Skip to content

Commit

Permalink
Initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
Erin Fahy committed Oct 21, 2017
0 parents commit c607f4e
Show file tree
Hide file tree
Showing 8 changed files with 551 additions and 0 deletions.
59 changes: 59 additions & 0 deletions .ebextensions/00_recompile_nginx.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
packages:
yum:
git: []
gd-devel: []
perl-ExtUtils-Embed: []
GeoIP-devel: []
gperftools-devel: []

files:
/root/build-nginx.sh:
mode: "000755"
owner: root
group: root
content: |
rm -rf build
mkdir ./build ; cd ./build

# the headers-more-nginx-module requires nginx 1.11.2
wget -O - http://nginx.org/download/nginx-1.11.2.tar.gz | tar xfvz -
git clone https://github.com/nginx-shib/nginx-http-shibboleth.git
git clone https://github.com/openresty/headers-more-nginx-module.git

cd nginx-1.11.2/

./configure --add-module=../nginx-http-shibboleth \
--add-module=../headers-more-nginx-module \
--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx \
--user=nginx --group=nginx --with-file-aio --with-ipv6 \
--with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_addition_module --with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
--with-http_sub_module --with-http_dav_module --with-http_flv_module \
--with-http_mp4_module --with-http_gunzip_module \
--with-http_gzip_static_module --with-http_random_index_module \
--with-http_secure_link_module --with-http_degradation_module \
--with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-http_auth_request_module \
--with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit \
--with-stream=dynamic --with-stream_ssl_module \
--with-google_perftools_module --with-debug \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
--with-ld-opt=' -Wl,-E'

make
make install

commands:
01_build_nginx:
test: test -e $(2>&1 nginx -V | tr -- - '\n' | grep _module | grep shib)
command: chmod +x ~/build-nginx.sh && ~/build-nginx.sh
29 changes: 29 additions & 0 deletions .ebextensions/01_yum_repos.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
files:
/etc/yum.repos.d/jcu.repo:
mode: "000755"
owner: root
group: root
content: |
[jcu-eresearch]
name=JCU eResearch EL6 Custom Repo
baseurl=https://www.hpc.jcu.edu.au/repos/jcu_eresearch/centos-6/
gpgcheck=0
enabled=1
priority=1
/etc/yum.repos.d/shib.repo:
mode: "000755"
owner: root
group: root
content: |
[security_shibboleth]
name=Shibboleth (RHEL_6)
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/repodata/repomd.xml.key
enabled=1

commands:
01_clean_yum:
command: yum clean all
02_update_yum:
command: yum update
3 changes: 3 additions & 0 deletions .ebextensions/02_install_shib.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
packages:
yum:
shibboleth: []
33 changes: 33 additions & 0 deletions .ebextensions/03_supervisor.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
files:
/etc/supervisord.conf:
mode: "000755"
owner: root
group: root
content: |
[fcgi-program:shibauthorizer]
command=/usr/lib64/shibboleth/shibauthorizer
socket=unix:///opt/shibboleth/shibauthorizer.sock
socket_owner=shibd:shibd
socket_mode=0660
user=shibd
stdout_logfile=/var/log/shibboleth/shibauthorizer.log
stderr_logfile=/var/log/shibboleth/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/usr/lib64/shibboleth/shibresponder
socket=unix:///opt/shibboleth/shibresponder.sock
socket_owner=shibd:shibd
socket_mode=0660
user=shibd
stdout_logfile=/var/log/shibboleth/shibresponder.log
stderr_logfile=/var/log/shibboleth/shibresponder.error.log

[supervisord]

[supervisorctl]

commands:
01_install_supervisor:
command: easy_install supervisor
02_supervise_auth_and_respond:
command: supervisord -c /etc/supervisord.conf
251 changes: 251 additions & 0 deletions .ebextensions/04_shib_xml.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,251 @@
files:
/etc/shibboleth/shibboleth2.xml:
mode: "000755"
owner: root
group: root
content: |
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
<!--
READ ME!

This configuration file is based on Shibboleth SP v2.4.4. Stanford
runs both a production and development IdP (identity provider)
system, each with a pair of load balanced servers. This file is
pre-configured against the production IdP. If you ever want to
authenticate against dev instead, replace 'idp.stanford.edu' with
'idp-dev.stanford.edu' in the two locations below (SSO link and
metadata download).

