dockerfiles/commul-customization/shib_fastcgi_params

+# vim: set filetype=conf :
+
+#See: https://blog.techsoc.io/adventures-in-shibboleth-and-nginx-part-2-of-2-6455a7f1d026
+include fastcgi_params;
+
+# Replace `fastcgi_param` with `sgci_param`, `uwsgi_param` or similar
+# directive for use with different upstreams. Consult the relevant upstream
+# documentation for more information on environment parameters.
+#
+# Auth-Type is configured as authType in
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings.
+# Other default SP variables are as per
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-CustomSPVariables
+
+shib_request_set $shib_auth_type $upstream_http_variable_auth_type;
+fastcgi_param Auth-Type $shib_auth_type;
+
+shib_request_set $shib_shib_application_id $upstream_http_variable_shib_application_id;
+fastcgi_param Shib-Application-ID $shib_shib_application_id;
+
+shib_request_set $shib_shib_authentication_instant $upstream_http_variable_shib_authentication_instant;
+fastcgi_param Shib-Authentication-Instant $shib_shib_authentication_instant;
+
+shib_request_set $shib_shib_authentication_method $upstream_http_variable_shib_authentication_method;
+fastcgi_param Shib-Authentication-Method $shib_shib_authentication_method;
+
+shib_request_set $shib_shib_authncontext_class $upstream_http_variable_shib_authncontext_class;
+fastcgi_param Shib-AuthnContext-Class $shib_shib_authncontext_class;
+
+shib_request_set $shib_shib_authncontext_decl $upstream_http_variable_shib_authncontext_decl;
+fastcgi_param Shib-AuthnContext-Decl $shib_shib_authncontext_decl;
+
+shib_request_set $shib_shib_identity_provider $upstream_http_variable_shib_identity_provider;
+fastcgi_param Shib-Identity-Provider $shib_shib_identity_provider;
+
+shib_request_set $shib_shib_session_id $upstream_http_variable_shib_session_id;
+fastcgi_param Shib-Session-ID $shib_shib_session_id;
+
+shib_request_set $shib_shib_session_index $upstream_http_variable_shib_session_index;
+fastcgi_param Shib-Session-Index $shib_shib_session_index;
+
+shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
+fastcgi_param Remote-User $shib_remote_user;
+
+#
+# CLARIN Supported attributes
+#
+#mail (1 values)
+#eduPersonTargetedID (1 values)
+#organizationName (1 values)
+#displayName (1 values)
+#oid-eduPersonPrincipalName (1 values)
+#cn (1 values)
+#eduPersonScopedAffiliation (1 values)
+#eduPersonEntitlement (1 values)
+#persistent-id (1 values)
+
+
+shib_request_set $shib_mail $upstream_http_variable_mail;
+fastcgi_param Mail $shib_mail;
+
+shib_request_set $shib_eptid $upstream_http_variable_edupersontargetedid;
+fastcgi_param EduPersonTargetedID $shib_eptid;
+
+shib_request_set $shib_o $upstream_http_variable_organizationname;
+fastcgi_param OrganizationName $shib_o;
+
+shib_request_set $shib_displayname $upstream_http_variable_displayname;
+fastcgi_param DisplayName $shib_displayname;
+
+shib_request_set $shib_eppn $upstream_http_variable_eppn;
+fastcgi_param EduPersonPrincipalName $shib_eppn;
+
+shib_request_set $shib_cn $upstream_http_variable_cn;
+fastcgi_param cn $shib_cn;
+
+shib_request_set $shib_epsa $upstream_http_variable_edupersonscopedaffiliation;
+fastcgi_param EduPersonScopedAffiliation $shib_epsa;
+
+shib_request_set $shib_epent $upstream_http_variable_edupersonentitlement;
+fastcgi_param EduPersonEntitlement $shib_epent;
+
+shib_request_set $shib_pid $upstream_http_variable_persistent_id;
+fastcgi_param Persistent-Id $shib_pid;

