Merge branch 'main' into feature-bookworm

.github/workflows/ci-runner.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout $GITHUB_WORKSPACE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Decrypt secret
       - name: Copy secret

.github/workflows/main.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout $GITHUB_WORKSPACE
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Create date output to seconds
       - name: Get Date
@@ -147,6 +147,7 @@ jobs:
           path: |
             screenshot.png
             page.html
+            console.txt
         if: failure()
 
       - name: Show journal output

.gitignore

@@ -1,6 +1,7 @@
 .ansible/
 .vagrant/
 .mypy_cache/
+.vscode/
 vagrant.log
 provision.retry
 provision_status.json
@@ -23,4 +24,6 @@ ci-runner/lib
 ci-runner/bin
 ci-runner/pyvenv.cfg
 screenshot.png
+page.html
+console.txt
 ignore.main.yml

environments/vm/secrets/all.yml

@@ -16,6 +16,9 @@ ldap_monitor_password: "changethispassword"
 db_admin_user: "admin"
 db_admin_password: "changethispassword"
 
+# password for fetching contacts list
+tools_contacts_password: "tools_contacts_password_vm_secret"
+
 # SBS defaults to override
 sbs_db_password: "changethispassword"
 sbs_migration_password: "changethispassword"
@@ -26,7 +29,9 @@ sbs_client_secret: "changethispassword"
 sbs_sysread_password: "changethispassword"
 sbs_sysadmin_password: "changethispassword"
 sbs_ipaddress_password: "changethispassword"
+sbs_tools_contacts_password: "sbs_tools_contacts_password"
 sbs_redis_password: "changethispassword"
+
 sbs_api_users:
   sysread:
     password: "{{ sbs_sysread_password }}"
@@ -37,6 +42,9 @@ sbs_api_users:
   haproxy_acl:
     password: "{{ sbs_ipaddress_password }}"
     scopes: ["ipaddress"]
+  tools_contacts:
+    password: "{{ sbs_tools_contacts_password }}"
+    scopes: ["read"]
 
 sbs_surf_secure_id:
   environment: test.surfconext.nl

roles/ci-test/files/resume.html

@@ -1,20 +1,5 @@
 <html><body>
 <form id='oidc' action="/" method="post"></form>
-<script type="text/javascript">
-fragment = window.location.hash.substring(1);
-//alert(fragment);
-if (fragment) {
-  params = fragment.split("&")
-  for (let i=0; i < params.length; i++) {
-    var p = params[i].split("=");
-    var input = document.createElement('input');
-    input.type = 'hidden';
-    input.name = p[0];
-    input.value = p[1];
-    document.forms['oidc'].appendChild(input);
-  }
-  document.forms['oidc'].submit();
-}
-</script>
+<script type="text/javascript" src="resume.js"></script>
 </body></html>
 

roles/ci-test/files/resume.js

@@ -0,0 +1,14 @@
+fragment = window.location.hash.substring(1);
+//alert(fragment);
+if (fragment) {
+    params = fragment.split("&")
+    for (let i=0; i < params.length; i++) {
+        var p = params[i].split("=");
+        var input = document.createElement('input');
+        input.type = 'hidden';
+        input.name = p[0];
+        input.value = p[1];
+        document.forms['oidc'].appendChild(input);
+    }
+    document.forms['oidc'].submit();
+}

roles/ci-test/tasks/main.yml

@@ -56,8 +56,8 @@
 - name: Ensure that packages are installed
   apt:
     name:
-      - composer
-    state: present
+      - "composer"
+    state: "present"
 
 - name: Create directories
   file:
@@ -70,23 +70,26 @@
 
 - name: Install JumboJett OIDC PHP module
   community.general.composer:
-    command: require
-    arguments: jumbojett/openid-connect-php
+    command: "require"
+    arguments: "jumbojett/openid-connect-php"
     working_dir: "{{ rp_jumbojett_dir}}"
   notify: "restart php-fpm"
 
-- name: Create RP index.php
+- name: Create RP files
   template:
-    src: index.php.j2
+    src: "index.php.j2"
     dest: "{{ rp_docroot_dir }}/index.php"
-    mode: 0644
+    mode: "0644"
   notify: "restart php-fpm"
 
 - name: Create RP resume.html
   copy:
-    src: resume.html
-    dest: "{{ rp_docroot_dir }}/resume.html"
-    mode: 0644
+    src: "{{ item }}"
+    dest: "{{ rp_docroot_dir }}/{{ item }}"
+    mode: "0644"
+  loop:
+    - "resume.html"
+    - "resume.js"
   notify: "restart php-fpm"
 
 

roles/ci-test/templates/nginx.conf.j2

@@ -4,8 +4,9 @@ server {
 
     ssl_certificate        {{ ssl_certs_dir }}/{{ internal_base_domain }}.crt;
     ssl_certificate_key    {{ ssl_certs_dir }}/{{ internal_base_domain }}.key;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 
-    add_header Strict-Transport-Security "max-age=31536000";
+    include security_headers;
 
     location / {
         root             {{ rp_docroot_dir }};
@@ -30,9 +31,10 @@ server {
 
     ssl_certificate        {{ ssl_certs_dir }}/{{ internal_base_domain }}.crt;
     ssl_certificate_key    {{ ssl_certs_dir }}/{{ internal_base_domain }}.key;
-
     add_header Strict-Transport-Security "max-age=31536000";
 
