Merge Develop (#593)

Merge Develop

---------

Co-authored-by: Ines <Tyskai@users.noreply.github.com>
Co-authored-by: Leroy <3416288+Liemine@users.noreply.github.com>
Co-authored-by: Ricardo van der Heijden <ricardo.vanderheijden@surf.nl>
Co-authored-by: Ricardo van der Heijden <20791917+ricardovdheijden@users.noreply.github.com>
Co-authored-by: Bas Zoetekouw <bas.zoetekouw@surf.nl>

Author: 6 people

group_vars/all.yml

@@ -34,6 +34,7 @@ httpd_csp:
   lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
   lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
   lenient_with_static_img_with_oidcng: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
+  lenient_with_static_img_with_surfconext: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} https://*.surfconext.nl http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
   strict: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; manifest-src 'self'"
   strict_with_static_img: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'; manifest-src 'self'"
   lenient_with_static_img_for_idp: "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self' https://{{ oidcng_vhost }}; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; base-uri 'none'"

roles/manage/files/policies/allowed_attributes.json

@@ -1,38 +1,56 @@
 [
   {
     "value": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
+    "validationRegex": "^[a-z]+(\\.[a-z]+)+$",
+    "allowedInDenyRule": true,
     "label": "Schac home organization"
   },
   {
     "value": "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
+    "validationRegex": "^[a-z]+$",
+    "allowedInDenyRule": true,
     "label": "Schac home organization type"
   },
   {
     "value": "urn:mace:dir:attribute-def:eduPersonAffiliation",
+    "validationRegex": "^(student|staff|faculty|employee|member)$",
+    "allowedInDenyRule": true,
     "label": "Edu person affiliation"
   },
   {
     "value": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+    "validationRegex": "^(student|staff|faculty|employee|member)@[a-z]+(\\.[a-z]+)+$",
+    "allowedInDenyRule": true,
     "label": "Edu person scoped affiliation"
   },
   {
     "value": "urn:mace:dir:attribute-def:eduPersonEntitlement",
+    "validationRegex": "^[a-z]+$",
+    "allowedInDenyRule": true,
     "label": "Edu person entitlement"
   },
   {
     "value": "urn:mace:dir:attribute-def:isMemberOf",
+    "validationRegex": "^.*$",
+    "allowedInDenyRule": true,
     "label": "Is-member-of"
   },
   {
     "value": "urn:collab:group:surfteams.nl",
+    "validationRegex": "^(urn:mace:surf\\.nl:invite:|urn:collab:group:)[a-z0-9_]+$",
+    "allowedInDenyRule": false,
     "label": "SURFconext Invite (voot) role urn"
   },
   {
     "value": "urn:collab:sab:surfnet.nl",
+    "validationRegex": "^(Superuser|Instellingsbevoegde|OperationeelBeheerder|SURFconextbeheerder|DNS-Beheerder)$",
+    "allowedInDenyRule": false,
     "label": "SAB role"
   },
   {
     "value": "urn:mace:dir:attribute-def:mail",
+    "validationRegex": "^[^@]+@[^@]+\\.[^@]+$",
+    "allowedInDenyRule": true,
     "label": "Mail address"
   }
 ]

roles/manage/tasks/main.yml

@@ -158,7 +158,7 @@
       start_period: 10s
     hostname: managegui
     env:
-      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
+      HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_with_surfconext }}"
       HTTPD_SERVERNAME: "manage.{{ base_domain }}"
       OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
       OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"

roles/manage/templates/application.yml.j2

@@ -64,6 +64,7 @@ product:
 metadata_configuration_path: file://{{ manage_dir }}/metadata_configuration
 metadata_templates_path: file://{{ manage_dir }}/metadata_templates
 metadata_export_path: classpath:/metadata_export
+disabled_metadata_schemas:
 
