shibboleths_lil_helper 1.0.0

data/lib/slh/cli/describe_config.rb

@@ -0,0 +1,75 @@
+class Slh::Cli::DescribeConfig < Slh::Cli::CommandBase
+  def default_options
+   { :mode => :all, :filter => :none}
+  end
+  def option_parser
+    @valid_modes = %w(all hosts)
+    return OptionParser.new do |opts|
+      opts.on('-m','--mode MODE', "Can be #{@valid_modes.join(',')}, extracts specified info from shibboleths_lil_helper/config.rb") do |value|
+        unless @valid_modes.include?(value)
+          raise "invalid mode option passed, #{value}"
+        end
+        @options[:mode] = value.to_sym
+      end
+      opts.on('-f','--filter FILTER', "Output will be filtered by matching hosts if specified") do |value|
+        @options[:filter] = value
+      end
+    end
+  end
+ 
+  def perform_action
+    @output = [] 
+    case @options[:mode]
+    when :all
+      Slh.strategies.each do |strategy|
+        @output << strategy.name
+        strategy.hosts.each do |host|
+          next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+          @output << "  #{host.name} #{host.host_type}"
+          host.sites.each do |site|
+            @output << "    #{site.name}"
+            site.paths.each do |path|
+              @output << "      #{path.name} #{path.flavor}"
+            end
+          end
+        end
+      end
+    when :hosts
+      warn_on_multiple_strategies = false
+      host_strategy_mappings = {}
+      Slh.strategies.each do |strategy|
+        strategy.hosts.each do |host|
+          next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+          host_strategy_mappings[host.name] ||= []
+          host_strategy_mappings[host.name] << strategy
+        end
+      end
+      host_strategy_mappings.each_pair do |host,strat_array|
+        if strat_array.length > 1
+          warn_on_multiple_strategies = true
+          @output << [host, {:highlight => :red}]
+        else
+          @output << host
+        end
+        strat_array.each_with_index do |strat,index|
+          @output << "    ---#{index+1}---"
+          @output << "    strategy name: #{strat.name}"
+          @output << "    sp_entity_id #{strat.sp_entity_id}"
+          @output << "    idp_metadata_url #{strat.idp_metadata_url}"
+        end
+      end
+      if warn_on_multiple_strategies
+        @output << ["Make sure to check that the highlighted hosts with multiple strategies are configured correctly on your target hosts, only one can function correctly for a given host once deployed", {:highlight => :red}]
+      end
+    else
+      raise "invalid mode #{@options[:mode]}"
+    end
+    @output.each do |line|
+      if line.kind_of?(String) || line.kind_of?(Symbol)
+        Slh::Cli.instance.output line.to_s
+      elsif line.kind_of? Array
+        Slh::Cli.instance.output line[0], line[1]
+      end
+    end
+  end
+end

data/lib/slh/cli/fetch_metadata.rb

@@ -0,0 +1,27 @@
+class Slh::Cli::FetchMetadata < Slh::Cli::HostFilterableBase
+  def perform_action
+    Slh.strategies.each do |strategy|
+      Slh::Cli.instance.output "Fetching metadata for all sites associated with strategy #{strategy.name}"
+      strategy.hosts.each do |host|
+        next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+        host.sites.each do |site|
+          # Slh::Cli.instance.output "Writing fetched metadata for #{site.name} to \n  #{site.fetched_metadata_path}"
+          FileUtils.mkdir_p(site.config_dir)
+          File.open(site.fetched_metadata_path,'w') do |f| 
+            begin
+              f.write(site.metadata)
+            rescue Slh::Models::Site::CouldNotGetMetadata => e
+              Slh::Cli.instance.output "NOT FOUND metadata not found at #{site.metadata_url}", :highlight => :red
+              Slh::Cli.instance.output "  Error message: #{e.message}"
+              next # skip this site
+            rescue Timeout::Error => e
+              Slh::Cli.instance.output "  TIMEOUT at #{site.metadata_url}", :highlight => :red
+              Slh::Cli.instance.output "    Remote metadata not available at #{site.metadata_url}, exception message: #{e.message}"
+              next # skip this site
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/slh/cli/generate.rb

