Build a SSP debug SP

Author: MKodde

.github/workflows/build-ssp-debug-sp.yml

@@ -0,0 +1,29 @@
+name: Build docker SSP debug SP container
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build-ssp-debug-sp:
+
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Check out the repo
+      uses: actions/checkout@v2
+
+    - name: Log into GitHub Container Registry
+      uses: docker/login-action@v1
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build the Apache container and push to GitHub Packages
+      uses: docker/build-push-action@v2
+      with:
+        tags: ghcr.io/openconext/openconext-containers/openconext-ssp-debug-sp:latest
+        context: docker/ssp-debug-sp/
+        push: true

docker/ssp-debug-sp/Dockerfile

@@ -0,0 +1,53 @@
+FROM webdevops/php-nginx:7.2-alpine AS ssp-debug-sp
+MAINTAINER Michiel Kodde (michiel@ibuildings.nl)
+
+RUN apt-get update && apt-get install -y \
+    git \
+    python \
+    zip \
+    libpng-dev \
+    && docker-php-ext-install pdo_mysql exif gd \
+
+ENV NVM_DIR /usr/local/nvm
+ENV NODE_VERSION 14
+
+# Install nvm with node and npm
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash
+    && source $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && nvm use default
+
+# Install Composer
+COPY --from=composer /usr/bin/composer /usr/local/bin/composer
+
+# Fix npm
+RUN mkdir /.npm && chown -R "${NPM_UID}:${NPM_GID}" "/.npm"
+RUN mkdir /.config && chown -R "${NPM_UID}:${NPM_GID}" "/.config"
+
+# Install SSP: Clone and install rev adf1eb8 of SSP
+RUN mkdir -p /var/simplesamlphp/
+RUN git clone https://github.com/simplesamlphp/simplesamlphp.git /var/simplesamlphp
+RUN cd /var/simplesamlphp
+RUN git reset --hard adf1eb8
+
+# Install SSP: Copy files
+COPY conf/config.php /var/simplesamlphp/config/config.php
+COPY conf/authsources.php /var/simplesamlphp/config/authsources.php
+COPY conf/accountgen.inc /var/simplesamlphp/config/accountgen.inc
+COPY certificates/ssp.key /var/simplesamlphp/cert/ssp.key
+COPY certificates/ssp.crt /var/simplesamlphp/cert/ssp.crt
+
+# Install SSP: Install dependencies and build
+RUN composer install --prefer-dist -n -o --no-scripts
+
+# Install SSP: Install and copy DebugSP files
+RUN composer require simplesamlphp/simplesamlphp-module-saml2debug
+COPY conf/DebugSP /var/simplesamlphp/modules/DebugSP
+COPY conf/sp.php /var/simplesamlphp/www/sp.php
+COPY conf/sp-config.inc /var/simplesamlphp/www/sp-config.inc
+COPY conf/sp-utils.inc /var/simplesamlphp/www/sp-utils.inc
+
+EXPOSE 80
+STOPSIGNAL SIGQUIT
+CMD ["nginx", "-g", "daemon off;"]

