remove stale shibboleth.JDBCStorageService so db can be read only

working static stored id and failover to computed
indentation
2022-08-05 15:06:37 +00:00 · 2022-08-05 14:52:07 +00:00 · 2022-08-05 14:32:50 +00:00 · 2022-08-05 14:32:19 +00:00 · 2022-08-05 14:00:14 +00:00
6 changed files with 67 additions and 140 deletions
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@ -20,85 +20,8 @@
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
        <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
    </AttributeFilterPolicy>
    <!--
    Example rule relying on a locally applied tag in metadata to trigger attribute
    release of some specific attributes. Add additional attributes as desired.
    -->
 	<AttributeFilterPolicy id="Per-Attribute-singleValued">
 	    <PolicyRequirementRule xsi:type="ANY" />
 	    <AttributeRule attributeID="eduPersonPrincipalName">
 	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
 	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
 	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 	            attributeValue="eduPersonPrincipalName" />
 	    </AttributeRule>
 	    <AttributeRule attributeID="mail">
 	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
 	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
 	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
 	            attributeValue="mail" />
 	    </AttributeRule>
 	</AttributeFilterPolicy>
    <!--
    Same as above but more efficient form for an attribute with multiple values.
    -->
    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="eduPersonScopedAffiliation" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    </AttributeFilterPolicy>
    <!--
    Example rule for honoring Subject ID requirement tag in metadata.
    The example supplies pairwise-id if subject-id isn't explicitly required.
    -->
    <AttributeFilterPolicy id="subject-identifiers">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="samlPairwiseID">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="pairwise-id" />
                <Rule xsi:type="EntityAttributeExactMatch"
                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    attributeValue="any" />
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="samlSubjectID">
            <PermitValueRule xsi:type="EntityAttributeExactMatch"
                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                attributeValue="subject-id" />
        </AttributeRule>
    </AttributeFilterPolicy>
    <!-- Release an additional attribute to an SP. -->
    <AttributeFilterPolicy id="example1">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
        <AttributeRule attributeID="uid" permitAny="true" />
    </AttributeFilterPolicy>
    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
    <AttributeFilterPolicy id="example2">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp.example.org" />
            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    </AttributeFilterPolicy>
 </AttributeFilterPolicyGroup>
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@ -61,6 +61,14 @@ list of possible components and their options.
        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
    </AttributeDefinition>
    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
        nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        <InputDataConnector ref="sqlite-db" attributeNames="persistentId"/>
        <AttributeEncoder xsi:type="SAML2XMLObject"
                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </AttributeDefinition>
    <!-- ========================================== -->
    <!--      Data Connectors                       -->
@ -75,4 +83,21 @@ list of possible components and their options.
        </Attribute>
    </DataConnector>
    <DataConnector xsi:type="ComputedId" id="computedID"
 	    generatedAttributeID="persistentId"
 	    salt='04D00D29-5FFF-4732-8645-ED8B7678BE4E'>
        <InputAttributeDefinition ref="uid" />
    </DataConnector>
    <DataConnector id="sqlite-db" xsi:type="RelationalDatabase" noResultIsError="true">
 	    <FailoverDataConnector ref="computedID"/>
 	    <SimpleManagedConnection jdbcDriver="%{datasource.driverClass}" jdbcURL="%{datasource.jdbcUrl}" />
 	    <QueryTemplate>
 		    <![CDATA[
 			    SELECT persistentId FROM shibpid WHERE peerEntity='$resolutionContext.attributeRecipientID' AND principalName='$resolutionContext.principal';
