From 66df6d95092f28685bae6d53132e9052938a9365 Mon Sep 17 00:00:00 2001
From: Cody Finegan <44886+codyfinegan@users.noreply.github.com>
Date: Thu, 7 Nov 2024 12:57:35 +1300
Subject: [PATCH] Adding support for multiple certificates (#8)
---
 Dockerfile | 31 ++++++++++++++----------
 README.md | 43 ++++++++++++++++++++++++++++++++--
 config/authsources.php | 4 ++--
 metadata/saml20-idp-hosted.php | 14 +++++++++--
 4 files changed, 73 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f9c9301..6e610ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:18-alpine as node_builder
+FROM node:18-alpine AS node_builder
 # Define the SAML version installed
 ARG SAML_VERSION=2.0.3
@@ -15,14 +15,14 @@ RUN mkdir /app && \
 rm -rf metadata
-FROM php:8.0-apache-buster as dev
+FROM php:8.0-apache-buster AS dev
 COPY --from=node_builder /app/samlphp/ /var/www/html/
-ENV SIMPLESAMLPHP_CONFIG_DIR /var/www/config/
-ENV SIMPLESAMLPHP_METADATA_DIR /var/www/metadata/
-ENV SIMPLESAMLPHP_METADATA_STORAGE_DIR /var/www/metadata_storage/
-ENV LISTEN_PORT 8089
+ENV SIMPLESAMLPHP_CONFIG_DIR=/var/www/config/
+ENV SIMPLESAMLPHP_METADATA_DIR=/var/www/metadata/
+ENV SIMPLESAMLPHP_METADATA_STORAGE_DIR=/var/www/metadata_storage/
+ENV LISTEN_PORT=8089
 # Default expose port
 EXPOSE 8089
@@ -36,8 +36,13 @@ RUN sed -ri -e 's!/var/www/html!/var/www/html/public/!g' /etc/apache2/sites-avai
 # Generate the internal certificate
 RUN cd /var/www/html/cert && \
 openssl req -subj /C=NZ/ST=Wellington/L=Wellington/O=Totara/OU=Development/CN=server \
- -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem && \
- chown www-data server.*
+ -newkey rsa:3072 -new -x509 -days 3650 -nodes -out server.crt -keyout server.pem && \
+ openssl req -subj /C=NZ/ST=Wellington/L=Wellington/O=Totara/OU=Development/CN=server \
+ -newkey rsa:3072 -new -x509 -days 3650 -nodes -out new_server.crt -keyout new_server.pem && \
+ openssl req -subj /C=NZ/ST=Wellington/L=Wellington/O=Totara/OU=Development/CN=server \
+ -newkey rsa:3072 -new -x509 -days 1 -nodes -out expired_server.crt -keyout expired_server.pem && \
+ chown www-data *.crt && \
+ chown www-data *.pem
 # Expose PHP errors to the CLI
 RUN cp "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini" && \
@@ -48,12 +53,12 @@ RUN mkdir -p /var/www/metadata_storage && \
-FROM php:8.0-apache-buster as prod
+FROM php:8.0-apache-buster AS prod
-ENV SIMPLESAMLPHP_CONFIG_DIR /var/www/config/
-ENV SIMPLESAMLPHP_METADATA_DIR /var/www/metadata/
-ENV SIMPLESAMLPHP_METADATA_STORAGE_DIR /var/www/metadata_storage/
-ENV LISTEN_PORT 8089
+ENV SIMPLESAMLPHP_CONFIG_DIR=/var/www/config/
+ENV SIMPLESAMLPHP_METADATA_DIR=/var/www/metadata/
+ENV SIMPLESAMLPHP_METADATA_STORAGE_DIR=/var/www/metadata_storage/
+ENV LISTEN_PORT=8089
 # Default expose port
 EXPOSE 8089
diff --git a/README.md b/README.md
index 0a71059..d761e34 100644
--- a/README.md
+++ b/README.md
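Review bot: The `expired_server` key pair is issued with `-days 1`, so in a freshly built image it is a valid certificate for up to 24 hours and only becomes expired once the image ages; anything that relies on it being rejected will behave differently depending on when the image was built. If the openssl in the base image allows it, give that certificate an explicit validity window that already lies in the past (for example `openssl ca -selfsign` with `-startdate`/`-enddate`, or generating it under a shifted clock), and otherwise state the limitation next to the line, e.g. `# expired_server.* only becomes expired one day after the image is built`. The comment `# Generate the internal certificate` now heads a step that produces three key pairs and should say so. The two `chown` lines can be one, `chown www-data *.crt *.pem`.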
@@ -77,7 +77,7 @@ The path to the metadata file depends on what SAML plugin you are using which is By default, there's a hard-coded list of users and attributes. However, you can provide your own PHP file via volumes and replace the user list with your own. -Create a new file called `custom_auth_sources.php` with the following structure: +Create a new file called `custom-auth-sources.php` with the following structure: ```php ['annie_example'], 'firstname' => ['annie'] ], +] ``` The `username:password` section applies to the IdP, while the internal array is what will be posted back to the SP. In the example above, the `my_user` user is known as `my_username` or `my_uid` to the service provider and will never see `my_user`. Once created, include it as a volume, such as: -`docker run ... -v /path/to/custom_auth_sources.php:/var/www/custom_auth_sources.php ... -it totara/simple-saml-test:latest` +`docker run ... -v /path/to/custom-auth-sources.php:/var/www/custom-auth-sources.php ... -it totara/simple-saml-test:latest` + +## Custom IdP Configuration + +To change the settings in `./metadata/saml20-idp-hosted.php` you can create a file called `custom-saml20-idp-hosted.php`. +Return an array of settings to override or merge into the `saml20-idp-hosted.php` main file. + +Once created, include it as a volume, such as: +`docker run ... -v /path/to/custom-saml20-idp-hosted.php:/var/www/custom-saml20-idp-hosted.php ... -it totara/simple-saml-test:latest` + +### Enable Other Certificates +Three certificates are provided with this docker image: ++ server.crt / server.pem - Normal key that lasts 10 years ++ new_server.crt / new_server.pem - Another key that lasts 10 years ++ expired_server.crt / expired_server.pem - Key that's expired. + +The first is automatically used, but the new and expired can be set by adding the following to your `custom-saml20-idp-hosted.php` override. 
+
+```php
+# To change the active key
+return [
+ 'privatekey' => 'new_server.pem',
+ 'certificate' => 'new_server.crt',
+];
+
+# To have both the regular & new keys together
+return [
+ 'privatekey' => 'server.pem',
+ 'certificate' => 'server.crt',
+ 'new_privatekey' => 'new_server.pem',
+ 'new_certificate' => 'new_server.crt',
+];
+
+# To use the expired key
+return [
+ 'privatekey' => 'expired_server.pem',
+ 'certificate' => 'expired_server.crt',
+];
+```
 ## Developing This Image
diff --git a/config/authsources.php b/config/authsources.php
index 229f953..bcc46e5 100644
--- a/config/authsources.php
+++ b/config/authsources.php
@@ -82,8 +82,8 @@
 'email' => ['sarah.allison@example.com'],
 ],
 ];
-if (file_exists('/var/www/custom_auth_sources.php')) {
- $sources = include('/var/www/custom_auth_sources.php');
+if (file_exists('/var/www/custom-auth-sources.php')) {
+ $sources = include('/var/www/custom-auth-sources.php');
 }
 $config = [
diff --git a/metadata/saml20-idp-hosted.php b/metadata/saml20-idp-hosted.php
index 789f782..d9bde53 100644
--- a/metadata/saml20-idp-hosted.php
+++ b/metadata/saml20-idp-hosted.php
@@ -6,7 +6,17 @@
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
 */
-$metadata['urn:x-simplesaml:idp-' . getenv('LISTEN_PORT')] = [
+
+$extra = [];
+if (file_exists('/var/www/custom-saml20-idp-hosted.php')) {
+ $extra = include('/var/www/custom-saml20-idp-hosted.php');
+ if (!is_array($extra)) {
+ $extra = [];
+ }
+}
+
+
+$metadata['urn:x-simplesaml:idp-' . getenv('LISTEN_PORT')] = array_merge([
 /*
 * The hostname of the server (VHOST) that will use this SAML entity.
 *
@@ -69,4 +79,4 @@
 ],
 ],
 */
-];
+], $extra);
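Review bot: Renaming the override path from `custom_auth_sources.php` to `custom-auth-sources.php` silently breaks existing deployments: a volume still mounted under the old name no longer satisfies `file_exists`, so the IdP quietly falls back to the built-in hard-coded user list with no indication that the override was ignored. Accepting both names during a transition would avoid that, e.g. `foreach (['/var/www/custom-auth-sources.php', '/var/www/custom_auth_sources.php'] as $path) { if (file_exists($path)) { $sources = include($path); break; } }`, or at minimum emit a notice when no override file is present. Unlike the saml20-idp-hosted.php change in this same commit, the value returned by `include` is not checked with `is_array` before it replaces `$sources`. The default `$sources` array starts before this hunk.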
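Review bot: `array_merge` on the new `$metadata[...]` assignment is a shallow merge: any key in `$extra` whose value is itself an array replaces the default's nested array wholesale rather than merging into it, while the README in this commit describes the override file as settings to "override or merge". Either document that only top-level keys are replaced — `// Top-level keys from the override file replace the defaults; nested arrays are not merged` — or switch to `array_replace_recursive` if a deep merge is what the README promises. The `is_array` guard is useful, but a non-array return is discarded silently, so a short notice in that branch would make a malformed override visible instead of looking like "no override". The array literal this hunk opens is closed by the `], $extra);` hunk further down.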