3 changes: 3 additions & 0 deletions .editorconfig
Expand Up @@ -13,3 +13,6 @@ max_line_length = 180

[*.py]
indent_size = 4

[*.{php,php.j2}]
indent_size = 4
14 changes: 9 additions & 5 deletions roles/diyidp/defaults/main.yml
@@ -1,18 +1,22 @@
---
diyidp_domain: "diyidp.{{ base_domain }}"
diyidp_cert: "diyidp.crt"
diyidp:
diyidp_db:
db_host: "{{ mariadb_host }}"
db_name: diyidp
db_user: diyidprw
db_name: "diyidp"
db_user: "diyidprw"
db_password: "{{ mysql_passwords.diyidp }}"
secretsalt: "{{ diyidp_secret_salt }} "
admin_password: "{{ diyidp_secret }}"
diyidp_secret_salt: secretsecret
diyidp_secret: secret
diyidp_theme: "theme_diyidp:diyidp"
diyidp_secret_salt: "diyidp_secretsecret"
diyidp_secret: "diyidp_secret"
diyidp_remotesp:
- name: "{{ instance_name }} SP metadata"
metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata"
acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion"
diyidp_docker_networks:
- name: "loadbalancer"

# set this to add extra users to the default. See vars/main.yml
diyidp_users_extra: []
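Review bot: `secretsalt: "{{ diyidp_secret_salt }} "` carries a trailing space inside the quotes, so the rendered salt ends in a blank that nobody overriding `diyidp_secret_salt` in the inventory will expect; it should read `secretsalt: "{{ diyidp_secret_salt }}"`. The `diyidp:` → `diyidp_db:` rename also leaves `secretsalt` and `admin_password` nested under what is now a database-settings mapping, while the other hunks in this PR read top-level `diyidp_secretsalt` and `diyidp_admin_password`, so these two keys appear to have no remaining consumer under their current names. The new placeholder values `"diyidp_secretsecret"` and `"diyidp_secret"` are fine for a sandbox role, but a comment such as `# sandbox placeholders — override in the inventory` above them would make the expectation explicit, as the existing comment on `diyidp_users_extra` already does for users.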
62 changes: 0 additions & 62 deletions roles/diyidp/files/diyidp.sql

This file was deleted.

1 change: 1 addition & 0 deletions roles/diyidp/files/theme_diyidp/default-enable
@@ -0,0 +1 @@
-
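--- a/roles/diyidp/files/theme_diyidp/public/assets/userclick.css
+++ b/roles/diyidp/files/theme_diyidp/public/assets/userclick.css
@@ -0,0 +1,3 @@
+table {
+text-color: red;
+}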
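Review bot: `text-color` is not a CSS property, so the only rule in `userclick.css` has no effect; it should be `color: red;` (or whichever colour is intended), and scoping it to a class the template actually emits, such as `.attribute`, rather than every `table` element would avoid restyling the user-list tables as well. The twig template added in this PR loads `userpicker.css` from the `themesurf` module and does not reference this file, so as committed the stylesheet appears to be unused — worth confirming which of the two names is the intended one.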
@@ -0,0 +1,89 @@
{% set pagetitle = 'Continue as persona' %}

{% extends "@core/base.twig" %}

{% block preload %}
<link rel="stylesheet" href="{{ asset('css/default.css', 'exampleauth') }}">
<link rel="stylesheet" href="{{ asset('userpicker.css', 'themesurf') }}">
{% endblock %}

{% block content %}

<h2>Sandbox IdP</h2>
<p>Please select one of the following test users to log in. Hoover over the user to see their attributes.</p>

{# Show list of users of attribtue table on hoover #}
<div id="single_user">
<table>
{% for id, attributes in users %}
<tr class="example_user" id="tr_{{ id }}">
<td class="username">
<a href="{{ usersLinks[id] }}">{{ attributes['username'][0] }}</a>
</td>
<td class="displayname">
<a href="{{ usersLinks[id] }}">{{ attributes['displayName'][0] }}</a>
</td>
</tr>
{%- endfor %}
</table>

{% for id, attributes in users %}
<table id="table_{{ id }}">
{% for name, values in attributes %}
<tr class="attribute">
<td class="attribute_name">{{ name }}</td>
<td class="attribute_values">
{{ values | join('<br/>') }}
{#
{% for v in values %}
<span class="values">{{ v }}</span>
{% endfor %}
#}
</td>
</tr>
{%- endfor %}
</table>
{%- endfor %}
</div>

{# create a list of all used attributes. We'll print them in columns #}
{# inital value make sure the ocmmon attributes are ordered correctly #}
{% set all_attributes = ['username', 'displayName', 'cn', 'sn', 'givenName', 'mail', 'uid', 'schacHomeOrganiztion'] %}
{% for user in users %}
{% for key, value in user %}
{% if key not in all_attributes %}
{% set all_attributes = all_attributes|merge([key]) %}
{% endif %}
{% endfor %}
{% endfor %}

{# Show table of all users and all values #}
<div id="all_users">
<table>
<thead>
<tr>
{% for a in all_attributes %}
<th>{{ a }}</th>
{% endfor %}
</tr>
</thead>
<tbody>
{% for id, attributes in users %}
<tr>
{% for a in all_attributes %}
<td>
{% if attributes[a] is defined %}
{{ attributes[a] | join(', ') }}
{% else %}
&ndash;
{% endif %}
</td>
{% endfor %}
</tr>
{% endfor %}
</tbody>
</table>
</div>

{% endblock %}
{# vi:sw=4:ts=4:expanddtab #}
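Review bot: `'schacHomeOrganiztion'` in the `all_attributes` seed list misspells `schacHomeOrganization`, so the real attribute never fills its pre-ordered slot, the all-users table gets an extra header column that shows `&ndash;` for every user, and the correctly spelled attribute is appended at the end; change the literal to `'schacHomeOrganization'`. `{{ values | join('<br/>') }}` is subject to Twig autoescaping, so under SimpleSAMLphp's default template settings the separator is likely printed as literal `&lt;br/&gt;` text rather than a line break — if that is what you see, the commented-out per-value `<span class="values">` loop directly below is the safer rendering and keeps attribute values escaped. The preload block pulls `userpicker.css` from `themesurf`, whereas this PR adds `userclick.css` to `theme_diyidp`; one of the two names looks stale. In the user-facing copy and the comment, `Hoover` should be `Hover`, and the comments have `attribtue`, `inital` and `ocmmon`.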
11 changes: 9 additions & 2 deletions roles/diyidp/handlers/main.yml
@@ -1,3 +1,10 @@
---
- name: restart diyidp
command: docker restart diyidp
- name: "Restart diyidp"
community.docker.docker_container:
name: "diyidp"
state: "started"
restart: true
# avoid restarting it creates unexpected data loss according to docker_container_module notes
comparisons:
'*': "ignore"
when: "diyidp_container is success and diyidp_container is not change"
159 changes: 89 additions & 70 deletions roles/diyidp/tasks/main.yml
@@ -1,114 +1,133 @@
---
- debug:
msg: "{{ diyidp }}"
- name: Create directories
- name: "Create directories"
ansible.builtin.file:
path: "/opt/openconext/diyidp/{{ item }}"
state: directory
owner: root
group: root
state: "directory"
owner: "root"
group: "root"
mode: "0775"
with_items:
- www
- metadata
- cert
- "cert"

- name: Put metadata certificate in place
- name: "Put metadata certificate in place"
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/certs/{{ diyidp_cert }}"
dest: "/opt/openconext/diyidp/cert/server.crt"
owner: root
group: root
owner: "root"
group: "root"
mode: "0644"

- name: Put metadata key in place
- name: "Put metadata key in place"
ansible.builtin.copy:
content: "{{ diyidp_private_key }}"
dest: "/opt/openconext/diyidp/cert/server.key"
owner: root
group: root
owner: "root"
group: "root"
mode: "0444"
notify: restart diyidp
notify: "Restart diyidp"

- name: Copy simplesamlphp configuration files
- name: "Copy simplesamlphp configuration files"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/opt/openconext/diyidp/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
with_items:
- config-override.php
- authsources.php
notify: restart diyidp
- "config-override.php"
- "authsources.php"
- "saml20-idp-hosted.php"
- "saml20-sp-remote.php"
notify: "Restart diyidp"

- name: Copy simplesamlphp metadata files
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/opt/openconext/diyidp/metadata/{{ item }}"
- name: "Copy DIY IdP theme"
ansible.builtin.copy:
src: "theme_diyidp"
dest: "/opt/openconext/diyidp/"
owner: "root"
group: "root"
mode: "0644"
directory_mode: "0755"

- name: "Remove obsolete files"
ansible.builtin.file:
path: "/opt/openconext/diyidp/{{ item }}"
state: "absent"
with_items:
- saml20-idp-hosted.php
- saml20-sp-remote.php
notify: restart diyidp
- "metadata"
- "www"

- name: Copy showusers php script
ansible.builtin.template:
src: "showusers.php.j2"
dest: "/opt/openconext/diyidp/www/showusers.php"
owner: root
- name: "Showusers"
ansible.builtin.copy:
dest: "/opt/openconext/diyidp/alive.php"
content: |
<?php print("It's alive!");
owner: "root"
group: "root"
mode: "0644"
notify: restart diyidp

- name: Copy the apache config
- name: "Copy the apache config"
ansible.builtin.template:
src: "000-default.conf.j2"
dest: "/opt/openconext/diyidp/000-default.conf"
owner: root
group: root
owner: "root"
group: "root"
mode: "0644"
notify: restart diyidp
notify: "Restart diyidp"

- name: Add the mariadb docker network to the list of networks when MariaDB runs in Docker
- name: "Add the mariadb docker network to the list of networks when MariaDB runs in Docker"
ansible.builtin.set_fact:
diyidp_docker_networks:
- name: loadbalancer
- name: openconext_mariadb
when: mariadb_in_docker | default(false) | bool
- name: "loadbalancer"
- name: "openconext_mariadb"
when: "mariadb_in_docker | default(false) | bool"

- name: Create the container
- name: "Create the container"
community.docker.docker_container:
name: diyidp
image: cirrusid/simplesamlphp:v2.2.2
name: "diyidp"
image: "docker.io/cirrusid/simplesamlphp:v2.5.0"
pull: true
restart_policy: "always"
state: started
state: "started"
hostname: "diyidp"
networks: "{{ diyidp_docker_networks }}"
env:
SSP_ENABLED_MODULES: "sqlauth themesurf theme_diyidp exampleauth"
SSP_LOG_HANDLER: "stderr"
COMPOSER_REQUIRE: "simplesamlphp/simplesamlphp-module-sqlauth surfnet/simplesamlphp-module-themesurf:dev-main"
SSP_ENABLE_IDP: "true"
SSP_SECRET_SALT: "{{ diyidp_secretsalt }}"
labels:
traefik.http.routers.diyidp.rule: "Host(`{{ diyidp_domain }}`)"
traefik.http.routers.diyidp.tls: "true"
traefik.enable: "true"
hostname: diyidp
mounts:
- source: /opt/openconext/diyidp/config-override.php
target: /var/simplesamlphp/config/config-override.php
type: bind
- source: /opt/openconext/diyidp/authsources.php
target: /var/simplesamlphp/config/authsources.php
type: bind
- source: /opt/openconext/diyidp/metadata
target: /var/simplesamlphp/config/metadata
type: bind
- source: /opt/openconext/diyidp/cert
target: /var/simplesamlphp/config/cert
type: bind
- source: /opt/openconext/diyidp/www/showusers.php
target: /var/simplesamlphp/public/showusers.php
type: bind
- source: /opt/openconext/diyidp/000-default.conf
target: /etc/apache2/sites-enabled/000-default.conf
type: bind
env:
SSP_ENABLED_MODULES: "sqlauth themesurf"
SSP_LOG_HANDLER: stderr
COMPOSER_REQUIRE: "simplesamlphp/simplesamlphp-module-sqlauth surfnet/simplesamlphp-module-themesurf:dev-main"
SSP_ENABLE_IDP: "true"
SSP_SECRET_SALT: "{{ diyidp.secretsalt }}"
- source: "/opt/openconext/diyidp/config-override.php"
target: "/var/simplesamlphp/config/config-override.php"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/authsources.php"
target: "/var/simplesamlphp/config/authsources.php"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/"
target: "/var/simplesamlphp/config/metadata/"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/cert"
target: "/var/simplesamlphp/config/cert"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/000-default.conf"
target: "/etc/apache2/sites-enabled/000-default.conf"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/alive.php"
target: "/var/simplesamlphp/public/showusers.php"
type: "bind"
read_only: true
- source: "/opt/openconext/diyidp/theme_diyidp"
target: "/var/simplesamlphp/modules/theme_diyidp"
type: "bind"
read_only: true
register: "diyidp_container"
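Review bot: `SSP_SECRET_SALT: "{{ diyidp_secretsalt }}"` (and `diyidp_admin_password` in the config-override.php.j2 hunk) reference variables that the defaults changed in this PR do not define — defaults/main.yml keeps `secretsalt` and `admin_password` as nested keys under the renamed `diyidp_db` mapping, and its top-level name is `diyidp_secret_salt`. Unless vars/main.yml or the inventory supplies them, the container task fails on an undefined variable. Either add `diyidp_secretsalt: "{{ diyidp_secret_salt }}"` and `diyidp_admin_password: "{{ diyidp_secret }}"` to the defaults or point these two references at the keys that exist. Separately, mounting the role's whole host directory `/opt/openconext/diyidp/` as `/var/simplesamlphp/config/metadata/` places the already separately mounted `cert/` directory (with `server.key`) and `alive.php` inside the metadata tree; templating the two `saml20-*.php` files into a dedicated directory would keep that mount to metadata only. `sqlauth` in `SSP_ENABLED_MODULES` and `COMPOSER_REQUIRE` no longer has a consumer now that authsources.php.j2 drops `sql_user`, so it can probably go along with the `diyidp_db` defaults.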
29 changes: 10 additions & 19 deletions roles/diyidp/templates/authsources.php.j2
Expand Up @@ -2,24 +2,15 @@

$config = array(

// This is a authentication source which handles admin authentication.
'admin' => array(
// The default is to use core:AdminPassword, but it can be replaced with
// any authentication source.
// This is a authentication source which handles admin authentication.
'admin' => array(
'core:AdminPassword',
),

'core:AdminPassword',
),


'sql_user' => array(
'core:loginpage_links' => [
'users' => ['href' => '/showusers.php', 'text' => 'List of available users'],
],
'sqlauth:SQL',
'dsn' => 'mysql:host={{ diyidp.db_host}};port=3306;dbname={{ diyidp.db_name }}',
'username' => '{{ diyidp.db_user}}',
'password' => '{{ diyidp.db_password}}',
'query' => "SELECT uid,givenName,sn,cn, mail,displayName,schacHomeOrganization, CONCAT(uid, '@', schacHomeOrganization) as eduPersonPrincipalName,eduPersonEntitlement,eduPersonAffiliation,isMemberOf,schacPersonalUniqueCode,eduPersonScopedAffiliation
FROM users WHERE username = :username AND password = :password",
),
// be careful: diyidp_users has weird characters and quotes inside the strings, se we need to use a nowdoc to expand the variable
'user_chooser' => [ 'exampleauth:UserClick', 'users' => json_decode(<<<'ENDJSON'
{{ (diyidp_users + diyidp_users_extra) | to_json }}
ENDJSON
, true),
]
);
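Review bot: `exampleauth:UserClick` authenticates whoever clicks a row without any credential, which is what a sandbox IdP wants but is easy to misread later; a comment above `'user_chooser'` stating that this source is test-only and that `diyidp_users` / `diyidp_users_extra` must never contain real accounts would document the intent. `json_decode(..., true)` returns `null` on malformed input and the source would then start with `'users' => null`; since this runs on a SimpleSAMLphp 2.x image, `json_decode(<<<'ENDJSON' … ENDJSON, true, 512, JSON_THROW_ON_ERROR)` fails loudly at load time instead. The comment has `se we` for `so we`.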
4 changes: 2 additions & 2 deletions roles/diyidp/templates/config-override.php.j2
@@ -1,6 +1,6 @@
<?php
$config['certdir'] = 'config/cert/';
$config['metadatadir'] = 'config/metadata/';
$config['auth.adminpassword'] = '{{ diyidp.admin_password }}';
$config['auth.adminpassword'] = '{{ diyidp_admin_password }}';
$config['baseurlpath'] = 'https://{{ diyidp_domain }}/';
$config['theme.use'] = '{{ diyidp_theme |default("default") }}';
$config['theme.use'] = '{{ diyidp_theme }}';