Added simple recipe/template, initial apache2 and iis recipes, and in…

…itial test files

files/default/tests/minitest/support/shibboleth-sp_apache2_test.rb

@@ -0,0 +1,7 @@
+require "minitest/autorun"
+
+describe_recipe "shibboleth-sp::apache2" do
+  include MiniTest::Chef::Assertions
+  include MiniTest::Chef::Context
+  include MiniTest::Chef::Resources
+end

files/default/tests/minitest/support/shibboleth-sp_iis_test.rb

@@ -0,0 +1,7 @@
+require "minitest/autorun"
+
+describe_recipe "shibboleth-sp::iis" do
+  include MiniTest::Chef::Assertions
+  include MiniTest::Chef::Context
+  include MiniTest::Chef::Resources
+end

files/default/tests/minitest/support/shibboleth-sp_simple_test.rb

@@ -0,0 +1,7 @@
+require "minitest/autorun"
+
+describe_recipe "shibboleth-sp::simple" do
+  include MiniTest::Chef::Assertions
+  include MiniTest::Chef::Context
+  include MiniTest::Chef::Resources
+end

files/default/tests/minitest/support/shibboleth-sp_test.rb

@@ -0,0 +1,7 @@
+require "minitest/autorun"
+
+describe_recipe "shibboleth-sp::default" do
+  include MiniTest::Chef::Assertions
+  include MiniTest::Chef::Context
+  include MiniTest::Chef::Resources
+end

recipes/apache2.rb

@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: shibboleth-sp
+# Recipe:: apache2
+#
+# Copyright 2012
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "shibboleth-sp"
+
+case node['platform']
+when 'ubuntu'
+	include_recipe "apache2"
+
+	package "libapache2-mod-shib2"
+	apache_module "shib2"
+end

recipes/iis.rb

@@ -0,0 +1,20 @@
+#
+# Cookbook Name:: shibboleth-sp
+# Recipe:: iis
+#
+# Copyright 2012
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "shibboleth-sp"

recipes/simple.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: shibboleth-sp
+# Recipe:: simple
+#
+# Copyright 2012
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node['platform']
+when 'windows'
+	config_path = "C:/opt/shibboleth-sp/etc/shibboleth"
+else
+	config_path = "/etc/shibboleth"
+end
+
+template "#{config_path}/shibboleth2.xml" do
+	source "shibboleth2.xml.erb"
+	owner "root" unless platform? 'windows'
+	group "root" unless platform? 'windows'
+	mode "0644"
+	notifies :restart, resources(:service => "shibd"), :delayed
+end

