#
# $access_control_ips: an array of IP addresses that should have
# access to administrative pages (e.g., the status page). These addresses
# should be valid CIDR ranges. Note that these are IN ADDITION to the ones
# we allow by default (localhost, load-balancer, other IdP servers, Adam
# and Vivien's workstation).
# Example:
#
# shibb_idp3::config::access_control_allowedRanges:
#   - 171.67.218.160/28
#   - 172.27.218.160/28
#   - 171.64.19.46/32
#
# Note that '127.0.0.1/32' and '::1/128' are automatically added to this
# list.
# DEFAULT: [] (the empty array)
#
# $access_checkInterval: sets the property
# idp.service.access.checkInterval in the services.xml file. This is
# how often access-control.xml should be checked for reload.
# DEFAULT: 'PT5M'
#
# $relyingparty_checkInterval: sets the property
# idp.service.relyingparty.checkInterval in the services.xml file. This is
# how often relying-party.xml should be checked for reload.
# DEFAULT: 'PT2M'
#
# $access_nameidGeneration: sets the property
# idp.service.nameidGeneration.checkInterval in the services.xml
# file. This time is how often saml-nameid.xml should be checked for
# reload.  DEFAULT: 'PT2M'
#
# $nameid_checkInterval: sets the property
# idp.service.nameidGeneration.checkInterval in the services.xml
# file. This time is how often saml-nameid.xml should be checked for
# reload.  DEFAULT: 'PT2M'
#
# $filter_checkInterval: sets the property
# idp.service.attribute.filter.checkInterval in the services.xml
# file. This time is how often attribute-filter.xml should be checked for
# reload.  DEFAULT: 'PT2M'
#
# $resolver_checkInterval: sets the property
# idp.service.attribute.resolver.checkInterval in the services.xml
# file. This time is how often attribute-resolver.xml should be checked for
# reload.  DEFAULT: 'PT2M'
#
# $logging_checkInterval: sets the property
# idp.service.logging.checkInterval in the services.xml
# file. This time is how often logback.xml should be checked for
# reload.  DEFAULT: 'PT2M'
#
# $loghistory: the number of old log files to keep on LOCAL disk.
# DEFAULT: 15


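# Class: shibb_idp3::config
#
# Manages the Shibboleth IdP v3 configuration on a Debian host running the
# IdP under tomcat8: the tomcat8 defaults file, the services/logging/audit/
# access-control files, the log directory, and the custom TwoStepRemoteUser
# authentication flow.
#
# Parameters (the *_checkInterval values are the reload-interval properties
# rendered into services.properties by services.properties.erb):
#   $relyingparty_checkInterval   - idp.service.relyingparty.checkInterval
#   $access_checkInterval         - idp.service.access.checkInterval
#   $nameid_checkInterval         - idp.service.nameidGeneration.checkInterval
#   $filter_checkInterval         - idp.service.attribute.filter.checkInterval
#   $resolver_checkInterval       - idp.service.attribute.resolver.checkInterval
#   $logging_checkInterval        - idp.service.logging.checkInterval
#   $access_control_allowedRanges - extra CIDR ranges granted access to the
#                                   administrative pages; the header comment
#                                   of this file calls it $access_control_ips.
#                                   Consumed by access-control.xml.erb.
#   $loghistory                   - number of old log files kept on local
#                                   disk; consumed by logback.xml.erb.
#
# Package['shibboleth-identity-provider'] and $shibb_idp3::pool_fqdn are
# declared elsewhere in the module.
class shibb_idp3::config (
  $relyingparty_checkInterval   = 'PT2M',
  $access_checkInterval         = 'PT5M',
  $nameid_checkInterval         = 'PT2M',
  $filter_checkInterval         = 'PT2M',
  $resolver_checkInterval       = 'PT2M',
  $logging_checkInterval        = 'PT2M',
  $access_control_allowedRanges = [],
  $loghistory                   = '15',
){

  # Local copy of the pool FQDN so the ERB templates can use @pool_fqdn.
  # A bare variable reference is used rather than "${...}" (puppet-lint:
  # only_variable_string).
  $pool_fqdn = $shibb_idp3::pool_fqdn

  # Default attributes for the File resources declared in this class.
  # They apply to every File resource in this scope whatever the order it
  # is written in, so anything that must NOT be owned by the service
  # account sets owner/group explicitly.
  # NOTE(review): Puppet resource defaults are dynamically scoped, so they
  # may also reach the classes included below - confirm that is intended.
  File {
    ensure => 'present',
    mode   => '0644',
    owner  => 'tomcat8',
    group  => 'tomcat8',
  }

  ## tomcat8 configuration
  # /etc/default/tomcat8 is sourced by the init script as root. It is
  # deliberately root-owned so the tomcat8 service account cannot edit the
  # options the service is started with; without the explicit owner/group
  # the class-wide File defaults (tomcat8:tomcat8) would apply.
  file { '/etc/default/tomcat8':
    ensure => file,
    source => 'puppet:///modules/shibb_idp3/etc/default/tomcat8',
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }


  ### PROPERTIES FILES

  # idp.properties
  include shibb_idp3::config::idp_properties

  # services.properties
  # Controls the dynamic reloading behavior of the services listed in
  # services.xml (driven by the *_checkInterval parameters). Right now, we
  # want relying-party resources to use legacy V2 format.
  file { '/etc/shibboleth-idp/conf/services.properties':
    content => template('shibb_idp3/etc/shibboleth-idp/conf/services.properties.erb'),
    require => Package['shibboleth-identity-provider'],
  }

  ### Create the directory where the SP metadata files go.
  file { '/etc/shibboleth-idp/metadata':
    ensure  => directory,
    require => Package['shibboleth-identity-provider'],
  }


  ### The tomcat web.xml file

  # 1. web.xml: custom version contains TwoStepRemoteUser definition.
  file { '/opt/shibboleth-idp/webapp/WEB-INF/web.xml':
    content => template('shibb_idp3/opt/shibboleth-idp/webapp/WEB-INF/web.xml.erb'),
    require => Package['shibboleth-identity-provider'],
  }


  ### LOGGING

  # logback.xml: log-level settings. Note that the parameter
  # $loghistory is used in logback.xml.erb and sets the number of old log
  # files we keep on local disk.
  #
  # Being Debian, we put the logs in /var/log/shibboleth-idp and point the
  # IdP's logs path at that directory.
  file { '/var/log/shibboleth-idp':
    ensure => directory,
  }
  # NOTE(review): if the package ships /opt/shibboleth-idp/logs as a real
  # directory, replacing it with a symlink needs `force => true` - verify.
  file { '/opt/shibboleth-idp/logs':
    ensure  => link,
    target  => '/var/log/shibboleth-idp',
    require => Package['shibboleth-identity-provider'],
  }
  file { '/etc/shibboleth-idp/conf/logback.xml':
    content => template('shibb_idp3/etc/shibboleth-idp/conf/logback.xml.erb'),
    require => Package['shibboleth-identity-provider'],
  }

  # We want to run some of the shibboleth-idp log files through
  # filter-syslog and send them to root mail so we can see if there are
  # any system problems.
  #
  # The idp-warn log file contains messages of WARN or higher severity. We
  # want to see these messages in our root mail. We use a daily cron job
  # for this. Note that for this to work it is CRUCIAL that the
  # filter-syslog cron job runs; that job is not managed in this class.
  # The filter definition is read by root, so it is root-owned rather than
  # inheriting the tomcat8 File defaults.
  file { '/etc/filter-syslog/idp-warn':
    source => 'puppet:///modules/shibb_idp3/etc/filter-syslog/idp-warn',
    owner  => 'root',
    group  => 'root',
  }
  # The format of the audit log is set by conf/audit.xml. We add the
  # nameid type field to the default set of attributes included.
  file { '/etc/shibboleth-idp/conf/audit.xml':
    content => template('shibb_idp3/etc/shibboleth-idp/conf/audit.xml.erb'),
    require => Package['shibboleth-identity-provider'],
  }


  # 2. access-control.xml: allow access to status page. The ranges in
  # $access_control_allowedRanges are rendered into this file.
  file { '/etc/shibboleth-idp/conf/access-control.xml':
    content => template('shibb_idp3/etc/shibboleth-idp/conf/access-control.xml.erb'),
    require => Package['shibboleth-identity-provider'],
  }


  # 3. saml-nameid.xml
  include shibb_idp3::config::saml_nameid



  #### FLOWS

  # general-authn.xml: some customizations
  file { '/etc/shibboleth-idp/conf/authn/general-authn.xml':
    content => template('shibb_idp3/etc/shibboleth-idp/conf/authn/general-authn.xml.erb'),
    require => Package['shibboleth-identity-provider'],
  }

  file { '/etc/shibboleth-idp/conf/authn/twostepremoteuser-authn-config.xml':
    source  => 'puppet:///modules/shibb_idp3/etc/shibboleth-idp/conf/authn/twostepremoteuser-authn-config.xml',
    require => Package['shibboleth-identity-provider'],
  }

  # TwoStepRemoteUser flow: the flow directory is created first, then the
  # flow and beans definitions are placed in it (both require the directory,
  # which itself requires the package).
  file { '/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/':
    ensure  => directory,
    require => Package['shibboleth-identity-provider'],
  }
  file { '/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/twostepremoteuser-authn-flow.xml':
    source  => 'puppet:///modules/shibb_idp3/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/twostepremoteuser-authn-flow.xml',
    require => File['/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/'],
  }
  file { '/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/twostepremoteuser-authn-beans.xml':
    source  => 'puppet:///modules/shibb_idp3/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/twostepremoteuser-authn-beans.xml',
    require => File['/opt/shibboleth-idp/flows/authn/TwoStepRemoteUser/'],
  }

}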