+    include security_headers;
+
     location ^~ /saml {
         index index.php
         try_files $uri $uri/ /index.php$is_args$args;

roles/demo-sp/files/auth.php

@@ -13,23 +13,29 @@
 $ENVS = array("test","acc","prd");
 $FORMATS = array("table", "json", "raw");
 
-$ATTRIBUTES = array(
-    'subject-id',
-    'eduPersonUniqueId',
-    'voPersonExternalID',
-    'uid',
-    'eduPersonPrincipalName',
+$SUPPORTED = array(
+    'cn',
     'displayName',
     'givenName',
     'sn',
     'mail',
+    'eduPersonUniqueId',
+    'subject-id',
+    'voPersonID',
+    'voPersonExternalID',
+    'uid',
+    'userid',
+    'eduPersonPrincipalName',
     'eduPersonScopedAffiliation',
     'voPersonExternalAffiliation',
     'eduPersonEntitlement',
     'sshPublicKey',
-    'voPersonStatus',
 );
 
+$UNSUPPORTED = array(
+    'eduPersonAssurance',
+    'schacHomeOrganization',
+);
 
 # sanitize user input
 $env = $_SERVER['PATH_INFO'];
@@ -89,7 +95,7 @@
 print('<h1>Known attributes</h1>');
 print('<table class="redTable">');
 print('<thead><tr><th>Attribute</th><th>Value</th></thead>'); print("\n");
-foreach ($ATTRIBUTES as $attr) {
+foreach ($SUPPORTED as $attr) {
     print('<tr>');
     print("<td>{$attr}</td>"); print("\n");
     print('<td>');
@@ -110,28 +116,59 @@
 print('</div>');
 
 
-
-$unknown_attr = array_diff( array_keys($user_attr), $ATTRIBUTES);
-print('<div id="unknown">');
-print('<h1>Unknown attributes</h1>');
+print('<div id="unsupported">');
+print('<h1>Unsupported attributes</h1>');
 print('<table class="redTable">');
 print('<thead><tr><th>Attribute</th><th>Value</th></thead>'); print("\n");
-foreach ($unknown_attr as $attr) {
+foreach ($UNSUPPORTED as $attr) {
     print('<tr>');
     print("<td>{$attr}</td>"); print("\n");
     print('<td>');
-    foreach ($user_attr[$attr] as $val) {
+    if (array_key_exists($attr, $user_attr)) {
         sort($user_attr[$attr]);
-        print('<span class="attr_val">');
-        print($val);
-        print('</span>');
+        foreach ($user_attr[$attr] as $val) {
+            print('<div class="attr_val">');
+            print($val);
+            print('</div>');
+        }
+    } else {
+        print('<span class="not_found">not present</span>');
     }
     print('</td>'); print("\n");
     print('</tr>'); print("\n");
 }
 print('</table>');
 print('</div>');
 
+$known_attr = array_merge(
+    $SUPPORTED,
+    $UNSUPPORTED,
+);
+
+$unknown_attr = array_diff( array_keys($user_attr), $known_attr );
+if ( !empty($unknown_attr) ) {
+    print('<div id="unknown">');
+    print('<h1>Unknown attributes</h1>');
+    print('<table class="redTable">');
+    print('<thead><tr><th>Attribute</th><th>Value</th></thead>'); print("\n");
+    foreach ($unknown_attr as $attr) {
+        print('<tr>');
+        print("<td>{$attr}</td>"); print("\n");
+        print('<td>');
+        foreach ($user_attr[$attr] as $val) {
+            sort($user_attr[$attr]);
+            print('<span class="attr_val">');
+            print($val);
+            print('</span>');
+        }
+        print('</td>'); print("\n");
+        print('</tr>'); print("\n");
+    }
+    print('</table>');
+    print('</div>');
+}
+
+echo("<br>\n");
 $url = $as->getLogoutURL("/");
 printf('<div><a href="%1$s">logout</a></div>', htmlspecialchars($url));
 

roles/demo-sp/templates/nginx.conf.j2

@@ -23,8 +23,9 @@ server {
     ssl_protocols          TLSv1.3;
     ssl_stapling on;
     ssl_stapling_verify on;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 
-    add_header Strict-Transport-Security "max-age=31536000";
+    include security_headers;
 
     location ^~ /saml {
         alias {{simplesaml_project_dir}}/simplesaml/public;

roles/http_redirect/templates/http-redirect.conf.j2

@@ -4,6 +4,8 @@ server {
 
     server_name _;
 
+    add_header X-Content-Type-Options "nosniff";
+
     location / {
         return 403;
     }
@@ -16,6 +18,8 @@ server {
 
     server_name {{ h }};
 
+    add_header X-Content-Type-Options "nosniff";
+
 {% if letsencrypt_challenge_dir is defined %}
     location /.well-known/acme-challenge {
         alias {{letsencrypt_challenge_dir}}/.well-known/acme-challenge;

roles/lb_haproxy/templates/haproxy.cfg.j2

@@ -89,7 +89,7 @@ frontend fe_https
 
     # insert strict Feature-Policy if none was set
     acl has_fp_header res.hdr(Permissions-Policy) -m found
-    http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()" if !has_fp_header
+    http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()" if !has_fp_header
 
     http-request set-header X-Forwarded-For "%[src]"
     http-request set-header X-Forwarded-Host "%[req.hdr(Host)]"

roles/nginx/files/security_headers

@@ -0,0 +1,7 @@
+add_header X-Frame-Options "sameorigin";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; frame-ancestors 'none'; block-all-mixed-content;";
+add_header Permissions-Policy "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()";