Compare commits
No commits in common. "fda9cc2795112b33d5e6fd92dc21eb87310fe280" and "18448c183ebbbdc72374294ae57a5d5337a0599c" have entirely different histories.
fda9cc2795
...
18448c183e
|
@ -6,129 +6,110 @@
|
||||||
* @author Yorn de Jong
|
* @author Yorn de Jong
|
||||||
* @package simpleSAMLphp
|
* @package simpleSAMLphp
|
||||||
*/
|
*/
|
||||||
|
class sspmod_authpwauth_Auth_Source_PwAuth extends sspmod_core_Auth_UserPassBase {
|
||||||
|
|
||||||
namespace SimpleSAML\Module\authpwauth\Auth\Source;
|
protected $pwauth_bin_path;
|
||||||
|
protected $mail_domain;
|
||||||
|
|
||||||
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
|
public function __construct($info, $config) {
|
||||||
{
|
assert('is_array($info)');
|
||||||
protected $pwauth_bin_path;
|
assert('is_array($config)');
|
||||||
protected $mail_domain;
|
|
||||||
|
|
||||||
public function __construct(array $info, array &$config) {
|
/* Call the parent constructor first, as required by the interface. */
|
||||||
assert('is_array($info)');
|
parent::__construct($info, $config);
|
||||||
assert('is_array($config)');
|
|
||||||
|
|
||||||
/* Call the parent constructor first, as required by the interface. */
|
$this->pwauth_bin_path = $config['pwauth_bin_path'];
|
||||||
parent::__construct($info, $config);
|
if (array_key_exists('mail_domain', $config)) {
|
||||||
|
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$this->pwauth_bin_path = $config['pwauth_bin_path'];
|
public function login($username, $password) {
|
||||||
if (array_key_exists('mail_domain', $config)) {
|
$username = strtolower( $username );
|
||||||
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public function login(string $username, string $password): array {
|
$handle = popen($this->pwauth_bin_path, 'w');
|
||||||
$username = strtolower( $username );
|
if ($handle === FALSE) {
|
||||||
|
die("Error opening pipe to pwauth");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!file_exists($this->pwauth_bin_path)) {
|
$data = "$username\n$password\n";
|
||||||
die("Could not find pwauth binary");
|
if (fwrite($handle, $data) !== strlen($data)) {
|
||||||
return false;
|
die("Error writing to pwauth pipe");
|
||||||
}
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!is_executable($this->pwauth_bin_path)) {
|
# Is the password valid?
|
||||||
die("pwauth binary is not executable");
|
$result = pclose( $handle );
|
||||||
return false;
|
if ($result !== 0) {
|
||||||
}
|
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
|
||||||
|
die("pwauth returned $result for username $username");
|
||||||
|
}
|
||||||
|
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
$ldap = ldap_connect('129.241.210.159', 389);
|
||||||
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||||
|
ldap_start_tls($ldap);
|
||||||
|
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
|
||||||
|
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
|
||||||
|
$entry = ldap_first_entry($ldap, $search);
|
||||||
|
$dn = ldap_get_dn($ldap, $entry);
|
||||||
|
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
|
||||||
|
ldap_modify_batch($ldap, $dn, [
|
||||||
|
#[
|
||||||
|
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
|
||||||
|
# 'attrib' => 'unicodePwd',
|
||||||
|
# 'values' => [$password],
|
||||||
|
#],
|
||||||
|
[
|
||||||
|
#'modtype' => LDAP_MODIFY_BATCH_ADD,
|
||||||
|
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
|
||||||
|
'attrib' => 'unicodePwd',
|
||||||
|
'values' => [$newpassword],
|
||||||
|
],
|
||||||
|
]);
|
||||||
|
*/
|
||||||
|
|
||||||
$handle = popen($this->pwauth_bin_path, 'w');
|
#0 - Login OK.
|
||||||
if ($handle === FALSE) {
|
#1 - Nonexistant login or (for some configurations) incorrect password.
|
||||||
die("Error opening pipe to pwauth");
|
#2 - Incorrect password (for some configurations).
|
||||||
return false;
|
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
|
||||||
}
|
#4 - Login ID has expired.
|
||||||
|
#5 - Login's password has expired.
|
||||||
$data = "$username\n$password\n";
|
#6 - Logins to system have been turned off (usually by /etc/nologin file).
|
||||||
if (fwrite($handle, $data) !== strlen($data)) {
|
#7 - Limit on number of bad logins exceeded.
