Merge branch 'new_docker_image'

Author: John Van de Meulebrouck Brendgard

.travis.yml

@@ -15,11 +15,20 @@ matrix:
 script:
 - tox
 deploy:
-  provider: pypi
-  distributions: sdist bdist_wheel
-  user: Lundberg
-  password:
-    secure: NwkpOakaeJjErjTF4Y5MWeHzMvkxYZqrBFdRkzfenVfkWsomuyy553A691d3lc1+oREsh1fJJLjpZQYxTLUFIHOUmt/9zr02rFfguzj7hEYfWF8wHBXG6YSWv6T3aCA4RTMXvvzv9cHf1zfxh0fS7kgc+NRMAnd01diVLfYpBciLgmQ31J4mlwShp8yBQUoRBIvzSdzrgjr0TzCQZXB9xM6R2t/oJgXLo6Zz8dTzqq3De9nOU/1P2ZHLxodDikuFdu2/0CjoDgFXB0KnGKGKmJ6G1WMCVvi7abY7smmGA3s4a4NVL7Cirx6VwIj79PsAcgupr2iBAQk/GsPffzdpLtIrBek9u//p84hxrj/IaJWgPOeKeD7+r2Kc2g0r2dQjaM+9MqBx9/lC57xJRX/JHLQWirXfCucB9YyPun5I13Sf3hArkssQy/Jvd2aLFZ885BTfow6TAwl1ud+UPeauvEj6myKO98sko/3Y521EGXRofLGaPokLyPjI/3I4N4jCvw8m86eZAjjIhPFL7JKHf8OVc5gQCYQy3kxiF5wyvbfOeMBp0sk9UvJOrWvBEXFrimAZPu8o8T5WtlQAV02q7rxUwhMd+fpnbGewsl7Ob6eE4rGVrfWQIb86wOHbbJk3lCwPytjEFEI2bdUfRUFcrWxhC040hRP0gzVKLa+nBHM=
-  on:
-    tags: true
-    repo: SUNET/SATOSA
+  - provider: pypi
+    distributions: sdist bdist_wheel
+    user: Lundberg
+    password:
+      secure: NwkpOakaeJjErjTF4Y5MWeHzMvkxYZqrBFdRkzfenVfkWsomuyy553A691d3lc1+oREsh1fJJLjpZQYxTLUFIHOUmt/9zr02rFfguzj7hEYfWF8wHBXG6YSWv6T3aCA4RTMXvvzv9cHf1zfxh0fS7kgc+NRMAnd01diVLfYpBciLgmQ31J4mlwShp8yBQUoRBIvzSdzrgjr0TzCQZXB9xM6R2t/oJgXLo6Zz8dTzqq3De9nOU/1P2ZHLxodDikuFdu2/0CjoDgFXB0KnGKGKmJ6G1WMCVvi7abY7smmGA3s4a4NVL7Cirx6VwIj79PsAcgupr2iBAQk/GsPffzdpLtIrBek9u//p84hxrj/IaJWgPOeKeD7+r2Kc2g0r2dQjaM+9MqBx9/lC57xJRX/JHLQWirXfCucB9YyPun5I13Sf3hArkssQy/Jvd2aLFZ885BTfow6TAwl1ud+UPeauvEj6myKO98sko/3Y521EGXRofLGaPokLyPjI/3I4N4jCvw8m86eZAjjIhPFL7JKHf8OVc5gQCYQy3kxiF5wyvbfOeMBp0sk9UvJOrWvBEXFrimAZPu8o8T5WtlQAV02q7rxUwhMd+fpnbGewsl7Ob6eE4rGVrfWQIb86wOHbbJk3lCwPytjEFEI2bdUfRUFcrWxhC040hRP0gzVKLa+nBHM=