dockerfiles/commul-customization/shib_test.pl

@@ -70,7 +70,7 @@ sub render_table_rows {
 
 sub dump_shibboleth_attributes {
     my $debug_env = shift;
-    
+
     my @keys = sort(keys(%ENV));
     my @attrs = grep(!m/^(HTTPS|SERVER_|SCRIPT_|PATH|QUERY_STRING|GATEWAY|DOCUMENT_ROOT|REMOTE|REQUEST|HTTP_|AUTH_TYPE|Shib_)/i, @keys);
     my @shib = grep(m/Shib_/i, @keys);
@@ -100,9 +100,13 @@ sub dump_shibboleth_assertions {
         'Raw SAML Assertion(s)', '</th>', '</tr>';
     my $j = 0;
     my $browser = LWP::UserAgent->new;
+    $browser->ssl_opts( 'verify_hostname' => 0 );
+
     ASSERTION:
     for (my $i = 1; $i <= $count; $i++) {
-        my $url = $ENV{sprintf('Shib_Assertion_%02d', $i)};
+        my $url = $ENV{sprintf('HTTP_SHIB_ASSERTION_%02d', $i)};
+        my $eurac_host = "https://" . $ENV{"SERVER_NAME"};
+        $url =~ s#$eurac_host#https://127.0.0.1#;
         next ASSERTION unless defined ($url);
 
 	print '<tr class="', ($j++ % 2 == 0 ? 'even' : 'odd'), '">';
@@ -196,7 +200,7 @@ sub scan_attributes {
 	    }
 	}
 
-	if (defined($found)) {
+	if ((defined($found)) && (length $ENV{$found})) {
 	    print '<p class="attr ok">',
                 ($optional ? 'Optional'
                            : 'Required'),
@@ -205,6 +209,13 @@ sub scan_attributes {
                                      : ''),
 		'.</p>';
 	}
+    elsif (!(length $ENV{$found})) {
+        print '', ($optional ? '<p class="attr warn">Optional'
+                                 : '<p class="attr error">Required'),
+        ' attribute <code>', $attrs[0],
+                '</code> is available, but empty.</p>';
+        $missing++;
+    }
 	else {
 	    print '', ($optional ? '<p class="attr warn">Optional'
                                  : '<p class="attr error">Required'),
@@ -220,9 +231,9 @@ sub scan_attributes {
 sub main {
     my $q = shift;
 
-    if (defined($ENV{'Shib_Session_ID'})) {
+    if (defined($ENV{'HTTP_SHIB_SESSION_ID'})) {
 	# logout link
-	my $idp = $ENV{'Shib_Identity_Provider'};
+	my $idp = $ENV{'HTTP_SHIB_IDENTITY_PROVIDER'};
 	if (!defined($idp)) {
 	    $idp = '<span class="error">[UNKNOWN]</span>';
 	}
@@ -250,7 +261,7 @@ sub main {
 	}
 
 	# remote user
-	my $user = $ENV{'REMOTE_USER'};
+	my $user = $ENV{'HTTP_REMOTE_USER'};
 	$warnings++ unless defined($user);
 	print '<p class="attr ', (defined($user) ? 'ok' : 'warn'), '">';
 	print 'REMOTE_USER: ',
@@ -274,7 +285,7 @@ sub main {
 	print '<table class="attr">';
 	my $debug_env = (defined($q) && $q->param('debug_env'));
 	dump_shibboleth_attributes($debug_env);
-	dump_shibboleth_assertions($ENV{'Shib_Assertion_Count'});
+	dump_shibboleth_assertions($ENV{'HTTP_SHIB_ASSERTION_COUNT'});
 	print '</table>';
     }
     else {

dockerfiles/commul-customization/shibboleth2.xml

 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     logger="syslog.logger" clockSkew="180">
 
@@ -17,7 +17,7 @@
     To customize behavior for specific resources on Apache, and to link vhosts or
     resources to ApplicationOverride settings below, use web server options/commands.
     See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
-    
+
     For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
     file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
     -->
@@ -26,16 +26,18 @@
         <Host name="clarin.eurac.edu"
                 authType="shibboleth"
                 requireSession="true"
+		exportAssertion="true"
                 redirectToSSL="443">
             <Path name="/secure" />
         </Host>
-        
+
     </RequestMap>
 </RequestMapper>
 
