Merged in feature/SHIBUI-1751 (pull request #542)
Feature/SHIBUI-1751
Jonathan Johnson committed Oct 18, 2021
2 parents 1cfcb47 + 05e7a12 commit 006b7fb
Showing 35 changed files with 6,824 additions and 0 deletions.
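--- a/testbed/integration/cheat.html
+++ b/testbed/integration/cheat.html
@@ -0,0 +1,110 @@
+<html>
+<body>
+<h2>Reload Service</h2>
+<form action="https://idp.unicon.local/idp/profile/admin/reload-service" target="_blank" method="get">
+<label for="id">id</label>
+<select name="id" id="id">
+<option value="shibboleth.LoggingService">LoggingService</option>
+<option value="shibboleth.AttributeFilterService">AttributeFilterService</option>
+<option value="shibboleth.AttributeResolverService">AttributeResolverService</option>
+<option value="shibboleth.AttributeRegistryService">AttributeRegistryService</option>
+<option value="shibboleth.NameIdentifierGenerationService">NameIdentifierGenerationService</option>
+<option value="shibboleth.RelyingPartyResolverService">RelyingPartyResolverService</option>
+<option value="shibboleth.MetadataResolverService">MetadataResolverService</option>
+<option value="shibboleth.ReloadableAccessControlService">ReloadableAccessControlService</option>
+<option value="shibboleth.ReloadableCASServiceRegistry">ReloadableCASServiceRegistry</option>
+</select>
+<input type="submit" />
+</form>
+<h2>Attribute Resolution</h2>
+<form action="https://idp.unicon.local/idp/profile/admin/resolvertest" target="_blank" method="get">
+<table>
+<tr>
+<td>
+<label for="requester">Requester</label>
+</td>
+<td>
+<input name="requester" id="requester" type="text" />
+</td>
+</tr>
+<tr>
+<td>
+<label for="principal">Principal</label>
+</td>
+<td>
+<input name="principal" id="principal" type="text" />
+</td>
+</tr>
+<tr>
+<td>
+<label for="acsIndex">acs index</label>
+</td>
+<td>
+<input name="acsIndex" id="acsIndex" type="number" />
+</td>
+</tr>
+<tr>
+<td>
+<label for="saml1">SAML1</label>
+</td>
+<td>
+<input name="saml1" id="saml1" type="checkbox" />
+</td>
+</tr>
+<tr>
+<td>
+<label for="saml2">SAML2</label>
+</td>
+<td>
+<input name="saml2" id="saml2" type="checkbox" />
+</td>
+</tr>
+</table>
+<input type="submit" />
+
+</form>
+<form action="https://idp.unicon.local/idp/profile/admin/mdquery" target="_blank" method="get">
+<h2>Metadata Query</h2>
+<table>
+<tr>
+<td>
+<label for="entityID">Entity ID</label>
+</td>
+<td>
+<input name="entityID" id="entityID" type="text" />
+</td>
+</tr>
+</table>
+<input type="submit" />
+</form>
+<form action="https://idp.unicon.local/idp/profile/admin/reload-metadata" target="_blank" method="get">
+<h2>Reload Metadata</h2>
+<table>
+<tr>
+<td>
+<label for="id">provider id</label>
+</td>
+<td>
+<input name="id" id="provider" type="text" />
+</td>
+</tr>
+</table>
+<input type="submit" />
+</form>
+<form action="https://idp.unicon.local/idp/profile/SAML2/Unsolicited/SSO" target="_blank" method="get">
+<h2>Unsolicited SSO</h2>
+<table>
+<tr>
+<td>
+<label for="providerId">provider id</label>
+</td>
+<td>
+<input name="providerId" type="text" />
+</td>
+</tr>
+</table>
+<input type="submit" />
+</form>
+<a href="https://idp.unicon.local/idp/profile/admin/metrics" target="_blank">metrics</a>
+</body>
+</html>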
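Review bot: The label `<label for="id">provider id</label>` in the Reload Metadata form binds to the `<select id="id">` of the Reload Service form, because `id` values are document-unique and the matching text input is declared as `id="provider"`; change it to `<label for="provider">provider id</label>`. The Unsolicited SSO form has the mirror problem: `<label for="providerId">` has no target because its input carries only a `name`, so it should read `<input name="providerId" id="providerId" type="text" />`. Every form action hard-codes `https://idp.unicon.local` admin endpoints; a one-line HTML comment at the top stating that this is a testbed-only helper for the local IdP, and which host it assumes, would keep the next reader from reusing it against another deployment.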
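--- a/testbed/integration/docker-compose.yml
+++ b/testbed/integration/docker-compose.yml
@@ -0,0 +1,103 @@
+version: "3.8"
+
+services:
+reverse-proxy:
+image: library/traefik:v2.5.2
+command:
+- "--api.insecure=true"
+- "--providers.docker=true"
+- "--providers.docker.exposedbydefault=false"
+- "--entrypoints.web-secure.address=:443"
+- "--providers.file.directory=/configuration/"
+- "--providers.file.watch=true"
+# - "--log.level=DEBUG"
+networks:
+reverse-proxy:
+aliases:
+- idp.unicon.local
+ports:
+- "80:80"
+- "8080:8080"
+- "443:443"
+- "8443:8443"
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock
+- ../reverse-proxy/:/configuration/
+- ../reverse-proxy/certs/:/certs/
+directory:
+build: ../directory
+networks:
+- idp
+volumes:
+- directory_data:/var/lib/ldap
+- directory_config:/etc/ldap/slapd.d
+- ../directory/certs:/container/service/slapd/assets/certs
+environment:
+LDAP_BASE_DN: "dc=unicon,dc=local"
+LDAP_DOMAIN: "unicon.local"
+HOSTNAME: "directory"
+LDAP_TLS_VERIFY_CLIENT: "try"
+idp:
+build: ./shibboleth-idp
+labels:
+- "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)"
+- "traefik.http.services.idp.loadbalancer.server.port=8080"
+- "traefik.http.routers.idp.tls=true"
+- "traefik.docker.network=integration_reverse-proxy"
+- "traefik.enable=true"
+depends_on:
+- directory
+- reverse-proxy
+networks:
+- reverse-proxy
+- idp
+volumes:
+- ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
+- dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
+- dynamic_config:/opt/shibboleth-idp/conf/dynamic
+healthcheck:
+disable: true
+shib-idp-ui:
+image: unicon/shibui:latest
+labels:
+- "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)"
+- "traefik.http.services.shibui.loadbalancer.server.port=8080"
+- "traefik.http.routers.shibui.tls=true"
+- "traefik.docker.network=integration_reverse-proxy"
+- "traefik.enable=true"
+networks:
+- reverse-proxy
+- backend
+volumes:
+- ./shibui:/conf
+- ./shibui/application.yml:/application.yml
+- dynamic_metadata:/var/shibboleth/dynamic_metadata
+- dynamic_config:/var/shibboleth/dynamic_config
+- ./shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem
+environment:
+- "IDP_HOME=/opt/shibboleth-idp"
+database:
+image: postgres:14-alpine
+environment:
+POSTGRES_PASSWORD: shibui
+POSTGRES_USER: shibui
+POSTGRES_DB: shibui
+networks:
+- backend
+volumes:
+- database_data:/var/lib/postgresql/data
+networks:
+reverse-proxy:
+idp:
+backend:
+volumes:
+directory_data:
+driver: local
+directory_config:
+driver: local
+dynamic_metadata:
+driver: local
+dynamic_config:
+driver: local
+database_data:
+driver: local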
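Review bot: `--api.insecure=true` on the reverse-proxy service combined with the published `"8080:8080"` port serves the Traefik API and dashboard without authentication to anything that can reach the host, and the same container mounts `/var/run/docker.sock`, so that endpoint deserves a guard even in a testbed. If the dashboard is only used from the host, binding the publication to loopback, `- "127.0.0.1:8080:8080"`, keeps the current workflow while removing the network exposure; otherwise a comment such as `# testbed only: unauthenticated Traefik API/dashboard on host port 8080` should record the tradeoff next to the flag. `image: unicon/shibui:latest` is the only unpinned image in the file (traefik and postgres are tagged, the IdP and directory are built locally), which makes integration runs non-reproducible; pin it to the tag under test. `POSTGRES_PASSWORD: shibui` is a fixed plaintext credential for the `backend` network; acceptable for a throwaway testbed, but a comment saying so would stop it from being copied into a longer-lived compose file.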
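--- a/testbed/integration/shibboleth-idp/Dockerfile
+++ b/testbed/integration/shibboleth-idp/Dockerfile
@@ -0,0 +1,25 @@
+FROM i2incommon/shib-idp:4.1.4_20210802
+
+# The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config.
+ARG TOMCFG=config/tomcat
+ARG TOMCERT=credentials/tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config/shib-idp/conf
+ARG SHBCREDS=credentials/shib-idp
+ARG SHBVIEWS=config/shib-idp/views
+ARG SHBEDWAPP=config/shib-idp/edit-webapp
+ARG SHBMSGS=config/shib-idp/messages
+ARG SHBMD=config/shib-idp/metadata
+
+# copy in the needed config files
+ADD ${TOMCFG} /usr/local/tomcat/conf
+ADD ${TOMCERT} /opt/certs
+ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
+ADD ${SHBCFG} /opt/shibboleth-idp/conf
+ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
+#ADD ${SHBVIEWS} /opt/shibboleth-idp/views
+#ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+#ADD ${SHBMSGS} /opt/shibboleth-idp/messages
+ADD ${SHBMD} /opt/shibboleth-idp/metadata
+
+EXPOSE 8080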
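Review bot: The six active `ADD` lines copy local build-context paths, where `COPY` is the intended instruction: `ADD` additionally auto-extracts tar archives and accepts remote URLs, so an archive dropped into one of these directories would be unpacked into the image instead of copied, e.g. `COPY ${SHBCREDS} /opt/shibboleth-idp/credentials`. That same line bakes the IdP credentials directory (`credentials/shib-idp`) into an image layer, which the header comment calls a "completely burned-in config"; a comment such as `# credentials are burned into the image layers: build and run locally, do not push this image` above the copy block would make the constraint explicit for whoever tags it next. The three commented-out lines for SHBVIEWS, SHBEDWAPP and SHBMSGS leave their ARGs declared but unused; either drop those ARGs or add a comment stating why they are kept.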
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
Map of access control policies used to limit access to administrative functions.
The purpose of the map is to label policies with a key/name so they can be reused.
-->

<!--
Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
The ranges provided MUST be CIDR network expressions. To specify a single address,
add "/32" or "/128" for IPv4 or IPv6 respectively.
The additional examples below demonstrate how to control access by username
and by attribute(s), in the case of authenticated access to admin functions.
-->

<util:map id="shibboleth.AccessControlPolicies">

<entry key="AccessByIPAddress">
<bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
</entry>

<!--
<entry key="AccessByAdminUser">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
</constructor-arg>
</bean>
</entry>
-->

<!--
<entry key="AccessByAttribute">
<bean parent="shibboleth.PredicateAccessControl">
<constructor-arg>
<bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
<property name="attributeValueMap">
<map>
<entry key="eduPersonEntitlement">
<list>
<value>https://example.org/entitlement/idpadmin</value>
</list>
</entry>
</map>
</property>
</bean>
</constructor-arg>
</bean>
</entry>
-->

</util:map>

</beans>
