Dynamic DB IdP configuration

06e3ff28 · Martin van Es · 117b6b97 · 06e3ff28 · 06e3ff28 · 06e3ff28
Commit 06e3ff28 authored 4 years ago by Martin van Es
--- a/metadata/saml20-idp-hosted.php
+++ b/metadata/saml20-idp-hosted.php
+<?php
+
+/**
+ * SAML 2.0 IdP configuration for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
+ */
+
+function nest($name, $value) {
+  $element = array_pop($name);
+  if ($element) return nest($name, array($element => $value));
+  else return $value;
+}
+
+$config = SimpleSAML\Configuration::getInstance();
+$db_dsn = $config->getString('database.dsn', null);
+$db_user = $config->getString('database.username', null);
+$db_passwd = $config->getString('database.password', null);
+$db = new PDO($db_dsn, $db_user, $db_passwd);
+
+$vserver = $_SERVER['SERVER_NAME'];
+$vparts = explode('.', $vserver);
+$vhost = $vparts[0];
+
+$metadata['__DYNAMIC:1__'] = [
+    /*
+     * The hostname of the server (VHOST) that will use this SAML entity.
+     *
+     * Can be '__DEFAULT__', to use this entry by default.
+     */
+    'host' => '__DEFAULT__',
+
+    'OrganizationName' => $vhost . ' IdP',
+    'OrganizationDisplayName' => $vhost . ' IdP',
+    'OrganizationURL' => 'https:// ' . $vserver . '/',
+
+    'contacts' => [
+        'a' => [
+            'contactType'       => 'technical',
+            'emailAddress'      => 'support@'. $vserver,
+            'givenName'         => 'John',
+            'surName'           => $vhost,
+            'telephoneNumber'   => '+31(0)12345678',
+            'company'           => $vhost . ' Inc.',
+        ],
+    ],
+
+    'UIInfo' => array(
+        'DisplayName' => array(
+            'en' => $vhost . ' IdP'
+        ),
+        'Description' => array(
+            'en' => $vhost . ' IdP description'
+        ),
+    ),
+
+    'RegistrationInfo' => [
+        'authority' => 'urn:mace:' . $vhost,
+        'instant' => '2008-01-17T11:28:03Z',
+        'policies' => [
+            'en' => 'http://' . $vhost . '/policy',
+        ],
+    ],
+
+    // X.509 key and certificate. Relative to the cert directory.
+    'privatekey' => 'server.pem',
+    'certificate' => 'server.crt',
+
+    /*
+     * Authentication source to use. Must be one that is configured in
+     * 'config/authsources.php'.
+     */
+    'auth' => 'example-userpass',
+
+    /* Uncomment the following to use the uri NameFormat on attributes. */
+    /*
+    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+    'authproc' => [
+        // Convert LDAP names to oids.
+        100 => ['class' => 'core:AttributeMap', 'name2oid'],
+    ],
+    */
+];
+
+$query = "select o.name, o.type, c.value  from idps i
+  left join config c on c.idp_id = i.idp_id
+  left join options o on c.option_id = o.option_id
+  where i.host = :host";
+
+
+$stmt = $db->prepare($query);
+$stmt->execute(array(':host' => $vhost));
+$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+$config = array();
+foreach ($result as $row) {
+  $name = explode(':', $row['name']);
+  $value = $row['value'];
+  $config = array_merge_recursive($config, nest($name, $value));
+} 
+
+$metadata['__DYNAMIC:1__'] = array_replace_recursive($metadata['__DYNAMIC:1__'], $config);
+
--- a/metadata/saml20-sp-remote.php
+++ b/metadata/saml20-sp-remote.php
+<?php
+
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+$config = SimpleSAML\Configuration::getInstance();
+$db_dsn = $config->getString('database.dsn', null);
+$db_user = $config->getString('database.username', null);
+$db_passwd = $config->getString('database.password', null);
+$db = new PDO($db_dsn, $db_user, $db_passwd);
+
+$vserver = $_SERVER['SERVER_NAME'];
+$vparts = explode('.', $vserver);
+$vhost = $vparts[0];
+
+$query = "select sp_metadata from idps i where i.host = :host";
+
+$stmt = $db->prepare($query);
+$stmt->execute(array(':host' => $vhost));
+$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+foreach ($result as $row) {
+  $xmldata = $row['sp_metadata'];
+  SimpleSAML\Utils\XML::checkSAMLMessage($xmldata, 'saml-meta');
+  $entities = SimpleSAML\Metadata\SAMLParser::parseDescriptorsString($xmldata);
+  foreach ($entities as &$entity) {
+    $entity = array('saml20-sp-remote' => $entity->getMetadata20SP());
+  }
+} 
+
+if ($entities) {
+  $output = SimpleSAML\Utils\Arrays::transpose($entities);
+  $metadata = $output['saml20-sp-remote'];
+} else {
+  $metadata = array();
