Wordpress shibb changes

Workbench/configs-and-secrets/wordpress/httpd/shib.conf

@@ -22,7 +22,7 @@ ShibCompatValidUser Off
 #
 # Ensures handler will be accessible.
 #
-<Location /wordpresssSSO/Shibboleth.sso>
+<Location /wordpressSSO/Shibboleth.sso>
   AuthType None
   Require all granted
   SetHandler shib

Workbench/configs-and-secrets/wordpress/shibboleth/shibboleth2.xml

@@ -25,8 +25,8 @@
         "false", this makes an assertion stolen in transit easier for attackers to misuse.
         -->
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" handlerURL="/wordpressSSO/Shibboleth.sso"
-                  checkAddress="false" handlerSSL="true" cookieProps="https"
-                  redirectLimit="exact">
+                  checkAddress="false"  handlerSSL="true" cookieProps="https"
+                  redirectLimit="none">
 
             <!--
             Configures SSO for a default IdP. To properly allow for >1 IdP, remove

Workbench/docker-compose.yml

@@ -300,6 +300,7 @@ services:
     command: bash -c 'if [ ! -s /var/www/html/wp-config.php ];  then while ! nc -z  wordpress_data 3306 ; do echo waiting for mysql on wordpress_data to start; sleep 3; done; /root/wp core download --allow-root && sleep 10 && /root/wp config create --dbname=wordpress --dbuser=wordpress --dbpass=54y6RxN7GfC7aes3 --dbhost=wordpress_data --allow-root; sleep 3 && /root/wp core install --url="http://localhost/" --title="wordpress" --admin_user="admin" --admin_password="54y6RxN7GfC7aes3" --admin_email="sentrifugo.container@gmail.com" --allow-root && /root/wp --allow-root rewrite structure "/%postname%" --hard --debug; /root/wp  rewrite flush --hard --debug --allow-root && sed -i "s/<\/IfModule>/RewriteCond \%{HTTP:Authorization} \^\(\.\*\)\nRewriteRule \^\(\.\*\) - [E=HTTP_AUTHORIZATION:\%1]\n<\/IfModule>\nSetEnvIf Authorization "\(\.\*\)" HTTP_AUTHORIZATION=\$$1/" /var/www/html/.htaccess && /root/sed.sh && /root/wp plugin install jwt-authentication-for-wp-rest-api  --activate --allow-root && /root/wp plugin install wp-rest-api-log --activate --allow-root && /root/wp plugin install shibboleth --activate --allow-root; fi; /usr/local/bin/startup.sh;'
     ports:
       - "80:80"
+      - "12443:443"
     healthcheck:
       test: curl -s wordpress_server:80
       interval: 30s
@@ -318,6 +319,10 @@ services:
       - type: bind
         source: ./configs-and-secrets/wordpress/shibboleth/sp-cert.pem
         target: /etc/shibboleth/sp-cert.pem
+      - type: bind
+        source: ./configs-and-secrets/wordpress/httpd/shib.conf
+        target: /etc/httpd/conf.d/shib.conf
+
     secrets:
       - source: w_sp-key.pem
         target: shib_sp-key.pem

Workbench/idp/container_files/system/setservername.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml"
 
 for file in $files
   do

Workbench/idp/shibboleth-idp/conf/metadata-providers.xml

@@ -28,6 +28,7 @@
     <MetadataProvider id="GrouperSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/grouper-sp.xml"/>
     <MetadataProvider id="MidpointSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/>
     <MetadataProvider id="ComanageSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/comanage-sp.xml"/>
+    <MetadataProvider id="WordpressSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
     <MetadataProvider id="ProxySP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
 
