Added a lot of SSO stuff and base for SSO proxy.

2024-10-29 10:59:13 +01:00 · 2024-10-29 10:59:13 +01:00 · 4b11e53200
commit 4b11e53200
parent 0af1dbe562
6 changed files with 68 additions and 15 deletions
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -6,11 +6,18 @@
    ssh_allow_from_anywhere: false

 '^internal-sto1-dev-vulndash-1.cert.sunet.se$':
-  soc::sso:
-    hostname: 'vd-dev.cert.sunet.se'
-    email: 'cert@cert.sunet.se'
-    service_endpoint: 'http://nginx:80'
-    x_remote_user: true
-    groups:
-      - 'sunet-cert'
-    certbot: false
+#  soc::sso:
+#    hostname: 'vd-dev.cert.sunet.se'
+#    email: 'cert@cert.sunet.se'
+#    service_endpoint: 'http://nginx:80'
+#    x_remote_user: true
+#    groups:
+#      - 'sunet-cert'
+#    certbot: false
+
+test-sso-proxy1.cert.sunet.se:
+  sunet::starship:
+  sunet::dockerhost2:
+  sunet::satosa:
+    satosa_tag: 8.4.0
+#    dehydrated_name: 'test-sso-proxy1.cert.sunet.se'
--- a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
@ -0,0 +1 @@
+
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -1,4 +1,3 @@
-## Copy from CNAAS, modifications for Sunet CERT
 #
 # General SSO documentation: https://wiki.sunet.se/x/sZGLBg
 #
@ -22,7 +21,7 @@
 #   cases where the service we reverse proxy for can't create new accounts automatically.
 #   We use this only for Graylog at the time of writing.
 #
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+/ @param swamid_testing Set this to true if your SP is registered in swamid-testing.
 #
 # @param front_clients
 #   Hiera field, defined at common.yaml, with the the frontend IP prefixes that require access
@ -38,8 +37,11 @@ class soc::sso(
  $swamid_testing = false,
  $single_user = false,
  $front_clients = '',
+  $satosa = true,
+  $satosa_certbot = true,
  $translog = 'INFO',
-  $certbot = true,
+  $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+  $norpan = false,
 ) {

  file { '/opt/sso':
@ -98,15 +100,46 @@ class soc::sso(
    ensure  => file,
    content => file('soc/sso/md-signer2.crt'),
  }
-  sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
-    hiera_key => 'sso_sp_key'
+  if $satosa {
+    if $norpan {
+        file { '/opt/sso/shibboleth/frontend.xml':
+          ensure  => file,
+          content => file('soc/sso/frontend_norpan.xml'),
+        }
+    } else {
+        file { '/opt/sso/shibboleth/frontend.xml':
+          ensure  => file,
+          content => file('soc/sso/frontend.xml'),
+        }
+    }
+
+    file { '/opt/sso/shibboleth/attribute-policy.xml':
+      ensure  => file,
+      content => file('soc/sso/attribute-policy.xml'),
+    }
+
+    if lookup('sso_sp_key', undef, undef, undef) != undef {
+      sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+        hiera_key => 'sso_sp_key'
+      }
+    } else {
+      sunet::snippets::keygen {'shib_cert':
+        key_file  => '/opt/sso/shibboleth/sp-key.pem',
+        cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+      }
+    }
+
+  } else {
+    sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+      hiera_key => 'sso_sp_key'
+    }
  }

  #
  # Certbot
  #

-  if $certbot {
+  if $satosa_certbot {
    package { ['certbot', 'python3-requests']:
      ensure => 'latest',
    }
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
@ -34,7 +34,7 @@
        <%- if @x_remote_user -%>
        RequestHeader set X-Remote-User %{REMOTE_USER}s
        <%- elsif @single_user -%>
-        RequestHeader set X-Remote-User soc-user
+        RequestHeader set X-Remote-User cnaas-user
        <%- else -%>
        ShibUseHeaders On
        <%- end -%>
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
@ -15,7 +15,12 @@ services:
      - ./shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
      - ./shibboleth/shibd.logger:/etc/shibboleth/shibd.logger
      - ./shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+<% if @satosa -%>
+      - ./shibboleth/frontend.xml:/etc/shibboleth/frontend.xml
+      - ./shibboleth/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml
+<% else -%>
      - ./shibboleth/md-signer2.crt:/etc/shibboleth/md-signer2.crt
+<% end -%>
      - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
      - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
 networks:
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
@ -40,6 +40,12 @@
            <!-- SAML and local-only logout. -->

            <Logout>SAML2 Local</Logout>
+<% if @satosa -%>
+            <SessionInitiator type="Chaining" Location="/satosa" id="satosa"
+                    entityID="<%= @proxy %>">
+                <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
+            </SessionInitiator>
+<% else -%>
            <SessionInitiator type="Chaining" Location="/DS/Login" id="swamid-ds-default" relayState="cookie">
                <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" defaultACSIndex="5"/>
@ -49,6 +55,7 @@
                <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds"/>
                <%- end -%>
            </SessionInitiator>
+<% end -%>

            <!--
            md:AssertionConsumerService locations handle specific SSO protocol bindings,