Compare revisions

281b2e38 · 281b2e38 · 281b2e38 · 281b2e38 · 281b2e38 · 281b2e38
--- a/dockerfiles/commul-customization/shib_fastcgi_params
+++ b/dockerfiles/commul-customization/shib_fastcgi_params
+# vim: set filetype=conf :
+#See: https://blog.techsoc.io/adventures-in-shibboleth-and-nginx-part-2-of-2-6455a7f1d026
+include fastcgi_params;
+# Replace `fastcgi_param` with `sgci_param`, `uwsgi_param` or similar
+# directive for use with different upstreams. Consult the relevant upstream
+# documentation for more information on environment parameters.
+#
+# Auth-Type is configured as authType in
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings.
+# Other default SP variables are as per
+# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-CustomSPVariables
+shib_request_set $shib_auth_type $upstream_http_variable_auth_type;
+fastcgi_param Auth-Type $shib_auth_type;
+shib_request_set $shib_shib_application_id $upstream_http_variable_shib_application_id;
+fastcgi_param Shib-Application-ID $shib_shib_application_id;
+shib_request_set $shib_shib_authentication_instant $upstream_http_variable_shib_authentication_instant;
+fastcgi_param Shib-Authentication-Instant $shib_shib_authentication_instant;
+shib_request_set $shib_shib_authentication_method $upstream_http_variable_shib_authentication_method;
+fastcgi_param Shib-Authentication-Method $shib_shib_authentication_method;
+shib_request_set $shib_shib_authncontext_class $upstream_http_variable_shib_authncontext_class;
+fastcgi_param Shib-AuthnContext-Class $shib_shib_authncontext_class;
+shib_request_set $shib_shib_authncontext_decl $upstream_http_variable_shib_authncontext_decl;
+fastcgi_param Shib-AuthnContext-Decl $shib_shib_authncontext_decl;
+shib_request_set $shib_shib_identity_provider $upstream_http_variable_shib_identity_provider;
+fastcgi_param Shib-Identity-Provider $shib_shib_identity_provider;
+shib_request_set $shib_shib_session_id $upstream_http_variable_shib_session_id;
+fastcgi_param Shib-Session-ID $shib_shib_session_id;
+shib_request_set $shib_shib_session_index $upstream_http_variable_shib_session_index;
+fastcgi_param Shib-Session-Index $shib_shib_session_index;
+shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
+fastcgi_param Remote-User $shib_remote_user;
+#
+# CLARIN Supported attributes
+#
+#mail (1 values)
+#eduPersonTargetedID (1 values)
+#organizationName (1 values)
+#displayName (1 values)
+#oid-eduPersonPrincipalName (1 values)
+#cn (1 values)
+#eduPersonScopedAffiliation (1 values)
+#eduPersonEntitlement (1 values)
+#persistent-id (1 values)
+shib_request_set $shib_mail $upstream_http_variable_mail;
+fastcgi_param Mail $shib_mail;
+shib_request_set $shib_eptid $upstream_http_variable_edupersontargetedid;
+fastcgi_param EduPersonTargetedID $shib_eptid;
+shib_request_set $shib_o $upstream_http_variable_organizationname;
+fastcgi_param OrganizationName $shib_o;
+shib_request_set $shib_displayname $upstream_http_variable_displayname;
+fastcgi_param DisplayName $shib_displayname;
+shib_request_set $shib_eppn $upstream_http_variable_eppn;
+fastcgi_param EduPersonPrincipalName $shib_eppn;
+shib_request_set $shib_cn $upstream_http_variable_cn;
+fastcgi_param cn $shib_cn;
+shib_request_set $shib_epsa $upstream_http_variable_edupersonscopedaffiliation;
+fastcgi_param EduPersonScopedAffiliation $shib_epsa;
+shib_request_set $shib_epent $upstream_http_variable_edupersonentitlement;
+fastcgi_param EduPersonEntitlement $shib_epent;
+shib_request_set $shib_pid $upstream_http_variable_persistent_id;
+fastcgi_param Persistent-Id $shib_pid;
--- a/dockerfiles/commul-customization/shib_test.pl
+++ b/dockerfiles/commul-customization/shib_test.pl
@@ -70,7 +70,7 @@ sub render_table_rows {
 sub dump_shibboleth_attributes {
    my $debug_env = shift;
    my @keys = sort(keys(%ENV));
    my @attrs = grep(!m/^(HTTPS|SERVER_|SCRIPT_|PATH|QUERY_STRING|GATEWAY|DOCUMENT_ROOT|REMOTE|REQUEST|HTTP_|AUTH_TYPE|Shib_)/i, @keys);
    my @shib = grep(m/Shib_/i, @keys);
@@ -100,9 +100,13 @@ sub dump_shibboleth_assertions {
        'Raw SAML Assertion(s)', '</th>', '</tr>';
    my $j = 0;
    my $browser = LWP::UserAgent->new;
+    $browser->ssl_opts( 'verify_hostname' => 0 );
    ASSERTION:
    for (my $i = 1; $i <= $count; $i++) {
-        my $url = $ENV{sprintf('Shib_Assertion_%02d', $i)};
+        my $url = $ENV{sprintf('HTTP_SHIB_ASSERTION_%02d', $i)};
+        my $eurac_host = "https://" . $ENV{"SERVER_NAME"};
+        $url =~ s#$eurac_host#https://127.0.0.1#;
        next ASSERTION unless defined ($url);
 	print '<tr class="', ($j++ % 2 == 0 ? 'even' : 'odd'), '">';
@@ -196,7 +200,7 @@ sub scan_attributes {
 	    }
 	}
-	if (defined($found)) {
+	if ((defined($found)) && (length $ENV{$found})) {
 	    print '<p class="attr ok">',
                ($optional ? 'Optional'
                           : 'Required'),
@@ -205,6 +209,13 @@ sub scan_attributes {
                                     : ''),
 		'.</p>';
 	}
+    elsif (!(length $ENV{$found})) {
+        print '', ($optional ? '<p class="attr warn">Optional'
+                                 : '<p class="attr error">Required'),
+        ' attribute <code>', $attrs[0],
+                '</code> is available, but empty.</p>';
+        $missing++;
+    }
 	else {
 	    print '', ($optional ? '<p class="attr warn">Optional'
                                 : '<p class="attr error">Required'),
@@ -220,9 +231,9 @@ sub scan_attributes {
 sub main {
    my $q = shift;
-    if (defined($ENV{'Shib_Session_ID'})) {
+    if (defined($ENV{'HTTP_SHIB_SESSION_ID'})) {
 	# logout link
-	my $idp = $ENV{'Shib_Identity_Provider'};
+	my $idp = $ENV{'HTTP_SHIB_IDENTITY_PROVIDER'};
 	if (!defined($idp)) {
 	    $idp = '<span class="error">[UNKNOWN]</span>';
 	}
@@ -250,7 +261,7 @@ sub main {
 	}
 	# remote user
-	my $user = $ENV{'REMOTE_USER'};
+	my $user = $ENV{'HTTP_REMOTE_USER'};
 	$warnings++ unless defined($user);
 	print '<p class="attr ', (defined($user) ? 'ok' : 'warn'), '">';
 	print 'REMOTE_USER: ',
@@ -274,7 +285,7 @@ sub main {
 	print '<table class="attr">';
 	my $debug_env = (defined($q) && $q->param('debug_env'));
 	dump_shibboleth_attributes($debug_env);
-	dump_shibboleth_assertions($ENV{'Shib_Assertion_Count'});
+	dump_shibboleth_assertions($ENV{'HTTP_SHIB_ASSERTION_COUNT'});
 	print '</table>';
    }
    else {