+    on:
+      tags: true
+      repo: SUNET/SATOSA
+  - provider: script
+    script: scripts/travis_create_docker_image.sh
+    on:
+      repo: SUNET/SATOSA
+      branch: master
+env:
+  global:
+  - secure: ymdbaVVKJFq193xn+pr7sRyjkcOBtpm6eu+A9QsdtzO6vhaj+MhFfsjWAJbGiaSvX691bLd+9kFqH76HViN1LbmkCujBm2+4k0DBSakb70T/81UNNpYGy4iIYzCKaWPPSwvFGfRjNY14RILEpOI8NCkJuDMuO7CiGkwOtmlOdP/tYdV9T3p36Hgpwa/0U5kIahqwnbBKiwjGGhI8YA4Ik01P4biEv3Fr++jS4dhzMe+hYjWDXW+bksf9OikbtJkPzHlZxCDgFH4yNY1TH6P3X/B8NLTrvpNZOj2GgQoZBDrTEM+RLdaLQ8EYcrJaEaOZs65Jicpw5Ycz8DHUuBXwlSiG1g/VJlzxYchGxnLguVyEELEm7p7vhDFYNOROL3J4PpY8E1+L834xzmhCqbHM2kHB2WeiIob0j1Hq7U1802tFuM+tu8P4gdEyGxstQaIehiTI/VQEJm+sKB1W5xtDQokrnMyiQfJy4K7T4ZrONV/gVhb85ayS6eF/Xu1vr/5s/fWyQOxNKvoeEiO6VVoLTWNPEysTewLFc8o7HcE/Qnv/67IwuK/vx0ZlESbNCRgTfqyWpn5vybyWmgo9aUC51hDiVQtZfVeaoF/Xtg2yxVn/4C1aPybpA2Oacll8LjyYwyoCeH3naD0j9Msy4izny2PF7MTT4iNbtwhRoAAqXic=
+  - secure: loJ+Bfind3tbEVrWqEalZT5bMqGFrMewo3jDwH9iJEw28tl+PasTCvCOJRsOomtdMp2QZh8e5wwnL1m7mkHWZaBDMxAg2mXlEv2W817SyAKkgFVnjXr8FJK4kjGAA5l2WXWKo7HKs2lOygZaDxj67i4htvg6cIxVf3dnI+MHpN5CONBfF6cXkFGMZoW+uc2diApyvIVCzte0JZkp6ZepWiyjelPl38pgWlD9elJEUaut0qKGZHtsRnLgTOzbBl49FV4lzCqt7wBnnwwQpTtvEyRW47O/VMYORAFFXpgUDPejE37+bf1wS6hlr0vSHFSUKILQWUH0l09+BPrxpoRj5SYkFD18xvqlWDNrNoANSMgRm/8cL1ucd7T5N03lKtNpaKT2ejHPj6Hu86mXFvcxcZnIcH7ppmXjZU2xfI2ytmmqxXysYeiCc6RgClmFBf3lnZz7iaHVrL8tU1x+eDzEQKvDbYHQnO9+4xXY37PH4ViJJEDoLq3NGhKxbDJ4oMgtz0mrjdWm8a1nWXIm8QTs2+oIhf+HrCpdqE8FfKnI7OyM8C+cwraApY77cZ9xfBqJGDQIgX3c+syB1ufVxY/DPDOXTysRUUHyWVgJeaL8EJEiMVnZMoGliY7QtnBznOglxynekIIaaZ5FMfh8hwA0pQ5idruqrtzVkBQoq8CdHfk=

