From bc37a650ca1545376b154fc3f16eca7d66a6a3f3 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@arthur-schiwon.de>
Date: Mon, 2 Oct 2023 16:15:06 +0200
Subject: [PATCH] fixup! standalone shibboleth image

---
 .../shibboleth-idp/conf/attribute-filter.xml  |  2 +-
 .../conf/attributes/default-rules.xml         | 14 ++++++
 .../shibboleth-idp/conf/idp.properties        |  6 +++
 .../conf/metadata-providers.xml               | 30 +++++--------
 .../shibboleth-idp/conf/nextcloud.xml         |  2 +-
 .../shibboleth-idp/conf/oidc-credentials.xml  | 44 +++++++++++++++++++
 .../shibboleth-idp/metadata/idp-metadata.xml  | 24 +++-------
 user_saml_shibboleth-idp/start.sh             |  1 -
 8 files changed, 83 insertions(+), 40 deletions(-)
 create mode 100644 user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml
 create mode 100644 user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml

diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml
index 36f6e3a6..92513ef3 100644
--- a/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml
@@ -15,7 +15,7 @@
 
     <!-- Release some attributes to an SP. -->
     <AttributeFilterPolicy id="example1">
-        <PolicyRequirementRule xsi:type="Requester" value="http://localhost/index.php/apps/user_saml/saml/metadata" />
+        <PolicyRequirementRule xsi:type="Requester" value="http://localhost:8080/index.php/apps/user_saml/saml/metadata" />
 
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml
new file mode 100644
index 00000000..956852eb
--- /dev/null
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/attributes/default-rules.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"
+
+	   default-init-method="initialize"
+	   default-destroy-method="destroy">
+
+	<!--
+	This file is empty since we stick with the Attribute encoders. Cf:
+	- https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631499/ReleaseNotes#Attribute-Related-Changes
+	-->
+
+</beans>
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties b/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties
index d71cbc6c..048fd9b7 100644
--- a/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/idp.properties
@@ -193,3 +193,9 @@ idp.ui.fallbackLanguages= en,fr,de
 #idp.fticks.salt=somethingsecret
 #idp.fticks.loghost=localhost
 #idp.fticks.logport=514
+
+idp.loglevel.idp = DEBUG
+idp.loglevel.messages = DEBUG
+idp.loglevel.opensaml = DEBUG
+idp.loglevel.encryption = DEBUG
+idp.loglevel.ldap = INFO
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml
index f1eae46e..39919979 100644
--- a/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/metadata-providers.xml
@@ -2,15 +2,9 @@
 <!-- This file is an EXAMPLE metadata configuration file. -->
 <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
     xmlns="urn:mace:shibboleth:2.0:metadata"
-    xmlns:resource="urn:mace:shibboleth:2.0:resource"
-    xmlns:security="urn:mace:shibboleth:2.0:security"
-    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
-                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd 
-                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
-                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
-                        
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd">
+
     <!-- ========================================================================================== -->
     <!--                             Metadata Configuration                                         -->
     <!--                                                                                            -->
@@ -19,7 +13,7 @@
     <!--                                                                                            -->
     <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
     <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
-    <!--  provides more details.                                                                    --> 
+    <!--  provides more details.                                                                    -->
     <!--                                                                                            -->
     <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
     <!-- ========================================================================================== -->
@@ -33,35 +27,35 @@
     it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
 
     The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
-    that the IdP needs to interoperate with. 
+    that the IdP needs to interoperate with.
     -->
-    
+
     <!--
     <MetadataProvider id="HTTPMetadata"
                       xsi:type="FileBackedHTTPMetadataProvider"
                       backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
-                      metadataURL="http://WHATEVER"> 
-        
+                      metadataURL="http://WHATEVER">
+
         <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
         <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
         <MetadataFilter xsi:type="EntityRoleWhiteList">
             <RetainedRole>md:SPSSODescriptor</RetainedRole>
         </MetadataFilter>
     </MetadataProvider>
-    -->   
+    -->
 
