added the shib testing page inclucing dependencies, fixes #10

dockerfiles/Dockerfile.nginx

@@ -49,12 +49,10 @@ RUN chmod a+x /etc/init.d/nginx
 RUN ln -s /opt/nginx/sbin/nginx /usr/sbin/nginx
 # copy over static html
 COPY commul-customization/webpage/ /opt/nginx/html/
+
 #RUN mkdir /opt/nginx/html/img
 #COPY commul-customization/index.html /opt/nginx/html/
 #COPY commul-customization/eurac.png /opt/nginx/html/img/
-# create the test secure folder
-RUN mkdir /opt/nginx/html/secure
-COPY commul-customization/shib_test.pl /opt/nginx/html/secure/
 
 # install php
 RUN apt-get update && apt-get install -y php-fpm php-xml
@@ -75,6 +73,15 @@ RUN /tmp/shibboleth_sp_with_fastcgi.sh
 RUN cp /opt/shibboleth-sp-fastcgi/etc/shibboleth/shibd-debian /etc/init.d/shibd
 RUN chmod a+x /etc/init.d/shibd
 
+# create the test secure folder and set up perl fastcgi
+RUN mkdir /opt/nginx/html/secure
+RUN apt-get update && apt-get install -y fcgiwrap
+RUN cpanm CGI URI XML::Twig LWP::Protocol::https
+COPY commul-customization/shib_test.pl /opt/nginx/html/secure/
+COPY commul-customization/shib_fastcgi_params /opt/nginx/conf/
+COPY commul-customization/attribute-map.xml /opt/shibboleth-sp-fastcgi/etc/shibboleth/
+RUN chown -R www-data:www-data /opt/nginx/html/secure
+RUN chmod a+x /opt/nginx/html/secure/shib_test.pl
 
 # install supervisor
 RUN apt-get install -y python-setuptools
@@ -115,4 +122,3 @@ RUN yui-compressor -o aai.min.js aai.js
 
 
 ENTRYPOINT ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf"]
-

dockerfiles/commul-customization/attribute-map.xml

+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+	SAML1 + SAML2 declarations : name = input, id is output name
+	-->
+
+    <!-- EduPersonPrincipalName -->
+	<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="mace-eduPersonPrincipalName" >
+    		<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+	</Attribute>
+	<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="mace-eduPersonPrincipalName" />
+	<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn" >
+    		<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+	</Attribute>
+
+    <!-- eduPersonTargetedID -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="eduPersonTargetedID" /> <!-- incorrect SAML 1.1 mapping, required for historical compatibility see https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="eduPersonTargetedID"> <!-- the usually recommended approach to passing an eduPersonTargetedID to SAML 2.0 SPs, including Shibboleth 2.x. https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTargetedID -->
+           <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name!!$NameQualifier!!$SPNameQualifier"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="eduPersonTargetedID" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+           <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name!!$NameQualifier!!$SPNameQualifier"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="eduPersonTargetedID" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+           <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name!!$NameQualifier!!$SPNameQualifier"/>
+    </Attribute>
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- eduPersonScopedAffiliation -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="eduPersonScopedAffiliation"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="eduPersonScopedAffiliation"/>
+
+    <!-- eduPersonEntitlement -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
+
+    <!-- commonName -->
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn" />
+    <Attribute name="urn:oid:2.5.4.3" id="cn" />
+
+    <!-- mail -->
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+
+    <!-- organization -->
+    <Attribute name="urn:mace:dir:attribute-def:organizationName" id="organizationName"/>
+    <Attribute name="urn:oid:2.5.4.10" id="organizationName"/>
+
+    <!-- displayName -->
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid" />
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:surName" id="surName"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="eduPersonAffiliation"/>
+    <Attribute name="urn:mace:dir:attribute-def:damlrPersonAffiliation" id="eduPersonAffiliation" />
+    -->
+</Attributes>

dockerfiles/commul-customization/default-ssl

@@ -132,14 +132,14 @@ server {
     alias /opt/repository/sources/lindat-aai-discovery; }
 