 			    ]]>
 	    </QueryTemplate>
 	    <Column columnName="persistentId" attributeID="persistentId" />
    </DataConnector>
 </AttributeResolver>
--- a/conf/authn/authn.properties
+++ b/conf/authn/authn.properties
@ -2,7 +2,7 @@
 # specific methods.
 # Regular expression matching login flows to enable, e.g. IPAddress|Password
-#idp.authn.flows = Password
+idp.authn.flows = RemoteUser
 # Default settings for most authentication methods.
 #idp.authn.defaultLifetime = PT1H
--- a/conf/global.xml
+++ b/conf/global.xml
@ -49,4 +49,13 @@
    </util:map>
    -->
    <bean id="sqlite-dataconnector" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close"
 	    p:driverClassName="%{datasource.driverClass}"
 	    p:url="%{datasource.jdbcUrl}"
 	    p:initialSize="5"
 	    p:maxTotal="50"
 	    p:maxIdle="5"
 	    p:maxWaitMillis="2000"
 	    />
 </beans>
--- a/conf/idp.properties
+++ b/conf/idp.properties
@ -242,3 +242,14 @@ idp.ui.fallbackLanguages=en,fr,de
 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
 idp.loglevel.idp=DEBUG
 idp.loglevel.messages=DEBUG
 idp.loglevel.encryption=DEBUG
 # database details
 datasource.driverClass = org.sqlite.JDBC
 datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db
 # datasource.user = <USER>
 # datasource.password = <PASS>
--- a/conf/metadata-providers.xml
+++ b/conf/metadata-providers.xml
@ -21,69 +21,28 @@
                        http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"
    sortKey="1">
-    <!--
+    <MetadataProvider id="shib-sp-test"
-    Below you place the mechanisms which define how to load the metadata for SP(s) you will
+            xsi:type="FilesystemMetadataProvider"
-    provide service to.
+            metadataFile="/opt/idp4/metadata/shib-sp-test.xml"
            />
-    Some simple examples are provided. The documentation provides more details; in most cases,
+    <MetadataProvider id="app1"
-    the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
+            xsi:type="FilesystemMetadataProvider"
-    "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
+            metadataFile="/opt/idp4/metadata/app1.xml"
            />
-    NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
+    <MetadataProvider id="spmetadata"
-    -->
+            xsi:type="FilesystemMetadataProvider"
            metadataFile="/opt/idp4/metadata/idp-cluster-sp.xml"
            />
    <MetadataProvider id="shib-sp.mafoo.org.uik"
            xsi:type="FilesystemMetadataProvider"
            metadataFile="/opt/idp4/metadata/shib-sp.mafoo.org.uk.xml"
            />
-    
+    <MetadataProvider id="upstream-idp-metadata"
-    <!--
+            xsi:type="FilesystemMetadataProvider"
-    Example HTTP metadata provider.  Use this if you want to download the metadata
+	    metadataFile="/opt/idp4/metadata/idp-cluster-sp-idp.xml"/>
    from a remote source.
    You *MUST* provide the SignatureValidationFilter in order to function securely.
    Get the public key certificate from the party publishing the metadata, and validate
    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
    The EntityRole filter saves memory by only loading metadata from SAML roles
    that the IdP needs to interoperate with.
    -->
    <!--
    <MetadataProvider id="HTTPMetadata"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
                      metadataURL="http://WHATEVER"
                      failFastInitialization="false">
        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
        <MetadataFilter xsi:type="EntityRole">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
    -->   
    <!--
    Example file metadata provider.  Use this if you want to load metadata
    from a local file. You use this if you have some local SPs which are not
    "federated" but you wish to offer a service to.
    If you do not provide a SignatureValidation filter, then you have the
    responsibility to ensure that the contents on disk are trustworthy.
    -->
    <!--
    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
    -->
    <!--
    Example CAS metadata source for managing CAS services using SAML metadata.
    -->
    <!--
    <MetadataProvider id="CASMetadata"
                      xsi:type="FilesystemMetadataProvider"
                      metadataFile="PATH_TO_YOUR_METADATA"
                      indexesRef="shibboleth.CASMetadataIndices" />
    -->
 </MetadataProvider>
Author	SHA1	Message	Date
root	1c67d893ea	remove stale shibboleth.JDBCStorageService so db can be read only	2022-08-05 15:06:37 +00:00
root	adc02b1925	working static stored id and failover to computed	2022-08-05 14:52:07 +00:00
root	fdc4e0ec2f	indentation	2022-08-05 14:32:50 +00:00
root	16e9ff7096	storedid working	2022-08-05 14:32:19 +00:00
root	d8367d6a72	prepare	2022-08-05 14:00:14 +00:00