remove stale shibboleth.JDBCStorageService so db can be read only

working static stored id and failover to computed
indentation
2022-08-05 15:06:37 +00:00 · 2022-08-05 14:52:07 +00:00 · 2022-08-05 14:32:50 +00:00 · 2022-08-05 14:32:19 +00:00 · 2022-08-05 14:00:14 +00:00
6 changed files with 67 additions and 140 deletions
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@ -20,85 +20,8 @@
        <PolicyRequirementRule xsi:type="ANY" />
        
        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+        <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
    </AttributeFilterPolicy>

-    <!--
-    Example rule relying on a locally applied tag in metadata to trigger attribute
-    release of some specific attributes. Add additional attributes as desired.
-    -->
-	<AttributeFilterPolicy id="Per-Attribute-singleValued">
-	    <PolicyRequirementRule xsi:type="ANY" />
-	 
-	    <AttributeRule attributeID="eduPersonPrincipalName">
-	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
-	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
-	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-	            attributeValue="eduPersonPrincipalName" />
-	    </AttributeRule>
-	 
-	    <AttributeRule attributeID="mail">
-	        <PermitValueRule xsi:type="EntityAttributeExactMatch"
-	            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
-	            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-	            attributeValue="mail" />
-	    </AttributeRule>
-	</AttributeFilterPolicy>
-
-    <!--
-    Same as above but more efficient form for an attribute with multiple values.
-    -->
-    <AttributeFilterPolicy id="Per-Attribute-Affiliation">
-        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
-            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-            attributeValue="eduPersonScopedAffiliation" />
-     
-        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
-    </AttributeFilterPolicy>
-
-    <!--
-    Example rule for honoring Subject ID requirement tag in metadata.
-    The example supplies pairwise-id if subject-id isn't explicitly required.
-    -->
-    <AttributeFilterPolicy id="subject-identifiers">
-        <PolicyRequirementRule xsi:type="ANY" />
-
-        <AttributeRule attributeID="samlPairwiseID">
-            <PermitValueRule xsi:type="OR">
-                <Rule xsi:type="EntityAttributeExactMatch"
-                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    attributeValue="pairwise-id" />
-                <Rule xsi:type="EntityAttributeExactMatch"
-                    attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                    attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                    attributeValue="any" />
-            </PermitValueRule>
-        </AttributeRule>
-
-        <AttributeRule attributeID="samlSubjectID">
-            <PermitValueRule xsi:type="EntityAttributeExactMatch"
-                attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
-                attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
-                attributeValue="subject-id" />
-        </AttributeRule>
-    </AttributeFilterPolicy>
-
-    <!-- Release an additional attribute to an SP. -->
-    <AttributeFilterPolicy id="example1">
-        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
-
-        <AttributeRule attributeID="uid" permitAny="true" />
-    </AttributeFilterPolicy>
-
-    <!-- Release eduPersonScopedAffiliation to two specific SPs. -->
-    <AttributeFilterPolicy id="example2">
-        <PolicyRequirementRule xsi:type="OR">
-            <Rule xsi:type="Requester" value="https://sp.example.org" />
-            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
-        </PolicyRequirementRule>
-
-        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
-    </AttributeFilterPolicy>
    
 </AttributeFilterPolicyGroup>
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@ -61,6 +61,14 @@ list of possible components and their options.
        <InputDataConnector ref="staticAttributes" attributeNames="affiliation" />
    </AttributeDefinition>

+    <AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID"
+        nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
+        <InputDataConnector ref="sqlite-db" attributeNames="persistentId"/>
+
+        <AttributeEncoder xsi:type="SAML2XMLObject"
+                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+

    <!-- ========================================== -->
    <!--      Data Connectors                       -->
@ -75,4 +83,21 @@ list of possible components and their options.
        </Attribute>
    </DataConnector>

+    <DataConnector xsi:type="ComputedId" id="computedID"
+	    generatedAttributeID="persistentId"
+	    salt='04D00D29-5FFF-4732-8645-ED8B7678BE4E'>
+        <InputAttributeDefinition ref="uid" />
+    </DataConnector>
+
+    <DataConnector id="sqlite-db" xsi:type="RelationalDatabase" noResultIsError="true">
+	    <FailoverDataConnector ref="computedID"/>
+	    <SimpleManagedConnection jdbcDriver="%{datasource.driverClass}" jdbcURL="%{datasource.jdbcUrl}" />
+	    <QueryTemplate>
+		    <![CDATA[
+			    SELECT persistentId FROM shibpid WHERE peerEntity='$resolutionContext.attributeRecipientID' AND principalName='$resolutionContext.principal';
+			    ]]>
+	    </QueryTemplate>
+	    <Column columnName="persistentId" attributeID="persistentId" />
+    </DataConnector>
+
 </AttributeResolver>
--- a/conf/authn/authn.properties
+++ b/conf/authn/authn.properties
@ -2,7 +2,7 @@
 # specific methods.