     <!--
     Example file metadata provider.  Use this if you want to load metadata
     from a local file.  You might use this if you have some local SPs
     which are not "federated" but you wish to offer a service to.
-    
+
     If you do not provide a SignatureValidation filter, then you have the
     responsibility to ensure that the contents on disk are trustworthy.
     -->
-    
+
     <!--
     <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
     -->
-    <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/conf/nextcloud.xml" />          
-    
+    <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/conf/nextcloud.xml" />
+
 </MetadataProvider>
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml
index 0274e16e..85341a9e 100644
--- a/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/nextcloud.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2032-01-06T12:44:32Z" cacheDuration="PT604800S" entityID="http://localhost:8080/index.php/apps/user_saml/saml/metadata">
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2032-01-06T12:44:32Z" cacheDuration="PT604800S" entityID="https://nc.zara/master/index.php/apps/user_saml/saml/acs">
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml
new file mode 100644
index 00000000..dbfe5855
--- /dev/null
+++ b/user_saml_shibboleth-idp/shibboleth-idp/conf/oidc-credentials.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:util="http://www.springframework.org/schema/util"
+	   xmlns:p="http://www.springframework.org/schema/p"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+	                       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+	   default-init-method="initialize"
+	   default-destroy-method="destroy">
+	<!-- This file contains default oidc signing credentials. This file should be imported to credentials.xml -->
+	<!-- The list of ALL of your OP's ID Token / UserInfo response signing credentials for the default security configuration.
+		  If you define additional signing credentials, for example for new supported signing algorithms, make sure to include them
+		  within this list. -->
+	<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" id="shibboleth.oidc.PEMSigningCredential" p:certificateResource="%{idp.signing.cert}" p:entityId-ref="issuer" p:keyNames="Signing" p:privateKeyResource="%{idp.signing.key}"/>
+	<bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" id="shibboleth.oidc.PEMEncryptionCredential" p:certificateResource="%{idp.encryption.cert}" p:entityId-ref="issuer" p:keyNames="Encryption" p:privateKeyResource="%{idp.encryption.key}"/>
+	<util:list id="shibboleth.oidc.SigningCredentials">
+		<ref bean="shibboleth.oidc.PEMSigningCredential"/>
+	</util:list>
+	<!-- The list of ALL of your OP's Request Object decryption credentials for the default security configuration. If you
+		  define additional decryption credentials, for example to support new algorithm, make sure to include them within
+		  this list. -->
+	<util:list id="shibboleth.oidc.EncryptionCredentials">
+		<ref bean="shibboleth.oidc.PEMEncryptionCredential"/>
+	</util:list>
+	<!-- If you need to publish key set different from shibboleth.oidc.EncryptionCredentials, define a list named as shibboleth.oidc.EncryptionCredentialsToPublish -->
+	<alias name="shibboleth.oidc.EncryptionCredentials" alias="shibboleth.oidc.EncryptionCredentialsToPublish"/>
+	<!--
+	  Example of case having two active encryption credentials but then stop publishing the second before removing it from active configuration.
+	  <util:list id="shibboleth.oidc.EncryptionCredentialsToPublish">
+		  <ref bean="shibboleth.oidc.OnlyNewDefaultRSAEncryptionCredential" />
+	  </util:list>
+	  -->
+	<!-- If you need to publish key set different from shibboleth.oidc.SigningCredentials, define a list named as shibboleth.oidc.SigningCredentialsToPublish -->
+	<alias name="shibboleth.oidc.SigningCredentials" alias="shibboleth.oidc.SigningCredentialsToPublish"/>
+	<!--
+	  Example of case publishing signing credential before taking it to active configuration:
+
+	  <util:list id="shibboleth.oidc.SigningCredentialsToPublish">
+		  <ref bean="shibboleth.oidc.DefaultRSSigningCredential" />
+		  <ref bean="shibboleth.oidc.DefaultESSigningCredential" />
+		  <ref bean="shibboleth.oidc.UpcomingDefaultRSSigningCredential" />
+	  </util:list>
+	  -->
+</beans>
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml b/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml
index 7a351b60..7daa5c01 100644
--- a/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml
+++ b/user_saml_shibboleth-idp/shibboleth-idp/metadata/idp-metadata.xml
@@ -5,23 +5,13 @@
 
      This metadata is not dynamic - it will not change as your configuration changes.
 -->
-<EntityDescriptor  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://shibboleth-integration-nextcloud.localdomain/idp/shibboleth">
+<EntityDescriptor
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+	entityID="https://shibboleth-integration-nextcloud.localdomain/idp/shibboleth"
+>
 
     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-
-        <Extensions>
-            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
-<!--
-    Fill in the details for your IdP here 
-
-            <mdui:UIInfo>
-                <mdui:DisplayName xml:lang="en">A Name for the IdP at shibboleth-integration-nextcloud.localdomain</mdui:DisplayName>
-                <mdui:Description xml:lang="en">Enter a description of your IdP at shibboleth-integration-nextcloud.localdomain</mdui:Description>
-                <mdui:Logo height="80" width="80">https://shibboleth-integration-nextcloud.localdomain/Path/To/Logo.png</mdui:Logo>
-            </mdui:UIInfo>
--->
-        </Extensions>
-
         <KeyDescriptor use="signing">
             <ds:KeyInfo>
                     <ds:X509Data>
@@ -130,10 +120,6 @@ GrYd+TvG2duNh6z69Ppj2WuD
 
     <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
 
-        <Extensions>
-            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
-        </Extensions>
-
         <KeyDescriptor use="signing">
             <ds:KeyInfo>
                     <ds:X509Data>
diff --git a/user_saml_shibboleth-idp/start.sh b/user_saml_shibboleth-idp/start.sh
index cfeb759b..92a7a67f 100644
--- a/user_saml_shibboleth-idp/start.sh
+++ b/user_saml_shibboleth-idp/start.sh
@@ -10,5 +10,4 @@ export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=nextcloud
 export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=nextcloud
 
 init-idp.sh
-rm /opt/shibboleth-idp/conf/oidc-credentials.xml
 $JAVA_HOME/bin/java -jar $JETTY_HOME/start.jar jetty.home=$JETTY_HOME jetty.base=$JETTY_BASE -Djetty.sslContext.keyStorePassword=$JETTY_KEYSTORE_PASSWORD -Djetty.sslContext.keyStorePath=$JETTY_KEYSTORE_PATH