|
||||||
die("Error writing to pwauth pipe");
|
#50 - pwauth was not run with real uid SERVER_UID. If you get this
|
||||||
return false;
|
# this error code, you probably have SERVER_UID set incorrectly
|
||||||
}
|
# in pwauth's config.h file.
|
||||||
|
#51 - pwauth was not given a login & password to check. The means
|
||||||
# Is the password valid?
|
# the passing of data from mod_auth_external to pwauth is messed
|
||||||
$result = pclose( $handle );
|
# up. Most likely one is trying to pass data via environment
|
||||||
if ($result !== 0) {
|
# variables, while the other is trying to pass data via a pipe.
|
||||||
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
|
#52 - one of several possible internal errors occured.
|
||||||
die("pwauth returned $result for username $username");
|
|
||||||
}
|
|
||||||
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
$ldap = ldap_connect('129.241.210.159', 389);
|
|
||||||
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
||||||
ldap_start_tls($ldap);
|
|
||||||
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
|
|
||||||
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
|
|
||||||
$entry = ldap_first_entry($ldap, $search);
|
|
||||||
$dn = ldap_get_dn($ldap, $entry);
|
|
||||||
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
|
|
||||||
ldap_modify_batch($ldap, $dn, [
|
|
||||||
#[
|
|
||||||
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
|
|
||||||
# 'attrib' => 'unicodePwd',
|
|
||||||
# 'values' => [$password],
|
|
||||||
#],
|
|
||||||
[
|
|
||||||
#'modtype' => LDAP_MODIFY_BATCH_ADD,
|
|
||||||
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
|
|
||||||
'attrib' => 'unicodePwd',
|
|
||||||
'values' => [$newpassword],
|
|
||||||
],
|
|
||||||
]);
|
|
||||||
*/
|
|
||||||
|
|
||||||
#0 - Login OK.
|
|
||||||
#1 - Nonexistant login or (for some configurations) incorrect password.
|
|
||||||
#2 - Incorrect password (for some configurations).
|
|
||||||
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
|
|
||||||
#4 - Login ID has expired.
|
|
||||||
#5 - Login's password has expired.
|
|
||||||
#6 - Logins to system have been turned off (usually by /etc/nologin file).
|
|
||||||
#7 - Limit on number of bad logins exceeded.
|
|
||||||
#50 - pwauth was not run with real uid SERVER_UID. If you get this
|
|
||||||
# this error code, you probably have SERVER_UID set incorrectly
|
|
||||||
# in pwauth's config.h file.
|
|
||||||
#51 - pwauth was not given a login & password to check. The means
|
|
||||||
# the passing of data from mod_auth_external to pwauth is messed
|
|
||||||
# up. Most likely one is trying to pass data via environment
|
|
||||||
# variables, while the other is trying to pass data via a pipe.
|
|
||||||
#52 - one of several possible internal errors occured.
|
|
||||||
|
|
||||||
|
|
||||||
$uid = $username;
|
$uid = $username;
|
||||||
# TODO: Reinstate this code once passwd is working...
|
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
|
||||||
/*
|
|
||||||
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
|
|
||||||
|
|
||||||
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
|
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
|
||||||
array_shift($groups);
|
array_shift($groups);
|
||||||
array_shift($groups);
|
array_shift($groups);
|
||||||
array_pop($groups);
|
array_pop($groups);
|
||||||
|
|
||||||
$info = posix_getpwnam($uid);
|
$info = posix_getpwnam($uid);
|
||||||
$group = $info['gid'];
|
$group = $info['gid'];
|
||||||
if (!in_array($group, $groups)) {
|
if (!in_array($group, $groups)) {
|
||||||
$groups[] = $group;
|
$groups[] = $group;
|
||||||
}
|
}
|
||||||
*/
|
$result = array(
|
||||||
$cn = "Unknown McUnknown";
|
'uid' => array($uid),
|
||||||
$groups = array();
|
'cn' => array($cn),
|
||||||
|
'group' => $groups,
|
||||||
$result = array(
|
);
|
||||||
'uid' => array($uid),
|
if (isset($this->mail_domain)) {
|
||||||
'cn' => array($cn),
|
$result['mail'] = array($uid.$this->mail_domain);
|
||||||
'group' => $groups,
|
}
|
||||||
);
|
return $result;
|
||||||
if (isset($this->mail_domain)) {
|
}
|
||||||
$result['mail'] = array($uid.$this->mail_domain);
|
|
||||||
}
|
|
||||||
return $result;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
|
||||||
|
/* This is the name of this authentication source, and will be used to access it later. */
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
|
||||||
|
'entityID' => 'https://bekkalokk.pvv.ntnu.no/',
|
||||||
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
|
@ -31,7 +31,7 @@ $config = [
|
||||||
* external url, no matter where you come from (direct access or via the
|
* external url, no matter where you come from (direct access or via the
|
||||||
* reverse proxy).
