diff --git a/group_vars/all.yml b/group_vars/all.yml
index d46919794..1d8bd6f84 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -34,6 +34,7 @@ httpd_csp:
 lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
 lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
 lenient_with_static_img_with_oidcng: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
+ lenient_with_static_img_with_surfconext: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} https://*.surfconext.nl http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
 strict: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; manifest-src 'self'"
 strict_with_static_img: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; manifest-src 'self'"
 lenient_with_static_img_for_idp: "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"
diff --git a/roles/manage/files/policies/allowed_attributes.json b/roles/manage/files/policies/allowed_attributes.json
index 656312d1e..beb5c8363 100644
--- a/roles/manage/files/policies/allowed_attributes.json
+++ b/roles/manage/files/policies/allowed_attributes.json
@@ -1,38 +1,56 @@
 [
 {
 "value": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
+ "validationRegex": "^[a-z]+(\\.[a-z]+)+$",
+ "allowedInDenyRule": true,
 "label": "Schac home organization"
 },
 {
 "value": "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
+ "validationRegex": "^[a-z]+$",
+ "allowedInDenyRule": true,
 "label": "Schac home organization type"
 },
 {
 "value": "urn:mace:dir:attribute-def:eduPersonAffiliation",
+ "validationRegex": "^(student|staff|faculty|employee|member)$",
+ "allowedInDenyRule": true,
 "label": "Edu person affiliation"
 },
 {
 "value": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+ "validationRegex": "^(student|staff|faculty|employee|member)@[a-z]+(\\.[a-z]+)+$",
+ "allowedInDenyRule": true,
 "label": "Edu person scoped affiliation"
 },
 {
 "value": "urn:mace:dir:attribute-def:eduPersonEntitlement",
+ "validationRegex": "^[a-z]+$",
+ "allowedInDenyRule": true,
 "label": "Edu person entitlement"
 },
 {
 "value": "urn:mace:dir:attribute-def:isMemberOf",
+ "validationRegex": "^.*$",
+ "allowedInDenyRule": true,
 "label": "Is-member-of"
 },
 {
 "value": "urn:collab:group:surfteams.nl",
+ "validationRegex": "^(urn:mace:surf\\.nl:invite:|urn:collab:group:)[a-z0-9_]+$",
+ "allowedInDenyRule": false,
 "label": "SURFconext Invite (voot) role urn"
 },
 {
 "value": "urn:collab:sab:surfnet.nl",
+ "validationRegex": "^(Superuser|Instellingsbevoegde|OperationeelBeheerder|SURFconextbeheerder|DNS-Beheerder)$",
+ "allowedInDenyRule": false,
 "label": "SAB role"
 },
 {
 "value": "urn:mace:dir:attribute-def:mail",
+ "validationRegex": "^[^@]+@[^@]+\\.[^@]+$",
+ "allowedInDenyRule": true,
 "label": "Mail address"
 }
 ]
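Review bot: The new `lenient_with_static_img_with_surfconext` value is a copy of `lenient_with_static_img_with_oidcng` with `https://*.surfconext.nl` added to `img-src`, and since `roles/manage/tasks/main.yml` moves Manage from `lenient_with_static_img` to it, Manage's effective change is not only the image origin but also the newly allowed `connect-src 'self' https://{{ oidcng_vhost }}`; that widening deserves a sentence in the commit message or a comment on the key. Every other external origin in this map is templated (`static_vhost`, `oidcng_vhost`, `base_domain`) while `*.surfconext.nl` is hardcoded, so an installation under another domain would carry a foreign origin in its policy; a variable next to `static_vhost` would keep the map environment-neutral. A comment above the key such as `# Manage GUI: _with_oidcng plus images served from *.surfconext.nl` would record why the entry exists.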
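Review bot: The pattern `^[a-z]+(\\.[a-z]+)+$` on `schacHomeOrganization`, and the same domain part in `eduPersonScopedAffiliation`, rejects any hostname containing a digit or hyphen, so an operator could not enter a rule for an organisation such as `uni-example.nl` (constructed); `^[a-z0-9-]+(\\.[a-z0-9-]+)+$` would accept ordinary DNS labels while still excluding whitespace and metacharacters. `^[a-z]+$` on `eduPersonEntitlement` likewise excludes colons and dots, which the URN-style values this attribute usually carries contain, so it reads like a placeholder rather than a validation rule — confirm against the values the policies actually use. `^.*$` on `isMemberOf` matches everything and therefore validates nothing; if no constraint is intended, leaving the key out (or documenting the no-op in the consuming code) is clearer than a regex that looks like a check. These patterns gate operator input into policy rules, so an over-strict pattern produces unusable policies while an over-lax one only loses a guard.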
diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml
index 35c20b29a..4b2d6d6de 100644
--- a/roles/manage/tasks/main.yml
+++ b/roles/manage/tasks/main.yml
@@ -158,7 +158,7 @@
 start_period: 10s
 hostname: managegui
 env:
- HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
+ HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_with_surfconext }}"
 HTTPD_SERVERNAME: "manage.{{ base_domain }}"
 OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
 OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
diff --git a/roles/manage/templates/application.yml.j2 b/roles/manage/templates/application.yml.j2
index 8cb960366..9b1bb7354 100644
--- a/roles/manage/templates/application.yml.j2
+++ b/roles/manage/templates/application.yml.j2
@@ -64,6 +64,7 @@ product:
 metadata_configuration_path: file://{{ manage_dir }}/metadata_configuration
 metadata_templates_path: file://{{ manage_dir }}/metadata_templates
 metadata_export_path: classpath:/metadata_export
+disabled_metadata_schemas:
 security:
 backdoor_user_name: {{ manage.backdoor_api_user }}
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 03fe23e5b..827065468 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -37,11 +37,13 @@ springdoc:
 enabled: true
 email:
- from_deprovisioning: "{{ myconext.email.from_deprovisioning }}"
- from_code: "{{ myconext.email.from_code }}"
- from_app_nudge: "{{ myconext.email.from_deprovisioning }}"
- from_new_device: "{{ myconext.email.from_deprovisioning }}"
+ from_deprovisioning:
+ from: eduID
+ from_code: eduID
+ from_app_nudge:
+ from_new_device:
 error: {{ error_mail_to }}
+ error_mail: {{ error_mail_to }}
 magic-link-url: https://login.{{ myconext_base_domain }}/saml/guest-idp/magic
 my-surfconext-url: https://mijn.{{ myconext_base_domain }}
 idp-surfconext-url: https://login.{{ myconext_base_domain }}
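Review bot: `disabled_metadata_schemas:` is added with no value, which YAML reads as `null` rather than an empty list; if Manage binds this key to a list, `disabled_metadata_schemas: []` states the intent explicitly and avoids a null where the code may expect a collection — confirm against the property type. Since this is a role template, driving it from a group_vars variable would let an environment actually disable a schema without editing the role; as written the key can never hold anything. A one-line comment naming what values the key accepts would help the next maintainer.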
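Review bot: `from_deprovisioning:`, `from_app_nudge:` and `from_new_device:` are left with empty values, which render as `null`, where the removed lines carried addresses from `myconext.email.*`; if the application now falls back to `from` for an empty sender, a comment saying so (`# empty: falls back to email.from`) would make that visible, and if it does not, null senders will reach the mailer. The sender is now hardcoded as `eduID` instead of coming from `myconext.email.from_code` / `from_deprovisioning`, so per-environment overrides in group_vars stop applying — confirm that is intended. `error:` and the new `error_mail:` both render `{{ error_mail_to }}` unquoted; if one is kept only for compatibility with an older application version, say so in a comment, and quoting both (`error_mail: "{{ error_mail_to }}"`) protects against addresses with characters YAML treats specially.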
diff --git a/roles/openaccess/templates/serverapplication.yml.j2 b/roles/openaccess/templates/serverapplication.yml.j2
index 94d4a72f3..944e4ff46 100644
--- a/roles/openaccess/templates/serverapplication.yml.j2
+++ b/roles/openaccess/templates/serverapplication.yml.j2
@@ -94,6 +94,31 @@ config:
 invite: "https://invite.{{ base_domain }}"
 sram: "https://{{ env }}.sram.surf.nl/"
 serviceDesk: "https://servicedesk.surf.nl/jira/plugins/servlet/desk/user/requests?reporter=all"
+ # For other environments, move to group_vars
+ identity_providers:
+ - name: "SXS IdP"
+ entityid: "http://mock-idp"
+ descriptionEN: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je hier"
+ descriptionNL: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je hier"
+ - name: "SXS Dummy"
+ entityid: "https://idp.diy.surfconext.nl"
+ descriptionEN: "Een test-IdP met fictieve gebruikersaccounts. De metadata vind je hier"
+ descriptionNL: "Een test-IdP met fictieve gebruikersaccounts. De metadata vind je hier"
+ idp_proxy_meta_data: https://metadata.test2.surfconext.nl/idp-metadata.xml
+ minimal_stepup_acr_level: "http://{{ base_domain }}/assurance/loa2"
+ features:
+ - name: idp
+ enabled: true
+ - name: invite
+ enabled: true
+ - name: sram
+ enabled: true
+ - name: mfa
+ enabled: true
+ acr_values:
+ {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported %}
+ - "{{ loa }}"
+ {% endfor %}
 eduid-idp-entity-id: "https://login.{{ myconext_base_domain }}"
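Review bot: `identity_providers` and `idp_proxy_meta_data: https://metadata.test2.surfconext.nl/idp-metadata.xml` bake one test environment's IdPs (`http://mock-idp`, `https://idp.diy.surfconext.nl`) and its metadata feed into a role template that every inventory renders, and the comment on the first added line already concedes this; any other environment deploying this role would advertise test IdPs to users and fetch trust metadata from the test2 feed. Moving both to variables now, rendered the way the other `openconextaccess.*` values in this file are, is safer than deferring it. `descriptionEN` holds the same Dutch text as `descriptionNL` for both entries. The `{% for %}` / `{% endfor %}` lines under `acr_values` leave indented whitespace-only lines in the rendered file unless the template is rendered with block trimming; harmless to YAML, but check the rendered output once. The enclosing `config:` mapping starts before this hunk.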
@@ -134,6 +159,19 @@ manage:
 staticManageDirectory: classpath:/manage
 # staticManageDirectory: file:///usr/local/etc/manage
+invite:
+ enabled: True
+ url: "https://invite.{{ base_domain }}"
+ user: {{ invite.access_user }}
+ password: "{{ invite.access_secret }}"
+
+# Todo relace with openconextaccess user
+statistics:
+ enabled: True
+ url: {{ dashboard.stats_url }}
+ user: {{ dashboard.stats_user }}
+ password: {{ stats_dashboard_api_password }}
+
 s3storage:
 url: {{ openconextaccess.s3_storage.url }}
 key: {{ openconextaccess.s3_storage.key }}
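Review bot: `password: {{ stats_dashboard_api_password }}` in the `statistics` block (and `user: {{ invite.access_user }}`, `url`/`user` under `statistics`) is rendered unquoted, so a secret containing `#`, `: ` or a leading `*`, `&` or `{` either breaks the rendered YAML or silently changes the value; `password: "{{ invite.access_secret }}"` a few lines up is quoted, so quote these the same way: `password: "{{ stats_dashboard_api_password }}"`. `enabled: True` parses as a boolean under YAML 1.1, but `true` is the canonical form and what the `features` list in this same file uses. The `# Todo relace with openconextaccess user` comment has a typo ("replace") and records that the statistics block borrows the dashboard's credentials (`dashboard.stats_user`, `stats_dashboard_api_password`); a dedicated credential would keep the two services' access separable and let the variables live under `openconextaccess.*` with the rest of this template.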