Stepup configuration in manage (#629)

See OpenConext/OpenConext-manage#627

Author: oharsta

roles/manage/defaults/main.yml

@@ -32,6 +32,8 @@ manage_tabs_enabled:
   - provisioning
   - sram
   - organisation
+  - sfo
+  - institution
 manage_docker_networks:
   - name: loadbalancer
 manage_server_restart_policy: always

roles/manage/files/metadata_templates/institution.template.json

@@ -0,0 +1,19 @@
+{
+  "entityid": "",
+  "metaDataFields": {},
+  "identifier": "",
+  "use_ra_locations": true,
+  "show_raa_contact_information": true,
+  "verify_email": true,
+  "allowed_second_factors": [
+    "tiqr"
+  ],
+  "number_of_tokens_per_identity": 3,
+  "use_ra": [],
+  "use_raa": [],
+  "select_raa": [],
+  "self_vet": true,
+  "allow_self_asserted_tokens": false,
+  "sso_on_2fa": false,
+  "stepup-client": "full"
+}

roles/manage/files/metadata_templates/sfo.template.json

@@ -0,0 +1,14 @@
+{
+  "name": "",
+  "entityid": "",
+  "metaDataFields": {},
+  "public_key": "",
+  "acs": [],
+  "loa": "{{ stepup_loa_values_supported[0] }}",
+  "assertion_encryption_enabled": false,
+  "second_factor_only": true,
+  "second_factor_only_nameid_patterns": [],
+  "blacklisted_encryption_algorithms": [],
+  "allow_sso_on_2fa": true,
+  "set_sso_cookie_on_2fa": true
+}

roles/manage/tasks/main.yml

@@ -11,6 +11,15 @@
     - "/opt/openconext/manage/metadata_templates"
     - "/opt/openconext/manage/policies"
 
+- name: Copy Stepup stepup_config.json from inventory
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/manage/stepup_config.json"
+    dest: "/opt/openconext/manage/stepup_config.json"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: restart manageserver
+
 - name: Import the mongo CA file
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/secrets/mongo/mongoca.pem"
@@ -114,6 +123,10 @@
       - source: /opt/openconext/manage/__cacert_entrypoint.sh
         target: /__cacert_entrypoint.sh
         type: bind
+      - source: /opt/openconext/manage/stepup_config.json
+        target: /stepup_config.json
+        type: bind
+
     command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
     etc_hosts:
       host.docker.internal: host-gateway

roles/manage/templates/application.yml.j2

@@ -53,11 +53,20 @@ push:
     user: {{ pdp.username }}
     password: "{{ pdp.password }}"
     enabled: {{ manage.pdp_push_enabled }}
+  stepup:
+    url: https://middleware.{{ base_domain }}
+    user: {{ manage.middleware_user }}
+    configuration_file: "file:///stepup_config.json"
+    password: {{ manage_middleware_password }}
+    enabled:  {{ manage.stepup_push_enabled }}
+
 
 product:
   name: Manage
   organization: {{ instance_name }}
   service_provider_feed_url: {{ manage_service_provider_feed_url }}
+  jira_base_url: https://servicedesk.surf.nl/jira/browse/
+  jira_ticket_prefixes: CXT,SD
   supported_languages: {{ supported_language_codes }}
   show_oidc_rp: {{ manage_show_oidc_rp_tab }}
 

roles/manage/templates/metadata_configuration/institution.schema.json.j2

@@ -0,0 +1,116 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "institution",
+  "order": 11,
+  "type": "object",
+  "properties": {
+    "eid": {
+      "type": "number"
+    },
+    "name": {
+      "type": "string",
+      "minLength": 1
+    },
+    "entityid": {
+      "type": "string",
+      "minLength": 1
+    },
+    "identifier": {
+      "type": "string",
+      "info": "The unique identifier of the institution."
+    },
+    "use_ra_locations": {
+      "type": "boolean"
+    },
+    "show_raa_contact_information": {
+      "type": "boolean"
+    },
+    "verify_email": {
+      "type": "boolean"
+    },
+    "allowed_second_factors": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "enum": [
+          "yubikey",
+          "tiqr",
+          "webauthn",
+          "sms"
+        ]
+      }
+    },
+    "number_of_tokens_per_identity": {
+      "type": "number"
+    },
+    "use_ra": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "use_raa": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "select_raa": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "self_vet": {
+      "type": "boolean"
+    },
+    "allow_self_asserted_tokens": {
+      "type": "boolean"
+    },
+    "sso_on_2fa": {
+      "type": "boolean"
+    },
+    "stepup-client": {
+      "type": "string",
+      "enum": [
+        "freerider",
+        "full"
+      ],
+      "default": "freerider"
+    },
+
+    "revisionid": {
+      "type": "number"
+    },
+    "created": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "revisionnote": {
+      "type": "string"
+    },
+    "notes": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "metaDataFields": {
+      "type": "object",
+      "properties": {},
+      "patternProperties": {},
+      "required": [],
+      "additionalProperties": false
+    }
+  },
+  "required": [
+    "name",
+    "entityid",
+    "identifier",
+    "stepup-client"
+  ],
+  "additionalProperties": false,
+  "indexes": []
+}

roles/manage/templates/metadata_configuration/sfo.schema.json.j2

@@ -0,0 +1,99 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "sfo",
+  "order": 10,
+  "type": "object",
+  "properties": {
+    "eid": {
+      "type": "number"
+    },
+    "name": {
+      "type": "string",
+      "minLength": 1
+    },
+    "entityid": {
+      "type": "string",
+      "minLength": 1
+    },
+    "public_key": {
+      "type": "string",
+      "format": "certificate",
+      "info": "The supplied public certificate of the institution. This must be a PEM encoded certificate. DER, CRT or CER are not supported."
+    },
+    "acs": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "format": "url"
+      },
+      "info": "The ACS locations of this institution."
+    },
+    "loa": {
+      "type": "string",
+      "enum": [
+            {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported %}
+            "{{ loa }}"{{ "," if not loop.last else ""}}
+            {% endfor %}
+          ],
+      "default": "{{ stepup_loa_values_supported[0] }}",
+    },
+    "assertion_encryption_enabled": {
+      "type": "boolean"
+    },
+    "second_factor_only": {
+      "type": "boolean"
+    },
+    "second_factor_only_nameid_patterns": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "blacklisted_encryption_algorithms": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "allow_sso_on_2fa": {
+        "type": "boolean"
+    },
+    "set_sso_cookie_on_2fa": {
+        "type": "boolean"
+    },
+    "revisionid": {
+      "type": "number"
+    },
+    "created": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "revisionnote": {
+      "type": "string"
+    },
+    "notes": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "metaDataFields": {
+      "type": "object",
+      "properties": {},
+      "patternProperties": {},
+      "required": [],
+      "additionalProperties": false
+    }
+  },
+  "required": [
+    "name",
+    "entityid",
+    "public_key",
+    "acs",
+    "loa"
+  ],
+  "additionalProperties": false,
+  "indexes": []
+}