Add missing shib config

2024-11-28 13:58:23 +01:00 · 2024-11-28 13:58:23 +01:00 · f3b9059f4f
commit f3b9059f4f
parent 3332545dc8
6 changed files with 135 additions and 5 deletions
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -50,5 +50,5 @@ monitor-dev.cert.sunet.se:
    domain: monitor-dev.cert.sunet.se
    thruk_admins:
      - bjorklund@sunet.se
-    default_host_group: sunet::nagios:nrpe
+    default_host_group: sunet::nagios::nrpe
    nrpe_group: sunet::nagios::nrpe
--- a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-map.xml
@ -0,0 +1,22 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    SWAMID standard attribute-map.xml for SAML 2.0
+    ==============================================
+    The mappings are agreed to within the Shibboleth community or directly LDAP attribute names.
+
+    Version: 2017-01-04
+
+    REMEMBER to notify SWAMID saml-admins list when updating this file!
+    -->
+
+    <!-- eduPerson attributes until version 201310 -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+
+    <!-- Attribute to extract SWAMID Assurance Profiles -->
+    <Attribute name="urn:oasis:names:tc:SAML:attribute:assurance-certification" id="Assurance-Certification"/>
+
+</Attributes>
--- a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/attribute-policy.xml
@ -0,0 +1,82 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+    </afp:PermitValueRule>
+
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="subject-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="pairwise-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+        
+        <afp:AttributeRule attributeID="eppn">
+	<!-- Disabled scope check since the proxy does it for us and the proxies metadata doesn't include scopes from our customers.
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+	-->
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+        
+        <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+        <afp:AttributeRule attributeID="schacHomeOrganization">
+            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*" permitAny="true"/>
+        
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
--- a/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/naemon_monitor/frontend.xml
--- a/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/naemon_monitor.pp
@ -100,10 +100,22 @@ class soc::naemon_monitor (
    # assume cert is in cosmos repo (overlay)
  }
  if $custom_shib {
-    file { '/opt/naemon_monitor/shibboleth2.xml':
-      ensure  => file,
-      content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
-      mode    => '0444',
+    file {
+      '/opt/naemon_monitor/shibboleth2.xml':
+        ensure  => file,
+        content => template('soc/naemon_monitor/shibboleth2.xml.erb'),
+        mode    => '0444',
+        ;
+      '/opt/naemon_monitor/attribute-map.xml':
+        ensure  => file,
+        content => file('soc/naemon_monitor/attribute-map.xml'),
+        mode    => '0444',
+        ;
+      '/opt/naemon_monitor/attribute-policy.xml':
+        ensure  => file,
+        content => file('soc/naemon_monitor/attribute-policy.xml'),
+        mode    => '0444',
+        ;
    }
  }

--- a/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/naemon_monitor/docker-compose.yml.erb
@ -60,6 +60,8 @@ services:
      - '/opt/naemon_monitor/menu_local.conf:/etc/thruk/menu_local.conf'
 <%- if @custom_shib -%>
      - '/opt/naemon_monitor/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml:ro'
+      - '/opt/naemon_monitor/attribute-map.xml:/etc/shibboleth/attribute-map.xml:ro'
+      - '/opt/naemon_monitor/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml:ro'
 <% end -%>
 <%- @thruk_extra_volumes.each do |extra_volume| -%>
      - "<%= extra_volume %>"