init setup

Former-commit-id: 5181702e57e39598f5f75839d9d262045b220e30

testbed/smoke-test/cheat.html

@@ -0,0 +1,110 @@
+<html>
+<body>
+<h2>Reload Service</h2>
+<form action="https://idp.unicon.local/idp/profile/admin/reload-service" target="_blank" method="get">
+    <label for="id">id</label>
+    <select name="id" id="id">
+        <option value="shibboleth.LoggingService">LoggingService</option>
+        <option value="shibboleth.AttributeFilterService">AttributeFilterService</option>
+        <option value="shibboleth.AttributeResolverService">AttributeResolverService</option>
+        <option value="shibboleth.AttributeRegistryService">AttributeRegistryService</option>
+        <option value="shibboleth.NameIdentifierGenerationService">NameIdentifierGenerationService</option>
+        <option value="shibboleth.RelyingPartyResolverService">RelyingPartyResolverService</option>
+        <option value="shibboleth.MetadataResolverService">MetadataResolverService</option>
+        <option value="shibboleth.ReloadableAccessControlService">ReloadableAccessControlService</option>
+        <option value="shibboleth.ReloadableCASServiceRegistry">ReloadableCASServiceRegistry</option>
+    </select>
+    <input type="submit" />
+</form>
+<h2>Attribute Resolution</h2>
+<form action="https://idp.unicon.local/idp/profile/admin/resolvertest" target="_blank" method="get">
+    <table>
+        <tr>
+            <td>
+                <label for="requester">Requester</label>
+            </td>
+            <td>
+    <input name="requester" id="requester" type="text" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+    <label for="principal">Principal</label>
+            </td>
+            <td>
+    <input name="principal" id="principal" type="text" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="acsIndex">acs index</label>
+            </td>
+            <td>
+                <input name="acsIndex" id="acsIndex" type="number" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="saml1">SAML1</label>
+            </td>
+            <td>
+                <input name="saml1" id="saml1" type="checkbox" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="saml2">SAML2</label>
+            </td>
+            <td>
+                <input name="saml2" id="saml2" type="checkbox" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+
+</form>
+<form action="https://idp.unicon.local/idp/profile/admin/mdquery" target="_blank" method="get">
+    <h2>Metadata Query</h2>
+    <table>
+        <tr>
+            <td>
+                <label for="entityID">Entity ID</label>
+            </td>
+            <td>
+                <input name="entityID" id="entityID" type="text" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+</form>
+<form action="https://idp.unicon.local/idp/profile/admin/reload-metadata" target="_blank" method="get">
+    <h2>Reload Metadata</h2>
+    <table>
+        <tr>
+            <td>
+                <label for="id">provider id</label>
+            </td>
+            <td>
+                <input name="id" id="provider" type="text" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+</form>
+<form action="https://idp.unicon.local/idp/profile/SAML2/Unsolicited/SSO" target="_blank" method="get">
+    <h2>Unsolicited SSO</h2>
+    <table>
+        <tr>
+            <td>
+                <label for="providerId">provider id</label>
+            </td>
+            <td>
+                <input name="providerId" type="text" />
+            </td>
+        </tr>
+    </table>
+    <input type="submit" />
+</form>
+<a href="https://idp.unicon.local/idp/profile/admin/metrics" target="_blank">metrics</a>
+</body>
+</html>