 # Regular expression matching login flows to enable, e.g. IPAddress|Password
-#idp.authn.flows = Password
+idp.authn.flows = RemoteUser

 # Default settings for most authentication methods.
 #idp.authn.defaultLifetime = PT1H
--- a/conf/global.xml
+++ b/conf/global.xml
@ -49,4 +49,13 @@
    </util:map>
    -->

+    <bean id="sqlite-dataconnector" class="org.apache.commons.dbcp2.BasicDataSource" destroy-method="close"
+	    p:driverClassName="%{datasource.driverClass}"
+	    p:url="%{datasource.jdbcUrl}"
+	    p:initialSize="5"
+	    p:maxTotal="50"
+	    p:maxIdle="5"
+	    p:maxWaitMillis="2000"
+	    />
+
 </beans>
--- a/conf/idp.properties
+++ b/conf/idp.properties
@ -242,3 +242,14 @@ idp.ui.fallbackLanguages=en,fr,de

 # Set false if you want SAML bindings "spelled out" in audit log
 idp.audit.shortenBindings=true
+
+idp.loglevel.idp=DEBUG
+idp.loglevel.messages=DEBUG
+idp.loglevel.encryption=DEBUG
+
+# database details
+datasource.driverClass = org.sqlite.JDBC
+datasource.jdbcUrl = jdbc:sqlite:/opt/idp-storedid/db/stored-id.db
+# datasource.user = <USER>
+# datasource.password = <PASS>
+
--- a/conf/metadata-providers.xml
+++ b/conf/metadata-providers.xml
@ -21,69 +21,28 @@
                        http://www.w3.org/2009/xmlenc11# http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/xenc-schema-11.xsd"
    sortKey="1">

-    <!--
-    Below you place the mechanisms which define how to load the metadata for SP(s) you will
-    provide service to.
-    
-    Some simple examples are provided. The documentation provides more details; in most cases,
-    the modern replacement for these older plugins are the "DynamicHTTPMetadataProvider" and
-    "LocalDynamic" variants, which provide dramatic memory savings and more reliable operation.
-     
-    NOTE: You do NOT need to load metadata for this IdP itself within this configuration.
-    -->
-    
-    
-    
-    <!--
-    Example HTTP metadata provider.  Use this if you want to download the metadata
-    from a remote source.
-
-    You *MUST* provide the SignatureValidationFilter in order to function securely.
-    Get the public key certificate from the party publishing the metadata, and validate
-    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
-
-    The EntityRole filter saves memory by only loading metadata from SAML roles
-    that the IdP needs to interoperate with.
-    -->
-    
-    <!--
-    <MetadataProvider id="HTTPMetadata"
-                      xsi:type="FileBackedHTTPMetadataProvider"
-                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
-                      metadataURL="http://WHATEVER"
-                      failFastInitialization="false">
-        
-        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
-        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
-        <MetadataFilter xsi:type="EntityRole">
-            <RetainedRole>md:SPSSODescriptor</RetainedRole>
-        </MetadataFilter>
-    </MetadataProvider>
-    -->   
-
-    <!--
-    Example file metadata provider.  Use this if you want to load metadata
-    from a local file. You use this if you have some local SPs which are not
-    "federated" but you wish to offer a service to.
-    
-    If you do not provide a SignatureValidation filter, then you have the
-    responsibility to ensure that the contents on disk are trustworthy.
-    -->
-    
-    <!--
-    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-    -->
-
-
-    <!--
-    Example CAS metadata source for managing CAS services using SAML metadata.
-    -->
-
-    <!--
-    <MetadataProvider id="CASMetadata"
+    <MetadataProvider id="shib-sp-test"
            xsi:type="FilesystemMetadataProvider"
-                      metadataFile="PATH_TO_YOUR_METADATA"
-                      indexesRef="shibboleth.CASMetadataIndices" />
-    -->
+            metadataFile="/opt/idp4/metadata/shib-sp-test.xml"
+            />
+
+    <MetadataProvider id="app1"
+            xsi:type="FilesystemMetadataProvider"
+            metadataFile="/opt/idp4/metadata/app1.xml"
+            />
+
+    <MetadataProvider id="spmetadata"
+            xsi:type="FilesystemMetadataProvider"
+            metadataFile="/opt/idp4/metadata/idp-cluster-sp.xml"
+            />
+
+    <MetadataProvider id="shib-sp.mafoo.org.uik"
+            xsi:type="FilesystemMetadataProvider"
+            metadataFile="/opt/idp4/metadata/shib-sp.mafoo.org.uk.xml"
+            />
+
+    <MetadataProvider id="upstream-idp-metadata"
+            xsi:type="FilesystemMetadataProvider"
+	    metadataFile="/opt/idp4/metadata/idp-cluster-sp-idp.xml"/>

 </MetadataProvider>
Author	SHA1	Message	Date
root	1c67d893ea	remove stale shibboleth.JDBCStorageService so db can be read only	2022-08-05 15:06:37 +00:00
root	adc02b1925	working static stored id and failover to computed	2022-08-05 14:52:07 +00:00
root	fdc4e0ec2f	indentation	2022-08-05 14:32:50 +00:00
root	16e9ff7096	storedid working	2022-08-05 14:32:19 +00:00
root	d8367d6a72	prepare	2022-08-05 14:00:14 +00:00