--- a/dockerfiles/commul-customization/shibboleth2.xml
+++ b/dockerfiles/commul-customization/shibboleth2.xml
 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    logger="syslog.logger" clockSkew="180">
@@ -17,7 +17,7 @@
    To customize behavior for specific resources on Apache, and to link vhosts or
    resources to ApplicationOverride settings below, use web server options/commands.
    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
    -->
@@ -26,16 +26,18 @@
        <Host name="clarin.eurac.edu"
                authType="shibboleth"
                requireSession="true"
+		exportAssertion="true"
                redirectToSSL="443">
            <Path name="/secure" />
        </Host>
    </RequestMap>
 </RequestMapper>
    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://clarin.eurac.edu/Shibboleth.sso/Metadata"
                         REMOTE_USER="eppn persistent-id targeted-id"
+			 sessionHook="/php/aa-statistics.php"
                         cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
        <!--
@@ -47,8 +49,14 @@
        Note that while we default checkAddress to "false", this has a negative impact on the
        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
        -->
-        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+        <Sessions lifetime="28800"
-                  checkAddress="false" handlerSSL="false" cookieProps="http">
+		  timeout="3600"
+		  relayState="ss:mem"
+                  checkAddress="false"
+                  handlerSSL="true"
+		  cookieProps="https"
+		  exportLocation="/GetAssertion"
+                  exportACL="127.0.0.1">
            <!--
            Configures SSO for a default IdP. To allow for >1 IdP, remove
@@ -68,7 +76,7 @@
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false" template="clarin.eurac.edu.template.metadata.xml"/>
@@ -89,7 +97,7 @@
        <Errors supportContact="clarin@eurac.edu"
            helpLocation="/repository/xmlui/page/about"
            styleSheet="/shibboleth-sp/main.css"/>
        <!-- Example of remotely supplied batch of signed metadata. -->
        <!--
        <MetadataProvider type="XML" validate="true"
@@ -97,7 +105,7 @@
              backingFilePath="federation-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
-            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" 
+            <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
              attributeName="http://macedir.org/entity-category"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="http://refeds.org/category/hide-from-discovery" />
@@ -140,7 +148,7 @@
        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>
@@ -155,7 +163,7 @@
        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
        Resource requests are mapped by web server commands, or the RequestMapper, to an
        applicationId setting.
        Example of a second application (for a second vhost) that has a different entityID.
        Resources on the vhost would map to an applicationId of "admin":
        -->
@@ -163,7 +171,7 @@
        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
        -->
    </ApplicationDefaults>
    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

