diff --git a/.gitignore b/.gitignore index 75884dcce..a1b3b52c5 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,6 @@ 3rdparty/vendor/onelogin/php-saml/endpoints/ build + +gitpod/mariadb/prepopulate.sql +gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php \ No newline at end of file diff --git a/.gitpod.yml b/.gitpod.yml new file mode 100644 index 000000000..fef5ed969 --- /dev/null +++ b/.gitpod.yml @@ -0,0 +1,47 @@ + +github: + prebuilds: + master: true + branches: true + pullRequests: true + pullRequestsFromForks: true + addCheck: true + addComment: false + addBadge: true + +tasks: + - name: Nextcloud Server + command: | + git config core.fileMode false + chmod -R 777 . + cd gitpod + export SIMPLESAML_URL=$(gp url 8082)/simplesaml + export NEXTCLOUD_URL=$(gp url 8080) + export HOSTIP=$(ip -4 addr show scope global dev eth0 | grep inet | awk '{print $2}' | cut -d / -f 1 | sed -n 1p) + + curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst + chmod +x envsubst + sudo mv envsubst /usr/local/bin + + envsubst < mariadb/prepopulate.sql.template > mariadb/prepopulate.sql + envsubst < simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php.template > simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php + docker-compose up + + - name: Terminal + command: clear + +ports: + - port: 8080 + onOpen: open-browser + visibility: private + - port: 8081 + visibility: private + onOpen: ignore + - port: 8082 + visibility: private + onOpen: ignore + +vscode: + extensions: + - ms-azuretools.vscode-docker + - felixfbecker.php-debug diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 000000000..54b483a41 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,11 @@ +{ + "version": "0.2.0", + "configurations": [ + { + "name": "Listen for Xdebug", + "type": "php", + "request": "launch", + "port": 9003 + }, + ] +} \ No newline at end of file 
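Review bot: The envsubst binary fetched with `curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/... -o envsubst` is made executable and moved into /usr/local/bin with no integrity check, so every prebuild and workspace start trusts whatever that URL serves at the time. Pinning the expected digest is one line before the `chmod +x envsubst`: `echo '<EXPECTED_SHA256_PLACEHOLDER>  envsubst' | sha256sum -c - || exit 1` (take the digest from the v1.2.0 release asset matching `uname -s`/`uname -m`). Since the workspace's `gp url` values and the generated SAML metadata depend on this step, a tampered or unexpectedly changed binary would otherwise fail silently or alter the rendered config. The same `curl ... | chmod +x` pattern without verification also applies to any future tool added to this task, so a short comment `# verify release asset digest before installing` above the curl documents the expectation.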
diff --git a/gitpod/README.md b/gitpod/README.md new file mode 100644 index 000000000..36578d6d3 --- /dev/null +++ b/gitpod/README.md @@ -0,0 +1,56 @@ +# Try it on Gitpod +[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/[user]/[repository/) + +It will automatically spin up and configure a full Nextcloud, MariaDB, PhpMyAdmin, SimpleSAMLphp and 389 Directory development server. + +## Usage +- Open the Repository in gitpod +- Wait about 4 minutes for all servers to start (progress can be followed in the Nextcloud Terminal) +- If your browser doesn't block it, a new tab with the Nextcloud server opens automatically. +- If not go to the Remote Explorer Tab and open port 8080 + +## Ports +- 8080: Nextcloud +- 8081: PhpMyAdmin +- 8082: SimpleSAMLphp Admin (/simplesaml subdirectory) + +## Nextcloud Direct Login: +**URL:** [https://8080-[Workspace Name].gitpod.io/login?direct=1]() + +**Username:** dev + +**Password:** t2qQ1C6ktYUv7 + +## Nextcloud Saml Login: +### 1 +**Username:** test1 + +**Password:** test1password + +### 2 +**Username:** test2 + +**Password:** test2password + +### 3 +**Username:** bender + +**Password:** bender + +## PhpMyAdmin Login: +**Username:** nextcloud + +**Password:** wdGq73jQB0p373gLdf6yLRj5 + +(It is fine to have these static logins, because gitpod has acess control built in and no sensitive data is stored in these dev servers) + +## SimpleSAMLphp Admin Login: +**Username:** admin + +**Password:** 1234 + +# OCC Acess +You can acess nextclouds occ shell using this command: +``` +docker exec -it -u 33 gitpod_app_1 php occ +```` diff --git a/gitpod/docker-compose.yml b/gitpod/docker-compose.yml new file mode 100644 index 000000000..57f424c24 --- /dev/null +++ b/gitpod/docker-compose.yml 
@@ -0,0 +1,75 @@ +# This is for gitpod, DO NOT USE THIS TO HOST YOUR PRODUCTION NEXTCLOUD + +version: '2' + +volumes: + nextcloud: + db: + config: + +services: + db: + image: mariadb + restart: always + command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF + volumes: + - db:/var/lib/mysql + - ./mariadb:/docker-entrypoint-initdb.d + environment: + - MYSQL_ROOT_PASSWORD=wdGq73jQB0p373gLdf6yLRj5 + - MYSQL_PASSWORD=wdGq73jQB0p373gLdf6yLRj5 + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + + phpmyadmin: + image: phpmyadmin + container_name: pma + links: + - db + environment: + PMA_HOST: db + PMA_PORT: 3306 + restart: always + ports: + - 8081:80 + + app: + image: nextcloud + build: + context: ./nextcloud + dockerfile: Dockerfile + restart: always + ports: + - 8080:80 + links: + - db + volumes: + - nextcloud:/var/www/html + - config:/var/www/html/config + - ${GITPOD_REPO_ROOT}:/var/www/html/custom_apps/user_saml + environment: + - MYSQL_PASSWORD=wdGq73jQB0p373gLdf6yLRj5 + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=nextcloud + - MYSQL_HOST=db + - NEXTCLOUD_ADMIN_USER=dev + - NEXTCLOUD_ADMIN_PASSWORD=t2qQ1C6ktYUv7 + - NEXTCLOUD_TRUSTED_DOMAINS=*.gitpod.io + - OVERWRITEPROTOCOL=https + - NEXTCLOUD_UPDATE=1 + extra_hosts: + - host:${HOSTIP} + + simplesamlphp: + build: + context: ./simplesamlphp/ + dockerfile: Dockerfile + restart: always + ports: + - 8082:80 + environment: + - SIMPLESAML_URL + - NEXTCLOUD_URL + + ldap: + build: ./ldap/ diff --git a/gitpod/ldap/Dockerfile b/gitpod/ldap/Dockerfile new file mode 100644 index 000000000..840d9ed09 --- /dev/null +++ b/gitpod/ldap/Dockerfile 
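Review bot: The `ports:` entries `- 8081:80` (phpmyadmin) and `- 8080:80` (app) publish on every host interface; inside Gitpod the workspace proxy gates access, but the header only warns against production use, and anyone running this compose file on a laptop exposes phpMyAdmin with the credentials printed in gitpod/README.md to their local network. Binding to loopback, `- 127.0.0.1:8081:80` and `- 127.0.0.1:8080:80`, removes that exposure; the Gitpod port proxy connects from inside the workspace, so this should still work, though it is worth confirming once. `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` are the same string, so the nextcloud DB user's credential doubles as root on the `db` service; a distinct root password costs nothing here. `links:` under `phpmyadmin` and `app` is a legacy option — the default compose network already resolves `db` by service name, so the two `links:` blocks can be dropped.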
@@ -0,0 +1,27 @@ +FROM centos:centos7 + +RUN yum install -y epel-release \ + && yum update -y \ + && yum install -y 389-ds-base 389-adminutil \ + && yum clean all + +COPY ds-setup.inf /ds-setup.inf +COPY users.ldif /users.ldif + +# The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install. +RUN useradd ldapadmin \ + && rm -fr /var/lock /usr/lib/systemd/system \ + # The 389-ds setup will fail because the hostname can't reliable be determined, so we'll bypass it and then install. \ + && sed -i 's/checkHostname {/checkHostname {\nreturn();/g' /usr/lib64/dirsrv/perl/DSUtil.pm \ + # Not doing SELinux \ + && sed -i 's/updateSelinuxPolicy($inf);//g' /usr/lib64/dirsrv/perl/* \ + # Do not restart at the end \ + && sed -i '/if (@errs = startServer($inf))/,/}/d' /usr/lib64/dirsrv/perl/* \ + && setup-ds.pl --silent --file /ds-setup.inf \ + && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \ + && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ + ldapadd -H ldap:/// -f /users.ldif -x -D "cn=Directory Manager" -w password + +EXPOSE 389 + +CMD /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && tail -F /var/log/dirsrv/slapd-dir/access diff --git a/gitpod/ldap/ds-setup.inf b/gitpod/ldap/ds-setup.inf new file mode 100644 index 000000000..d89a5deb2 --- /dev/null +++ b/gitpod/ldap/ds-setup.inf @@ -0,0 +1,21 @@ +[General] +AdminDomain = user_saml_gitpod +ConfigDirectoryAdminID = admin +ConfigDirectoryAdminPwd = admin +ConfigDirectoryLdapURL = ldap://localhost:389/o=NetscapeRoot +FullMachineName = localhost +ServerRoot = /usr/lib64/dirsrv +SuiteSpotGroup = nobody +SuiteSpotUserID = nobody + +[slapd] +AddOrgEntries = Yes +AddSampleEntries = No +InstallLdifFile = suggest +RootDN = cn=Directory Manager +RootDNPwd = password +ServerIdentifier = dir +ServerPort = 389 +SlapdConfigForMC = yes +Suffix = dc=user_saml_gitpod +UseExistingMC = No 
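Review bot: The readiness loop `while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done;` has no upper bound, so if ns-slapd fails to come up after the sed patches to DSUtil.pm the image build hangs indefinitely instead of failing with a message. A bounded form makes the failure visible: `for i in $(seq 1 60); do curl -s ldap://localhost:389 > /dev/null && break; echo waiting for ldap to start; sleep 1; done; curl -s ldap://localhost:389 > /dev/null || exit 1`. The comment "The 389-ds setup will fail because the hostname can't reliable be determined…" appears twice (once above the `RUN useradd` line and again inside the chain); keep one and fix "reliable" to "reliably". `ldapadd … -w password` places the Directory Manager password in the RUN instruction and therefore in the image history; `-y /ds-password` with a file that is deleted in the same layer would keep it out, though since ds-setup.inf already carries `RootDNPwd = password` into the image this is a consistency point rather than a new exposure.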
diff --git a/gitpod/ldap/users.ldif b/gitpod/ldap/users.ldif new file mode 100644 index 000000000..3994cd3d0 --- /dev/null +++ b/gitpod/ldap/users.ldif @@ -0,0 +1,47 @@ +dn: cn=admin,dc=user_saml_gitpod +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: admin +userPassword: password +description: LDAP administrator + + +dn: uid=test1,ou=People,dc=user_saml_gitpod +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: inetOrgPerson +givenName: Test +uid: test1 +sn: Person 1 +cn: test person 1 +mail: test1@example.com/ +userPassword: test1password + +dn: uid=test2,ou=People,dc=user_saml_gitpod +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: inetOrgPerson +givenName: Test +uid: test2 +sn: Person 2 +cn: test person 2 +mail: test2@example.com/ +userPassword: test2password + +dn: cn=Bender Bending Rodriguez,ou=People,dc=user_saml_gitpod +objectClass: inetOrgPerson +objectClass: organizationalPerson +objectClass: person +objectClass: top +cn: Bender Bending Rodriguez +description: Robot +displayName: Bender +employeeType: Ship's Robot +givenName: Bender +mail: bender@planetexpress.com +ou: People +uid: bender +userPassword: bender +sn: Rodriguez \ No newline at end of file diff --git a/gitpod/mariadb/prepopulate.sql.template b/gitpod/mariadb/prepopulate.sql.template new file mode 100644 index 000000000..35614419a --- /dev/null +++ b/gitpod/mariadb/prepopulate.sql.template 
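Review bot: `mail: test1@example.com/` and `mail: test2@example.com/` end in a stray slash, which makes both addresses malformed; because prepopulate.sql.template maps `urn:oid:0.9.2342.19200300.100.1.3` (mail) to the Nextcloud email attribute, the SAML login for test1 and test2 hands Nextcloud an invalid email that it may reject or store verbatim. Drop the slash: `mail: test1@example.com` and `mail: test2@example.com` (the bender entry is already correct). All three user entries sit under `ou=People,dc=user_saml_gitpod`, but no `ou=People` entry is defined in this file; presumably `AddOrgEntries = Yes` in ds-setup.inf creates it, otherwise `ldapadd` in the Dockerfile fails with noSuchObject — worth confirming, since that would surface only as the unbounded wait loop in the build.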
@@ -0,0 +1,39 @@ +SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; +START TRANSACTION; +SET time_zone = "+00:00"; + +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; +/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; +/*!40101 SET NAMES utf8mb4 */; + +CREATE TABLE `oc_appconfig` ( + `appid` varchar(32) COLLATE utf8mb4_bin NOT NULL DEFAULT '', + `configkey` varchar(64) COLLATE utf8mb4_bin NOT NULL DEFAULT '', + `configvalue` longtext COLLATE utf8mb4_bin DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin ROW_FORMAT=COMPRESSED; + +INSERT INTO `oc_appconfig` (`appid`, `configkey`, `configvalue`) VALUES +('user_saml', 'enabled', 'yes'), +('user_saml', 'general-idp0_display_name', ''), +('user_saml', 'general-uid_mapping', 'urn:oid:0.9.2342.19200300.100.1.1'), +('user_saml', 'idp-entityId', '$SIMPLESAML_URL/saml2/idp/metadata.php'), +('user_saml', 'idp-singleLogoutService.url', '${SIMPLESAML_URL}/saml2/idp/SingleLogoutService.php'), +('user_saml', 'idp-singleSignOnService.url', '$SIMPLESAML_URL/saml2/idp/SSOService.php'), +('user_saml', 'idp-x509cert', '-----BEGIN 
CERTIFICATE-----\nMIIEazCCAtOgAwIBAgIUVe3Ml/fwjyN00L5CrJGDT9FKHU0wDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA3MTkxMTM2MzNaFw0zMTA3\nMTkxMTM2MzNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEB\nAQUAA4IBjwAwggGKAoIBgQDGxIo6wrrtHLYLLgVRne1cMjN3RdsSHZ18mvDF4Kov\nzqTS9jpP1qxWfAyC064Zk4S0sYXc2DCsjTEsibRb7LNBJpPDbzlAtavgsMS3H1v8\nTbYEW0tkTOGQR+HfFzvmprG8km28KFmYo4k3Ik092D12ff3sSEp7HifGQIz1k46G\n6Ac/kMiSVtaRn0JMWb9Z21T8rpntlI6/anDWgNjxjn9e38HmC4Thix6fr7u015ZP\nu26oAuA5PzJHju8mH6b+XY2jVNpUWg8YgmPX3bPWIbrVz82G7aGeFYodl+vn49dt\nUPH1k3bKWWU6vRgRXeXrQHZtMirDC3Nn008V+N5544jAjz3DatfRgYOux7zLQtBU\nb4XsFR8GLMxuCoqvX3TtcL73veOehio4eLEBikfM6MGpORxVMazzkcjQuQjqnA3n\nfCx8nMH7X+rbJFs7RzijZvIMkgwIYU2X/Lawaphj2cIBeFZdbmO7pJO0UTyhRc0u\nHMMvWRL6hAvxS9sxYyavn9ECAwEAAaNTMFEwHQYDVR0OBBYEFJvQolHQnd/B69q6\nTrnMMpkpkHmwMB8GA1UdIwQYMBaAFJvQolHQnd/B69q6TrnMMpkpkHmwMA8GA1Ud\nEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBADPs7uLp6wq1WOasxPSWTjvZ\nmdAuHep/+SlwII4hC3N/eaxgj3jS8N/EJve5nWEGRDBFvdIwizRTkXnX2IO8cqYE\n4qd9LMsi+0ONoDzh/CUeHjzRr/XX8rSw9fjGgfPQr2CWLG9IHAkj6mYUJf7dmULY\nnntiDvxGpow1WHUaihSIWj0Vni40V6S5YgW1WQwf5/Cz/CVUkUcO6ndtWBcc4Sl/\ntHVhFS/+Qefd/tf0Ms1TcgQBMRK6niDs7qW3snMy9M2hMJGhF2dqJD5iGHezeJNT\n5hNs2+v46y5qaq8X2nDlCiFpHKP8Lv1lHlb18j1l+MP9s9g4J2oEHjQy+bGIQQC9\nNt7bYroJ7IXNZMW4BMSpfafblpS7uF910l8/T0R8zGssjgfznWFV+xHonfC+rquv\nUgbNzfFyxVxTD06u/INdIA3ZYOiIssxpUjGlnpatbPs2vPF9Cu4byvdQhxatRXGs\nnyQRRqSHj2nuRltsjoeTQrpGBoXmaRPYCoPThnK2EQ==\n-----END CERTIFICATE-----'), +('user_saml', 'installed_version', '4.2.0'), +('user_saml', 'saml-attribute-mapping-displayName_mapping', 'urn:oid:2.16.840.1.113730.3.1.241'), +('user_saml', 'saml-attribute-mapping-email_mapping', 'urn:oid:0.9.2342.19200300.100.1.3'), +('user_saml', 'sp-privateKey', '-----BEGIN PRIVATE 
KEY-----\nMIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQC1YvuoUvLGdQcH\nUXh1IkeeyG3aTxJPORd19b7r6PJFnQIhLcvjSDKqeyMJJUbNG+s12fp3X4M70xCZ\nM8T+DuRg7r1CXXQjQbr3ubTz49Z063AQf0Ng0Lv8wTWtA/Y2V74QUx8cs+W6BPk9\nhRGoEgmXsFf7+fEq135TvrqkB+huhpBGr3DS7zPfMtNce72RyT2nZyLBhKOfFXMa\nylgroV9WaBGb3t/0KBfWPMJz0kqLiuwUwvSceZO09gAZVK4PqW9H6vDKtcXE9pLQ\nQBWzISDB/HA0/G6UmS6RnjcV0uQcag856bfDgK+pVtVAOM4uWPExR/fC2WB5CqBb\nw7JLFis8de7conPb5VkQzhiFFF5U33nYKphuIWpIJsT681o39UQOgNb8gKPbTjPD\nt5P0rUKaSWy6ghwToADWeMzGubxUyOOjzULc5pqBt3EUFbp1SLu+ooSZwa+3PsKI\nTqPC1Vbb/+jIb59cffNBrNJVxobm5tj11T1HbadpzQr2lbqeQpUCAwEAAQKCAYA/\nICuk8Pk8yA2iJmBdo4h5YheZGlus5pmbm+LOB0wJnhLXqTCD8ORxIFmZHTf+ufCp\n1Sqt0LfDYjksmC++m0Av2+ZR6mQ4wO9ot2CaYHiKSEW/+Api70H9POCJTg+p6e9j\njwoM2y7gBksXdfAnJd/gwqZcMygTWNvGGWKrI3VowbwEXZpOTqEm1HFqhkX7LqYe\nVG5sGtU20Cg28qSsyoR7dcxrCq22Mx3YmVyzIkR/O+Hdd9vZeRZGrDZsmmPZX4Wc\nyUmGWpMnLHRESn7F5w6W48ZvE2btdmQuAsFWnjCnHWLTroYiIHrla6TdK7dBAx4k\nogPJ4oAf07owNfsECTtcitD+B4zu0t8SElVQb0JOMRSAS+0FJQ7hGouSR9bhp6D1\nRUB7t8//pICSzBxZZcP83lVTAkJx6psM9C5xIUPK3Hfdz8PbQb5pFfiiiR1o821E\ndatfYqPYs72ME3CQ3gFkxbAvpxmUSx07mI1xhi3ACD53oqH58NCOessTtfoJISEC\ngcEA4O1TWJnJo73eRXTTwPm0OaElT392wgktpsnJeC8HI8wp2pfWnBUNU7bJO3DM\nQb9J4IGP9IuWbmn5zAgX0RjGNCQg8dkR1vxbkrPgyKRCPeJk/8KXX7vsl+Vf65al\nf4Y0amJj95P0zWafgjv0HNWB9nOp/PfNLEMoatIoAdYZ2hcJoMyGimLb9KpBbmYL\ndJJlp9LfDhnmdT3YOavqBDTzKRefJfArHoT38BzLEArlpSTPkSrjAjn0POWWEIJv\ntA+nAoHBAM5x04FT/7Otqr8RQwTa9atwbIlt/roUQBULY4sl5EZPTiYbQ9RJos6X\nwqYLCIQN8e+0+xzNXNO4g1GBHKdgn2xHmHsT97jyiCrZNuWaAyfr5pYiWtZXnh/a\nK4nNNB65j1yS76Qf0vpHecZS9SysaWveLThKw2iEqGLcH0bpr3P1E3QlcTiuYJh+\n70KI+8CuL2O7Ff/etAd2kFYqzLt/8uM58ZPenvILdkKAkoSjH+KZjo7EGuo107A7\n2DoFIXDDYwKBwQCknm16kguW0JaF5Qw510eFSiCBf3uOZaNIx7SxRlIGbB1RxAEo\n+OtpEoVTAKotkG/kZU7Tnvn5U4ykPGQZ//TIIo0OFF3PJ6FpzEa+8iEdI73hxix9\nv49YWGMMjJQRskpYdixN/baUQgCKE5EFLWpR0rNd1osOUxSYobjwJx+Ck4vTaP0q\n+VGcTqNWxk6qAZ9u5ZGkw2X89sdy5hR/AbXZpFUxMgaM7qp7zMb9tcv/QuK7j1TX\nw0yy6SEcciqI8U8CgcEAmiT3jetQU7LqePvElM2A/d9Vy0+sEPip2IzGaNGEHtN8\nQIu/G7VXsP
YzypMWarOW4Cq8DQdxtkxhEOxcnsVQhCL5QXzpTNkavxOtH8bdcGN9\nqsBAHycQ1Cusspnbvs1CtBaqhFuWxnW0AVdT5WVe2cHs9cktGs9ig15kpCg8b1Kg\nkeqbHX1mdrbgo0dw4q+shsTcak65EZF/uDcA40dn7i4HqSdieswAIyupOwwp9KI/\nhW37wsEqLL6idr/59h6NAoHANRK2a7U6sKaQkBRNw7xgVQCVsRQi3Cqq5Fs3exak\nVvtYOKto4N/W1ISArzHvTygbt9Q/LFZ80RAs7IltjGKbiunXh3fIuGx0OpFKUSwZ\ndy/nxwq5UtRqYUPCyDjgSC9DHO55kcNEUN9huJ/Ejo3Zx+eB8Hf8h/lF2VI8ZVjh\nDOnj19l9OHV7uqrV8CXhjy7TjkrEzFvT036wRfIQUGJ8izFLoUm4FoxeIZGZbRgB\nCiONbpiC7t7kh92JD11YmZwd\n-----END PRIVATE KEY-----'), +('user_saml', 'sp-x509cert', '-----BEGIN CERTIFICATE-----\nMIIEazCCAtOgAwIBAgIUZEMlBQH5YU3J5ELRvGxy1EnjSGkwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA3MTkxMjE2NTZaFw0zMTA3\nMTkxMjE2NTZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEB\nAQUAA4IBjwAwggGKAoIBgQC1YvuoUvLGdQcHUXh1IkeeyG3aTxJPORd19b7r6PJF\nnQIhLcvjSDKqeyMJJUbNG+s12fp3X4M70xCZM8T+DuRg7r1CXXQjQbr3ubTz49Z0\n63AQf0Ng0Lv8wTWtA/Y2V74QUx8cs+W6BPk9hRGoEgmXsFf7+fEq135TvrqkB+hu\nhpBGr3DS7zPfMtNce72RyT2nZyLBhKOfFXMaylgroV9WaBGb3t/0KBfWPMJz0kqL\niuwUwvSceZO09gAZVK4PqW9H6vDKtcXE9pLQQBWzISDB/HA0/G6UmS6RnjcV0uQc\nag856bfDgK+pVtVAOM4uWPExR/fC2WB5CqBbw7JLFis8de7conPb5VkQzhiFFF5U\n33nYKphuIWpIJsT681o39UQOgNb8gKPbTjPDt5P0rUKaSWy6ghwToADWeMzGubxU\nyOOjzULc5pqBt3EUFbp1SLu+ooSZwa+3PsKITqPC1Vbb/+jIb59cffNBrNJVxobm\n5tj11T1HbadpzQr2lbqeQpUCAwEAAaNTMFEwHQYDVR0OBBYEFA1R/XFcW/vjaocE\nepB+rx3QrQVaMB8GA1UdIwQYMBaAFA1R/XFcW/vjaocEepB+rx3QrQVaMA8GA1Ud\nEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBAEBS4NL8u3hN2O5oWzv2LsTA\nhdPaqGQI8935KDn36NAVRQ3J+b5K1aFPfNsMdCPI2YgT78QlgIPQ8HVz6bVt+Q7l\nk1BybxLgnvHwIxviFkOPtzdKcMgPYocMREg+NjYSa2d6tu5u1ySb8mhECJI+9hcU\nkCCeARK2tm8x+A2uvvnUy2+O4i2nDvqDbophEUv8EETM+Gb9M+7kQ2hOLD7jwdm7\n5yBLNmAkVLALLpYS5rONJlSXzkJ+kQ/XxrOxfIf/QT+CvmeQ/FG6Hp/UBtbmPxKe\n928J5ZZ8dlGAdP2M7nX06aNM8lFSow/dCScF+VaUYSSEoGB3xpxZKdorVNpSBODj\nxN++2WeXpuN8mHaFMjM5MrcNnZ8P6xrPhlfsrbm4IFIJfxJ
xnQrzoqs+LogfPL30\n/C8UStRbrz4ljZ+Tq99DJQb+XtoCSGvlxvIsKjvx6IT1BRUCt0RJ5gHIv+7rds8X\nLKbQ2aXzQTav4+NxahMYyy/n4WMgwdC0s8I0D+xwQw==\n-----END CERTIFICATE-----'), +('user_saml', 'type', 'saml'), +('user_saml', 'types', 'authentication'); + +ALTER TABLE `oc_appconfig` + ADD PRIMARY KEY (`appid`,`configkey`), + ADD KEY `appconfig_config_key_index` (`configkey`); +COMMIT; + +/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; +/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; +/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; diff --git a/gitpod/nextcloud/Dockerfile b/gitpod/nextcloud/Dockerfile new file mode 100644 index 000000000..cd488c1f8 --- /dev/null +++ b/gitpod/nextcloud/Dockerfile @@ -0,0 +1,17 @@ +FROM nextcloud + +RUN yes | pecl install xdebug \ + && echo "zend_extension=$(find /usr/local/lib/php/extensions/ -name xdebug.so)" > /usr/local/etc/php/conf.d/xdebug.ini \ + && echo "xdebug.remote_enable=on" >> /usr/local/etc/php/conf.d/xdebug.ini \ + && echo "xdebug.remote_autostart=on" >> /usr/local/etc/php/conf.d/xdebug.ini \ + && echo "xdebug.remote_host=host" >> /usr/local/etc/php/conf.d/xdebug.ini + +COPY custom-entrypoint.sh /custom-entrypoint.sh +COPY after-install.sh /after-install.sh + +RUN chmod +x /custom-entrypoint.sh +RUN chmod +x /after-install.sh + +ENTRYPOINT ["/custom-entrypoint.sh"] + +CMD ["/after-install.sh"] diff --git a/gitpod/nextcloud/after-install.sh b/gitpod/nextcloud/after-install.sh new file mode 100644 index 000000000..d46b10480 --- /dev/null +++ b/gitpod/nextcloud/after-install.sh 
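Review bot: The template mixes `'$SIMPLESAML_URL/saml2/idp/metadata.php'` and `'$SIMPLESAML_URL/saml2/idp/SSOService.php'` with `'${SIMPLESAML_URL}/saml2/idp/SingleLogoutService.php'` for the same variable; envsubst accepts both, but one form is easier to grep and review, so use `${SIMPLESAML_URL}` throughout. The `sp-privateKey` row embeds the SP's private key in a file that is committed (only the rendered prepopulate.sql is gitignored), so every environment built from this template shares one public key pair. That is acceptable for a disposable Gitpod workspace, but unlike docker-compose.yml this file carries no warning; add `-- Dev-only fixture for Gitpod: the keys and secrets below are public, never reuse them elsewhere.` as its first line. The hard-coded `installed_version` `'4.2.0'` is pre-seeded before Nextcloud's installer runs, which is presumably why after-install.sh has to invoke `migrations:migrate user_saml` by hand; a comment next to that row pointing at the script would save the next person the detour.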
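Review bot: The xdebug.ini lines written here use Xdebug 2 setting names (`xdebug.remote_enable`, `xdebug.remote_autostart`, `xdebug.remote_host`), while `pecl install xdebug` is unpinned and installs the current release; Xdebug 3 renamed these to `xdebug.mode=debug`, `xdebug.start_with_request=yes` and `xdebug.client_host=host`, and ignores the old names. Under Xdebug 3 the extension therefore never connects to the `host` extra_host defined in docker-compose.yml, even though .vscode/launch.json listens on 9003, which is Xdebug 3's default `xdebug.client_port`. Either pin the version to one that matches the option names used, or switch the three `echo` lines to the Xdebug 3 names. `FROM nextcloud` is also unpinned, so the PHP version (and thereby which Xdebug builds) can change between prebuilds; pinning a tag such as a major version keeps the image reproducible.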
@@ -0,0 +1,20 @@ +#!/bin/sh + +run_as() { + if [ "$(id -u)" = 0 ]; then + su -p www-data -s /bin/sh -c "$1" + else + sh -c "$1" + fi +} + +run_as "php /var/www/html/occ config:system:set debug --value='true' --type=boolean" + +# Weirdly the Nextcloud docker activates user_saml app automatically but doesn't run the migration steps necessary for it to work +run_as "php /var/www/html/occ migrations:migrate user_saml" + +run_as "php /var/www/html/occ app:disable firstrunwizard" + +run_as "php /var/www/html/occ config:system:set defaultapp --value='files'" + +apache2-foreground \ No newline at end of file diff --git a/gitpod/nextcloud/custom-entrypoint.sh b/gitpod/nextcloud/custom-entrypoint.sh new file mode 100644 index 000000000..6801a2cae --- /dev/null +++ b/gitpod/nextcloud/custom-entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +# Both gitpod and Nextcloud need read/write acess +# Obviously not recommended for a production system +chmod -R 777 /var/www/html/custom_apps/ + +# mv /debug.config.php /var/www/html/config + +# chmod -R 777 /var/www/html/config + +/entrypoint.sh "$@" diff --git a/gitpod/simplesamlphp/Dockerfile b/gitpod/simplesamlphp/Dockerfile new file mode 100644 index 000000000..02e94ed17 --- /dev/null +++ b/gitpod/simplesamlphp/Dockerfile @@ -0,0 +1,6 @@ +FROM unicon/simplesamlphp + +COPY var-simplesamlphp /var/simplesamlphp/ + +RUN chown apache:apache /var/simplesamlphp/log/ \ + && chown -R apache:apache /var/simplesamlphp/cert/ diff --git a/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.crt b/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.crt new file mode 100644 index 000000000..20903ea29 --- /dev/null +++ b/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.crt 
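Review bot: Nothing checks the exit status of the `run_as` calls and the script has no `set -e`, so a failing `php /var/www/html/occ migrations:migrate user_saml` — the step the comment says is required for the app to work — is skipped silently and `apache2-foreground` starts a half-configured instance. Adding `set -eu` directly after `#!/bin/sh` makes each occ failure stop the container with a visible error; `run_as` propagates the status of `su`/`sh`, so no other change is needed. `run_as` passes its argument through `sh -c "$1"`, which is fine for the fixed literals used here; a one-line comment above the function, `# Argument is executed by sh -c: pass fixed literals only, never interpolated input.`, records that boundary for whoever extends the script.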
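Review bot: The two commented-out lines `# mv /debug.config.php /var/www/html/config` and `# chmod -R 777 /var/www/html/config` are dead code — gitpod/nextcloud/Dockerfile copies no debug.config.php into the image — so a reader cannot tell whether they are planned or abandoned. Either delete them or replace them with a `# TODO:` stating the intent. The remaining `chmod -R 777 /var/www/html/custom_apps/` runs on every container start over the bind-mounted checkout; the existing comment already explains why, which is the right level of documentation for it.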
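Review bot: `chown -R apache:apache /var/simplesamlphp/cert/` makes the web-server user the owner of the directory holding simplesamlserver.pem, the IdP signing key, which gives the PHP process write access to it when it only needs to read. If nothing in the image writes to cert/ at runtime, `chown -R root:apache /var/simplesamlphp/cert/ && chmod 750 /var/simplesamlphp/cert/ && chmod 640 /var/simplesamlphp/cert/*` keeps the key readable but not replaceable from within the application; this assumes the unicon/simplesamlphp image runs httpd/php as `apache`, which the existing chown already presumes. `FROM unicon/simplesamlphp` is unpinned, so a rebuild can pick up a different SimpleSAMLphp major version whose config.php options differ from the ones shipped in var-simplesamlphp/; pinning a tag makes prebuilds reproducible.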
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIUVe3Ml/fwjyN00L5CrJGDT9FKHU0wDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA3MTkxMTM2MzNaFw0zMTA3 +MTkxMTM2MzNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEB +AQUAA4IBjwAwggGKAoIBgQDGxIo6wrrtHLYLLgVRne1cMjN3RdsSHZ18mvDF4Kov +zqTS9jpP1qxWfAyC064Zk4S0sYXc2DCsjTEsibRb7LNBJpPDbzlAtavgsMS3H1v8 +TbYEW0tkTOGQR+HfFzvmprG8km28KFmYo4k3Ik092D12ff3sSEp7HifGQIz1k46G +6Ac/kMiSVtaRn0JMWb9Z21T8rpntlI6/anDWgNjxjn9e38HmC4Thix6fr7u015ZP +u26oAuA5PzJHju8mH6b+XY2jVNpUWg8YgmPX3bPWIbrVz82G7aGeFYodl+vn49dt +UPH1k3bKWWU6vRgRXeXrQHZtMirDC3Nn008V+N5544jAjz3DatfRgYOux7zLQtBU +b4XsFR8GLMxuCoqvX3TtcL73veOehio4eLEBikfM6MGpORxVMazzkcjQuQjqnA3n +fCx8nMH7X+rbJFs7RzijZvIMkgwIYU2X/Lawaphj2cIBeFZdbmO7pJO0UTyhRc0u +HMMvWRL6hAvxS9sxYyavn9ECAwEAAaNTMFEwHQYDVR0OBBYEFJvQolHQnd/B69q6 +TrnMMpkpkHmwMB8GA1UdIwQYMBaAFJvQolHQnd/B69q6TrnMMpkpkHmwMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBADPs7uLp6wq1WOasxPSWTjvZ +mdAuHep/+SlwII4hC3N/eaxgj3jS8N/EJve5nWEGRDBFvdIwizRTkXnX2IO8cqYE +4qd9LMsi+0ONoDzh/CUeHjzRr/XX8rSw9fjGgfPQr2CWLG9IHAkj6mYUJf7dmULY +nntiDvxGpow1WHUaihSIWj0Vni40V6S5YgW1WQwf5/Cz/CVUkUcO6ndtWBcc4Sl/ +tHVhFS/+Qefd/tf0Ms1TcgQBMRK6niDs7qW3snMy9M2hMJGhF2dqJD5iGHezeJNT +5hNs2+v46y5qaq8X2nDlCiFpHKP8Lv1lHlb18j1l+MP9s9g4J2oEHjQy+bGIQQC9 +Nt7bYroJ7IXNZMW4BMSpfafblpS7uF910l8/T0R8zGssjgfznWFV+xHonfC+rquv +UgbNzfFyxVxTD06u/INdIA3ZYOiIssxpUjGlnpatbPs2vPF9Cu4byvdQhxatRXGs +nyQRRqSHj2nuRltsjoeTQrpGBoXmaRPYCoPThnK2EQ== +-----END CERTIFICATE----- diff --git a/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.pem b/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.pem new file mode 100644 index 000000000..47b40fcac --- /dev/null +++ b/gitpod/simplesamlphp/var-simplesamlphp/cert/simplesamlserver.pem 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/wIBADANBgkqhkiG9w0BAQEFAASCBukwggblAgEAAoIBgQDGxIo6wrrtHLYL +LgVRne1cMjN3RdsSHZ18mvDF4KovzqTS9jpP1qxWfAyC064Zk4S0sYXc2DCsjTEs +ibRb7LNBJpPDbzlAtavgsMS3H1v8TbYEW0tkTOGQR+HfFzvmprG8km28KFmYo4k3 +Ik092D12ff3sSEp7HifGQIz1k46G6Ac/kMiSVtaRn0JMWb9Z21T8rpntlI6/anDW +gNjxjn9e38HmC4Thix6fr7u015ZPu26oAuA5PzJHju8mH6b+XY2jVNpUWg8YgmPX +3bPWIbrVz82G7aGeFYodl+vn49dtUPH1k3bKWWU6vRgRXeXrQHZtMirDC3Nn008V ++N5544jAjz3DatfRgYOux7zLQtBUb4XsFR8GLMxuCoqvX3TtcL73veOehio4eLEB +ikfM6MGpORxVMazzkcjQuQjqnA3nfCx8nMH7X+rbJFs7RzijZvIMkgwIYU2X/Law +aphj2cIBeFZdbmO7pJO0UTyhRc0uHMMvWRL6hAvxS9sxYyavn9ECAwEAAQKCAYAK +uW/726XaRUJNOB5xWOQFpW/Bb7NyNsbYgkObaZPFIJEkEMT0qdCCmg7SwDkUiDEQ +zsM6Ny/pH3UXwhZJH2xMh5hRYx7jrumnJeJ3Punnowm/Em3u63cAIeC9+LLyruvI +EN562HJ9GdW9c8xXGeO3EPUyWnQqUGY0/Cae2WdHQB2kAFvSCX1qPf2FwRHh90OO +np0PhIRvL38HE8ygu9+Dbu83SkfRI4BzfTfTeg5SHvrJdd5DOHWuBrhAhlSsRL/X +MNNi1zLAOLTgL+7KQBZtz+kHByI/yKt84TJx2c41TmK4GGHrHl2v3jjH7cOB27xo +VkgFSvDSUAigWOHOH48RrGNeDJcr86uzMkZjXtxWbB7maiybJiPATvG8u71OCXOd +GpqsqVfDAc34WKwzg3lrT+snGj3a8JO2aaeXEIy2h9tMax68YAJYzFsNCDl8DdgQ +/rkfDiXxNVrXvnapmp5RVZvKbGJPkO9DcINRY7UUTAWJyk4W+wMrCBCV2t38FUEC +gcEA9i1F6ACa8kyGQ+k1L+CYULylAxX4NkG04aXwM5EQXEil/g9NtRcIO1TGEt7s +7QY6lnLN3lrB29nQ7/H/RTm9gtZ8Y9Sx7Jg7rTmjYocBqaPIl6hQjYIW7H2Xv92P +QIAlOA+kvs2sSUBmbP0bxgflJJgIbA8U0LaTLN4RIq4ncqcFvGZsuO2uOIvFVFic +2Izd3E98Lo/4a29IfzLp70nkOP4KBBcnCLvso+9NCTxLNxfryuFw4EJGc9Da32k2 +qokXAoHBAM6y+hguMG0zLgUgljzshkqyhK6ww4wa1f2iGsJ+ypsgCqD+OQv4v5ZK +vB504LHUbDIQbEXHaxXCQeK7bAUSQCW5jH21C8qkYibFAdU9kOQaH5uWSggbJo9B +gbpnr67EdoXkIDrw7o+KdwWXRKD3F67QGlpD0/8Pbw11LQOTRhasedgSxjy+yCkP +nn1IfV1vNd2GLGRLwhuEcwkovO4ZI5QRGDhQhfgtFMrlgECmk+tbAdTXNR9jya+i +tASx1zDfVwKBwQCGWv8kN/BY/VrqBYV5s+JtbgfBP2RQeFv4K1CFVE7RjvTJTCDl +DMT5XLMd6Xz1f8jKA65IBNB45NAbpL/lUDYWCmmpMpRIxG0Nhb+eLoDBzRnVa49L +LAzG1WTU2l8snMOzbRZE7ItzDyrXoOxfkD+HUVKHZ1O89WgtvKUtgE8XTADdaik8 +ZLwJMH9qIVK4/Wi4rMjhwMGcIQg4I9l5N6LPWBavVNOA+M+WSSyKNdX3I58VAyVP 
+v9wjqYFLHWkwedECgcEAxtbrubktQs9aNPp9LIyIP3FuLDLFWpEyTDTWM0YPl50C +PI9yx256t5SbVV0wDkH/90VPMu08uYjPItMTfelppiDR4tf4SO9LsGoSclUwfg4X +W+/+tb+Qn3zv1CcMnT5HmlOzIaBGjfUwvEMhdQteT//HahAX7ySkuzh+nhLd+M/g +wpiE9Ui+eqmY2IKUfv6NvdXl/HHYf+oxU51J6m5qiHTNbNchmXWcq/aNIyRb5av9 +ngeNBe5Txc7qCB4gmdYvAoHBAOmOQGcl2pQokHlpqflIWyM7iUFY42ZHUNijH+sa +hqaubA2+aDTfKjLbgTqlfBSu9d551fg/tTzJJ17NItyMpAXQyVSEbyzNJ5x1Whq0 +SfqUxeprgfaZzhlv35q6aeWXKOPEdNQtVQ4VSh6s41J4rC44phOqlyijvEvvzOle +otYP1M/S2HqJ9fAGE55/E4Num5vCMmspvnUUf/ZcA5rUJ22rf3k6Gy9MLc6oONs1 +Es1UO141GjLwvHCmi9ONEbEqVg== +-----END PRIVATE KEY----- diff --git a/gitpod/simplesamlphp/var-simplesamlphp/config/authsources.php b/gitpod/simplesamlphp/var-simplesamlphp/config/authsources.php new file mode 100644 index 000000000..d16b5deac --- /dev/null +++ b/gitpod/simplesamlphp/var-simplesamlphp/config/authsources.php @@ -0,0 +1,48 @@ + array( + // The default is to use core:AdminPassword, but it can be replaced with + // any authentication source. + + 'core:AdminPassword', + ), + + 'ldap' => array( + 'ldap:LDAP', + + 'hostname' => 'ldap', + + 'enable_tls' => FALSE, + + 'debug' => TRUE, + + 'timeout' => 0, + + 'port' => 389, + + 'referrals' => TRUE, + + 'attributes' => null, + + 'dnpattern' => 'uid=%username%,ou=People,dc=user_saml_gitpod', + + 'search.enable' => true, + + 'search.base' => 'ou=People,dc=user_saml_gitpod', + + 'search.attributes' => ['uid', 'mail'], + + 'search.username' => NULL, + 'search.password' => NULL, + + 'priv.read' => FALSE, + + 'priv.username' => NULL, + 'priv.password' => NULL, + + ), + +); diff --git a/gitpod/simplesamlphp/var-simplesamlphp/config/config.php b/gitpod/simplesamlphp/var-simplesamlphp/config/config.php new file mode 100644 index 000000000..16b0dc9e0 --- /dev/null +++ b/gitpod/simplesamlphp/var-simplesamlphp/config/config.php 
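Review bot: The `ldap` source is configured with `'enable_tls' => FALSE` and `'debug' => TRUE`, so user passwords are sent to the `ldap` container in cleartext over the compose network and the LDAP module logs its bind activity at debug level; both are defensible inside a throwaway Gitpod workspace, but the file does not say so. A comment above `'ldap:LDAP',` such as `// Dev-only: plaintext LDAP on the internal compose network with debug logging; do not copy to a real deployment.` marks that boundary. `'search.username' => NULL` and `'priv.username' => NULL` mean anonymous searches against the directory, which works only because the 389-ds instance is configured to allow it; a short `// anonymous search relies on the dev 389-ds ACIs` note would explain why no bind credentials appear here. In this rendering of the diff the hunk begins at `+ array(` with the `<?php` opening and the `$config = array(` / `'admin' =>` lines missing, so the file as shown starts mid-expression; presumably the original has them.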
@@ -0,0 +1,511 @@ + getenv('SIMPLESAML_URL'), + 'certdir' => 'cert/', + 'loggingdir' => 'log/', + 'datadir' => 'data/', + + 'tempdir' => '/tmp/simplesaml', + + 'debug' => true, + + 'showerrors' => true, + 'errorreporting' => true, + + 'debug.validatexml' => false, + + 'auth.adminpassword' => '1234', + 'admin.protectindexpage' => false, + 'admin.protectmetadata' => false, + + /** + * This is a secret salt used by SimpleSAMLphp when it needs to generate a secure hash + * of a value. It must be changed from its default value to a secret value. The value of + * 'secretsalt' can be any valid string of any length. + * + * A possible way to generate a random salt is by running the following command from a unix shell: + * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo + */ + 'secretsalt' => '9ce4uikx2xn9a6py96fv4yn3m3h8ck4r', + + 'technicalcontact_name' => 'Administrator', + + 'timezone' => null, + + 'logging.level' => SimpleSAML_Logger::DEBUG, + 'logging.handler' => 'syslog', + + 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER, + + 'logging.processname' => 'simplesamlphp', + + 'logging.logfile' => 'simplesamlphp.log', + + /* (New) statistics output configuration. + * + * This is an array of outputs. Each output has at least a 'class' option, which + * selects the output. + */ + 'statistics.out' => array( + array( + 'class' => 'core:Log', + 'level' => 'notice', + ), + ), + + 'enable.saml20-idp' => true, + 'enable.shib13-idp' => false, + 'enable.adfs-idp' => false, + 'enable.wsfed-sp' => false, + 'enable.authmemcookie' => false, + + + 'module.enable' => [ + 'core' => true, + 'saml' => true, + 'ldap' => true, + ], + + + /* + * This value is the duration of the session in seconds. Make sure that the time duration of + * cookies both at the SP and the IdP exceeds this duration. + */ + 'session.duration' => 8 * (60 * 60), // 8 hours. + + /* + * Sets the duration, in seconds, data should be stored in the datastore. 
As the datastore is used for + * login and logout requests, thid option will control the maximum time these operations can take. + * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations. + */ + 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours + + /* + * Sets the duration, in seconds, auth state should be stored. + */ + 'session.state.timeout' => (60 * 60), // 1 hour + + /* + * Option to override the default settings for the session cookie name + */ + 'session.cookie.name' => 'SimpleSAMLSessionID', + + /* + * Expiration time for the session cookie, in seconds. + * + * Defaults to 0, which means that the cookie expires when the browser is closed. + * + * Example: + * 'session.cookie.lifetime' => 30*60, + */ + 'session.cookie.lifetime' => 0, + + /* + * Limit the path of the cookies. + * + * Can be used to limit the path of the cookies to a specific subdirectory. + * + * Example: + * 'session.cookie.path' => '/simplesaml/', + */ + 'session.cookie.path' => '/', + + /* + * Cookie domain. + * + * Can be used to make the session cookie available to several domains. + * + * Example: + * 'session.cookie.domain' => '.example.org', + */ + 'session.cookie.domain' => null, + + /* + * Set the secure flag in the cookie. + * + * Set this to TRUE if the user only accesses your service + * through https. If the user can access the service through + * both http and https, this must be set to FALSE. + */ + 'session.cookie.secure' => false, + + /* + * Enable secure POST from HTTPS to HTTP. + * + * If you have some SP's on HTTP and IdP is normally on HTTPS, this option + * enables secure POSTing to HTTP endpoint without warning from browser. + * + * For this to work, module.php/core/postredirect.php must be accessible + * also via HTTP on IdP, e.g. if your IdP is on + * https://idp.example.org/ssp/, then + * http://idp.example.org/ssp/module.php/core/postredirect.php must be accessible. 
+ */ + 'enable.http_post' => false, + + /* + * Options to override the default settings for php sessions. + */ + 'session.phpsession.cookiename' => null, + 'session.phpsession.savepath' => null, + 'session.phpsession.httponly' => true, + + /* + * Option to override the default settings for the auth token cookie + */ + 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken', + + /* + * Options for remember me feature for IdP sessions. Remember me feature + * has to be also implemented in authentication source used. + * + * Option 'session.cookie.lifetime' should be set to zero (0), i.e. cookie + * expires on browser session if remember me is not checked. + * + * Session duration ('session.duration' option) should be set according to + * 'session.rememberme.lifetime' option. + * + * It's advised to use remember me feature with session checking function + * defined with 'session.check_function' option. + */ + 'session.rememberme.enable' => false, + 'session.rememberme.checked' => false, + 'session.rememberme.lifetime' => (14 * 86400), + + /** + * Custom function for session checking called on session init and loading. + * See docs/simplesamlphp-advancedfeatures.txt for function code example. 
+ * + * Example: + * 'session.check_function' => array('sspmod_example_Util', 'checkSession'), + */ + + /* + * Languages available, RTL languages, and what language is default + */ + 'language.available' => array( + 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'fr', 'it', 'nl', 'lb', 'cs', + 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw', 'ru', 'et', + 'he', 'id', 'sr', 'lv', 'ro', 'eu' + ), + 'language.rtl' => array('ar', 'dv', 'fa', 'ur', 'he'), + 'language.default' => 'en', + + /* + * Options to override the default settings for the language parameter + */ + 'language.parameter.name' => 'language', + 'language.parameter.setcookie' => true, + + /* + * Options to override the default settings for the language cookie + */ + 'language.cookie.name' => 'language', + 'language.cookie.domain' => null, + 'language.cookie.path' => '/', + 'language.cookie.lifetime' => (60 * 60 * 24 * 900), + + 'attributes.extradictionary' => null, + + 'theme.use' => 'default', + + + /* + * Default IdP for WS-Fed. + */ + 'default-wsfed-idp' => 'urn:federation:pingfederate:localhost', + + /* + * Whether the discovery service should allow the user to save his choice of IdP. + */ + 'idpdisco.enableremember' => true, + 'idpdisco.rememberchecked' => true, + + // Disco service only accepts entities it knows. + 'idpdisco.validate' => true, + + 'idpdisco.extDiscoveryStorage' => null, + + 'idpdisco.layout' => 'dropdown', + + /* + * Whether SimpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication + * responses. + * + * The default is to sign the assertion element, but that can be overridden by setting this + * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the + * same name to the metadata of the SP. 
+ */ + 'shib13.signresponse' => true, + + + /* + * Authentication processing filters that will be executed for all IdPs + * Both Shibboleth and SAML 2.0 + */ + 'authproc.idp' => array( + /* Enable the authproc filter below to add URN Prefixces to all attributes + 10 => array( + 'class' => 'core:AttributeMap', 'addurnprefix' + ), */ + /* Enable the authproc filter below to automatically generated eduPersonTargetedID. + 20 => 'core:TargetedID', + */ + + // Adopts language from attribute to use in UI + 30 => 'core:LanguageAdaptor', + + /* Add a realm attribute from edupersonprincipalname + 40 => 'core:AttributeRealm', + */ + 45 => array( + 'class' => 'core:StatisticsWithAttribute', + 'attributename' => 'realm', + 'type' => 'saml20-idp-SSO', + ), + + /* When called without parameters, it will fallback to filter attributes ‹the old way› + * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. + */ + 50 => 'core:AttributeLimit', + + /* + * Search attribute "distinguishedName" for pattern and replaces if found + + 60 => array( + 'class' => 'core:AttributeAlter', + 'pattern' => '/OU=studerende/', + 'replacement' => 'Student', + 'subject' => 'distinguishedName', + '%replace', + ), + */ + + /* + * Consent module is enabled (with no permanent storage, using cookies). + + 90 => array( + 'class' => 'consent:Consent', + 'store' => 'consent:Cookie', + 'focus' => 'yes', + 'checked' => TRUE + ), + */ + // If language is set in Consent module it will be added as an attribute. + 99 => 'core:LanguageAdaptor', + ), + /* + * Authentication processing filters that will be executed for all SPs + * Both Shibboleth and SAML 2.0 + */ + 'authproc.sp' => array( + /* + 10 => array( + 'class' => 'core:AttributeMap', 'removeurnprefix' + ), + */ + + /* + * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation. 
+ 60 => array(
+ 'class' => 'core:GenerateGroups', 'eduPersonAffiliation'
+ ),
+ */
+ /*
+ * All users will be members of 'users' and 'members'
+ 61 => array(
+ 'class' => 'core:AttributeAdd', 'groups' => array('users', 'members')
+ ),
+ */
+
+ // Adopts language from attribute to use in UI
+ 90 => 'core:LanguageAdaptor',
+
+ ),
+
+ 'metadata.sources' => array(
+ array('type' => 'flatfile'),
+ ),
+
+
+ /*
+ * Configure the datastore for SimpleSAMLphp.
+ *
+ * - 'phpsession': Limited datastore, which uses the PHP session.
+ * - 'memcache': Key-value datastore, based on memcache.
+ * - 'sql': SQL datastore, using PDO.
+ *
+ * The default datastore is 'phpsession'.
+ *
+ * (This option replaces the old 'session.handler'-option.)
+ */
+ 'store.type' => 'phpsession',
+
+
+ /*
+ * The DSN the sql datastore should connect to.
+ *
+ * See http://www.php.net/manual/en/pdo.drivers.php for the various
+ * syntaxes.
+ */
+ 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
+
+ /*
+ * The username and password to use when connecting to the database.
+ */
+ 'store.sql.username' => null,
+ 'store.sql.password' => null,
+
+ /*
+ * The prefix we should use on our tables.
+ */
+ 'store.sql.prefix' => 'SimpleSAMLphp',
+
+
+ /*
+ * Configuration for the 'memcache' session store. This allows you to store
+ * multiple redundant copies of sessions on different memcache servers.
+ *
+ * 'memcache_store.servers' is an array of server groups. Every data
+ * item will be mirrored in every server group.
+ *
+ * Each server group is an array of servers. The data items will be
+ * load-balanced between all servers in each server group.
+ *
+ * Each server is an array of parameters for the server. The following
+ * options are available:
+ * - 'hostname': This is the hostname or ip address where the
+ * memcache server runs. This is the only required option.
+ * - 'port': This is the port number of the memcache server. 
If this
+ * option isn't set, then we will use the 'memcache.default_port'
+ * ini setting. This is 11211 by default.
+ * - 'weight': This sets the weight of this server in this server
+ * group. http://php.net/manual/en/function.Memcache-addServer.php
+ * contains more information about the weight option.
+ * - 'timeout': The timeout for this server. By default, the timeout
+ * is 3 seconds.
+ *
+ * Example of redundant configuration with load balancing:
+ * This configuration makes it possible to lose both servers in the
+ * a-group or both servers in the b-group without losing any sessions.
+ * Note that sessions will be lost if one server is lost from both the
+ * a-group and the b-group.
+ *
+ * 'memcache_store.servers' => array(
+ * array(
+ * array('hostname' => 'mc_a1'),
+ * array('hostname' => 'mc_a2'),
+ * ),
+ * array(
+ * array('hostname' => 'mc_b1'),
+ * array('hostname' => 'mc_b2'),
+ * ),
+ * ),
+ *
+ * Example of simple configuration with only one memcache server,
+ * running on the same computer as the web server:
+ * Note that all sessions will be lost if the memcache server crashes.
+ *
+ * 'memcache_store.servers' => array(
+ * array(
+ * array('hostname' => 'localhost'),
+ * ),
+ * ),
+ *
+ */
+ 'memcache_store.servers' => array(
+ array(
+ array('hostname' => 'localhost'),
+ ),
+ ),
+
+
+ /*
+ * This value allows you to set a prefix for memcache-keys. The default
+ * for this value is 'simpleSAMLphp', which is fine in most cases.
+ *
+ * When running multiple instances of SSP on the same host, and more
+ * than one instance is using memcache, you probably want to assign
+ * a unique value per instance to this setting to avoid data collision.
+ */
+ 'memcache_store.prefix' => null,
+
+
+ /*
+ * This value is the duration data should be stored in memcache. Data
+ * will be dropped from the memcache servers when this time expires.
+ * The time will be reset every time the data is written to the
+ * memcache servers. 
+ *
+ * This value should always be larger than the 'session.duration'
+ * option. Not doing this may result in the session being deleted from
+ * the memcache servers while it is still in use.
+ *
+ * Set this value to 0 if you don't want data to expire.
+ *
+ * Note: The oldest data will always be deleted if the memcache server
+ * runs out of storage space.
+ */
+ 'memcache_store.expires' => 36 * (60 * 60), // 36 hours.
+
+
+ /*
+ * Should signing of generated metadata be enabled by default.
+ *
+ * Metadata signing can also be enabled for a individual SP or IdP by setting the
+ * same option in the metadata for the SP or IdP.
+ */
+ 'metadata.sign.enable' => false,
+
+ /*
+ * The default key & certificate which should be used to sign generated metadata. These
+ * are files stored in the cert dir.
+ * These values can be overridden by the options with the same names in the SP or
+ * IdP metadata.
+ *
+ * If these aren't specified here or in the metadata for the SP or IdP, then
+ * the 'certificate' and 'privatekey' option in the metadata will be used.
+ * if those aren't set, signing of metadata will fail.
+ */
+ 'metadata.sign.privatekey' => null,
+ 'metadata.sign.privatekey_pass' => null,
+ 'metadata.sign.certificate' => null,
+
+
+ /*
+ * Proxy to use for retrieving URLs.
+ *
+ * Example:
+ * 'proxy' => 'tcp://proxy.example.com:5100'
+ */
+ 'proxy' => null,
+
+ /*
+ * Array of domains that are allowed when generating links or redirections
+ * to URLs. SimpleSAMLphp will use this option to determine whether to
+ * to consider a given URL valid or not, but you should always validate
+ * URLs obtained from the input on your own (i.e. ReturnTo or RelayState
+ * parameters obtained from the $_REQUEST array). 
+ *
+ * SimpleSAMLphp will automatically add your own domain (either by checking
+ * it dynamically, or by using the domain defined in the 'baseurlpath'
+ * directive, the latter having precedence) to the list of trusted domains,
+ * in case this option is NOT set to NULL. In that case, you are explicitly
+ * telling SimpleSAMLphp to verify URLs.
+ *
+ * Set to an empty array to disallow ALL redirections or links pointing to
+ * an external URL other than your own domain. This is the default behaviour.
+ *
+ * Set to NULL to disable checking of URLs. DO NOT DO THIS UNLESS YOU KNOW
+ * WHAT YOU ARE DOING!
+ *
+ * Example:
+ * 'trusted.url.domains' => array('sp.example.com', 'app.example.com'),
+ */
+ 'trusted.url.domains' => array(),
+
+);
diff --git a/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-idp-hosted.php b/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-idp-hosted.php
new file mode 100644
index 000000000..9492f4134
--- /dev/null
+++ b/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-idp-hosted.php
@@ -0,0 +1,32 @@
+ '__DEFAULT__',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'simplesamlserver.pem',
+ 'certificate' => 'simplesamlserver.crt',
+
+ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+
+ 'authproc' => [
+ // Convert LDAP names to oids.
+ 100 => ['class' => 'core:AttributeMap', 'name2oid'],
+ ],
+
+ /*
+ * Authentication source to use. Must be one that is configured in
+ * 'config/authsources.php'.
+ */
+ 'auth' => 'ldap',
+);
diff --git a/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php.template b/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php.template
new file mode 100644
index 000000000..f77e46cbc
--- /dev/null
+++ b/gitpod/simplesamlphp/var-simplesamlphp/metadata/saml20-sp-remote.php.template
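Review bot: The `'privatekey' => 'simplesamlserver.pem'` / `'certificate' => 'simplesamlserver.crt'` pair in the saml20-idp-hosted.php hunk is documented only as "Relative to the cert directory"; if those files ship with this Gitpod setup (the cert directory is not in this hunk), every workspace built from the repository signs with the same IdP key, and nothing in the file says so. I would extend that comment to `// Dev-only key pair for the Gitpod sandbox: the IdP signing key is shared by every workspace, so never reuse it outside this environment.` The `'auth' => 'ldap'` entry relies on an `ldap` source in config/authsources.php, which is outside this hunk, so I cannot confirm it exists. The array's opening line before `'__DEFAULT__'` is not rendered on this page, so the start of the definition is not visible here.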
@@ -0,0 +1,39 @@
+ '$NEXTCLOUD_URL/apps/user_saml/saml/metadata',
+ 'contacts' =>
+ array (
+ ),
+ 'metadata-set' => 'saml20-sp-remote',
+ 'AssertionConsumerService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => '$NEXTCLOUD_URL/apps/user_saml/saml/acs',
+ 'index' => 1,
+ ),
+ ),
+ 'SingleLogoutService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => '$NEXTCLOUD_URL/apps/user_saml/saml/sls',
+ ),
+ ),
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+ 'keys' =>
+ array (
+ 0 =>
+ array (
+ 'encryption' => false,
+ 'signing' => true,
+ 'type' => 'X509Certificate',
+ 'X509Certificate' => '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',
+ ),
+ ),
+ 'validate.authnrequest' => false,
+ 'saml20.sign.assertion' => false,
+);
\ No newline at end of file
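Review bot: The trailing `'validate.authnrequest' => false` and `'saml20.sign.assertion' => false` entries switch off AuthnRequest signature validation and assertion signing for this SP, and the key entry carries `'encryption' => false`, so the exchange rests on the response signature alone; the file gives no hint that this is deliberate for the sandbox. Because this is a template (the `.template` suffix and the `$NEXTCLOUD_URL` placeholders in the entityid, ACS and SLS locations) that is rendered into the live saml20-sp-remote.php, a header comment would keep the relaxed settings from being copied into a real deployment: `// Dev-only SP metadata for the Gitpod sandbox: AuthnRequest validation and assertion signing are disabled here; do not reuse these settings in production.` The array's opening line before the `'$NEXTCLOUD_URL/apps/user_saml/saml/metadata'` entityid is not rendered on this page, so the start of the definition is not visible here.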