federez/nix
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

profiles/wayf: init work (wip)

Browse source 
This is a very early version of the deployment, it doesn't work due to… PHP versions issues?

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
This commit is contained in:
Ryan Lahfa 2024-02-14 04:17:49 +01:00
parent c9fe2f098b
commit 4a043d6fb5
5 changed files with 423 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
hive.nix
View file

@ -85,7 +85,7 @@ in
};
lagon = { name, nodes, ... }: {
deployment.tags = [ "keycloak" ];
deployment.tags = [ "keycloak" "wayf" ];
deployment.targetHost = "lagon.federez.net";
networking.hostName = name;
federez.monitoring.apiKey = "f85dcb12-970c-4ea1-99b4-01e2fc26bc6c";
@ -97,7 +97,7 @@ in
imports = [
./profiles/vm.nix
./profiles/keycloak.nix
./profiles/wayf.nix
];
};

12
npins/sources.json
View file

@ -24,6 +24,18 @@
"url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz",
"hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy"
},
"nix-phps": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "fossar",
"repo": "nix-phps"
},
"branch": "master",
"revision": "509bc62c91ecf1767b0e0142373d069308cf86c5",
"url": "https://github.com/fossar/nix-phps/archive/509bc62c91ecf1767b0e0142373d069308cf86c5.tar.gz",
"hash": "0s548v1vylqdw8a5vlzz12gxjklcyqzckvbma2a3z539sfg4iils"
},
"nixpkgs": {
"type": "Channel",
"name": "nixos-unstable-small",

6
pkgs/switchwayf.nix
View file

@ -15,6 +15,12 @@ stdenv.mkDerivation rec {
hash = "sha256-SqJzkV7dJXPUrY/9pz54VYxd8eAv+aFDik9F3N4WBIg=";
};
installPhase = ''
mkdir -p $out/
cp -r www $out/
ln -s $out/www/WAYF $out/www/WAYF.php
'';
meta = with lib; {
description = "SAML Identity Provider Discovery Service implementation developed by SWITCH";
homepage = "https://gitlab.switch.ch/aai/SWITCHwayf";