testbed/smoke-test/docker-compose.yml

@@ -0,0 +1,105 @@
+version: "3.8"
+
+services:
+  reverse-proxy:
+    image: library/traefik:v2.5.2
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web-secure.address=:443"
+      - "--providers.file.directory=/configuration/"
+      - "--providers.file.watch=true"
+      # - "--log.level=DEBUG"
+    networks:
+      reverse-proxy:
+        aliases:
+          - idp.unicon.local
+    ports:
+      - "80:80"
+      - "8080:8080"
+      - "443:443"
+      - "8443:8443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ../reverse-proxy/:/configuration/
+      - ../reverse-proxy/certs/:/certs/
+  directory:
+    build: ../directory
+    networks:
+      - idp
+    volumes:
+      - directory_data:/var/lib/ldap
+      - directory_config:/etc/ldap/slapd.d
+      - ../directory/certs:/container/service/slapd/assets/certs
+    environment:
+      LDAP_BASE_DN: "dc=unicon,dc=local"
+      LDAP_DOMAIN: "unicon.local"
+      HOSTNAME: "directory"
+      LDAP_TLS_VERIFY_CLIENT: "try"
+  idp:
+    build: ../integration/shibboleth-idp
+    labels:
+      - "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)"
+      - "traefik.http.services.idp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.idp.tls=true"
+      - "traefik.docker.network=integration_reverse-proxy"
+      - "traefik.enable=true"
+    depends_on:
+      - directory
+      - reverse-proxy
+    networks:
+      - reverse-proxy
+      - idp
+    volumes:
+      - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
+      - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
+      - dynamic_config:/opt/shibboleth-idp/conf/dynamic
+      - ../integration/shibboleth-idp/metadata/dynamic:/opt/shibboleth-idp/metadata/dynamic
+      - ../authentication/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml
+    healthcheck:
+      disable: true
+  shib-idp-ui:
+    image: unicon/shibui:latest
+    labels:
+      - "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)"
+      - "traefik.http.services.shibui.loadbalancer.server.port=8080"
+      - "traefik.http.routers.shibui.tls=true"
+      - "traefik.docker.network=integration_reverse-proxy"
+      - "traefik.enable=true"
+    networks:
+      - reverse-proxy
+      - backend
+    volumes:
+      - ../authentication/shibui:/conf
+      - ./shibui/application.yml:/application.yml
+      - dynamic_metadata:/var/shibboleth/dynamic_metadata
+      - dynamic_config:/var/shibboleth/dynamic_config
+      - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem
+    environment:
+      - "IDP_HOME=/opt/shibboleth-idp"
+  database:
+    image: postgres:14-alpine
+    environment:
+      POSTGRES_PASSWORD: shibui
+      POSTGRES_USER: shibui
+      POSTGRES_DB: shibui
+    networks:
+      - backend
+    volumes:
+      - database_data:/var/lib/postgresql/data
+networks:
+  reverse-proxy:
+  idp:
+  backend:
+volumes:
+  directory_data:
+    driver: local
+  directory_config:
+    driver: local
+  dynamic_metadata:
+    driver: local
+  dynamic_config:
+    driver: local
+  database_data:
+    driver: local

testbed/smoke-test/shibui/application.yml

@@ -0,0 +1,40 @@
+server:
+  forward-headers-strategy: NATIVE
+spring:
+  profiles:
+    include:
+  datasource:
+    platform: postgres
+    driver-class-name: org.postgresql.Driver
+    url: jdbc:postgresql://database:5432/shibui
+    username: shibui
+    password: shibui
+  jpa:
+    properties:
+      hibernate:
+        dialect: org.hibernate.dialect.PostgreSQLDialect
+shibui:
+  default-password: "{noop}letmein7"
+  metadata-dir: /var/shibboleth/dynamic_metadata
+  metadataProviders:
+    target: file:/var/shibboleth/dynamic_config/metadata-providers.xml
+  user-bootstrap-resource: file:/conf/users.csv
+  roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
+  pac4j-enabled: true
+  pac4j:
+    keystorePath: "/conf/samlKeystore.jks"
+    keystorePassword: "changeit"
+    privateKeyPassword: "changeit"
+    serviceProviderEntityId: "https://unicon.net/test/shibui"
+    serviceProviderMetadataPath: "/conf/sp-metadata.xml"
+    identityProviderMetadataPath: "/conf/idp-metadata.xml"
+    forceServiceProviderMetadataGeneration: true
+    callbackUrl: "https://shibui.unicon.local/callback"
+    maximumAuthenticationLifetime: 3600000
+    simpleProfileMapping:
+      username: urn:oid:0.9.2342.19200300.100.1.1
+      firstName: urn:oid:2.5.4.42
+      lastName: urn:oid:2.5.4.4
+      email: urn:oid:0.9.2342.19200300.100.1.3
+      groups: urn:oid:2.5.4.15  # businessCategory
+      roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7  # eduPersonEntitlement