     <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
     <ApplicationDefaults entityID="https://clarin.eurac.edu/Shibboleth.sso/Metadata"
                          REMOTE_USER="eppn persistent-id targeted-id"
+			 sessionHook="/php/aa-statistics.php"
                          cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
 
         <!--
@@ -47,8 +49,14 @@
         Note that while we default checkAddress to "false", this has a negative impact on the
         security of your site. Stealing sessions via cookie theft is much easier with this disabled.
         -->
-        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
-                  checkAddress="false" handlerSSL="false" cookieProps="http">
+        <Sessions lifetime="28800"
+		  timeout="3600"
+		  relayState="ss:mem"
+                  checkAddress="false"
+                  handlerSSL="true"
+		  cookieProps="https"
+		  exportLocation="/GetAssertion"
+                  exportACL="127.0.0.1">
 
             <!--
             Configures SSO for a default IdP. To allow for >1 IdP, remove
@@ -68,7 +76,7 @@
 
             <!-- SAML and local-only logout. -->
             <Logout>SAML2 Local</Logout>
-            
+
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false" template="clarin.eurac.edu.template.metadata.xml"/>
 
@@ -89,7 +97,7 @@
         <Errors supportContact="clarin@eurac.edu"
             helpLocation="/repository/xmlui/page/about"
             styleSheet="/shibboleth-sp/main.css"/>
-        
+
         <!-- Example of remotely supplied batch of signed metadata. -->
         <!--
         <MetadataProvider type="XML" validate="true"
@@ -97,7 +105,7 @@
               backingFilePath="federation-metadata.xml" reloadInterval="7200">
             <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
             <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
               attributeName="http://macedir.org/entity-category"
               attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
               attributeValue="http://refeds.org/category/hide-from-discovery" />
@@ -140,7 +148,7 @@
 
         <!-- Map to extract attributes from SAML assertions. -->
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
-        
+
         <!-- Use a SAML query if no attributes are supplied during SSO. -->
         <AttributeResolver type="Query" subjectMatch="true"/>
 
@@ -155,7 +163,7 @@
         the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
         Resource requests are mapped by web server commands, or the RequestMapper, to an
         applicationId setting.
-        
+
         Example of a second application (for a second vhost) that has a different entityID.
         Resources on the vhost would map to an applicationId of "admin":
         -->
@@ -163,7 +171,7 @@
         <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
         -->
     </ApplicationDefaults>
-    
+
     <!-- Policies that determine how to process and authenticate runtime messages. -->
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
 

dockerfiles/commul-customization/shibboleth_sp_with_fastcgi.sh

@@ -21,12 +21,12 @@ function get {
   fi
 }
 
-get log4shib 1.0.9 http://shibboleth.net/downloads/log4shib/latest/
+get log4shib 1.0.9 http://shibboleth.net/downloads/log4shib/1.0.9/
 get xerces-c 3.2.1 http://mirror.hosting90.cz/apache/xerces/c/3/sources/
-get xml-security-c 1.7.3 http://mirror.hosting90.cz/apache/santuario/c-library/
-get xmltooling 1.6.4 http://shibboleth.net/downloads/c++-opensaml/latest/
-get opensaml 2.6.1 http://shibboleth.net/downloads/c++-opensaml/latest/
-get shibboleth-sp 2.6.1 http://shibboleth.net/downloads/service-provider/latest/
+get xml-security-c 1.7.3 https://archive.apache.org/dist/santuario/c-library/
+get xmltooling 1.6.4 http://shibboleth.net/downloads/c++-opensaml/2.6.1/
+get opensaml 2.6.1 http://shibboleth.net/downloads/c++-opensaml/2.6.1/
+get shibboleth-sp 2.6.1 http://shibboleth.net/downloads/service-provider/2.6.1/
 
 sed -i '676,679 s/^/\/\//' shibboleth-sp.2.6.1/shibsp/handler/impl/MetadataGenerator.cpp
 sed -i '687,688 s/^/\/\//' shibboleth-sp.2.6.1/shibsp/handler/impl/MetadataGenerator.cpp

dockerfiles/commul-customization/supervisord.conf

@@ -75,6 +75,21 @@ user=www-data
 stdout_logfile=/var/log/supervisor/shibresponder.log
 stderr_logfile=/var/log/supervisor/shibresponder.error.log
 
