Add config files and IdP version switch

TomiBelan · TomiBelan · commit b56288ae41f8 · 2024-12-12T23:55:56.000+01:00
diff --git a/README.md b/README.md
diff --git a/etc/apache2/sites-available/idp.conf b/etc/apache2/sites-available/idp.conf
@@ -0,0 +1,14 @@
+<VirtualHost *:443>
+	ServerName idp.unibatest.internal
+	SSLEngine on
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+	DocumentRoot /nonexistent
+	ErrorLog ${APACHE_LOG_DIR}/idp-error.log
+	CustomLog ${APACHE_LOG_DIR}/idp-access.log combined
+	ProxyPreserveHost On
+	ProxyAddHeaders On
+	ProxyPass / http://localhost:8080/
+	ProxyPassReverse / http://localhost:8080/
+	RequestHeader set X-Forwarded-Proto "https"
+</VirtualHost>
diff --git a/etc/apache2/sites-available/spmellon.conf b/etc/apache2/sites-available/spmellon.conf
@@ -0,0 +1,28 @@
+<VirtualHost *:443>
+	ServerName spmellon.unibatest.internal
+	SSLEngine on
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+	DocumentRoot /var/www/spmellon
+	ErrorLog ${APACHE_LOG_DIR}/spmellon-error.log
+	CustomLog ${APACHE_LOG_DIR}/spmellon-access.log combined
+	WSGIScriptAlias /pyinfo /var/www/pyinfo.py process-group=spmellonpy
+	WSGIScriptAlias /secret/pyinfo /var/www/pyinfo.py process-group=spmellonpy
+	WSGIDaemonProcess spmellonpy processes=1 threads=1
+	WSGIApplicationGroup %{GLOBAL}
+	<Location />
+		MellonEnable "info"
+		MellonSPMetadataFile /etc/apache2/spmellon/https_spmellon.unibatest.internal_mellon_metadata.xml
+		MellonSPPrivateKeyFile /etc/apache2/spmellon/https_spmellon.unibatest.internal_mellon_metadata.key
+		MellonSPCertFile /etc/apache2/spmellon/https_spmellon.unibatest.internal_mellon_metadata.cert
+		MellonIdPMetadataFile /opt/idpswitch/active/idp-metadata.xml
+		MellonSecureCookie On
+		# optional, for testing /mellon/invalidate:
+		MellonEnabledInvalidateSessionEndpoint On
+	</Location>
+	<Location /secret>
+		Require valid-user
+		AuthType "Mellon"
+		MellonEnable "auth"
+	</Location>
+</VirtualHost>
diff --git a/etc/apache2/sites-available/spmellon2.conf b/etc/apache2/sites-available/spmellon2.conf
@@ -0,0 +1,28 @@
+<VirtualHost *:443>
+	ServerName spmellon2.unibatest.internal
+	SSLEngine on
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+	DocumentRoot /var/www/spmellon2
+	ErrorLog ${APACHE_LOG_DIR}/spmellon2-error.log
+	CustomLog ${APACHE_LOG_DIR}/spmellon2-access.log combined
+	WSGIScriptAlias /pyinfo /var/www/pyinfo.py process-group=spmellon2py
+	WSGIScriptAlias /secret/pyinfo /var/www/pyinfo.py process-group=spmellon2py
+	WSGIDaemonProcess spmellon2py processes=1 threads=1
+	WSGIApplicationGroup %{GLOBAL}
+	<Location />
+		MellonEnable "info"
+		MellonSPMetadataFile /etc/apache2/spmellon2/https_spmellon2.unibatest.internal_mellon_metadata.xml
+		MellonSPPrivateKeyFile /etc/apache2/spmellon2/https_spmellon2.unibatest.internal_mellon_metadata.key
+		MellonSPCertFile /etc/apache2/spmellon2/https_spmellon2.unibatest.internal_mellon_metadata.cert
+		MellonIdPMetadataFile /opt/idpswitch/active/idp-metadata.xml
+		MellonSecureCookie On
+		# optional, for testing /mellon/invalidate:
+		MellonEnabledInvalidateSessionEndpoint On
+	</Location>
+	<Location /secret>
+		Require valid-user
+		AuthType "Mellon"
+		MellonEnable "auth"
+	</Location>
+</VirtualHost>
diff --git a/etc/apache2/sites-available/spshib.conf b/etc/apache2/sites-available/spshib.conf
@@ -0,0 +1,23 @@
+<VirtualHost *:443>
+	ServerName spshib.unibatest.internal
+	SSLEngine on
+	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
+	DocumentRoot /var/www/spshib
+	ErrorLog ${APACHE_LOG_DIR}/spshib-error.log
+	CustomLog ${APACHE_LOG_DIR}/spshib-access.log combined
+	WSGIScriptAlias /pyinfo /var/www/pyinfo.py process-group=spshibpy
+	WSGIScriptAlias /secret/pyinfo /var/www/pyinfo.py process-group=spshibpy
+	WSGIDaemonProcess spshibpy processes=1 threads=1
+	WSGIApplicationGroup %{GLOBAL}