324
profiles/switch-config.php Normal file
View file

@ -0,0 +1,324 @@
<?php // Copyright (c) 2019, SWITCH
//******************************************************************************
// This file contains the configuration of SWITCHwayf, a light-weight
// implementation of a SAML Discovery Service. Adapt the settings to reflect
// your environment and then do some testing before going into production.
// Unless specifically set, default values will be used for all options.
//******************************************************************************
// 1. Language Settings
//*********************
// Language that is used by default if the language of the user's web browser
// is not available in languages.php or custom-languages.php.
// If string in local language is not available, english ('en') will be used
// as last resort.
//$defaultLanguage = 'en';
// 2. Cookie Settings
//*******************
// Domain within the WAYF cookie should be readable. Must start with a .
//$commonDomain = '.example.org';
// Optionnal cookie name prefix in case you run several
// instances of the WAYF in the same domain.
// Example: $cookieNamePrefix = '_mywayf';
//$cookieNamePrefix = '';
// Names of the cookies where to store the settings to temporarily
// redirect users transparently to their last selected IdP
//$redirectCookieName = $cookieNamePrefix.'_redirect_user_idp';
// Stores last selected IdPs
// This value shouldn't be changed because _saml_idp is the officilly
// defined name in the SAML specification
//$SAMLDomainCookieName = $cookieNamePrefix.'_saml_idp';
// Stores last selected SP
// This value can be choosen as you like because it is something specific
// to this WAYF implementation. It can be used to display help/contact
// information on a page in the same domain as $commonDomain by accessing
// the federation metadata and parsing out the contact information of the
// selected IdP and SP using $SAMLDomainCookieName and $SPCookieName
//$SPCookieName = $cookieNamePrefix.'_saml_sp';
// If enabled cookies are set/transmitted only via https connections
// and the http only option is set to prevent javascripts from reading the
// cookies
//$cookieSecurity = false;
// Number of days longterm cookies should be valid
//$cookieValidity = 100;
// 3. Features and Extensions
//***************************
// Whether to show the checkbox to permanently remember a setting
//$showPermanentSetting = false;
// Whether or not to use the search-as-you-type feature of the drop down list
// Enabling this will use JavaScript to convert the select element containing
// all Identity Providers to a searchable search-as-you-type list that also
// displays logos if available
// Please note that select2 activation superseeds improveDropDown activation
//$useImprovedDropDownList = true;
// If true the improved drop-down-list will not display logos that
// have to be loaded from remote URLs. That way the web browser
// does not have to make requests to third party hosts.
// Logos that are embedded using data URIs
// (src="data:image/png;base64...") will however still be displayed
//$disableRemoteLogos = false;
// Whether or not use Select2 drop down
// Attention: setting this to true, overrides $useImprovedDropDownList param
//$useSelect2 = true;
// Config to change the number of IdP fetched when using Select2 dropdown
//$select2PageSize = 100;
// For Select2 to work in embedded WAYF, CORS must be enabled.
// This settings allows to limit origins
// default: *
//$allowedCORSDomain = "*";
// Number of previously used Identity Providers to show at top of drop-down list
// Default is 3, set to 0 to disable
//$showNumOfPreviouslyUsedIdPs = 3;
// Set to true in order to enable reading the Identity Providers and Service
// Providers from a SAML2 metadata file defined below in $metadataFile
// The parsed data will be available in $metadataIDPFile and $metadataSPFile
//$useSAML2Metadata = false;
// If true parsed metadata should have precedence if there are entries defined
// in metadata as well as the local IDProviders configuration file.
// Requires $useSAML2Metadata to be true
//$SAML2MetaOverLocalConf = false;
// If includeLocalConfEntries parameter is set to true, Identity Providers
// not listed in metadata but defined in the local IDProviders file will also
// be displayed in the drop down list. This is required if you need to add
// local exceptions over the federation metadata
// Requires $useSAML2Metadata to be true
//$includeLocalConfEntries = true;
// Whether the return parameter is checked against SAML2 metadata or not
// The Discovery Service specification says the DS SHOULD check this in order
// to mitigate phising problems.
// The return parameter will only be checked if the Service Provider's metadata
// contains an <idpdisc:DiscoveryResponse> or if the assertion consumer url
// check below is enabled
// Requires $useSAML2Metadata to be true
//$enableDSReturnParamCheck = true;
// If true, the return parameter is checked for Service Providers that
// don't have and <idpdisc:DiscoveryResponse> extension set. Instead of this
// extension, the hostnames of the assertion consumer URLs are used to check
// the return parameter against.
// This feature is useful in case the Service Provider's metadata doesn't contain
// a <idpdisc:DiscoveryResponse> extension. It increases security for Service
// Provider's that don't have an <idpdisc:DiscoveryResponse> extensions.
// Requires $useSAML2Metadata and $enableDSReturnParamCheck to be true
//$useACURLsForReturnParamCheck = false;
// Whether to turn on Kerberos support for Identity Provider preselection
//$useKerberos = false;
// A Kerboros-protected page that redirects back to the WAYF script
//$kerberosRedirectURL = '/myFederation/kerberosRedirect.php';
// If enabled, the user's IP is used for a reverse DNS lookup whose resulting
// domain name then is matched with the URN values of the Identity Providers
//$useReverseDNSLookup = false;
// Whether the JavaScript required for embedding the WAYF
// on a remote site should be generated or not
// Lowers security against phising!
// If this value is set to true, any web page in the world can
// (with some efforts) find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$useEmbeddedWAYF = false;
// If enabled the Embedded WAYF will prevent releasing information
// about the user's preselected Identity Provider
// While this is benefical to the data protection of the user, it will also
// prevent preselecting the user's Identity Provider. Thus, users will have
// to preselect their IdP each and every time
// Requires $useEmbeddedWAYF to be true
//$useEmbeddedWAYFPrivacyProtection = false;
// If enabled, the referer hostname of the request must match an assertion
// consumer URL or a discovery URL of a Service Provider in $metadataSPFile
