dist/simplesamlphp-config: renew to 2.5

2025-12-17 04:50:44 +09:00
parent f782d20e56
commit 6fd4a0599c
1 changed files with 439 additions and 333 deletions
--- a/dist/simplesamlphp-config.php
+++ b/dist/simplesamlphp-config.php
@@ -5,15 +5,16 @@ declare(strict_types=1);
 require_once dirname(__DIR__, 4) . \DIRECTORY_SEPARATOR . 'config.php';
 /**
- * The configuration of SimpleSAMLphp.
+ * The configuration of SimpleSAMLphp
 */
-$httpUtils = new SimpleSAML\Utils\HTTP();
+
 $httpUtils = new \SimpleSAML\Utils\HTTP();
 $config = [
-  /*
+    /*******************************
     | BASIC CONFIGURATION OPTIONS |
-     */
+     *******************************/
    /*
     * Setup the following parameters to match your installation.
@@ -55,7 +56,7 @@ $config = [
         * need to compute the right URLs yourself and pass them dynamically
         * to SimpleSAMLphp's API.
         */
-    // 'baseURL' => 'https://example.com',
+        //'baseURL' => 'https://example.com',
    ],
    /*
@@ -65,15 +66,12 @@ $config = [
     * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
     *                 handler other than `file`.
     * - 'datadir': Storage of general data.
     * - 'tempdir': Saving temporary files. SimpleSAMLphp will attempt to create
     *   this directory if it doesn't exist. DEPRECATED - replaced by cachedir.
     * When specified as a relative path, this is relative to the SimpleSAMLphp
     * root directory.
     */
    'cachedir' => $CACHE_DIRECTORY,
-  // 'loggingdir' => '/var/log/',
+    //'loggingdir' => '/var/log/',
-  // 'datadir' => '/var/data/',
+    //'datadir' => '/var/data/',
  // 'tempdir' => '/tmp/simplesamlphp',
    /*
     * Certificate and key material can be loaded from different possible
@@ -119,11 +117,11 @@ $config = [
     * Defaults are shown below, to change them, uncomment the line and update as
     * needed
     */
-  // 'cert.pdo.table' => 'certificates',
+    //'cert.pdo.table' => 'certificates',
-  // 'cert.pdo.keytable' => 'private_keys',
+    //'cert.pdo.keytable' => 'private_keys',
-  // 'cert.pdo.apply_prefix' => true,
+    //'cert.pdo.apply_prefix' => true,
-  // 'cert.pdo.id_column' => 'id',
+    //'cert.pdo.id_column' => 'id',
-  // 'cert.pdo.data_column' => 'data',
+    //'cert.pdo.data_column' => 'data',
    /*
     * Some information about the technical persons running this installation.
@@ -139,7 +137,7 @@ $config = [
     *
     * Valid options are: mail, sendmail and smtp.
     */
-  // 'mail.transport.method' => 'smtp',
+    //'mail.transport.method' => 'smtp',
    /*
     * Set the transport options for the transport method specified.  The valid settings are relative to the
@@ -167,7 +165,7 @@ $config = [
     * This should be in a domain that has your application's IP addresses in its SPF record
     * to prevent it from being rejected by mail filters.
     */
-  // 'sendmail_from' => 'no-reply@example.org',
+    //'sendmail_from' => 'no-reply@example.org',
    /*
     * The timezone of the server. This option should be set to the timezone you want
@@ -180,9 +178,9 @@ $config = [
-  /*
+    /**********************************
     | SECURITY CONFIGURATION OPTIONS |
-     */
+     **********************************/
    /*
     * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash
@@ -199,6 +197,10 @@ $config = [
     * This password will give access to the installation page of SimpleSAMLphp with
     * metadata listing and diagnostics pages.
     * You can also put a hash here; run "bin/pwgen.php" to generate one.
     *
     * If you are using Ansible you might like to use
     * ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13)
     * to generate this hashed value.
     */
    'auth.adminpassword' => $SAML_ADMIN_PASSWORD,
@@ -280,7 +282,17 @@ $config = [
     * Whenever you change any of these headers, make sure to validate your config by running your
     * hostname through a security-test like https://en.internet.nl
    'headers.security' => [
-        'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'",
+        'Content-Security-Policy' =>
            "default-src 'none'; " .
            "frame-ancestors 'self'; " .
            "object-src 'none'; " .
            "script-src 'self'; " .
            "style-src 'self'; " .
            "font-src 'self'; " .
            "connect-src 'self'; " .
            "media-src data:; " .
            "img-src 'self' data:; " .
            "base-uri 'none'",
        'X-Frame-Options' => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy' => 'origin-when-cross-origin',
@@ -288,9 +300,9 @@ $config = [
     */
-  /*
+    /************************
     | ERRORS AND DEBUGGING |
-     */
+     ************************/
    /*
     * The 'debug' option allows you to control how SimpleSAMLphp behaves in certain
@@ -336,9 +348,69 @@ $config = [
     * When 'errorreporting' is enabled, a form will be presented for the user to report
     * the error to 'technicalcontact_email'.