Dockerfile

@@ -0,0 +1,24 @@
+FROM ubuntu:16.04
+
+RUN apt-get update && \
+    apt-get -y dist-upgrade && \
+    apt-get install -y --no-install-recommends \
+    git \
+    python3-dev \
+    build-essential \
+    python3-pip \
+    libffi-dev \
+    libssl-dev \
+    xmlsec1 \
+    libyaml-dev
+
+RUN mkdir -p /src/satosa
+COPY . /src/satosa
+COPY docker/setup.sh /setup.sh
+RUN /setup.sh
+
+COPY docker/start.sh /start.sh
+COPY docker/attributemaps /opt/satosa/attributemaps
+
+VOLUME /opt/satosa/etc
+ENTRYPOINT ["/start.sh"]

README.md

@@ -48,7 +48,7 @@ can convert request and make the communication possible.
 
 ## SAML2<->Social logins
 This setup makes it possible to connect a SAML2 service provider to multiple social media identity 
-providers such as Goolgle, Facebook. The proxy makes it possible to mirror a identity provider by 
+providers such as Google and Facebook. The proxy makes it possible to mirror a identity provider by 
 generating SAML2 metadata corresponding that provider and create dynamic endpoint which 
 are connected to a single identity provider.
 For more information about how to set up, configure and run such a proxy instance please visit 

doc/README.md

@@ -5,7 +5,7 @@ This document describes how to install and configure the SATOSA proxy.
 # Installation
 
 ## <a name="docker" style="color:#000000">Docker</a>
-A pre-built Docker image is accessible at the [Docker Hub](https://hub.docker.com/r/itsdirg/satosa/), and is the
+A pre-built Docker image is accessible at the [Docker Hub](https://hub.docker.com/r/satosa/), and is the
 recommended ways of running the proxy.
 
 ## <a name="manual_installation" style="color:#000000">Manual installation</a>
@@ -17,7 +17,7 @@ apt-get install libffi-dev libssl-dev xmlsec1
 ````
 
 ### <a name="install_instructions" style="color:#000000">Instructions</a>
-1. Download the SATOSA proxy project as a [compressed archive](https://github.com/its-dirg/SATOSA/releases)
+1. Download the SATOSA proxy project as a [compressed archive](https://github.com/SUNET/SATOSA/releases)
    and unpack it to `<satosa_path>`.
 
 1. Install the application:
@@ -26,7 +26,7 @@ apt-get install libffi-dev libssl-dev xmlsec1
    pip install <satosa_path>
    ```
 
-Alternatively the application can be installed directly from PyPI (`pip install satosa`), or the [Docker image](https://hub.docker.com/r/itsdirg/satosa/) can be used.
+Alternatively the application can be installed directly from PyPI (`pip install satosa`), or the [Docker image](https://hub.docker.com/r/satosa/) can be used.
 
 # Configuration
 All default configuration files, as well as an example WSGI application for the proxy, can be found
@@ -306,10 +306,10 @@ The configuration parameters available:
     * `client_registration_supported` (default: `No`): boolean whether [dynamic client registration is supported](https://openid.net/specs/openid-connect-registration-1_0.html).
         If dynamic client registration is not supported all clients must exist in the MongoDB instance configured by the `db_uri` in the `"clients"` collection of the `"satosa"` database.
         The registration info must be stored using the client id as a key, and use the parameter names of a [OIDC Registration Response](https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse).
-    * `authorization_code_lifetime`: how long authorization codes should be valid, see [default](https://github.com/its-dirg/pyop#token-lifetimes)
-    * `access_token_lifetime`: how long access tokens should be valid, see [default](https://github.com/its-dirg/pyop#token-lifetimes)
-    * `refresh_token_lifetime`: how long refresh tokens should be valid, if not specified no refresh tokens will be issued (which is [default](https://github.com/its-dirg/pyop#token-lifetimes))
-    * `refresh_token_threshold`: how long before expiration refresh tokens should be refreshed, if not specified refresh tokens will never be refreshed (which is [default](https://github.com/its-dirg/pyop#token-lifetimes))
+    * `authorization_code_lifetime`: how long authorization codes should be valid, see [default](https://github.com/SUNET/pyop#token-lifetimes)
+    * `access_token_lifetime`: how long access tokens should be valid, see [default](https://github.com/SUNET/pyop#token-lifetimes)
+    * `refresh_token_lifetime`: how long refresh tokens should be valid, if not specified no refresh tokens will be issued (which is [default](https://github.com/SUNET/pyop#token-lifetimes))
+    * `refresh_token_threshold`: how long before expiration refresh tokens should be refreshed, if not specified refresh tokens will never be refreshed (which is [default](https://github.com/SUNET/pyop#token-lifetimes))
 
 The other parameters should be left with their default values.
 
@@ -519,7 +519,7 @@ To produce signed SAML metadata for all SAML front- and backend modules, run the
 satosa-saml-metadata <path to proxy_conf.yaml> <path to key for signing> <path to cert for signing>
 ```
 
-Detailed usage instructions can be viewed by running `satosa-saml-metadata -h`.
+Detailed usage instructions can be viewed by running `satosa-saml-metadata --help`.
 