docker/ssp-debug-sp/certificates/ssp.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID4zCCAksCFE/RXnB+y6e2zlC0Zpi7Pl6GbyuAMA0GCSqGSIb3DQEBCwUAMC4x
+EzARBgNVBAMMClJBIFNBTUwgU1AxFzAVBgNVBAoMDkRldmVsb3BtZW50IFZNMB4X
+DTIxMDQyMDA3MDIyM1oXDTI2MDQxOTA3MDIyM1owLjETMBEGA1UEAwwKUkEgU0FN
+TCBTUDEXMBUGA1UECgwORGV2ZWxvcG1lbnQgVk0wggGiMA0GCSqGSIb3DQEBAQUA
+A4IBjwAwggGKAoIBgQCyMqGyevrF/Ms8fsGQdz6fqzCA8T/QKC9Jb3m7EpQOp/OM
+q/qBv4gjtFf0/bAun2N/u6zZOlPk61iVWRbxIet/O9BAoqRhtT6PHQVcReXR1F3+
+Dk2vH8+QyZwnWGENwh16BYuirIeWQuEgfVDUpSg2MBjkHjZmpF8Dxn6d485qwrdb
+FZN+z3QPtxNaNu1FBktsgPNjlpE7HNB9xcGy4DlgTIP+80nKgM+Kdopw9FVk71bf
+KKHp1m9qSSbFI+drtbtFJ7OPqFYDs9gJEY8ivALID1ERNQkAPImr/EIPiazHc4nk
+Qfi4Kt5ohsvGufdCxYtOUGxjcrkq9oJX5YiiC9xfekPeU05F2FsYWxYK0nmnEP0t
+ydgDFeKl2FI2vUhr2oOaiTs5VlNhMz43diX9AJzjmO4nrePsuA/T3wj8rSzhS9kD
+9IF6GkZ+y+1Yyzf8NWxPfFCL0K4B5/+pGDY5BETX+BHq4kKCGjWVWz9Whd9MeaJb
+4buycT9RyKZrmSEe/fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAjuAYYpA337xi
+Uem4MTmCB68VVEPxVeiR3geTqZdk42ep6ATfalbAIAsqzTsh5QPU5FZByrZauOWA
+6m5HLmlEY3UQmI6l1P9KcOAIVfHQ0uVIpREuEaiFJlA2pif/Epk+Go/jp+yKPHms
+/IT/ZhZTzUCM3xbcan9rDA779pgi/NqYSHJ1EljiD+Wt8jDk67hZAjHum9b79UNs
+bJqB4wHrNkoyOZZnmW88nDeJGvBpoeo/zsy4xi20E23oBP7ti7QVEvsvaZtJ5L7S
+mysHP03fIkfquXswZ8Xl5wS3Vjr82wx9LOGunzZzFF4awRrsIuovvxrTBTD/NNHA
+v0Mm7UC0I8A27mlpufneN4TFcXmYW0KZxkiLbcrXtOicqgRyfEB1UC2C8RAPmeX3
+VGM+odFNhJjkCecms4/xpSqj13CE6S6ci2+osfiMWm5uBw6wAfPt/5rPrvy50dWx
+J13vign9EqLAy7aVRzK8ghu1bOLlXV5Hp6kwwMYYqZBV5A0xOuSj
+-----END CERTIFICATE-----