templates/default/shibboleth2.xml.erb

@@ -0,0 +1,234 @@
+<!--
+	Dynamically generated by Chef on <%= node["fqdn"] %>
+	Local modifications will be overwritten by Chef.
+-->
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+	xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	clockSkew="180">
+
+	<% if node['platform'] == "windows" -%>
+	<!--
+	The InProcess section contains settings affecting web server modules.
+	Required for IIS, but can be removed when using other web servers.
+	-->
+	<InProcess logger="native.logger">
+		<ISAPI normalizeRequest="true" safeHeaderNames="true">
+			<!--
+			Maps IIS Instance ID values to the host scheme/name/port. The name is
+			required so that the proper <Host> in the request map above is found without
+			having to cover every possible DNS/IP combination the user might enter.
+			-->
+			<!--
+			When the port and scheme are omitted, the HTTP request's port and scheme are used.
+			If these are wrong because of virtualization, they can be explicitly set here to
+			ensure proper redirect generation.
+			-->
+			<!--
+			<Site id="42" name="virtual.example.org" scheme="https" port="443"/>
+			-->
+			<% node['shibboleth-sp']['iis']['sites'].each do |site| -%>
+			<Site id="<%= site['id'] %>" name="<%= site['name'] %>"
+				<% if site['scheme'] -%>
+				scheme="<%= site['scheme'] %>"
+				<% end -%>
+				<% if site['port'] -%>
+				port="<%= site['port'] %>"
+				<% end -%>
+			/>
+			<% end -%>
+		</ISAPI>
+	</InProcess>
+	<% end -%>
+
+	<!--
+	By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+	are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+	-->
+
+	<!--
+	To customize behavior for specific resources on Apache, and to link vhosts or
+	resources to ApplicationOverride settings below, use web server options/commands.
+	See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+	
+	For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+	file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+	-->
+
+	<% if node['platform'] == "windows" -%>
+	<!--
+	To customize behavior for specific resources on IIS, and to link vhosts or
+	resources to ApplicationOverride settings below, use the XML syntax below.
+	See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo for help.
+	
+	Apache users should rely on web server options/commands in most cases, and can remove the
+	RequestMapper element. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
+	-->
+	<RequestMapper type="Native">
+		<RequestMap>
+			<!--
+			The example requires a session for documents in /secure on the containing host with http and
+			https on the default ports. Note that the name and port in the <Host> elements MUST match
+			Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
+			-->
+			<!--
+			<Host name="sp.example.org">
+				<Path name="secure" authType="shibboleth" requireSession="true"/>
+			</Host>
+			-->
+			<!-- Example of a second vhost mapped to a different applicationId. -->
+			<!--
+			<Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
+			-->
+			<% node['shibboleth-sp']['iis']['hosts'].each do |host| -%>
+			<Host name="<%= host['name'] %>"
+				<% if host['applicationId'] -%>
+				applicationId="<%= host['applicationId'] %>"
+				<% end -%>
+			>
+				<% if host['path'] -%>
+				<Path name="<%= host['path']['name'] %>" authType="<%= host['path']['authType'] ? host['path']['authType'] : "shibboleth" %>" requireSession="<%= host['path']['requireSession'] ? host['path']['requireSession'] : "true" %>"/>
+				<% end -%>
+			</Host>
+			<% end -%>
+		</RequestMap>
+	</RequestMapper>
+
+	<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+	<ApplicationDefaults entityID="<%= node['shibboleth-sp']['entityID'] %>"
+						 REMOTE_USER="<%= node['shibboleth-sp']['REMOTE_USER'] %>">
+
+		<!--
+		Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+		You MUST supply an effectively unique handlerURL value for each of your applications.
+		The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+		a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+		the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+		Note that while we default checkAddress to "false", this has a negative impact on the
+		security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+		-->
+		<Sessions lifetime="<%= node['shibboleth-sp']['Sessions']['lifetime'] %>" timeout="<%= node['shibboleth-sp']['Sessions']['timeout'] %>" relayState="<%= node['shibboleth-sp']['Sessions']['relayState'] %>"
+				  checkAddress="<%= node['shibboleth-sp']['Sessions']['checkAddress'] %>" handlerSSL="<%= node['shibboleth-sp']['Sessions']['handlerSSL'] %>" cookieProps="<%= node['shibboleth-sp']['Sessions']['cookieProps'] %>">
+
+			<!--
+			Configures SSO for a default IdP. To allow for >1 IdP, remove
