Merge pull request #111 from edx/jbau/new-shib

Create roles for apache and shibboleth that run the lms and

playbooks/edx-west/ansible.cfg

+../ansible.cfg
\ No newline at end of file

playbooks/edx-west/edxapp_prod.yml

@@ -16,7 +16,6 @@
   roles:
     - common
     - nginx
-    - gunicorn
     - edxapp
     # run this role last
     - in_production

playbooks/edx-west/edxapp_prod_apache.yml

-- hosts: tag_Name_app4_prod
+- hosts: ~tag_Name_app(12|22)_prod
 #- hosts: security_group_edx-prod-EdxappServerSecurityGroup-NSKCQTMZIPQB
   sudo: True
   vars_files:
@@ -6,6 +6,12 @@
     - "{{ secure_dir }}/vars/users.yml"
     - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
     - "{{ secure_dir }}/vars/shib_prod_vars.yml"
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    # this indicates the path to site-specific (with precedence)
+    # things like nginx template files
+    local_dir:  '../../../configuration-secure/ansible/local'
+
   roles:
     - nginx
     - edxapp

playbooks/roles/apache/handlers/main.yml

+---
+- name: restart apache
+  service: name=apache2 state=restarted

playbooks/roles/apache/tasks/apache_site.yml

+# Requires nginx package
+---
+- name: Copying apache config {{ site_name }}
+  template: src={{ item }} dest=/etc/apache2/sites-available/{{ site_name }}
+  first_available_file:
+    - "{{ local_dir }}/apache/templates/{{ site_name }}.j2"
+    # seems like paths in first_available_file must be relative to the playbooks dir
+    - "roles/apache/templates/{{ site_name }}.j2"
+  notify: restart apache
+  when_set: $apache_role_run
+  tags:
+    - apache
+    - update
+
+- name: Creating apache2 config link {{ site_name }}
+  file: src=/etc/apache2/sites-available/{{ site_name }} dest=/etc/apache2/sites-enabled/{{ site_name }} state={{ state }} owner=root group=root
+  notify: restart apache
+  when_set: $apache_role_run
+  tags:
+    - apache
+    - update

playbooks/roles/apache/tasks/main.yml

+#Installs apache and runs the lms wsgi
+---
+
+- name: Installs apache and mod_wsgi from apt
+  apt: pkg={{item}} install_recommends=no state=present update_cache=yes
+  with_items:
+    - apache2
+    - libapache2-mod-wsgi
+  notify: restart apache
+  tags:
+    - apache
+    - install
+    
+- name: disables default site
+  command: a2dissite 000-default
+  notify: restart apache
+  tags:
+    - apache
+    - install
+    
+- name: rewrite apache ports conf
+  template: dest=/etc/apache2/ports.conf src=ports.conf.j2 owner=root group=root
+  notify: restart apache
+  tags:
+    - apache
+    - install
+  
+- name: Register the fact that apache role has run
+  command: echo True
+  register: apache_role_run
+  tags:
+    - apache
+    - install
+
+
+- include: apache_site.yml state=link site_name=lms

playbooks/roles/apache/templates/lms.j2

+WSGIPythonHome {{venv_dir}}
+WSGIRestrictEmbedded On
+
+<VirtualHost *:{{apache_port}}>
+    ServerName https://{{ lms_env_config.SITE_NAME }}
+    ServerAlias *.{{ lms_env_config.SITE_NAME }}
+    UseCanonicalName On
+ 
+    Alias /static/ /opt/wwc/staticfiles/
+    
+    <Directory /opt/wwc/staticfiles>
+        Order deny,allow
+        Allow from all
+    </Directory>
+
+    SetEnv SERVICE_VARIANT lms
+    
+    WSGIScriptAlias / {{platform_code_dir}}/lms/wsgi_apache_lms.py
+
+    <Directory {{platform_code_dir}}/lms>
+    <Files wsgi_apache_lms.py>
+        Order deny,allow
+        Allow from all
+    </Files>
+    </Directory>
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+        Satisfy Any
+        Allow from all
+        AuthType None
+        Require all granted
+        ShibRequestSetting applicationId class
+    </Location>
+    <Location '/shib-login'>
+        ShibRequestSetting applicationId class
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        require valid-user
+    </Location>
+
+    WSGIDaemonProcess lms user=www-data group=adm processes=1 python-path={{platform_code_dir}}:{{venv_dir}}/lib/python2.7/site-packages display-name=%{GROUP}
+    WSGIProcessGroup lms
+    WSGIApplicationGroup %{GLOBAL}
+    
+    ErrorLog ${APACHE_LOG_DIR}/apache-edx-error.log
+
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" apache-edx
+    CustomLog ${APACHE_LOG_DIR}/apache-edx-access.log apache-edx
+
+</VirtualHost>
\ No newline at end of file

playbooks/roles/apache/templates/ports.conf.j2

+NameVirtualHost *:{{apache_port}}
+Listen {{apache_port}}

playbooks/roles/apache/vars/main.yml

+---
+apache_port: 80
\ No newline at end of file

playbooks/roles/nginx/tasks/main.yml

@@ -35,12 +35,6 @@
   - nginx
   - update
 
-- name: Ensuring that nginx is running
-  service: name=nginx state=started
-  tags:
-  - nginx
-  - update
-
 # Note that nginx logs to /var/log until it reads its configuration, so /etc/logrotate.d/nginx is still good
 
