Commit decc5ea9 authored by Scotty Logan's avatar Scotty Logan

bunch of updates to simplify things

parent 4dc52fc2
# data/Debian.yaml
# generic defaults for Debian-based systems
---
shib_sp::httpd_group: www-data
# data/common.yaml
# common defaults
---
PassEnv REQUESTER_MAIL
PassEnv REQUESTER_NAME
PassEnv REQUESTER_SUNETID
PassEnv ADMIN_MAIL
PassEnv ADMIN_USER
PassEnv ADMIN_PASSWORD
PassEnv PLATFORM_GROUP
PassEnv PLATFORM_IDP
PassEnv PLATFORM_IDP
PassEnv PLATFORM_IDP
PassEnv SITE_NAME
PassEnv SITE_DESC
PassEnv SITE_APP
PassEnv SITE_TYPE
PassEnv SITE_URL
PassEnv SITE_DOMAIN
PassEnv SITE_ADMIN_GROUP
PassEnv SITE_OWNER_GROUP
PassEnv SITE_EDITOR_GROUP
PassEnv ENV_ID
PassEnv ENV_PORT
PassEnv ENV_IMAGE
PassEnv ENV_ELB
PassEnv ENV_IDP
PassEnv ENV_NAME
PassEnv ENV_DOMAIN
PassEnv ENV_URL
PassEnv ENV_ENTITY_ID
PassEnv RDS_DB_NAME
PassEnv RDS_USERNAME
PassEnv RDS_PASSWORD
PassEnv RDS_HOSTNAME
PassEnv AWS_ACCESS_KEY
PassEnv AWS_SECRET_KEY
PassEnv S3_FILE_BUCKET
PassEnv S3_LOG_BUCKET
PassEnv S3_BUCKET
\ No newline at end of file
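Review bot: `PassEnv PLATFORM_IDP` appears three times (L21–L23); the duplicates are harmless to Apache but read like a copy-paste slip, and one of them was probably meant for a different variable — worth checking against the variable names the image is started with. The list also hands `ADMIN_PASSWORD`, `RDS_PASSWORD` and `AWS_SECRET_KEY` to every request handler through the httpd environment, where anything that dumps its environment (a diagnostic script, a verbose error page) exposes them; pass only the variables the application actually reads and let the start script consume the rest. The file header is not visible on this page, so the path is inferred from the `platform_env.conf` source reference in init.pp.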
# suet-base/hiera.yaml
#
# Oh, the joys of multiple OSes on multiple architectures and virtualization
# platforms!
#
---
version: 5
defaults:
datadir: data
data_hash: yaml_data
hierarchy:
- name: "OS Family"
path: "%{os.family}.yaml"
- name: "Common"
path: "common.yaml"
# configure a Simple Shibboleth SP
# Class: shib_sp
# ===========================
#
# configure an Emerging Technology Apache + Shibboleth SP image
#
# === Authors
#
# Scotty Logan <swl@stanford.edu>
#
# === Copyright
#
# Copyright (c) 2018 The Board of Trustees of the Leland Stanford Junior
# University
#
class shib_sp (
$apache_service_enable,
$apache_service_ensure,
$httpd_group,
$entity_id = undef,
$support_email = 'support@example.com',
$idp = undef,
$metadata_uri = undef,
) {
class shibboleth_sp (
$idp = 'idp',
$contact = "webmaster@$::fqdn",
){
# add the admin user to the www-data group
user { 'admin':
groups => $httpd_group,
require => Package['httpd'],
}
case $idp {
'dev': {
$entity_id = 'https://idp.stanford.edu/'
$metadata_url = 'https://idp-dev.stanford.edu/metadata.xml'
}
'itlab': {
$entity_id = 'https://idp.itlab.stanford.edu/idp/shibboleth'
$metadata_url = 'https://idp.itlab.stanford.edu/idp/profile/Metadata/SAML'
}
default: {
$entity_id = 'https://idp.stanford.edu/'
$metadata_url = 'https://idp.stanford.edu/metadata.xml'
}
class { 'apache':
service_enable => $apache_service_enable,
service_ensure => $apache_service_ensure,
default_mods => false,
default_confd_files => false,
default_vhost => false,
log_formats => {
vhost_common => '%v %h %l %u %t \"%r\" %>s %b',
combined_elb => '%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"'
},
logroot => '/dev',
mpm_module => 'prefork',
}
package { 'libapache2-mod-shib2':
ensure => 'latest',
apache::vhost { 'shib_sp':
port => 8080,
docroot => '/var/www',
docroot_owner => 'root',
docroot_group => 'www-data',
docroot_mode => '0755',
servername => '${ENV_DOMAIN}', # lint:ignore:single_quote_string_with_variables
serveradmin => $support_email,
access_log_format => 'combined_elb',
access_log_file => 'stdout',
error_log_file => 'stdout',
directories => [
{
path => '/var/www',
allow_override => ['All'],
},
],
aliases => [
{
alias => '/shibboleth-sp',
path => '/usr/share/shibboleth',
}
],
}
class { 'apache::mod::alias': }
class { 'apache::mod::env': }
class { 'apache::mod::rewrite': }
class { 'apache::mod::authn_core': }
class { 'apache::mod::expires': }
class { 'apache::mod::headers': }
class { 'apache::mod::shib2': }
file {
[
'/var/log/apache2',
'/var/lock/apache2',
'/var/run/apache2',
]:
ensure => directory,
owner => 'www-data',
group => 'www-data',
mode => '0755',
require => Package['httpd'],
}
file { '/etc/apache2/conf.d/platform_env.conf':
ensure => file,
owner => '0',
group => '0',
mode => '0644',
source => "puppet:///modules/${module_name}/platform_env.conf",
}
file { '/etc/shibboleth/shibboleth2.xml':
ensure => file,
owner => 0,
group => 0,
owner => 'root',
group => 'root',
mode => '0644',
content => template('shibboleth_sp/shibboleth2.xml.erb'),
require => Package['libapache2-mod-shib2'],
content => template("${module_name}/shibboleth2.xml.erb"),
require => Class['apache::mod::shib2'],
}
file { '/etc/shibboleth/protocols.xml':
file { '/etc/shibboleth/attribute-map.xml':
ensure => file,
owner => 0,
group => 0,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/shibboleth_sp/protocols.xml',
require => Package['libapache2-mod-shib2'],
source => "puppet:///modules/${module_name}/attribute-map.xml",
require => Class['apache::mod::shib2'],
}
file { '/etc/shibboleth/attribute-map.xml':
file { '/etc/shibboleth/protocols.xml':
ensure => file,
owner => 0,
group => 0,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/shibboleth_sp/attribute-map.xml',
require => Package['libapache2-mod-shib2'],
source => "puppet:///modules/${module_name}/protocols.xml",
require => Class['apache::mod::shib2'],
}
file { '/start.sh':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
source => "puppet:///modules/${module_name}/start.sh",
}
}
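Review bot: `$entity_id`, `$idp` and `$metadata_uri` (L86, L88, L89) default to `undef` with no check, and the `case $idp` block that used to fill them in is gone, so an unset value renders as an empty `entityID=""`, `<SSO entityID="">` or `uri=""` in shibboleth2.xml.erb (L263, L271, L285) and the SP only fails at runtime; declaring them as mandatory typed parameters, `String $entity_id,` / `String $idp,` / `String $metadata_uri,`, makes catalog compilation fail instead. The template's new `<MetadataFilter type="Signature" certificate="md-signing.pem"/>` (L288) relies on a signing certificate this manifest does not manage — the three XML files under /etc/shibboleth get `file` resources, the certificate (presumably resolved relative to /etc/shibboleth, like `sp-cert.pem` at L299) does not — so either add a resource for it or document that it must already be in the image, since without it the filter rejects all metadata. Likewise `$httpd_group` is applied to the admin user (L97) but `docroot_group` (L132) and the log/lock/run directories (L166–L167) still hard-code `'www-data'`, so the value from Debian.yaml only half applies.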
......@@ -10,20 +10,18 @@
"issues_url": "https://code.stanford.edu/et/puppet-shibboleth-sp/issues",
"operatingsystem_support": [
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [
"14.04"
]
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [ "14.04", "16.04" ]
}
{
"operatingsystem": "Debian",
"operatingsystemrelease": [ "8", "9" ]
}
],
"dependencies": [
{
"name": "puppetlabs-concat",
"version_requirement": ">=2.1.0"
},
{
"name": "puppetlabs-apache",
"version_requirement": ">=1.8.0"
"version_requirement": ">=3.1.0"
}
]
}
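Review bot: The Ubuntu object's closing brace at L234 is printed once between the rewritten Ubuntu entry and the new Debian entry, which would leave the two array elements without a separating comma; the rendered view drops the +/- markers, so confirm the new side reads `},` there. The `puppetlabs-apache` requirement `">=3.1.0"` (L248) has no upper bound, so a future major release with incompatible parameter changes would still satisfy it; a bounded range such as `">= 3.1.0 < 4.0.0"` is the usual form for Forge metadata.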
......@@ -2,13 +2,13 @@
xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<ApplicationDefaults
entityID="https://<%= @fqdn %>/"
REMOTE_USER="uid WEBAUTH_USER">
entityID="<%= @entity_id %>"
REMOTE_USER="uid eppn">
<Sessions
lifetime="28800"
......@@ -18,7 +18,7 @@
handlerSSL="true"
cookieProps="; path=/; secure; HttpOnly">
<SSO entityID="<%= @entity_id %>">SAML2</SSO>
<SSO entityID="<%= @idp %>">SAML2</SSO>
<Logout>Local</Logout>
......@@ -31,22 +31,24 @@
</Sessions>
<Errors
supportContact="<%= @contact %>"
supportContact="<%= @support_email %>"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider
type="XML"
uri="<%= @metadata_url %>"
backingFilePath="idp-metata.xml"
reloadInterval="7200" />
uri="<%= @metadata_uri %>"
backingFilePath="/var/cache/shibboleth/md.xml"
reloadInterval="7200">
<MetadataFilter type="Signature" certificate="md-signing.pem"/>
</MetadataProvider>
<AttributeExtractor
type="XML"
validate="true"
reloadChanges="false"
path="attribute-map.xml"/>
<AttributeFilter
type="XML"
validate="true"
......@@ -58,7 +60,7 @@
certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider
type="XML"
validate="true"