   # add path your repository path that will be protected by shibboleth
-  location /repository/xmlui/shibboleth-login { 
-	include repository_auth; 
+  location /repository/xmlui/shibboleth-login {
+	include repository_auth;
     ajp_keep_conn on;
     ajp_pass tomcats;
 	}
 
-  location /xmlui/shibboleth-login            { 
-	include repository_auth; 
+  location /xmlui/shibboleth-login            {
+	include repository_auth;
 	ajp_keep_conn on;
     ajp_pass tomcats;
 	}
@@ -168,17 +168,19 @@ server {
   location /shibboleth-sp {
     alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
   }
- 
+
   location /secure {
-    include shib_clear_headers;
+         #include shib_clear_headers;
          #Add your attributes here. They get introduced as headers
          #by the FastCGI authorizer so we must prevent spoofing.
-         more_clear_input_headers 'displayName' 'mail' 'persistent-id';
+         #more_clear_input_headers 'displayName' 'mail' 'persistent-id';
          shib_request /shibauthorizer;
          shib_request_use_headers on;
-         proxy_pass http://localhost:8080;
+         gzip off;
+         include shib_fastcgi_params;
+         fastcgi_pass unix:/tmp/fcgiwrap.socket;
+         fastcgi_param SCRIPT_FILENAME /opt/nginx/html$fastcgi_script_name;
      }
 
   include /opt/nginx/conf/proxies-enabled/*;
 }
-

dockerfiles/commul-customization/fastcgi.conf

-
-fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-fastcgi_param  QUERY_STRING       $query_string;
-fastcgi_param  REQUEST_METHOD     $request_method;
-fastcgi_param  CONTENT_TYPE       $content_type;
-fastcgi_param  CONTENT_LENGTH     $content_length;
-
-fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
-fastcgi_param  REQUEST_URI        $request_uri;
-fastcgi_param  DOCUMENT_URI       $document_uri;
-fastcgi_param  DOCUMENT_ROOT      $document_root;
-fastcgi_param  SERVER_PROTOCOL    $server_protocol;
-fastcgi_param  REQUEST_SCHEME     $scheme;
-fastcgi_param  HTTPS              $https if_not_empty;
-
-fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
-fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
-
-fastcgi_param  REMOTE_ADDR        $remote_addr;
-fastcgi_param  REMOTE_PORT        $remote_port;
-fastcgi_param  SERVER_ADDR        $server_addr;
-fastcgi_param  SERVER_PORT        $server_port;
-fastcgi_param  SERVER_NAME        $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param  REDIRECT_STATUS    200;

dockerfiles/commul-customization/shib_clear_headers

@@ -10,6 +10,8 @@
 more_clear_input_headers
     Auth-Type
     Shib-Application-Id
+    Shib-Assertion-Count
+    Shib-Assertion-01
     Shib-Authentication-Instant
     Shib-Authentication-Method
     Shib-Authncontext-Class
@@ -30,4 +32,3 @@ more_clear_input_headers
 #     DisplayName
 #     Email
 #     OrganizationName;
-

