From 5289379f15a2f89ba7c120798de8e2877655647b Mon Sep 17 00:00:00 2001 From: Bas Zoetekouw Date: Tue, 10 Dec 2024 16:34:44 +0100 Subject: [PATCH] update simplesaml --- roles/demo-sp/tasks/main.yml | 9 +++++-- roles/demo-sp/templates/config.php.j2 | 8 ++---- .../templates/saml20-idp-remote.php.j2 | 14 +++++++++-- roles/simplesamlphp/defaults/main.yml | 1 - roles/simplesamlphp/handlers/main.yml | 2 +- roles/simplesamlphp/tasks/main.yml | 25 +++++++++---------- roles/surfstar-idp/templates/config.php.j2 | 7 +----- roles/test-idp/templates/config.php.j2 | 2 +- 8 files changed, 36 insertions(+), 32 deletions(-) diff --git a/roles/demo-sp/tasks/main.yml b/roles/demo-sp/tasks/main.yml index a459f79e5..15182e2bd 100644 --- a/roles/demo-sp/tasks/main.yml +++ b/roles/demo-sp/tasks/main.yml @@ -61,9 +61,14 @@ - name: Install JumboJett OIDC PHP module community.general.composer: - command: require - arguments: jumbojett/openid-connect-php + command: "require" + arguments: "jumbojett/openid-connect-php" working_dir: "{{ demosp_dir}}" + no_scripts: true + no_plugins: true + environment: + # TODO: fix this; create a separate user that own the files and can run composer + COMPOSER_ALLOW_SUPERUSER: "1" notify: "restart php-fpm" - name: Install OIDC RP config diff --git a/roles/demo-sp/templates/config.php.j2 b/roles/demo-sp/templates/config.php.j2 index 13367cf32..ebb9c9c77 100644 --- a/roles/demo-sp/templates/config.php.j2 +++ b/roles/demo-sp/templates/config.php.j2 
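Review bot: `arguments: "jumbojett/openid-connect-php"` still requires the package without a version constraint, so every fresh deployment resolves whatever release is newest at that moment and two hosts built at different times can run different code; pin it, e.g. `arguments: "jumbojett/openid-connect-php:<VERSION_CONSTRAINT>"`, and install from a committed composer.lock if the demo-sp project keeps one. The added `no_scripts: true` and `no_plugins: true` are the right mitigation while the task runs as root under `COMPOSER_ALLOW_SUPERUSER`, since they stop a resolved package from executing install hooks with that privilege; the TODO already records the intent to move to a dedicated user, so I would keep it until a `become_user` for that user lands. The task list continues outside the hunk.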
@@ -22,7 +22,8 @@ $config = [ | SECURITY CONFIGURATION OPTIONS | **********************************/ 'secretsalt' => '{{ simplesaml_salt.content }}', - 'auth.adminpassword' => '{{ simplesaml_admin_passwd }}', + {# because OF COURSE php head to reinvent the wheel and only support their very limited password hash types -#} + 'auth.adminpassword' => '{{ simplesaml_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}', 'admin.protectmetadata' => false, 'admin.checkforupdates' => true, @@ -164,11 +165,6 @@ $config = [ *************************************/ 'authproc.idp' => [ 30 => 'core:LanguageAdaptor', - 45 => [ - 'class' => 'core:StatisticsWithAttribute', - 'attributename' => 'realm', - 'type' => 'saml20-idp-SSO', - ], 50 => 'core:AttributeLimit', 99 => 'core:LanguageAdaptor', ], diff --git a/roles/demo-sp/templates/saml20-idp-remote.php.j2 b/roles/demo-sp/templates/saml20-idp-remote.php.j2 index 9296a4f79..d1dfb6fb0 100644 --- a/roles/demo-sp/templates/saml20-idp-remote.php.j2 +++ b/roles/demo-sp/templates/saml20-idp-remote.php.j2 @@ -7,7 +7,12 @@ $metadata['https://proxy.acc.sram.eduteams.org/proxy'] = array( 'en' => 'SRAM acc', 'nl' => 'SRAM acc', ], - 'SingleSignOnService' => 'https://proxy.acc.sram.eduteams.org/saml2sp/sso/redirect', + 'SingleSignOnService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://proxy.acc.sram.eduteams.org/saml2sp/sso/redirect', + ], + ], 'certificate' => 'eduteams-acc.pem', 'authproc' => [ @@ -21,7 +26,12 @@ $metadata['https://proxy.sram.surf.nl/proxy'] = array( 'en' => 'SRAM prod', 'nl' => 'SRAM prod', ], - 'SingleSignOnService' => 'https://proxy.sram.surf.nl/saml2sp/sso/redirect', + 'SingleSignOnService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://proxy.sram.surf.nl/saml2sp/sso/redirect', + ], + ], 'certificate' => 'eduteams-prd.pem', 'authproc' => [ 
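Review bot: The new `'auth.adminpassword'` line is re-hashed with a fresh random salt on every render, because `ansible.builtin.password_hash(hashtype="bcrypt")` generates its own salt when none is passed; the rendered config.php therefore differs on each run, the template task always reports changed, and whatever it notifies (presumably the php-fpm restart) fires on every play. Make the output stable by passing a fixed salt, e.g. `password_hash("bcrypt", salt=<STABLE_22_CHAR_BCRYPT_SALT>)` with the salt generated once per host and stored alongside the existing secretsalt file rather than written literally into the template, or hash once and keep the result in a variable. If the controller's filter supports the `ident` argument, `ident="2y"` would also make the `replace("$2b$", "$2y$")` step unnecessary, and the bcrypt hashtype needs passlib on the controller, which the role's requirements should state. The same construct is introduced in the surfstar-idp and test-idp config.php.j2 hunks below.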
diff --git a/roles/simplesamlphp/defaults/main.yml b/roles/simplesamlphp/defaults/main.yml index 0ea0487a4..fdd0c310a 100644 --- a/roles/simplesamlphp/defaults/main.yml +++ b/roles/simplesamlphp/defaults/main.yml @@ -14,4 +14,3 @@ simplesaml_group: "ssp-group" simplesaml_project_dir: "/opt/{{simplesaml_name}}" simplesaml_tmp_dir: "{{simplesaml_project_dir}}/tmp/" simplesaml_cert_dir: "{{simplesaml_project_dir}}/cert/" - diff --git a/roles/simplesamlphp/handlers/main.yml b/roles/simplesamlphp/handlers/main.yml index db5201dfd..07a030e9b 100644 --- a/roles/simplesamlphp/handlers/main.yml +++ b/roles/simplesamlphp/handlers/main.yml @@ -2,7 +2,7 @@ - name: "restart php-fpm" listen: "restart php-fpm" systemd: - name: "php7.4-fpm.service" + name: "php{{php_version}}-fpm.service" state: "restarted" daemon_reload: true enabled: true diff --git a/roles/simplesamlphp/tasks/main.yml b/roles/simplesamlphp/tasks/main.yml index 047833d28..b44e04a9f 100644 --- a/roles/simplesamlphp/tasks/main.yml +++ b/roles/simplesamlphp/tasks/main.yml @@ -15,6 +15,17 @@ - "php-ldap" state: "present" +- name: Find php version + command: > + php -r '$v=phpversion(); echo substr($v, 0, strrpos($v, "."));' + register: "php_output" + changed_when: false + +- set_fact: + php_version={{ php_output.stdout }} + simplesaml_project_dir={{simplesaml_project_dir}} + simplesaml_cert_dir={{simplesaml_cert_dir}} + - name: Create simplesaml group group: name: "{{simplesaml_group}}" @@ -92,7 +103,6 @@ force: false notify: "restart php-fpm" - - name: Read random salt slurp: src: "{{ simplesaml_project_dir }}/config/salt" 
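Review bot: `name: "php{{php_version}}-fpm.service"` ties the handler to a fact that only exists after the 'Find php version' task in roles/simplesamlphp/tasks/main.yml has run, so a tag-limited or start-at-task run, or another role notifying "restart php-fpm", fails on an undefined variable at handler time. Either give the variable a fallback in roles/simplesamlphp/defaults/main.yml, which this commit touches, or make the failure self-explanatory: `name: "php{{ php_version | mandatory('php_version is unset; the Find php version task must run first') }}-fpm.service"`.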
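Review bot: The moved `php -r '$v=phpversion(); echo substr($v, 0, strrpos($v, "."));'` assumes the version string is exactly major.minor.patch; distro builds can report a string of the form `7.4.3-4ubuntu2.18` (constructed example), where cutting at the last dot yields `7.4.3-4ubuntu2` and the `/etc/php/{{ php_version }}/fpm/pool.d/` path built later in this file points nowhere. `php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;'` produces the directory component directly and is safe for any suffix. The `set_fact` entries that assign simplesaml_project_dir and simplesaml_cert_dir to themselves are moved rather than new, but a one-line comment stating why they are pinned as host facts (precedence over inventory or role defaults, if that is the intent) would save the next reader the guess.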
@@ -121,20 +131,9 @@ - name: Install fpm pool config template: src: "fpm-pool.j2" - dest: "/etc/php/7.4/fpm/pool.d/{{simplesaml_name}}.conf" + dest: "/etc/php/{{ php_version }}/fpm/pool.d/{{simplesaml_name}}.conf" notify: "restart php-fpm" -- name: Find php version - command: > - php -r '$v=phpversion(); echo substr($v, 0, strrpos($v, "."));' - register: "php_output" - changed_when: false - -- set_fact: - php_version={{ php_output.stdout }} - simplesaml_project_dir={{simplesaml_project_dir}} - simplesaml_cert_dir={{simplesaml_cert_dir}} - - name: Set php session cookie httponly ansible.builtin.copy: content: | diff --git a/roles/surfstar-idp/templates/config.php.j2 b/roles/surfstar-idp/templates/config.php.j2 index 18cef5367..318bf1a70 100644 --- a/roles/surfstar-idp/templates/config.php.j2 +++ b/roles/surfstar-idp/templates/config.php.j2 @@ -29,7 +29,7 @@ $config = [ | SECURITY CONFIGURATION OPTIONS | **********************************/ 'secretsalt' => '{{ simplesaml_salt.content }}', - 'auth.adminpassword' => '{{ surfstar_idp_admin_passwd }}', + 'auth.adminpassword' => '{{ surfstar_idp_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}', 'admin.protectmetadata' => false, 'admin.checkforupdates' => true, @@ -150,11 +150,6 @@ $config = [ *************************************/ 'authproc.idp' => [ 30 => 'core:LanguageAdaptor', - 45 => [ - 'class' => 'core:StatisticsWithAttribute', - 'attributename' => 'realm', - 'type' => 'saml20-idp-SSO', - ], 50 => 'core:AttributeLimit', 99 => 'core:LanguageAdaptor', ], diff --git a/roles/test-idp/templates/config.php.j2 b/roles/test-idp/templates/config.php.j2 index 9cb70eea0..f93532c08 100644 --- a/roles/test-idp/templates/config.php.j2 +++ b/roles/test-idp/templates/config.php.j2 
@@ -22,7 +22,7 @@ $config = [ | SECURITY CONFIGURATION OPTIONS | **********************************/ 'secretsalt' => '{{ simplesaml_salt.content }}', - 'auth.adminpassword' => '{{ simplesaml_admin_passwd }}', + 'auth.adminpassword' => '{{ simplesaml_admin_passwd | string | ansible.builtin.password_hash(hashtype="bcrypt") | replace("$2b$", "$2y$") }}', 'admin.protectmetadata' => false, 'admin.checkforupdates' => true,