diff --git a/.gitignore b/.gitignore
index db68ed7..1e1b654 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,6 @@
 .settings/
 target/
 node_modules/
-.DS_Store
\ No newline at end of file
+.DS_Store
+secrets.yml
+private-secrets/
\ No newline at end of file
diff --git a/demo.yml b/demo.yml
index 278ec33..606451a 100644
--- a/demo.yml
+++ b/demo.yml
@@ -135,14 +135,14 @@ networks:
 secrets:
 idp_backchannel:
- file: ./secrets/idp/idp-backchannel.p12
+ file: ./sample-secrets/idp/idp-backchannel.p12
 idp_browser:
- file: ./secrets/idp/idp-browser.p12
+ file: ./sample-secrets/idp/idp-browser.p12
 idp_encryption:
- file: ./secrets/idp/idp-encryption.key
+ file: ./sample-secrets/idp/idp-encryption.key
 idp_signing:
- file: ./secrets/idp/idp-signing.key
+ file: ./sample-secrets/idp/idp-signing.key
 idp_sealer:
- file: ./secrets/idp/sealer.jks
+ file: ./sample-secrets/idp/sealer.jks
 sp_key:
- file: ./secrets/sp/sp-key.pem
+ file: ./sample-secrets/sp/sp-key.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index 2c29c87..734a2da 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -315,14 +315,14 @@ networks:
 secrets:
 idp_backchannel:
- file: ./secrets/idp/idp-backchannel.p12
+ file: ./sample-secrets/idp/idp-backchannel.p12
 idp_browser:
- file: ./secrets/idp/idp-browser.p12
+ file: ./sample-secrets/idp/idp-browser.p12
 idp_encryption:
- file: ./secrets/idp/idp-encryption.key
+ file: ./sample-secrets/idp/idp-encryption.key
 idp_signing:
- file: ./secrets/idp/idp-signing.key
+ file: ./sample-secrets/idp/idp-signing.key
 idp_sealer:
- file: ./secrets/idp/sealer.jks
+ file: ./sample-secrets/idp/sealer.jks
 sp_key:
- file: ./secrets/sp/sp-key.pem
+ file: ./sample-secrets/sp/sp-key.pem
diff --git a/eclipse-pass.base.yml b/eclipse-pass.base.yml
index 47bce4a..c91b490 100644
--- a/eclipse-pass.base.yml
+++ b/eclipse-pass.base.yml
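Review bot: `private-secrets/` is ignored here, but nothing else in this commit reads from that directory — every compose file still points its `secrets:` entries at `./sample-secrets/`, so the new rule records an intent with no wiring behind it. A comment above the entry would tell a deployer what the directory is for, e.g. `# real key material goes here; the compose files default to the committed ./sample-secrets/ and need repointing`, or, if the override mechanism is still to come, a comment saying so. Note also that `secrets.yml` matches at any depth while `private-secrets/` matches only directories; that is probably intended but is the kind of asymmetry a one-line comment avoids questions about.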
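Review bot: The `secrets:` block still hard-codes `./sample-secrets/…` for every entry, so `docker-compose.yml` and `harvard.yml` (and the identical hunk in `eclipse-pass.base.yml`) will mount the private keys that are committed to this repository unless a deployer edits a tracked file. Compose interpolates `${VAR:-default}` inside values, so `file: ${PASS_SECRETS_DIR:-./sample-secrets}/idp/idp-signing.key` (variable name constructed; apply to all six entries) keeps the demo default while letting a real deployment point at an ignored directory such as `private-secrets/`. Either way a comment above `secrets:` should state that the defaults are public sample material intended only for local demos.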
@@ -131,14 +131,14 @@ networks:
 secrets:
 idp_backchannel:
- file: ./secrets/idp/idp-backchannel.p12
+ file: ./sample-secrets/idp/idp-backchannel.p12
 idp_browser:
- file: ./secrets/idp/idp-browser.p12
+ file: ./sample-secrets/idp/idp-browser.p12
 idp_encryption:
- file: ./secrets/idp/idp-encryption.key
+ file: ./sample-secrets/idp/idp-encryption.key
 idp_signing:
- file: ./secrets/idp/idp-signing.key
+ file: ./sample-secrets/idp/idp-signing.key
 idp_sealer:
- file: ./secrets/idp/sealer.jks
+ file: ./sample-secrets/idp/sealer.jks
 sp_key:
- file: ./secrets/sp/sp-key.pem
+ file: ./sample-secrets/sp/sp-key.pem
diff --git a/eclipse-pass.demo.yml b/eclipse-pass.demo.yml
index ee41492..7e551ac 100644
--- a/eclipse-pass.demo.yml
+++ b/eclipse-pass.demo.yml
@@ -20,3 +20,9 @@ services:
 loader:
 env_file: .eclipse-pass.demo_env
+
+ idp:
+ build:
+ args:
+ IDP_ENV: local
+ image: dee3c85737f2
diff --git a/harvard.yml b/harvard.yml
index f83eafa..1d90d06 100644
--- a/harvard.yml
+++ b/harvard.yml
@@ -307,14 +307,14 @@ networks:
 secrets:
 idp_backchannel:
- file: ./secrets/idp/idp-backchannel.p12
+ file: ./sample-secrets/idp/idp-backchannel.p12
 idp_browser:
- file: ./secrets/idp/idp-browser.p12
+ file: ./sample-secrets/idp/idp-browser.p12
 idp_encryption:
- file: ./secrets/idp/idp-encryption.key
+ file: ./sample-secrets/idp/idp-encryption.key
 idp_signing:
- file: ./secrets/idp/idp-signing.key
+ file: ./sample-secrets/idp/idp-signing.key
 idp_sealer:
- file: ./secrets/idp/sealer.jks
+ file: ./sample-secrets/idp/sealer.jks
 sp_key:
- file: ./secrets/sp/sp-key.pem
+ file: ./sample-secrets/sp/sp-key.pem
diff --git a/idp/Dockerfile b/idp/Dockerfile
index caabc82..46f9e55 100644
--- a/idp/Dockerfile
+++ b/idp/Dockerfile
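Review bot: `image: dee3c85737f2` names the `idp` build result with what looks like a raw image ID rather than a repository:tag; Compose treats the `image:` value as a name, so the build is tagged `dee3c85737f2:latest` and nothing can trace that back to a source. A readable tag such as `image: pass-idp:local` (name constructed) says what it is; if the intent was to reuse a previously built image by ID, `build:` should be dropped and the ID explained in a comment. The `build:` here carries only `args:`, so whether the `idp` service's `build` in the base file still supplies a `context` after merging is not visible in this hunk and should be confirmed.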
@@ -7,7 +7,7 @@ COPY common/shibboleth-idp/ /opt/shibboleth-idp/
 COPY common/shib-jetty-base/ /opt/shib-jetty-base/
 COPY ${TENANT}/shibboleth-idp/ /opt/shibboleth-idp/
-COPY metadata/{IDP_ENV}/ /opt/shibboleth-idp/metadata/
+COPY metadata/${IDP_ENV}/ /opt/shibboleth-idp/metadata/
 COPY styling/main.css /opt/shibboleth-idp/webapp/css/main.css
 COPY styling/dummylogo.png /opt/shibboleth-idp/webapp/images/dummylogo.png
diff --git a/idp/jhu/shibboleth-idp/conf/idp.properties b/idp/jhu/shibboleth-idp/conf/idp.properties
index 7c54272..7484135 100644
--- a/idp/jhu/shibboleth-idp/conf/idp.properties
+++ b/idp/jhu/shibboleth-idp/conf/idp.properties
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 # Load any additional property resources from a comma-delimited list
-idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/idp_secrets.properties
 # Set the entityID of the IdP
 idp.entityID= https://pass.local/idp/shibboleth
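Review bot: The corrected `COPY metadata/${IDP_ENV}/ /opt/shibboleth-idp/metadata/` only does what is intended if `IDP_ENV` is declared with `ARG IDP_ENV` earlier in this build stage; that declaration is outside the hunk, and an undeclared build arg expands to an empty string, which turns the instruction into `COPY metadata// …` and copies every environment's metadata directory into the image. Confirm the `ARG` is present in this stage, and consider making an unset value fail the build rather than silently broadening the copy, e.g. `RUN test -n "${IDP_ENV}"` placed just before this COPY. The compose override in this commit sets `IDP_ENV: local`, so the demo build exercises the variable; other build paths may not.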
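Review bot: The new `/conf/idp_secrets.properties` entry is, per this commit, a symlink to `/run/secrets/idp_secrets_properties`, so the IdP's sealer, signing and encryption settings now depend entirely on that Docker secret being mounted, and nothing on this line says so. A comment above the property would help, e.g. `# /conf/idp_secrets.properties -> /run/secrets/idp_secrets_properties (Docker secret); it must define idp.sealer.* and idp.signing/encryption key+cert`. Whether the IdP refuses to start or merely logs a warning when an additionalProperties resource is missing is not visible here; if it is the latter, a missing secret leaves the IdP with no sealer or keys configured and the failure surfaces later and less clearly, so it is worth checking the container's start-up behaviour once.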
@@ -36,23 +36,26 @@ idp.scope= johnshopkins.edu
 #idp.views = %{idp.home}/views
 # Settings for internal AES encryption key
+# JHU: moved to secrets:
 #idp.sealer.storeType = JCEKS
 #idp.sealer.updateInterval = PT15M
 #idp.sealer.aliasBase = secret
-idp.sealer.storeResource= /run/secrets/idp_sealer
-idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= password
-idp.sealer.keyPassword= password
+#idp.sealer.storeResource=
+#idp.sealer.versionResource=
+#idp.sealer.storePassword=
+#idp.sealer.keyPassword=
 # Settings for public/private signing and encryption key(s)
 # During decryption key rollover, point the ".2" properties at a second
 # keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key= /run/secrets/idp_signing
-idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
-idp.encryption.key= /run/secrets/idp_encryption
-idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
-#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
-#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+# JHU: moved to secrets:
+#idp.signing.key=
+#idp.signing.cert=
+#idp.encryption.key=
+#idp.encryption.cert=
+# JHU: presently unused:
+#idp.encryption.key.2 =
+#idp.encryption.cert.2 =
 # Sets the bean ID to use as a default security configuration set
 #idp.security.config = shibboleth.DefaultSecurityConfiguration
diff --git a/idp/jhu/shibboleth-idp/conf/idp.properties.k8s b/idp/jhu/shibboleth-idp/conf/idp.properties.k8s
deleted file mode 100644
index 20d0f3d..0000000
--- a/idp/jhu/shibboleth-idp/conf/idp.properties.k8s
+++ /dev/null
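Review bot: The two `# JHU: moved to secrets:` stanzas no longer tell a reader which properties the secrets file has to supply or where it lives, and the bare `#idp.sealer.storeResource=` style lines read like deliberately blanked values rather than pointers. Replace each marker with a comment that names the file and the keys it must set, e.g. `# JHU: idp.sealer.storeResource/versionResource/storePassword/keyPassword are set in /conf/idp_secrets.properties (Docker secret)` and the equivalent for `idp.signing.key/cert` and `idp.encryption.key/cert`; `idp.sealer.versionResource` and the two `.cert` paths are not secret and could stay here with their old values if the secrets file is meant to hold only key material and passphrases. Removing the hard-coded `idp.sealer.storePassword= password` from a tracked file is the right move; whatever file backs `idp_secrets_properties` should carry a note that demo values must not be reused in a real deployment.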
@@ -1,210 +0,0 @@
-#
-# Copyright 2019 Johns Hopkins University
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Load any additional property resources from a comma-delimited list
-idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties
-
-# Set the entityID of the IdP
-idp.entityID= https://pass.local/idp/shibboleth
-
-# Set the scope used in the attribute resolver for scoped attributes
-idp.scope= johnshopkins.edu
-
-# General cookie properties (maxAge only applies to persistent cookies)
-#idp.cookie.secure = false
-#idp.cookie.httpOnly = true
-#idp.cookie.domain =
-#idp.cookie.path =
-#idp.cookie.maxAge = 31536000
-
-# Set the location of user-supplied web flow definitions
-#idp.webflows = %{idp.home}/flows
-
-# Set the location of Velocity view templates
-#idp.views = %{idp.home}/views
-
-# Settings for internal AES encryption key
-#idp.sealer.storeType = JCEKS
-#idp.sealer.updateInterval = PT15M
-#idp.sealer.aliasBase = secret
-idp.sealer.storeResource= /run/secrets/idp/idp_sealer
-idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= password
-idp.sealer.keyPassword= password
-
-# Settings for public/private signing and encryption key(s)
-# During decryption key rollover, point the ".2" properties at a second
-# keypair, uncomment in credentials.xml, then publish it in your metadata.
-idp.signing.key= /run/secrets/idp/idp_signing
-idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
-idp.encryption.key= /run/secrets/idp/idp_encryption
-idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
-#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
-#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
-
-# Sets the bean ID to use as a default security configuration set
-#idp.security.config = shibboleth.DefaultSecurityConfiguration
-
-# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
-#idp.signing.config = shibboleth.SigningConfiguration.SHA256
-
-# Configures trust evaluation of keys used by services at runtime
-# Defaults to supporting both explicit key and PKIX using SAML metadata.
-#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
-# To pick only one set to one of:
-# shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
-
-# If true, encryption will happen whenever a key to use can be located, but
-# failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
-
-# Configuration of client- and server-side storage plugins
-#idp.storage.cleanupInterval = PT10M
-#idp.storage.htmlLocalStorage = false
-
-# Set to true to expose more detailed errors in responses to SPs
-idp.errors.detailed = true
-# Set to false to skip signing of SAML response messages that signal errors
-#idp.errors.signed = true
-# Name of bean containing a list of Java exception classes to ignore
-#idp.errors.excludedExceptions = ExceptionClassListBean
-# Name of bean containing a property set mapping exception names to views
-#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
-# Set if a different default view name for events and exceptions is needed
-#idp.errors.defaultView = error
-
-# Set to false to disable the IdP session layer
-#idp.session.enabled = true
-
-# Set to "shibboleth.StorageService" for server-side storage of user sessions
-#idp.session.StorageService = shibboleth.ClientSessionStorageService
-idp.session.StorageService = shibboleth.StorageService
-
-# Size of session IDs
-#idp.session.idSize = 32
-# Bind sessions to IP addresses
-#idp.session.consistentAddress = true
-# Inactivity timeout
-#idp.session.timeout = PT60M
-# Extra time to store sessions for logout
-#idp.session.slop = PT0S
-# Tolerate storage-related errors
-#idp.session.maskStorageFailure = false
-# Track information about SPs logged into
-#idp.session.trackSPSessions = false
-# Support lookup by SP for SAML logout
-#idp.session.secondaryServiceIndex = false
-# Length of time to track SP sessions
-#idp.session.defaultSPlifetime = PT2H
-
-# Regular expression matching login flows to enable, e.g. IPAddress|Password
-idp.authn.flows= Password
-
-# Regular expression of forced "initial" methods when no session exists,
-# usually in conjunction with the idp.authn.resolveAttribute property below.
-#idp.authn.flows.initial = Password
-
-# Set to an attribute ID to resolve prior to selecting authentication flows;
-# its values are used to filter the flows to allow.
-#idp.authn.resolveAttribute = eduPersonAssurance
-
-# Default lifetime and timeout of various authentication methods
-#idp.authn.defaultLifetime = PT60M
-#idp.authn.defaultTimeout = PT30M
-
-# Whether to prioritize "active" results when an SP requests more than
-# one possible matching login method (V2 behavior was to favor them)
-#idp.authn.favorSSO = true
-
-# Whether to fail requests when a user identity after authentication
-# doesn't match the identity in a pre-existing session.
-#idp.authn.identitySwitchIsError = false
-
-# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
-#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
-
-# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
-# to key user consent storage records (and set the attribute name)
-#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
-#idp.consent.userStorageKeyAttribute = uid
-
-# Flags controlling how built-in attribute consent feature operates
-#idp.consent.allowDoNotRemember = true
-#idp.consent.allowGlobal = true
-#idp.consent.allowPerAttribute = false
-
-# Whether attribute values and terms of use text are compared
-#idp.consent.compareValues = false
-# Maximum number of consent records for space-limited storage (e.g. cookies)
-#idp.consent.maxStoredRecords = 10
-# Maximum number of consent records for larger/server-side storage (0 = no limit)
-#idp.consent.expandedMaxStoredRecords = 0
-
-# Time in milliseconds to expire consent storage records.
-#idp.consent.storageRecordLifetime = P1Y
-
-# Whether to lookup metadata, etc. for every SP involved in a logout
-# for use by user interface logic; adds overhead so off by default.
-#idp.logout.elaboration = false
-
-# Whether to require logout requests be signed/authenticated.
-#idp.logout.authenticated = true
-
-# Message freshness and replay cache tuning
-#idp.policy.messageLifetime = PT3M
-#idp.policy.clockSkew = PT3M
-
-# Set to custom bean for alternate storage of replay cache
-#idp.replayCache.StorageService = shibboleth.StorageService
-
-# Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
-# Suppresses typical signing/encryption when artifact binding used
-#idp.artifact.secureChannel = true
-# May differ to direct SAML 2 artifact lookups to specific server nodes
-#idp.artifact.endpointIndex = 2
-# Set to custom bean for alternate storage of artifact map state
-#idp.artifact.StorageService = shibboleth.StorageService
-
-# Name of access control policy for various admin flows
-idp.status.accessPolicy= AccessByIPAddress
-idp.resolvertest.accessPolicy= AccessByIPAddress
-idp.reload.accessPolicy= AccessByIPAddress
-
-# Comma-delimited languages to use if not match can be found with the
-# browser-supported languages, defaults to an empty list.
-idp.ui.fallbackLanguages= en,fr,de
-
-# Storage service used by CAS protocol
-# Defaults to shibboleth.StorageService (in-memory)
-# MUST be server-side storage (e.g. in-memory, memcached, database)
-# NOTE that idp.session.StorageService requires server-side storage
-# when CAS protocol is enabled
-idp.cas.StorageService=shibboleth.StorageService
-
-# CAS service registry implementation class
-#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
-
-# Profile flows in which the ProfileRequestContext should be exposed
-# in servlet request under the key "opensamlProfileRequestContext"
-#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
-
-# F-TICKS auditing - set salt to include hashed username
-#idp.fticks.federation=MyFederation
-#idp.fticks.algorithm=SHA-256
-#idp.fticks.salt=somethingsecret
diff --git a/idp/jhu/shibboleth-idp/conf/idp_secrets.properties b/idp/jhu/shibboleth-idp/conf/idp_secrets.properties
new file mode 120000
index 0000000..234ca44
--- /dev/null
+++ b/idp/jhu/shibboleth-idp/conf/idp_secrets.properties
@@ -0,0 +1 @@
+/run/secrets/idp_secrets_properties
\ No newline at end of file
diff --git a/secrets/idp/idp-backchannel.p12 b/sample-secrets/idp/idp-backchannel.p12
similarity index 100%
rename from secrets/idp/idp-backchannel.p12
rename to sample-secrets/idp/idp-backchannel.p12
diff --git a/secrets/idp/idp-browser.p12 b/sample-secrets/idp/idp-browser.p12
similarity index 100%
rename from secrets/idp/idp-browser.p12
rename to sample-secrets/idp/idp-browser.p12
diff --git a/sample-secrets/idp/idp-cert.p12 b/sample-secrets/idp/idp-cert.p12
new file mode 100644
index 0000000..e5277aa
Binary files /dev/null and b/sample-secrets/idp/idp-cert.p12 differ
diff --git a/sample-secrets/idp/idp-cert.pem b/sample-secrets/idp/idp-cert.pem
new file mode 100644
index 0000000..b277495
--- /dev/null
+++ b/sample-secrets/idp/idp-cert.pem
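Review bot: The symlink `idp_secrets.properties -> /run/secrets/idp_secrets_properties` presumes a Compose secret named `idp_secrets_properties` attached to the `idp` service, but none of the top-level `secrets:` blocks this commit touches (`demo.yml`, `docker-compose.yml`, `eclipse-pass.base.yml`, `harvard.yml`) declares one, and no service-level `secrets:` list is in view. If it is declared elsewhere in those files this is fine; otherwise the link dangles inside the container and the IdP is handed an additionalProperties resource that does not exist. Each compose file would need an entry next to the existing ones, e.g. `idp_secrets_properties:` / `file: ./sample-secrets/idp/idp_secrets.properties` (path constructed), plus a reference under the service's own `secrets:`, and the backing sample file should be committed alongside the other sample material or its absence explained.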
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICoDCCAYgCCQCs7hi46wwVvTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd0
+ZXN0YmVkMB4XDTIyMTIwODIyMzIwNFoXDTIzMTIwMzIyMzIwNFowEjEQMA4GA1UE
+AwwHdGVzdGJlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIFe/Sjd
++ZPyKW7IuMniUEBUJb5lFXIRc9hC5GLu98Nw7hrp3WTGIkuxorRbzxU3GMVBGvw+
+AORavby/CgfWuCTikuyzMsPjwMHMP3jal4mX9LoWewgmOZodwGHils2FTjKjC7re
+IqS+22txkARukSujpnwLOJYTHyzLChpgRAaJ8+Sv05FXoKfe3Gr72AwF48bjUau1
+mtQYi77Gud0vRKGHg+rR6r/0wCxWUghcRrz1Z8fwnaQVxM5+ha0hzvRvtMtlCzHh
+ic1yesYtJQRyy0XI8tf5e2/lI1kXz044jFdU2M2+ATkNslv2EwzhQAWoj7Vuj1Cq
+3HBOGNz+w68jHM0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAe7cktK/QKZNw6fJD
+EYbTWYF8pJqNgaQn6ZAxW5H275vzNNGUC2cAk4yin9HGKGVLASplySNLcAUtEpFk
+iuH5OOvXR/aZPQ3SElk9oBBHdd5w77BO+czGDQvk3yO/lVBMQIXIVLC11tc2+EQB
+573X/JKPoF/Uz+GuK5ulIw3ai7VZ4mO9u6uk3iwMdutkPDO/3OjT1xVrvhaFVwsS
+P7Bpdfre3ZMNEdIg8L0dpPclVPmJh6AntsJFXBj8Zulqqq4oDb597uiEvL4TkvqC
+JB6Y/Tra0Z7EJ8NN7IRJ/eY6gcCYVuQjt/b9i7dy/tXBrWqGX01w7dnKhOrD7VFZ
+Jh/OXA==
+-----END CERTIFICATE-----
diff --git a/secrets/idp/idp-encryption.key b/sample-secrets/idp/idp-encryption.key
similarity index 100%
rename from secrets/idp/idp-encryption.key
rename to sample-secrets/idp/idp-encryption.key
diff --git a/secrets/idp/idp-signing.key b/sample-secrets/idp/idp-signing.key
similarity index 100%
rename from secrets/idp/idp-signing.key
rename to sample-secrets/idp/idp-signing.key
diff --git a/secrets/idp/sealer.jks b/sample-secrets/idp/sealer.jks
similarity index 100%
rename from secrets/idp/sealer.jks
rename to sample-secrets/idp/sealer.jks
diff --git a/secrets/sp/sp-key.pem b/sample-secrets/sp/sp-key.pem
similarity index 100%
rename from secrets/sp/sp-key.pem
rename to sample-secrets/sp/sp-key.pem
diff --git a/tools/generate-secrets.sh b/tools/generate-secrets.sh
new file mode 100644
index 0000000..7a693aa
--- /dev/null
+++ b/tools/generate-secrets.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+
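Review bot: `idp-cert.pem` is a self-signed certificate for CN=testbed whose validity, decoded from the DER, runs 2022-12-08 to 2023-12-03, so the demo stacks that consume it will start failing validation within a year of this commit with nothing pointing back here. Because `tools/generate-secrets.sh` lands in the same commit as an empty stub, there is currently no recorded way to regenerate the pair; at minimum add a README note beside the sample material giving the expiry date and the command used to create it, and preferably have the script produce a long-lived certificate for sample use. The matching `idp-cert.p12` is committed as a binary with no mention of its passphrase, which the same note should cover. Nothing in this commit shows what consumes `idp-cert.*` — that is inferred from the name and should be confirmed.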
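Review bot: `tools/generate-secrets.sh` is committed as a shebang and two blank lines with mode 100644, so it is neither executable nor does it document or perform anything yet. If it is meant as a placeholder, a header comment stating what it will generate (the `sample-secrets/idp` and `sample-secrets/sp` material, presumably) and `set -euo pipefail` as the first statement give the next author a starting point; otherwise it is cleaner to leave the file out until it has a body.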