dockerfiles/commul-customization/shib_fastcgi_params

+# vim: set filetype=conf :
+
+#See: https://blog.techsoc.io/adventures-in-shibboleth-and-nginx-part-2-of-2-6455a7f1d026
+include fastcgi_params;
+
+# Replace `fastcgi_param` with `sgci_param`, `uwsgi_param` or similar
+# directive for use with different upstreams. Consult the relevant upstream
+# documentation for more information on environment parameters.
+#
+# Auth-Type is configured as authType in
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings.
+# Other default SP variables are as per
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-CustomSPVariables
+
+shib_request_set $shib_auth_type $upstream_http_variable_auth_type;
+fastcgi_param Auth-Type $shib_auth_type;
+
+shib_request_set $shib_shib_application_id $upstream_http_variable_shib_application_id;
+fastcgi_param Shib-Application-ID $shib_shib_application_id;
+
+shib_request_set $shib_shib_authentication_instant $upstream_http_variable_shib_authentication_instant;
+fastcgi_param Shib-Authentication-Instant $shib_shib_authentication_instant;
+
+shib_request_set $shib_shib_authentication_method $upstream_http_variable_shib_authentication_method;
+fastcgi_param Shib-Authentication-Method $shib_shib_authentication_method;
+
+shib_request_set $shib_shib_authncontext_class $upstream_http_variable_shib_authncontext_class;
+fastcgi_param Shib-AuthnContext-Class $shib_shib_authncontext_class;
+
+shib_request_set $shib_shib_authncontext_decl $upstream_http_variable_shib_authncontext_decl;
+fastcgi_param Shib-AuthnContext-Decl $shib_shib_authncontext_decl;
+
+shib_request_set $shib_shib_identity_provider $upstream_http_variable_shib_identity_provider;
+fastcgi_param Shib-Identity-Provider $shib_shib_identity_provider;
+
+shib_request_set $shib_shib_session_id $upstream_http_variable_shib_session_id;
+fastcgi_param Shib-Session-ID $shib_shib_session_id;
+
+shib_request_set $shib_shib_session_index $upstream_http_variable_shib_session_index;
+fastcgi_param Shib-Session-Index $shib_shib_session_index;
+
+shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
+fastcgi_param Remote-User $shib_remote_user;
+
+#
+# CLARIN Supported attributes
+#
+#mail (1 values)
+#eduPersonTargetedID (1 values)
+#organizationName (1 values)
+#displayName (1 values)
+#oid-eduPersonPrincipalName (1 values)
+#cn (1 values)
+#eduPersonScopedAffiliation (1 values)
+#eduPersonEntitlement (1 values)
+#persistent-id (1 values)
+
+
+shib_request_set $shib_mail $upstream_http_variable_mail;
+fastcgi_param Mail $shib_mail;
+
+shib_request_set $shib_eptid $upstream_http_variable_edupersontargetedid;
+fastcgi_param EduPersonTargetedID $shib_eptid;
+
+shib_request_set $shib_o $upstream_http_variable_organizationname;
+fastcgi_param OrganizationName $shib_o;
+
+shib_request_set $shib_displayname $upstream_http_variable_displayname;
+fastcgi_param DisplayName $shib_displayname;
+
+shib_request_set $shib_eppn $upstream_http_variable_eppn;
+fastcgi_param EduPersonPrincipalName $shib_eppn;
+
+shib_request_set $shib_cn $upstream_http_variable_cn;
+fastcgi_param cn $shib_cn;
+
+shib_request_set $shib_epsa $upstream_http_variable_edupersonscopedaffiliation;
+fastcgi_param EduPersonScopedAffiliation $shib_epsa;
+
+shib_request_set $shib_epent $upstream_http_variable_edupersonentitlement;
+fastcgi_param EduPersonEntitlement $shib_epent;
+
+shib_request_set $shib_pid $upstream_http_variable_persistent_id;
+fastcgi_param Persistent-Id $shib_pid;

dockerfiles/commul-customization/shib_test.pl

@@ -70,7 +70,7 @@ sub render_table_rows {
 
 sub dump_shibboleth_attributes {
     my $debug_env = shift;
-    
+
     my @keys = sort(keys(%ENV));
     my @attrs = grep(!m/^(HTTPS|SERVER_|SCRIPT_|PATH|QUERY_STRING|GATEWAY|DOCUMENT_ROOT|REMOTE|REQUEST|HTTP_|AUTH_TYPE|Shib_)/i, @keys);
     my @shib = grep(m/Shib_/i, @keys);
@@ -100,9 +100,13 @@ sub dump_shibboleth_assertions {
         'Raw SAML Assertion(s)', '</th>', '</tr>';
     my $j = 0;
     my $browser = LWP::UserAgent->new;
+    $browser->ssl_opts( 'verify_hostname' => 0 );
+
     ASSERTION:
     for (my $i = 1; $i <= $count; $i++) {
-        my $url = $ENV{sprintf('Shib_Assertion_%02d', $i)};
+        my $url = $ENV{sprintf('HTTP_SHIB_ASSERTION_%02d', $i)};
+        my $eurac_host = "https://" . $ENV{"SERVER_NAME"};
+        $url =~ s#$eurac_host#https://127.0.0.1#;
         next ASSERTION unless defined ($url);
 
 	print '<tr class="', ($j++ % 2 == 0 ? 'even' : 'odd'), '">';
@@ -220,9 +224,9 @@ sub scan_attributes {
 sub main {
     my $q = shift;
 