+	<Location />
+		AuthType Shibboleth
+		Require shibboleth
+		ShibRequestSetting requireSession false
+	</Location>
+	<Location /secret>
+		AuthType Shibboleth
+		Require shib-session
+		ShibRequestSetting requireSession 1
+	</Location>
+</VirtualHost>
diff --git a/etc/systemd/system/idp.service b/etc/systemd/system/idp.service
@@ -0,0 +1,10 @@
+[Unit]
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+ExecStart=/bin/bash /opt/idpswitch/active/run
+User=idp
+Group=idp
+
+[Install]
+WantedBy=multi-user.target
diff --git a/opt/idpswitch/idp4-jetty10/idp-metadata.xml b/opt/idpswitch/idp4-jetty10/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp4/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp4-jetty10/run b/opt/idpswitch/idp4-jetty10/run
@@ -0,0 +1 @@
+exec env -C /opt/idp4-jetty10-base/src/main/resources/jetty-base /usr/lib/jvm/java-11-amazon-corretto/bin/java -Didp.home=/opt/idp4 -jar /opt/jetty-home-10.*/start.jar
diff --git a/opt/idpswitch/idp4-jetty12/idp-metadata.xml b/opt/idpswitch/idp4-jetty12/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp4/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp4-jetty12/run b/opt/idpswitch/idp4-jetty12/run
@@ -0,0 +1 @@
+exec env -C /opt/idp4-jetty12-base/jetty-impl/src/main/resources/net/shibboleth/idp/module/jetty/jetty-base java -Didp.home=/opt/idp4 -jar /opt/jetty-home-12.*/start.jar
diff --git a/opt/idpswitch/idp4-jetty9/idp-metadata.xml b/opt/idpswitch/idp4-jetty9/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp4/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp4-jetty9/run b/opt/idpswitch/idp4-jetty9/run
@@ -0,0 +1 @@
+exec env -C /opt/idp4-jetty9-base/src/main/resources/jetty-base /usr/lib/jvm/java-11-amazon-corretto/bin/java -Didp.home=/opt/idp4 -jar /opt/jetty-distribution-9.*/start.jar
diff --git a/opt/idpswitch/idp4-tomcat9/idp-metadata.xml b/opt/idpswitch/idp4-tomcat9/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp4/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp4-tomcat9/run b/opt/idpswitch/idp4-tomcat9/run
@@ -0,0 +1 @@
+CATALINA_BASE=/opt/idp4-tomcat9-base/src/main/resources/tomcat-base exec /opt/apache-tomcat-9.*/bin/catalina.sh run
diff --git a/opt/idpswitch/idp5-jetty11/idp-metadata.xml b/opt/idpswitch/idp5-jetty11/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp5/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp5-jetty11/run b/opt/idpswitch/idp5-jetty11/run
@@ -0,0 +1 @@
+exec env -C /opt/idp5-jetty11-base/src/main/resources/jetty-base java -Didp.home=/opt/idp5 -jar /opt/jetty-home-11.*/start.jar
diff --git a/opt/idpswitch/idp5-jetty12/idp-metadata.xml b/opt/idpswitch/idp5-jetty12/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp5/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp5-jetty12/run b/opt/idpswitch/idp5-jetty12/run
@@ -0,0 +1 @@
+exec env -C /opt/idp5-jetty12-base/jetty-impl/src/main/resources/net/shibboleth/idp/module/jetty/jetty-base java -Didp.home=/opt/idp5 -jar /opt/jetty-home-12.*/start.jar
diff --git a/opt/idpswitch/idp5-tomcat10/idp-metadata.xml b/opt/idpswitch/idp5-tomcat10/idp-metadata.xml
@@ -0,0 +1 @@
+/opt/idp5/metadata/idp-metadata.xml
diff --git a/opt/idpswitch/idp5-tomcat10/run b/opt/idpswitch/idp5-tomcat10/run
@@ -0,0 +1 @@
+CATALINA_BASE=/opt/idp5-tomcat10-base/tomcat-base exec /opt/apache-tomcat-10.*/bin/catalina.sh run
diff --git a/repo-to-system b/repo-to-system
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+cd "$(dirname "$0")"
+
+cp -rPv etc opt var /
diff --git a/system-to-repo b/system-to-repo
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+cd "$(dirname "$0")"
+
+rm -rf etc opt var
+
+for f in \
+  etc/systemd/system/idp.service \
+  etc/apache2/sites-available \
+  var/www \
+  opt/idpswitch \
+  ;
+do
+  mkdir -p "${f%/*}"
+  cp -av "/$f" "$f"
+done
+
+rm -rf etc/apache2/sites-available/*default* var/www/html opt/idpswitch/active