     */
-  'showerrors' => true,
+    'showerrors' => false,
    'errorreporting' => true,
    /*
     * When showerrors is true, this is an array of which errors
     * should still be shown to the user. By default an error will
     * always be shown if showerrors==true and this setting is at the default value to allow all.
     *
     * If you list anything in this option you have to explicitly list each error
     * you would like to be shown to the user. You can also set the value to false
     * to hide that error. If this setting is used with anything other than the default
     * value and an error is not listed in the list then a backtrace for that error
     * will not be shown.
     *
     * These can be any of the error codes in
     * src/SimpleSAML/Error/ErrorCodes.php
     *
     */
    'showerrors.whitelist' => [ '*' => true ],
    /*
       some of the many possibilities for this setting
    'showerrors.whitelist' => [
       'ACSPARAMS' => true,
       'ADMINNOTHASHED' => true,
       'ARSPARAMS' => true,
       'AUTHSOURCEERROR' => true,
       'BADREQUEST' => true,
       'CASERROR' => true,
       'CONFIG' => true,
       'CREATEREQUEST' => true,
       'DISCOPARAMS' => true,
       'GENERATEAUTHNRESPONSE' => true,
       'INVALIDCERT' => true,
       'LDAPERROR' => true,
       'LOGOUTINFOLOST' => true,
       'LOGOUTREQUEST' => true,
       'MEMCACHEDOWN' => true,
       'METADATA' => true,
       'METADATANOTFOUND' => true,
       'METHODNOTALLOWED' => true,
       'NOACCESS' => true,
       'NOCERT' => true,
       'NORELAYSTATE' => true,
       'NOSTATE' => true,
       'NOTFOUND' => true,
       'NOTFOUNDREASON' => true,
       'NOTSET' => true,
       'NOTVALIDCERT' => true,
       'NOTVALIDCERTSIGNATURE' => true,
       'PROCESSASSERTION' => true,
       'PROCESSAUTHNREQUEST' => true,
       'RESPONSESTATUSNOSUCCESS' => true,
       'SLOSERVICEPARAMS' => true,
       'SSOPARAMS' => true,
       'UNHANDLEDEXCEPTION' => true,
       'UNKNOWNCERT' => true,
       'USERABORTED' => true,
       'WRONGUSERPASS' => true,
       ],
     */
    /*
     * Custom error show function called from SimpleSAML\Error\Error::show.
     * See docs/simplesamlphp-errorhandling.md for function code example.
@@ -348,9 +420,9 @@ $config = [
     */
-  /*
+    /**************************
     | LOGGING AND STATISTICS |
-     */
+     **************************/
    /*
     * Define the minimum log level to log. Available levels:
@@ -397,7 +469,7 @@ $config = [
     * - %msg: the message to be logged.
     *
     */
-  // 'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg',
+    //'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg',
    /*
     * Choose which facility should be used when logging with syslog.
@@ -410,7 +482,7 @@ $config = [
     *
     * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not.
     */
-  'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : \LOG_USER,
+    'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
    /*
     * The process name that should be used when logging to syslog.
@@ -446,15 +518,15 @@ $config = [
-  /*
+    /***********************
     | PROXY CONFIGURATION |
-     */
+     ***********************/
    /*
     * Proxy to use for retrieving URLs.
     *
     * Example:
-     *   'proxy' => 'tcp://proxy.example.com:5100'
+     *   'proxy' => 'http://proxy.example.com:5100'
     */
    'proxy' => null,
@@ -463,13 +535,13 @@ $config = [
     * Example:
     *   'proxy.auth' = 'myuser:password'
     */
-  // 'proxy.auth' => 'myuser:password',
+    //'proxy.auth' => 'myuser:password',
-  /*
+    /**************************
     | DATABASE CONFIGURATION |
-     */
+     **************************/
    /*
     * This database configuration is optional. If you are not using
@@ -529,9 +601,9 @@ $config = [
-  /*
+    /*************
     | PROTOCOLS |
-     */
+     *************/
    /*
     * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
@@ -543,33 +615,31 @@ $config = [
-  /*
+    /***********
     | MODULES |
-     */
+     ***********/
    /*
-     * Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled.
+     * Configuration for enabling/disabling modules. By default, the 'core', 'admin' and 'saml' modules are enabled.
     *
     * Example:
     *
     * 'module.enable' => [
     *     'exampleauth' => true, // Setting to TRUE enables.
     *     'consent' => false, // Setting to FALSE disables.
-     *     'core' => null, // Unset or NULL uses default.
+     *     'core' => null, // Unset or NULL uses default from \SimpleSAML\Module::$core_modules.