@@ -0,0 +1,20 @@
+class Slh::Cli::Generate < Slh::Cli::HostFilterableBase
+  def perform_action
+    Slh.strategies.each do |strategy|
+      Slh::Cli.instance.output "Generating Native SP config files for strategy #{strategy.name.to_s}"
+      FileUtils.rm_rf(strategy.config_dir)
+      FileUtils.mkdir_p(strategy.config_dir)
+      strategy.hosts.each do |host|
+        next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+        Slh::Cli.instance.output "  Generating host config for #{host.name}"
+        Slh::Models::Strategy::VALID_CONFIG_FILES.each do |cf|
+          next if host.host_type == :iis && cf == 'shib_apache.conf' # not needed
+          FileUtils.mkdir_p(host.config_dir)
+          File.open(strategy.config_file_path(cf,host), 'w') {|f| f.write(strategy.generate_config_file_content(cf,host)) }
+          Slh::Cli.instance.output "    Wrote #{strategy.config_file_path(cf,host)}"
+        end
+      end
+    end
+    Slh::Cli.instance.output "You MUST deploy these files your web servers and restart httpd and shibd for subsequent commands to work", :highlight => true
+  end
+end

data/lib/slh/cli/generate_capistrano_deploy.rb

@@ -0,0 +1,35 @@
+class Slh::Cli::GenerateCapistranoDeploy < Slh::Cli::CommandBase
+  def default_options
+   { }
+  end
+  def perform_action
+    Slh::Cli.instance.output "Generating a config/deploy.rb"
+    self.generate_deploy_dot_rb
+    Slh::Cli.instance.output "Will MUST change the TODO sections in this file and setup the symlinks correctly on your target servers for you to be able to do\ncap deploy HOST=somehost.com", :highlight => true
+  end
+
+
+  def config_dir
+    'config'
+  end
+
+  def generate_deploy_dot_rb
+    file_path = File.join(self.config_dir, 'deploy.rb')
+    if File.exists?(file_path)
+      Slh::Cli.instance.output "#{file_path} already exists, MISSION ABORT.", :exit => true
+    end
+    FileUtils.mkdir_p(self.config_dir)
+    File.open(file_path, 'w') do |f|
+      f.write(self.generate_config_file_content)
+    end
+  end
+
+  def config_template_file_path
+    File.join(File.dirname(__FILE__), '..', 'templates','deploy.rb.erb')
+  end
+
+  def generate_config_file_content
+    ERB.new(File.read(self.config_template_file_path)).result(binding)
+  end
+end
+

data/lib/slh/cli/generate_metadata.rb

@@ -0,0 +1,53 @@
+class Slh::Cli::GenerateMetadata < Slh::Cli::HostFilterableBase
+
+  # def perform_action
+  #   Slh.strategies.each do |strategy|
+  #     strategy.hosts.each do |host|
+  #       next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+  #       host_dir = strategy.config_dir_for_host(host)
+  #       file_path = 'sp_metadata_for_host_to_give_to_idp.xml'
+  #       @strategy = strategy
+  #       @host = host
+  #       # Global config shared across vhosts like the X509Certificate
+  #       # uses the first site arbirarily
+  #       @first_site_for_host = @host.sites.first
+  #       Slh::Cli.instance.output "Generating metadata for #{host.name}"
+  #       the_written_file = "sp_metadata_for_#{host.name.gsub(/[^a-zA-Z0-9\-_\.]/,'_')}.xml"
+  #       the_written_path = File.join(host_dir, the_written_file)
+  #       File.open(the_written_path,'w') do |f|
+  #         f.write(ERB.new(strategy.config_template_content(file_path)).result(binding))
+  #         Slh::Cli.instance.output "Wrote file to #{the_written_path}"
+  #       end
+  #     end
+  #   end
+  # end
+
+  def perform_action
+    template_rel_file_path ='sp_metadata_for_entity_id_to_give_to_idp.xml'
+    Slh.strategies.each do |strategy|
+      Slh::Cli.instance.output "Generating #{template_rel_file_path} for strategy #{strategy.name}, sp_entity_id=#{strategy.sp_entity_id}"
+      if @options[:filter].kind_of?(String)
+        matching_hosts = strategy.hosts.select {|h| h.name.match(@options[:filter])}
+        if matching_hosts.empty?
+          Slh::Cli.instance.output "No hosts matched in this strategy for filter #{@options[:filter]}, aborting for this strategy", :highlight => :red
+          next
+        else
+          Slh::Cli.instance.output "#{matching_hosts.map {|x| x.name}.join(',')} hosts matched in this strategy for filter #{@options[:filter]}", :highlight => :green
+        end
+      else
+        matching_hosts = strategy.hosts
+      end
+
+      # expose vars for ERB template
+      @strategy = strategy 
+      @matching_hosts = matching_hosts
+      # @options is also exposed to utilize the --filter option
+
+      file_path = File.join(strategy.config_dir,"#{strategy.name}_sp_metadata_for_idp.xml")
+      File.open(file_path,'w') do |f|
+        f.write(ERB.new(strategy.config_template_content(template_rel_file_path)).result(binding))
+        Slh::Cli::instance.output "Wrote metadata to\n  #{file_path}"
+      end
+    end
+  end
+end