docker/ssp-debug-sp/certificates/ssp.key

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAsjKhsnr6xfzLPH7BkHc+n6swgPE/0CgvSW95uxKUDqfzjKv6
+gb+II7RX9P2wLp9jf7us2TpT5OtYlVkW8SHrfzvQQKKkYbU+jx0FXEXl0dRd/g5N
+rx/PkMmcJ1hhDcIdegWLoqyHlkLhIH1Q1KUoNjAY5B42ZqRfA8Z+nePOasK3WxWT
+fs90D7cTWjbtRQZLbIDzY5aROxzQfcXBsuA5YEyD/vNJyoDPinaKcPRVZO9W3yih
+6dZvakkmxSPna7W7RSezj6hWA7PYCRGPIrwCyA9RETUJADyJq/xCD4msx3OJ5EH4
+uCreaIbLxrn3QsWLTlBsY3K5KvaCV+WIogvcX3pD3lNORdhbGFsWCtJ5pxD9LcnY
+AxXipdhSNr1Ia9qDmok7OVZTYTM+N3Yl/QCc45juJ63j7LgP098I/K0s4UvZA/SB
+ehpGfsvtWMs3/DVsT3xQi9CuAef/qRg2OQRE1/gR6uJCgho1lVs/VoXfTHmiW+G7
+snE/Ucima5khHv35AgMBAAECggGAKVZrgj7bG8C32NHCz2OKKHoK526PkhcwWQW+
+JHJ73CaD7hcbJqwqxbWZTeDn1PjumPwNbdsFCS67PvIKy2dF/R8AAW55WZ005Pgj
+fTNNy+5K25uv07c6bGkIi2wKH6nvMpZEvTjuvyHGncXUUW/6sw9XRtvnXMo2rGaI
+itIE2WlQJZYMwDcZwmeC2sOxKPj72DDVxT1xdVgK2ZJdi8ROKxO07xi6/noBKyqy
+lN9pS9/ltCD15ovzDqHnl4XrsmXWpvMuBl6f9ACNTI0jZE1WoMMKhxPdWvRm+gId
+U3ikNK6eLfReHu6jeTQRNCAO9dExrAJzgV7G4jHwinDrBk8ywYqSYVrbpz5Sx/Ij
+W6Gt9XMjHz2y8Bs114foVW3Fr3Fj55/eQu1xa6WaxFcF5nEP2/bLXexMJHqeMI4r
+T+150G6pjHk2uvh61JB8aAfaqIrOP7/1hjbJBIHjD/ub2xZ7uwtibFQvhmOpzYE8
+jeO09A2byQU2yIXvZXxVJWE4vmwBAoHBAOuRI+WqFpRAlJ7yolRfM0uwo3R09+Aw
+LZ3tvnMHGJPipImFC5k2ralll/tstBVdRNEMIqsLcogBfMt3F1kx6hYtMXj3gy9S
+b0XKJvEikdQvmdUjVfkIlRI+yMm811xqtqNXcLqndSxTUkTotpxmU7p1AhdXpIv9
+IiXaBfuUvBi68M8tJ0tgJWKCDtwJWtlvhKRv6UXVauJbb8QczIgrpk0PVI9WvX0Z
+VN/3bq/BxJBjD/RvLN1uNqjsi/qoN1wWeQKBwQDBp5XrNzU8wctaLxdZrKCjfe0T
+X3Scm9xgWKZOZUBOH6ydbVya/g0VsFM6mgu6tz2yMGA4TlmqM2WfzhzVkb2aJ8Z4
+me2jsyqku3sANZzFaGRMu0i03LC6SFv9NQ+YA8p01Ry9KPF8RU0Ows9Zv/uVgPNp
+CEy8GfjbmJsbfEPkj5gNIJx5RNEgI6mSOOtTAiQK7Mra4bJwgvRSudhpMQJWUdbo
+J8k0+VSspmC0gIh108rAvlpEDTBgDa7QAbMGQ4ECgcB1bQNk79WTj2HGnhK3VkF+
+wI2qdsg9dCa5LBMcyfPBfGAiwTSX6n7FC4Soa3aVk8nDH3aEpw8vpvYrgrEb4Frd
+NSgNMeyuATzAoFWrLF1fVV8stRGdM18EGlIC5mTAh92FLQhfsywgrWQ8P3kQG54v
+OzaQpjq7IbMNBVKoJ2tgNIfn7o1A8KuSIF0B6JPmAcYwJi01h35hWc0sCGMYmhGr
+JjIzxbxtiNwbTP9bE49FnmwMoALQWqlaqZfZmlMGT5kCgcBKaPiEHvyH0fcvOfUA
+8gHvkE1uKjmGi6UMKEQOz3z8B9Ot0f3JWGDyuoPgepyTLCG6vDfcqs5tRb6AvxP5
+RDzUZQAwCwVy5z81eQx0MiWA/PG9QiFXzYzipzchfif1w08hwVl/naHcnExVpalC
+1S/4bEobS6Mgi+JBjsvarc7wnfRQ5vz44+ZvMQTROKnDhYkP4Zi4rgyAivEScHKl
+SL2bKWsoXVFE16EfjfaOpOzKSY0YrovEpkS2Q8uuBVkiyQECgcB4JN+HiWD5auBl
+S0eDa+cGd7dNcs3d1t++sIyGZtxclzlpzHl5mr5Ey9UdkCvB3JmUh+fSsxBile7Y
+n03lt29kozvJ5FsL6t8zp3Fs9HY9fvNJQ51J7xLJpeGuZkUebxQRad/Gs18EkP4c
+5Wpa8inZay7o2+VHPcgyp1OmAMwUxof8WNdzhpqe1SR/c58WOOu0OPyDP6gmEUu3
+rka3UsBdb2pXLUCipKVDOOO64ACNicH6Lp+jZgdNCg1N+KKdTdM=
+-----END RSA PRIVATE KEY-----

