WIP: it works wahoo! and now for the cleanup

2025-12-17 19:07:01 +09:00
parent 2262438085
commit e3ac9f7404
8 changed files with 68 additions and 1468 deletions


@@ -1,21 +0,0 @@
<?php
declare(strict_types=1);
$config = [
'admin' => [
'core:AdminPassword',
],
'example-userpass' => [
'exampleauth:UserPass',
'users' => [
'user:user' => [
'uid' => ['user'],
'eduPersonAffiliation' => ['member', 'student'],
],
'admin:admin' => [
'uid' => ['admin'],
'eduPersonAffiliation' => ['member', 'employee'],
],
],
],
];



@@ -11,7 +11,25 @@ $config = [
'dev-sp' => [ 'dev-sp' => [
'saml:SP', 'saml:SP',
'entityID' => 'http://localhost:1080/simplesaml/', 'entityID' => 'http://localhost:1080/simplesaml/sp',
'idp' => 'http://localhost:1080/simplesaml-idp/', 'idp' => 'http://localhost:1080/simplesaml/idp',
],
'example-userpass' => [
'exampleauth:UserPass',
'users' => [
'user:user' => [
'uid' => ['user'],
'eduPersonAffiliation' => ['member', 'student'],
],
'admin:admin' => [
'uid' => ['admin'],
'eduPersonAffiliation' => ['member', 'employee'],
],
],
],
'admin' => [
'core:AdminPassword',
], ],
]; ];
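Review bot: The `example-userpass` source added at L43–L55 puts the well-known `user:user` and `admin:admin` test accounts into the service-provider's authsources, and nothing in the hunk marks them as local-only. Since this same install now also hosts the IdP (config.php turns on `enable.saml20-idp` and the `exampleauth` module), a comment above the entry such as `// Local-development IdP test accounts; not for any deployed environment.` would make the intent explicit for the cleanup this commit announces. The enclosing `$config` array starts before the hunk.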


@@ -190,7 +190,7 @@ $config = [
* A possible way to generate a random salt is by running the following command from a unix shell: * A possible way to generate a random salt is by running the following command from a unix shell:
* LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo * LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
*/ */
'secretsalt' => $SAML_COOKIE_SALT, 'secretsalt' => 'supersecretandlongsaltvaluechangeit',
/* /*
* This password must be kept secret, and modified from the default value 123. * This password must be kept secret, and modified from the default value 123.
@@ -202,7 +202,7 @@ $config = [
* ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13) * ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13)
* to generate this hashed value. * to generate this hashed value.
*/ */
'auth.adminpassword' => $SAML_ADMIN_PASSWORD, 'auth.adminpassword' => '$argon2id$v=19$m=64,t=4,p=1$anU4QTExRXVDRzJNRkhqaw$VJ/LIKwUjH/9JJjdBbEQNXbTArli5Np9VkIlZx4A1aM',
/* /*
* Set this option to true if you want to require administrator password to access the metadata. * Set this option to true if you want to require administrator password to access the metadata.
@@ -237,7 +237,7 @@ $config = [
* Example: * Example:
* 'trusted.url.domains' => ['sp.example.com', 'app.example.com'], * 'trusted.url.domains' => ['sp.example.com', 'app.example.com'],
*/ */
'trusted.url.domains' => $SAML_TRUSTED_DOMAINS, 'trusted.url.domains' => [ 'localhost', 'localhost:1080' ],
/* /*
* Enable regular expression matching of trusted.url.domains. * Enable regular expression matching of trusted.url.domains.
@@ -338,7 +338,7 @@ $config = [
'debug' => [ 'debug' => [
'saml' => true, 'saml' => true,
'backtraces' => true, 'backtraces' => true,
'validatexml' => false, 'validatexml' => true,
], ],
/* /*
@@ -349,7 +349,7 @@ $config = [
* the error to 'technicalcontact_email'. * the error to 'technicalcontact_email'.
*/ */
'showerrors' => true, 'showerrors' => true,
'errorreporting' => false, 'errorreporting' => true,
/* /*
* When showerrors is true, this is an array of which errors * When showerrors is true, this is an array of which errors
@@ -612,7 +612,7 @@ $config = [
* one of the functionalities below, but in some cases you could run multiple functionalities. * one of the functionalities below, but in some cases you could run multiple functionalities.
* In example when you are setting up a federation bridge. * In example when you are setting up a federation bridge.
*/ */
'enable.saml20-idp' => false, 'enable.saml20-idp' => true,
'enable.adfs-idp' => false, 'enable.adfs-idp' => false,
@@ -633,6 +633,7 @@ $config = [
* ], * ],
*/ */
'module.enable' => [ 'module.enable' => [
'exampleauth' => true,
'core' => true, 'core' => true,
'admin' => true, 'admin' => true,
'saml' => true, 'saml' => true,
@@ -694,7 +695,7 @@ $config = [
* Example: * Example:
* 'session.cookie.domain' => '.example.org', * 'session.cookie.domain' => '.example.org',
*/ */
'session.cookie.domain' => '', // 'session.cookie.domain' => 'localhost',
/* /*
* Set the secure flag in the cookie. * Set the secure flag in the cookie.
@@ -705,7 +706,7 @@ $config = [
* *
* If unset, SimpleSAMLphp will try to automatically determine the right value * If unset, SimpleSAMLphp will try to automatically determine the right value
*/ */
'session.cookie.secure' => $SAML_COOKIE_SECURE, 'session.cookie.secure' => false,
/* /*
* Set the SameSite attribute in the cookie. * Set the SameSite attribute in the cookie.
@@ -724,14 +725,15 @@ $config = [
* Example: * Example:
* 'session.cookie.samesite' => 'None', * 'session.cookie.samesite' => 'None',
*/ */
'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, // 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
'session.cookie.samesite' => 'Lax',
/* /*
* Options to override the default settings for php sessions. * Options to override the default settings for php sessions.
*/ */
'session.phpsession.cookiename' => 'SimpleSAML', 'session.phpsession.cookiename' => 'SimpleSAML',
'session.phpsession.savepath' => null, // 'session.phpsession.savepath' => '/home/h7x4/pvv/nettsiden/sessionstate',
'session.phpsession.httponly' => true, 'session.phpsession.httponly' => false,
/* /*
* Option to override the default settings for the auth token cookie * Option to override the default settings for the auth token cookie
@@ -914,7 +916,7 @@ $config = [
'language.cookie.name' => 'language', 'language.cookie.name' => 'language',
'language.cookie.domain' => '', 'language.cookie.domain' => '',
'language.cookie.path' => '/', 'language.cookie.path' => '/',
'language.cookie.secure' => true, 'language.cookie.secure' => false,
'language.cookie.httponly' => false, 'language.cookie.httponly' => false,
'language.cookie.lifetime' => (60 * 60 * 24 * 900), 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null, 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
@@ -990,7 +992,7 @@ $config = [
* *
* Defaults to true. * Defaults to true.
*/ */
'production' => true, 'production' => false,
/* /*
* SimpleSAMLphp modules can host static resources which are served through PHP. * SimpleSAMLphp modules can host static resources which are served through PHP.
@@ -1304,7 +1306,7 @@ $config = [
* *
* The default datastore is 'phpsession'. * The default datastore is 'phpsession'.
*/ */
'store.type' => 'phpsession', 'store.type' => 'sql',
/* /*
* The DSN the sql datastore should connect to. * The DSN the sql datastore should connect to.
@@ -1312,7 +1314,7 @@ $config = [
* See http://www.php.net/manual/en/pdo.drivers.php for the various * See http://www.php.net/manual/en/pdo.drivers.php for the various
* syntaxes. * syntaxes.
*/ */
'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', 'store.sql.dsn' => 'sqlite:/home/h7x4/pvv/nettsiden/session.sqlite',
/* /*
* The username and password to use when connecting to the database. * The username and password to use when connecting to the database.
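Review bot: On the new side of the `secretsalt` and `auth.adminpassword` lines (hunks at L63 and L70) the `$SAML_COOKIE_SALT` and `$SAML_ADMIN_PASSWORD` variables are replaced by literals, so a fixed salt and an admin password hash are now committed with the config; keep the variables and give them a development fallback instead, e.g. `'secretsalt' => $SAML_COOKIE_SALT ?? 'supersecretandlongsaltvaluechangeit',` (where the variables are populated is outside the hunk). `store.sql.dsn` at L166 likewise pins `sqlite:/home/h7x4/pvv/nettsiden/session.sqlite`, a path that exists on one developer's machine only, so the shell.nix setup will not produce a working session store anywhere else; a location derived from `__DIR__` or `sys_get_temp_dir()` would be portable. `session.cookie.secure => false` is unavoidable for plain-http localhost, but `session.phpsession.httponly => false` at L137 is not required by that and should stay `true`.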


@@ -2,7 +2,7 @@
declare(strict_types=1); declare(strict_types=1);
$metadata['http://localhost:1080/simplesaml-idp/'] = [ $metadata['http://localhost:1080/simplesaml/idp'] = [
'host' => '__DEFAULT__', 'host' => '__DEFAULT__',
'privatekey' => 'localhost.pem', 'privatekey' => 'localhost.pem',
'certificate' => 'localhost.crt', 'certificate' => 'localhost.crt',


@@ -21,20 +21,30 @@ $metadata['https://idp.pvv.ntnu.no/'] = [
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
]; ];
$metadata['http://localhost:1080/simplesaml-idp/'] = [ function getCertData(string $path): string
{
$cert = file_get_contents($path);
$cert = str_replace("-----BEGIN CERTIFICATE-----", "", $cert);
$cert = str_replace("-----END CERTIFICATE-----", "", $cert);
$cert = str_replace(["\r", "\n"], "", $cert);
return $cert;
}
$metadata['http://localhost:1080/simplesaml/idp'] = [
'metadata-set' => 'saml20-idp-remote', 'metadata-set' => 'saml20-idp-remote',
'entityid' => 'https://localhost:1080/', 'entityid' => 'https://localhost:1080/simplesaml/idp',
'SingleSignOnService' => [ 'SingleSignOnService' => [
0 => [ 0 => [
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://localhost:1080/simplesaml-idp/simplesaml/saml2/idp/SSOService.php', 'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SSOService.php',
], ],
], ],
'SingleLogoutService' => [ 'SingleLogoutService' => [
0 => [ 0 => [
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://localhost:1080/simplesaml-idp/simplesaml/saml2/idp/SingleLogoutService.php', 'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SingleLogoutService.php',
], ],
], ],
'certData' => getCertData(__DIR__ . '/../cert/localhost.crt'),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
]; ];
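Review bot: `getCertData()` (L184–L191) passes the result of `file_get_contents($path)` straight into `str_replace`, so a missing or unreadable `cert/localhost.crt` yields `false`, which either coerces into an empty `certData` or, if the file declares `strict_types`, throws a `TypeError` from inside metadata loading — a confusing failure either way; guard it with `$cert = file_get_contents($path); if ($cert === false) { throw new \RuntimeException("Cannot read IdP certificate: {$path}"); }`. The inner `entityid` at L194 is `https://localhost:1080/simplesaml/idp` while the array key at L192, the hosted-IdP key and the SP's `idp` setting all use `http://`; if SimpleSAMLphp matches on the key this is harmless, but the mismatch should be resolved rather than left to that. Declaring a named function in a metadata file may also raise a redeclare error if the file is ever included twice — worth confirming against how the metadata loader includes files.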


@@ -1,15 +1,15 @@
<?php <?php
$metadata['http://localhost:1080/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [ $metadata['http://localhost:1080/simplesaml/sp'] = [
'AssertionConsumerService' => [ 'AssertionConsumerService' => [
[ [
'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp', 'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-acs.php/dev-sp',
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
], ],
], ],
'SingleLogoutService' => [ 'SingleLogoutService' => [
[ [
'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp', 'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-logout.php/dev-sp',
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
], ],
], ],


@@ -29,18 +29,20 @@ pkgs.mkShellNoCC {
pushd "$PROJECT_ROOT" pushd "$PROJECT_ROOT"
composer install || exit $? composer install || exit $?
cp -r vendor/simplesamlphp vendor/simplesamlphp-idp # cp -r vendor/simplesamlphp vendor/simplesamlphp-idp
# Set up SimpleSAMLphp service provider # Set up SimpleSAMLphp service provider
install dist/service-provider/authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php install -m644 dist/service-provider/authsources.php -t vendor/simplesamlphp/simplesamlphp/config/
install dist/service-provider/config.php vendor/simplesamlphp/simplesamlphp/config/config.php install -m644 dist/service-provider/config.php -t vendor/simplesamlphp/simplesamlphp/config/
install dist/service-provider/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php install -m644 dist/service-provider/saml20-idp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
install -m644 dist/service-provider/saml20-idp-hosted.php -t vendor/simplesamlphp/simplesamlphp/metadata/
install -m644 dist/service-provider/saml20-sp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
# Set up SimpleSAMLphp identity provider (for local testing) # Set up SimpleSAMLphp identity provider (for local testing)
install dist/identity-provider/authsources.php vendor/simplesamlphp-idp/simplesamlphp/config/authsources.php # install -m644 dist/identity-provider/authsources.php -t vendor/simplesamlphp-idp/simplesamlphp/config/
install dist/identity-provider/config.php vendor/simplesamlphp-idp/simplesamlphp/config/config.php # install -m644 dist/identity-provider/config.php -t vendor/simplesamlphp-idp/simplesamlphp/config/
install dist/identity-provider/saml20-idp-hosted.php vendor/simplesamlphp-idp/simplesamlphp/metadata/saml20-idp-hosted.php # install -m644 dist/identity-provider/saml20-idp-hosted.php -t vendor/simplesamlphp-idp/simplesamlphp/metadata/
install dist/identity-provider/saml20-sp-remote.php vendor/simplesamlphp-idp/simplesamlphp/metadata/saml20-sp-remote.php # install -m644 dist/identity-provider/saml20-sp-remote.php -t vendor/simplesamlphp-idp/simplesamlphp/metadata/
openssl req \ openssl req \
-newkey rsa:4096 \ -newkey rsa:4096 \
@@ -48,14 +50,14 @@ pkgs.mkShellNoCC {
-x509 \ -x509 \
-days 3652 \ -days 3652 \
-nodes \ -nodes \
-out vendor/simplesamlphp-idp/simplesamlphp/cert/localhost.crt \ -out vendor/simplesamlphp/simplesamlphp/cert/localhost.crt \
-keyout vendor/simplesamlphp-idp/simplesamlphp/cert/localhost.pem \ -keyout vendor/simplesamlphp/simplesamlphp/cert/localhost.pem \
-subj "/C=NO/ST=Trondheim/L=Trondheim/O=Programvareverkstedet/CN=localhost" -subj "/C=NO/ST=Trondheim/L=Trondheim/O=Programvareverkstedet/CN=localhost"
cp dist/config.local.php config.php cp dist/config.local.php config.php
ln -s ../vendor/simplesamlphp/simplesamlphp/public/ www/simplesaml ln -s ../vendor/simplesamlphp/simplesamlphp/public/ www/simplesaml
ln -s ../vendor/simplesamlphp-idp/simplesamlphp/public/ www/simplesaml-idp # ln -s ../vendor/simplesamlphp-idp/simplesamlphp/public/ www/simplesaml-idp
popd popd
fi fi
''; '';
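Review bot: The replaced commands are kept as comments on the new side (L234, L242–L245, L257) rather than deleted; the `vendor/simplesamlphp-idp` copy they describe no longer exists, so they only document a dead layout and should go in the cleanup this commit announces. The new `saml20-idp-remote.php` resolves `cert/localhost.crt` relative to the metadata directory, and the `openssl req` that writes that file (L246–L254) runs after the `install` lines, so the metadata points at a file that only exists once the whole block has finished; the guard around the block is outside the hunk, so it is worth confirming a partially run setup cannot leave the certificate missing.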