diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 01f05e4..af3312e 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -6,11 +6,18 @@
ssh_allow_from_anywhere: false
'^internal-sto1-dev-vulndash-1.cert.sunet.se$':
- soc::sso:
- hostname: 'vd-dev.cert.sunet.se'
- email: 'cert@cert.sunet.se'
- service_endpoint: 'http://nginx:80'
- x_remote_user: true
- groups:
- - 'sunet-cert'
- certbot: false
+# soc::sso:
+# hostname: 'vd-dev.cert.sunet.se'
+# email: 'cert@cert.sunet.se'
+# service_endpoint: 'http://nginx:80'
+# x_remote_user: true
+# groups:
+# - 'sunet-cert'
+# certbot: false
+
+test-sso-proxy1.cert.sunet.se:
+ sunet::starship:
+ sunet::dockerhost2:
+ sunet::satosa:
+ satosa_tag: 8.4.0
+# dehydrated_name: 'test-sso-proxy1.cert.sunet.se'
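Review bot: The new host key `test-sso-proxy1.cert.sunet.se:` is written without the `'^...$'` anchors that the adjacent vulndash entry uses. If cosmos-rules keys are matched as regular expressions against the node name, as the anchored entry above suggests, the unanchored form (with unescaped dots) also matches any longer hostname that merely contains this string, so the satosa classes could be applied to an unintended node. For consistency with the entry above, write it as `'^test-sso-proxy1.cert.sunet.se$':`.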
diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
@@ -0,0 +1 @@
+
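Review bot: `frontend.xml` is added as a single empty line, yet the same commit installs it via `file('soc/sso/frontend.xml')` in sso.pp and mounts it at `/etc/shibboleth/frontend.xml` in docker-compose.yml.erb. If shibboleth2.xml includes that path when `@satosa` is set, shibd will be handed an empty document rather than a well-formed XML file, so this looks like a placeholder that was committed before its content. Either commit the real frontend definition or add a comment in sso.pp marking the satosa path as incomplete until it exists.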
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index 30eaf63..7ae51a6 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -1,4 +1,3 @@
-## Copy from CNAAS, modifications for Sunet CERT
#
# General SSO documentation: https://wiki.sunet.se/x/sZGLBg
#
@@ -22,7 +21,7 @@
# cases where the service we reverse proxy for can't create new accounts automatically.
# We use this only for Graylog at the time of writing.
#
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+/ @param swamid_testing Set this to true if your SP is registered in swamid-testing.
#
# @param front_clients
# Hiera field, defined at common.yaml, with the the frontend IP prefixes that require access
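Review bot: Line `+/ @param swamid_testing ...` replaces the `#` comment marker with `/`, which is not a comment in Puppet; the parser will see a bare `/` before the `class` keyword and the manifest fails to parse, and puppet-strings loses the parameter documentation as well. Restore the original marker: `# @param swamid_testing Set this to true if your SP is registered in swamid-testing.`. The doc header continues outside the hunk.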
@@ -38,8 +37,11 @@ class soc::sso(
$swamid_testing = false,
$single_user = false,
$front_clients = '',
+ $satosa = true,
+ $satosa_certbot = true,
$translog = 'INFO',
- $certbot = true,
+ $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+ $norpan = false,
) {
file { '/opt/sso':
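Review bot: The four new parameters `$satosa`, `$satosa_certbot`, `$proxy` and `$norpan` are not documented in the puppet-strings header, which otherwise carries a `@param` entry per parameter; add one `# @param` line each, stating that `$satosa` switches the Shibboleth config to the SATOSA frontend/attribute-policy files, `$norpan` selects `frontend_norpan.xml`, `$satosa_certbot` replaces the old `$certbot` switch for the certbot package install, and what `$proxy` is consumed by (it is not referenced in any hunk I can see, so that may still be to come). Removing `$certbot` is a breaking interface change: any node still passing `certbot:` in hiera or cosmos-rules will fail catalog compilation with an unknown-parameter error (the vulndash entry that set `certbot: false` is commented out in this same commit, which hides the problem there). Consider keeping `$certbot = undef` for one cycle and mapping it onto `$satosa_certbot`, or at least stating the rename in the header. The parameter list starts outside the hunk.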
@@ -98,15 +100,46 @@ class soc::sso(
ensure => file,
content => file('soc/sso/md-signer2.crt'),
}
- sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
- hiera_key => 'sso_sp_key'
+ if $satosa {
+ if $norpan {
+ file { '/opt/sso/shibboleth/frontend.xml':
+ ensure => file,
+ content => file('soc/sso/frontend_norpan.xml'),
+ }
+ } else {
+ file { '/opt/sso/shibboleth/frontend.xml':
+ ensure => file,
+ content => file('soc/sso/frontend.xml'),
+ }
+ }
+
+ file { '/opt/sso/shibboleth/attribute-policy.xml':
+ ensure => file,
+ content => file('soc/sso/attribute-policy.xml'),
+ }
+
+ if lookup('sso_sp_key', undef, undef, undef) != undef {
+ sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+ hiera_key => 'sso_sp_key'
+ }
+ } else {
+ sunet::snippets::keygen {'shib_cert':
+ key_file => '/opt/sso/shibboleth/sp-key.pem',
+ cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+ }
+ }
+
+ } else {
+ sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+ hiera_key => 'sso_sp_key'
+ }
}
#
# Certbot
#
- if $certbot {
+ if $satosa_certbot {
package { ['certbot', 'python3-requests']:
ensure => 'latest',
}
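Review bot: The satosa branch references `file('soc/sso/frontend_norpan.xml')` and `file('soc/sso/attribute-policy.xml')`, but this commit only adds `soc/sso/frontend.xml` (and that one is empty); unless those files already exist in the module, Puppet's `file()` raises at catalog compile time for every node where `$satosa` is true, which is now the default. The new `else` branch around `sunet::snippets::keygen` also silently generates a fresh self-signed SP key pair whenever `sso_sp_key` is absent from hiera, so a misspelled hiera key or a missing secret no longer fails the run but yields an SP certificate the proxy has never been told to trust; a `warning()` or a `notify` on that path, e.g. `warning("sso_sp_key not found in hiera, generating a local SP key pair for ${facts['networking']['fqdn']}")`, would make the fallback visible in the run log. `md-signer2.crt` is still installed on lines 69-71 for both paths although the compose template stops mounting it when `@satosa` is set; harmless, but worth a comment. The class body continues past the hunk.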
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
index 5dfd133..538db71 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
@@ -34,7 +34,7 @@
<%- if @x_remote_user -%>
RequestHeader set X-Remote-User %{REMOTE_USER}s
<%- elsif @single_user -%>
- RequestHeader set X-Remote-User soc-user
+ RequestHeader set X-Remote-User cnaas-user
<%- else -%>
ShibUseHeaders On
<%- end -%>
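Review bot: Changing the single-user identity from `soc-user` to `cnaas-user` alters the value the backend receives in `X-Remote-User`, which is the header the proxied application trusts as the authenticated principal, so any authorization or audit records keyed on `soc-user` change meaning without a configuration switch. Together with the removal of the "Copy from CNAAS, modifications for Sunet CERT" note in sso.pp this reads like an accidental reversion of the CERT-specific rename rather than an intended change. If it is intended, make the value a class parameter (e.g. `$single_user_name`) and document it rather than hard-coding a name from another deployment.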
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
index e1813f8..ecc0b79 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
@@ -15,7 +15,12 @@ services:
- ./shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
- ./shibboleth/shibd.logger:/etc/shibboleth/shibd.logger
- ./shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+<% if @satosa -%>
+ - ./shibboleth/frontend.xml:/etc/shibboleth/frontend.xml
+ - ./shibboleth/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml
+<% else -%>
- ./shibboleth/md-signer2.crt:/etc/shibboleth/md-signer2.crt
+<% end -%>
- ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
- ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
networks:
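Review bot: The new ERB tags use the `<% if @satosa -%>` / `<% else -%>` / `<% end -%>` form, while the existing templates in this module use the leading-trim form (`<%- if @x_remote_user -%>`, `<%- end -%>` in apache-site.conf.erb and shibboleth2.xml.erb); the same applies to the `<% if @satosa -%>` ... `<% end -%>` pair added to shibboleth2.xml.erb. Without the leading `-`, any indentation before the tag survives into the rendered YAML, which in a compose file can shift the volume entries out of the `volumes:` list; the indentation is not visible here, so please verify the rendered output. For consistency, write the new tags as `<%- if @satosa -%>`, `<%- else -%>` and `<%- end -%>`. Note also that the frontend.xml mounted here is the empty file this commit adds.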
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
index cae74ac..0bd3413 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
@@ -40,6 +40,12 @@
SAML2 Local
+<% if @satosa -%>
+
+
+
+<% else -%>
@@ -49,6 +55,7 @@
<%- end -%>
+<% end -%>