     <!-- Example HTTP metadata provider.  Use this if you want to download

Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml

@@ -0,0 +1,110 @@
+<!--
+This is example metadata only. Do *NOT* supply it as is without review,
+and do *NOT* provide it in real time to your partners.
+ -->
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_9d0ae95ee88f2396b39d245b74751e04b8508425" entityID="https://wordpressdemo/shibboleth">
+
+  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
+    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+  </md:Extensions>
+
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:Extensions>
+      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Login"/>
+    </md:Extensions>
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>1f84026f1f87</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=1f84026f1f87</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAKlkm2CJBUzxMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDFmODQwMjZmMWY4NzAeFw0yMDA0MjExOTAwMzlaFw0zMDA0MTkxOTAwMzla
+MBcxFTATBgNVBAMTDDFmODQwMjZmMWY4NzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAPHOVkU6Zu4Q0Mpx1/YpGa+iDG3e8boT5D4ptJldP80cmh13MoA3
+AyeQac86EC8dO1Z8XFmnwsSwT246kBVfLgr6gQgMy7Ql4zLpnFzhKFBPgHBCT/5e
+or9qdn/b/ZPBC2sAeRecS7gFox66/s3+/FJ/XNHErrEDZi3XnDIz6UpOPFWR5WE1
+IUWMnEY27GFX4dAqIaXGBELwvPKsyZYpJLGjovi0beFVlN6B39dDmZn5yUD00ekX
+WSnYPSIYgXo5M1iM7tn5jRoaRo/KGbCK0q4/F3cCbzMSgfwkMAJ5GY0yhPUUXQGQ
+5ieLPawBV5QCiNNF4+SJIdGuASTYiZr7o51bmcMTqjAxTqPRL34cd+Cddndf+sGU
+24zPHfmjB79C0Xn+QgKmvkhujoi+n/pCgEtF1M75IsGY1djipqplOiph9vjQsD2x
+HGe5Vi1RDPqCIMgbxARJh3NodbgLeM92SiJur6VDpOVgdVOich1JYBsL5O3Vlb5v
+xKA6Sol8TneRywIDAQABozowODAXBgNVHREEEDAOggwxZjg0MDI2ZjFmODcwHQYD
+VR0OBBYEFOxhICWI1bbhgXsMW4DNuNHLB4g4MA0GCSqGSIb3DQEBCwUAA4IBgQBU
+0gKlnY0GzzFuYyWoF+tbLPKT9i3InG320A4H9V+VJ3ZgnXy+3kG2rIg09j04mgWF
+YSrWb7BUwYk8WMLD5fbhQ99vpFpKiJnhWvISc3wstgo18k9xr09n4lVU2aYDwgoD
+GTVj59KPu+KlwULvIMnvFbWZm3z2JqGzBMFv8zkID3YCGzyz1Ej7W05A12qcga+o
+Pu5/PLuVY2iRRI2cYpbxG5+kYejNXqiNHph5ROmEEpfnMFHyfMZrpH+BUxVfSTkJ
+K62rduZQabp4qKhIibyXw5fuANIXoGxsSC2IbBKl1jJ23j4aY1OUOqW7YBYkk94Q
+hp77m7JILWdulKtE314/Iy+/5V0k05FsVnWdeRLFW08NK5klt7+x6zG5gTFczN4I
+X+znZJ9LQKrr5VRwEx8aGBbpJ1OVXc5U5ARdtSMz/Nl+yRgZJD3kxID/1sjFRwmq
+OGk1Wid/0g2ZjXSiVMjTi8WrUzw9OyyCi4w9AkBPVNHRvBy1qVjZIlCzcso4gEQ=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:KeyName>1f84026f1f87</ds:KeyName>
+        <ds:X509Data>
+          <ds:X509SubjectName>CN=1f84026f1f87</ds:X509SubjectName>
+          <ds:X509Certificate>MIID6zCCAlOgAwIBAgIJAOqc+LvB4m+VMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDFmODQwMjZmMWY4NzAeFw0yMDA0MjExOTAwNDBaFw0zMDA0MTkxOTAwNDBa
+MBcxFTATBgNVBAMTDDFmODQwMjZmMWY4NzCCAaIwDQYJKoZIhvcNAQEBBQADggGP
+ADCCAYoCggGBAKcbX9lvwcBpG9qmza970xI4Vj537Aad7Fq7XNJfxRsXbPK+sRYV
+0TwRok2HhCPt2fKrzE03JZtqA7GemihvDDgWiW/KiSU8mFiFeGap0JkxoRnNQOLu
+y7AcZ9NrSh5jts+ko9SrJkVerNI7tF8njlmCR/19R1g/yp/ThLzr6PwfNg9zkFdo
+RXDtzYd1Qq4GPMaHqC8VMKwnaiv2s4KPU/sKN0sEea4XaaziCI6Cf2iZR/rHLNHe
+x9ST0VpuVODz/BOWmxsgTgeYrY3aGAwrB3lXlRkJL6KKabgC5cvrza1MfilzEart
+ngT0ckzCiLoRp10P3pVINqM7unyDdSwgElWvH3AcI3zJDblNyzL0eZp9F/pudNSN
+V4HVyqWPsGhRnDpLW/TS+Fnxv2DQqEe2Srxh61Un+8jZK7IWGeuCgPPuQrwzxq5c
+X98oyNqeys5X3yHkor42RbX4qYQzjfbvjDg4ewcNpNtu9RKfgUXAaMSS6dH5wdrZ
+fwo4Nuv0lCZB/QIDAQABozowODAXBgNVHREEEDAOggwxZjg0MDI2ZjFmODcwHQYD
+VR0OBBYEFCG6Hg40T0gRUyl4IQdW3pcoOIvTMA0GCSqGSIb3DQEBCwUAA4IBgQCM
+wJIMbAtcShEHhPOeZ72rGycR9Z7+yC72uSXyScgHME/kcLVqwzsHXvw37IkfbuvH
+D9Gz34OI4gg5QZtbarp4GpSycnoNJDT5IRNKkFrPyv3QWvyiTBtFguSAr6xOO8Py
+tBWetorrCcpqvnmiEDHIfs6g8vFq1HUDS1etDkrOk/e5RyHW7Yys3CBfRtLoRX/c
+iiEcuQg/HPqlCTFlHFbaSFMjklomSfSYFytdFkqGNNgZobUCAaj3L2Zw3FEBVn0o
+G0CcW9X3s+L+C3CAyofZBY0Nto2AOrAyaRW0wbGkcI3hI744f9rHArUyonTIe0hG
+SS1pwkfzFbpWZmiBMnoA7CB1ma/xVF+ln/gEn1LS7yKIdHO84/etJ3Ve8yjZKSBD
+e1TRefMMT5McNwoKEZdD0OhD8CBk95Pkhcl2limOzy6R7ekBlak2PclSLXyD6Hda
+m1lmTwWWHX/Jt8iVZsV85PlLIbZC0PJaJk90yMtMTBVxyLTU+iNcdhD9qnjwVb8=
+</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
+      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+    </md:KeyDescriptor>
+    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/Artifact/SOAP" index="1"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/SOAP"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/Redirect"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/POST"/>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SLO/Artifact"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/POST" index="1"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/Artifact" index="3"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://__CSPHOSTNAME__/wordpressSSO/Shibboleth.sso/SAML2/ECP" index="4"/>
+  </md:SPSSODescriptor>
+
+</md:EntityDescriptor>