--- a/dockerfiles/commul-customization/shibboleth_sp_with_fastcgi.sh
+++ b/dockerfiles/commul-customization/shibboleth_sp_with_fastcgi.sh
@@ -21,12 +21,12 @@ function get {
  fi
 }
-get log4shib 1.0.9 http://shibboleth.net/downloads/log4shib/latest/
+get log4shib 1.0.9 http://shibboleth.net/downloads/log4shib/1.0.9/
 get xerces-c 3.2.1 http://mirror.hosting90.cz/apache/xerces/c/3/sources/
-get xml-security-c 1.7.3 http://mirror.hosting90.cz/apache/santuario/c-library/
+get xml-security-c 1.7.3 https://archive.apache.org/dist/santuario/c-library/
-get xmltooling 1.6.4 http://shibboleth.net/downloads/c++-opensaml/latest/
+get xmltooling 1.6.4 http://shibboleth.net/downloads/c++-opensaml/2.6.1/
-get opensaml 2.6.1 http://shibboleth.net/downloads/c++-opensaml/latest/
+get opensaml 2.6.1 http://shibboleth.net/downloads/c++-opensaml/2.6.1/
-get shibboleth-sp 2.6.1 http://shibboleth.net/downloads/service-provider/latest/
+get shibboleth-sp 2.6.1 http://shibboleth.net/downloads/service-provider/2.6.1/
 sed -i '676,679 s/^/\/\//' shibboleth-sp.2.6.1/shibsp/handler/impl/MetadataGenerator.cpp
 sed -i '687,688 s/^/\/\//' shibboleth-sp.2.6.1/shibsp/handler/impl/MetadataGenerator.cpp