// in order to let the Embedded WAYF preselect an Identity Provider.
// Therefore, this option is a good compromise between data protection and
// userfriendlyness.
// Requires $useSAML2Metadata to be true and $useEmbeddedWAYFPrivacyProtection
// to be false
//$useEmbeddedWAYFRefererForPrivacyProtection = false;
// If enabled (default) Identity Providers that are in the
// "Hide From Discovery" entity category (see
// https://refeds.org/category/hide-from-discovery/) will not
// be parsed when SAML2 metadata is processed. The effect will
// be that these IdPs are not shown in the organisation drop
// down list. IdPs in this entity category, however, still can
// be manually added using the Embedded WAYF.
//$supportHideFromDiscoveryEntityCategory = true;
// Only process IDPs with a particular entity category. All
// others are ignored and not taken into account.
// Multiple entity category identifiers can be provided
// space separated. If the IdP is in none of them,
// the IdP is ignored.
//$filterEntityCategory = 'http://example.com/category/example-member';
// Whether or not to add the entityID of the preselected IdP to the
// exported JSON/Text/PHP Code
// Lowers security against phising!
// If this value is set to true, any web page
// in the world can easily find out with a high probability from which
// organization a user is from. This could be misused for phishing attacks.
// Therefore, only enable this feature if you know what you are doing!
//$exportPreselectedIdP = false;
// Whether to enable logging of WAYF/DS requests
// If turned on make sure to also configure $WAYFLogFile
//$useLogging = true;
// Where to log the access requests
// This log is only an audit log for access requests.
// Errors (e.g. when parsing SAML metadata) go to the syslog.
// Make sure the web server user has write access to this file!
//$WAYFLogFile = '/var/log/apache2/wayf.log';
// if set, errors intended for end users will trigger a redirection to a
// dedicated service instead of being displayed locally, as possible with
// Shibboleth SP:
// https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334361/Errors#Errors-Redirection
// the following variables are available, and will be substituded in the URL:
// - $time: current date and time
// - $type: the error message localization code
// - $message: the localized error message
// - $url: the URL associated with the request
// - $entityID: name of service provider, if known
// - $contactName: name of first technical contact for service provider, if known
// - $contactEmail: email of first technical contact for service provider, if known
//$errorRedirectURL = 'https://error.example.com?now=$time&errorType=$type&errorText=$message&entityID=$entityID';
// 4. Files and path Settings
//***************************
// all relatives paths are resolved relatively to configuration directory
// Set both config files to the same value if you don't want to use the
// the WAYF to read a (potential) automatically generated file that undergoes
// some plausability checks before being used
//$IDPConfigFile = 'IDProvider.conf.php';
//$backupIDPConfigFile = 'IDProvider.conf.php';
// Use $metadataFile as source federation's metadata.
//$metadataFile = '/etc/shibboleth/metadata.myFederation.xml';
// File to store the parsed IdP list
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
//$metadataIDPFile = 'IDProvider.metadata.php';
// File to store the parsed SP list.
// Will be updated automatically if the metadataFile modification time
// is more recent than this file's
// The user running the script must have permission to create $metadataIdpFile
//$metadataSPFile = 'SProvider.metadata.php';
// File to use as the lock file for writing the parsed IdP and SP lists.
// The user running the script must have permission to write $metadataLockFile
//$metadataLockFile = '/tmp/wayf_metadata.lock';
// Use an absolute URL in case you want to use the embedded WAYF
// The default assumes that this is in the same directory like
// the WAYF script.
//$imageURL = 'https://ds.example.org/SWITCHwayf/images';
// Absolute URL to point to css directory
// The default assumes that this is in the same directory like
// the WAYF script.
//$cssURL = 'https://ds.example.org/SWITCHwayf/css';
// Absolute URL to point to javascript directory
// The default assumes that this is in the same directory like
// the WAYF script.
//$javascriptURL = 'https://ds.example.org/SWITCHwayf/js';
// Abolute URL to point to APIs
//$apiURL = 'https://ds.example.org/SWITCHwayf/api.php';
// 5. Appearance Settings
//**************************
// Identifier for this particular instance of the SWITCHwayf
// This is mainly used for logging to syslog and in particular
// useful in case multiple instances of the SWITCHwayf are
// operated on the same host
//$instanceIdentifier = 'SWITCHwayf';
// URL to send user to when clicking on federation logo
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$federationURL = 'http://www.example.org/myFed/';
// Absolute URL to the federation logo that should be displayed in the Embedded WAYF
// Set to an empty string to hide the logo
//$logoURL = 'http://ds.example.org/SWITCHwayf/images/federation-logo.png';
// Absolute URL to the small federation logo that should be displayed in the
// embedded WAYF. Make sure the dimensions (in particular the height of the logo)
// is small, ideally not larger than 120x30 pixel
//$smallLogoURL = 'http://ds.example.org/SWITCHwayf/images/small-federation-logo.png';
// Support contact email address
//$supportContactEmail = 'helpdesk@example.org';
// Absolute URL to the logo of the organization operating this Discovery Service
// Set to an empty string to hide the logo
//$organizationLogoURL = 'https://ds.example.org/SWITCHwayf/images/organization-logo.png';
// Absolute URL to the organization's web page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
//$organizationURL = 'http://www.example.org/';
// Absolute URL to an FAQ page
// This entries local string is 'faq' in languages.php
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$faqURL = 'http://www.example.org/%s/myFed/faq/';
// Absolute URL to a help/support page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$helpURL = 'http://www.example.org/%s/myFed/help/';
// Absolute URL to a privacy policy page
// Insert %s as macro to be substituted by the language (e.g. 'en', 'de', 'fr', ...) the WAYF uses
// Set to an empty string to hide the logo
//$privacyURL = 'http://www.example.org/%s/myFed/privacy/';
// Additional strings form custom templates
//$customStrings = array(
// 'federationName' = 'myFederation'
//);
// Development mode settings
//**************************
// If the development mode is activated, PHP errors and warnings will be displayed
// on pages the SWITCHwayf generates
//$developmentMode = true;

