From 26e4b95c8c37c8581eb34bbbf4f3a0d03ea4a110 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Tue, 19 Dec 2017 13:40:49 +0100
Subject: [PATCH] se proxy config
---
 .../eidas-proxy/se/cfg/application.properties | 91 +++++++++++++++++++
 .../se/cfg/general-metadata.properties | 12 +++
 .../etc/eidas-proxy/se/cfg/infotext.md | 44 +++++++++
 .../se/cfg/natsp-idpdisco.properties | 27 ++++++
 .../se/cfg/natsp-metadata.properties | 24 +++++
 .../se/cfg/psidp-metadata.properties | 25 +++++
 .../eidas-proxy/se/ps-mdcache/.placeholder | 0
 7 files changed, 223 insertions(+)
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/application.properties
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/general-metadata.properties
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/infotext.md
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-idpdisco.properties
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-metadata.properties
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/cfg/psidp-metadata.properties
 create mode 100644 eidas-proxy/overlay/etc/eidas-proxy/se/ps-mdcache/.placeholder
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/application.properties b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/application.properties
new file mode 100644
index 00000000..4ced7ed6
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/application.properties
@@ -0,0 +1,91 @@
+# Logging
+logging.level.org.springframework.web=INFO
+
+# Service path
+server.context-path=/eidas-ps
+
+proxy-service.path.prefix=${spring.config.location}..
+proxy-service.config.location=file://${spring.config.location}
+
+# Service port connector settings
+server.port=8443
+#server.ssl.key-store=${proxy-service.path.prefix}/keystore/sslSnakeOil.p12
+#server.ssl.key-store-type=PKCS12
+#server.ssl.key-store-password=secret
+#server.ssl.key-password=secret
+
+tomcat.ajp.port=8009
+tomcat.ajp.remoteauthentication=false
+tomcat.ajp.enabled=true
+
+# For development. Allowing signature check on metadata to be skipped. Default false.
+#proxy-service.dev.ignoreMetadataSignCheck=true
+
+# Initial delay in milliseconds (default 5000) and seconds between metadata configuration recache (default 240 sec).
+#proxy-service.daemon.inital.delay.ms=5000
+proxy-service.daemon.recache.delay.sec=240
+
+# Location of other properties files (general-metadata.properties, psidp-metadata.properties and natsp-metadata.properties)
+# Example specifying external location: 'proxy-service.config.location=file:///opt/webapp/eidas-ps/cfg/'
+# Example specifying src/main/resources config location: 'classpath:'
+
+
+# Key Store properties
+# Location can be specified as "classpath:" or as file path e.g "/opt/webapp/eidas-ps/keystore/keyStore.jks"
+proxy-service.keySourceType=PKCS12
+proxy-service.keySourceLocation=${proxy-service.path.prefix}/proxy.p12
+proxy-service.keySourcePass=dummy
+proxy-service.keySourceAlias=proxy
+
+proxy-service.natsp.keySourceType=PKCS12
+proxy-service.natsp.keySourceLocation=${proxy-service.path.prefix}/proxy.p12
+proxy-service.natsp.keySourcePass=dummy
+proxy-service.natsp.keySourceAlias=proxy
+
+proxy-service.metadata.keySourceType=PKCS12
+proxy-service.metadata.keySourceLocation=${proxy-service.path.prefix}/metadata.p12
+proxy-service.metadata.keySourcePass=dummy
+proxy-service.metadata.keySourceAlias=proxy
+
+# Session Encryption properties
+#proxy-service.cookieEncryptPw=changeme
+
+# Requirements to show consent dialogue (Default false);
+proxy-service.consent=true
+proxy-service.consent.attributes=urn:oid:1.2.752.201.3.7,\
+ urn:oid:2.5.4.4,\
+ urn:oid:2.5.4.42,\
+ urn:oid:1.3.6.1.5.5.7.9.3,\
+ urn:oid:1.3.6.1.5.5.7.9.1
+proxy-service.consent.valuetranslation=urn:oid:1.3.6.1.5.5.7.9.3
+
+# Welcome page presentation text location
+proxy-service.welcomepage.markdown=${proxy-service.path.prefix}/cfg/infotext.md
+
+#Metadata Service List location specified as either URL (http or https), "file://" or "classpath:"
+proxy-service.eidasMdListLocation=https://eid.svelegtest.se/nodeconfig/mdservicelist
+
+# Optional certificate file for validating metadata service list file signatures
+# If no certificate is specified then proxy-service.dev.ignoreMetadataSignCheck=true must be set
+proxy-service.eidasMdListCertFile=${proxy-service.path.prefix}/eIDASmdListCert.crt
+
+#Metadata location for aggregated metadata specified as either URL (http or https), "file://" or "classpath:"
+proxy-service.eidasMetadataLocation=https://eid.svelegtest.se/nodeconfig/metadata
+
+# Optional certificate file for validating metadata signatures
+# If no certificate is specified then proxy-service.dev.ignoreMetadataSignCheck=true must be set
+proxy-service.eidasMetadataCertFile=${proxy-service.path.prefix}/eIDASmdListCert.crt
+
+# Optional cache dir for caching downloaded metadata. If not set, cache is stored in memory.
+proxy-service.eidasMetadataCacheDirName=${proxy-service.path.prefix}/ps-mdcache
+
+
+#Metadata location for national IdP metadata specified as either URL (http or https), "file://" or "classpath:"
+proxy-service.nationalMetadataLocation=http://eid.svelegtest.se/metadata/mdx/role/idp.xml
+
+# Optional certificate file for validating metadata signatures
+# If no certificate is specified then proxy-service.dev.ignoreMetadataSignCheck=true must be set
+proxy-service.nationalMetadataCert=${proxy-service.path.prefix}/se-metadata-cert.crt
+
+# Optional cache dir for caching downloaded national metadata. If not set, cache is stored in memory.
+proxy-service.nationalPsMetadataCacheDirName=${proxy-service.path.prefix}/ps-mdcache
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/general-metadata.properties b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/general-metadata.properties
new file mode 100644
index 00000000..ef5cf22f
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/general-metadata.properties
@@ -0,0 +1,12 @@
+psgen.country=XY
+psgen.name=Sweden XY eIDAS ProxyService
+psgen.orgName=Swedish E-Identification Board
+psgen.dispName=Swedish eIDAS Proxy Service
+psgen.orgUrl=http://eidasweb.se
+psgen.supportGivenName=Customer support
+psgen.techGivenName=Technical support
+psgen.supportEmail=support@example.com
+psgen.techEmail=support@example.com
+
+
+
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/infotext.md b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/infotext.md
new file mode 100644
index 00000000..bfc4503d
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/infotext.md
@@ -0,0 +1,44 @@
+### Proxy Service
+
+This is the Swedish XY Country test proxy sevice of the Swedish eIDAS Pilot
+
+**Relevant resources:**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Metadata validation certificate:**
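Review bot: All three signing/encryption keystore passwords are committed as `dummy` (`proxy-service.keySourcePass`, `proxy-service.natsp.keySourcePass`, `proxy-service.metadata.keySourcePass`) and the session-cookie key `proxy-service.cookieEncryptPw` is left commented out, so this overlay goes live with placeholder secrets unless every deployment remembers to override them. These are Spring properties, so the values can be pulled from the environment instead, e.g. `proxy-service.keySourcePass=${PROXY_KEYSTORE_PASS}` for each of the three, and the cookie key should be set the same way rather than left to whatever the application falls back to when it is unset (not visible here — confirm there is no built-in default). Separately, `proxy-service.nationalMetadataLocation` fetches the national IdP metadata over plain `http://`; that is only acceptable because `proxy-service.nationalMetadataCert` pins the signing certificate, so the comment above it should say so explicitly (`# Fetched over http: integrity relies entirely on the signature check below; never enable ignoreMetadataSignCheck here`). The AJP connector on 8009 is enabled with `remoteauthentication=false`, which is the safe setting, but this file does not bind it to an address — presumably the reverse proxy is local; worth confirming it is not reachable from outside.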
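Review bot: `psgen.orgUrl=http://eidasweb.se` and the `support@example.com` contact addresses are placeholder values that will be published verbatim in the proxy service's SAML metadata, and `psgen.country=XY` does not match the `se/` overlay directory; presumably the test-country code is intentional for the pilot, but the example.com mailboxes and the plain-http organisation URL should be replaced before this metadata is registered with any node. A header line such as `# Test-country (XY) pilot metadata: replace country, orgUrl and contact addresses before production use` would make that intent explicit.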
+
+```
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiMCBgFfWGgYvjANBgkqhkiG9w0BAQ0FADBhMSkwJwYDVQQDEyBUZXN0IENvdW50cnkg
+ZUlEQVMgUHJveHkgU2VydmljZTEnMCUGA1UEChMeU3dlZGlzaCBFLUlkZW50aWZpY2F0aW9uIEJv
+YXJkMQswCQYDVQQGEwJYWTAeFw0xNzEwMjYwOTE4NTdaFw0yMjEwMjYxMTE4NTdaMGExKTAnBgNV
+BAMTIFRlc3QgQ291bnRyeSBlSURBUyBQcm94eSBTZXJ2aWNlMScwJQYDVQQKEx5Td2VkaXNoIEUt
+SWRlbnRpZmljYXRpb24gQm9hcmQxCzAJBgNVBAYTAlhZMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAoo+9Fjjtx50yc8QzkFHxmRDqZC3/cPvWNIK0bqmXrBdlvstB5kYn0x+t644d9zQA
+v6yXFW3hhSHjTeeB49NVwa2HVxtmkX5VzJLNo0mjQm3c3vAZNooUHzv+deZrl5HhFkZZPD1sLwOb
+dlCHd1ozf60+diD/P0EkMkCwwaVWnq13pHv1XuQOBFmVb0O5/muJrzu6uGZAsPS4SUsg9IFgl1AK
+hcl5FPykNvqYMEamOKCbJoL2mpjUQFGtudlDaqneqz0Jt4syoQmvuFal/0uC1XhKwLNitu3GGceZ
+Mwdq6TJlR1pMNDgFOjSO2Yv0v/3kKtmhiOCBpmXXl4JcWDCMBQIDAQABMA0GCSqGSIb3DQEBDQUA
+A4IBAQBTCQT2OTGE+f5qWe4NiXRZBHfLuU0A2Lj3fm30dA+N/3WO5eOTHCGSEJhSh/SxeFzexTiG
+QSrdUuJtTM+mtqF6v0OfJ55K+dhSNzcE5dtM3ds6qZ73VAJQlxLv3qE4hqR7bLMhvz0Zby0Hq0XJ
++FCMs5vSMDtMi5n/CLqh/ctEacUx+lNfQEjZWHInfntMBRUxwy6SYfqjPdhDneP+IXAertPi/Uqn
+NFkI8ewylphNXoewIEIjfFk6WSAwgc2scWgnj8U4un1LFjl//m4DWCEQEkjwuxNf1pTCQFDW7Gc3
++lNgymwLJoieNYqSOhomsTRZTXyuRI4b/ttebvbNiALS
+-----END CERTIFICATE-----
+```
+
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-idpdisco.properties b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-idpdisco.properties
new file mode 100644
index 00000000..24052db8
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-idpdisco.properties
@@ -0,0 +1,27 @@
+proxy-service.idpdisco.idplist=\
+ testIdp,\
+ mobIdp,\
+ ccBankid,\
+ ccTelia
+proxy-service.idpdisco.langs=\
+ se,\
+ en,\
+ fr
+proxy-service.idpdisco.entityid={\
+ testIdp :'https://idp.svelegtest.se/idp',\
+ mobIdp :'https://midp.svelegtest.se/idp',\
+ ccBankid : 'https://eid.identityhub.se/demo/bankid/',\
+ ccTelia : 'https://eid.identityhub.se/demo/teliabrowserplugin/'\
+ }
+proxy-service.idpdisco.name={\
+ testIdp :'Test ID-tjänst, Test IdP, Test IdP',\
+ mobIdp :'Mobil Test IdP, Mobile Test IdP, Mobile Test IdP',\
+ ccBankid : 'BankID, BankID, BankID',\
+ ccTelia : 'Telia,Telia,Telia'\
+ }
+proxy-service.idpdisco.logo={\
+ testIdp :'https://eid.svelegtest.se/logos/elegnamnden_notext_68x67.png, 67, 68',\
+ mobIdp :'https://eid.svelegtest.se/logos/elegnamnden_notext_68x67.png, 67, 68',\
+ ccBankid : 'img/disco/bankid_logo.png, 94, 100',\
+ ccTelia : 'img/disco/telia_min_logo.png,89,86'\
+ }
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-metadata.properties b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-metadata.properties
new file mode 100644
index 00000000..baab65d7
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/natsp-metadata.properties
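Review bot: `proxy-service.idpdisco.langs` lists `se` as its first language, but `se` is the ISO 639-1 code for Northern Sami; Swedish is `sv`, which is what natsp-metadata.properties in the same commit uses for `natsp.displayNames`. If the discovery page matches these codes against the browser's Accept-Language, Swedish users will never be served the first (Swedish) column of the name triples, so the line should read `+ sv,\`. The `ccBankid`/`ccTelia` entries also point at third-party demo endpoints on eid.identityhub.se; presumably the proxy still requires those entityIDs to appear in the signed national metadata fetched via `proxy-service.nationalMetadataLocation` before it will send an AuthnRequest there — worth confirming, since otherwise this list acts as an unsigned allow-list of IdPs.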
@@ -0,0 +1,24 @@
+#EntityID of the n
+natsp.entityId=${proxy-service.domain.prefix}/nat-ps-sp
+natsp.displayNames={\
+ en:'Swedish Citizen Adapter',\
+ sv:'Sveriges internationella legitimeringsnod'\
+ }
+natsp.descriptions={\
+ en:'Test service for the Swedish eIDAS Pilot New Local',\
+ sv:'Testtjänst för Svenska eIDAS piloten'\
+ }
+# Logos are specified as a map with the url as key followed by height,width[,lang] as comma separated parameters.
+natsp.logos={\
+ 'https://eunode.eidastest.se/Connector/custom/idpLogo.png':'276,293'\
+ }
+natsp.assertionConsumerServices={\
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':'${proxy-service.domain.prefix}/assertionconsumer'\
+ }
+natsp.nameIDFormats=\
+ urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,\
+ urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+natsp.entityCategories=\
+ http://id.elegnamnden.se/ec/1.0/loa3-pnr
+
+
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/psidp-metadata.properties b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/psidp-metadata.properties
new file mode 100644
index 00000000..546cd70d
--- /dev/null
+++ b/eidas-proxy/overlay/etc/eidas-proxy/se/cfg/psidp-metadata.properties
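Review bot: The header comment `#EntityID of the n` is truncated, and `${proxy-service.domain.prefix}` (used here for `natsp.entityId` and the HTTP-POST AssertionConsumerService URL, and again in psidp-metadata.properties) is not defined anywhere in this commit's application.properties, which only sets `proxy-service.path.prefix`. If it is not supplied by the environment or a parent configuration, the placeholder is left unresolved and the published entityID and ACS location become the literal string, so either define it next to `proxy-service.path.prefix` or document where it must come from. Suggested replacement for the first line: `# EntityID of the national SP role (the proxy acting as SP towards the Swedish IdPs); proxy-service.domain.prefix must be supplied by the deployment`.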
@@ -0,0 +1,25 @@
+psmd.gen.entityID=${proxy-service.domain.prefix}/ServiceMetadata
+psmd.ext.supportedEncAlgos=\
+ http://www.w3.org/2009/xmlenc11#aes128-gcm,\
+ http://www.w3.org/2009/xmlenc11#aes192-gcm,\
+ http://www.w3.org/2009/xmlenc11#aes256-gcm
+psmd.ext.supportedSigAlgorithms=\
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha512,\
+ http://www.w3.org/2001/04/xmldsig-more#rsa-sha256,\
+ http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
+psmd.ext.supportedDigestAlgorithms=\
+ http://www.w3.org/2001/04/xmldsig-more#sha384,\
+ http://www.w3.org/2001/04/xmlenc#sha512,\
+ http://www.w3.org/2001/04/xmlenc#sha256
+psmd.idp.nameIDFormats=\
+ urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,\
+ urn:oasis:names:tc:SAML:2.0:nameid-format:transient,\
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+psmd.idp.ssoList={'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':'${proxy-service.domain.prefix}/ColleagueRequest'}
+psmd.idp.supportedAttributes=\
+ http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName,\
+ http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName,\
+ http://eidas.europa.eu/attributes/naturalperson/DateOfBirth,\
+ http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier,\
+ http://eidas.europa.eu/attributes/naturalperson/Gender
+psmd.idp.assuranceCertifications=http://eidas.europa.eu/LoA/substantial
\ No newline at end of file
diff --git a/eidas-proxy/overlay/etc/eidas-proxy/se/ps-mdcache/.placeholder b/eidas-proxy/overlay/etc/eidas-proxy/se/ps-mdcache/.placeholder
new file mode 100644
index 00000000..e69de29b
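Review bot: The algorithm lists carry no comment stating the policy they encode, which is the security-relevant part of this file: only AES-GCM encryption URIs and SHA-2 signature/digest URIs are advertised, with no SHA-1 or CBC entries. Adding above `psmd.ext.supportedEncAlgos` a line such as `# Only AEAD (AES-GCM) encryption and SHA-2 signature/digest algorithms are advertised; do not add SHA-1 or AES-CBC URIs` stops a later edit from quietly weakening it. The file also ends without a trailing newline (`\ No newline at end of file`), which should be fixed before the next edit produces a noisy diff.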