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.0 -c /etc/php/7.0/fpm/php-fpm.conf
+autostart=true
+autorestart=unexpected
+stdout_logfile=/var/log/php-fpm/stdout.log
+stdout_logfile_maxbytes=0
+stderr_logfile=/var/log/php-fpm/stderr.log
+stderr_logfile_maxbytes=0
+exitcodes=0
+
+[program:fcgiwrap]
+command=/usr/sbin/fcgiwrap -s unix:/tmp/fcgiwrap.socket -f
+user=www-data
+stdout_logfile=/var/log/supervisor/fcgiwrap.log
+stderr_logfile=/var/log/supervisor/fcgiwrap.error.log
 
 
 [program:nginx]
@@ -88,5 +103,3 @@ stopwaitsecs=30
 ; The below sample program section shows all possible program subsection values,
 ; create one or more 'real' program: sections to be able to control them under
 ; supervisor.
-
-

dockerfiles/commul-customization/variable.makefile

@@ -16,6 +16,7 @@ TOMCAT_GROUP:=tomcat$(TOMCAT_VERSION)
 TOMCAT_CONF:=/etc/$(TOMCAT_USER)
 
 # dspace
+# please note that this should not contain uppercase characters
 DSPACE_USER:=${DSPACE_USER}
 
 # tool directories

dockerfiles/release.sh

@@ -2,12 +2,13 @@
 set -e
 
 VERSION=${1:-latest}
+TYPE=${2:-staging}
 
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/dspace-image:$VERSION . -f Dockerfile.dspace
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/nginx-image:$VERSION . -f Dockerfile.nginx
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/postgres-image:$VERSION . -f Dockerfile.psql
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/dspace:$VERSION . -f Dockerfile.dspace
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/nginx:$VERSION . -f Dockerfile.nginx
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/postgres:$VERSION . -f Dockerfile.postgres
 
-docker push gitlab.scientificnet.org:4567/commul/dspace/dspace-image:$VERSION
-docker push gitlab.scientificnet.org:4567/commul/dspace/nginx-image:$VERSION
-docker push gitlab.scientificnet.org:4567/commul/dspace/postgres-image:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/dspace:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/nginx:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/postgres:$VERSION
 

kubernetes/dspace-deployment.yaml

@@ -50,7 +50,7 @@ spec:
             secretKeyRef:
               key: mail.pass
               name: dspace-secrets
-        image: gitlab.scientificnet.org:4567/commul/dspace/dspace-image:1.1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/dspace:1.2
         name: clarin-dspace
         imagePullPolicy: Always
         ports:

kubernetes/nginx-deployment.yaml

@@ -20,7 +20,7 @@ spec:
         io.kompose.service: nginx
     spec:
       containers:
-      - image: gitlab.scientificnet.org:4567/commul/dspace/nginx-image:1.1
+      - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/nginx:1.2
         imagePullPolicy: Always
         name: clarin-nginx
         ports:

kubernetes/postgres-deployment.yaml

@@ -48,7 +48,7 @@ spec:
             secretKeyRef:
               key: dspace.utils.name
               name: dspace-secrets
-        image: gitlab.scientificnet.org:4567/commul/dspace/postgres-image:1.1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/postgres:1.2
         imagePullPolicy: Always
         name: clarin-postgres
         resources: {}

kubernetes/start-kube.sh

@@ -3,12 +3,12 @@
 # kubectl create -f pgdata-persistentvolumeclaim.yaml
 kubectl create -f postgres-deployment.yaml
 kubectl create -f postgres-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f dspace-deployment.yaml
 kubectl create -f dspace-service.yaml
 kubectl create -f handle-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f nginx-deployment.yaml
 kubectl create -f nginx-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f dspace-ingress.yaml