-    if (defined($ENV{'Shib_Session_ID'})) {
+    if (defined($ENV{'HTTP_SHIB_SESSION_ID'})) {
 	# logout link
-	my $idp = $ENV{'Shib_Identity_Provider'};
+	my $idp = $ENV{'HTTP_SHIB_IDENTITY_PROVIDER'};
 	if (!defined($idp)) {
 	    $idp = '<span class="error">[UNKNOWN]</span>';
 	}
@@ -250,7 +254,7 @@ sub main {
 	}
 
 	# remote user
-	my $user = $ENV{'REMOTE_USER'};
+	my $user = $ENV{'HTTP_REMOTE_USER'};
 	$warnings++ unless defined($user);
 	print '<p class="attr ', (defined($user) ? 'ok' : 'warn'), '">';
 	print 'REMOTE_USER: ',
@@ -274,7 +278,7 @@ sub main {
 	print '<table class="attr">';
 	my $debug_env = (defined($q) && $q->param('debug_env'));
 	dump_shibboleth_attributes($debug_env);
-	dump_shibboleth_assertions($ENV{'Shib_Assertion_Count'});
+	dump_shibboleth_assertions($ENV{'HTTP_SHIB_ASSERTION_COUNT'});
 	print '</table>';
     }
     else {

dockerfiles/commul-customization/shibboleth2.xml

 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     logger="syslog.logger" clockSkew="180">
 
@@ -17,7 +17,7 @@
     To customize behavior for specific resources on Apache, and to link vhosts or
     resources to ApplicationOverride settings below, use web server options/commands.
     See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
+
     For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
     file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
     -->
@@ -30,7 +30,7 @@
                 redirectToSSL="443">
             <Path name="/secure" />
         </Host>
-        
+
     </RequestMap>
 </RequestMapper>
 
@@ -76,7 +76,7 @@
 
             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-            
+
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false" template="clarin.eurac.edu.template.metadata.xml"/>
 
@@ -97,7 +97,7 @@
         <Errors supportContact="clarin@eurac.edu"
             helpLocation="/repository/xmlui/page/about"
             styleSheet="/shibboleth-sp/main.css"/>
-        
+
         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
         <MetadataProvider type="XML" validate="true"
@@ -105,7 +105,7 @@
               backingFilePath="federation-metadata.xml" reloadInterval="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
             <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
               attributeName="http://macedir.org/entity-category"
               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
               attributeValue="http://refeds.org/category/hide-from-discovery" />
@@ -148,7 +148,7 @@
 
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
+
         <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="true"/>
 
@@ -163,7 +163,7 @@
         the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
         Resource requests are mapped by web server commands, or the RequestMapper, to an
         applicationId setting.
-        
+
         Example of a second application (for a second vhost) that has a different entityID.
         Resources on the vhost would map to an applicationId of "admin":
         -->
@@ -171,7 +171,7 @@
         <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
         -->
     </ApplicationDefaults>
-    
+
     <!-- Policies that determine how to process and authenticate runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
 

dockerfiles/commul-customization/supervisord.conf

@@ -85,6 +85,12 @@ stderr_logfile=/var/log/php-fpm/stderr.log
 stderr_logfile_maxbytes=0
 exitcodes=0
 
+[program:fcgiwrap]
+command=/usr/sbin/fcgiwrap -s unix:/tmp/fcgiwrap.socket -f
+user=www-data
+stdout_logfile=/var/log/supervisor/fcgiwrap.log
+stderr_logfile=/var/log/supervisor/fcgiwrap.error.log
+
 
 [program:nginx]
 command=/opt/nginx/sbin/nginx -g "daemon off;"
@@ -97,5 +103,3 @@ stopwaitsecs=30
 ; The below sample program section shows all possible program subsection values,
 ; create one or more 'real' program: sections to be able to control them under
 ; supervisor.
-
-