 security:
   backdoor_user_name: {{ manage.backdoor_api_user }}

roles/myconext/templates/application.yml.j2

@@ -37,11 +37,13 @@ springdoc:
     enabled: true
 
 email:
-  from_deprovisioning: "{{ myconext.email.from_deprovisioning }}"
-  from_code: "{{ myconext.email.from_code }}"
-  from_app_nudge: "{{ myconext.email.from_deprovisioning }}"
-  from_new_device: "{{ myconext.email.from_deprovisioning }}"
+  from_deprovisioning: <noreply+deprovisioning@{{ myconext_base_domain }}>
+  from: eduID <noreply@{{ myconext_base_domain }}>
+  from_code: eduID <noreply@{{ myconext_base_domain }}>
+  from_app_nudge: <noreply+appnudge@{{ myconext_base_domain }}>
+  from_new_device: <noreply+newdevice@{{ myconext_base_domain }}>
   error: {{ error_mail_to }}
+  error_mail: {{ error_mail_to }}
   magic-link-url: https://login.{{ myconext_base_domain }}/saml/guest-idp/magic
   my-surfconext-url: https://mijn.{{ myconext_base_domain }}
   idp-surfconext-url: https://login.{{ myconext_base_domain }}

roles/openaccess/templates/serverapplication.yml.j2

@@ -94,6 +94,31 @@ config:
   invite: "https://invite.{{ base_domain }}"
   sram: "https://{{ env }}.sram.surf.nl/"
   serviceDesk: "https://servicedesk.surf.nl/jira/plugins/servlet/desk/user/requests?reporter=all"
+  # For other environments, move to group_vars
+  identity_providers:
+      - name: "SXS IdP"
+        entityid: "http://mock-idp"
+        descriptionEN: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je <a href='https://mujina-idp.test.surfconext.nl/metadata' target='_blank'>hier</a>"
+        descriptionNL: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je <a href='https://mujina-idp.test.surfconext.nl/metadata' target='_blank'>hier</a>"
+      - name: "SXS Dummy"
+        entityid: "https://idp.diy.surfconext.nl"
+        descriptionEN: "Een test-IdP met <a href='https://idp.diy.surfconext.nl/showusers.php' target='_blank'>fictieve gebruikersaccounts</a>. De metadata vind je <a href='https://idp.diy.surfconext.nl/saml2/idp/metadata.php' target='_blank'>hier</a>"
+        descriptionNL: "Een test-IdP met <a href='https://idp.diy.surfconext.nl/showusers.php' target='_blank'>fictieve gebruikersaccounts</a>. De metadata vind je <a href='https://idp.diy.surfconext.nl/saml2/idp/metadata.php' target='_blank'>hier</a>"
+  idp_proxy_meta_data:  https://metadata.test2.surfconext.nl/idp-metadata.xml
+  minimal_stepup_acr_level: "http://{{ base_domain }}/assurance/loa2"
+  features:
+    - name: idp
+      enabled: true
+    - name: invite
+      enabled: true
+    - name: sram
+      enabled: true
+    - name: mfa
+      enabled: true
+  acr_values:
+  {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported %}
+  - "{{ loa }}"
+  {% endfor %}
 
 eduid-idp-entity-id: "https://login.{{ myconext_base_domain }}"
 
@@ -134,6 +159,19 @@ manage:
   staticManageDirectory: classpath:/manage
   #  staticManageDirectory: file:///usr/local/etc/manage
 
+invite:
+  enabled: True
+  url: "https://invite.{{ base_domain }}"
+  user: {{ invite.access_user }}
+  password: "{{ invite.access_secret }}"
+
+# Todo relace with openconextaccess user
+statistics:
+  enabled: True
+  url: {{ dashboard.stats_url }}
+  user: {{ dashboard.stats_user }}
+  password: {{ stats_dashboard_api_password }}
+
 s3storage:
   url: {{ openconextaccess.s3_storage.url }}
   key: {{ openconextaccess.s3_storage.key }}