Merged in feature/shibui-2393-testbed (pull request #626)

Feature/shibui 2393 testbed
TIER · Nov 16, 2022 · 38ce6f8 · 38ce6f8
2 parents 82e247c + 3346d9d
commit 38ce6f8
Show file tree

Hide file tree

Showing 22 changed files with 943 additions and 22 deletions.
diff --git a/testbed/authentication/shibboleth-idp/Dockerfile b/testbed/authentication/shibboleth-idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:4.0.0_20200518
+FROM i2incommon/shib-idp:4.2.1_20220624
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat

diff --git a/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml b/testbed/authentication/shibboleth-idp/config/shib-idp/conf/relying-party.xml
@@ -40,7 +40,7 @@
                 <ref bean="SAML1.AttributeQuery" />
                 <ref bean="SAML1.ArtifactResolution" />
                 -->
-                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML2.SSO" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
                 <!--

diff --git a/testbed/integration/docker-compose.yml b/testbed/integration/docker-compose.yml
@@ -48,9 +48,11 @@ services:
     depends_on:
       - directory
       - reverse-proxy
+      - database
     networks:
       - reverse-proxy
       - idp
+      - backend
     volumes:
       - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
       - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
@@ -86,6 +88,8 @@ services:
       - backend
     volumes:
       - database_data:/var/lib/postgresql/data
+      - ./shibboleth-idp/db/oidc_dynreg.sql:/docker-entrypoint-initdb.d/oidc_dynreg.sql
+
 networks:
   reverse-proxy:
   idp:

diff --git a/testbed/integration/shibboleth-idp/Dockerfile b/testbed/integration/shibboleth-idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp:4.1.4_20210802
+FROM i2incommon/shib-idp:4.2.1_20220624
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
@@ -10,16 +10,28 @@ ARG SHBVIEWS=config/shib-idp/views
 ARG SHBEDWAPP=config/shib-idp/edit-webapp
 ARG SHBMSGS=config/shib-idp/messages
 ARG SHBMD=config/shib-idp/metadata
+ARG OIDCREG=config/shib-idp/static
+ARG TOMREWRITE=config/tomcat/rewrite.config
+
+#enable OIDC plugins and generate needed keys
+ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
+RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/2.1.0/oidc-common-dist-2.1.0.tar.gz --noPrompt
+RUN /opt/shibboleth-idp/bin/plugin.sh -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-op/3.2.1/idp-plugin-oidc-op-distribution-3.2.1.tar.gz --noPrompt
+RUN /opt/shibboleth-idp/bin/module.sh -e idp.authn.RemoteUserInternal
+RUN /opt/shibboleth-idp/bin/jwtgen.sh -t RSA -s 2048 -u sig -i defaultRSASign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-rs.jwk
+RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t EC -c P-256 -u sig -i defaultECSign | tail -n +2 > /opt/shibboleth-idp/credentials/idp-signing-es.jwk
+RUN /opt/shibboleth-idp/bin/jwtgen.sh	-t RSA -s 2048 -u enc -i defaultRSAEnc | tail -n +2 > /opt/shibboleth-idp/credentials/idp-encryption-rsa.jwk
 
 # copy in the needed config files
 ADD ${TOMCFG} /usr/local/tomcat/conf
 ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
 ADD ${SHBCFG} /opt/shibboleth-idp/conf
-ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
 #ADD ${SHBVIEWS} /opt/shibboleth-idp/views
-#ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
+ADD ${OIDCREG} /opt/shibboleth-idp/static
+ADD ${TOMREWRITE} /usr/local/tomcat/conf/Catalina/localhost/rewrite.config
 
 EXPOSE 8080
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/access-control.xml
@@ -28,20 +28,18 @@
 
     <util:map id="shibboleth.AccessControlPolicies">
 
-        <entry key="AccessByIPAddress">
-            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
-                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
-        </entry>
-
-        <!--
         <entry key="AccessByAdminUser">
             <bean parent="shibboleth.PredicateAccessControl">
                 <constructor-arg>
-                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'banderson'}" />
                 </constructor-arg>
             </bean>
         </entry>
-        -->
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12'} }" />
+        </entry>
 