docker/ssp-debug-sp/conf/DebugSP/default-disable

@@ -0,0 +1,83 @@
+<?php
+
+/**
+ * Copyright 2018 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* Installation: copy this file to the "modules/saml/lib/Auth/Source/" directory of your SimpleSAMLphp installation
+   Usage:
+   - In authsourcesphp use "DebugSP:SP" where you would otherwise use "saml:SP"
+   - In the call to AuthSimple::requireAuth($params), AuthSimple::login($params) set 'saml:AssertionConsumerServiceURL'
+     and 'DebugSP:extraPOSTvars' to the desired values.
+     E.g.:
+     $params=array(
+        'DebugSP:AssertionConsumerServiceURL' => 'https://...',
+        'DebugSP:extraPOSTvars' => array(
+           'SomePOSTvariable'    => 'SomeValue',
+           'AnotherPOSTvariable' => 'AnotherValue'
+        ),
+     );
+     $as->login($params);
+*/
+
+// Extend from the SimpleSAMLphp SAML 2.0 authentication source "saml:SP"
+class sspmod_DebugSP_Auth_Source_SP extends \SimpleSAML\Module\DebugSP\Auth\Source\SP {
+
+    public function __construct($info, $config) {
+        parent::__construct($info, $config);
+    }
+
+    public function sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar) {
+
+        if ( isset( $state['DebugSP:AssertionConsumerServiceURL'] ) ) {
+            // Set the AssertionConsumerServiceURL in the AuthnRequest
+            $ar->setAssertionConsumerServiceURL( $state['DebugSP:AssertionConsumerServiceURL'] );
+        }
+
+        if ($binding instanceof \SAML2\HTTPPost) {
+            // replicate \SAML2\HTTPPost::send(Message $message) so we can set additional POST variables
+            $destination = $ar->getDestination();
+            $relayState = $ar->getRelayState();
+            $post = array();
+
+            // Set extra POST variables
+            if (isset($state['DebugSP:extraPOSTvars'])) {
+                assert(is_array($state['DebugSP:extraPOSTvars']), 'DebugSP:extraPOSTvars must be array()');
+                foreach ($state['DebugSP:extraPOSTvars'] as $key => $value) {
+                    $post[$key] = $value;
+                }
+            }
+
+            // Create SAMLRequest
+            $msgStr = $ar->toSignedXML();
+            $msgStr = $msgStr->ownerDocument->saveXML($msgStr);
+
+            \SAML2\Utils::getContainer()->debugMessage($msgStr, 'out');
+
+            $post['SAMLRequest'] = base64_encode($msgStr);
+
+            if ($relayState !== null) {
+                $post['RelayState'] = $relayState;
+            }
+
+            \SAML2\Utils::getContainer()->postRedirect($destination, $post);
+
+            return;
+        }
+
+        // Use partent implementation
+        parent::sendSAML2AuthnRequest($state, $binding, $ar);
+    }
+}

docker/ssp-debug-sp/conf/DebugSP/lib/Auth/Source/SP.php

@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * Copyright 2018 SURFnet bv
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Rename the "_SAMLResponse" variable that used by the ADFS SFO extension back to the SAML HTTP-POST standard
+// "SAMLResponse" and then hand over processing to the standard SSP ACS processing
+
+if (isset($_POST['_SAMLResponse'])) {
+    $_POST['SAMLResponse'] = $_POST['_SAMLResponse'];
+}
+
+require(__DIR__.'/../../../saml/www/sp/saml2-acs.php');

docker/ssp-debug-sp/conf/DebugSP/www/sp/saml2-acs.php

@@ -0,0 +1,85 @@
+<?php
+
+/*
+Generate accounts for simpleSAMLphp "example-userpass" auth source
+
+$config: simplesaml php config array
+$prefix: account name prefix
+$email: An existing email address, if you want to receive mail
+$scope: Used as schachome, EPPN scope and names
+$slugs: array of account variants
+*/
+
+function account_gen(&$config, $prefix, $email, $scope, $slugs)
+{
+    foreach($slugs as $slug)
+    {
+        $uid=$prefix.$slug;
+        $account=array(
+            'NameID' => 'urn:collab:person:'.$scope.':'.$uid,
+            'uid' => array($uid),
+            'eduPersonPrincipalName' => $uid.'@'.$scope,
+            'givenName' => 'gn-'.$uid,
+            'sn' => 'sn-'.$scope,
+            'cn' => $uid.' '.$scope,
+            'mail' => str_replace('@', '+'.$uid.'@', $email),
+            'displayName' => 'd-'.$uid.' '.$scope,
+            'eduPersonAffiliation' => array('student'),
+            'schacHomeOrganization' => $scope,
+            'schacHomeOrganizationType' => 'urn:mace:terena.org:schac:homeOrganizationType:int:university',
+        );
+        $config['example-userpass'][$uid.':'.$uid]=$account;
+    }
+
+    // Without SHO
+    $uid=$prefix.'-nosho';
+    $account=array(
+        'NameID' => 'urn:collab:person:'.$scope.':'.$uid,
+        'uid' => array($uid),
+        'eduPersonPrincipalName' => $uid.'@'.$scope,
+        'givenName' => 'gn-'.$uid,
+        'sn' => 'sn-'.$scope,
+        'cn' => $uid.' '.$scope,
+        'mail' => str_replace('@', '+'.$uid.'@', $email),
+        'displayName' => 'd-'.$uid.' '.$scope,
+        'eduPersonAffiliation' => array('student'),
+        //'schacHomeOrganization' => $scope,
+        'schacHomeOrganizationType' => 'urn:mace:terena.org:schac:homeOrganizationType:int:university',
+    );
+    $config['example-userpass'][$uid.':'.$uid]=$account;
+
+    // Without mail
+    $uid=$prefix.'-nomail';
+    $account=array(
+        'NameID' => 'urn:collab:person:'.$scope.':'.$uid,
+        'uid' => array($uid),
+        'eduPersonPrincipalName' => $uid.'@'.$scope,
+        'givenName' => 'gn-'.$uid,
+        'sn' => 'sn-'.$scope,
+        'cn' => $uid.' '.$scope,
+        //'mail' => str_replace('@', '+'.$uid.'@', $email),
+        'displayName' => 'd-'.$uid.' '.$scope,
+        'eduPersonAffiliation' => array('student'),
+        'schacHomeOrganization' => $scope,
+        'schacHomeOrganizationType' => 'urn:mace:terena.org:schac:homeOrganizationType:int:university',
+    );
+    $config['example-userpass'][$uid.':'.$uid]=$account;
+
+    // Without cn
+    $uid=$prefix.'-nocn';
+    $account=array(
+        'NameID' => 'urn:collab:person:'.$scope.':'.$uid,
+        'uid' => array($uid),
+        'eduPersonPrincipalName' => $uid.'@'.$scope,
+        'givenName' => 'gn-'.$uid,
+        'sn' => 'sn-'.$scope,
+        //'cn' => $uid.' '.$scope,
+        'mail' => str_replace('@', '+'.$uid.'@', $email),
+        'displayName' => 'd-'.$uid.' '.$scope,
+        'eduPersonAffiliation' => array('student'),
+        'schacHomeOrganization' => $scope,
+        'schacHomeOrganizationType' => 'urn:mace:terena.org:schac:homeOrganizationType:int:university',
+    );
+    $config['example-userpass'][$uid.':'.$uid]=$account;
+
+}