data/lib/slh/cli/host_filterable_base.rb

@@ -0,0 +1,16 @@
+# An abstract class shared by generators that filter by host
+# Generators that loop over hosts and want to support this form of filtering might consider
+# extending from this class and use this code in their host iterator
+#   next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+class Slh::Cli::HostFilterableBase < Slh::Cli::CommandBase
+  def default_options
+   {:filter => :none}
+  end
+  def option_parser
+    return OptionParser.new do |opts|
+      opts.on('-f','--filter FILTER', "Output will be filtered by matching hosts if specified") do |value|
+        @options[:filter] = value
+      end
+    end
+  end
+end

data/lib/slh/cli/initialize.rb

@@ -0,0 +1,30 @@
+class Slh::Cli::Initialize < Slh::Cli::CommandBase
+  def default_options
+   { :force_create => false }
+  end
+  def option_parser
+    return OptionParser.new do |opts|
+      opts.on('-f','--force', "Destroy existing dir if exists") do
+        @options[:force_create] = true
+      end
+    end
+  end
+  def perform_action
+    Slh::Cli.instance.output "Generating shibboleths_lil_helper/config.rb as a starting point"
+    if self.options[:force_create]
+      if File.directory?(Slh.config_dir)
+        FileUtils.rm_rf(Slh.config_dir)
+      end
+    end
+    begin
+      FileUtils.mkdir(Slh.config_dir)
+    rescue Exception => e
+      Slh::Cli.instance.output "Could not create directory, use --force option #{Slh.config_dir}", :exception => e
+      exit
+    end
+
+    config_string = ERB.new(File.read(File.join(File.dirname(__FILE__),'..','templates','config.rb.erb'))).result(binding)
+    File.open(Slh.config_file,'w') {|f| f.write(config_string)}
+    Slh::Cli.instance.output "You should go edit #{Slh.config_file} to reflect your organizations Shib setup", :highlight => :red
+  end
+end

data/lib/slh/cli/verify_metadata_encryption.rb

@@ -0,0 +1,25 @@
+class Slh::Cli::VerifyMetadataEncryption < Slh::Cli::HostFilterableBase
+  def perform_action
+    Slh.strategies.each do |strategy|
+      broken = false
+      Slh::Cli.instance.output "Iterating hosts for strategy #{strategy.name}"
+      key_originator_site = strategy.key_originator_site
+      strategy.hosts.each do |host|
+        next if @options[:filter].kind_of?(String) && !host.name.match(@options[:filter])
+        Slh::Cli.instance.output "Iterating sites for host #{host.name}"
+        host.sites.each do |site|
+          if key_originator_site.x509_certificate_string == site.x509_certificate_string
+            Slh::Cli.instance.output "  X509Certificate matches for #{site.name} ", :highlight => :green
+          else
+            Slh::Cli.instance.output "  Mismatching X509Certificate for #{site.name}, WILL NOT WORK", :highlight => :red
+            broken = true
+          end
+        end
+      end
+      if broken
+        Slh::Cli.instance.output "To fix issues highlighted above need to copy the sp-key.pem and sp-cert.pem files from host #{key_originator_site.parent_host.name} to the hosts associated with each of the sites listed above", :highlight => true
+      end
+    end
+  end
+end
+

data/lib/slh/models/base.rb

@@ -0,0 +1,23 @@
+class Slh::Models::Base
+  def set(attr_accessor_name, val)
+    self.send("#{attr_accessor_name}=",val)
+  end
+
+  # A wee-bit-o-meta-programming to dynamically create stuff you might want to expose
+  # and interpolate in templates
+  # http://blog.jayfields.com/2008/02/ruby-dynamically-define-method.html
+  # Allows stuff like
+  #   # in config.rb
+  #   set_custom :poo,'the_poo'
+  #   # in a template
+  #   <%= @strategy.poo -%>  ---> will return "the_poo"
+  #
+  def set_custom(attr_accessor_name,val)
+    (class << self; self; end).class_eval do
+      define_method attr_accessor_name do
+        val
+      end
+    end
+    return true
+  end
+end

data/lib/slh/models/host.rb

@@ -0,0 +1,55 @@
+# This model represents the actual hostname/machine the shib SP instance lives on
+class Slh::Models::Host < Slh::Models::Base
+  ##########################
+  # CORE API METHODS BEGIN #
+  ##########################
+  def for_site(site_name, &block)
+    @sites << Slh::Models::Site.new(site_name,self, &block)
+  end
+  ########################
+  # CORE API METHODS END #
+  ########################
+
+  attr_reader :name, :sites, :parent_strategy
+  attr_accessor :host_type, :shib_prefix
+  def initialize(host_name,parent_strategy,&block)
+    @parent_strategy = parent_strategy
+    @name = host_name
+    @host_type = :apache
+    @sites = []
+    if block_given?
+      self.instance_eval(&block)
+    end
+
+    if self.sites.length == 0
+      raise "Misconfiguration on host=#{self.name}: You must define at least one site for a host even if it's the same name as the host"
+    end
+    if self.host_type == :iis
+      if self.sites.detect {|x| x.site_id.nil?}
+        raise "If your :host_type is iis, you must specify :site_id for all of your sites"
+      end
+    end
+  end
+
+
+  # File.join('', 'asdf.txt') returns '/asdf.txt'. We need a way to accomodate
+  # shib_prefix when needed, but avoiding values like '/shibboleth2.xml' when
+  # a prefix isn't set.
+  # For interpolation into templates
+  def prefixed_filepath_for(filename)
+    filepath = filename
+    unless @shib_prefix.nil?
+      filepath = File.join(@shib_prefix, filename)
+    end
+    filepath
+  end
+
+  def config_dir
+    File.join(self.parent_strategy.config_dir,self.name.to_s)
+  end
+
+  # refers to the file within this checkout
+  def shibboleth2_path
+    File.join(self.config_dir,'shibboleth2.xml')
+  end
+end