         <!--
         <entry key="AccessByAttribute">

diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/credentials.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
+
+    This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
+    configuration. You don't normally need to touch this, unless you have advanced requirements such as
+    supporting multiple sets of keys for different relying parties, in which case you may want to define
+    all your credentials here for convenience.
+    -->
+
+    <!--
+    The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
+    for example for specific relying parties or different key types, make sure to include them within this list.
+    -->
+    <util:list id="shibboleth.SigningCredentials">
+        <ref bean="shibboleth.DefaultSigningCredential" />
+    </util:list>
+
+    <!-- Your IdP's default signing key, set via property file. -->
+    <bean id="shibboleth.DefaultSigningCredential"
+        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+        p:privateKeyResource="%{idp.signing.key}"
+        p:certificateResource="%{idp.signing.cert}"
+        p:entityId-ref="entityID" />
+
+    <!-- Your IdP's default client TLS credential, by default the same as the default signing credential. -->
+    <alias alias="shibboleth.DefaultClientTLSCredential" name="shibboleth.DefaultSigningCredential" />
+
+    <!--
+    The list of ALL of your IdP's encryption credentials. By default this is just an alias
+    for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
+    a list with additional credentials if needed.
+    -->
+    <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
+
+    <!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
+    <util:list id="shibboleth.DefaultEncryptionCredentials">
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key}"
+            p:certificateResource="%{idp.encryption.cert}"
+            p:entityId-ref="entityID" />
+
+        <!--
+        For key rollover, uncomment and point to your original keypair, and use the one above
+        to point to your new keypair. Once metadata has propagated, comment this one out again.
+        -->
+        <!--
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key.2}"
+            p:certificateResource="%{idp.encryption.cert.2}"
+            p:entityId-ref="entityID" />
+        -->
+    </util:list>
+
+  <!-- OIDC extension default credential definitions -->
+  <import resource="oidc-credentials.xml" />
+
+</beans>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml b/testbed/integration/shibboleth-idp/config/shib-idp/conf/global.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Use this file to define any custom beans needed globally. -->
+
+    <!-- Postgres configuration -->
+    <bean id="shibboleth.JPAStorageService"
+        class="org.opensaml.storage.impl.JPAStorageService"
+        p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}"
+        c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" />
+
+    <bean id="shibboleth.JPAStorageService.EntityManagerFactory"
+        class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+        <property name="persistenceUnitName" value="storageservice" />
+        <property name="packagesToScan" value="org.opensaml.storage.impl" />
+        <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
+        <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
+        <property name="jpaDialect">
+            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
+        </property>
+    </bean>
+
+    <bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
+        class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
+        <property name="database" value="POSTGRESQL" />
+    </bean> 
+    <bean id="shibboleth.JPAStorageService.DataSource"
+        class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
+        p:driverClassName="org.postgresql.Driver"
+        p:jdbcUrl="jdbc:postgresql://database:5432/oidc_dynreg"
+        p:username="shibui"
+        p:password="shibui" />
+
+    <!--
+    Algorithm include/exclude sets that override or merge with library defaults. Normally you can leave these
+    empty or commented and use the system defaults, but you can override those defaults using these beans.
+    Each <value> element is an algorithm URI; you can also use <util:constant> elements in place of literal values.
+    -->
+
+    <!--
+    <util:set id="shibboleth.IncludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedSignatureAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.IncludedEncryptionAlgorithms">
+    </util:set>
+
+    <util:set id="shibboleth.ExcludedEncryptionAlgorithms">
+    </util:set>
+    -->
+
+    <!--
+    If you need to define and inject custom Java object(s) into the various views used throughout the
+    system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
+    type required. It will appear in the view scope as a variable named "custom".
+    
+    The example below defines the bean as a map, which allows you to inject multiple objects under
+    named keys to expand the feature to support multiple injected objects.
+    -->
+
+    <!--
+    <util:map id="shibboleth.CustomViewContext">
+        <entry key="foo" value="bar"/>
+    </util:map>
+    -->
+
+</beans>
diff --git a/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties b/testbed/integration/shibboleth-idp/config/shib-idp/conf/idp.properties
@@ -1,5 +1,5 @@
 # Load any additional property resources from a comma-delimited list
-idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties
+idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties, /credentials/secrets.properties, /conf/oidc.properties
 
 # In most cases (and unless noted in the surrounding comments) the
 # commented settings in the distributed files document default behavior.
@@ -224,3 +224,5 @@ idp.ui.fallbackLanguages=en,fr,de
 
 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
+
+#idp.loglevel.idp=DEBUG