diff --git a/var/www/pyinfo.py b/var/www/pyinfo.py
@@ -0,0 +1,5 @@
+def application(environ, start_response):
+    start_response('200 OK', [('Content-Type', 'text/plain;charset=UTF-8')])
+    items = ''.join(f'  {k!r}: {v!r},\n' for k, v in sorted(environ.items()))
+    body = '{\n' + items + '}'
+    return [body.encode('utf-8')]
diff --git a/var/www/spmellon/index.html b/var/www/spmellon/index.html
@@ -0,0 +1,15 @@
+<body style="font-size: 2em">
+<h1>spmellon public</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>mellon/ <a href="/mellon/login?ReturnTo=/">login</a>
+| <a href="/mellon/logout?ReturnTo=/">logout</a>
+| <a href="/mellon/invalidate?ReturnTo=/">invalidate</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>
diff --git a/var/www/spmellon/secret/index.html b/var/www/spmellon/secret/index.html
@@ -0,0 +1,15 @@
+<body style="font-size: 2em">
+<h1>spmellon SECRET</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>mellon/ <a href="/mellon/login?ReturnTo=/">login</a>
+| <a href="/mellon/logout?ReturnTo=/">logout</a>
+| <a href="/mellon/invalidate?ReturnTo=/">invalidate</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>
diff --git a/var/www/spmellon2/index.html b/var/www/spmellon2/index.html
@@ -0,0 +1,15 @@
+<body style="font-size: 2em">
+<h1>spmellon2 public</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>mellon/ <a href="/mellon/login?ReturnTo=/">login</a>
+| <a href="/mellon/logout?ReturnTo=/">logout</a>
+| <a href="/mellon/invalidate?ReturnTo=/">invalidate</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>
diff --git a/var/www/spmellon2/secret/index.html b/var/www/spmellon2/secret/index.html
@@ -0,0 +1,15 @@
+<body style="font-size: 2em">
+<h1>spmellon2 SECRET</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>mellon/ <a href="/mellon/login?ReturnTo=/">login</a>
+| <a href="/mellon/logout?ReturnTo=/">logout</a>
+| <a href="/mellon/invalidate?ReturnTo=/">invalidate</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>
diff --git a/var/www/spshib/index.html b/var/www/spshib/index.html
@@ -0,0 +1,16 @@
+<body style="font-size: 2em">
+<h1>spshib public</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>Shibboleth.sso/ <a href="/Shibboleth.sso/Login?target=/">Login</a>
+| <a href="/Shibboleth.sso/Logout?return=/">Logout</a>
+| <a href="/Shibboleth.sso/Status">Status</a>
+| <a href="/Shibboleth.sso/Session">Session</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>
diff --git a/var/www/spshib/secret/index.html b/var/www/spshib/secret/index.html
@@ -0,0 +1,16 @@
+<body style="font-size: 2em">
+<h1>spshib SECRET</h1>
+<p><a href="/">public page</a>
+| <a href="/pyinfo/">public pyinfo</a>
+| <a href="/secret/">secret page</a>
+| <a href="/secret/pyinfo/">secret pyinfo</a>
+<p>Shibboleth.sso/ <a href="/Shibboleth.sso/Login?target=/">Login</a>
+| <a href="/Shibboleth.sso/Logout?return=/">Logout</a>
+| <a href="/Shibboleth.sso/Status">Status</a>
+| <a href="/Shibboleth.sso/Session">Session</a>
+<p><a href="https://idp.unibatest.internal/">idp/</a>
+| <a href="https://idp.unibatest.internal/idp/">idp/idp/</a>
+| <a href="https://idp.unibatest.internal/idp/profile/admin/hello">hello</a>
+| <a href="https://spmellon.unibatest.internal/">spmellon</a>
+| <a href="https://spmellon2.unibatest.internal/">spmellon2</a>
+| <a href="https://spshib.unibatest.internal/">spshib</a>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+exec env -C /opt/idp4-jetty10-base/src/main/resources/jetty-base /usr/lib/jvm/java-11-amazon-corretto/bin/java -Didp.home=/opt/idp4 -jar /opt/jetty-home-10.*/start.jar`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+exec env -C /opt/idp4-jetty12-base/jetty-impl/src/main/resources/net/shibboleth/idp/module/jetty/jetty-base java -Didp.home=/opt/idp4 -jar /opt/jetty-home-12.*/start.jar`