|
* reverse proxy).
|
||||||
*/
|
*/
|
||||||
'baseurlpath' => '/',
|
'baseurlpath' => 'simplesaml/',
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The 'application' configuration array groups a set configuration options
|
* The 'application' configuration array groups a set configuration options
|
||||||
|
@ -66,7 +66,7 @@ $config = [
|
||||||
* When specified as a relative path, this is relative to the SimpleSAMLphp
|
* When specified as a relative path, this is relative to the SimpleSAMLphp
|
||||||
* root directory.
|
* root directory.
|
||||||
*/
|
*/
|
||||||
'cachedir' => '$CACHE_DIRECTORY',
|
'cachedir' => '/var/cache/mediawiki/simplesamlphp',
|
||||||
//'loggingdir' => '/var/log/',
|
//'loggingdir' => '/var/log/',
|
||||||
//'datadir' => '/var/data/',
|
//'datadir' => '/var/data/',
|
||||||
|
|
||||||
|
@ -532,7 +532,7 @@ $config = [
|
||||||
* one of the functionalities below, but in some cases you could run multiple functionalities.
|
* one of the functionalities below, but in some cases you could run multiple functionalities.
|
||||||
* In example when you are setting up a federation bridge.
|
* In example when you are setting up a federation bridge.
|
||||||
*/
|
*/
|
||||||
'enable.saml20-idp' => true,
|
'enable.saml20-idp' => false,
|
||||||
'enable.adfs-idp' => false,
|
'enable.adfs-idp' => false,
|
||||||
|
|
||||||
|
|
||||||
|
@ -555,7 +555,6 @@ $config = [
|
||||||
|
|
||||||
'module.enable' => [
|
'module.enable' => [
|
||||||
'admin' => true,
|
'admin' => true,
|
||||||
'authpwauth' => true,
|
|
||||||
],
|
],
|
||||||
|
|
||||||
|
|
||||||
|
@ -1195,7 +1194,7 @@ $config = [
|
||||||
* See http://www.php.net/manual/en/pdo.drivers.php for the various
|
* See http://www.php.net/manual/en/pdo.drivers.php for the various
|
||||||
* syntaxes.
|
* syntaxes.
|
||||||
*/
|
*/
|
||||||
'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
|
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3',
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The username and password to use when connecting to the database.
|
* The username and password to use when connecting to the database.
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
let
|
let
|
||||||
pwAuthScript = pkgs.writeShellApplication {
|
pwAuthScript = pkgs.writeShellApplication {
|
||||||
name = "pwauth";
|
name = "pwauth";
|
||||||
runtimeInputs = with pkgs; [ coreutils heimdal ];
|
|
||||||
text = ''
|
text = ''
|
||||||
read -r user1
|
read -r user1
|
||||||
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
|
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
|
||||||
|
@ -11,181 +10,86 @@ let
|
||||||
read -r _
|
read -r _
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
# kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
|
${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
|
||||||
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
package = pkgs.simplesamlphp.override {
|
package = (pkgs.simplesamlphp.override {
|
||||||
extra_files = {
|
authsourcesFile = pkgs.writeText "idp-authsources.php" ''
|
||||||
# NOTE: Using self signed certificate created 30. march 2024, with command:
|
<?php
|
||||||
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
|
$config = array(
|
||||||
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
|
'pwauth' => array(
|
||||||
<?php
|
'authpwauth:PwAuth',
|
||||||
$metadata['https://idp2.pvv.ntnu.no/'] = array(
|
'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
|
||||||
'host' => '__DEFAULT__',
|
'mail_domain' => '@pvv.ntnu.no',
|
||||||
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
|
),
|
||||||
'certificate' => '${./idp.crt}',
|
);
|
||||||
'auth' => 'pwauth',
|
'';
|
||||||
);
|
saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
|
||||||
?>
|
configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
|
||||||
'';
|
cp ${./config.php} "$out"
|
||||||
|
|
||||||
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
|
substituteInPlace "$out" \
|
||||||
<?php
|
--replace '$SAML_COOKIE_SECURE' 'true' \
|
||||||
${ lib.pipe config.services.idp.sp-remote-metadata [
|
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
|
||||||
(map (url: ''
|
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
|
||||||
$metadata['${url}'] = [
|
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
|
||||||
'SingleLogoutService' => [
|
'';
|
||||||
[
|
}).overrideAttrs (prev: {
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
postInstall = prev.postInstall + ''
|
||||||
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
|
install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
|
||||||
],
|
'';
|
||||||
[
|
});
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
|
|
||||||
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'AssertionConsumerService' => [
|
|
||||||
[
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
|
|
||||||
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
|
|
||||||
'index' => 0,
|
|
||||||
],
|
|
||||||
[
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
|
|
||||||
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
|
|
||||||
'index' => 1,
|
|
||||||
],
|
|
||||||
],
|
|
||||||
];
|
|
||||||
''))
|
|
||||||
(lib.concatStringsSep "\n")
|
|
||||||
]}
|
|
||||||
?>
|
|
||||||
'';
|
|
||||||
|
|
||||||
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
|
|
||||||
<?php
|
|
||||||
$config = array(
|
|
||||||
'admin' => array(
|
|
||||||
'core:AdminPassword'
|
|
||||||
),
|
|
||||||
'pwauth' => array(
|
|
||||||
'authpwauth:PwAuth',
|
|
||||||
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
|
|
||||||
'mail_domain' => '@pvv.ntnu.no',
|
|
||||||
),
|
|
||||||
);
|
|
||||||
?>
|
|
||||||
'';
|
|
||||||
|
|
||||||
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
|
|
||||||
cp ${./config.php} "$out"
|
|
||||||
|
|
||||||
substituteInPlace "$out" \
|
|
||||||
--replace '$SAML_COOKIE_SECURE' 'true' \
|
|
||||||
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
|
|
||||||
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
|
|
||||||
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
|
|
||||||
--replace '$STATE_DIRECTORY' '/var/lib/idp' \
|
|
||||||
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
|
|
||||||
'';
|
|
||||||
|
|
||||||
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.services.idp.sp-remote-metadata = lib.mkOption {
|
users.groups."idp" = { };
|
||||||
type = with lib.types; listOf str;
|
users.users."idp" = {
|
||||||
default = [ ];
|
description = "PVV Identity Provider Service User";
|
||||||
description = ''
|
group = "idp";
|
||||||
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
|
createHome = false;
|
||||||
|
isSystemUser = true;
|
||||||
:::{.note}
|
|
||||||
Make sure the url ends with a `/`
|
|
||||||
:::
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
services.phpfpm.pools.idp = {
|
||||||
sops.secrets = {
|
user = "idp";
|
||||||
"idp/certificate" = {
|
group = "idp";
|
||||||
owner = "idp";
|
settings = let
|
||||||
group = "idp";
|
listenUser = config.services.nginx.user;
|
||||||
mode = "0770";
|
listenGroup = config.services.nginx.group;
|
||||||
};
|
in {
|
||||||
"idp/privatekey" = {
|
"pm" = "dynamic";
|
||||||
owner = "idp";
|
"pm.max_children" = 32;
|
||||||
group = "idp";
|
"pm.max_requests" = 500;
|
||||||
mode = "0770";
|
"pm.start_servers" = 2;
|
||||||
};
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 4;
|
||||||
|
"listen.owner" = listenUser;
|
||||||
|
"listen.group" = listenGroup;
|
||||||
|
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
# "php_admin_value[error_log]" = "stderr";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.groups."idp" = { };
|
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
|
||||||
users.users."idp" = {
|
forceSSL = true;
|
||||||
description = "PVV Identity Provider Service User";
|
enableACME = true;
|
||||||
group = "idp";
|
root = "${package}/share/php/simplesamlphp/public";
|
||||||
createHome = false;
|
locations = {
|
||||||
isSystemUser = true;
|
"/".index = "index.php";
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.settings."10-idp" = {
|
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
"/var/cache/idp".d = {
|
"~ /(.+\\.php)" = {
|
||||||
user = "idp";
|
extraConfig = ''
|
||||||
group = "idp";
|
fastcgi_index index.php;
|
||||||
mode = "0770";
|
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
|
||||||
};
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
"/var/lib/idp".d = {
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
user = "idp";
|
|
||||||
group = "idp";
|
|
||||||
mode = "0770";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.phpfpm.pools.idp = {
|
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$request_filename;
|
||||||
user = "idp";
|
fastcgi_param SCRIPT_NAME $request_filename;
|
||||||
group = "idp";
|
'';
|
||||||
settings = let
|
|
||||||
listenUser = config.services.nginx.user;
|
|
||||||
listenGroup = config.services.nginx.group;
|
|
||||||
in {
|
|
||||||
"pm" = "dynamic";
|
|
||||||
"pm.max_children" = 32;
|
|
||||||
"pm.max_requests" = 500;
|
|
||||||
"pm.start_servers" = 2;
|
|
||||||
"pm.min_spare_servers" = 2;
|
|
||||||
"pm.max_spare_servers" = 4;
|
|
||||||
"listen.owner" = listenUser;
|
|
||||||
"listen.group" = listenGroup;
|
|
||||||
|
|
||||||
"catch_workers_output" = true;
|
|
||||||
"php_admin_flag[log_errors]" = true;
|
|
||||||
# "php_admin_value[error_log]" = "stderr";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
root = "${package}/share/php/simplesamlphp/public";
|
|
||||||
locations = {
|
|
||||||
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
|
|
||||||
"/" = {
|
|
||||||
alias = "${package}/share/php/simplesamlphp/public/";
|
|
||||||
index = "index.php";
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
|
|
||||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
|
|
||||||
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
|
|
||||||
fastcgi_param SCRIPT_NAME /$phpfile;
|
|
||||||
fastcgi_param PATH_INFO $pathinfo if_not_empty;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,33 +0,0 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
|
|
||||||
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
|
|
||||||
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
|
|
||||||
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
|
|
||||||
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
|
|
||||||
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
|
|
||||||
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
|
|
||||||
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
|
|
||||||
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
|
|
||||||
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
|
|
||||||
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
|
|
||||||
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
|
|
||||||
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
|
|
||||||
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
|
|
||||||
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
|
|
||||||
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
|
|
||||||
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
|
|
||||||
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
|
|
||||||
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
|
|
||||||
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
|
|
||||||
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
|
|
||||||
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
|
|
||||||
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
|
|
||||||
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
|
|
||||||
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
|
|
||||||
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
|
|
||||||
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
|
|
||||||
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
|
|
||||||
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
|
|
||||||
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
|
|
||||||
UxTpf01QJnZkMqf5NQ==
|
|
||||||
-----END CERTIFICATE-----
|
|
|
@ -1,22 +0,0 @@
|
||||||
''
|
|
||||||
<?php
|
|
||||||
$metadata['https://idp2.pvv.ntnu.no/'] = [
|
|
||||||
'metadata-set' => 'saml20-idp-hosted',
|
|
||||||
'entityid' => 'https://idp2.pvv.ntnu.no/',
|
|
||||||
'SingleSignOnService' => [
|
|
||||||
[
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
||||||
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'SingleLogoutService' => [
|
|
||||||
[
|
|
||||||
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
||||||
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
|
|
||||||
'certificate' => '${./idp.crt}',
|
|
||||||
];
|
|
||||||
?>
|
|
||||||
''
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
<?php
|
||||||
|
$metadata['https://idp.pvv.ntnu.no/'] = array (
|
||||||
|
'metadata-set' => 'saml20-idp-remote',
|
||||||
|
'entityid' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
'SingleSignOnService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'SingleLogoutService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
|
||||||
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
|
||||||
|
);
|
|
@ -8,27 +8,19 @@
|
||||||
group = config.users.users.${user}.group;
|
group = config.users.users.${user}.group;
|
||||||
|
|
||||||
simplesamlphp = pkgs.simplesamlphp.override {
|
simplesamlphp = pkgs.simplesamlphp.override {
|
||||||
extra_files = {
|
authsourcesFile = ./simplesamlphp/authsources.php;
|
||||||
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
|
saml20-idp-remoteFile = ./simplesamlphp/saml20-idp-remote.php;
|
||||||
|
configFile = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
|
||||||
|
cp ${./simplesamlphp/config.php} "$out"
|
||||||
|
|
||||||
"config/authsources.php" = ./simplesaml-authsources.php;
|
substituteInPlace "$out" \
|
||||||
|
--replace '$SAML_COOKIE_SECURE' 'true' \
|
||||||
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
|
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
|
||||||
cp ${./simplesaml-config.php} "$out"
|
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
|
||||||
|
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )'
|
||||||
substituteInPlace "$out" \
|
'';
|
||||||
--replace '$SAML_COOKIE_SECURE' 'true' \
|
|
||||||
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
|
|
||||||
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
|
|
||||||
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
|
|
||||||
--replace '$STATE_DIRECTORY' '/var/lib/mediawiki' \
|
|
||||||
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
|
|
||||||
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"mediawiki/password" = {
|
"mediawiki/password" = {
|
||||||
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
|
||||||
|
@ -73,6 +65,7 @@ in {
|
||||||
"pm.max_spare_servers" = 4;
|
"pm.max_spare_servers" = 4;
|
||||||
"listen.owner" = listenUser;
|
"listen.owner" = listenUser;
|
||||||
"listen.group" = listenGroup;
|
"listen.group" = listenGroup;
|
||||||
|
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
|
||||||
"catch_workers_output" = true;
|
"catch_workers_output" = true;
|
||||||
"php_admin_flag[log_errors]" = true;
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
@ -102,10 +95,7 @@ in {
|
||||||
$wgGroupPermissions['*']['edit'] = false;
|
$wgGroupPermissions['*']['edit'] = false;
|
||||||
|
|
||||||
# Styling
|
# Styling
|
||||||
$wgLogos = array(
|
$wgLogo = "/PNG/PVV-logo.png";
|
||||||
"2x" => "/PNG/PVV-logo.png",
|
|
||||||
"svg" => "/PNG/PVV-logo.svg",
|
|
||||||
);
|
|
||||||
$wgDefaultSkin = "monobook";
|
$wgDefaultSkin = "monobook";
|
||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
|
@ -116,13 +106,15 @@ in {
|
||||||
|
|
||||||
# SimpleSAML
|
# SimpleSAML
|
||||||
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
|
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
|
||||||
|
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
|
||||||
|
$wgSimpleSAMLphp_RealNameAttribute = "cn";
|
||||||
|
$wgSimpleSAMLphp_EmailAttribute = "mail";
|
||||||
|
$wgSimpleSAMLphp_UsernameAttribute = "uid";
|
||||||
|
|
||||||
$wgPluggableAuth_Config['Log in using my SAML'] = [
|
$wgPluggableAuth_Config['Log in using my SAML'] = [
|
||||||
'plugin' => 'SimpleSAMLphp',
|
'plugin' => 'SimpleSAMLphp',
|
||||||
'data' => [
|
'data' => [
|
||||||
'authSourceId' => 'default-sp',
|
'authSourceId' => 'default-sp',
|
||||||
'usernameAttribute' => 'uid',
|
|
||||||
'emailAttribute' => 'mail',
|
|
||||||
'realNameAttribute' => 'cn',
|
|
||||||
]
|
]
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -131,9 +123,13 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# 'usernameAttribute' => 'username',
|
||||||
|
# 'realNameAttribute' => 'name',
|
||||||
|
# 'emailAttribute' => 'email'
|
||||||
|
|
||||||
# Cache directory for simplesamlphp
|
# Cache directory for simplesamlphp
|
||||||
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
|
||||||
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
|
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp/core".d = {
|
||||||
user = "mediawiki";
|
user = "mediawiki";
|
||||||
group = "mediawiki";
|
group = "mediawiki";
|
||||||
mode = "0770";
|
mode = "0770";
|
||||||
|
@ -211,7 +207,18 @@ in {
|
||||||
"/images".root = config.services.mediawiki.uploadsDir;
|
"/images".root = config.services.mediawiki.uploadsDir;
|
||||||
|
|
||||||
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
|
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
|
||||||
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
|
|
||||||
|
# Redirects from gitea
|
||||||
|
"/Projects".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"^~ /Projects/(.+\\.php)".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/oysteikt".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/Drift".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/felixalb".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/adriangl".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/danio".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/pederbs".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/jonmro".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
|
"/explore".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
<?php
|
|
||||||
$config = array(
|
|
||||||
'admin' => array(
|
|
||||||
'core:AdminPassword'
|
|
||||||
),
|
|
||||||
'default-sp' => array(
|
|
||||||
'saml:SP',
|
|
||||||
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
|
|
||||||
# 'entityID' => 'https://idp2.pvv.ntnu.no/',
|
|
||||||
'idp' => 'https://idp2.pvv.ntnu.no/',
|
|
||||||
),
|
|
||||||
);
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
<?php
|
||||||
|
$config = array(
|
||||||
|
|
||||||
|
/* This is the name of this authentication source, and will be used to access it later. */
|
||||||
|
'default-sp' => array(
|
||||||
|
'saml:SP',
|
||||||
|
# 'entityID' => 'https://wiki.pvv.ntnu.no/',
|
||||||
|
'entityID' => 'https://wiki2.pvv.ntnu.no/',
|
||||||
|
'idp' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
),
|
||||||
|
);
|
|
@ -66,7 +66,7 @@ $config = [
|
||||||
* When specified as a relative path, this is relative to the SimpleSAMLphp
|
* When specified as a relative path, this is relative to the SimpleSAMLphp
|
||||||
* root directory.
|
* root directory.
|
||||||
*/
|
*/
|
||||||
'cachedir' => '$CACHE_DIRECTORY',
|
'cachedir' => '/var/cache/mediawiki/simplesamlphp',
|
||||||
//'loggingdir' => '/var/log/',
|
//'loggingdir' => '/var/log/',
|
||||||
//'datadir' => '/var/data/',
|
//'datadir' => '/var/data/',
|
||||||
|
|
||||||
|
@ -1195,7 +1195,7 @@ $config = [
|
||||||
* See http://www.php.net/manual/en/pdo.drivers.php for the various
|
* See http://www.php.net/manual/en/pdo.drivers.php for the various
|
||||||
* syntaxes.
|
* syntaxes.
|
||||||
*/
|
*/
|
||||||
'store.sql.dsn' => 'sqlite:$STATE_DIRECTORY/simplesamlphp.sqlite3',
|
'store.sql.dsn' => 'sqlite:/var/lib/mediawiki/simplesamlphp.sqlite3',
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The username and password to use when connecting to the database.
|
* The username and password to use when connecting to the database.
|
|
@ -0,0 +1,23 @@
|
||||||
|
<?php
|
||||||
|
$metadata['https://idp.pvv.ntnu.no/'] = array (
|
||||||
|
'metadata-set' => 'saml20-idp-remote',
|
||||||
|
'entityid' => 'https://idp.pvv.ntnu.no/',
|
||||||
|
'SingleSignOnService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'SingleLogoutService' =>
|
||||||
|
array (
|
||||||
|
0 =>
|
||||||
|
array (
|
||||||
|
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||||
|
'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
|
||||||
|
),
|
||||||
|
),
|
||||||
|
'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
|
||||||
|
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
|
||||||
|
);
|
|
@ -1,9 +1,9 @@
|
||||||
{ lib
|
{ php
|
||||||
, php
|
|
||||||
, writeText
|
, writeText
|
||||||
, fetchFromGitHub
|
, fetchFromGitHub
|
||||||
, extra_files ? { }
|
, configFile ? "config/config.php.dist"
|
||||||
|
, authsourcesFile ? "config/authsources.php.dist"
|
||||||
|
, saml20-idp-remoteFile ? writeText "saml20-idp-remote.php" "<?php ?>"
|
||||||
}:
|
}:
|
||||||
|
|
||||||
php.buildComposerProject rec {
|
php.buildComposerProject rec {
|
||||||
|
@ -24,10 +24,11 @@ php.buildComposerProject rec {
|
||||||
# TODO: metadata could be fetched automagically with these:
|
# TODO: metadata could be fetched automagically with these:
|
||||||
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
|
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
|
||||||
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
|
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
|
||||||
postPatch = lib.pipe extra_files [
|
postPatch = ''
|
||||||
(lib.mapAttrsToList (target_path: source_path: ''install -Dm444 "${source_path}" "${target_path}"''))
|
install -Dm444 "${configFile}" "config/config.php"
|
||||||
(lib.concatStringsSep "\n")
|
install -Dm444 "${authsourcesFile}" "config/authsources.php"
|
||||||
];
|
install -Dm444 "${saml20-idp-remoteFile}" "metadata/saml20-idp-remote.php"
|
||||||
|
'';
|
||||||
|
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
|
ln -sr $out/share/php/simplesamlphp/vendor/simplesamlphp/simplesamlphp-assets-base $out/share/php/simplesamlphp/public/assets/base
|
||||||
|
|
Loading…
Reference in New Issue