     * ],
     */
    'module.enable' => [
    'exampleauth' => false,
        'core' => true,
        'admin' => true,
        'saml' => true,
    ],
-  /*
+    /*************************
     | SESSION CONFIGURATION |
-     */
+     *************************/
    /*
     * This value is the duration of the session in seconds. Make sure that the time duration of
@@ -693,9 +763,9 @@ $config = [
-  /*
+    /**************************
     | MEMCACHE CONFIGURATION |
-     */
+     **************************/
    /*
     * Configuration for the 'memcache' session store. This allows you to store
@@ -815,16 +885,16 @@ $config = [
-  /*
+    /*************************************
     | LANGUAGE AND INTERNATIONALIZATION |
-     */
+     *************************************/
    /*
     * Languages available, RTL languages, and what language is the default.
     */
    'language.available' => [
        'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
-    'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw',
+        'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt_BR', 'tr', 'ja', 'zh', 'zh_TW',
        'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
    ],
    'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
@@ -847,7 +917,7 @@ $config = [
    'language.cookie.lifetime' => (60 * 60 * 24 * 900),
    'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
-  /*
+    /**
     * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
     * Function should return language code of one of the available languages or NULL.
     * See SimpleSAML\Locale\Language::getLanguage() source code for more info.
@@ -859,9 +929,9 @@ $config = [
     *   'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
     */
-  /*
+    /**************
     | APPEARANCE |
-     */
+     **************/
    /*
     * Which theme directory should be used?
@@ -872,16 +942,16 @@ $config = [
     * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
     * any text to appear in the header.
     */
-  // 'theme.header' => 'SimpleSAMLphp',
+    //'theme.header' => 'SimpleSAMLphp',
-  /*
+    /**
     * A template controller, if any.
     *
     * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set
     * the 'theme.controller' configuration option to a class that implements the
     * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it.
     */
-  // 'theme.controller' => '',
+    //'theme.controller' => '',
    /*
     * Templating options
@@ -890,7 +960,7 @@ $config = [
     * Set 'template.cache' to an absolute path pointing to a directory that
     * SimpleSAMLphp has read and write permissions to.
     */
-  // 'template.cache' => '',
+    //'template.cache' => '',
    /*
     * Set the 'template.auto_reload' to true if you would like SimpleSAMLphp to
@@ -900,6 +970,14 @@ $config = [
     */
    'template.auto_reload' => false,
    /*
     * Set the 'template.debug' to true to enable debugging for Twig templates.
     * This is useful during development as it provides better error messages.
     * Defaults to false.
     */
    //'template.debug' => false,
    /*
     * Set this option to true to indicate that your installation of SimpleSAMLphp
     * is running in a production environment. This will affect the way resources
@@ -917,6 +995,19 @@ $config = [
     * The serving of the resources can be configured through these settings.
     */
    'assets' => [
        /*
         * Used to generate cache buster tags. This salt is only used for this purpose.
         * You should set this in the same way as secretsalt.
         *
         * You can change this salt at any time. This will have the effect of explicit
         * cache busting as the tags for resources will change and thus all resources
         * will be fetched again.
         *
         * Leaving the default value in place can allow an attacker the opportunity
         * to work out the version of SSP you have installed.
         */
        'salt' => 'assets.salt.default',
        /*
         * These settings adjust the caching headers that are sent
         * when serving static resources.
@@ -938,16 +1029,16 @@ $config = [
        ],
    ],
-  /*
+    /**
     * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
     * front page to somewhere more useful. If left unset, a basic welcome message
     * is shown.
     */
-  // 'frontpage.redirect' => 'https://example.com/',
+    //'frontpage.redirect' => 'https://example.com/',
-  /*
+    /*********************
     | DISCOVERY SERVICE |
-     */
+     *********************/
    /*
     * Whether the discovery service should allow the user to save his choice of IdP.
@@ -976,9 +1067,9 @@ $config = [
-  /*
+    /*************************************
     | AUTHENTICATION PROCESSING FILTERS |
-     */
+     *************************************/
    /*
     * Authentication processing filters that will be executed for all IdPs
@@ -1060,9 +1151,9 @@ $config = [
-  /*
+    /**************************
     | METADATA CONFIGURATION |
-     */
+     **************************/
    /*
     * This option allows you to specify a directory for your metadata outside of the standard metadata directory
@@ -1130,6 +1221,21 @@ $config = [
     *     ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'],
     * ],
     *
     * This example defines a remote xml-file with optional connection context.
     * See PHP documentation for possible context options: https://www.php.net/manual/en/context.php
     *
     * 'metadata.sources' => [
     *     [
     *         'type' => 'xml',
     *         'url' => 'https://example.org/idp.example.org-idpMeta.xml',
     *         'context' => [
     *             'ssl' => [
     *                 'verify_peer' => true,
     *             ],
     *         ],
     *     ],
     * ],
     *
     * This example defines an mdq source.
     * 'metadata.sources' => [
     *      [
@@ -1182,9 +1288,9 @@ $config = [
    'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
-  /*
+    /****************************
     | DATA STORE CONFIGURATION |
-     */
+     ****************************/
    /*
     * Configure the data store for SimpleSAMLphp.
@@ -1288,9 +1394,9 @@ $config = [
     */
    'store.redis.sentinels' => [],
-  /*
+    /*********************
     | IdP/SP PROXY MODE |
-     */
+     *********************/
    /*
     * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends