Merge pull request #50 from MiamiOH/Release_1_1_dev

Release 1 1 dev

.rubocop.yml

@@ -28,6 +28,10 @@ AllCops:
 Style/HashSyntax:
   EnforcedStyle: hash_rockets
 
+Style/MixinUsage:
+  Exclude: 
+  - 'spec/**/*'
+
 #################### Metrics ###############################
 
 Metrics/LineLength:

CHANGELOG

@@ -1,3 +1,8 @@
+2018-01-20 (1.1.0)  Dirk Tepe
+        * Require minimum IdP version 3.3.0 if using scripted attributes
+        * Make IdP 3.3.2 the default version
+        * Address various deprecated config options
+
 2017-10-25 (1.0.2)  Duane Drake
         * Split SAML1 and SAML2 nameid generators
 

manifests/attribute_resolver/attribute.pp

@@ -10,11 +10,16 @@
   $source_attribute_id = undef,
   $transient = false,
   $script = undef,
+  $script_file = undef,
 
   $dependencies = {},
   $encoders = {},
 ) {
 
+  if $type == 'Script' {
+    fail("Attribute type 'Script' must be replaced with 'ScriptedAttribute' as of Shibboleth IdP 3.3")
+  }
+
   concat::fragment { "attribute_resolver_attribute_${id}":
     target  => 'attribute-resolver.xml',
     order   => '20',

manifests/attribute_resolver/dataconnector.pp

@@ -13,10 +13,8 @@
   $ldap_principal_credential = undef,
   $ldap_use_start_tls = undef,
   $ldap_filter_template = undef,
-  $ldap_filter_tls_trust_id = undef,
-  $ldap_filter_tls_trust_cert = undef,
+  $ldap_tls_trust_cert = undef,
   $ldap_return_attributes = undef,
-  $ldap_trust_cert_source = undef,
 ) {
 
   concat::fragment { "attribute_resolver_dataconnector_${id}":
@@ -33,14 +31,4 @@
     }
   }
 
-  if $ldap_trust_cert_source {
-    file { "${shibboleth_idp::shib_install_base}/${ldap_filter_tls_trust_cert}":
-      ensure => file,
-      source => $ldap_trust_cert_source,
-      owner  => $shibboleth_idp::shib_user,
-      group  => $shibboleth_idp::shib_group,
-      mode   => '0644',
-      notify => Class['shibboleth_idp::service'],
-    }
-  }
 }

manifests/params.pp

@@ -5,7 +5,7 @@
 
 class shibboleth_idp::params {
 
-  $shib_idp_version        = '3.2.1'
+  $shib_idp_version        = '3.3.2'
   $shib_user               = 'jetty'
   $shib_group              = 'jetty'
   $manage_user             = false

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "MiamiOH-shibboleth_idp",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "author": "Dirk Tepe",
   "summary": "Manage Shibboleth IdP",
   "license": "GPL-3.0+",
@@ -10,7 +10,7 @@
   "tags": ["shibboleth", "shib", "idp"],
   "dependencies": [
     {"name": "puppetlabs/stdlib", "version_requirement": ">= 4.2.0 < 5.0.0"},
-    {"name": "puppetlabs/concat", "version_requirement": ">= 1.1.1 < 3.0.0"},
+    {"name": "puppetlabs/concat", "version_requirement": ">= 4.1.1 < 5.0.0"},
     {"name": "puppet/archive", "version_requirement": ">= 0.5.0 < 2.0.0"},
     {"name": "camptocamp/openssl", "version_requirement": ">= 1.8.2 < 2.0.0"},
     {"name": "unibet/profiled", "version_requirement": ">= 0.1.4 < 1.0.0"},

templates/shibboleth/attribute_resolver/_attribute.erb

@@ -1,13 +1,10 @@
-    <resolver:AttributeDefinition id="<%= @id %>" xsi:type="ad:<%= @type %>" 
+    <AttributeDefinition id="<%= @id %>" xsi:type="<%= @type %>" 
         <% if @scope %>scope="<%= @scope %>" <% end %><% if @source_attribute_id %>sourceAttributeID="<%= @source_attribute_id %>" <% end %>>
         <%- @dependencies.each do |dependency| -%>
-        <resolver:Dependency ref="<%= dependency %>" />
-        <%- end -%>
-        <%- if @type == 'Script' -%>
-        <resolver:Dependency ref="<%= @id %>_scripted" />
+        <Dependency ref="<%= dependency %>" />
         <%- end -%>
         <%- @encoders.each do |encoder| -%>
-        <resolver:AttributeEncoder xsi:type="enc:<%= encoder['type'] %>"
+        <AttributeEncoder xsi:type="<%= encoder['type'] %>"
             <%- if encoder['name'] -%>
             name="<%= encoder['name'] %>"
             <%- end -%>
@@ -22,24 +19,18 @@
             />
         <%- end -%>
         <%- if @transient -%>
-        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
+        <AttributeEncoder xsi:type="SAML1StringNameIdentifier"
             nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
-        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" 
+        <AttributeEncoder xsi:type="SAML2StringNameID" 
             nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
         <%- end -%>
-        <%- if @type == 'Script' -%>
-        <ad:Script><![CDATA[
+        <%- if @type == 'ScriptedAttribute' -%>
+        <%- if @script_file -%>
+        <ScriptFile><%= @script_file %></ScriptFile>
+        <%- else -%>
+        <Script><![CDATA[
         <%= @script %>
-        ]]></ad:Script>
+        ]]></Script>
+        <%- end -%>
         <%- end -%>
-    </resolver:AttributeDefinition>
-
-    <%- if @type == 'Script' -%>
-    <resolver:DataConnector xsi:type="dc:Static" id="<%= @id %>_scripted"
-         xmlns="urn:mace:shibboleth:2.0:resolver:dc">
-        <Attribute id="<%= @id %>">
-            <Value>dummy</Value>
-        </Attribute>
-    </resolver:DataConnector>
-
-    <%- end -%>
+    </AttributeDefinition>

templates/shibboleth/attribute_resolver/_attribute_resolver_foot.erb

@@ -1,2 +1,2 @@
 
-</resolver:AttributeResolver>
+</AttributeResolver>

templates/shibboleth/attribute_resolver/_attribute_resolver_head.erb

@@ -1,26 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- 
-    This file is an EXAMPLE configuration file containing lots of commented
-    example attributes, encoders, and a couple of example data connectors.
-    
-    Not all attribute definitions or data connectors are demonstrated, but
-    a variety of LDAP attributes, some common to Shibboleth deployments and
-    many not, are included.
-    
-    Deployers should refer to the Shibboleth 2 documentation for a complete
-    list of components  and their options.
--->
-<resolver:AttributeResolver
-        xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-        xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-        xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-        xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-        xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-        xmlns:sec="urn:mace:shibboleth:2.0:security"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
-                            urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
-                            urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
-                            urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
-                            urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
-                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver" 
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

templates/shibboleth/attribute_resolver/_dataconnector.erb

@@ -1,19 +1,16 @@
-    <resolver:DataConnector id="<%= @id %>" xsi:type="dc:<%= @type %>"
+    <DataConnector id="<%= @id %>" xsi:type="<%= @type %>"
         ldapURL="%{idp.attribute.resolver.<%= @id %>.ldapURL}"
         baseDN="%{idp.attribute.resolver.<%= @id %>.baseDN}" 
         principal="%{idp.attribute.resolver.<%= @id %>.bindDN}"
         principalCredential="%{idp.attribute.resolver.<%= @id %>.bindDNCredential}"
-        useStartTLS="%{idp.attribute.resolver.<%= @id %>.useStartTLS:true}">
-        <dc:FilterTemplate>
+        useStartTLS="%{idp.attribute.resolver.<%= @id %>.useStartTLS:true}"
+        <%- if @ldap_tls_trust_cert -%>trustFile="%{idp.attribute.resolver.<%= @id %>.trustCertificates}"<%- end -%>
+        >
+        <FilterTemplate>
             <![CDATA[
                 %{idp.attribute.resolver.<%= @id %>.searchFilter}
             ]]>
-        </dc:FilterTemplate>
-        <%- if @ldap_trust_cert_source -%>
-        <dc:StartTLSTrustCredential id="<%= @id %>toIdPCredential" xsi:type="sec:X509ResourceBacked">
-            <sec:Certificate>%{idp.attribute.resolver.<%= @id %>.trustCertificates}</sec:Certificate>
-        </dc:StartTLSTrustCredential>
-        <%- end -%>
-        <!-- <ReturnAttributes>%{idp.attribute.resolver.<%= @id %>.returnAttributes}</ReturnAttributes> -->
-    </resolver:DataConnector>
+        </FilterTemplate>
+        <ReturnAttributes>%{idp.attribute.resolver.<%= @id %>.returnAttributes}</ReturnAttributes>
+    </DataConnector>
 

templates/shibboleth/attribute_resolver/_ldap_properties.erb

@@ -3,7 +3,7 @@ idp.attribute.resolver.<%= @id %>.baseDN              = <%= @ldap_base_dn %>
 idp.attribute.resolver.<%= @id %>.bindDN              = <%= @ldap_principal %>
 idp.attribute.resolver.<%= @id %>.bindDNCredential    = <%= @ldap_principal_credential %>
 idp.attribute.resolver.<%= @id %>.useStartTLS         = <%= @ldap_use_start_tls %>
-idp.attribute.resolver.<%= @id %>.trustCertificates   = %{idp.home}/<%= @ldap_filter_tls_trust_cert %>
+idp.attribute.resolver.<%= @id %>.trustCertificates   = <%= @ldap_tls_trust_cert %>
 idp.attribute.resolver.<%= @id %>.searchFilter        = <%= @ldap_filter_template %>
-idp.attribute.resolver.<%= @id %>.returnAttributes    = <%= @ldap_return_attributes.join(',') %>
+idp.attribute.resolver.<%= @id %>.returnAttributes    = <%= @ldap_return_attributes.join(' ') %>
 

templates/shibboleth/conf/c14n/subject-c14n.xml.erb

@@ -89,7 +89,7 @@
     Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
     -->
     <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
-        <constructor-arg>
+        <constructor-arg name="candidates">
             <list>
                 <!-- <value>https://sp.example.org</value> -->
                 <%- @nameid_allowed_entities.each do |entity| -%>