Commit a109803c authored by David Schmitz's avatar David Schmitz

added inst/apache_shib_inst for edugain testing

parent 889a0381
Showing
with 1962 additions and 0 deletions
apache_shib0
apache_shib0.tar.gz
#!/bin/bash
#!/bin/sh
export LC_ALL="C"
#apt-get -y install apache2
#apt-get -y install libapache2-mod-shib2
#apt-get -y install perl libcgi-pm-perl
[ -z "$NOAPT" ] && apt-get -y install apache2 libapache2-mod-shib2 perl libcgi-pm-perl
[ -z "$NOMOD" ] && a2enmod proxy
[ -z "$NOMOD" ] && a2enmod proxy_http
[ -z "$NOMOD" ] && a2enmod cgi
#
basedir="/srv/flowspy"
basedir2="$basedir/inst/apache_shib"
#cd /srv/flowspy/ || exit 3
cd "$basedir" || exit 3
#cp -uva shibboleth_inst/inst/etc/apache2/ shibboleth_inst/inst/etc/shibboleth/ /etc/
echo 1>&2
#cp -uva shibboleth_inst/inst/etc/apache2/ /etc/
#cd ./shibboleth_inst/inst/etc/apache2/ && cp -uva --parents -t /etc/apache2/ .
#cd "$basedir/shibboleth_inst/inst/etc/apache2/" && cp -uva --parents -t /etc/apache2/ $(cat "$basedir/shibboleth_inst/etc-apache-diff.list.filtered2")
(cd "$basedir2/files.inst/etc/apache2/" && cp -fva --parents -t /etc/apache2/ $(cat "$basedir2/files.inst/etc-apache-diff.list.filtered2"))
echo 1>&2
#cp -uva shibboleth_inst/inst/etc/shibboleth/ /etc/
(cd "$basedir2/files.inst/etc/shibboleth/" && cp -fva --parents -t /etc/shibboleth/ $(cat "$basedir2/files.inst/etc-shibboleth-diff.list.filtered2"))
##
echo 1>&2
#cp shibboleth_inst/inst/srv/flowspy/flowspy/settings.py flowspy/settings.py
cp -fv "$basedir2/files.inst/srv/flowspy/flowspy/settings.py" flowspy/settings.py
echo 1>&2
(cd /etc/shibboleth/ && ./keygen.sh)
echo 1>&2
# -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/"
(cd /etc/apache2/ && openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt)
##
echo 1>&2
hostname test-fod.geant.net
##
/etc/init.d/shibd restart
/etc/init.d/apache2 restart
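Review bot: The two `cp -fva --parents` copies on lines 36 and 39 expand `$(cat …filtered2)` unquoted, so any listed path containing whitespace or glob characters is split or expanded before it reaches cp, and because the script never enables `set -e`, a failed `cd` or a partial copy into /etc/apache2 or /etc/shibboleth is silently followed by the `shibd` and `apache2` restarts on lines 53-54. Add `set -eu` after the `export LC_ALL="C"` line and read each list into an array, e.g. `mapfile -t files < "$basedir2/files.inst/etc-apache-diff.list.filtered2"` followed by `cp -fva --parents -t /etc/apache2/ -- "${files[@]}"`, so every entry is passed as exactly one argument. The second `#!/bin/sh` on line 17 is dead text under the bash shebang and should be dropped. The self-signed certificate, the `hostname test-fod.geant.net` call and the `/srv/flowspy` paths are hard-coded to one lab host; a short header comment stating that this is a throwaway test setup would help the next reader.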
cgi-bin-test/test.cgi
sites-enabled/000-default.conf
sites-enabled/100-default-https.conf
apache2.conf
sites-available/000-default.conf
keygen.sh
login-terena-org.xml
metagen.sh
attribute-map.xml
attribute-policy.xml
shibboleth2.xml
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
#<IfModule mod_alias.c>
# <Location /shibboleth-sp>
# #Satisfy Any
# #Allow from all
# AllowOverride None
# Require all granted
# </Location>
# Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
#</IfModule>
#
##
## Configure the module for content.
##
## You MUST enable AuthType shibboleth for the module to process
## any requests, and there MUST be a require command as well. To
## enable Shibboleth but not specify any session/access requirements
## use "require shibboleth".
##
#<Location /secure>
# AuthType shibboleth
# #ShibCompatWith24 On
# ShibRequestSetting requireSession 1
# require shib-session
#</Location>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#!/usr/bin/perl
use CGI;
print CGI->header;
print "<pre>\n";
for (sort keys %ENV) {
print "$_ = ", $ENV{$_}, "\n";
}
print "</pre>\n";
exit 0;
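Review bot: The loop on line 287 writes every environment value into a `text/html` response without escaping, and with `ShibUseHeaders on` in the vhosts those values include IdP-supplied attribute headers, so the page reflects federation data verbatim into HTML. Either serve it as plain text, `print CGI->header(-type => 'text/plain');`, or escape each value, `print "$_ = ", CGI::escapeHTML($ENV{$_}), "\n";`. `use strict; use warnings;` is also missing. Since the script dumps the whole process environment, keep it restricted to the shib-session-protected `/cgi-bin-test` location as the https vhost does, and remove it once attribute testing is finished.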
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# ServerName test-fod-lab.geant.net
# APACHE_SHIB__SERVERNAME
ServerName test-fod.geant.net
Alias /shibboleth-sp "usr/share/shibboleth"
<IfModule mod_alias.c>
<Location /shibboleth-sp>
#Satisfy Any
#Allow from all
AllowOverride None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
##
<Location /secure>
AuthType shibboleth
#ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
<Location "/Shibboleth.sso">
#Order allow,deny
#Allow from all
AllowOverride None
Require all granted
SetHandler shib
</Location>
<Location "/login">
Require shib-session
#Order allow,deny
#Allow from all
AllowOverride None
Require all granted
AuthType shibboleth
ShibUseHeaders on
ShibRequestSetting requireSession 1
#ShibCompatWith24 on
</Location>
Alias /static "/srv/flowspy/static"
#<Location /srv/flowspy/static>
# AllowOverride None
# Require all granted
#</Location>
<Location /static>
AllowOverride None
Require all granted
</Location>
## Proxy rules
ProxyRequests Off
ProxyPass /static !
<Location /static>
ProxyPassReverse !
</Location>
ProxyPass /shibboleth !
<Location /shibboleth>
ProxyPassReverse !
</Location>
ProxyPass /Shibboleth.sso !
<Location /Shibboleth.sso>
ProxyPassReverse !
</Location>
ProxyPass "/" "http://localhost:8000/" retry=0
<Location />
ProxyPassReverse http://localhost:8000/
</Location>
# ## Header rules
# ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# RequestHeader set X-Forwarded-Proto 'https'
# RequestHeader set X_FORWARDED_PROTO 'https'
# Header always set X-Forw-Proto 'https'
# SetEnv HTTPS 1
# SetEnv X_FORWARDED_PROTO 'https'
# ## Custom fragment
# ProxyErrorOverride off
# ProxyTimeout 28800
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
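Review bot: `Alias /shibboleth-sp "usr/share/shibboleth"` on line 318 lacks the leading slash, so the alias resolves relative to ServerRoot rather than to `/usr/share/shibboleth`; line 438 of `100-default-https.conf` has the same typo and both should read `Alias /shibboleth-sp "/usr/share/shibboleth"`. In `<Location "/login">` (lines 349-359) the `Require all granted` on line 354 is OR-ed with `Require shib-session` by Apache 2.4's default RequireAny, so the authorization check no longer depends on the session (only `ShibRequestSetting requireSession 1` still forces one); the https vhost comments that line out on line 474 and this one should match it. This port-80 vhost also runs `AuthType shibboleth` and proxies to the backend with the session cookie and attribute headers travelling in clear, so a `Redirect permanent / https://test-fod.geant.net/` here, together with the commented-out HSTS header in the https vhost, would keep all authenticated traffic on 443.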
../sites-available/000-default.conf
\ No newline at end of file
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# ServerName test-fod-lab.geant.net
ServerName test-fod.geant.net
Alias /cgi-bin-test /etc/apache2/cgi-bin-test
<Location /cgi-bin-test>
Require shib-session
AuthType shibboleth
ShibUseHeaders on
ShibRequestSetting requireSession 1
#ShibCompatWith24 on
Options +ExecCGI
AddHandler cgi-script cgi pl
</Location>
Alias /shibboleth-sp "usr/share/shibboleth"
#<IfModule mod_alias.c>
<Location /shibboleth-sp>
#Satisfy Any
#Allow from all
AllowOverride None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
#</IfModule>
#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
##
<Location /secure>
AuthType shibboleth
#ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
<Location "/Shibboleth.sso">
#Order allow,deny
#Allow from all
AllowOverride None
Require all granted
SetHandler shib
</Location>
<Location "/login">
Require shib-session
#Order allow,deny
#Allow from all
#AllowOverride None
#Require all granted
AuthType shibboleth
ShibUseHeaders on
ShibRequestSetting requireSession 1
#ShibCompatWith24 on
</Location>
Alias /static "/srv/flowspy/static"
#<Location /srv/flowspy/static>
# AllowOverride None
# Require all granted
#</Location>
<Location /static>
AllowOverride None
Require all granted
</Location>
## Proxy rules
ProxyRequests Off
ProxyPass /static !
<Location /static>
ProxyPassReverse !
</Location>
ProxyPass /shibboleth !
<Location /shibboleth>
ProxyPassReverse !
</Location>
ProxyPass /Shibboleth.sso !
<Location /Shibboleth.sso>
ProxyPassReverse !
</Location>
ProxyPass /shibboleth-sp !
<Location /shibboleth-sp>
ProxyPassReverse !
</Location>
ProxyPass /cgi-bin-test !
<Location /cgi-bin-test>
ProxyPassReverse !
</Location>
ProxyPass "/" "http://localhost:8000/" retry=0
<Location />
ProxyPassReverse http://localhost:8000/
</Location>
# ## Header rules
# ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
# Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# RequestHeader set X-Forwarded-Proto 'https'
# RequestHeader set X_FORWARDED_PROTO 'https'
# Header always set X-Forw-Proto 'https'
# SetEnv HTTPS 1
# SetEnv X_FORWARDED_PROTO 'https'
# ## Custom fragment
# ProxyErrorOverride off
# ProxyTimeout 28800
####
SSLEngine on
SSLCertificateFile "/etc/apache2/mysitename.crt"
SSLCertificateKeyFile "/etc/apache2/mysitename.key"
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
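Review bot: The `RequestHeader set X-Forwarded-Proto 'https'` on line 518 stays commented out, so the proxied backend on `localhost:8000` (line 511) cannot tell that the request arrived over TLS and will build http:// redirects and absolute URLs; enable it in this vhost, where it is actually true, and `SetEnv HTTPS 1` as well if the backend reads that variable. With `ShibUseHeaders on` (lines 432, 476) the attribute headers forwarded to port 8000 are only trustworthy if that port is reachable solely through this proxy; the backend's bind address is not visible in this commit, so it should be confirmed and noted in a comment next to the ProxyPass. `Alias /shibboleth-sp "usr/share/shibboleth"` on line 438 has the same missing leading slash as line 318 of `000-default.conf`.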
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Core attributes -->
<Attribute name="TAL:federated_user_id" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="uniqueID"/>
<Attribute name="urn:oid:2.5.4.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="organisation"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<!-- First, the deprecated version, decoded as a scoped string: -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<!-- Third, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id"/>
<!-- Surname -->
<Attribute name="urn:mace:dir:attribute-def:sn" id="surname"/>
<Attribute name="urn:oid:2.5.4.4" id="surname"/>
<!-- Given name -->
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<!-- E-mail address -->
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.5" id="homeOrganizationType">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Affiliation -->
<!-- to maintain backwards compatibility in SWITCHaai, the id is
"affiliation" instead of "unscoped-affiliation"
-->
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="affiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation"/>
<!-- Other attributes -->
<!-- User ID -->
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<!-- Employee number -->
<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
<!-- Nick name -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
<!-- Preferred Language -->
<Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<!-- Home postal address -->
<Attribute name="urn:mace:dir:attribute-def:homePostalAddress" id="homePostalAddress"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.39" id="homePostalAddress"/>
<!-- Business postal address -->
<Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
<Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
<!-- Private phone number -->
<Attribute name="urn:mace:dir:attribute-def:homePhone" id="homePhone"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.20" id="homePhone"/>
<!-- Business phone number -->
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<!-- Mobile phone number -->
<Attribute name="urn:mace:dir:attribute-def:mobile" id="mobile"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/>
<!-- Scoped Affiliation -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="scoped-affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="scoped-affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Organization path -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
<!-- Organizational unit path -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
<!-- Primary organizational unit -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
<!-- Entitlement
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"-->
<!-- Other Standardized/International attributes -->
<!-- Organizational unit -->
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<!-- Assurance level -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonAssurance" id="assurance"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
<!-- Member of -->
<Attribute name="urn:mace:dir:attribute-def:isMemberOf" id="isMemberOf"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
<!-- Display Name -->
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="displayName"/>
<!-- Common Name -->
<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="cn"/>
<!-- SCHAC Home Organisation -->
<Attribute name="urn:mace:terena.org:schac:homeOrganization" id="schacHomeOrganization"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
<!-- SCHAC Home Organisation Type -->
<Attribute name="urn:mace:terena.org:schac:homeOrganizationType" id="schacHomeOrganizationType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType"/>
<!-- Principal name -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="principalName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="principalName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
</Attributes>
<afp:AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared rule for affiliation values. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="AttributeValueString" value="faculty"/>
<Rule xsi:type="AttributeValueString" value="student"/>
<Rule xsi:type="AttributeValueString" value="staff"/>
<Rule xsi:type="AttributeValueString" value="alum"/>
<Rule xsi:type="AttributeValueString" value="member"/>
<Rule xsi:type="AttributeValueString" value="affiliate"/>
<Rule xsi:type="AttributeValueString" value="employee"/>
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
</afp:PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
</afp:PermitValueRule>
<afp:AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<afp:PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<afp:AttributeRule attributeID="affiliation">
<afp:PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<afp:AttributeRule attributeID="unscoped-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="primary-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="targeted-id">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively.
<afp:AttributeRule attributeID="persistent-id">
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule -->
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
<afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
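Review bot: The `attributeID="eppn"` rule on line 682 references an id that the `attribute-map.xml` in this commit never produces — eduPersonPrincipalName is mapped to `principalName` on lines 632 and 635 — so `ScopingRules` never runs on it and the catch-all `attributeID="*"` rule on line 693 passes any asserted EPPN through regardless of the IdP's registered scope. Rename the rule to `<afp:AttributeRule attributeID="principalName">` (or map EPPN to `eppn` in the map); `unscoped-affiliation` and `primary-affiliation` on lines 676 and 679 likewise have no matching map entry. Conversely, `affiliation` on line 670 is decoded as a plain string in the map (lines 560-561) yet is AND-ed with `saml:AttributeScopeMatchesShibMDScope`, which may reject every unscoped value — verify against the SP's filter logging before relying on it. `TAL:federated_user_id`/`uniqueID` (map line 535) is also covered only by the catch-all; a comment stating whether that is intended would help.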
#! /bin/sh
while getopts h:u:g:o:e:y:bf c
do
case $c in
u) USER=$OPTARG;;
g) GROUP=$OPTARG;;
o) OUT=$OPTARG;;
b) BATCH=1;;
f) FORCE=1;;
h) FQDN=$OPTARG;;
e) ENTITYID=$OPTARG;;
y) YEARS=$OPTARG;;
\?) echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
exit 1;;
esac
done
if [ -z "$OUT" ] ; then
OUT=.
fi
if [ -n "$FORCE" ] ; then
rm $OUT/sp-key.pem $OUT/sp-cert.pem
fi
if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
if [ -z "$BATCH" ] ; then
echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
echo Use -f option to force recreation of keypair.
exit 2
fi
exit 0
fi
if [ -z "$FQDN" ] ; then
FQDN=`hostname`
fi
if [ -z "$YEARS" ] ; then
YEARS=10
fi
DAYS=`expr $YEARS \* 365`
if [ -z "$ENTITYID" ] ; then
ALTNAME=DNS:$FQDN
else
ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi
SSLCNF=$OUT/sp-cert.cnf
cat >$SSLCNF <<EOF
# OpenSSL configuration file for creating sp-cert.pem
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha1
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF
touch $OUT/sp-key.pem
chmod 600 $OUT/sp-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
else
openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
fi
rm $SSLCNF
if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then
chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem
fi
if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then
chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem
fi
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://login.terena.org/wayf/saml2/idp/metadata.php" ID="pfx97d1a047-79d7-86e6-2f1b-223fbe88e668">
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx97d1a047-79d7-86e6-2f1b-223fbe88e668">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>kHAfWD6N1M47jzCBwrsJCkx85Rc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
oUPgpYX2pSLWGZAdyyYhSRhYIs1VwILf1vm52W7vLY2/QFnD2uFFVv7ve229AmLNYW3jJkj8h9ZDQIlDS/Kw8LT7xifzXSAx9Nun2DvF7uTMIt1HwHL3WeepBuIbsVrQGBC88shNn/b2aW9sutvlm98R7oCpGoS9cczQnHhhun63sCEuMjT7HoL/ZGQjtwwTDnKnuID/PbJNbcN9wTL/dyCNwnCOMMel8Rv4Ybgs3DBnh3ZExEZlfoYk9EMBlPcy59IyZtiHIwdvzRNV2fpoupHzW33N7/vNMFw0DRKiEHTs9menj0uKCcnqGR9Bo/QHorhBI2WNxuGyVY92BJbEvg==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.terena.org/wayf/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.terena.org/wayf/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>TERENA</md:GivenName>
<md:SurName>AAI team</md:SurName>
<md:EmailAddress>aai@terena.org</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
#!/usr/bin/env bash
DECLS=1
SAML1=0
SAML2=0
ARTIFACT=0
DS=0
LOGOUT=0
NAMEIDMGMT=0
SAML10PROT="urn:oasis:names:tc:SAML:1.0:protocol"
SAML11PROT="urn:oasis:names:tc:SAML:1.1:protocol"
SAML20PROT="urn:oasis:names:tc:SAML:2.0:protocol"
SAML20SOAP="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML20REDIRECT="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML20POST="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML20POSTSS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
SAML20ART="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
SAML20PAOS="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SAML1POST="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
SAML1ART="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
while getopts a:c:e:f:h:l:n:o:s:t:u:12ADLNO c
do
case $c in
c) CERTS[${#CERTS[*]}]=$OPTARG;;
e) ENTITYID=$OPTARG;;
f) FORMATS[${#FORMATS[*]}]=$OPTARG;;
h) HOSTS[${#HOSTS[*]}]=$OPTARG;;
l) HOSTLIST=$OPTARG;;
n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;;
o) ORGNAME=$OPTARG;;
a) ADMIN[${#ADMIN[*]}]=$OPTARG;;
s) SUP[${#SUP[*]}]=$OPTARG;;
t) TECH[${#TECH[*]}]=$OPTARG;;
u) URL=$OPTARG;;
1) SAML1=1;;
2) SAML2=1;;
A) ARTIFACT=1;;
D) DS=1;;
L) LOGOUT=1;;
N) NAMEIDMGMT=1;;
O) DECLS=0;;
\?) echo metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
exit 1;;
esac
done
if [ ${#HOSTS[*]} -eq 0 -a ${#NAKEDHOSTS[*]} -eq 0 ] ; then
echo metagen [-12ADLN] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID]
exit 1
fi
if [ ${#CERTS[*]} -eq 0 ] ; then
CERTS[${#CERTS[*]}]=sp-cert.pem
fi
for c in ${CERTS[@]}
do
if [ ! -s $c ] ; then
echo Certificate file $c does not exist!
exit 2
fi
done
if [ -z $ENTITYID ] ; then
if [ ${#HOSTS[*]} -eq 0 ] ; then
ENTITYID=https://${NAKEDHOSTS[0]}/shibboleth
else
ENTITYID=https://${HOSTS[0]}/shibboleth
fi
fi
if [ ! -z $HOSTLIST ] ; then
if [ -s $HOSTLIST ] ; then
while read h
do
HOSTS[${#HOSTS[@]}]=$h
done <$HOSTLIST
else
echo File with list of hostnames $l does not exist!
exit 2
fi
fi
# Establish protocols and bindings.
if [ $SAML1 -eq 0 -a $SAML2 -eq 0 ] ; then
SAML1=1
SAML2=1
fi
if [ $LOGOUT -eq 1 -o $NAMEIDMGMT -eq 1 ] ; then
SAML2=1
SLO[${#SLO[*]}]=$SAML20SOAP
SLO[${#SLO[*]}]=$SAML20REDIRECT
SLO[${#SLO[*]}]=$SAML20POST
SLOLOC[${#SLOLOC[*]}]="SOAP"
SLOLOC[${#SLOLOC[*]}]="Redirect"
SLOLOC[${#SLOLOC[*]}]="POST"
if [ $ARTIFACT -eq 1 ] ; then
SLO[${#SLO[*]}]=$SAML20ART
SLOLOC[${#SLOLOC[*]}]="Artifact"
fi
fi
if [ $SAML1 -eq 1 -a $SAML2 -eq 1 ] ; then
PROTENUM="$SAML20PROT $SAML11PROT"
elif [ $SAML1 -eq 1 ] ; then
PROTENUM="$SAML11PROT"
else
PROTENUM="$SAML20PROT"
fi
if [ $SAML2 -eq 1 ] ; then
ACS[${#ACS[*]}]=$SAML20POST
ACSLOC[${#ACSLOC[*]}]="SAML2/POST"
ACS[${#ACS[*]}]=$SAML20POSTSS
ACSLOC[${#ACSLOC[*]}]="SAML2/POST-SimpleSign"
if [ $ARTIFACT -eq 1 ] ; then
ACS[${#ACS[*]}]=$SAML20ART
ACSLOC[${#ACSLOC[*]}]="SAML2/Artifact"
fi
ACS[${#ACS[*]}]=$SAML20PAOS
ACSLOC[${#ACSLOC[*]}]="SAML2/ECP"
fi
if [ $SAML1 -eq 1 ] ; then
ACS[${#ACS[*]}]=$SAML1POST
ACSLOC[${#ACSLOC[*]}]="SAML/POST"
if [ $ARTIFACT -eq 1 ] ; then
ACS[${#ACS[*]}]=$SAML1ART
ACSLOC[${#ACSLOC[*]}]="SAML/Artifact"
fi
fi
if [ $DECLS -eq 1 ] ; then
DECLS="xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" "
if [ $DS -eq 1 ] ; then
DECLS="${DECLS}xmlns:disco=\"urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol\" "
fi
else
DECLS=""
fi
cat <<EOF
<md:EntityDescriptor ${DECLS}entityID="${ENTITYID}">
<md:SPSSODescriptor protocolSupportEnumeration="${PROTENUM}">
EOF
# Discovery BEGIN
if [ $DS -eq 1 ] ; then
cat << EOF
<md:Extensions>
EOF
count=1
for h in ${HOSTS[@]}
do
cat << EOF
<disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
for h in ${NAKEDHOSTS[@]}
do
cat << EOF
<disco:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://$h/Shibboleth.sso/DS" index="$count"/>
EOF
let "count++"
done
cat << EOF
</md:Extensions>
EOF
fi
# Discovery END
for c in ${CERTS[@]}
do
cat << EOF
<md:KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
EOF
grep -v ^- $c
cat << EOF
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
EOF
done
for f in ${FORMATS[@]}
do
cat << EOF
<md:NameIDFormat>$f</md:NameIDFormat>
EOF
done
# Logout BEGIN
if [ $LOGOUT -eq 1 ] ; then
for h in ${HOSTS[@]}
do
count=0
while [ $count -lt ${#SLO[*]} ]
do
cat <<EOF
<md:SingleLogoutService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
let "count++"
done
done
for h in ${NAKEDHOSTS[@]}
do
count=0
while [ $count -lt ${#SLO[*]} ]
do
cat <<EOF
<md:SingleLogoutService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/SLO/${SLOLOC[$count]}"/>
EOF
let "count++"
done
done
fi
# Logout END
# NameID Mgmt BEGIN
if [ $NAMEIDMGMT -eq 1 ] ; then
for h in ${HOSTS[@]}
do
count=0
while [ $count -lt ${#SLO[*]} ]
do
cat <<EOF
<md:ManageNameIDService Binding="${SLO[$count]}" Location="https://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
let "count++"
done
done
for h in ${NAKEDHOSTS[@]}
do
count=0
while [ $count -lt ${#SLO[*]} ]
do
cat <<EOF
<md:ManageNameIDService Binding="${SLO[$count]}" Location="http://$h/Shibboleth.sso/NIM/${SLOLOC[$count]}"/>
EOF
let "count++"
done
done
fi
# NameID Mgmt END
index=0
for h in ${HOSTS[@]}
do
count=0
while [ $count -lt ${#ACS[*]} ]
do
cat <<EOF
<md:AssertionConsumerService Binding="${ACS[$count]}" Location="https://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
EOF
let "count++"
let "index++"
done
done
for h in ${NAKEDHOSTS[@]}
do
count=0
while [ $count -lt ${#ACS[*]} ]
do
cat <<EOF
<md:AssertionConsumerService Binding="${ACS[$count]}" Location="http://$h/Shibboleth.sso/${ACSLOC[$count]}" index="$((index+1))"/>
EOF
let "count++"
let "index++"
done
done
cat <<EOF
</md:SPSSODescriptor>
EOF
if [ -n "$ORGNAME" ] ; then
if [ -z "$URL" ] ; then
URL=$ENTITYID
fi
cat <<EOF
<md:Organization>
<md:OrganizationName xml:lang="en">$ORGNAME</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">$ORGNAME</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">$URL</md:OrganizationURL>
</md:Organization>
EOF
fi
count=${#ADMIN[*]}
for (( i=0; i<count; i++ ))
do
IFS="/"; declare -a c=(${ADMIN[$i]})
cat <<EOF
<md:ContactPerson contactType="administrative">
<md:GivenName>${c[0]}</md:GivenName>
<md:SurName>${c[1]}</md:SurName>
<md:EmailAddress>${c[2]}</md:EmailAddress>
</md:ContactPerson>
EOF
done
count=${#SUP[*]}
for (( i=0; i<count; i++ ))
do
IFS="/"; declare -a c=(${SUP[$i]})
cat <<EOF
<md:ContactPerson contactType="support">
<md:GivenName>${c[0]}</md:GivenName>
<md:SurName>${c[1]}</md:SurName>
<md:EmailAddress>${c[2]}</md:EmailAddress>
</md:ContactPerson>
EOF
done
count=${#TECH[*]}
for (( i=0; i<count; i++ ))
do
IFS="/"; declare -a c=(${TECH[$i]})
cat <<EOF
<md:ContactPerson contactType="technical">
<md:GivenName>${c[0]}</md:GivenName>
<md:SurName>${c[1]}</md:SurName>
<md:EmailAddress>${c[2]}</md:EmailAddress>
</md:ContactPerson>
EOF
done
cat <<EOF
</md:EntityDescriptor>
EOF
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://test-fod.geant.net/shibboleth"
homeURL="https://test-fod.geant.net/Shibboleth.sso/Session"
REMOTE_USER="uniqueID eppn persistent-id targeted-id"
metadataAttributePrefix="Meta-"
signing="back"
requireTransportAuth="false">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://login.terena.org/wayf/saml2/idp/metadata.php"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->
<MetadataProvider type="XML" file="login-terena-org.xml"/>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
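Review bot: The `<Sessions>` element in this file turns off transport protection for the SP handlers and the session cookie (`handlerSSL="false" cookieProps="http"`), and together with `checkAddress="false"` and `requireTransportAuth="false"` on ApplicationDefaults it removes exactly the safeguards the inline comment above it warns about, even though entityID and homeURL on the same element are https URLs for test-fod.geant.net. Unless plain-HTTP access is a deliberate test-bed choice, the line should read `<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https">` and `requireTransportAuth` should be left at its default; if it is deliberate, a one-line comment above `<Sessions>` stating that this file is for an http-only test host would keep it from being copied into a production SP. The IdP metadata is also loaded via `<MetadataProvider type="XML" file="login-terena-org.xml"/>` without any of the `Signature` / `RequireValidUntil` filters shown in the commented example directly above it, so trust in that IdP rests entirely on the filesystem permissions of the copied file; a comment saying how the file is obtained and verified would help the next maintainer.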
# -*- coding: utf-8 -*- vim:fileencoding=utf-8:
# vim: tabstop=4:shiftwidth=4:softtabstop=4:expandtab
# Django settings for flowspy project.
# Copyright © 2011-2015 Greek Research and Technology Network (GRNET S.A.)
# Copyright © 2011-2014 Leonidas Poulopoulos (@leopoul)
# Copyright © 2014-2015 Stavros Kroustouris (@kroustou)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# _uuid_generate_random was deprecated and removed in newer python
import uuid
uuid._uuid_generate_random = None
try:
from uuid import _uuid_generate_random
except ImportError:
_uuid_generate_random = None
import os
import djcelery
djcelery.setup_loader()
from celery.schedules import crontab
DEBUG = True
TEMPLATE_DEBUG = DEBUG
ADMINS = (
('AdminName', 'admin@example.com'),
)
MANAGERS = ADMINS
here = lambda x: os.path.join(os.path.abspath(os.path.dirname(__file__)), x)
BASE_DIR = os.path.dirname(os.path.dirname(__file__))
# Hosts/domain names that are valid for this site; required if DEBUG is False
ALLOWED_HOSTS = ['*']
SITE_ID = 1
# Place a sequence of random chars here
SECRET_KEY = '@sa@5234#$%345345^@#$%*()123^@12!&!()$JMNDF#$@(@#8FRNJWX_'
# Set up database
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3', # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
'NAME': 'example-data',
'USER': '',
'PASSWORD': '',
'HOST': '', # Set to empty string for localhost.
'PORT': '', # Set to empty string for default.
}
}
# Local time zone for this installation. Choices can be found here:
# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
# although not all choices may be available on all operating systems.
# In a Windows environment this must be set to your system time zone.
#TIME_ZONE = 'Europe/Athens'
TIME_ZONE = 'UTC'
# Language code for this installation. All choices can be found here:
# http://www.i18nguy.com/unicode/language-identifiers.html
LANGUAGE_CODE = 'en'
# Language code for this installation. All choices can be found here:
# http://www.i18nguy.com/unicode/language-identifiers.html
_ = lambda s: s
LANGUAGES = (
('el', _('Greek')),
('en', _('English')),
)
LOCALE_PATHS = (
os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'locale'),
)
# If you set this to False, Django will make some optimizations so as not
# to load the internationalization machinery.
USE_I18N = True
# If you set this to False, Django will not format dates, numbers and
# calendars according to the current locale.
USE_L10N = True
# If you set this to False, Django will not use timezone-aware datetimes.
USE_TZ = True
PROJECT_PATH = os.path.abspath(os.path.dirname(__file__))
STATIC_ROOT = os.path.join(BASE_DIR)
STATICFILES_DIRS = ( os.path.join(BASE_DIR, 'static'), )
STATIC_URL = '/static/'
STATICFILES_FINDERS = (
'django.contrib.staticfiles.finders.FileSystemFinder',
'django.contrib.staticfiles.finders.AppDirectoriesFinder',
)
# Templates
TEMPLATE_DIRS = (
os.path.join(BASE_DIR, 'templates'),
os.path.join('/srv/venv/django/contrib/admin/templates/'),
)
TEMPLATE_LOADERS = (
'django.template.loaders.filesystem.Loader',
'django.template.loaders.app_directories.Loader',
)
TEMPLATE_CONTEXT_PROCESSORS = (
"django.contrib.auth.context_processors.auth",
"django.core.context_processors.debug",
"django.core.context_processors.i18n",
"django.core.context_processors.media",
"django.core.context_processors.static",
"django.contrib.messages.context_processors.messages",
"context.global_vars.settings_vars",
)
MIDDLEWARE_CLASSES = (
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.locale.LocaleMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
)
ROOT_URLCONF = 'flowspy.urls'
WSGI_APPLICATION = 'flowspy.wsgi.application'
AUTHENTICATION_BACKENDS = (
'djangobackends.shibauthBackend.shibauthBackend',
'django.contrib.auth.backends.ModelBackend',
)
INSTALLED_APPS = (
'longerusername',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.flatpages',
'django.contrib.messages',
'django.contrib.staticfiles',
'flowspec',
'poller',
'south',
'django.contrib.admin',
'djcelery',
'peers',
'registration',
'accounts',
'tinymce',
'widget_tweaks',
'rest_framework',
'rest_framework.authtoken',
)
#GRAPHS_API_URL = 'graphs'
GRAPHS_API_URL = 'http://127.0.0.1:8080/api/routes/'
# A sample logging configuration. The only tangible logging
# performed by this configuration is to send an email to
# the site admins on every HTTP 500 error when DEBUG=False.
# See http://docs.djangoproject.com/en/dev/topics/logging for
# more details on how to customize your logging configuration.
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'file': {
'level': 'DEBUG',
'class': 'logging.FileHandler',
'filename': 'debug.log',
},
},
'loggers': {
'django': {
'handlers': ['file'],
'level': 'DEBUG',
'propagate': True,
},
},
}
LOGIN_URL = '/welcome'
# CACHES = {
# 'default': {
# 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
# 'LOCATION': '127.0.0.1:11211',
# }
# }
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
}
}
AUTH_PROFILE_MODULE = 'accounts.UserProfile'
# Netconf Device credentials
# The following variables should contain the address of the device with
# flowspec, the username and password of the appliers account and the netconf
# port.
NETCONF_DEVICE = ""
NETCONF_USER = ""
NETCONF_PASS = ""
NETCONF_PORT = 830
# The filter applied in the device in order to find the flowspec routes
ROUTES_FILTER = "<configuration><routing-options><flow/></routing-options></configuration>"
ROUTE_FILTER = "<configuration><routing-options><flow><route><name>%s</name></route></flow></routing-options></configuration>"
COMMIT_CONFIRMED_TIMEOUT = "120"
# Change the following values only if you know what you are doing!!!
# To integrate FoD with tables (Peer, Networks, Contacts)
# from your CRM platform, set the following values to False and create the views that are
# exact matches of the tables in peers/models.py
PEER_MANAGED_TABLE = True
PEER_RANGE_MANAGED_TABLE = True
PEER_TECHC_MANAGED_TABLE = True
# Actually apply the rules
COMMIT = True
# Flowspy configuration
#EXPIRATION_DAYS_OFFSET = 7
EXPIRATION_DAYS_OFFSET = 30
USE_X_FORWARDED_HOST = True
# Beanstalk configuration (as a broker for celery)
BROKER_HOST = "localhost"
BROKER_PORT = 11300
POLLS_TUBE = 'polls'
BROKER_URL = "beanstalk://localhost:11300//"
BROKER_VHOST = "/"
CELERY_CONCURRENCY = 1
POLL_SESSION_UPDATE = 60.0
CELERYBEAT_SCHEDULE = {
"every-day-sync": {
"task": "flowspec.tasks.check_sync",
"schedule": crontab(minute=01, hour=01),
"args": (),
},
"notify-expired": {
"task": "flowspec.tasks.notify_expired",
"schedule": crontab(minute=01, hour=02),
"args": (),
},
"snmp-stats-poll": {
"task": "flowspec.tasks.poll_snmp_statistics",
"schedule": crontab(minute="*/5"),
"args": (),
},
}
# List of modules to import when celery starts.
CELERY_IMPORTS = ("flowspec.tasks", )
# Notifications
SERVER_EMAIL = "Example FoD Service <noreply@example.com>"
EMAIL_SUBJECT_PREFIX = "[FoD] "
EXPIRATION_NOTIFY_DAYS = 4
# max number of days into the future that is allowed to pick in rule expiration datepicker
MAX_RULE_EXPIRE_DAYS = 30
PREFIX_LENGTH = 29
POLL_SESSION_UPDATE = 60.0
# Shibboleth
#SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
SHIB_AUTH_ENTITLEMENT = ''
SHIB_ADMIN_DOMAIN = 'example.com'
SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
##############################################################################
# Shibboleth attribute map
# general info on these shibboleth attribute definitions:
# *_DISPLAY_NAME and *_ADDINFO should give edugain-global names and definitions and so match definitions in /etc/shibboleth/attribute-map.xml
# as values of the * variables (SHIB_ENTITLEMENT, SHIB_USERNAME, SHIB_MAIL, SHIB_FIRSTNAME, SHIB_LASTNAME) are in principle only host-config-local keys
#
# values of *_DISPLAY* are shown in edugain/login-related error messages for users;
# instead, the values of * variables (e.g. SHIB_ENTITLEMENT, ...) are of no use for users and just confusing!
#
# specifically:
# *_DISPLAY_NAME should be a single string fully identifying the required attribute in an human-readable fashion
# *_DISPLAY_ADDINFO should be a string and should correspondingly contain descriptions for each array element of the value of the * variable
# e.g. for SHIB_ENTITLEMENT = "HTTP_ENTITLEMENT" =>
#
# key in /etc/shibboleth/attribute-map.xml is "entitlement":
# <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
# <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"-->
#SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT'] # value in settings.py.dist
SHIB_ENTITLEMENT = ['HTTP_ENTITLEMENT']
SHIB_ENTITLEMENT_DISPLAY_NAME = "eduPersonEntitlement"
SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7; the value of this attribute also has to include 'urn:mace:example.com:pki:user'"
#SHIB_ENTITLEMENT_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# (";"-separated) part of value of attribute with key SHIB_ENTITLEMENT needed in order to be considered a valid user:
# if SHIB_AUTH_ENTITLEMENT is empty no constraint on SHIB_ENTITLEMENT attribute value is enforced (can even be missing)
#SHIB_AUTH_ENTITLEMENT = 'urn:mace:example.com:pki:user'
SHIB_AUTH_ENTITLEMENT = '' # is also in settings_local.py so override it there
#SHIB_USERNAME = ['HTTP_EPPN'] # in settings.py.dist # originally used for SHIB_USERNAME
#SHIB_USERNAME_DISPLAY_NAME = "eduPersonPrincipalName"
#SHIB_USERNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:eduPersonPrincipalName or urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
#SHIB_USERNAME = ['HTTP_PERSISTENT_ID']
SHIB_USERNAME = ['HTTP_PERSISTENT_ID', 'HTTP_PRINCIPALNAME']
#SHIB_USERNAME = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
SHIB_USERNAME_DISPLAY_NAME = "PERSISTENT_ID"
SHIB_USERNAME_DISPLAY_ADDINFO = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
#SHIB_SLUGIFY_USERNAME = False # value in settings.py.dist
SHIB_SLUGIFY_USERNAME = True
SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
SHIB_MAIL_DISPLAY_NAME = "MAIL"
SHIB_MAIL_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:mail or urn:oid:0.9.2342.19200300.100.1.3 or SHIB_INETORGPERSON_MAIL"
# both optional:
SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME'] # value in settings.py.dist
#SHIB_FIRSTNAME = ['HTTP_GIVENNAME']
SHIB_FIRSTNAME_DISPLAY_NAME = "GIVENNAME"
SHIB_FIRSTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:givenName or urn:oid:2.5.4.42"
SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME'] # value in settings.py.dist
#SHIB_LASTNAME = ['HTTP_SURNAME']
SHIB_LASTNAME_DISPLAY_NAME = "SURNAME"
SHIB_LASTNAME_DISPLAY_ADDINFO = "urn:mace:dir:attribute-def:sn or urn:oid:2.5.4.4"
##############################################################################
# BCC mail addresses
NOTIFY_ADMIN_MAILS = ["admin@example.com"]
# Then actions in the ui (dropdown)
UI_USER_THEN_ACTIONS = ['discard', 'rate-limit']
UI_USER_PROTOCOLS = ['icmp', 'tcp', 'udp']
ACCOUNT_ACTIVATION_DAYS = 7
# Define subnets that should not have any rules applied whatsoever
PROTECTED_SUBNETS = ['10.10.0.0/16']
# Add two whois servers in order to be able to get all the subnets for an AS.
PRIMARY_WHOIS = 'whois.example.com'
ALTERNATE_WHOIS = 'whois.example.net'
TINYMCE_JS_URL = STATIC_URL + 'js/tinymce/tiny_mce.js'
TINYMCE_DEFAULT_CONFIG = {
'extended_valid_elements': 'iframe[src|width|height|name|align]',
'plugins': "table,spellchecker,paste,searchreplace",
'theme': "advanced",
}
import _version
SW_VERSION = _version.VERSION
LOG_FILE_LOCATION = "/var/log/fod"
BRANDING = {
'name': 'Example',
'url': 'https://example.com',
'footer_iframe': 'https://example.com/iframe',
'facebook': '//facebook.com/',
'twitter': '//twitter.com/',
'phone': '800-example-com',
'email': 'helpdesk@example.com',
'logo': 'fodlogo2.png',
'favicon': 'favicon.ico',
}
# Django Rest Framework configuration.
# You should leave this intact.
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
),
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.DjangoModelPermissions',
'rest_framework.permissions.IsAuthenticated'
]
}
# Limit of ports in 'ports' / 'SrcPorts' / 'DstPorts' of a rule:
#PORTRANGE_LIMIT = 100
PORTRANGE_LIMIT = 65535
# Statistics polled via SNMP:
# Default community string
SNMP_COMMUNITY = "abcd"
# list of IP addresses, each IP is a dict with "ip", "port" (optional, default
# is 161), "community" (optional, default is SNMP_COMMUNITY) keys
SNMP_IP = [
{"ip": "192.168.0.1", "port": 1000},
{"ip": "192.168.0.2", "port": 1001, "community": "abcdef"},
{"ip": "192.168.0.3", "port": 1002},
{"ip": "192.168.0.4", "port": 1002}
]
# or simpler way of IP list:
# SNMP_IP = ["10.0.0.1", "10.0.0.2"]
# OID of bytes counter (currently unused)
SNMP_CNTBYTES = "1.3.6.1.4.1.2636.3.5.2.1.5"
# OID of packet counter
SNMP_CNTPACKETS = "1.3.6.1.4.1.2636.3.5.2.1.4"
# get only statistics of specified tables
SNMP_RULESFILTER = ["__flowspec_default_inet__", "__flowspec_IAS_inet__"]
# load new data into cache if it is older that a specified number of seconds
SNMP_POLL_INTERVAL = 8 #seconds
# cache file for data
SNMP_TEMP_FILE = "/tmp/snmp_temp_data"
SNMP_POLL_LOCK = "/var/run/fod/snmppoll.lock"
# Number of historical values to store for a route.
# Polling interval must be set for "snmp-stats-poll" celery task in CELERYBEAT_SCHEDULE.
# By default, it is 5 min interval, so SNMP_MAX_SAMPLECOUNT=12 means we have about
# one hour history.
SNMP_MAX_SAMPLECOUNT = 12
# Age of inactive routes that can be already removed (in seconds)
SNMP_REMOVE_RULES_AFTER = 3600
##############################################################################
##############################################################################
# REST API config (v1.6 only)
DISABLE_RULE_OVERLAP_CHECK = False
ALLOW_DELETE_FULL_FOR_NONADMIN = False
MAIL_NOTIFICATION_TO_ALL_MATCHING_PEERS = True
# statistics calc
STATISTICS_PER_MATCHACTION_ADD_FINAL_ZERO = False # not necessary if STATISTICS_PER_RULE==True
STATISTICS_PER_RULE = True
STATISTICS_PER_RULE__ADD_INITIAL_ZERO = True
#
DISABLE_EMAIL_NOTIFICATION = True
##############################################################################
##############################################################################
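Review bot: `DEBUG = True`, `ALLOWED_HOSTS = ['*']` and the literal `SECRET_KEY` near the top of this settings file are development defaults, but this commit ships the file as the settings.py the installer copies over the live project, so a deployed instance would serve Django debug pages (stack traces and settings dump) for any Host header and sign sessions and CSRF tokens with a key that is public in the repository. These should come from settings_local.py or the environment (the comment on the second `SHIB_AUTH_ENTITLEMENT` already says that file exists), with `DEBUG = False` and `ALLOWED_HOSTS = ['test-fod.geant.net']` as the committed defaults. The same applies to the default `SNMP_COMMUNITY = "abcd"` and the per-device community in `SNMP_IP`, and `SNMP_TEMP_FILE = "/tmp/snmp_temp_data"` is a predictable path in a world-writable directory that another local account could pre-create or symlink; a path under the `/var/run/fod/` directory already used for `SNMP_POLL_LOCK` avoids that. Separately, `SHIB_AUTH_ENTITLEMENT` and `POLL_SESSION_UPDATE = 60.0` are each assigned twice in the file, and the first assignment of each pair is dead and should be dropped.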