More information:

* https://itservices.stanford.edu/service/shibboleth/sp
* http://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

-->
<!--

By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.

-->
<!--

To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.

For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.

-->

<RequestMapper type="XML">
<RequestMap>
<Host name="SERVICENAME"
authType="shibboleth"
requireSession="true"
redirectToSSL="443">
<Path name="/secure" />
</Host>
</RequestMap>
</RequestMapper>

<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
-->
<ApplicationDefaults entityID="PROVIDERID" REMOTE_USER="eppn persistent-id targeted-id">
<!--

Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.

-->
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
<!--

Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.

-->
<SSO entityID="https://idp.stanford.edu/">SAML2 SAML1</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!--
Extension service that generates "approximate" metadata based on SP configuration.
-->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed" cacheToDisk="false"/>
</Sessions>
<!--

Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.

-->
<Errors supportContact="EMAIL" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
<!--
Example of remotely supplied batch of signed metadata.
-->
<!--

<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>

-->
<!--
Automatically download and refresh the IDP's metadata.
-->
<MetadataProvider type="XML" uri="https://idp.stanford.edu/metadata.xml" backingFilePath="/etc/shibboleth/metadata/metadata.xml" reloadInterval="7200"></MetadataProvider>
<!-- Example of locally maintained metadata. -->
<!--

<MetadataProvider type="XML" file="partner-metadata.xml"/>

-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
<!--
Use a SAML query if no attributes are supplied during SSO.
-->
<AttributeResolver type="Query" subjectMatch="true"/>
<!--
Default filtering policy for recognized attributes, lets other data pass.
-->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!--
Simple file-based resolver for using a single keypair.
-->
<CredentialResolver type="File" key="SSLKEY" certificate="SSLCERT"/>
<!--

The default settings can be overridden by creating ApplicationOverride elements (see
the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.

Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":

-->
<!--

<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>

-->
</ApplicationDefaults>
<!--
Policies that determine how to process and authenticate runtime messages.
-->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!--
Low-level configuration about protocols and bindings available for use.
-->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

/etc/shibboleth/attribute-map.xml:
mode: "000755"
owner: root
group: root
content: |
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
First some useful eduPerson attributes that many sites might use.
-->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
<!--
A persistent id attribute that supports personalized anonymous access.
-->
<!-- First, the deprecated version: -->
<!--
Using SAML2 so comment out SAML1 definition.
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
-->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<!-- Second, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<!-- Third, the SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
</Attribute>
<!--
Examples of common attributes, uncomment to use these.
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid-alt"/>
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.12" id="title"/>
<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF"/>
<Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
<Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:suUnivID" id="suUnivID"/>
<Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationID" id="suPrimaryOrganizationID" />
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.1.1" id="suRegID" />
<Attribute name="suAffiliation" id="suAffiliation"/>
<Attribute name="urn:mace:dir:attribute-def:suPrimaryOrganizationName" id="suPrimaryOrganizationName"/>
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.204" id="suPrimaryOrganizationName" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameLast" id="suDisplayNameLast" />
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.25" id="suDisplayNameLast" />
<Attribute name="urn:mace:dir:attribute-def:suDisplayNameFirst" id="suDisplayNameFirst"/>
<Attribute name="urn:oid:1.3.6.1.4.1.299.11.1.23" id="suDisplayNameFirst" />
<Attribute name="urn:mace:dir:attribute-def:o" id="o" />
<Attribute name="urn:oid:2.5.4.10" id="o" />
<Attribute name="urn:mace:dir:attribute-def:description" id="description" />
<Attribute name="urn:oid:2.5.4.13" id="description" />

-->
</Attributes>
11 changes: 11 additions & 0 deletions .ebextensions/05_load_certs.config
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
commands:
01_copy_shib_key:
command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/shib/shibd.key /etc/shibboleth/
02_copy_shib_csr:
command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/shib/shibd.crt /etc/shibboleth/

# this should be a combo with the cert and any intermediates
03_copy_ssl_crt:
command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/certs/server.crt /etc/pki/tls/certs/
04_copy_ssl_key:
command: aws s3 cp s3://elasticbeanstalk-REGION-ACCOUNT/certs/server.key /etc/pki/tls/private/
Loading

0 comments on commit c607f4e

Please sign in to comment.