data/lib/slh/models/site.rb

@@ -0,0 +1,139 @@
+class Slh::Models::Site < Slh::Models::Base
+  ##########################
+  # CORE API METHODS BEGIN #
+  ##########################
+  def protect(site_path, &block)
+    if site_path == '/' && !@paths.empty?
+      raise "If you want to protect the entire site, you must specify \"protect '/'\" before all other site path rules"
+    end
+    @paths << Slh::Models::SitePath.new(site_path, self, &block)
+  end
+  ##########################
+  # CORE API METHODS END   #
+  ##########################
+  class CouldNotGetMetadata < Exception; end
+  attr_reader :name, :paths, :parent_host
+
+  # This indicates the site is where all other sites get their encryption keys from
+  # and where the metadata X509Certificate comes from
+  attr_accessor :is_key_originator
+
+  # site_id is for hosts who's host_type == :iis
+  attr_accessor :site_id 
+  def initialize(site_name,parent_host,&block)
+    @parent_host = parent_host
+    @name = site_name
+    @paths = []
+    self.is_key_originator = false
+    if block_given?
+      self.instance_eval(&block)
+    end
+  end
+
+  def metadata
+    if @metadata.blank?
+      url = URI.parse(self.metadata_url)
+      http = Net::HTTP.new(url.host, url.port)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      http.open_timeout = 5
+      http.read_timeout = 5
+      begin
+        the_metadata_for_site = http.get(url.path)
+      rescue
+        raise CouldNotGetMetadata.new("Could not https GET #{self.metadata_url}, have you deployed your generated shib config files to this machine and restarted shibd?")
+      end
+      case the_metadata_for_site
+      when Net::HTTPSuccess
+        @metadata = the_metadata_for_site.body
+      else
+        raise CouldNotGetMetadata.new("Got a non-200 http status code (actual=#{the_metadata_for_site.code}) from #{self.metadata_url}")
+      end
+    end
+    @metadata
+  end
+
+  def metadata_nokogiri
+    if @metadata_nokogiri.blank?
+      @metadata_nokogiri = Nokogiri::XML(self.metadata)
+    end
+    @metadata_nokogiri
+  end
+
+  def metadata_url
+    "#{self.to_https_prefixed_name}/Shibboleth.sso/Metadata"
+  end
+
+  # Gets interpolated into the sp_metadata_for_host_to_give_to_idp.xml
+  # file
+  def x509_certificate_string
+    t=self.metadata_nokogiri.clone
+    t.remove_namespaces!
+    the_xpath = "//KeyDescriptor/KeyInfo/X509Data/X509Certificate"
+    node = t.xpath(the_xpath)
+    if node.blank?
+      raise "Could not extract X509Certificate from #{site.name}"
+    else
+      node.inner_text
+    end
+  end
+
+
+  
+  # See these for specs
+  # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo
+  # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapPath
+  # https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapPathRegex
+  def to_auth_request_map_directive
+    common_host_begin = "<Host name=\"#{self.name}\" redirectToSSL=\"443\" applicationId=\"#{self.name}\" "
+    host_end = '</Host>'
+    path_strings = []
+    if self.paths.first.name == '/'
+      host_begin = common_host_begin + " #{self.auth_request_map_xml_payload_for_flavor(self.paths.first.flavor)}>"
+    else
+      host_begin =  common_host_begin + ">" # just close the tag, we all good
+    end
+    self.paths.each do |p|
+      next if p.name == '/' # Already dealt with/baked into the <Host> Xml
+      if p.flavor == :authentication_required_for_specific_users
+        path_strings << <<-EOS
+          <!-- Shibboleths Lil Helper flavor=#{p.flavor} -->
+          <Path name="#{p.name}" #{self.auth_request_map_xml_payload_for_flavor(p.flavor)}>
+            <AccessControl>
+              <Rule require="user">#{p.specific_users.join(' ')}</Rule>
+            </AccessControl>
+          </Path>
+        EOS
+      else
+        path_strings << "<Path name=\"#{p.name}\" #{self.auth_request_map_xml_payload_for_flavor(p.flavor)} />"
+      end
+    end
+    return "#{host_begin}\n#{path_strings.join("\n")}\n#{host_end}"
+  end
+
+  def to_https_prefixed_name
+    "https://#{self.name}"
+  end
+
+  def config_dir
+    File.join(self.parent_host.config_dir,self.name.to_s)
+  end
+
+  def fetched_metadata_path
+    File.join(self.config_dir,'fetched_metadata.xml')
+  end
+
+  protected
+    # Internal helper, used in <RequestMapper> 
+    # returned strings are interpoleted into <Host> or <Path>
+    #
+    def auth_request_map_xml_payload_for_flavor(flavor)
+      if flavor == :authentication_optional
+        'authType="shibboleth" requireSession="false"'
+      elsif [:authentication_required,:authentication_required_for_specific_users].include?(flavor)
+        'authType="shibboleth" requireSession="true"'
+      else 
+        raise "No auth_request_map_xml_payload_for_flavor flavor=#{flavor}"
+      end
+    end
+end