+}
+
--- a/testidp.sql
+++ b/testidp.sql
+-- MySQL dump 10.17  Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64)
+--
+-- Host: localhost    Database: testidp
+-- ------------------------------------------------------
+-- Server version	10.3.25-MariaDB-0ubuntu0.20.04.1
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8mb4 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `config`
+--
+
+DROP TABLE IF EXISTS `config`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `config` (
+  `idp_id` int(10) unsigned NOT NULL,
+  `option_id` int(10) unsigned NOT NULL,
+  `value` varchar(100) DEFAULT NULL,
+  KEY `config_FK` (`idp_id`),
+  KEY `config_FK_1` (`option_id`),
+  CONSTRAINT `config_FK` FOREIGN KEY (`idp_id`) REFERENCES `idps` (`idp_id`),
+  CONSTRAINT `config_FK_1` FOREIGN KEY (`option_id`) REFERENCES `options` (`option_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `config`
+--
+
+LOCK TABLES `config` WRITE;
+/*!40000 ALTER TABLE `config` DISABLE KEYS */;
+INSERT INTO `config` VALUES (1,1,'Foobar DB DisplayName'),(1,2,'Foobar DB'),(1,3,'http://foobar.org/url'),(1,5,'technical'),(1,6,'technical@geant.org'),(1,7,'FooDB'),(1,8,'Doe'),(1,9,'+316012345678'),(1,10,'Foobar DB inc.'),(1,11,'Foobar DB mdui'),(1,12,'Foober DB description mdui'),(1,13,'Foobar DB authority'),(1,14,'2008-01-17T11:28:03Z'),(1,15,'http://foobar.org/policy/en');
+/*!40000 ALTER TABLE `config` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `idps`
+--
+
+DROP TABLE IF EXISTS `idps`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `idps` (
+  `idp_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `host` varchar(100) NOT NULL,
+  `comment` varchar(100) DEFAULT NULL,
+  `sp_metadata` text DEFAULT NULL,
+  PRIMARY KEY (`idp_id`)
+) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `idps`
+--
+
+LOCK TABLES `idps` WRITE;
+/*!40000 ALTER TABLE `idps` DISABLE KEYS */;
+INSERT INTO `idps` VALUES (1,'foobar','Test Foobar IdP','<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/metadata.php/default-sp\">\n  <md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol\">\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/saml2-logout.php/default-sp\"/>\n    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/saml2-acs.php/default-sp\" index=\"0\"/>\n    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:1.0:profiles:browser-post\" Location=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/saml1-acs.php/default-sp\" index=\"1\"/>\n    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/saml2-acs.php/default-sp\" index=\"2\"/>\n    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:1.0:profiles:artifact-01\" Location=\"https://foobar.testidp.incubator.geant.org/saml/module.php/saml/sp/saml1-acs.php/default-sp/artifact\" index=\"3\"/>\n  </md:SPSSODescriptor>\n</md:EntityDescriptor>');
+/*!40000 ALTER TABLE `idps` ENABLE KEYS */;
+UNLOCK TABLES;
+
+--
+-- Table structure for table `options`
+--
+
+DROP TABLE IF EXISTS `options`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `options` (
+  `option_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) NOT NULL,
+  `type` varchar(100) NOT NULL,
+  `comment` varchar(100) DEFAULT NULL,
+  PRIMARY KEY (`option_id`)
+) ENGINE=InnoDB AUTO_INCREMENT=16 DEFAULT CHARSET=utf8mb4;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `options`
+--
+
+LOCK TABLES `options` WRITE;
+/*!40000 ALTER TABLE `options` DISABLE KEYS */;
+INSERT INTO `options` VALUES (1,'OrganizationDisplayName','string','Organization Display name'),(2,'OrganizationName','string','Organization Name'),(3,'OrganizationURL','string','Organization URL'),(5,'contacts:a:contactType','string','e.g. technical or support'),(6,'contacts:a:emailAddress','string','email'),(7,'contacts:a:givenName','string','Given name of the contact'),(8,'contacts:a:surName','string','Surname'),(9,'contacts:a:telephoneNumber','string','Phone number'),(10,'contacts:a:company','string','Company name'),(11,'UIInfo:DisplayName:en','string','Display name (UIInfo)'),(12,'UIInfo:Description:en','string','Description (UIInfo)'),(13,'RegistrationInfo:authority','string','Registration authority'),(14,'RegistrationInfo:instant','date','Registraion instant (date format)'),(15,'RegistrationInfo:policies:en','string','Policy URL (en)');
+/*!40000 ALTER TABLE `options` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2021-04-08 12:02:51