Diffstat (limited to 'apache-sp')
-rw-r--r--apache-sp/Dockerfile16
-rw-r--r--apache-sp/apache-conf/sp.conf57
-rw-r--r--apache-sp/entrypoint.sh40
-rw-r--r--apache-sp/secure/index.haml10
-rw-r--r--apache-sp/secure/index.shtml12
-rw-r--r--apache-sp/shibd/shibboleth2.xml38
6 files changed, 173 insertions, 0 deletions
diff --git a/apache-sp/Dockerfile b/apache-sp/Dockerfile
new file mode 100644
index 0000000..51cc408
--- /dev/null
+++ b/apache-sp/Dockerfile
@@ -0,0 +1,16 @@
+FROM debian:jessie
+MAINTAINER Markus Krogh <markus@nordu.net>
+
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
+RUN apt-get update && apt-get -y install apache2 libapache2-mod-shib2 ssl-cert curl
+RUN a2enmod shib2 headers ssl
+
+RUN rm -f /etc/apache2/sites-available/* /etc/apache2/sites-enabled/*
+ADD apache-conf/*.conf /etc/apache2/sites-available/
+ADD shibd/shibboleth2.xml /etc/shibboleth/
+ADD secure /var/www/secure
+ADD entrypoint.sh /entrypoint.sh
+RUN chmod a+rx /entrypoint.sh
+EXPOSE 443
+EXPOSE 80
+ENTRYPOINT ["/entrypoint.sh"]
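Review bot: The four `ADD` lines from `ADD apache-conf/*.conf /etc/apache2/sites-available/` to `ADD entrypoint.sh /entrypoint.sh` copy plain local files with no archive extraction or URL fetch, so they should be `COPY` (hadolint DL3020); with BuildKit, `COPY --chmod=755 entrypoint.sh /entrypoint.sh` would also fold away the separate `RUN chmod a+rx /entrypoint.sh` layer. The apt layer never removes the package lists it downloads, so the install line should end in `&& rm -rf /var/lib/apt/lists/*`, and `--no-install-recommends` would keep the image smaller. `MAINTAINER` is deprecated (DL4000); use `LABEL org.opencontainers.image.authors="Markus Krogh <markus@nordu.net>"`. `debian:jessie` has since reached end of life, so the base should be moved to a supported tag and ideally pinned by digest so rebuilds are reproducible.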
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
new file mode 100644
index 0000000..3de6bf4
--- /dev/null
+++ b/apache-sp/apache-conf/sp.conf
@@ -0,0 +1,57 @@
+ServerName __SP_HOSTNAME__
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder on
+
+<VirtualHost *:80>
+ ServerName __SP_HOSTNAME__
+ DocumentRoot /var/www/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName idp.nordu.dev
+ SSLEngine On
+ SSLCertificateFile __KEYDIR__/certs/__SP_HOSTNAME__.crt
+ SSLCertificateKeyFile __KEYDIR__/private/__SP_HOSTNAME__.key
+ ProxyPass / http://shibboleth-docker:8080/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName __SP_HOSTNAME__
+ SSLEngine On
+ SSLCertificateFile __KEYDIR__/certs/__SP_HOSTNAME__.crt
+ SSLCertificateKeyFile __KEYDIR__/private/__SP_HOSTNAME__.key
+ DocumentRoot /var/www/
+
+ Alias /shibboleth-sp/ /usr/share/shibboleth/
+ AddDefaultCharset utf-8
+
+ HostnameLookups Off
+ ErrorLog /proc/self/fd/2
+ LogLevel warn
+ LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+ LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %O" common
+ LogFormat "%{Referer}i -> %U" referer
+ LogFormat "%{User-agent}i" agent
+ CustomLog /proc/self/fd/1 combined
+ ServerSignature off
+
+
+ <Location /secure>
+ AuthType shibboleth
+ ShibRequireSession On
+ require valid-user
+ Options +Includes
+ Header set X_REMOTE_USER %{eppn}e
+ Header set EPPN %{eppn}e
+ Header set GIVENNAME %{givenName}e
+ Header set DISPLAYNAME %{displayName}e
+ Header set SN %{sn}e
+ Header set MAIL %{mail}e
+ Header set AFFILIATION %{affiliation}e
+ Header set UNSCOPED_AFFILIATION %{unscoped_affiliation}e
+ Header set UID %{uid}e
+
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+ </Location>
+</VirtualHost>
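Review bot: The `Header set X_REMOTE_USER %{eppn}e` … `Header set UID %{uid}e` block inside `<Location /secure>` sets response headers, so the user's eppn, mail and the other attributes are echoed back to the browser and any intermediary on every response rather than handed to an application; if the intent is to pass attributes to a backend the directive is `RequestHeader set`, and if there is no backend the block can simply go. `Options +Includes` enables full SSI including `#exec` for the protected directory, while the page only needs `#printenv`, so `Options +IncludesNOEXEC` is the least-privilege form. The second `<VirtualHost *:443>` hardcodes `ServerName idp.nordu.dev` while every other host is `__SP_HOSTNAME__`, serves it with the SP's own certificate files, and reverse-proxies to `http://shibboleth-docker:8080/` in plaintext; this presumably is a leftover from a combined IdP/SP setup, and if it stays it needs its own certificate plus `ProxyPreserveHost On` and `RequestHeader set X-Forwarded-Proto "https"` so the backend sees the external scheme.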
diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh
new file mode 100644
index 0000000..30714c4
--- /dev/null
+++ b/apache-sp/entrypoint.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Setup ssl keys
+KEYDIR=/etc/ssl
+export KEYDIR
+if [ ! -f "$KEYDIR/private/shibsp.key" -o ! -f "$KEYDIR/certs/shibsp.crt" ]; then
+ shib-keygen -o /tmp -h $SP_HOSTNAME #2>/dev/null
+ mv /tmp/sp-key.pem "$KEYDIR/private/shibsp.key"
+ mv /tmp/sp-cert.pem "$KEYDIR/certs/shibsp.crt"
+fi
+
+if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTNAME}.crt" ]; then
+ make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/private/ssl-cert-snakeoil.key "$KEYDIR/private/${SP_HOSTNAME}.key"
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem "$KEYDIR/certs/${SP_HOSTNAME}.crt"
+fi
+
+
+# Setup shibd
+sed -i -e "s/__SP_HOSTNAME__/$SP_HOSTNAME/g" -e "s%__KEYDIR__%$KEYDIR%g" /etc/shibboleth/shibboleth2.xml
+
+adduser -- _shibd ssl-cert
+mkdir -p /var/log/shibboleth
+mkdir -p /var/log/apache2 /var/lock/apache2
+
+
+# Setup apache
+
+sed -i -e "s/__SP_HOSTNAME__/$SP_HOSTNAME/g" -e "s%__KEYDIR__%$KEYDIR%g" /etc/apache2/sites-available/*.conf
+
+a2enmod proxy
+a2enmod proxy_http
+a2ensite sp
+
+service shibd start
+rm -f /var/run/apache2/apache2.pid
+
+curl http://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml
+chown www-data:www-data /var/www/metadata.xml && chmod a+r /var/www/metadata.xml
+
+env APACHE_LOCK_DIR=/var/lock/apache2 APACHE_RUN_DIR=/var/run/apache2 APACHE_PID_FILE=/var/run/apache2/apache2.pid APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data APACHE_LOG_DIR=/var/log/apache2 apache2 -DFOREGROUND
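Review bot: The IdP metadata shibd uses as its trust root is fetched at `curl http://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml` over plaintext HTTP with no `-f`, so a failed fetch writes the error body into metadata.xml and an on-path attacker can substitute the IdP's signing certificate; use `curl -fsS https://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml` and add a Signature MetadataFilter to the MetadataProvider in the shibboleth2.xml hunk so the loaded file is verified regardless of transport. The script also runs without `set -e` and never checks that SP_HOSTNAME is set, so with it empty the two `sed` calls substitute an empty string and `shib-keygen -o /tmp -h $SP_HOSTNAME` receives a bare `-h`; add `set -eu` and `: "${SP_HOSTNAME:?SP_HOSTNAME must be set}"` after the shebang and quote the expansion. `service shibd start` runs before the metadata file exists, so the first load of the XML provider presumably fails until the reload interval elapses; moving the start after the fetch avoids that window. `adduser -- _shibd ssl-cert` also grants shibd read access to every key under /etc/ssl/private, including Apache's TLS key, which is worth a comment if it is intentional.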
diff --git a/apache-sp/secure/index.haml b/apache-sp/secure/index.haml
new file mode 100644
index 0000000..856d379
--- /dev/null
+++ b/apache-sp/secure/index.haml
@@ -0,0 +1,10 @@
+!!!
+%html
+ %head
+ %title Secure site!!!!1
+ %body
+ .wrapper
+ %h1 Enviornment
+ %pre
+ <!--#printenv -->
+
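Review bot: Nothing in this commit consumes index.haml — the Dockerfile copies `secure/` verbatim and sp.conf only registers `.shtml` as an SSI type — so the file presumably ends up served as a raw, unprocessed file under `/secure` if requested directly; either drop it or keep it out of the image. `%h1 Enviornment` misspells `Environment`, here and in index.shtml.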
diff --git a/apache-sp/secure/index.shtml b/apache-sp/secure/index.shtml
new file mode 100644
index 0000000..4ead79a
--- /dev/null
+++ b/apache-sp/secure/index.shtml
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Secure site!!!!1</title>
+ </head>
+ <body>
+ <div class='wrapper'>
+ <h1>Enviornment</h1>
+ <pre><!--#printenv --></pre>
+ </div>
+ </body>
+</html>
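Review bot: `<pre><!--#printenv --></pre>` dumps the entire SSI environment of the request — every Shibboleth attribute (eppn, mail, affiliation and the rest referenced in sp.conf) plus server paths and version strings — to anyone holding a session, and `require valid-user` admits any user the IdP asserts; that is fine for a demo SP but deserves a comment stating it, e.g. `<!-- demo page: prints every request and session variable -->`. Once the setup is verified, `<!--#echo var="eppn" -->` for the specific attributes of interest is the narrower form.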
diff --git a/apache-sp/shibd/shibboleth2.xml b/apache-sp/shibd/shibboleth2.xml
new file mode 100644
index 0000000..2bc8b7a
--- /dev/null
+++ b/apache-sp/shibd/shibboleth2.xml
@@ -0,0 +1,38 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ clockSkew="180">
+ <ApplicationDefaults entityID="https://__SP_HOSTNAME__/shibboleth"
+ REMOTE_USER="eppn persistent-id targeted-id">
+ <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+ checkAddress="false" handlerSSL="true" cookieProps="https">
+ <Logout>SAML2 Local</Logout>
+ <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+ <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+ <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+ <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+ <md:AssertionConsumerService Location="/SAML2/POST"
+ index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ conf:ignoreNoPassive="true" />
+ <!-- <SessionInitiator type="Chaining" Location="/Login/https" id="sidp.norud.dev" relayState="cookie" entityID="https://idp.nordu.dev/idp/shibboleth"> -->
+ <!-- <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/> -->
+ <!-- </SessionInitiator> -->
+ <SessionInitiator type="Chaining" Location="/Login/http" id="idp.norud.dev" relayState="cookie" entityID="https://idp.nordu.dev/idp/shibboleth">
+ <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
+ </SessionInitiator>
+ </Sessions>
+ <Errors supportContact="test@example.com"
+ helpLocation="/about" />
+ <MetadataProvider type="XML" uri="file:///var/www/metadata.xml" backingFilePalth="metadata.xml" reloadInterval="300"></MetadataProvider>
+ <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+ <AttributeResolver type="Query" subjectMatch="true"/>
+ <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+ <CredentialResolver type="File" key="__KEYDIR__/private/shibsp.key" certificate="__KEYDIR__/certs/shibsp.crt"/>
+ </ApplicationDefaults>
+ <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+ <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+</SPConfig>
+
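Review bot: `backingFilePalth="metadata.xml"` on the MetadataProvider is a typo for `backingFilePath`, so the attribute is silently ignored; since the provider reads a local `file:///var/www/metadata.xml` URI a backing file is not needed anyway and the attribute can simply be dropped. The SessionInitiator's `id="idp.norud.dev"` looks like a misspelling of `idp.nordu.dev`; it is only an identifier, but matching it to the `entityID` avoids confusion when reading logs. `supportContact="test@example.com"` is a placeholder that ends up on user-facing error pages and should be parameterised like `__SP_HOSTNAME__` or set to a real contact.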