From 167100d301ae0943cd3b8040dc5186d6dc5766e2 Mon Sep 17 00:00:00 2001
From: Marko Korhonen
Date: Wed, 17 Apr 2024 16:24:51 +0300
Subject: [PATCH] Update saml-idp image using simplesamlphp 2.1.x and PHP 8.3
---
misc/docker-bake.hcl | 4 +-
misc/saml-idp/Dockerfile | 20 ++++---
.../files/app/simplesamlphp/config/config.php | 45 ++++++++++++++-
.../etc/nginx/{http.d => conf.d}/default.conf | 0
misc/saml-idp/files/etc/nginx/fastcgi.conf | 55 +++++++++++++++++++
misc/saml-idp/files/etc/nginx/nginx.conf | 2 +-
6 files changed, 112 insertions(+), 14 deletions(-)
rename misc/saml-idp/files/etc/nginx/{http.d => conf.d}/default.conf (100%)
create mode 100644 misc/saml-idp/files/etc/nginx/fastcgi.conf
diff --git a/misc/docker-bake.hcl b/misc/docker-bake.hcl
index 5edcabf..78c4c77 100644
--- a/misc/docker-bake.hcl
+++ b/misc/docker-bake.hcl
@@ -1,6 +1,6 @@
 variable ALPINE_VERSION {}
 variable SIMPLESAMLPHP_VERSION {
- default = "2.1.1"
+ default = "2.1.5"
 }
 
 group "default" {
@@ -30,8 +30,8 @@ target "curl" {
 target "saml-idp" {
 inherits = ["common"]
 context = "./misc/saml-idp"
+ target = "final"
 args = {
- ALPINE_VERSION = "${ALPINE_VERSION}"
 SIMPLESAMLPHP_VERSION = "${SIMPLESAMLPHP_VERSION}"
 }
 tags = ["druidfi/saml-idp:${SIMPLESAMLPHP_VERSION}"]
diff --git a/misc/saml-idp/Dockerfile b/misc/saml-idp/Dockerfile
index 77d1247..9ece76e 100644
--- a/misc/saml-idp/Dockerfile
+++ b/misc/saml-idp/Dockerfile
@@ -1,8 +1,8 @@
-ARG ALPINE_VERSION
-
-FROM alpine:${ALPINE_VERSION} as simplesamlphp
+FROM alpine as simplesamlphp
 
 ARG SIMPLESAMLPHP_VERSION
+#ARG SIMPLESAMLPHP_URL=https://github.com/simplesamlphp/simplesamlphp/releases/download/v${SIMPLESAMLPHP_VERSION}/simplesamlphp-${SIMPLESAMLPHP_VERSION}.tar.gz
+# After 2.1.0
 ARG SIMPLESAMLPHP_URL=https://github.com/simplesamlphp/simplesamlphp/releases/download/v${SIMPLESAMLPHP_VERSION}/simplesamlphp-${SIMPLESAMLPHP_VERSION}.tar.gz
 
 RUN apk --update --no-cache add curl
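Review bot: `FROM alpine as simplesamlphp` pulls the untagged, floating image where the removed lines pinned `alpine:${ALPINE_VERSION}`, so the stage that runs `apk` and `curl` to fetch the SimpleSAMLphp tarball is no longer reproducible and changes silently whenever the registry's default tag moves. The docker-bake.hcl hunk on this same line drops the `ALPINE_VERSION` build arg yet still declares `variable ALPINE_VERSION {}`, so the pin can be kept by restoring the arg, or at minimum by using a major tag such as `FROM alpine:3 as simplesamlphp`. Separately, the new `#ARG SIMPLESAMLPHP_URL=...` line is byte-for-byte identical to the live `ARG SIMPLESAMLPHP_URL` two lines below it, so the `# After 2.1.0` comment documents nothing. Either delete the dead line or make the comment say what actually differs for releases after 2.1.0 (presumably the asset path, which this hunk does not show).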
@@ -11,20 +11,22 @@ RUN tar xzf /tmp/simplesamlphp.tar.gz -C /tmp
 RUN mv /tmp/simplesamlphp-* /home/simplesamlphp
 RUN rm -rf /home/simplesamlphp/modules/cron /home/simplesamlphp/modules/multiauth
 
-FROM druidfi/php-fpm:8.2 as final
+FROM druidfi/php-fpm:8.3 as final
 
 USER root
 
 RUN apk --update --no-cache add nginx && \
- apk --update --no-cache add php82-tokenizer php82-xmlreader
-
-USER druid
+ apk --update --no-cache add php83-intl php83-tokenizer php83-xmlreader
 
 # Copy SimpleSAMLphp
-COPY --from=simplesamlphp /home/simplesamlphp /app/simplesamlphp
+COPY --from=simplesamlphp --chown=www-data /home/simplesamlphp /app/simplesamlphp
+
+RUN cd /app/simplesamlphp && php bin/translations translations:update:binary
 
 # Copy configuration files and scripts
-COPY files/ /
+COPY --chown=www-data files/ /
+
+USER druid
 
 EXPOSE 8080
 
diff --git a/misc/saml-idp/files/app/simplesamlphp/config/config.php b/misc/saml-idp/files/app/simplesamlphp/config/config.php
index 16c482c..0baea9b 100644
--- a/misc/saml-idp/files/app/simplesamlphp/config/config.php
+++ b/misc/saml-idp/files/app/simplesamlphp/config/config.php
@@ -259,7 +259,7 @@
 /*
 * Set the allowed clock skew between encrypting/decrypting assertions
 *
- * If you have an server that is constantly out of sync, this option
+ * If you have a server that is constantly out of sync, this option
 * allows you to adjust the allowed clock-skew.
 *
 * Allowed range: 180 - 300
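Review bot: `RUN cd /app/simplesamlphp && php bin/translations translations:update:binary` executes while `USER root` is still in effect, because `USER druid` was moved below it, so whatever that command writes under `/app/simplesamlphp` is root-owned and outside the `--chown=www-data` applied by the preceding `COPY`. The hunk also leaves two identities in play: both copied trees are owned by `www-data` while the final `USER druid` is what the container runs as, and nothing here shows that `druid` can read, or where SimpleSAMLphp needs it write, those paths. Consider running the translation step after `USER druid`, or ending the root section with an explicit `chown -R` that matches whichever account php-fpm actually runs as, plus a one-line comment stating that choice so the ownership split is not mistaken for an oversight.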
@@ -267,6 +267,21 @@
 */
 'assertion.allowed_clock_skew' => 180,
 
+ /*
+ * Set custom security headers. The defaults can be found in \SimpleSAML\Configuration::DEFAULT_SECURITY_HEADERS
+ *
+ * NOTE: When a header is already set on the response we will NOT overrule it and leave it untouched.
+ *
+ * Whenever you change any of these headers, make sure to validate your config by running your
+ * hostname through a security-test like https://en.internet.nl
+ 'headers.security' => [
+ 'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; base-uri 'none'",
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ 'X-Content-Type-Options' => 'nosniff',
+ 'Referrer-Policy' => 'origin-when-cross-origin',
+ ],
+ */
+
 /************************
 | ERRORS AND DEBUGGING |
@@ -349,7 +364,7 @@
 * loggingdir above to 'null'.
 */
 'logging.level' => SimpleSAML\Logger::DEBUG,
- 'logging.handler' => 'syslog',
+ 'logging.handler' => 'stderr',
 
 /*
 * Specify the format of the logs. Its use varies depending on the log handler used (for instance, you cannot
@@ -1163,6 +1178,7 @@
 'metadata.sign.privatekey' => null,
 'metadata.sign.privatekey_pass' => null,
 'metadata.sign.certificate' => null,
+ 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
 
 /****************************
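Review bot: `'logging.handler' => 'stderr'` sends the log to the container's stderr while the unchanged line directly above keeps `'logging.level' => SimpleSAML\Logger::DEBUG`, so every collector of container output now receives the IdP's debug log, which at that level may carry request and assertion details (verify against the Logger docs for this version). For a dev/test IdP that is probably intended, but a comment such as `// DEBUG to stderr is deliberate for this dev/test IdP; raise the level if the image is reused` would keep the pairing from being copied into a real deployment. Of the other two hunks on this line, the `headers.security` block is wrapped entirely in `/* ... */` and so changes nothing at runtime, leaving the library defaults in force, which is fine but worth a word in the commit message; `'metadata.sign.algorithm'` set to rsa-sha256 is a sound choice.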
@@ -1225,6 +1241,28 @@
 'store.redis.username' => '',
 'store.redis.password' => '',
 
+ /*
+ * Communicate with Redis over a secure connection instead of plain TCP.
+ *
+ * This setting affects both single host connections as
+ * well as Sentinel mode.
+ */
+ 'store.redis.tls' => false,
+
+ /*
+ * Verify the Redis server certificate.
+ */
+ 'store.redis.insecure' => false,
+
+ /*
+ * Files related to secure communication with Redis.
+ *
+ * Files are searched in the 'certdir' when using relative paths.
+ */
+ 'store.redis.ca_certificate' => null,
+ 'store.redis.certificate' => null,
+ 'store.redis.privatekey' => null,
+
 /*
 * The prefix we should use on our Redis datastore.
 */
@@ -1243,6 +1281,9 @@
 * 'tcp://[yoursentinel2]:[port]',
 * 'tcp://[yoursentinel3]:[port]
 * ],
+ *
+ * Use 'tls' instead of 'tcp' in order to make use of the additional
+ * TLS settings.
 */
 'store.redis.sentinels' => [],
 
diff --git a/misc/saml-idp/files/etc/nginx/http.d/default.conf b/misc/saml-idp/files/etc/nginx/conf.d/default.conf
similarity index 100%
rename from misc/saml-idp/files/etc/nginx/http.d/default.conf
rename to misc/saml-idp/files/etc/nginx/conf.d/default.conf
diff --git a/misc/saml-idp/files/etc/nginx/fastcgi.conf b/misc/saml-idp/files/etc/nginx/fastcgi.conf
new file mode 100644
index 0000000..613077e
--- /dev/null
+++ b/misc/saml-idp/files/etc/nginx/fastcgi.conf
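Review bot: The comment above `'store.redis.insecure' => false` says `Verify the Redis server certificate.`, which reads as the opposite of the key name, so a reader skimming the file will take `false` to mean verification is switched off. If the option works as its name implies (true disables certificate verification; confirm against the SimpleSAMLphp store documentation for this release), the comment should state that directly, e.g. `* Set to true to skip verification of the Redis server certificate (leave false in production).` The sentinels hunk below on this line is comment-only and needs nothing.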
@@ -0,0 +1,55 @@
+set $fastcgi_port "80";
+set $fastcgi_https "off";
+if ($http_x_forwarded_proto = 'https') {
+ set $fastcgi_https "on";
+ set $fastcgi_port "443";
+}
+
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+fastcgi_param HTTPS $fastcgi_https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+
+# Setting to Port 80 and 443 based on if we have an upstream https or not
+fastcgi_param SERVER_PORT $fastcgi_port;
+
+# Setting to $host as $server_name is empty all the time
+fastcgi_param SERVER_NAME $host;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# Mitigate https://httpoxy.org/ vulnerabilities
+fastcgi_param HTTP_PROXY "";
+
+# Mitigate CVE-2018-14773: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
+fastcgi_param HTTP_X-ORIGINAL-URL "";
+fastcgi_param HTTP_X_ORIGINAL_URL "";
+fastcgi_param HTTP_X-REWRITE-URL "";
+fastcgi_param HTTP_X_REWRITE_URL "";
+
+fastcgi_keep_conn on;
+fastcgi_index index.php;
+fastcgi_hide_header 'X-Generator';
+
+fastcgi_buffers 256 32k;
+fastcgi_buffer_size 32k;
+fastcgi_read_timeout 3600s;
+fastcgi_temp_path /tmp/fastcgi_temp;
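Review bot: The `if ($http_x_forwarded_proto = 'https')` block at the top sets `HTTPS` and `SERVER_PORT` from a request header with no check that the header came from a trusted proxy, so any client that can reach the listener directly (the Dockerfile exposes 8080) decides the scheme and port PHP sees, and for an IdP those feed the URLs it generates for its own endpoints and redirects. Only honour the header for known upstreams, for example by gating the `if` on `$remote_addr` matching the proxy network or by having the proxy layer always overwrite it, and record that assumption in a comment next to the block. The two `fastcgi_param HTTPS` lines also overlap: `$fastcgi_https` is always `"off"` or `"on"` and never empty, so its `if_not_empty` never applies and PHP receives two `HTTPS` values whenever `$https` is set, leaving the effective value to duplicate-parameter handling; dropping the `$https` line, or folding `$https = on` into the `if`, makes it deterministic. `fastcgi_read_timeout 3600s` keeps a worker connection open for an hour against a stalled backend, which is generous for an IdP, so a comment justifying it or a lower value would help.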
diff --git a/misc/saml-idp/files/etc/nginx/nginx.conf b/misc/saml-idp/files/etc/nginx/nginx.conf
index 1c5a5ac..bde8fb3 100644
--- a/misc/saml-idp/files/etc/nginx/nginx.conf
+++ b/misc/saml-idp/files/etc/nginx/nginx.conf
@@ -77,5 +77,5 @@ http {
 text/x-component
 text/x-cross-domain-policy;
 
- include /etc/nginx/http.d/*.conf;
+ include /etc/nginx/conf.d/*.conf;
 }