diff --git a/.rubocop.yml b/.rubocop.yml
index 18dce40..89600fc 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -28,6 +28,10 @@ AllCops:
 Style/HashSyntax:
   EnforcedStyle: hash_rockets
+Style/MixinUsage:
+  Exclude:
+    - 'spec/**/*'
+
 #################### Metrics ###############################
 Metrics/LineLength:
diff --git a/CHANGELOG b/CHANGELOG
index 9d4d719..21bd7a3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+2018-01-20 (1.1.0) Dirk Tepe
+  * Require minimum IdP version 3.3.0 if using scripted attributes
+  * Make IdP 3.3.2 the default version
+  * Address various deprecated config options
+
 2017-10-25 (1.0.2) Duane Drake
   * Split SAML1 and SAML2 nameid generators
diff --git a/manifests/attribute_resolver/attribute.pp b/manifests/attribute_resolver/attribute.pp
index baea312..ca70f87 100644
--- a/manifests/attribute_resolver/attribute.pp
+++ b/manifests/attribute_resolver/attribute.pp
@@ -10,11 +10,16 @@
   $source_attribute_id = undef,
   $transient = false,
   $script = undef,
+  $script_file = undef,
   $dependencies = {},
   $encoders = {},
 ) {
+  if $type == 'Script' {
+    fail("Attribute type 'Script' must be replaced with 'ScriptedAttribute' as of Shibboleth IdP 3.3")
+  }
+
   concat::fragment { "attribute_resolver_attribute_${id}":
     target => 'attribute-resolver.xml',
     order => '20',
diff --git a/manifests/attribute_resolver/dataconnector.pp b/manifests/attribute_resolver/dataconnector.pp
index 98f5091..f2d1b79 100644
--- a/manifests/attribute_resolver/dataconnector.pp
+++ b/manifests/attribute_resolver/dataconnector.pp
@@ -13,10 +13,8 @@
   $ldap_principal_credential = undef,
   $ldap_use_start_tls = undef,
   $ldap_filter_template = undef,
-  $ldap_filter_tls_trust_id = undef,
-  $ldap_filter_tls_trust_cert = undef,
+  $ldap_tls_trust_cert = undef,
   $ldap_return_attributes = undef,
-  $ldap_trust_cert_source = undef,
 ) {
   concat::fragment { "attribute_resolver_dataconnector_${id}":
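Review bot: When `$type == 'ScriptedAttribute'`, neither `$script` nor the new `$script_file` is required, so `_attribute.erb` (later in this diff) falls through to `<Script><![CDATA[ ]]></Script>` with an empty body when both are undef, and `$script_file` silently wins when both are set; the guard added after `) {` only rejects the legacy `'Script'` type. Suggest adding next to it `if $type == 'ScriptedAttribute' and $script == undef and $script_file == undef { fail("ScriptedAttribute ${id} requires either script or script_file") }` and a comment on `$script_file` stating that it takes precedence over `$script`. The CHANGELOG entry says scripted attributes require IdP 3.3.0, but no version check appears in this hunk; if it lives elsewhere a pointer comment would help. The define's body continues outside the hunk.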
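Review bot: Removing `$ldap_trust_cert_source` (together with the `file` resource deployed under `${shibboleth_idp::shib_install_base}` that the second hunk deletes) means the module no longer places the LDAP StartTLS trust certificate on the host, and `$ldap_tls_trust_cert` is now written verbatim into `trustCertificates` without the old `%{idp.home}/` prefix, so callers must supply an absolute path to a file they manage themselves. Removing rather than deprecating the three parameters makes existing manifests fail at catalog compilation, which is the right failure mode, but neither the 1.1.0 CHANGELOG entry nor a parameter comment says so. Suggest a doc comment on the new parameter, e.g. `# Absolute path on the IdP host of the PEM trust file used for LDAP StartTLS; this module does not manage the file.`, plus a matching CHANGELOG bullet.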
@@ -33,14 +31,4 @@
     }
   }
-  if $ldap_trust_cert_source {
-    file { "${shibboleth_idp::shib_install_base}/${ldap_filter_tls_trust_cert}":
-      ensure => file,
-      source => $ldap_trust_cert_source,
-      owner => $shibboleth_idp::shib_user,
-      group => $shibboleth_idp::shib_group,
-      mode => '0644',
-      notify => Class['shibboleth_idp::service'],
-    }
-  }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index e5ab09b..c5050ce 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -5,7 +5,7 @@ class shibboleth_idp::params {
-  $shib_idp_version = '3.2.1'
+  $shib_idp_version = '3.3.2'
   $shib_user = 'jetty'
   $shib_group = 'jetty'
   $manage_user = false
diff --git a/metadata.json b/metadata.json
index 61f4526..2c4c039 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "MiamiOH-shibboleth_idp",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "author": "Dirk Tepe",
   "summary": "Manage Shibboleth IdP",
   "license": "GPL-3.0+",
@@ -10,7 +10,7 @@
   "tags": ["shibboleth", "shib", "idp"],
   "dependencies": [
     {"name": "puppetlabs/stdlib", "version_requirement": ">= 4.2.0 < 5.0.0"},
-    {"name": "puppetlabs/concat", "version_requirement": ">= 1.1.1 < 3.0.0"},
+    {"name": "puppetlabs/concat", "version_requirement": ">= 4.1.1 < 5.0.0"},
     {"name": "puppet/archive", "version_requirement": ">= 0.5.0 < 2.0.0"},
     {"name": "camptocamp/openssl", "version_requirement": ">= 1.8.2 < 2.0.0"},
     {"name": "unibet/profiled", "version_requirement": ">= 0.1.4 < 1.0.0"},
diff --git a/templates/shibboleth/attribute_resolver/_attribute.erb b/templates/shibboleth/attribute_resolver/_attribute.erb
index dd3786b..2ce44bd 100644
--- a/templates/shibboleth/attribute_resolver/_attribute.erb
+++ b/templates/shibboleth/attribute_resolver/_attribute.erb
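Review bot: The `puppetlabs/concat` requirement moves from `>= 1.1.1 < 3.0.0` to `>= 4.1.1 < 5.0.0`, which excludes every concat release a 1.0.x consumer could currently have installed, yet the 1.1.0 CHANGELOG entry earlier in this diff lists only the IdP version and config changes. Suggest a CHANGELOG bullet such as `* Require puppetlabs/concat >= 4.1.1 < 5.0.0` so the break is visible before upgrade; a dependency jump of this size is arguably a major-version change for the module rather than a minor one.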
@@ -1,13 +1,10 @@
-  <resolver:AttributeDefinition id="<%= @id %>" xsi:type="ad:<%= @type %>"
+  <AttributeDefinition id="<%= @id %>" xsi:type="<%= @type %>"
     <% if @scope %>scope="<%= @scope %>" <% end %><% if @source_attribute_id %>sourceAttributeID="<%= @source_attribute_id %>" <% end %>>
   <%- @dependencies.each do |dependency| -%>
-    <resolver:Dependency ref="<%= dependency %>" />
-  <%- end -%>
-  <%- if @type == 'Script' -%>
-    <resolver:Dependency ref="<%= @id %>_scripted" />
+    <Dependency ref="<%= dependency %>" />
   <%- end -%>
   <%- @encoders.each do |encoder| -%>
-    <resolver:AttributeEncoder xsi:type="enc:<%= encoder['type'] %>"
+    <AttributeEncoder xsi:type="<%= encoder['type'] %>"
     <%- if encoder['name'] -%>
       name="<%= encoder['name'] %>"
     <%- end -%>
@@ -22,24 +19,18 @@
     />
   <%- end -%>
   <%- if @transient -%>
-    <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier"
+    <AttributeEncoder xsi:type="SAML1StringNameIdentifier"
       nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
-    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
+    <AttributeEncoder xsi:type="SAML2StringNameID"
       nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
   <%- end -%>
-  <%- if @type == 'Script' -%>
-    <ad:Script><![CDATA[
+  <%- if @type == 'ScriptedAttribute' -%>
+    <%- if @script_file -%>
+      <ScriptFile><%= @script_file %></ScriptFile>
+    <%- else -%>
+      <Script><![CDATA[
 <%= @script %>
-    ]]></ad:Script>
+    ]]></Script>
+    <%- end -%>
   <%- end -%>
-  </resolver:AttributeDefinition>
-
-  <%- if @type == 'Script' -%>
-    <resolver:DataConnector xsi:type="dc:Static" id="<%= @id %>_scripted"
-      xmlns="urn:mace:shibboleth:2.0:resolver:dc">
-      <Attribute id="<%= @id %>">
-        <Value>dummy</Value>
-      </Attribute>
-    </resolver:DataConnector>
-
-  <%- end -%>
+  </AttributeDefinition>
diff --git a/templates/shibboleth/attribute_resolver/_attribute_resolver_foot.erb b/templates/shibboleth/attribute_resolver/_attribute_resolver_foot.erb
index 20dbadd..d3be94f 100644
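Review bot: `<ScriptFile><%= @script_file %></ScriptFile>` in the second hunk interpolates the path without XML escaping, as do `@id`, `@scope` and `@source_attribute_id` on the rewritten `<AttributeDefinition` line; a value containing `&` or `<` produces an attribute-resolver.xml the IdP cannot parse at startup. These values come from the Puppet manifest rather than from end users, so this is a robustness point rather than an injection one, but `<%= ERB::Util.html_escape(@script_file) %>` costs nothing. The `<Script><![CDATA[` branch is likewise cut short by any `]]>` inside `@script`, a pre-existing limitation worth a one-line comment on the `<%- else -%>` branch.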
--- a/templates/shibboleth/attribute_resolver/_attribute_resolver_foot.erb
+++ b/templates/shibboleth/attribute_resolver/_attribute_resolver_foot.erb
@@ -1,2 +1,2 @@
-</resolver:AttributeResolver>
+</AttributeResolver>
\ No newline at end of file
diff --git a/templates/shibboleth/attribute_resolver/_attribute_resolver_head.erb b/templates/shibboleth/attribute_resolver/_attribute_resolver_head.erb
index fd79ebd..490cf3e 100644
--- a/templates/shibboleth/attribute_resolver/_attribute_resolver_head.erb
+++ b/templates/shibboleth/attribute_resolver/_attribute_resolver_head.erb
@@ -1,26 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
-    This file is an EXAMPLE configuration file containing lots of commented
-    example attributes, encoders, and a couple of example data connectors.
-
-    Not all attribute definitions or data connectors are demonstrated, but
-    a variety of LDAP attributes, some common to Shibboleth deployments and
-    many not, are included.
-
-    Deployers should refer to the Shibboleth 2 documentation for a complete
-    list of components and their options.
--->
-<resolver:AttributeResolver
-    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
-    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
-    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
-    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
-    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
-    xmlns:sec="urn:mace:shibboleth:2.0:security"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
-                        urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
-                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
-                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
-                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
-                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+<AttributeResolver
+    xmlns="urn:mace:shibboleth:2.0:resolver"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
diff --git a/templates/shibboleth/attribute_resolver/_dataconnector.erb b/templates/shibboleth/attribute_resolver/_dataconnector.erb
index 8eb645d..18e75d4 100644
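Review bot: The new root element declares only the default `urn:mace:shibboleth:2.0:resolver` namespace and `xsi`, so the `resolver:`, `ad:`, `dc:`, `enc:`, `sec:` and `pc:` prefixes dropped here are no longer bound anywhere in the generated file; any `concat::fragment` targeting `attribute-resolver.xml` from outside this module that still emits `<resolver:...>`, `<dc:FilterTemplate>` or `enc:` encoders will now yield a document that fails namespace-aware parsing at IdP startup. The templates in this diff were converted, but that is a compatibility break for user-supplied fragments which the CHANGELOG does not mention. If IdP 3.3 still accepts the legacy prefixed syntax (presumably with deprecation warnings — confirm against the release notes), keeping the old `xmlns:*` declarations beside the default namespace would give deployers a migration window; otherwise document the break explicitly.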
--- a/templates/shibboleth/attribute_resolver/_dataconnector.erb
+++ b/templates/shibboleth/attribute_resolver/_dataconnector.erb
@@ -1,19 +1,16 @@
-  <resolver:DataConnector id="<%= @id %>" xsi:type="dc:<%= @type %>"
+  <DataConnector id="<%= @id %>" xsi:type="<%= @type %>"
     ldapURL="%{idp.attribute.resolver.<%= @id %>.ldapURL}"
     baseDN="%{idp.attribute.resolver.<%= @id %>.baseDN}"
     principal="%{idp.attribute.resolver.<%= @id %>.bindDN}"
     principalCredential="%{idp.attribute.resolver.<%= @id %>.bindDNCredential}"
-    useStartTLS="%{idp.attribute.resolver.<%= @id %>.useStartTLS:true}">
-    <dc:FilterTemplate>
+    useStartTLS="%{idp.attribute.resolver.<%= @id %>.useStartTLS:true}"
+    <%- if @ldap_tls_trust_cert -%>trustFile="%{idp.attribute.resolver.<%= @id %>.trustCertificates}"<%- end -%>
+    >
+    <FilterTemplate>
       <![CDATA[
         %{idp.attribute.resolver.<%= @id %>.searchFilter}
       ]]>
-    </dc:FilterTemplate>
-    <%- if @ldap_trust_cert_source -%>
-    <dc:StartTLSTrustCredential id="<%= @id %>toIdPCredential" xsi:type="sec:X509ResourceBacked">
-      <sec:Certificate>%{idp.attribute.resolver.<%= @id %>.trustCertificates}</sec:Certificate>
-    </dc:StartTLSTrustCredential>
-    <%- end -%>
-    <!-- <ReturnAttributes>%{idp.attribute.resolver.<%= @id %>.returnAttributes}</ReturnAttributes> -->
-  </resolver:DataConnector>
+    </FilterTemplate>
+    <ReturnAttributes>%{idp.attribute.resolver.<%= @id %>.returnAttributes}</ReturnAttributes>
+  </DataConnector>
diff --git a/templates/shibboleth/attribute_resolver/_ldap_properties.erb b/templates/shibboleth/attribute_resolver/_ldap_properties.erb
index 76d418f..545cb34 100644
--- a/templates/shibboleth/attribute_resolver/_ldap_properties.erb
+++ b/templates/shibboleth/attribute_resolver/_ldap_properties.erb
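Review bot: `useStartTLS` still defaults to `true` while `trustFile` is only emitted when `@ldap_tls_trust_cert` is set, so a connector with no trust certificate — the default, since the parameter is undef in `dataconnector.pp` — negotiates StartTLS and presumably validates the LDAP server certificate against the JVM default truststore rather than against a deployer-chosen file. That is a reasonable fallback but easy to misread as "no verification", and nothing in the template or the parameter list records it. Suggest a comment above the `<%- if @ldap_tls_trust_cert -%>` line, e.g. `<%# No trustFile: the IdP validates the StartTLS server certificate with the JVM truststore %>`, after confirming the fallback against the IdP LDAP connector documentation.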
@@ -3,7 +3,7 @@
 idp.attribute.resolver.<%= @id %>.baseDN = <%= @ldap_base_dn %>
 idp.attribute.resolver.<%= @id %>.bindDN = <%= @ldap_principal %>
 idp.attribute.resolver.<%= @id %>.bindDNCredential = <%= @ldap_principal_credential %>
 idp.attribute.resolver.<%= @id %>.useStartTLS = <%= @ldap_use_start_tls %>
-idp.attribute.resolver.<%= @id %>.trustCertificates = %{idp.home}/<%= @ldap_filter_tls_trust_cert %>
+idp.attribute.resolver.<%= @id %>.trustCertificates = <%= @ldap_tls_trust_cert %>
 idp.attribute.resolver.<%= @id %>.searchFilter = <%= @ldap_filter_template %>
-idp.attribute.resolver.<%= @id %>.returnAttributes = <%= @ldap_return_attributes.join(',') %>
+idp.attribute.resolver.<%= @id %>.returnAttributes = <%= @ldap_return_attributes.join(' ') %>
diff --git a/templates/shibboleth/conf/c14n/subject-c14n.xml.erb b/templates/shibboleth/conf/c14n/subject-c14n.xml.erb
index 7ab9e3c..22b8d5e 100644
--- a/templates/shibboleth/conf/c14n/subject-c14n.xml.erb
+++ b/templates/shibboleth/conf/c14n/subject-c14n.xml.erb
@@ -89,7 +89,7 @@
         Any condition can be used here; the example is suitable for enumerating
         a number of SPs to allow. -->
     <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
-        <constructor-arg>
+        <constructor-arg name="candidates">
             <list>
                 <!-- <value>https://sp.example.org</value> -->
                 <%- @nameid_allowed_entities.each do |entity| -%>
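Review bot: `<%= @ldap_return_attributes.join(' ') %>` is called on a parameter whose default is `undef` in `dataconnector.pp` (earlier in this diff); that reaches the template as `nil` and raises `NoMethodError` at catalog compilation for any connector that does not set it, and since `_dataconnector.erb` now emits `<ReturnAttributes>` unconditionally instead of leaving it commented out, the property is no longer dead. Suggest `<%= Array(@ldap_return_attributes).join(' ') %>` here, or a `fail` in the manifest when the list is missing, whichever matches the intent. The switch to a space separator appears to match the IdP's whitespace-delimited `ReturnAttributes` syntax, and `trustCertificates` writing an empty value when the certificate is unset is harmless because `trustFile` is only referenced in that case.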