From 346cb45851ae666aa9eb42ab6a6c30cb5371d7fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?= <bjorklund@sunet.se>
Date: Wed, 27 Nov 2024 16:15:44 +0100
Subject: [PATCH] Shib fixes

---
 .../modules/soc/manifests/naemon_monitor.pp   |   8 ++
 .../naemon_monitor/docker-compose.yml.erb     |   3 +
 .../naemon_monitor/shibboleth2.xml.erb        | 119 ++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/shibboleth2.xml.erb

diff --git a/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp b/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
index 42e1363..dc97783 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
@@ -31,6 +31,7 @@ class soc::naemon_monitor (
   Optional[Boolean] $receive_otel = false,
   String $otel_retention = '2232h',
   String $acme_provider = 'acme-d',
+  Boolean $custom_shib = true,
 ) {
   include sunet::systemd_reload
 
@@ -98,6 +99,13 @@ class soc::naemon_monitor (
     sunet::snippets::secret_file { '/opt/naemon_monitor/shib-certs/sp-key.pem': hiera_key => 'shib_key' }
     # assume cert is in cosmos repo (overlay)
   }
+  if $custom_shib {
+    file { '/opt/naemon_monitor/shibboleth2.xml':
+      ensure  => file,
+      content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
+      mode    => '0444',
+    }
+  }
 
   $thruk_admins_string = inline_template('ADMIN_USERS=<%- @thruk_admins.each do |user| -%><%= user %>,<%- end -%>')
   $thruk_users_string = inline_template('READONLY_USERS=<%- @thruk_users.each do |user| -%><%= user %>,<%- end -%>')
diff --git a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
index 6192548..cf33c6c 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
@@ -58,6 +58,9 @@ services:
       - '/opt/naemon_monitor/shib-certs:/etc/shibboleth/certs'
       - '/opt/naemon_monitor/data:/var/lib/thruk'
       - '/opt/naemon_monitor/menu_local.conf:/etc/thruk/menu_local.conf'
+<%- if @custom_shib -%>
+      - '/opt/naemon_monitor/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml:ro'
+<% end -%>
 <%- @thruk_extra_volumes.each do |extra_volume| -%>
       - "<%= extra_volume %>"
 <%- end -%>
diff --git a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/shibboleth2.xml.erb b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/shibboleth2.xml.erb
new file mode 100644
index 0000000..3710037
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/shibboleth2.xml.erb
@@ -0,0 +1,119 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+        <ApplicationDefaults entityID="https://<%= @domain %>"
+                         REMOTE_USER="eppn subject-id"
+                         metadataAttributePrefix="Meta-">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            If you use this, you have to remove the SessionInitiator below.
+            <SSO entityID="https://swamididp.example.org
+                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
+              SAML2 SAML1
+            </SSO>
+            -->
+
+            <!-- SAML and local-only logout. -->
+
+            <Logout>SAML2 Local</Logout>
+            <SessionInitiator type="Chaining" Location="/satosa" id="satosa"
+                    entityID="https://test-sso-proxy.cert.sunet.se/idp">
+                <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
+            </SessionInitiator>
+
+            <!--
+            md:AssertionConsumerService locations handle specific SSO protocol bindings,
+            such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
+            are used when sessions are initiated to determine how to tell the IdP where and
+            how to return the response.
+            -->
+            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                conf:ignoreNoPassive="true"/>
+
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+
+            <!--
+            md:ArtifactResolutionService locations resolve artifacts issued when using the
+            SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
+            -->
+            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
+
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="cert@cert.sunet.se"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+
+        <!-- Example of remotely supplied batch of signed metadata. -->
+
+        <!-- SWAMID Metadata -->
+        <MetadataProvider
+                type="XML"
+                path="frontend.xml"/>
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+    </ApplicationDefaults>
+
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>