 - name: Set up nginx access log rotation

playbooks/roles/shibboleth/handlers/main.yml

+---
+- name: restart shibd
+  service: name=shibd state=restarted

playbooks/roles/shibboleth/tasks/main.yml

+#Install shibboleth
+
+---
+- name: Installs shib and dependencies from apt
+  apt: pkg={{item}} install_recommends=no state=present update_cache=yes
+  with_items:
+    - shibboleth-sp2-schemas
+    - libshibsp-dev
+    - libshibsp-doc
+    - libapache2-mod-shib2
+    - opensaml2-tools
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: Creates /etc/shibboleth/metadata directory
+  file: path=/etc/shibboleth/metadata state=directory mode=2774 group=_shibd owner=_shibd
+  tags:
+    - shib
+    - install
+
+- name: Downloads metadata into metadata directory as backup
+  get_url: url=https://idp.stanford.edu/Stanford-metadata.xml dest=/etc/shibboleth/metadata/idp-metadata.xml mode=0640 group=_shibd owner=_shibd
+  tags:
+    - shib
+    - install
+
+- name: writes out key and pem file
+  template: src=sp.{{item}}.j2 dest=/etc/shibboleth/sp.{{item}}  group=_shibd owner=_shibd mode=0600
+  with_items:
+    - key
+    - pem
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: writes out configuration files
+  template: src={{item}}.j2 dest=/etc/shibboleth/{{item}}  group=_shibd owner=_shibd mode=0644
+  with_items:
+    - attribute-map.xml
+    - shibboleth2.xml
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: enables shib
+  command: a2enmod shib2
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+    

playbooks/roles/shibboleth/templates/attribute-map.xml.j2

+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
+    
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated version: -->
+<!-- Using SAML2 so comment out SAML1 definition.
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+-->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+
+    <!-- Second, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!-- Third, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!--Examples of LDAP-based attributes, uncomment to use these... -->
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid-alt"/>
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:suUnivID" id="suUnivID"/>
+
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+
+</Attributes>

playbooks/roles/shibboleth/templates/shibboleth2.xml.j2

+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+
+
+
+    <!-- READ ME!
+ 
+      This configuration file is based on Shibboleth SP v2.4.3. Stanford
+      runs both a production and development IdP (identity provider)
+      system, each with a pair of load balanced servers. This file is
+      pre-configured against the production IdP. If you ever want to
+      authenticate against dev instead, replace 'idp.stanford.edu' with
+      'idp-dev.stanford.edu' in the two locations below (SSO link and
+      metadata download).
+
+      More information:
+
+      * https://itservices.stanford.edu/service/shibboleth/sp
+      * http://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
+ -->
+
+
+
+
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="{{shib.sp_entity_id}}" REMOTE_USER="eppn persistent-id targeted-id">
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        in that case. Note that while we default checkAddress to "false", this has a negative
+        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="{{shib.idp_entity_id}}">
+              SAML2 SAML1
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed" cacheToDisk="false" />
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="{{shib.support_email}}"
+            logoLocation="/shibboleth-sp/logo.jpg"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+        </MetadataProvider>
+        -->
+        <!-- Automatically download and refresh the IDP's metadata. -->
+        <MetadataProvider type="XML" uri="{{shib.idp_metadata_url}}"
+             backingFilePath="/etc/shibboleth/metadata/idp-metadata.xml"
+             reloadInterval="7200" >
+        </MetadataProvider>
+
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp.key" certificate="sp.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+        <ApplicationOverride id="class" entityID="{{shib.sp_entity_id}}"/>
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
+

playbooks/roles/shibboleth/templates/sp.key.j2

+{{ shib.sp_key }}
\ No newline at end of file

playbooks/roles/shibboleth/templates/sp.pem.j2

+{{ shib.sp_pem }}
\ No newline at end of file

playbooks/roles/shibboleth/vars/main.yml

+shib:
+  sp_entity_id: 'https://myownshibsp.org/shibboleth'
+  #defaultng to use testshib.org
+  idp_entity_id: 'https://idp.testshib.org/idp/shibboleth'
+  idp_metadata_url: 'http://www.testshib.org/metadata/testshib-providers.xml'
+  support_email: 'support@myownshibsp.org'
+  sp_key: |
+    YOU NEED TO GENERATE A REAL KEY HERE USING OPENSSL
+  sp_pem: |
+    THE CORRESPONDING CERTIFICATE PEM GOES HERE