 # <a name="run" style="color:#000000">Start proxy application</a>
 Start the proxy server with the following command:

docker/attributemaps/__init__.py

@@ -0,0 +1,2 @@
+__author__ = 'rohe0002'
+__all__ = ["adfs_v1x", "adfs_v20", "basic", "saml_uri", "shibboleth_uri"]

docker/attributemaps/adfs_v1x.py

@@ -0,0 +1,18 @@
+CLAIMS = 'http://schemas.xmlsoap.org/claims/'
+
+
+MAP = {
+    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+    'fro': {
+        CLAIMS+'commonname': 'commonName',
+        CLAIMS+'emailaddress': 'emailAddress',
+        CLAIMS+'group': 'group',
+        CLAIMS+'upn': 'upn',
+    },
+    'to': {
+        'commonName': CLAIMS+'commonname',
+        'emailAddress': CLAIMS+'emailaddress',
+        'group': CLAIMS+'group',
+        'upn': CLAIMS+'upn',
+    }
+}

docker/attributemaps/adfs_v20.py

@@ -0,0 +1,49 @@
+CLAIMS = 'http://schemas.xmlsoap.org/claims/'
+COM_WS_CLAIMS = 'http://schemas.xmlsoap.com/ws/2005/05/identity/claims/'
+MS_CLAIMS = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/'
+ORG_WS_CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'
+
+
+MAP = {
+    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+    'fro': {
+        CLAIMS+'commonname': 'commonName',
+        CLAIMS+'group': 'group',
+        COM_WS_CLAIMS+'denyonlysid': 'denyOnlySid',
+        MS_CLAIMS+'authenticationmethod': 'authenticationMethod',
+        MS_CLAIMS+'denyonlyprimarygroupsid': 'denyOnlyPrimaryGroupSid',
+        MS_CLAIMS+'denyonlyprimarysid': 'denyOnlyPrimarySid',
+        MS_CLAIMS+'groupsid': 'groupSid',
+        MS_CLAIMS+'primarygroupsid': 'primaryGroupSid',
+        MS_CLAIMS+'primarysid': 'primarySid',
+        MS_CLAIMS+'role': 'role',
+        MS_CLAIMS+'windowsaccountname': 'windowsAccountName',
+        ORG_WS_CLAIMS+'emailaddress': 'emailAddress',
+        ORG_WS_CLAIMS+'givenname': 'givenName',
+        ORG_WS_CLAIMS+'name': 'name',
+        ORG_WS_CLAIMS+'nameidentifier': 'nameId',
+        ORG_WS_CLAIMS+'privatepersonalidentifier': 'privatePersonalId',
+        ORG_WS_CLAIMS+'surname': 'surname',
+        ORG_WS_CLAIMS+'upn': 'upn',
+    },
+    'to': {
+        'authenticationMethod': MS_CLAIMS+'authenticationmethod',
+        'commonName': CLAIMS+'commonname',
+        'denyOnlyPrimaryGroupSid': MS_CLAIMS+'denyonlyprimarygroupsid',
+        'denyOnlyPrimarySid': MS_CLAIMS+'denyonlyprimarysid',
+        'denyOnlySid': COM_WS_CLAIMS+'denyonlysid',
+        'emailAddress': ORG_WS_CLAIMS+'emailaddress',
+        'givenName': ORG_WS_CLAIMS+'givenname',
+        'group': CLAIMS+'group',
+        'groupSid': MS_CLAIMS+'groupsid',
+        'name': ORG_WS_CLAIMS+'name',
+        'nameId': ORG_WS_CLAIMS+'nameidentifier',
+        'primaryGroupSid': MS_CLAIMS+'primarygroupsid',
+        'primarySid': MS_CLAIMS+'primarysid',
+        'privatePersonalId': ORG_WS_CLAIMS+'privatepersonalidentifier',
+        'role': MS_CLAIMS+'role',
+        'surname': ORG_WS_CLAIMS+'surname',
+        'upn': ORG_WS_CLAIMS+'upn',
+        'windowsAccountName': MS_CLAIMS+'windowsaccountname',
+    }
+}