--- a/dockerfiles/commul-customization/supervisord.conf
+++ b/dockerfiles/commul-customization/supervisord.conf
@@ -75,6 +75,21 @@ user=www-data
 stdout_logfile=/var/log/supervisor/shibresponder.log
 stderr_logfile=/var/log/supervisor/shibresponder.error.log
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.0 -c /etc/php/7.0/fpm/php-fpm.conf
+autostart=true
+autorestart=unexpected
+stdout_logfile=/var/log/php-fpm/stdout.log
+stdout_logfile_maxbytes=0
+stderr_logfile=/var/log/php-fpm/stderr.log
+stderr_logfile_maxbytes=0
+exitcodes=0
+[program:fcgiwrap]
+command=/usr/sbin/fcgiwrap -s unix:/tmp/fcgiwrap.socket -f
+user=www-data
+stdout_logfile=/var/log/supervisor/fcgiwrap.log
+stderr_logfile=/var/log/supervisor/fcgiwrap.error.log
 [program:nginx]
@@ -88,5 +103,3 @@ stopwaitsecs=30
 ; The below sample program section shows all possible program subsection values,
 ; create one or more 'real' program: sections to be able to control them under
 ; supervisor.
--- a/dockerfiles/commul-customization/variable.makefile
+++ b/dockerfiles/commul-customization/variable.makefile
@@ -16,6 +16,7 @@ TOMCAT_GROUP:=tomcat$(TOMCAT_VERSION)
 TOMCAT_CONF:=/etc/$(TOMCAT_USER)
 # dspace
+# please note that this should not contain uppercase characters
 DSPACE_USER:=${DSPACE_USER}
 # tool directories

--- a/dockerfiles/release.sh
+++ b/dockerfiles/release.sh
@@ -2,12 +2,13 @@
 set -e
 VERSION=${1:-latest}
+TYPE=${2:-staging}
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/dspace-image:$VERSION . -f Dockerfile.dspace
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/dspace:$VERSION . -f Dockerfile.dspace
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/nginx-image:$VERSION . -f Dockerfile.nginx
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/nginx:$VERSION . -f Dockerfile.nginx
-docker build -t gitlab.scientificnet.org:4567/commul/dspace/postgres-image:$VERSION . -f Dockerfile.psql
+docker build -t gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/postgres:$VERSION . -f Dockerfile.postgres
-docker push gitlab.scientificnet.org:4567/commul/dspace/dspace-image:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/dspace:$VERSION
-docker push gitlab.scientificnet.org:4567/commul/dspace/nginx-image:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/nginx:$VERSION
-docker push gitlab.scientificnet.org:4567/commul/dspace/postgres-image:$VERSION
+docker push gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/$TYPE/postgres:$VERSION
--- a/kubernetes/dspace-deployment.yaml
+++ b/kubernetes/dspace-deployment.yaml
@@ -50,7 +50,7 @@ spec:
            secretKeyRef:
              key: mail.pass
              name: dspace-secrets
-        image: gitlab.scientificnet.org:4567/commul/dspace/dspace-image:1.1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/dspace:1.2
        name: clarin-dspace
        imagePullPolicy: Always
        ports:

--- a/kubernetes/nginx-deployment.yaml
+++ b/kubernetes/nginx-deployment.yaml
@@ -20,7 +20,7 @@ spec:
        io.kompose.service: nginx
    spec:
      containers:
-      - image: gitlab.scientificnet.org:4567/commul/dspace/nginx-image:1.1
+      - image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/nginx:1.2
        imagePullPolicy: Always
        name: clarin-nginx
        ports:

--- a/kubernetes/postgres-deployment.yaml
+++ b/kubernetes/postgres-deployment.yaml
@@ -48,7 +48,7 @@ spec:
            secretKeyRef:
              key: dspace.utils.name
              name: dspace-secrets
-        image: gitlab.scientificnet.org:4567/commul/dspace/postgres-image:1.1
+        image: gitlab.inf.unibz.it:4567/commul/docker/clarin-dspace/production/postgres:1.2
        imagePullPolicy: Always
        name: clarin-postgres
        resources: {}

--- a/kubernetes/start-kube.sh
+++ b/kubernetes/start-kube.sh
@@ -3,12 +3,12 @@
 # kubectl create -f pgdata-persistentvolumeclaim.yaml
 kubectl create -f postgres-deployment.yaml
 kubectl create -f postgres-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f dspace-deployment.yaml
 kubectl create -f dspace-service.yaml
 kubectl create -f handle-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f nginx-deployment.yaml
 kubectl create -f nginx-service.yaml
-sleep 30
+#sleep 30
 kubectl create -f dspace-ingress.yaml
No results found