Workbench/ssh-tunnel-redir-fix.sh

@@ -9,6 +9,7 @@ declare -a fileList=(
 "idp/shibboleth-idp/metadata/grouper-sp.xml"
 "idp/shibboleth-idp/metadata/midpoint-sp.xml"
 "idp/shibboleth-idp/metadata/midpoint-sp-new.xml"
+"idp/shibboleth-idp/metadata/wordpress-sp.xml"
 )
 
 if [ $# -eq 0 ]

Workbench/wordpress_server/Dockerfile

@@ -19,37 +19,19 @@ RUN yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm \
     && yum-config-manager --enable remi-php72 \
     && yum install -y php php-gd mariadb wget php-mysql postfix nc
 RUN echo 'date.timezone="UTC"' >> /etc/php.ini
-#RUN echo 'nameserver 127.0.0.11' > /etc/resolv.conf
-#RUN /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-encrypt -f \
-#     && /etc/shibboleth/keygen.sh -o /etc/shibboleth/ -y 10 -n sp-signing -f
-
-#RUN cd /root \
-#    && wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
-#    && chmod +x wp-cli.phar
 
 RUN cat /etc/resolv.conf
 WORKDIR /var/www/html
-#RUN /root/wp-cli.phar core download 
-#    && sleep 3 \
-#    && cat /etc/resolv.conf \
-#    && cat /etc/hosts \
-#    && /root/wp-cli.phar  config create --dbname=wordpress --dbuser=wordpress --dbpass=54y6RxN7GfC7aes3 --dbhost=wordpress_data2 \
-#    && sleep 15 \
-#    && /root/wp-cli.phar core install --url="http://localhost/" --title="wordpress" --admin_user="admin" --admin_password="54y6RxN7GfC7aes3" --admin_email="sentrifugo.container@gmail.com" --allow-root \
-#    && /root/wp-cli.phar  plugin install jwt-authentication-for-wp-rest-api  --activate --allow-root \
-#    && /root/wp-cli.phar  plugin install shibboleth --activate --allow-root \
-#    && /root/wp-cli.phar  plugin install wp-rest-api-log --activate --allow-root
-
-#RUN sed -i "s/<\/IfModule>/RewriteCond \%{HTTP:Authorization} \^\(\.\*\)\nRewriteRule \^\(\.\*\) - [E=HTTP_AUTHORIZATION:\%1]\n<\/IfModule>\nSetEnvIf Authorization "\(\.\*\)" HTTP_AUTHORIZATION=\$$1/" /var/www/html/.htaccess \
-#    && sed -i "s/define( 'DB_COLLATE', '' );/define( 'DB_COLLATE', '' );\ndefine('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\ndefine('JWT_AUTH_CORS_ENABLE', true);\n/" /var/www/html/wp-config.php \
-#    && sed -i "s/RewriteBase \//RewriteBase \/\nRewriteRule \^wp-json\/\(\.\*\) \/?rest_route=\/\$1 \[L\]\n/" /var/www/html/.htaccess 
 
 RUN ln -sf /run/secrets/shib_sp-key.pem /etc/shibboleth/sp-key.pem
 RUN chown -R apache:apache /var/www/html
 COPY container_files/system/setservername.sh /usr/local/bin/
-RUN chmod 755 /usr/local/bin/setservername.sh && rm -f /etc/httpd/conf.d/ssl.conf
+RUN chmod 755 /usr/local/bin/setservername.sh #&& rm -f /etc/httpd/conf.d/ssl.conf
 
 #set hostname
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
 RUN /usr/local/bin/setservername.sh