79
profiles/wayf.nix Normal file
View file

@ -0,0 +1,79 @@
{ config, pkgs, ... }:
let
sources = import ../npins;
phps = import sources.nix-phps;
in
{
nixpkgs.overlays = [
(self: super: {
switchwayf = super.callPackage ../pkgs/switchwayf.nix { };
})
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts."sso.federez.net" = {
enableACME = true;
forceSSL = true;
root = "${pkgs.switchwayf}/www/";
locations."~ \\.php" = {
root = "${pkgs.switchwayf}/www/";
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index WAYF.php;
fastcgi_pass unix:${config.services.phpfpm.pools.switchwayf.socket};
include ${config.services.nginx.package}/conf/fastcgi.conf;
include ${config.services.nginx.package}/conf/fastcgi_params;
'';
};
# locations."~ /wayf/\\.php".extraConfig = ''
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:${config.services.phpfpm.pools.switchwayf.socket};
# include ${config.services.nginx.package}/conf/fastcgi.conf;
# include ${config.services.nginx.package}/conf/fastcgi_params;
# '';
};
};
users.users.switchwayf = {
isSystemUser = true;
group = "nginx";
};
users.groups.nginx = {};
services.phpfpm.pools.switchwayf = {
user = "switchwayf";
group = "nginx";
settings = {
pm = "dynamic";
"listen.owner" = "nginx";
"pm.max_children" = 10;
"pm.start_servers" = 1;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 1;
};
# XXX(raitobezarius): I don't allow anyone to go in real production with this.
phpPackage = phps.packages.${builtins.currentSystem}.php74;
phpEnv = {
backupIDPConfigFile = "/var/lib/switchwayf/IDProvider.conf.php";
metadataIDPFile = "/var/lib/switchwayf/IDProvider.metadata.conf.php";
metadataSPFile = "/var/lib/switchwayf/SProvider.metadata.conf.php";
WAYFLogFile = "/var/log/switchwayf/wayf.log";
#SWITCHWAYF_CONFIG = pkgs.writeText "switch_config.php"
# (builtins.readFile ./switch-config.php);
};
};
}