Imported all shibboleth stuff from openstack-test05
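--- a/keystone/.gitignore
+++ b/keystone/.gitignore
@@ -1,8 +0,0 @@
-# ---> Vim
-[._]*.s[a-w][a-z]
-[._]s[a-w][a-z]
-*.un~
-Session.vim
-.netrwhist
-*~
-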
| @@ -13,16 +13,36 @@ RUN set -x \ | |||||||
|     && apt-get -y update \ |     && apt-get -y update \ | ||||||
|     && apt-get -y install \ |     && apt-get -y install \ | ||||||
|     && apt-get -y install keystone python-openstackclient \ |     && apt-get -y install keystone python-openstackclient \ | ||||||
|  |     && apt-get -y install libapache2-mod-shib2 \ | ||||||
|     && apt-get -y clean |     && apt-get -y clean | ||||||
|  |  | ||||||
| # set admin token TODO: make this a secret | # set admin token TODO: make this a secret | ||||||
| # in volume of met env | # in volume of met env | ||||||
| COPY keystone.conf /etc/keystone/keystone.conf | COPY keystone.conf /etc/keystone/keystone.conf | ||||||
|  |  | ||||||
|  | COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf | ||||||
|  |  | ||||||
|  | COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml | ||||||
|  | COPY attribute-map.xml /etc/shibboleth/attribute-map.xml | ||||||
|  | COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml | ||||||
|  |  | ||||||
|  | COPY sso_callback_template.html /etc/keystone/sso_callback_template.html | ||||||
|  |  | ||||||
|  | RUN mkdir /var/run/shibboleth | ||||||
|  |  | ||||||
|  | COPY run.sh /etc/run.sh | ||||||
|  |  | ||||||
| RUN mkdir /etc/keystone/fernet-keys | RUN mkdir /etc/keystone/fernet-keys | ||||||
|  |  | ||||||
| RUN chown keystone: /etc/keystone/fernet-keys | RUN chown keystone: /etc/keystone/fernet-keys | ||||||
|  |  | ||||||
|  | RUN a2enmod shib2 | ||||||
|  |  | ||||||
| COPY bootstrap.sh /etc/bootstrap.sh | COPY bootstrap.sh /etc/bootstrap.sh | ||||||
|  |  | ||||||
| CMD apachectl -DFOREGROUND | # Testing only!!! | ||||||
|  | RUN mkdir -p /var/www/html/secure | ||||||
|  | RUN apt-get -y install php libapache2-mod-php | ||||||
|  | COPY test.php /var/www/html/secure/test.php | ||||||
|  |  | ||||||
|  | CMD /etc/run.sh | ||||||
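Review bot: The `# Testing only!!!` block — `RUN mkdir -p /var/www/html/secure`, `RUN apt-get -y install php libapache2-mod-php`, `COPY test.php /var/www/html/secure/test.php` — bakes a PHP interpreter and a test page into the same image that serves the Keystone public and admin APIs, so whatever test.php exposes ends up in every deployment built from this file. Move those lines into a separate build stage or behind a build argument that defaults to off, so the production image carries no PHP at all. The standalone `apt-get install` also leaves a second package-cache layer behind the earlier `apt-get -y clean`; whatever package genuinely stays should join the first `apt-get -y install` line. The `# set admin token TODO: make this a secret` comment is context here and still applies to the keystone.conf this commit extends.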
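--- a/keystone/apache-keystone.conf
+++ b/keystone/apache-keystone.conf
@@ -0,0 +1,126 @@
+LoadModule ssl_module modules/mod_ssl.so
+
+Listen 5000
+Listen 35357
+
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require valid-user
+</Location>
+
+Alias "/secure" "/var/www/html/secure"
+
+<VirtualHost *:5000>
+    ServerName https://merlin.hpc.rug.nl:5000
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    # Added for federation.
+    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+    </Location>
+
+    <Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
+        ShibRequestSetting requireSession 1
+        AuthType shibboleth
+        ShibExportAssertion Off
+        Require valid-user
+
+        <IfVersion < 2.4>
+            ShibRequireSession On
+            ShibRequireAll On
+       </IfVersion>
+    </Location>
+
+    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+      AuthType shibboleth
+      Require valid-user
+      ShibRequestSetting requireSession 1
+      ShibRequireSession On
+      ShibExportAssertion Off
+    </Location>
+    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
+      AuthType shibboleth
+      Require valid-user
+    </Location>
+
+</VirtualHost>
+
+<VirtualHost *:35357>
+    ServerName https://merlin.hpc.rug.nl:35357
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
+    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+</VirtualHost>
+
+Alias /identity /usr/bin/keystone-wsgi-public
+<Location /identity>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>
+
+Alias /identity_admin /usr/bin/keystone-wsgi-admin
+<Location /identity_admin>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>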
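Review bot: `WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1` points at `/usr/local/bin` while `WSGIScriptAlias / /usr/bin/keystone-wsgi-public` on the same vhost uses `/usr/bin`; only one of those paths can exist on this image, so the federated auth route either fails or is quietly handled by the catch-all alias rather than by this line. The two websso locations are inconsistent as well: `<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">` sets `ShibRequestSetting requireSession 1`, but the IdP-specific `<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">` has only `AuthType shibboleth` and `Require valid-user`, so a browser arriving without a session may get a bare 401 instead of a redirect to the IdP — add `ShibRequestSetting requireSession 1` there. `<Location /secure>`, `Alias "/secure"`, `Alias /identity` and `Alias /identity_admin` all sit outside the two VirtualHosts, so they appear to be inherited by both and the test page and the admin WSGI script become reachable on the public port 5000 as well as on 35357; scope each to the vhost it is meant for, or drop the `/secure` pair together with test.php. Both vhosts turn on `SSLEngine on` with no `SSLProtocol` or `SSLCipherSuite`, so the installed mod_ssl's defaults decide what is negotiated, and `LoadModule ssl_module modules/mod_ssl.so` here duplicates the `a2enmod ssl` that run.sh performs at start-up.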
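--- a/keystone/attribute-map.xml
+++ b/keystone/attribute-map.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+
+
+
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
+  </Attribute>
+  <Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
+
+  <!-- Added for nikhef -->
+  <Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
+
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
+  <Attribute name="urn:oid:2.5.4.4"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
+  <Attribute name="urn:oid:2.5.4.42"                      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
+  <Attribute name="urn:oid:2.5.4.3"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9"       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.39"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
+</Attributes>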
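Review bot: The `Shib-ScopedAffiliation` entry maps `urn:oid:1.3.6.1.4.1.1466.115.121.1.15`, which is the LDAP Directory String syntax OID rather than eduPersonScopedAffiliation (`urn:oid:1.3.6.1.4.1.5923.1.1.1.9`), so the SP will never populate that attribute from a standard IdP release. `id="Shib-PersonalUnqiueCode"` is misspelled too, which matters because these ids are the names the SP exports and any policy or mapping written against the intended spelling will silently miss. `openstackGroupEntitlements` is the one attribute in this map that directly confers authorization, since rules.json turns its values into Keystone `group_ids`; a comment on that line would tell the next reader where its trust is decided, e.g. `<!-- Released by the IdP; rules.json maps its values straight to Keystone group_ids, so what is accepted here is governed by attribute-policy.xml -->`.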
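--- a/keystone/attribute-policy.xml
+++ b/keystone/attribute-policy.xml
@@ -0,0 +1,71 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
+    <!-- # Hacked for Nikhef federation
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+    </afp:PermitValueRule>
+    -->
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        
+        <afp:AttributeRule attributeID="eppn">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*">
+            <afp:PermitValueRule xsi:type="ANY"/>
+        </afp:AttributeRule>
+        
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>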
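Review bot: `<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>` replaces the commented-out `AttributeScopeMatchesShibMDScope` rule, so the scope of `eppn`, `affiliation` and `targeted-id` is no longer checked against the asserting IdP's metadata; any IdP this SP trusts can then assert an eppn in another institution's scope, and rules.json turns REMOTE_USER straight into a Keystone user name. Together with `<afp:PolicyRequirementRule xsi:type="ANY"/>` and the `attributeID="*"` catch-all, `openstackGroupEntitlements` is accepted unfiltered from whichever IdP sends it. If scope matching has to stay off for this federation, pin the policy to the expected issuer with `<afp:PolicyRequirementRule xsi:type="AttributeIssuerString" value="[IdP entityID placeholder]"/>` and give `openstackGroupEntitlements` its own `<afp:AttributeRule>` instead of leaving it to the catch-all. The bare `# Hacked for Nikhef federation` note should become a comment that records why the scope check was disabled and which IdP this configuration is for.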
| @@ -1,6 +1,7 @@ | |||||||
| [DEFAULT] | [DEFAULT] | ||||||
|  |  | ||||||
| verbose = true | verbose = true | ||||||
|  | log_file = /var/log/keystone/keystone.log | ||||||
|  |  | ||||||
| [database] | [database] | ||||||
| connection = mysql+pymysql://keystone:keystone@mariadb/keystone | connection = mysql+pymysql://keystone:keystone@mariadb/keystone | ||||||
| @@ -8,5 +9,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone | |||||||
| [token] | [token] | ||||||
| provider = fernet | provider = fernet | ||||||
|  |  | ||||||
|  | [auth] | ||||||
|  | methods = password,token,mapped,openid,saml2 | ||||||
|  |  | ||||||
|  | [federation] | ||||||
|  | trusted_dashboard = http://merlin.hpc.rug.nl/horizon/auth/websso/ | ||||||
|  | sso_calback_template = /etc/keystone/sso_calback_template.html | ||||||
|  |  | ||||||
|  | [mapped] | ||||||
|  | remote_id_attribute = Shib-Identity-Provider | ||||||
|  |  | ||||||
| [identity] | [identity] | ||||||
| default_domain_id = default | default_domain_id = default | ||||||
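Review bot: `sso_calback_template = /etc/keystone/sso_calback_template.html` misspells both the option name (Keystone's `[federation]` option is `sso_callback_template`) and the path — the Dockerfile in this commit copies the file to `/etc/keystone/sso_callback_template.html`; oslo.config ignores the unknown key, so this only works because Keystone's default happens to be the correctly spelled path. Change the line to `sso_callback_template = /etc/keystone/sso_callback_template.html`. `trusted_dashboard = http://merlin.hpc.rug.nl/horizon/auth/websso/` names a plain-http origin while the Apache vhosts added in this commit are TLS-only; the websso flow posts the unscoped token to this URL through the user's browser, and the value is compared against the `origin` the dashboard sends, so it should be the `https://` URL the dashboard actually uses.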
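--- a/keystone/routers.py
+++ b/keystone/routers.py
@@ -0,0 +1,252 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import functools
+
+from keystone.common import json_home
+from keystone.common import wsgi
+from keystone.federation import controllers
+
+
+build_resource_relation = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+build_parameter_relation = functools.partial(
+    json_home.build_v3_extension_parameter_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
+PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
+    parameter_name='protocol_id')
+SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
+
+
+class Routers(wsgi.RoutersBase):
+    """API Endpoints for the Federation extension.
+
+    The API looks like::
+
+        PUT /OS-FEDERATION/identity_providers/{idp_id}
+        GET /OS-FEDERATION/identity_providers
+        GET /OS-FEDERATION/identity_providers/{idp_id}
+        DELETE /OS-FEDERATION/identity_providers/{idp_id}
+        PATCH /OS-FEDERATION/identity_providers/{idp_id}
+
+        PUT /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        PATCH /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        DELETE /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+
+        PUT /OS-FEDERATION/mappings
+        GET /OS-FEDERATION/mappings
+        PATCH /OS-FEDERATION/mappings/{mapping_id}
+        GET /OS-FEDERATION/mappings/{mapping_id}
+        DELETE /OS-FEDERATION/mappings/{mapping_id}
+
+        GET /OS-FEDERATION/projects
+        GET /OS-FEDERATION/domains
+
+        PUT /OS-FEDERATION/service_providers/{sp_id}
+        GET /OS-FEDERATION/service_providers
+        GET /OS-FEDERATION/service_providers/{sp_id}
+        DELETE /OS-FEDERATION/service_providers/{sp_id}
+        PATCH /OS-FEDERATION/service_providers/{sp_id}
+
+        GET /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        POST /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        GET /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+        POST /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+
+
+        POST /auth/OS-FEDERATION/saml2
+        POST /auth/OS-FEDERATION/saml2/ecp
+        GET /OS-FEDERATION/saml2/metadata
+
+        GET /auth/OS-FEDERATION/websso/{protocol_id}
+            ?origin=https%3A//horizon.example.com
+
+        POST /auth/OS-FEDERATION/websso/{protocol_id}
+             ?origin=https%3A//horizon.example.com
+
+    """
+
+    def _construct_url(self, suffix):
+        return "/OS-FEDERATION/%s" % suffix
+
+    def append_v3_routers(self, mapper, routers):
+        auth_controller = controllers.Auth()
+        idp_controller = controllers.IdentityProvider()
+        protocol_controller = controllers.FederationProtocol()
+        mapping_controller = controllers.MappingController()
+        project_controller = controllers.ProjectAssignmentV3()
+        domain_controller = controllers.DomainV3()
+        saml_metadata_controller = controllers.SAMLMetadataV3()
+        sp_controller = controllers.ServiceProvider()
+
+        # Identity Provider CRUD operations
+
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers/{idp_id}'),
+            get_action='get_identity_provider',
+            put_action='create_identity_provider',
+            patch_action='update_identity_provider',
+            delete_action='delete_identity_provider',
+            rel=build_resource_relation(resource_name='identity_provider'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers'),
+            get_action='list_identity_providers',
+            rel=build_resource_relation(resource_name='identity_providers'))
+
+        # Protocol CRUD operations
+
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols/'
+                                     '{protocol_id}'),
+            get_action='get_protocol',
+            put_action='create_protocol',
+            patch_action='update_protocol',
+            delete_action='delete_protocol',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols'),
+            get_action='list_protocols',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocols'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+
+        # Mapping CRUD operations
+
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings/{mapping_id}'),
+            get_action='get_mapping',
+            put_action='create_mapping',
+            patch_action='update_mapping',
+            delete_action='delete_mapping',
+            rel=build_resource_relation(resource_name='mapping'),
+            path_vars={
+                'mapping_id': build_parameter_relation(
+                    parameter_name='mapping_id'),
+            })
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings'),
+            get_action='list_mappings',
+            rel=build_resource_relation(resource_name='mappings'))
+
+        # Service Providers CRUD operations
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers/{sp_id}'),
+            get_action='get_service_provider',
+            put_action='create_service_provider',
+            patch_action='update_service_provider',
+            delete_action='delete_service_provider',
+            rel=build_resource_relation(resource_name='service_provider'),
+            path_vars={
+                'sp_id': SP_ID_PARAMETER_RELATION,
+            })
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers'),
+            get_action='list_service_providers',
+            rel=build_resource_relation(resource_name='service_providers'))
+
+        self._add_resource(
+            mapper, domain_controller,
+            path=self._construct_url('domains'),
+            new_path='/auth/domains',
+            get_action='list_domains_for_user',
+            rel=build_resource_relation(resource_name='domains'))
+        self._add_resource(
+            mapper, project_controller,
+            path=self._construct_url('projects'),
+            new_path='/auth/projects',
+            get_action='list_projects_for_user',
+            rel=build_resource_relation(resource_name='projects'))
+
+        # Auth operations
+        self._add_resource(
+            mapper, auth_controller,
+            path=self._construct_url('identity_providers/{idp_id}/'
+                                     'protocols/{protocol_id}/auth'),
+            get_post_action='federated_authentication',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol_auth'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2'),
+            post_action='create_saml_assertion',
+            rel=build_resource_relation(resource_name='saml2'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2/ecp'),
+            post_action='create_ecp_assertion',
+            rel=build_resource_relation(resource_name='ecp'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('websso/{protocol_id}'),
+            get_post_action='federated_sso_auth',
+            rel=build_resource_relation(resource_name='websso'),
+            path_vars={
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url(
+                 'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
+            get_post_action='federated_idp_specific_sso_auth',
+            rel=build_resource_relation(resource_name='identity_providers'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+
+        # Keystone-Identity-Provider metadata endpoint
+        self._add_resource(
+            mapper, saml_metadata_controller,
+            path=self._construct_url('saml2/metadata'),
+            get_action='get_metadata',
+            rel=build_resource_relation(resource_name='metadata'))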
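Review bot: This file looks like a verbatim copy of Keystone's `keystone/federation/routers.py`, but nothing in the Dockerfile hunk of this commit copies it into the image, and neither the file nor the commit message records which upstream release it was taken from or what, if anything, was changed. A private copy of an upstream module without that record cannot be told apart from a patched one when Keystone is next upgraded, and silently diverges from the packaged routers. If it is meant to override the packaged module, add a header comment such as `# Copied from keystone [upstream version placeholder]; local changes: [none / list]` together with the corresponding `COPY` line in the Dockerfile; if it is not used, drop it from the commit.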
								keystone/rules.json
									
									
									
									
									
										Normal file
									
								
							
							
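--- a/keystone/rules.json
+++ b/keystone/rules.json
@@ -0,0 +1,20 @@
+[
+    {
+        "local": [
+            {
+                "group_ids": "{1}",
+                "user": {
+                    "name": "{0}"
+                }
+            }
+        ],
+        "remote": [
+            {
+                "type": "REMOTE_USER"
+            },
+            {
+                "type": "openstackGroupEntitlements"
+            }
+        ]
+    }
+]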
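Review bot: Neither remote entry in this mapping carries a condition, so every authenticated subject is mapped and whatever the IdP puts into `openstackGroupEntitlements` is used verbatim as Keystone group IDs via `"group_ids": "{1}"`; the IdP, not Keystone, decides which local groups a user lands in. If the intent is to let the IdP grant only a pre-agreed set of groups, constrain the second entry, e.g. `{"type": "openstackGroupEntitlements", "any_one_of": ["<allowed-group-id>", "<allowed-group-id>"]}` (or `"regex": true` with a pattern), and consider a `"regex"`/`"any_one_of"` whitelist on `REMOTE_USER` as well so only expected realms map to local users. As I read Keystone's mapping engine, `group_ids` must also name groups that already exist in the IdP's domain, otherwise the mapping fails at login; worth a line in the README since JSON gives no room for a comment here.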
										20
									
								
								keystone/run.sh
									
									
									
									
									
										Executable file
									
								
							
							
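--- a/keystone/run.sh
+++ b/keystone/run.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# start nova compute service
+
+chown keystone: /etc/keystone/fernet-keys
+chmod 700 /etc/keystone/fernet-keys
+
+# Start apache
+a2enmod ssl
+apachectl -DFOREGROUND &
+
+chown _shibd: /etc/shibboleth/sp*.pem
+
+shibd -f -F &
+
+# If any process fails, kill the rest.
+# This insures the container stops and systemd will restart it.
+
+wait -n
+pkill -P $$
+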
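Review bot: The SP private key is only re-owned on the line `chown _shibd: /etc/shibboleth/sp*.pem`; its mode is left at whatever the image or mounted volume provides, whereas the fernet-keys directory a few lines above gets an explicit `chmod 700`. Since `sp-key.pem` is the key that signs the SP's SAML requests and decrypts assertions, follow the chown with `chmod 600 /etc/shibboleth/sp-key.pem` and `chmod 644 /etc/shibboleth/sp-cert.pem` so a stray world-readable mount does not expose it. The header comment `# start nova compute service` is stale for this script and should read something like `# start keystone (apache) and shibd, exit if either dies`. Note also that `wait -n` needs bash 4.3 or newer; presumably the base image provides that, but it is worth a comment since an older bash would fall through to `pkill` immediately.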
										114
									
								
								keystone/shibboleth2.xml
									
									
									
									
									
										Normal file
									
								
							
							
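--- a/keystone/shibboleth2.xml
+++ b/keystone/shibboleth2.xml
@@ -0,0 +1,114 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"     
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+     
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+             
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+         
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+        </MetadataProvider>
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+         
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+         
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+     
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>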
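Review bot: The `MetadataProvider` that fetches the IdP's metadata from `https://osfedpx.nikhef.nl/.../metadata.php` has no `MetadataFilter` child, even though the comment above it says "signed metadata"; the IdP signing certificate that every assertion is verified against is therefore trusted solely on the strength of that one HTTPS fetch (and on whatever CA configuration shibd uses for it, which is not visible here). A swapped or tampered metadata document would make the SP accept assertions signed by an attacker's key. Either pin the trust with filters inside the element, e.g. `<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>` and `<MetadataFilter type="Signature" certificate="idp-metadata-signer.pem" verifyBackup="false"/>`, or use the commented-out `file=` provider with a reviewed local copy of the IdP metadata. Separately, `supportContact="root@localhost"` is still the sample placeholder and should point at a real contact for this deployment.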
										22
									
								
								keystone/sso_callback_template.html
									
									
									
									
									
										Normal file
									
								
							
							
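--- a/keystone/sso_callback_template.html
+++ b/keystone/sso_callback_template.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Keystone WebSSO redirect</title>
+  </head>
+  <body>
+     <form id="sso" name="sso" action="$host" method="post">
+       Please wait...
+       <br/>
+       <input type="hidden" name="token" id="token" value="$token"/>
+       <noscript>
+         <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+            value="If your JavaScript is disabled, please click to continue"/>
+       </noscript>
+     </form>
+     <script type="text/javascript">
+       window.onload = function() {
+         document.forms['sso'].submit();
+       }
+     </script>
+  </body>
+</html>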
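Review bot: The template auto-posts a Keystone token to whatever URL is substituted for `$host` in `<form id="sso" name="sso" action="$host" method="post">`, and nothing in this file constrains that destination; the only thing standing between a user's token and an arbitrary origin is Keystone's `[federation] trusted_dashboard` check, which is configured in keystone.conf rather than here. Because that dependency is invisible to whoever edits this file, add a comment at the top: `<!-- Rendered by keystone after WebSSO: $host is the dashboard origin (must be listed in [federation] trusted_dashboard), $token is the unscoped keystone token posted to it. Do not loosen trusted_dashboard. -->`. As far as I can tell this is Keystone's stock template, so the note is documentation only.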
										4
									
								
								keystone/test.php
									
									
									
									
									
										Normal file
									
								
							
							
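--- a/keystone/test.php
+++ b/keystone/test.php
@@ -0,0 +1,4 @@
+<html>
+<head><title>Shibboleth test</title></head>
+<body><pre><?php print_r($_SERVER); ?></pre></body>
+</html>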
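Review bot: `print_r($_SERVER)` dumps every server and environment variable to the client, which under mod_shib includes the released SAML attributes, `REMOTE_USER`, and `HTTP_COOKIE` with the caller's `_shibsession_*` cookie, plus any secrets passed to the container through the environment. That is fine as a one-off attribute-release check but it should not be reachable in a deployed image; it is not clear from this hunk whether anything installs it, but since it lives next to the shipped configs it is easy to copy in by accident. Either drop it from the repository, or mark it clearly as a debugging aid with a header comment `<?php // DEBUG ONLY: dumps all Shibboleth attributes and cookies; never deploy or serve without AuthType shibboleth + Require valid-user ?>` and keep it out of the Dockerfile.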