+			entityID property and adjust discoveryURL to point to discovery service.
+			(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+			You can also override entityID on /Login query string, or in RequestMap/htaccess.
+			-->
+			<% if node['shibboleth-sp']['SSO']['discoveryURL'].empty? -%>
+			<SSO entityID="<%= node['shibboleth-sp']['SSO']['entityID'] %>">
+			<% else -%>
+			<SSO discoveryProtocol="<%= node['shibboleth-sp']['SSO']['discoveryProtocol'] %>" discoveryURL="<%= node['shibboleth-sp']['SSO']['discoveryURL'] %>">            
+			<% end -%>
+			  SAML2 SAML1
+			</SSO>
+
+			<!-- SAML and local-only logout. -->
+			<Logout>SAML2 Local</Logout>
+
+			<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+			<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+			<!-- Status reporting service. -->
+			<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+			<!-- Session diagnostic service. -->
+			<Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+			<!-- JSON feed of discovery information. -->
+			<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+		</Sessions>
+
+		<!--
+		Allows overriding of error template information/filenames. You can
+		also add attributes with values that can be plugged into the templates.
+		-->
+		<Errors supportContact="<%= node['shibboleth-sp']['Errors']['supportContact'] %>"
+			helpLocation="/about.html"
+			styleSheet="/shibboleth-sp/main.css"/>
+
+		<!-- Example of remotely supplied batch of signed metadata. -->
+		<!--
+		<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+			  backingFilePath="federation-metadata.xml" reloadInterval="7200">
+			<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+			<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+		</MetadataProvider>
+		-->
+
+		<!-- Example of locally maintained metadata. -->
+		<!--
+		<MetadataProvider type="XML" file="partner-metadata.xml"/>
+		-->
+		<% if node['shibboleth-sp']['MetadataProvider'] -%>
+			<% case node['shibboleth-sp']['MetadataProvider']['type'] -%>
+			<% when "Folder" -%>
+				<MetadataProvider type="Folder" path="<%= node['shibboleth-sp']['MetadataProvider']['path'] %>"/>
+			<% else -%>
+				<% if node['shibboleth-sp']['MetadataProvider']['path'] -%>
+				<MetadataProvider type="XML"
+					path="<%= node['shibboleth-sp']['MetadataProvider']['path'] %>"/>
+				<% else -%>
+				<MetadataProvider type="XML"
+					url="<%= node['shibboleth-sp']['MetadataProvider']['url'] %>"
+					backingFilePath="<%= node['shibboleth-sp']['MetadataProvider']['backingFilePath'] %>"
+					<%- if node['shibboleth-sp']['MetadataProvider']['reloadInterval'] %>
+					reloadInterval="<%= node['shibboleth-sp']['MetadataProvider']['reloadInterval'] %>">
+					<% end -%>
+				</MetadataProvider>
+				<% end -%>
+			<% end -%>
+		<% end -%>
+
+		<!-- Map to extract attributes from SAML assertions. -->
+		<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+
+		<!-- Use a SAML query if no attributes are supplied during SSO. -->
+		<AttributeResolver type="Query" subjectMatch="true"/>
+
+		<!-- Default filtering policy for recognized attributes, lets other data pass. -->
+		<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+		<!-- Simple file-based resolver for using a single keypair. -->
+		<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+		<!--
+		The default settings can be overridden by creating ApplicationOverride elements (see
+		the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+		Resource requests are mapped by web server commands, or the RequestMapper, to an
+		applicationId setting.
+		
+		Example of a second application (for a second vhost) that has a different entityID.
+		Resources on the vhost would map to an applicationId of "admin":
+		-->
+		<!--
+		<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+		-->
+		<% if node['shibboleth-sp']['ApplicationOverrides'] -%>
+		<% node['shibboleth-sp']['ApplicationOverrides'].each do |app| -%>
+			<ApplicationOverride id="<%= app['id'] %>"
+				<% if app['entityID'] -%>
+				entityID="<%= app['entityID'] %>"
+				<% end -%>
+			>
+			<% if app['AttributeExtractor'] -%>
+				<AttributeExtractor type="XML" validate="true" path="<%= app['AttributeExtractor'] %>"/>
+			<% end -%>
+			<% if app['AttributeFilter'] -%>
+				<AttributeFilter type="XML" validate="true" path="<%= app['AttributeFilter'] %>"/>
+			<% end -%>
+			</ApplicationOverride>
+		<% end -%>
+		<% end -%>
+	</ApplicationDefaults>
+
+	<!-- Policies that determine how to process and authenticate runtime messages. -->
+	<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+	<!-- Low-level configuration about protocols and bindings available for use. -->
+	<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>