ development/sp2-local/config/config.php | 6 ++++++ dockerbuild/ssp-overrides/config.php | 6 ++++++ 5 files changed, 30 insertions(+) diff --git a/development/idp-local/config/config.php b/development/idp-local/config/config.php index 4dcfac9d..5494f11a 100644 --- a/development/idp-local/config/config.php +++ b/development/idp-local/config/config.php @@ -595,6 +595,12 @@ 'module.enable' => [ // Setting to TRUE enables. 'authgoogle' => $GOOGLE_ENABLE, + 'expirychecker' => true, + 'material' => true, + 'mfa' => true, + 'profilereview' => true, + 'silauth' => true, + 'sildisco' => true, ], diff --git a/development/idp2-local/config/config.php b/development/idp2-local/config/config.php index 4d3aeb1a..51596669 100644 --- a/development/idp2-local/config/config.php +++ b/development/idp2-local/config/config.php @@ -327,6 +327,12 @@ 'module.enable' => [ // Setting to TRUE enables. 'authgoogle' => $GOOGLE_ENABLE, + 'expirychecker' => true, + 'material' => true, + 'mfa' => true, + 'profilereview' => true, + 'silauth' => true, + 'sildisco' => true, ], /* diff --git a/development/sp-local/config/config.php b/development/sp-local/config/config.php index 2470d2ab..c5815a99 100644 --- a/development/sp-local/config/config.php +++ b/development/sp-local/config/config.php @@ -297,6 +297,12 @@ 'module.enable' => [ // Setting to TRUE enables. 'authgoogle' => $GOOGLE_ENABLE, + 'expirychecker' => true, + 'material' => true, + 'mfa' => true, + 'profilereview' => true, + 'silauth' => true, + 'sildisco' => true, ], /* 
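Review bot: The sp-local config now enables `silauth`, `mfa`, `profilereview` and `expirychecker` unconditionally, which read as IdP-side authentication modules rather than anything an SP role needs, and SimpleSAMLphp serves each enabled module's pages under `module.php/<name>/`, so this widens what the SP container exposes. If the SP role does not use them, list only what it needs, or gate each entry on an environment flag the way `authgoogle` is already gated on `$GOOGLE_ENABLE`. At minimum a comment such as `// All modules enabled for local development; production gates these per role` would record that the blanket enable is deliberate. The enclosing configuration array starts and ends outside the hunk.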
diff --git a/development/sp2-local/config/config.php b/development/sp2-local/config/config.php index 52102c46..d26855df 100644 --- a/development/sp2-local/config/config.php +++ b/development/sp2-local/config/config.php @@ -297,6 +297,12 @@ 'module.enable' => [ // Setting to TRUE enables. 'authgoogle' => $GOOGLE_ENABLE, + 'expirychecker' => true, + 'material' => true, + 'mfa' => true, + 'profilereview' => true, + 'silauth' => true, + 'sildisco' => true, ], /* diff --git a/dockerbuild/ssp-overrides/config.php b/dockerbuild/ssp-overrides/config.php index 6f630d70..2702bc17 100644 --- a/dockerbuild/ssp-overrides/config.php +++ b/dockerbuild/ssp-overrides/config.php @@ -595,6 +595,12 @@ 'module.enable' => [ // Setting to TRUE enables. 'authgoogle' => $GOOGLE_ENABLE, + 'expirychecker' => true, + 'material' => true, + 'mfa' => true, + 'profilereview' => true, + 'silauth' => true, + 'sildisco' => true, ], From d0f45902e6f38d50e19eb4d874029b4cb3dd2139 Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Fri, 8 Mar 2024 12:06:23 -0700 Subject: [PATCH 2/6] set COMPOSER_ALLOW_SUPERUSER=1 in Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ed25a14e..9027aca3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,7 +9,7 @@ RUN apt-get update -y \ php-gmp \ php-memcached \ && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + && rm -rf /var/lib/apt/lists/* # Create required directories RUN mkdir -p /data 
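Review bot: `dockerbuild/ssp-overrides/config.php` is the configuration that ships in the image, and this hunk enables every module with a literal `true` while the adjacent `authgoogle` entry stays gated on `$GOOGLE_ENABLE`, so a deployment cannot turn off a module it does not use without rebuilding. The other configs in this series read role switches from the environment (`HUB_MODE`, `SAML20_IDP_ENABLE`, `Env::get(...)`), which suggests one image serves several roles; following that pattern here, e.g. `'mfa' => Env::get('MFA_ENABLE', true),`, keeps today's behaviour as the default while letting an SP-only deployment drop IdP modules. Each enabled module adds reachable endpoints, so the smaller the enabled set per role, the less there is to patch and monitor. The enclosing configuration array starts and ends outside the hunk.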
@@ -41,7 +41,7 @@ COPY composer.lock /data/
 # It is not well understood what changed in composer, but since the overrides will need to be redesigned during
 # the SimpleSAMLphp 2.x upgrade, this issue is deferred until then.
 #RUN composer self-update --no-interaction
-RUN composer install --prefer-dist --no-interaction --no-dev --optimize-autoloader --no-scripts --no-progress
+RUN COMPOSER_ALLOW_SUPERUSER=1 composer install --prefer-dist --no-interaction --no-dev --optimize-autoloader --no-scripts --no-progress
 
 # Copy in SSP override files
 ENV SSP_PATH /data/vendor/simplesamlphp/simplesamlphp

From e4502ff7852ed4e202ba64db09e8e8549a5a8e21 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Fri, 8 Mar 2024 12:14:15 -0700
Subject: [PATCH 3/6] re-enable the composer self-update in Dockerfile

---
 Dockerfile | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9027aca3..95e011f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,11 +36,7 @@ WORKDIR /data
 # Install/cleanup composer dependencies
 COPY composer.json /data/
 COPY composer.lock /data/
-# TODO/FIXME: Disabled the self-update due to a breaking change between composer 2.6.6 and 2.7.1 that affects the
-# loading of the simplesamlphp/simplesamlphp/modules folder. The Docker build fails on the sildisco/sspoverrides line.
-# It is not well understood what changed in composer, but since the overrides will need to be redesigned during
-# the SimpleSAMLphp 2.x upgrade, this issue is deferred until then.
-#RUN composer self-update --no-interaction
+RUN composer self-update --no-interaction
 RUN COMPOSER_ALLOW_SUPERUSER=1 composer install --prefer-dist --no-interaction --no-dev --optimize-autoloader --no-scripts --no-progress
 
 # Copy in SSP override files

From 7046e16018560730f8529ab0e055abfb36839e4b Mon Sep 17 00:00:00 2001
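Review bot: `COMPOSER_ALLOW_SUPERUSER=1` on the `composer install` line only suppresses Composer's warning; the install still runs as root in the build stage, so any Composer plugin brought in by a dependency executes as root while writing into the image. `--no-scripts` is already present and covers package scripts, but it does not cover plugins, and the comment above this hunk implies the SimpleSAMLphp module installer plugin is in use. Prefer an explicit `allow-plugins` allowlist in `composer.json` (or `--no-plugins` if the installer turns out not to be needed) and, if the base image permits, run this step under a non-root `USER`; a comment such as `# Build runs as root; Composer plugins are restricted via composer.json allow-plugins` would explain why the acknowledgement is acceptable. The hunk's first two context lines are the tail of a comment that begins above it.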
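Review bot: `RUN composer self-update --no-interaction` downloads whichever Composer release is current at build time, unpinned and unverified beyond TLS, so the same commit can build differently from one day to the next and can break again exactly the way the removed comment describes for the 2.6.6 to 2.7.1 jump. Pin the version the build was verified against, for example `RUN composer self-update --no-interaction 2.7.2`, or copy a pinned binary from the official image (`COPY --from=composer:2.7.2 /usr/bin/composer /usr/local/bin/composer`) and drop the self-update entirely. The commit does not say whether the incompatibility noted in the removed comment was resolved or merely worked around; a one-line comment above the `RUN` stating which Composer version was tested and why the update is safe again would stop the next person from re-disabling it.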
From: briskt <3172830+briskt@users.noreply.github.com> Date: Tue, 26 Mar 2024 14:40:15 -0600 Subject: [PATCH 4/6] pull config from AppConfig if APP_ID is not empty --- Dockerfile | 3 +++ README.md | 20 ++++++++++++++++++++ dockerbuild/run.sh | 6 +++++- local.env.dist | 16 ++++++++++++++++ 4 files changed, 44 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 95e011f4..af1012b3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -55,6 +55,9 @@ COPY tests /data/tests RUN cp $SSP_PATH/modules/sildisco/sspoverrides/www_saml2_idp/SSOService.php $SSP_PATH/www/saml2/idp/ RUN chmod a+x /data/run.sh /data/run-tests.sh +ADD https://github.com/silinternational/config-shim/releases/latest/download/config-shim.gz config-shim.gz +RUN gzip -d config-shim.gz && chmod 755 config-shim && mv config-shim /usr/local/bin + EXPOSE 80 ENTRYPOINT ["/usr/local/bin/s3-expand"] CMD ["/data/run.sh"] diff --git a/README.md b/README.md index 79f62f12..19c2e4dc 100644 --- a/README.md +++ b/README.md 
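Review bot: The `ADD https://github.com/silinternational/config-shim/releases/latest/download/config-shim.gz` line pulls an unpinned binary over the network at build time with no integrity check, and `run.sh` in this same commit later executes that binary with the container's AWS credentials and lets it rewrite the environment handed to Apache, so a changed or compromised release silently changes what the IdP runs. Pin a release tag and verify a digest, for example `ADD --checksum=sha256:<digest> https://github.com/silinternational/config-shim/releases/download/vX.Y.Z/config-shim.gz config-shim.gz` with BuildKit, or fetch with `curl` and check `sha256sum -c` inside the `RUN` step before `gzip -d`. Record the pinned version and where the digest came from in a comment above the line so the next bump is deliberate rather than implicit.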
@@ -11,6 +11,26 @@ must be installed. [Vagrant](https://www.vagrantup.com) for Windows users. +## Configuration +By default, configuration is read from environment variables. These are documented +in the `local.env.dist` file. Optionally, you can define configuration in AWS AppConfig. +To do this, set the following environment variables to point to the configuration in +AWS: + +* `AWS_REGION` - the AWS region in use +* `APP_ID` - the application ID or name +* `CONFIG_ID` - the configuration profile ID or name +* `ENV_ID` - the environment ID or name + +In addition, the AWS API requires authentication. It is best to use an access role +such as an [ECS Task Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). +If that is not an option, you can specify an access token using the `AWS_ACCESS_KEY_ID` and +`AWS_SECRET_ACCESS_KEY` variables. + +The content of the configuration profile takes the form of a typical .env file, using +`#` for comments and `=` for variable assignment. Any variables read from AppConfig +will overwrite variables set in the execution environment. + ## Local testing 1. `cp local.env.dist local.env` within project root and make adjustments as needed. diff --git a/dockerbuild/run.sh b/dockerbuild/run.sh index 8fa2f08f..748fc0b6 100755 --- a/dockerbuild/run.sh +++ b/dockerbuild/run.sh @@ -17,7 +17,11 @@ cd /data cat /etc/*release | grep PRETTY php -v | head -n 1 -apache2ctl -k start -D FOREGROUND +if [[ -z "${APP_ID}" ]]; then + apache2ctl -k start -D FOREGROUND +else + config-shim --app $APP_ID --config $CONFIG_ID --env $ENV_ID apache2ctl -k start -D FOREGROUND +fi # endless loop with a wait is needed for the trap to work while true diff --git a/local.env.dist b/local.env.dist index 7f1a46cc..eba75656 100644 --- a/local.env.dist +++ b/local.env.dist 
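Review bot: In the new `else` branch `$APP_ID`, `$CONFIG_ID` and `$ENV_ID` are expanded unquoted and only `APP_ID` is tested, so an unset `CONFIG_ID` or `ENV_ID` shifts the argument list and `config-shim` receives `apache2ctl` as an option value, while any value containing whitespace is split into several arguments. Quote the expansions and fail early on the other two, e.g. `: "${CONFIG_ID:?required when APP_ID is set}"`, `: "${ENV_ID:?required when APP_ID is set}"`, then `config-shim --app "${APP_ID}" --config "${CONFIG_ID}" --env "${ENV_ID}" apache2ctl -k start -D FOREGROUND`. Since the README hunk in this commit states that AppConfig values override the execution environment, whoever can write that configuration profile can change any setting of the IdP, so write access to the profile deserves the same scrutiny as the task role itself.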
@@ -17,6 +17,22 @@ HUB_MODE=false IDPDISCO_LAYOUT= ENABLE_DEBUG= + +# === AWS AppConfig (optional) === + +# The AWS region in use +#AWS_REGION= + +# The AppConfig Application ID (or name) +#APP_ID= + +# The AppConfig Configuration Profile ID (or name) +#CONFIG_ID= + +# The AppConfig Environment ID (or name) +#ENV_ID= + + # LOGGING_LEVEL default is NOTICE, or may be one of: ERR, WARNING, NOTICE, INFO, DEBUG LOGGING_LEVEL= From 49a2de189429ab8bdbae7666e8e10c6c4cba9a1f Mon Sep 17 00:00:00 2001 From: briskt <3172830+briskt@users.noreply.github.com> Date: Thu, 28 Mar 2024 16:05:14 -0600 Subject: [PATCH 5/6] remove IDPDISCO_LAYOUT config option --- development/idp-local/config/config.php | 4 +--- development/idp2-local/config/config.php | 3 +-- development/sp-local/config/config.php | 3 +-- development/sp2-local/config/config.php | 3 +-- dockerbuild/ssp-overrides/config.php | 4 +--- local.env.dist | 1 - 6 files changed, 5 insertions(+), 13 deletions(-) diff --git a/development/idp-local/config/config.php b/development/idp-local/config/config.php index 5494f11a..685f66f1 100644 --- a/development/idp-local/config/config.php +++ b/development/idp-local/config/config.php @@ -56,8 +56,6 @@ // Options: https://github.com/silinternational/simplesamlphp-module-material/blob/develop/README.md#branding $THEME_COLOR_SCHEME = Env::get('THEME_COLOR_SCHEME', null); -$IDPDISCO_LAYOUT = Env::get('IDPDISCO_LAYOUT', 'links'); // Options: [links,dropdown] - $SECURE_COOKIE = Env::get('SECURE_COOKIE', true); $SESSION_DURATION = (int)(Env::get('SESSION_DURATION', (60 * 60 * 10))); // 10 hours. $SESSION_STORE_TYPE = Env::get('SESSION_STORE_TYPE', 'phpsession'); @@ -1072,7 +1070,7 @@ * * Options: [links,dropdown] */ - 'idpdisco.layout' => $IDPDISCO_LAYOUT, + 'idpdisco.layout' => 'links', /************************************* diff --git a/development/idp2-local/config/config.php b/development/idp2-local/config/config.php index 51596669..ac0501e0 100644 
--- a/development/idp2-local/config/config.php +++ b/development/idp2-local/config/config.php @@ -56,7 +56,6 @@ $SESSION_REMEMBERME_LIFETIME = (int)(Env::get('SESSION_REMEMBERME_LIFETIME', (14 * 86400))); // 14 days $SECURE_COOKIE = Env::get('SECURE_COOKIE', true); $THEME_USE = Env::get('THEME_USE', 'default'); -$IDPDISCO_LAYOUT = Env::get('IDPDISCO_LAYOUT', 'dropdown'); // Options: [links,dropdown] $SAML20_IDP_ENABLE = Env::get('SAML20_IDP_ENABLE', true); $GOOGLE_ENABLE = Env::get('GOOGLE_ENABLE', false); @@ -547,7 +546,7 @@ * Options: [links,dropdown] * */ - 'idpdisco.layout' => $IDPDISCO_LAYOUT, + 'idpdisco.layout' => 'links', /* * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication diff --git a/development/sp-local/config/config.php b/development/sp-local/config/config.php index c5815a99..4bd8af87 100644 --- a/development/sp-local/config/config.php +++ b/development/sp-local/config/config.php @@ -38,7 +38,6 @@ $SESSION_REMEMBERME_LIFETIME = (int)(Env::get('SESSION_REMEMBERME_LIFETIME', (14 * 86400))); // 14 days $SECURE_COOKIE = Env::get('SECURE_COOKIE', true); $THEME_USE = Env::get('THEME_USE', 'default'); -$IDPDISCO_LAYOUT = Env::get('IDPDISCO_LAYOUT', 'dropdown'); // Options: [links,dropdown] $SAML20_IDP_ENABLE = Env::get('SAML20_IDP_ENABLE', true); $GOOGLE_ENABLE = Env::get('GOOGLE_ENABLE', false); @@ -517,7 +516,7 @@ * Options: [links,dropdown] * */ - 'idpdisco.layout' => $IDPDISCO_LAYOUT, + 'idpdisco.layout' => 'links', /* * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication diff --git a/development/sp2-local/config/config.php b/development/sp2-local/config/config.php index d26855df..3c42682a 100644 --- a/development/sp2-local/config/config.php +++ b/development/sp2-local/config/config.php 
@@ -38,7 +38,6 @@ $SESSION_REMEMBERME_LIFETIME = (int)(Env::get('SESSION_REMEMBERME_LIFETIME', (14 * 86400))); // 14 days $SECURE_COOKIE = Env::get('SECURE_COOKIE', true); $THEME_USE = Env::get('THEME_USE', 'default'); -$IDPDISCO_LAYOUT = Env::get('IDPDISCO_LAYOUT', 'dropdown'); // Options: [links,dropdown] $SAML20_IDP_ENABLE = Env::get('SAML20_IDP_ENABLE', true); $GOOGLE_ENABLE = Env::get('GOOGLE_ENABLE', false); @@ -517,7 +516,7 @@ * Options: [links,dropdown] * */ - 'idpdisco.layout' => $IDPDISCO_LAYOUT, + 'idpdisco.layout' => 'links', /* * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication diff --git a/dockerbuild/ssp-overrides/config.php b/dockerbuild/ssp-overrides/config.php index 2702bc17..7f0280c6 100644 --- a/dockerbuild/ssp-overrides/config.php +++ b/dockerbuild/ssp-overrides/config.php @@ -56,8 +56,6 @@ // Options: https://github.com/silinternational/simplesamlphp-module-material/blob/develop/README.md#branding $THEME_COLOR_SCHEME = Env::get('THEME_COLOR_SCHEME', null); -$IDPDISCO_LAYOUT = Env::get('IDPDISCO_LAYOUT', 'links'); // Options: [links,dropdown] - $SECURE_COOKIE = Env::get('SECURE_COOKIE', true); $SESSION_DURATION = (int)(Env::get('SESSION_DURATION', (60 * 60 * 10))); // 10 hours. $SESSION_STORE_TYPE = Env::get('SESSION_STORE_TYPE', 'phpsession'); @@ -1072,7 +1070,7 @@ * * Options: [links,dropdown] */ - 'idpdisco.layout' => $IDPDISCO_LAYOUT, + 'idpdisco.layout' => 'links', /************************************* diff --git a/local.env.dist b/local.env.dist index eba75656..c847edfd 100644 --- a/local.env.dist +++ b/local.env.dist @@ -14,7 +14,6 @@ COMPOSER_AUTH={"github-oauth":{"github.com":"token-here"}} COMPOSER_CACHE_DIR=/composer GOOGLE_ENABLE= HUB_MODE=false -IDPDISCO_LAYOUT= ENABLE_DEBUG= From e911725383da890b6956bdd60bc4b1ffa169714c Mon Sep 17 00:00:00 2001 
From: briskt <3172830+briskt@users.noreply.github.com> Date: Fri, 5 Apr 2024 11:18:15 -0600 Subject: [PATCH 6/6] use github.event.repository.name for docker image name --- .github/workflows/test-and-publish.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/test-and-publish.yml b/.github/workflows/test-and-publish.yml index 01250e19..05245c7b 100644 --- a/.github/workflows/test-and-publish.yml +++ b/.github/workflows/test-and-publish.yml @@ -3,9 +3,6 @@ name: Test and Publish on: push: -env: - IMAGE_NAME: ${{ vars.DOCKER_ORG }}/ssp-base - jobs: tests: name: Tests @@ -38,7 +35,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.IMAGE_NAME }} + images: ${{ vars.DOCKER_ORG }}/${{ github.event.repository.name }} - name: Build and push Docker image uses: docker/build-push-action@v5 with: