Host both service provider and identity provider for local dev

2025-12-17 14:18:30 +09:00
parent 3d07547f80
commit 19c49b4a00
15 changed files with 1573 additions and 13 deletions
--- a/dist/simplesaml-dev/authsources.php
+++ b/dist/simplesaml-dev/authsources.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+$config = [
+    // This is used by the service provider to contact the identity provider
+    'default-sp' => [
+      'saml:SP',
+      'entityID' => 'http://localhost:1080/simplesaml/sp',
+      'idp' => 'http://localhost:1080/simplesaml/idp',
+    ],
+
+    // This is used by the identity provider to authenticate users
+    'example-userpass' => [
+        'exampleauth:UserPass',
+        'users' => [
+            'user:user' => [
+                'uid' => ['user'],
+                'group' => ['users'],
+                'cn' => '/home/pvv/d/user',
+                'mail' => 'user+test@pvv.ntnu.no',
+            ],
+            'admin:admin' => [
+                'uid' => ['admin'],
+                'group' => ['admins'],
+                'cn' => '/home/pvv/d/admin',
+                'mail' => 'admin+test@pvv.ntnu.no',
+            ],
+        ],
+    ],
+
+    // This is also used by the identity provider to authenticate IDP admins
+    // See http://localhost:1080/simplesaml/admin/
+    'admin' => [
+      'core:AdminPassword',
+    ],
+];
--- a/dist/simplesaml-dev/config.php
+++ b/dist/simplesaml-dev/config.php
--- a/dist/simplesaml-dev/saml20-idp-hosted.php
+++ b/dist/simplesaml-dev/saml20-idp-hosted.php
@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types=1);
+
+$metadata['http://localhost:1080/simplesaml/idp'] =  [
+    'host' => '__DEFAULT__',
+    'privatekey' => 'localhost.pem',
+    'certificate' => 'localhost.crt',
+    'auth' => 'example-userpass',
+];
--- a/dist/simplesaml-dev/saml20-idp-remote.php
+++ b/dist/simplesaml-dev/saml20-idp-remote.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+$metadata['https://idp.pvv.ntnu.no/'] =  [
+    'metadata-set' => 'saml20-idp-remote',
+    'entityid' => 'https://idp.pvv.ntnu.no/',
+    'SingleSignOnService' => [
+        0 => [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SSOService.php',
+        ],
+    ],
+    'SingleLogoutService' => [
+        0 => [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'https://idp.pvv.ntnu.no/simplesaml/saml2/idp/SingleLogoutService.php',
+        ],
+    ],
+    'certData' => 'MIIDpTCCAo2gAwIBAgIJAJIgibrB7NvsMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAk5PMR4wHAYDVQQKDBVQcm9ncmFtdmFyZXZlcmtzdGVkZXQxGDAWBgNVBAMMD2lkcC5wdnYubnRudS5ubzEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2Lm50bnUubm8wHhcNMTcxMTEzMjI0NTQyWhcNMjcxMTEzMjI0NTQyWjBpMQswCQYDVQQGEwJOTzEeMBwGA1UECgwVUHJvZ3JhbXZhcmV2ZXJrc3RlZGV0MRgwFgYDVQQDDA9pZHAucHZ2Lm50bnUubm8xIDAeBgkqhkiG9w0BCQEWEWRyaWZ0QHB2di5udG51Lm5vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAveLujCsgVCRA360y5yezy8FcSPhaqodggDqY12UTkYOMQLBFaph6uUL4oCUlXZqxScrAYVRt9yw+7BYpcm0p51VZzVCsfMxRVkn+O1eUvsaXq3f13f87QHKYP2f0uqkGf5PvnKIdSaI/ix8WJhD8XT+h0OkHEcaBvUtSG7zbEhvG21WPHwgw2rvZSneArQ8tOitZC0u8VXSfdhtf6ynRseo0xC95634UwQAZivhQ2v4A6Tp57QG5DCXIJ9/z3PkINx3KB/hOeh0EP6Dpbp+7V0/t9778E3whpm4llrH144kzROhA7EgUgkZOjAVjxGCYlcj3xQPnnItihVOZ5B5qLwIDAQABo1AwTjAdBgNVHQ4EFgQUPLhrB+Qb/Kzz7Car9GJkKmEkz6swHwYDVR0jBBgwFoAUPLhrB+Qb/Kzz7Car9GJkKmEkz6swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd+4E6t0j8/p8rbZE8y/gZ9GsiRhxkR4l6JbMRUfEpqHKi415qstChRcP2Lo3Yd5qdmj9tLDWoPsqet1QgyTTmQTgUmPhhMOQDqSh90LuqEJseKWafXGS/SfWLH6MWVmzDV5YofJEw2ThPiU58GiS06OLS2poq1eAesa2LQ22J8yYisXM4sxImIFte+LYQ1+1evfBWcvU1vrGsQ0VLJHdef9WoXp1swUFhq4Zk0c7gjHiB1CFVlExAAlk9L6W3CVXmKIYlf4eUnEBGkC061Ir42+uhAMWO9Y/L1NEuboTyd2KAI/6JdKdzpmfk7zPVxWlNxNCZ7OPNuvOKp6VlpB2EA==',
+    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+];
+
+function getCertData(string $path): string
+{
+    $cert = file_get_contents($path);
+    $cert = str_replace("-----BEGIN CERTIFICATE-----", "", $cert);
+    $cert = str_replace("-----END CERTIFICATE-----", "", $cert);
+    $cert = str_replace(["\r", "\n"], "", $cert);
+    return $cert;
+}
+
+$metadata['http://localhost:1080/simplesaml/idp'] =  [
+    'metadata-set' => 'saml20-idp-remote',
+    'entityid' => 'https://localhost:1080/simplesaml/idp',
+    'SingleSignOnService' => [
+        0 => [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SSOService.php',
+        ],
+    ],
+    'SingleLogoutService' => [
+        0 => [
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SingleLogoutService.php',
+        ],
+    ],
+    'certData' => getCertData(__DIR__ . '/../cert/localhost.crt'),
+    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+];
--- a/dist/simplesaml-dev/saml20-sp-remote.php
+++ b/dist/simplesaml-dev/saml20-sp-remote.php
@@ -0,0 +1,16 @@
+<?php
+
+$metadata['http://localhost:1080/simplesaml/sp'] = [
+    'AssertionConsumerService' => [
+        [
+            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+        ],
+    ],
+    'SingleLogoutService' => [
+        [
+            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ],
+    ],
+];
--- a/dist/simplesaml-prod/authsources.php
+++ b/dist/simplesaml-prod/authsources.php
--- a/dist/simplesaml-prod/config.php
+++ b/dist/simplesaml-prod/config.php
--- a/dist/simplesaml-prod/saml20-idp-remote.php
+++ b/dist/simplesaml-prod/saml20-idp-remote.php
--- a/dist/sql/pvv_mysql.sql
+++ b/dist/sql/pvv_mysql.sql
--- a/dist/sql/pvv_sqlite.sql
+++ b/dist/sql/pvv_sqlite.sql
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -4,7 +4,22 @@
 }:

 php.buildComposerProject rec {
-  src = ./..;
+  src = lib.fileset.toSource {
+    root = ./..;
+    fileset = lib.fileset.difference
+      (lib.fileset.unions [
+        ../dist
+        ../inc
+        ../src
+        ../www
+        ../composer.json
+        ../composer.lock
+      ])
+      (lib.fileset.unions [
+        (lib.fileset.maybeMissing ../www/simplesaml)
+        (lib.fileset.maybeMissing ../www/simplesaml-idp)
+      ]);
+  };
  pname = "pvv-nettsiden";
  version = "0.0.1";
  vendorHash = "sha256-7I7Fdp5DvCwCdYY66Mv0hZ+a8xRzQt+WMUKG544k7Fc=";
@@ -12,10 +27,10 @@ php.buildComposerProject rec {
  passthru.simplesamlphpPath = "share/php/pvv-nettsiden/vendor/simplesamlphp/simplesamlphp";

  postInstall = ''
-    install -Dm644 dist/simplesamlphp-config.php      $out/${passthru.simplesamlphpPath}/config/config.php
-    install -Dm644 dist/simplesamlphp-authsources.php $out/${passthru.simplesamlphpPath}/config/authsources.php
-    install -Dm644 dist/simplesamlphp-idp.php         $out/${passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php
-    install -Dm644 dist/config.source-env.php         $out/share/php/pvv-nettsiden/config.php
+    install -Dm644 dist/simplesaml-prod/config.php            "$out"/${passthru.simplesamlphpPath}/config/config.php
+    install -Dm644 dist/simplesaml-prod/authsources.php       "$$out/${passthru.simplesamlphpPath}/config/authsources.php
+    install -Dm644 dist/simplesaml-prod/saml20-idp-remote.php "$$out/${passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php
+    install -Dm644 dist/config.source-env.php                 "$$out/share/php/pvv-nettsiden/config.php

    ${lib.pipe extra_files [
      (lib.mapAttrsToList (target_path: source_path: ''
--- a/nix/shell.nix
+++ b/nix/shell.nix
@@ -12,6 +12,7 @@ pkgs.mkShellNoCC {
    php84Packages.php-cs-fixer
    sqlite-interactive
    sql-formatter
+    openssl
  ];

  # Prepare dev environment with sqlite and config files
@@ -21,16 +22,32 @@ pkgs.mkShellNoCC {
    declare -a PROJECT_ROOT="$("${lib.getExe pkgs.git}" rev-parse --show-toplevel)"

    mkdir -p "$PROJECT_ROOT/www/galleri/bilder/slideshow"
-    test -e "$PROJECT_ROOT/pvv.sqlite" || sqlite3 "$PROJECT_ROOT/pvv.sqlite" < "$PROJECT_ROOT/dist/pvv_sqlite.sql"
+    test -e "$PROJECT_ROOT/pvv.sqlite" || sqlite3 "$PROJECT_ROOT/pvv.sqlite" < "$PROJECT_ROOT/dist/sql/pvv_sqlite.sql"
    test -e "$PROJECT_ROOT/config.php" || cp -v "$PROJECT_ROOT/dist/config.local.php" "$PROJECT_ROOT/config.php"

    if [ ! -d "$PROJECT_ROOT/vendor" ] ; then
      pushd "$PROJECT_ROOT"
      composer install || exit $?

-      cp dist/simplesamlphp-authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-      cp dist/simplesamlphp-idp.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-      cp dist/simplesamlphp-config.php vendor/simplesamlphp/simplesamlphp/config/config.php
+      # Set up SimpleSAMLphp identity provider (for local testing)
+      install -m644 dist/simplesaml-dev/authsources.php -t vendor/simplesamlphp/simplesamlphp/config/
+      install -m644 dist/simplesaml-dev/config.php -t vendor/simplesamlphp/simplesamlphp/config/
+      install -m644 dist/simplesaml-dev/saml20-idp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
+      install -m644 dist/simplesaml-dev/saml20-idp-hosted.php -t vendor/simplesamlphp/simplesamlphp/metadata/
+      install -m644 dist/simplesaml-dev/saml20-sp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
+
+      # See session.phpsession.savepath in config.php
+      mkdir -p vendor/simplesamlphp/simplesamlphp/sessions/
+
+      openssl req \
+        -newkey rsa:4096 \
+        -new \
+        -x509 \
+        -days 3652 \
+        -nodes \
+        -out vendor/simplesamlphp/simplesamlphp/cert/localhost.crt \
+        -keyout vendor/simplesamlphp/simplesamlphp/cert/localhost.pem \
+        -subj "/C=NO/ST=Trondheim/L=Trondheim/O=Programvareverkstedet/CN=localhost"

      cp dist/config.local.php config.php