auth and integration testbeds combined

Former-commit-id: 09cf8130a77974ecff8968d079945b9cb8d4017b

testbed/smoke-test/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - "--entrypoints.web-secure.address=:443"
       - "--providers.file.directory=/configuration/"
       - "--providers.file.watch=true"
-      # - "--log.level=DEBUG"
+      #- "--log.level=DEBUG"
     networks:
       reverse-proxy:
         aliases:
@@ -43,7 +43,7 @@ services:
       - "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)"
       - "traefik.http.services.idp.loadbalancer.server.port=8080"
       - "traefik.http.routers.idp.tls=true"
-      - "traefik.docker.network=integration_reverse-proxy"
+      - "traefik.docker.network=smoke-test_reverse-proxy"
       - "traefik.enable=true"
     depends_on:
       - directory
@@ -52,11 +52,14 @@ services:
       - reverse-proxy
       - idp
     volumes:
-      - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
       - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
       - dynamic_config:/opt/shibboleth-idp/conf/dynamic
-      - ../integration/shibboleth-idp/metadata/dynamic:/opt/shibboleth-idp/metadata/dynamic
+      - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
       - ../authentication/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml
+      - ./shibboleth-idp/conf/metadata-providers.xml:/opt/shibboleth-idp/conf/metadata-providers.xml
+      - ./shibboleth-idp/conf/access-control.xml:/opt/shibboleth-idp/conf/access-control.xml
+      - ./shibboleth-idp/metadata/test-provider-config.xml:/opt/shibboleth-idp/metadata/test-provider-config.xml
+      - ../integration/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml:/opt/shibboleth-idp/metadata/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml
     healthcheck:
       disable: true
   shib-idp-ui:
@@ -65,16 +68,16 @@ services:
       - "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)"
       - "traefik.http.services.shibui.loadbalancer.server.port=8080"
       - "traefik.http.routers.shibui.tls=true"
-      - "traefik.docker.network=integration_reverse-proxy"
+      - "traefik.docker.network=smoke-test_reverse-proxy"
       - "traefik.enable=true"
     networks:
       - reverse-proxy
       - backend
     volumes:
-      - ../authentication/shibui:/conf
-      - ./shibui/application.yml:/application.yml
       - dynamic_metadata:/var/shibboleth/dynamic_metadata
       - dynamic_config:/var/shibboleth/dynamic_config
+      - ../authentication/shibui:/conf
+      - ./shibui/application.yml:/application.yml
       - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem
     environment:
       - "IDP_HOME=/opt/shibboleth-idp"

testbed/smoke-test/shibboleth-idp/conf/access-control.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                  p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.16.0.0/12', '192.168.0.0/12'} }" />
+        </entry>
+
+        <!--
+        <entry key="AccessByAdminUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+    </util:map>
+
+</beans>

testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml

@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:ds11="http://www.w3.org/2009/xmldsig11#"
+    xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
+    xmlns:enc11="http://www.w3.org/2009/xmlenc11#"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd
+                        urn:oasis:names:tc:SAML:metadata:algsupport http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport-v1.0.xsd
+                        http://www.w3.org/2000/09/xmldsig# http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
+                        http://www.w3.org/2009/xmldsig11# http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/xmldsig11-schema.xsd
+                        http://www.w3.org/2001/04/xmlenc# http://www.w3.org/TR/xmlenc-core/xenc-schema.xsd
+                        http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd">
+
+    <!--
+    Below you place the mechanisms which define how to load the metadata for SP(s) you will
+    provide service to.
+    
+    Some simple examples are provided. The documentation provides more details; in most cases,
+    the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
+    "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
+     
+    NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
+    -->
+
+
+
+    <!--
+    Example HTTP metadata provider.  Use this if you want to download the metadata
+    from a remote source.
+
+    You *MUST* provide the SignatureValidationFilter in order to function securely.
+    Get the public key certificate from the party publishing the metadata, and validate
+    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
+
+    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
+    that the IdP needs to interoperate with.
+    -->
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER"> 
+        
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    -->   
+
+    <!--
+    Example file metadata provider.  Use this if you want to load metadata
+    from a local file. You use this if you have some local SPs which are not
+    "federated" but you wish to offer a service to.
+    
+    If you do not provide a SignatureValidation filter, then you have the
+    responsibility to ensure that the contents on disk are trustworthy.
+    -->
+
+    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml"/>
+
+
+    <!--
+    Example CAS metadata source for managing CAS services using SAML metadata.
+    -->
+
+    <!--
+    <MetadataProvider id="CASMetadata"
+                      xsi:type="FilesystemMetadataProvider"
+                      metadataFile="PATH_TO_YOUR_METADATA"
+                      indexesRef="shibboleth.CASMetadataIndices" />
+    -->
+
+    <MetadataProvider id="local-dynamic" xsi:type="LocalDynamicMetadataProvider" sourceDirectory="%{idp.home}/metadata/dynamic" />
+
+     <!-- InCommon Per-Entity Metadata Distribution Service -->
+     <MetadataProvider id="incommon" xsi:type="DynamicHTTPMetadataProvider"
+                   maxCacheDuration="PT24H" minCacheDuration="PT10M">
+       <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
+       <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
+                   certificateFile="%{idp.home}/credentials/inc-md-cert-mdq.pem" />
+
+       <!-- Require a validUntil XML attribute no more than 14 days into the future -->
+       <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
+
+       <!-- The MetadataQueryProtocol element specifies the base URL for the query protocol -->
+       <MetadataQueryProtocol>https://mdq.incommon.org/</MetadataQueryProtocol>
+     </MetadataProvider>
+
+</MetadataProvider>

testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml

@@ -0,0 +1,38 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="test-provider-config">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
+    <md:KeyDescriptor>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>
+MIIECDCCAnCgAwIBAgIUXOD+38b0Cpaynm5Wrclnzigz9rcwDQYJKoZIhvcNAQEL
+BQAwHTEbMBkGA1UEAxMSdW5pY29uLXNwb3J0aC0yNjU4MB4XDTIyMDgwNTE3MDE1
+NloXDTMyMDgwMjE3MDE1NlowHTEbMBkGA1UEAxMSdW5pY29uLXNwb3J0aC0yNjU4
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAynP0dUXXr0yb4oAYT5OG
+/ik+24jor0W0Z/0T0g3C4IXqDMHMdHlfPSrp6rf+PDlS+0L+GCZQC2IpntmGNEdf
+miCs9UcssZ3aBHoch0R0Og4rxu74Vk488NVXHsX75RTom5B0atPGxdmHRNIPUPNp
+F4AqAMMV18y35+ElJj5UuPZe9QEgJVzGqdH0dGvaNFPZfB7HCD7lGJiO0Remhufn
+umwrRqfQETmefCD4Wrv60I4LgUrUSqlZTpD4TaR3o1N6uSKaJPy7iANqQXoEqc3p
+jbiM+Tkv6t+q6FbEIF3zKwODzHcycaVYzqOxzVMGWtyPADBm3P/8wvDZnHWEqAcy
+9cHY7THHq8s6bdR8aIO+T0uvIqXJAO0orGVJ4b1X2OBRRneUVtxFbzbAXWN+wwKW
+Xn8M1sP9hteV9CAkp4nbyPnfwWlZYaN48QytMZhu3oQywlcc/VuDEst04IeAt/1f
+YTWmSliJwAduFXpRtQjgB/ejfLUkJHugNJe2N23dNb8ZAgMBAAGjQDA+MB0GA1Ud
+EQQWMBSCEnVuaWNvbi1zcG9ydGgtMjY1ODAdBgNVHQ4EFgQUuAUQzGLs2Psbx5aw
+ec5sz66h4TIwDQYJKoZIhvcNAQELBQADggGBAEqDt2lXrAEJ80yWLYZKM2qdif5j
+DbFI4oGMJ+6Wicfjh9iSm6CG2pSdZllypNLd7KmUJbGFS5wmP7qPAiPLOiHn6hBC
+L5ke3y8bJsaEazOmZt0IgKv2w6naEAfvR5dKbEbXsipf/k+WHyk6uLFoz9iGxZ0g
+f8MA+nWa1tJcPcGVOReN3wNNeBaRZ5y0r6oWSpwYtoBJH+wp2EoLPYhOXFjUoAZ0
+d4b+G2x9FyHU4yfnN9sTLocl/BVDiVdazMQqSvZDSWbccRsD8sz4BaLnXkLOtulv
+0qOYuVTdCivgU0lBMhvXjiEpn0ZwU+UlSgtfEgaVP8pZVgHxKrMhoOxAe85dNHun
+RyYCrByqg4lyFGzRKSTAUlx0YittvEyYOEqbSsXExViSIl+elg4PtghsYAaUphm4
++FHJo8B1rNNQp4vqikGF2WOr3D2usIS9ZbiGvTC0M8TSG39jGCqgQZaclV2yshEC
+cXQllPfIyCtMzlaGVjpXPEqahwkug4ywml9yAw==
+          </ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.provider.config/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://test.provider.config/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://test.provider.config/Shibboleth.sso/SAML2/ECP" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://test.provider.config/Shibboleth.sso/SAML/POST" index="4"/>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>