Upgrading to simplesamlphp 2.0.3 (#7)
Co-authored-by: Cody Finegan <cody.finegan@totara.com>
codyfinegan and codyfinegan authored Apr 26, 2023
1 parent 6643170 commit 63e2aeb
Showing 20 changed files with 600 additions and 543 deletions.
19 changes: 5 additions & 14 deletions Dockerfile
@@ -1,7 +1,7 @@
FROM node:18-alpine as node_builder

# Define the SAML version installed
ARG SAML_VERSION=1.19.7
ARG SAML_VERSION=2.0.3
ARG SAML_TAR_URL=https://github.com/simplesamlphp/simplesamlphp/releases/download/v${SAML_VERSION}/simplesamlphp-${SAML_VERSION}.tar.gz
ARG SAML_TAR_NAME=simplesamlphp-${SAML_VERSION}.tar.gz

Expand All @@ -12,9 +12,6 @@ RUN mkdir /app && \
wget ${SAML_TAR_URL} && \
tar -xzf ${SAML_TAR_NAME} -C ./samlphp --strip-components=1 && \
cd samlphp && \
npm install && \
npm run build && \
rm -rf node_modules && \
rm -rf metadata


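Review bot: the release tarball fetched by `wget ${SAML_TAR_URL}` at the top of this hunk is extracted without any integrity check, so a build silently trusts whatever the URL serves at build time; pin the expected digest next to `SAML_VERSION` (e.g. `ARG SAML_SHA256=...`) and run `echo "${SAML_SHA256}  ${SAML_TAR_NAME}" | sha256sum -c -` before the `tar -xzf`. With `npm install` and `npm run build` gone, this stage no longer runs node at all; if the 2.0.3 release tarball ships prebuilt assets, say so in a comment, otherwise the `node:18-alpine` builder base can be swapped for a plain alpine image.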
Expand All @@ -31,27 +28,21 @@ ENV LISTEN_PORT 8089
EXPOSE 8089

# Update apache listen ports
RUN sed -ri -e 's!/var/www/html!/var/www/html/www/!g' /etc/apache2/sites-available/*.conf && \
sed -ri -e 's!/var/www/!/var/www/html/www/!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf && \
RUN sed -ri -e 's!/var/www/html!/var/www/html/public/!g' /etc/apache2/sites-available/*.conf && \
sed -ri -e 's!/var/www/!/var/www/html/public/!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf && \
sed -ri -e 's!Listen 80!Listen ${LISTEN_PORT}!g' /etc/apache2/ports.conf && \
sed -ri -e 's!:80>!:${LISTEN_PORT}>!g' /etc/apache2/sites-available/*.conf && \
sed -ri -e "s!usenewui!:usenewui2!g" /var/www/html/www/index.php # Hack to prevent auto-redirect to login page
sed -ri -e 's!:80>!:${LISTEN_PORT}>!g' /etc/apache2/sites-available/*.conf

# Generate the internal certificate
RUN cd /var/www/html/cert && \
openssl req -subj /C=NZ/ST=Wellington/L=Wellington/O=Totara/OU=Development/CN=server \
-newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem && \
chown www-data server.* && \
chown www-data /var/www/html/cache
chown www-data server.*

# Expose PHP errors to the CLI
RUN cp "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini" && \
echo "log_errors = On\nerror_log = /dev/stderr" > "$PHP_INI_DIR/conf.d/error.ini"

# Override the core module so we can alter the theme
#RUN #sed -ri -e 's!core:show_metadata.tpl.php!show_metadata.tpl.php!g' /var/www/html/modules/core/www/show_metadata.php && \
# sed -ri -e 's!core:frontpage_federation.tpl.php!frontpage_federation.tpl.php!g' /var/www/html/modules/core/www/frontpage_federation.php

RUN mkdir -p /var/www/metadata_storage && \
chown www-data /var/www/metadata_storage

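Review bot: the `openssl req ... -nodes` step in the middle of this hunk generates the IdP signing key at image build time, so every container started from a published image shares the same private key and the same ten-year certificate (`-days 3652`); that is tolerable for a test-only IdP but should be stated in the README, or the key should be generated in an entrypoint so each container gets its own. Separately, `chown www-data /var/www/html/cache` was dropped along with the `www` to `public` path change; confirm that the cache/temp directory the 2.0 config points at is still writable by www-data, since that chown used to be a required step here.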
38 changes: 25 additions & 13 deletions README.md
Expand Up @@ -3,14 +3,14 @@
This is a wrapper around SimpleSAMLphp which provides a test SAML Identity Provider to use in Totara instances. It is
for testing the SAML2 connections only and should not be used in any production site.

Currently embedded is SimpleSAMLphp version **1.19.7**.
We currently embed SimpleSAMLphp version **2.0.3**. If you'd like to test with the 1.19.7 line please checkout the latest `v1.x` tags.

## Configuration

| Variable | Description |
|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| `LISTEN_PORT` | The port used to access the service. Defaults to `8089`. |
| `SITE_TITLE` | Override the default site title, used when running multiple to tell them apart. |
| Variable | Description |
|---------------|---------------------------------------------------------------------------------|
| `LISTEN_PORT` | The port used to access the service. Defaults to `8089`. |
| `SITE_TITLE` | Override the default site title, used when running multiple to tell them apart. |

## Getting Started

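Review bot: the `SITE_TITLE` row in this table does not match config/config.php in this same commit, which reads `getenv('SITE_HEADER')` to set the title; one of the two names is wrong, and as documented the variable has no effect. Also, `checkout` in the new version sentence should be `check out`.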
Expand All @@ -24,13 +24,13 @@ docker run --rm -p 8089:8089 -e LISTEN_PORT=8089 -it totara/simple-saml-test:lat

Once started, you can access the service via `http://localhost:{LISTEN_PORT}` (defaults to 8089).

Open the site, and then navigate to Federation -> Manage Metadata (you'll neeed to sign in with the admin account).
Open the site, login as admin, and then navigate to Manage Service Providers.
Add any SP instances on the page there, the URL must be the full URL to your metadata (it does not fully validate).

Eg: http://{YOUR_SP_INSTANCE}/path/to/metadata.php
Eg: `http://{YOUR_SP_INSTANCE}/path/to/metadata.php`

If your domain isn't publicly resolvable (such as it's a test environment) you will need to teach the
Domain/IP to this docker image.
We currently do not support raw XML dumps, the SAML image must be able to download the metadata file from your Service Provider directly.
You can teach docker the IP address of your service if it isn't resolvable.

```shell
# Instance is running directly on the host machine
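Review bot: "it does not fully validate" in the Add-SP sentence is too vague to act on; say what the Manage Service Providers page does check (a reachable URL returning SAML metadata XML, presumably) so a user knows why a wrong path fails silently. It is also worth stating that the metadata URL is fetched server-side from inside the container, which is why host resolution has to be taught to docker rather than to the browser.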
Expand Down Expand Up @@ -67,16 +67,18 @@ Make sure you add `saml2` to your local hosts file, so it resolves in your brows

Start the docker service using `t up saml2`.

Try and access http://saml2:8089 and confirm you see the test environment.
Try and access `http://saml2:8089` and confirm you see the test environment.

*Important*: The URL that Totara and the URL that you access the site on via your browser must be the same.

The path to the metadata file depends on what SAML plugin you are using which is why it's not specified here.

## Custom Users
By default there's a hard-coded list of users and attributes. However you can provide your own PHP file via volumes and replace the user list with your own.

By default, there's a hard-coded list of users and attributes. However, you can provide your own PHP file via volumes and replace the user list with your own.

Create a new file called `custom_auth_sources.php` with the following structure:

```php
<?php
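Review bot: the *Important* line asserts that the URL Totara uses and the URL opened in the browser must be the same but does not say why; add the reason (the IdP session cookie is scoped to the host it was set on, and config/config.php builds its `$trusted` list from a single env value via `$trusted = $env ? [$env] : null`), otherwise readers will treat the rule as superstition. "Try and access" should read "Try to access".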
Expand All @@ -99,10 +101,20 @@ In the example above, the `my_user` user is known as `my_username` or `my_uid` t
Once created, include it as a volume, such as:
`docker run ... -v /path/to/custom_auth_sources.php:/var/www/custom_auth_sources.php ... -it totara/simple-saml-test:latest`


## Developing This Image

* Fork this repo, create a new branch and make the change.
* Test using the built-in docker image with docker-compose, you can run `docker-compose up --build dev` to run the dev version with the config/metadata/modules folders volumed in (real time changes).
* Test using the built-in docker image with docker-compose, you can run `docker-compose up --build dev` to run the dev version with the config/metadata/modules folders volumed in (
real time changes).
* Once everything is all good, test with the prod version `docker-compose up --build prod`.
* If it is all good, submit a pull request for the change.

## Updating SimpleSAMLphp library

* Fork this repo, create a new branch
* Edit the Dockerfile and change the `SAML_VERSION` build argument to the new version you want to include
* Check any upgrade notes about things that must change, specifically look for changes that impact modules, hooks or the idp-hosted or idp-remote files.
* Test using the built-in docker image with docker-compose, you can run `docker-compose up --build dev` to run the dev version with the config/metadata/modules folders volumed in (
real time changes).
* Once everything is all good, test with the prod version `docker-compose up --build prod`.
* If it is all good, submit a pull request for the change.
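Review bot: the bullets from "Test using the built-in docker image" onward in the new "Updating SimpleSAMLphp library" section are copied verbatim from "Developing This Image" just above; replace them with a pointer to that section. The procedure also misses two steps that this very commit needed: bumping the version sentence at the top of the README (`We currently embed SimpleSAMLphp version **2.0.3**`) and updating the path-dependent `sed` lines in the Dockerfile (`www` became `public` in 2.0), so add both, and suggest verifying the new tarball's checksum while at it. The dangling `(` followed by `real time changes).` on the next line appears in both sections and should be joined into one line.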
121 changes: 34 additions & 87 deletions config/config.php
Expand Up @@ -8,6 +8,8 @@
$trusted = $env ? [$env] : null;
$title = getenv('SITE_HEADER') ?: 'SimpleSAML Test';

$httpUtils = new \SimpleSAML\Utils\HTTP();

$config = [

/*******************************
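Review bot: `$httpUtils = new \SimpleSAML\Utils\HTTP();` added in this hunk is only referenced from commented-out lines later in this file (the two `canSetSameSiteNone()` samesite lines); either drop it or actually use it, otherwise it is dead code at the top of the config.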
Expand Down Expand Up @@ -77,7 +79,7 @@
* also as the technical contact in generated metadata.
*/
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'team.platform@totaralearning.com',
'technicalcontact_email' => 'team.platform@totara.com',

/*
* (Optional) The method by which email is delivered. Defaults to mail which utilizes the
Expand Down Expand Up @@ -145,10 +147,8 @@
'auth.adminpassword' => '$2y$10$7.IbMHXHJIiqSlCFcBRF4.Paayv83i3.QVZpK6aSuzIO7pq3fUFqS',

/*
* Set this options to true if you want to require administrator password to access the web interface
* or the metadata pages, respectively.
* Set this option to true if you want to require administrator password to access the metadata.
*/
'admin.protectindexpage' => false,
'admin.protectmetadata' => false,

/*
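Review bot: the bcrypt hash in `'auth.adminpassword'` is committed in plain sight and is identical for every deployment of the image, and with `'admin.protectmetadata' => false` anything that can reach the listen port can read the IdP metadata and, with that password, add arbitrary Service Providers; acceptable for a test-only IdP, but the README should say so, and this is the natural place to allow an override, e.g. reading an environment variable the same way `SITE_HEADER` is read at the top of the file and hashing it with `password_hash()` at load time. Dropping `admin.protectindexpage` matches the 2.0 upgrade, which no longer has that option.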
Expand Down Expand Up @@ -467,19 +467,8 @@
* Note that shib13-idp has been deprecated and will be removed in SimpleSAMLphp 2.0.
*/
'enable.saml20-idp' => true,
'enable.shib13-idp' => false,
'enable.adfs-idp' => false,

/*
* Whether SimpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
* responses.
*
* The default is to sign the assertion element, but that can be overridden by setting this
* option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the
* same name to the metadata of the SP.
*/
'shib13.signresponse' => true,



/***********
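Review bot: the comment just above `'enable.saml20-idp'` still says "shib13-idp has been deprecated and will be removed in SimpleSAMLphp 2.0", but this commit is the 2.0 upgrade and the hunk itself deletes `enable.shib13-idp` and `shib13.signresponse`; drop the sentence so the comment does not describe an option that no longer exists.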
Expand All @@ -499,11 +488,13 @@
*
*/

'module.enable' => [
'exampleauth' => true,
'core' => true,
'saml' => true
],
'module.enable' => [
'exampleauth' => true,
'core' => true,
'admin' => true,
'saml' => true,
'totara' => true,
],


/*************************
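Review bot: `'totara' => true` enables a custom module that is not part of the upstream release, and nothing in the Dockerfile hunks on this page copies a `modules/totara` directory into the image; confirm it is included in the prod build, since the README only mentions the modules folder being volumed in for the dev compose service. Enabling `admin` is required for the 2.0 admin UI that the README now directs users to.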
Expand Down Expand Up @@ -561,7 +552,7 @@
* Example:
* 'session.cookie.domain' => '.example.org',
*/
'session.cookie.domain' => null,
'session.cookie.domain' => '',

/*
* Set the secure flag in the cookie.
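Review bot: `'session.cookie.domain' => ''` matches the 2.0 template's string type, but the comment above it still gives `.example.org` as the example without saying that an empty value scopes the cookie to the exact host the browser used; that is the mechanism behind the README's "the URL that Totara uses and the URL you access in your browser must be the same" rule, so a one-line comment here would connect the two.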
Expand Down Expand Up @@ -589,7 +580,7 @@
* Example:
* 'session.cookie.samesite' => 'None',
*/
// 'session.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
// 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
'session.cookie.samesite' => null, // Breaks otherwise in Chrome.

/*
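Review bot: the comment `// Breaks otherwise in Chrome.` on `'session.cookie.samesite' => null` does not explain the failure; the commented-out line above it would set `None`, and browsers reject `SameSite=None` on a cookie that is not also `Secure`, which a plain `http://localhost:8089` test IdP cannot set. Say that explicitly, and note that `null` leaves the browser default (Lax in Chrome), under which the cookie is not sent on cross-site POST requests, so the next person does not flip it back to `None` without also turning on `session.cookie.secure` and TLS.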
Expand Down Expand Up @@ -757,41 +748,6 @@
| LANGUAGE AND INTERNATIONALIZATION |
*************************************/

/*
* Language-related options.
*/
'language' => [
/*
* An array in the form 'language' => <list of alternative languages>.
*
* Each key in the array is the ISO 639 two-letter code for a language,
* and its value is an array with a list of alternative languages that
* can be used if the given language is not available at some point.
* Each alternative language is also specified by its ISO 639 code.
*
* For example, for the "no" language code (Norwegian), we would have:
*
* 'priorities' => [
* 'no' => ['nb', 'nn', 'en', 'se'],
* ...
* ],
*
* establishing that if a translation for the "no" language code is
* not available, we look for translations in "nb",
* and so on, in that order.
*/
'priorities' => [
'no' => ['nb', 'nn', 'en', 'se'],
'nb' => ['no', 'nn', 'en', 'se'],
'nn' => ['no', 'nb', 'en', 'se'],
'se' => ['nb', 'no', 'nn', 'en'],
'nr' => ['zu', 'en'],
'nd' => ['zu', 'en'],
'tw' => ['st', 'en'],
'nso' => ['st', 'en'],
],
],

/*
* Languages available, RTL languages, and what language is the default.
*/
Expand All @@ -816,8 +772,9 @@
'language.cookie.secure' => true,
'language.cookie.httponly' => false,
'language.cookie.lifetime' => (60 * 60 * 24 * 900),
// 'language.cookie.samesite' => \SimpleSAML\Utils\HTTP::canSetSameSiteNone() ? 'None' : null,
// 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
'language.cookie.samesite' => null, // Breaks otherwise in Chrome

/**
* Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
* Function should return language code of one of the available languages or NULL.
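Review bot: `'language.cookie.secure' => true` is kept while the README runs this IdP over plain `http://localhost:8089`; a `Secure` cookie is never sent over http, so the language selection cannot persist in the documented setup, and the same `// Breaks otherwise in Chrome` comment appears here as on the session cookie without naming the cause (SameSite=None requires Secure). Either set it to false for the plain-http test setup or document that the language cookie only works behind TLS.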
Expand All @@ -830,33 +787,6 @@
* 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
*/

/*
* Extra dictionary for attribute names.
* This can be used to define local attributes.
*
* The format of the parameter is a string with <module>:<dictionary>.
*
* Specifying this option will cause us to look for modules/<module>/dictionaries/<dictionary>.definition.json
* The dictionary should look something like:
*
* {
* "firstattribute": {
* "en": "English name",
* "no": "Norwegian name"
* },
* "secondattribute": {
* "en": "English name",
* "no": "Norwegian name"
* }
* }
*
* Note that all attribute names in the dictionary must in lowercase.
*
* Example: 'attributes.extradictionary' => 'ourmodule:ourattributes',
*/
'attributes.extradictionary' => null,



/**************
| APPEARANCE |
Expand All @@ -873,8 +803,6 @@
*/
'theme.header' => $title,

'usenewui' => true,

/**
* A template controller, if any.
*
Expand Down Expand Up @@ -939,6 +867,13 @@
],
],

/**
* Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
* front page to somewhere more useful. If left unset, a basic welcome message
* is shown.
*/
'frontpage.redirect' => '/admin',


/*********************
| DISCOVERY SERVICE |
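Review bot: the comment above `'frontpage.redirect' => '/admin'` asks for "a full URL", but the value is a root-relative path; that only works while the IdP is served at `/` (which the Dockerfile's DocumentRoot rewrite to `public/` arranges) and would point outside the application under any non-root `baseurlpath`, so either build it from the configured base URL or change the comment to say a path is accepted.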
Expand Down Expand Up @@ -1223,4 +1158,16 @@
* The prefix we should use on our Redis datastore.
*/
'store.redis.prefix' => 'SimpleSAMLphp',

/*********************
| IdP/SP PROXY MODE |
*********************/

/*
* If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends
* AuthnContextClassRef, decide whether the AuthnContextClassRef will be
* processed by the IdP/SP proxy or if it will be passed to the SP behind
* the IdP/SP proxy.
*/
'proxymode.passAuthnContextClassRef' => false,
];