From 12ba5ead0883b4ee21df52a01658d1d17be6f3fe Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 30 Apr 2021 03:39:00 +0000 Subject: [PATCH 01/29] Set branch to develop for testing the develop branch --- bootstrap-v4.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 7f5a699..1f75733 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -25,7 +25,8 @@ function set_internal_variables { ACTIVITY_LOG=$INSTALL_BASE/shibboleth-idp4-installer/activity.log GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git - GIT_BRANCH=master +# GIT_BRANCH=master + GIT_BRANCH=develop FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From 66d8b9641bc2ea2cf647b36654ad35b399a31e04 Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 30 Apr 2021 04:34:29 +0000 Subject: [PATCH 02/29] Added missing single quote. --- tasks/idp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/idp.yml b/tasks/idp.yml index 1026c0b..ca2eba0 100644 --- a/tasks/idp.yml +++ b/tasks/idp.yml @@ -57,7 +57,7 @@ - name: 'Enable the Consent module' command: '{{ shib_idp.home }}/bin/module.sh -e idp.intercept.Consent' args: - creates: '{{ shib_idp.home }}/views/intercept + creates: '{{ shib_idp.home }}/views/intercept' - include: libs.yml From 5b896c00df71a771ebb702b20833635fe8f27f4d Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 30 Apr 2021 06:19:51 +0000 Subject: [PATCH 03/29] Ensure packages are up to date. --- tasks/.system.yml.swp | Bin 0 -> 12288 bytes tasks/system.yml | 2 ++ 2 files changed, 2 insertions(+) create mode 100644 tasks/.system.yml.swp 
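Review bot: Committing `GIT_BRANCH=develop` means anyone who runs this revision of bootstrap-v4.sh clones and executes whatever `develop` currently points to (typically as root, since it installs under /opt), and a test toggle like this is easy to merge to master by accident; the same flip appears in several later commits of this series. A test run does not need a code change: `GIT_BRANCH=${GIT_BRANCH:-master}` keeps the default and lets the tester override it from the environment. Longer term the bootstrap should pin a release tag, or a commit it verifies after the clone, rather than a mutable branch head, because that head is the supply chain for every new IdP built with this script. set_internal_variables starts outside the hunk.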
diff --git a/tasks/.system.yml.swp b/tasks/.system.yml.swp new file mode 100644 index 0000000000000000000000000000000000000000..37055d435415be142cf3c9c29f21b0561bed4f83 GIT binary patch literal 12288 zcmeI2&x;&I6vrz$Nc<7k9|-=qR7PZHgr3<=7G@ck2rfAU5~2>fHyLZX-)z@z|4LW& zWE;WFIq{Nz!n=47iC1qy(Srxi-W0re5>da^GrcpL)i7*8P+qg2?dkgQ>b-Bjddo63 zTHCpLU3S|W0@rgw{P6MJ4_4oJLcE60FEDuno`HrO$t9*xq7Z0KR~hNlx_RTNR)vC8b5jwy|$xLwB4qt@jPH{f?8ADUg(?QA9z%BqO|PU{9`IsT$>UMr~$Qz~rrvlAg?z z^~2#UZNq-Qp)%V*kCa6g!1B;neuy=lLDyO>hbcK3oZYONr1WG~+AvKnd082k=4Mp2 zJ2!jy1dF}7GgqevIAu;Z3!TH|O!@n2mkg|6)PIKx02o9j{GPKpj=wU_3@ z3FQV)vfr1D%|=VAB#_Nxfs{quXtgR&W=_{2k%}x(VmqzGD-%6X-^#x zEH4?*je*>mIl6h8$hxPFtcnM(!@ZU&tjBV`yWspWkx!Q`(@Z>4J65??!N_w7jx)rv zx;&Xe`n_P^TVMBZtD5T|PMcE4e0K>_S^dZKSkBLx`;{rT7wT{Vn$UD7xYj*2Q7)7^ zs(Ei6)RJkn@G1;NIw=l@Fs&oE@!KwxHXUHU7`HWSUeIEQICC9qWAtR&nx&EU%brB> z*d>$?44s)=$nODJIkI(=Jw|yjM@3dsM9s*~6afko7w=`yD?` z#(LK+2#*(5+X~6wKU(i-$1VijY&NHfGOXUF)J7IbKx3Uy(2{8`Pjn|~LMMAr>zq8O z5r0!WTwYhj!)4mE;J!I4wGpbKvGanqUDZifyXK{=>7Kk2HFP&u0k!^Z_m66y%c-T@ U$G`>m-Babh`x5}~J Date: Tue, 6 Jul 2021 04:16:06 +0000 Subject: [PATCH 04/29] Only backup specified files rather than all fines in credentials This will ensure the secrets.properties is not overwritten. --- bootstrap-v4.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 1f75733..0143a7b 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -278,7 +278,6 @@ function set_ansible_cfg_log_path { echo $ANSIBLE_CFG replace_property_nosp 'log_path=' "${ACTIVITY_LOG////\\/}" \ $ANSIBLE_CFG -echo "Done" } function set_update_idp_script_cd_path { @@ -325,7 +324,6 @@ function run_ansible { pushd $LOCAL_REPO > /dev/null ansible-playbook -i ansible_hosts site_v4.yml --force-handlers --extra-var="install_base=$INSTALL_BASE" popd > /dev/null -echo "Done" } function backup_shibboleth_credentials { 
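Review bot: `tasks/.system.yml.swp` is a Vim swap file and should not be part of the commit; the diffstat shows it added as a 12288-byte binary next to the two-line system.yml change. A swap file holds the editor's unsaved buffer for tasks/system.yml, so it can carry content that never reached the committed file, and Vim will warn about it on every checkout that opens that file. Drop it with `git rm --cached tasks/.system.yml.swp` and add `.*.sw?` to .gitignore so it cannot return. The system.yml hunk itself is not legible in this rendering and is not reviewed here.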
@@ -333,8 +331,15 @@ function backup_shibboleth_credentials { mkdir $CREDENTIAL_BACKUP_PATH fi - cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/* $CREDENTIAL_BACKUP_PATH -echo "Done" + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-backchannel.crt $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-backchannel.p12 $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-encryption.crt $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-encryption.key $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-signing.crt $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/idp-signing.key $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/sealer.jks $CREDENTIAL_BACKUP_PATH + cp -R $SHIBBOLETH_IDP_INSTANCE/credentials/sealer.kver $CREDENTIAL_BACKUP_PATH + } function display_fr_idp_registration_link { @@ -343,7 +348,6 @@ function display_fr_idp_registration_link { else echo "$FR_PROD_REG" fi -echo "Done" } function display_completion_message { From e0dc1bc502269034225234d7213e15cb8626b548 Mon Sep 17 00:00:00 2001 From: trsau Date: Tue, 6 Jul 2021 06:11:08 +0000 Subject: [PATCH 05/29] Set the LDAP.searchFilter to the value set by the user. --- bootstrap-v4.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 0143a7b..f9db31e 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -299,6 +299,9 @@ function set_ldap_properties { "$LDAP_BIND_DN_PASSWORD" $SECRETS_PROPERTIES replace_property 'idp.authn.LDAP.userFilter *=' \ "($LDAP_USER_FILTER_ATTRIBUTE={user})" $LDAP_PROPERTIES + RES_PRI='$resolutionContext.principal' + replace_property 'idp.attribute.resolver.LDAP.searchFilter *=' \ + "($LDAP_USER_FILTER_ATTRIBUTE=$RES_PRI)" $LDAP_PROPERTIES } function create_ansible_assets { From 1c3533e942b4ff037b1b46da8c8d8fe54ae0fdb8 Mon Sep 17 00:00:00 2001 
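Review bot: Under the script's `set -e` (visible in the hunk header of a later commit in this series) each of the eight `cp` lines aborts the whole bootstrap if its file is absent, and nothing here checks that; idp-backchannel.crt/.p12 in particular may not exist on an instance built with ENABLE_BACKCHANNEL=false, in which case this step would now fail where the old `credentials/*` glob did not. The copies include private keys (idp-signing.key, idp-encryption.key, sealer.jks) and the target directory comes from the plain `mkdir $CREDENTIAL_BACKUP_PATH` in the context above, so its mode is whatever the umask allows; that line deserves `mkdir -m 0700 "$CREDENTIAL_BACKUP_PATH"` and the copies `cp -p` to keep source ownership and modes. A loop over the file names with an existence check, and quoted paths, replaces the repeated lines, and `-R` is meaningless for single files. backup_shibboleth_credentials starts outside the hunk.
```shell
  # Only key material and certificates are backed up; secrets.properties is
  # deliberately left alone so an existing installation's secrets survive.
  local name
  for name in idp-backchannel.crt idp-backchannel.p12 \
              idp-encryption.crt idp-encryption.key \
              idp-signing.crt idp-signing.key \
              sealer.jks sealer.kver; do
    if [ -f "$SHIBBOLETH_IDP_INSTANCE/credentials/$name" ]; then
      cp -p -- "$SHIBBOLETH_IDP_INSTANCE/credentials/$name" "$CREDENTIAL_BACKUP_PATH/"
    fi
  done
```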
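Review bot: `$LDAP_USER_FILTER_ATTRIBUTE` is now spliced verbatim into a second LDAP filter (the resolver searchFilter, alongside the authn userFilter just above), but nothing validates that it is a bare attribute name, so a stray `(` or `)` in bootstrap-v4.ini silently yields a different search filter instead of an error. This is operator-supplied configuration rather than untrusted input, but the other bootstrap values get shape checks in ensure_mandatory_variables_set, and a matching guard fits there, applied only when the variable is set since LDAP does not appear in that function's mandatory list: `if [ -n "$LDAP_USER_FILTER_ATTRIBUTE" ] && ! [[ "$LDAP_USER_FILTER_ATTRIBUTE" =~ ^[A-Za-z][A-Za-z0-9.;-]*$ ]]; then echo "Variable LDAP_USER_FILTER_ATTRIBUTE must be a single LDAP attribute name"; exit 1; fi`. The single-quoted `$resolutionContext.principal` is passed literally, which is the placeholder the IdP's LDAP data connector expands at resolution time, and a one-line comment saying so would stop the next reader from "fixing" the apparent unexpanded shell variable: `# Literal: expanded by the IdP attribute resolver, not by the shell.` set_ldap_properties starts outside the hunk.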
From: trsau Date: Tue, 6 Jul 2021 06:30:05 +0000 Subject: [PATCH 06/29] Add ol (Oracle Linux) and a Fedora like supported option --- bootstrap-v4.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index f9db31e..7c71327 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -4,9 +4,19 @@ set -e # # ------------------------ END BOOTRAP CONFIGURATION --------------------------- +# Supported Operating Systems +# +# Fedora like +# rhel - REDHat Linux 7 and 8 +# centos - CentOS 7, 8 and Stream +# ol - ORACLE Linux 7 and 8 +# +# Debian like +# ubuntu - Ubuntu 20.04 (Focal Fossa) +# function setup_valid_oss { APT_LIST="ubuntu" - YUM_LIST="rhel centos" + YUM_LIST="rhel centos ol" OS_LIST="$APT_LIST $YUM_LIST" } From f7f55f8833caf9b9321d39442aa495862c570398 Mon Sep 17 00:00:00 2001 From: trsau Date: Tue, 6 Jul 2021 23:50:18 +0000 Subject: [PATCH 07/29] Move the creation of /var/log/shibboleth-idp to the start. This ensures the Shibboleth IdP installer has location to link its local log directory to. --- tasks/idp.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/idp.yml b/tasks/idp.yml index ca2eba0..bc61f58 100644 --- a/tasks/idp.yml +++ b/tasks/idp.yml @@ -11,6 +11,14 @@ group: jetty mode: 0750 +- name: 'Create IdP log directory' + file: + name: /var/log/shibboleth-idp + owner: jetty + group: jetty + mode: 0700 + state: directory + - name: 'Download Shibboleth IdP distribution' get_url: url: '{{ urls.shib_idp.url }}' @@ -139,14 +147,6 @@ - name: 'Re-run IdP install.sh to install aaf-shib-ext and IdP branding' shell: '{{ shib_idp.src_root }}/install-{{ download.shib_idp.version}}.sh' -- name: 'Create IdP log directory' - file: - name: /var/log/shibboleth-idp - owner: jetty - group: jetty - mode: 0700 - state: directory - - name: 'Symlink IdP log directory' file: name: '{{ shib_idp.home }}/logs' From d5e8fbc94bca9c8f463214ff791ee1f0b32fa45e Mon Sep 17 00:00:00 2001 
From: trsau Date: Wed, 7 Jul 2021 08:05:13 +0000 Subject: [PATCH 08/29] Added new variable idp_behind_proxy to indicate how the IdP will be accessed by users. Plus fisrt cut at the upgrade script. --- host_vars/idp.example.edu.dist.production | 3 ++ templates/jetty/idp.ini | 7 +++ upgrade | 52 ++++++++++++++++++++++- upgrade.yml | 22 ++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 upgrade.yml diff --git a/host_vars/idp.example.edu.dist.production b/host_vars/idp.example.edu.dist.production index e63b63b..8e1588f 100644 --- a/host_vars/idp.example.edu.dist.production +++ b/host_vars/idp.example.edu.dist.production @@ -82,3 +82,6 @@ source_persistent_id: # Old Persistent ID attribute name (for auEduPersonShared Token and eduPersonTargeted ID) old_source_persistent_id: + +# Set to true is the IdP is behind a device where ssl has been off-loaded to. +idp_behind_proxy: false diff --git a/templates/jetty/idp.ini b/templates/jetty/idp.ini index 61740d7..2a6543d 100644 --- a/templates/jetty/idp.ini +++ b/templates/jetty/idp.ini @@ -4,6 +4,9 @@ # --------------------------------------- --module=idp --module=http +{% if idp_behind_proxy == "true" %} +--module=http-forwarded +{% endif %} ## Keystore file path (relative to $jetty.base) jetty.sslContext.keyStorePath=/credentials/idp-userfacing.p12 @@ -32,7 +35,11 @@ jetty.sslContext.renegotiationAllowed=false jetty.ssl.port=443 # Allows use of default IdP command line tools. +{% if idp_behind_proxy == "true" %} +jetty.http.host=0.0.0.0 +{% else %} jetty.http.host=127.0.0.1 +{% endif %} jetty.http.port=80 # Trun off sending Jetty version in headers diff --git a/upgrade b/upgrade index f7eba69..71bd8c3 100755 --- a/upgrade +++ b/upgrade 
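Review bot: With `idp_behind_proxy` the HTTP listener is bound to every interface here while the first hunk of this file enables `http-forwarded`, so Jetty will honour X-Forwarded-For and X-Forwarded-Proto from any peer that can reach port 80, not only the load balancer; a client that bypasses the proxy can then present a different source address to the IdP audit log and claim an https scheme. The bootstrap-v4.ini text added later in this series says the host must sit in a DMZ, but nothing in the template or playbook enforces it, so the firewall role should restrict port 80 to the proxy's addresses whenever this flag is set, or the listener should bind to the proxy-facing interface rather than `0.0.0.0`. Separately, the template compares against the string `"true"` while the host_vars dist file in this same commit writes the YAML boolean `false`; a hand-edited boolean `true` would never match, so the dist line should read `idp_behind_proxy: "false"` to agree with what the bootstrap writes. A comment above the `{% if %}` naming the exposure (`# Port 80 on all interfaces: forwarded headers are trusted from any peer; firewall to the proxy only`) would make the trade-off visible to whoever flips the flag.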
@@ -2,9 +2,59 @@ declare -a nodes +function git_update_details { + remote=`git config --get remote.origin.url` + current_branch=`git symbolic-ref -q --short HEAD` + + echo -e "The process will also perform the following UPGRADES:\n" + echo " 1. Upgrade to the most recent version of the installer: " + echo " * The update will be retrieved from: ${remote}" + echo " * It will be based on the most recent release from: ${current_branch}" + echo "" + echo " 2. May add additional files to your Assets area to allow for advanced configuration" + echo "" + echo " 3. Upgrade, if necessary, to the most recently vetted versions of: " + echo " * Shibboleth IdP" + echo -e " * Jetty\n\n" +} + the_install_base=/opt working_dir=$the_install_base/shibboleth-idp4-installer/repository cd $working_dir || exit -#git pull +git_update_details + +echo "You MUST have a tested rollback plan in place before continuing." +echo -e "\n-----\n" + +read -r -p "Are you sure you wish to continue with the process as detailed above? [y/N] " response +response=${response,,} + +if [[ $response =~ ^(yes|y)$ ]] +then + echo -e "\nAttempting to update the AAF Installer respositry...\n" + + git pull + + retval=$? + + if [ $retval -ne 0 ] + then + echo -e "\n ----" + echo -e " An ERROR occurred attempting to upgrade the local AAF Installer respoitory" + echo -e " This must be resolved before your upgrade can proceed!\n" + echo -e " Details of the issue are shown above." + echo -e " ----" + echo -e "\nNo changes have been made. Exiting." + exit 1 + else + ansible-playbook -i ansible_hosts update.yml --extra-var="install_base=$the_install_base" + + echo "Changes have been applied, you must now deploy to apply these changes." + fi +else + echo "No changes made, exiting." + exit 0 + +fi diff --git a/upgrade.yml b/upgrade.yml new file mode 100644 index 0000000..9e11d03 --- /dev/null +++ b/upgrade.yml 
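Review bot: The playbook run after a successful pull is `update.yml`, but the file this commit adds is `upgrade.yml`; unless an update.yml exists elsewhere in the repository, the happy path fails at `ansible-playbook -i ansible_hosts update.yml ...` only after the checkout has already been advanced, so the operator is left half-upgraded despite the prompt's promise that nothing changes on failure. `git pull` also fast-forwards to whatever the tracking branch currently holds and the result is then applied to the IdP host with no integrity check beyond TLS to the remote; fetching and checking out a signed release tag (`git fetch --tags` followed by `git verify-tag`), or at least printing the commit that will be applied before the confirmation prompt, would give operators something to compare with a release note. Minor style: `git_update_details` uses backticks where `$(...)` nests and reads better, and `retval=$?` could simply be `if git pull; then ...`. The hunk covers the whole script body after the `nodes` declaration.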
@@ -0,0 +1,22 @@ +--- +- hosts: all + pre_tasks: + vars: + installer: + root: "{{ install_base }}/shibboleth-idp4-installer" + path: "{{ install_base }}/shibboleth-idp4-installer/build" + repository: "{{ install_base }}/shibboleth-idp4-installer/repository" + tasks: + - name: 'Verify Ansible meets AAF Installer version requirments.' + assert: + that: "ansible_version.full is version_compare('2.9', '>=')" + msg: "You must update Ansible to at least 2.9 to use this version of the AAF IdP Installer." + +- hosts: idp-servers + tasks: + - name: 'Add idp_behind_proxy to host_vars if it does not exist' + lineinfile: + path: '{{ installer.repository }}/host_vars/{{inventory_hostname}}' + line: "\n# Set to true is the IdP is behind a device where ssl has been off-loaded to.\nidp_behind_proxy: \"false\"" + insertafter: EOF + when: enable_shibcas is not defined From 1e31a7f64c76eff4cd7dc1dc60f829793e876b49 Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 00:35:36 +0000 Subject: [PATCH 09/29] Add IDP_BEHIND_PROXY option to bootstrap.ini and supporting files --- bootstrap-v4.ini | 9 +++++++++ bootstrap-v4.sh | 11 +++++++++-- export-v3-config.sh | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/bootstrap-v4.ini b/bootstrap-v4.ini index d275fe0..4d187e6 100644 --- a/bootstrap-v4.ini +++ b/bootstrap-v4.ini @@ -154,3 +154,12 @@ ENABLE_BACKCHANNEL=false # addition to making the technical changes. # ENABLE_EDUGAIN=false + +# + +# If your IdP is behind a load balancer that is SSL Offloading, set the following +# value to true. The will enable the IdP to recieve requests on port 80 from the +# load balancer. Note: The IdP MUST be within your DMZ or similarly protected area +# that will not allow general access to port 80 on the IdP. + +IDP_BEHIND_PROXY=false diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 7c71327..e92357e 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh 
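Review bot: `installer` is declared under `vars:` of the first play (`hosts: all`) but referenced as `{{ installer.repository }}` in the second play (`hosts: idp-servers`); play-level vars do not carry across plays, so the lineinfile task will fail with an undefined variable unless `installer` is also supplied by inventory or group_vars not shown here. Either move the `vars:` block into the second play or put it in a vars file both plays load. The empty `pre_tasks:` key above it is dead YAML and should be removed. The guard `when: enable_shibcas is not defined` tests a different variable from the one being added and should read `when: idp_behind_proxy is not defined`; as written, hosts without enable_shibcas likely get the block appended on every run, since lineinfile cannot match a multi-line `line` value for idempotence.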
@@ -46,7 +46,7 @@ function set_internal_variables { function ensure_mandatory_variables_set { for var in HOST_NAME ENVIRONMENT ORGANISATION_NAME ORGANISATION_BASE_DOMAIN \ HOME_ORG_TYPE SOURCE_ATTRIBUTE_ID INSTALL_BASE OS_UPDATE FIREWALL \ - ENABLE_BACKCHANNEL ENABLE_EDUGAIN; do + ENABLE_BACKCHANNEL ENABLE_EDUGAIN IDP_BEHIND_PROXY; do if [ ! -n "${!var:-}" ]; then echo "Variable '$var' is not set! Set this in `basename $0`" exit 1 @@ -80,12 +80,17 @@ function ensure_mandatory_variables_set { exit 1 fi - if [ $ENABLE_EDUGAIN != "true" ] && [ $ENABLE_EDUGAIN != "false" ] then echo "Variable ENABLE_EDUGAIN must be either true or false" exit 1 fi + + if [ $IDP_BEHIND_PROXY != "true" ] && [ $IDP_BEHIND_PROXY != "false" ] + then + echo "Variable IDP_BEHIND_PROXY must be either true or false" + exit 1 + fi } function ensure_install_base_exists { @@ -271,6 +276,8 @@ function set_ansible_host_vars { $ANSIBLE_HOST_VARS replace_property 'enable_edugain:' "\"$ENABLE_EDUGAIN\"" \ $ANSIBLE_HOST_VARS + replace_property 'idp_behind_proxy:' "\"$IDP_BEHIND_PROXY\"" \ + $ANSIBLE_HOST_VARS replace_property 'old_source_persistent_id:' "\"$SOURCE_ATTRIBUTE_ID\"" \ $ANSIBLE_HOST_VARS replace_property 'source_persistent_id:' "\"$PERSISTENT_ATTRIBUTE_ID\"" \ diff --git a/export-v3-config.sh b/export-v3-config.sh index b8ea302..87729f1 100644 --- a/export-v3-config.sh +++ b/export-v3-config.sh @@ -164,6 +164,7 @@ write_bootstrap_ini () echo "FIREWALL=$firewall" >> $bootstrap_file echo "ENABLE_EDUGAIN=$enable_edugain" >> $bootstrap_file echo "ENABLE_BACKCHANNEL=$enable_backchannel" >> $bootstrap_file + echo "IDP_BEHIND_PROXY=false" >> $bootstrap_file } copy_bilateral () From 42570931a3371c0eab3f1b2bd64f9d8ff1592701 Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 00:38:38 +0000 Subject: [PATCH 10/29] Set GIT_BRANCH for testing --- bootstrap-v4.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index e92357e..b8aa3d0 100755 
--- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -36,7 +36,7 @@ function set_internal_variables { GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git # GIT_BRANCH=master - GIT_BRANCH=develop + GIT_BRANCH=feature_behind-proxy FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From d837e517b43f3e092e9a498ec20643bef6b69ca8 Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 01:04:53 +0000 Subject: [PATCH 11/29] Both files have correct content based on environment --- host_vars/idp.example.edu.dist.production | 6 +++--- host_vars/idp.example.edu.dist.test | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/host_vars/idp.example.edu.dist.production b/host_vars/idp.example.edu.dist.production index 8e1588f..214abb2 100644 --- a/host_vars/idp.example.edu.dist.production +++ b/host_vars/idp.example.edu.dist.production @@ -59,8 +59,8 @@ server_patch: "true" # OS Tool to patch the system patch_with: "yum" -# Installed Firewall [firewalld none ] -firewall: "firewalld" +# Installed Firewall [firewalld | none ] +firewall: "firewalld" # Enable BackChannel enable_backchannel: "false" @@ -83,5 +83,5 @@ source_persistent_id: # Old Persistent ID attribute name (for auEduPersonShared Token and eduPersonTargeted ID) old_source_persistent_id: -# Set to true is the IdP is behind a device where ssl has been off-loaded to. +# Set to true is the IdP is behind a device where ssl has been off-loaded to. idp_behind_proxy: false diff --git a/host_vars/idp.example.edu.dist.test b/host_vars/idp.example.edu.dist.test index e477eef..a493109 100644 --- a/host_vars/idp.example.edu.dist.test +++ b/host_vars/idp.example.edu.dist.test 
@@ -82,3 +82,6 @@ source_persistent_id: # Old Persistent ID attribute name (for auEduPersonShared Token and eduPersonTargeted ID) old_source_persistent_id: + +# Set to true is the IdP is behind a device where ssl has been off-loaded to. +idp_behind_proxy: false From 497b01c57e4b70156dd1cc4d6bf263b006606f0d Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 01:28:19 +0000 Subject: [PATCH 12/29] Set branch to develop --- bootstrap-v4.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index b8aa3d0..e92357e 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -36,7 +36,7 @@ function set_internal_variables { GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git # GIT_BRANCH=master - GIT_BRANCH=feature_behind-proxy + GIT_BRANCH=develop FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From 6ebf200c22fa98341399999f7c95dc26e02c5c4f Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 05:58:11 +0000 Subject: [PATCH 13/29] Added default_encryption option --- .../idp.example.edu.dist/idp/conf/idp.properties | 2 +- bootstrap-v4.ini | 15 +++++++++++++++ bootstrap-v4.sh | 10 +++++++++- export-v3-config.sh | 1 + host_vars/idp.example.edu.dist.production | 6 +++++- host_vars/idp.example.edu.dist.test | 5 ++++- upgrade.yml | 9 ++++++++- 7 files changed, 43 insertions(+), 5 deletions(-) diff --git a/assets/idp.example.edu.dist/idp/conf/idp.properties b/assets/idp.example.edu.dist/idp/conf/idp.properties index 835cf19..7738d71 100644 --- a/assets/idp.example.edu.dist/idp/conf/idp.properties +++ b/assets/idp.example.edu.dist/idp/conf/idp.properties 
@@ -76,7 +76,7 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt # The new install default for encryption is now AES-GCM. #idp.encryption.config=shibboleth.EncryptionConfiguration.GCM -idp.encryption.config=shibboleth.EncryptionConfiguration.CBC +idp.encryption.config=shibboleth.EncryptionConfiguration.{{ default_encryption }} # Configures trust evaluation of keys used by services at runtime # Internal default is Chaining, overriden for new installs diff --git a/bootstrap-v4.ini b/bootstrap-v4.ini index 4d187e6..c4f2505 100644 --- a/bootstrap-v4.ini +++ b/bootstrap-v4.ini @@ -163,3 +163,18 @@ ENABLE_EDUGAIN=false # that will not allow general access to port 80 on the IdP. IDP_BEHIND_PROXY=false + +# + +# The following option allows you to downgrade encryption from GCM to CBC for all +# services. Some older services will fail as they are unable to process newer +# encryption. The recommended approach is to leave the default seti at GMC, and +# carve out exceptions for each SP that doesn't support GCM. Use the he Algorithm +# Metadata Filter (https://wiki.shibboleth.net/confluence/display/IDP4/AlgorithmFilter) +# to achieve this. +# +# Changing the global setting to CBC is is NOT recommended for production deployments! +# Please see: https://wiki.shibboleth.net/confluence/display/IDP4/GCMEncryption for +# more details. + +DEFAULT_ENCRYPTION=GCM diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index e92357e..88cac2c 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -46,7 +46,7 @@ function set_internal_variables { function ensure_mandatory_variables_set { for var in HOST_NAME ENVIRONMENT ORGANISATION_NAME ORGANISATION_BASE_DOMAIN \ HOME_ORG_TYPE SOURCE_ATTRIBUTE_ID INSTALL_BASE OS_UPDATE FIREWALL \ - ENABLE_BACKCHANNEL ENABLE_EDUGAIN IDP_BEHIND_PROXY; do + ENABLE_BACKCHANNEL ENABLE_EDUGAIN IDP_BEHIND_PROXY DEFAULT_ENCRYPTION; do if [ ! -n "${!var:-}" ]; then echo "Variable '$var' is not set! Set this in `basename $0`" exit 1 
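Review bot: The new comment block has typos in exactly the sentences an operator reads before weakening the encryption default: `leave the default seti at GMC` should read `leave the default set at GCM`, `Use the he Algorithm` should read `Use the Algorithm`, and `is is NOT recommended` has a doubled word. If it matches your reading of the linked wiki page, one line naming why GCM is the default (CBC-mode XML Encryption is subject to known padding-oracle style attacks, which is the reason the IdP moved to GCM) would make the warning concrete rather than a bare recommendation. The `DEFAULT_ENCRYPTION=GCM` line itself is fine and is validated against GCM/CBC in the bootstrap hunk that follows.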
@@ -91,6 +91,12 @@ function ensure_mandatory_variables_set { echo "Variable IDP_BEHIND_PROXY must be either true or false" exit 1 fi + + if [ $DEFAULT_ENCRYPTION != "GCM" ] && [ $DEFAULT_ENCRYPTION != "CBC" ] + then + echo "Variable DEFAULT_ENCRYPTION must be either GCM or CBC" + exit 1 + fi } function ensure_install_base_exists { @@ -278,6 +284,8 @@ function set_ansible_host_vars { $ANSIBLE_HOST_VARS replace_property 'idp_behind_proxy:' "\"$IDP_BEHIND_PROXY\"" \ $ANSIBLE_HOST_VARS + replace_property 'default_encryption:' "\"$DEFAULT_ENCRYPTION\"" \ + $ANSIBLE_HOST_VARS replace_property 'old_source_persistent_id:' "\"$SOURCE_ATTRIBUTE_ID\"" \ $ANSIBLE_HOST_VARS replace_property 'source_persistent_id:' "\"$PERSISTENT_ATTRIBUTE_ID\"" \ diff --git a/export-v3-config.sh b/export-v3-config.sh index 87729f1..9d94f01 100644 --- a/export-v3-config.sh +++ b/export-v3-config.sh @@ -165,6 +165,7 @@ write_bootstrap_ini () echo "ENABLE_EDUGAIN=$enable_edugain" >> $bootstrap_file echo "ENABLE_BACKCHANNEL=$enable_backchannel" >> $bootstrap_file echo "IDP_BEHIND_PROXY=false" >> $bootstrap_file + echo "DEFAULT_ENCRYPTION=GCM" >> $bootstrap_file } copy_bilateral () diff --git a/host_vars/idp.example.edu.dist.production b/host_vars/idp.example.edu.dist.production index 214abb2..f1d4e92 100644 --- a/host_vars/idp.example.edu.dist.production +++ b/host_vars/idp.example.edu.dist.production @@ -84,4 +84,8 @@ source_persistent_id: old_source_persistent_id: # Set to true is the IdP is behind a device where ssl has been off-loaded to. -idp_behind_proxy: false +idp_behind_proxy: "false" + +# Set default encryption [GCM | CBC]. +default_encryption: "GCM" + diff --git a/host_vars/idp.example.edu.dist.test b/host_vars/idp.example.edu.dist.test index a493109..91d70a1 100644 --- a/host_vars/idp.example.edu.dist.test +++ b/host_vars/idp.example.edu.dist.test 
@@ -84,4 +84,7 @@ source_persistent_id: old_source_persistent_id: # Set to true is the IdP is behind a device where ssl has been off-loaded to. -idp_behind_proxy: false +idp_behind_proxy: "false" + +# Set default encryption [GCM | CBC]. +default_encryption: "GCM" diff --git a/upgrade.yml b/upgrade.yml index 9e11d03..de60fdf 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -19,4 +19,11 @@ path: '{{ installer.repository }}/host_vars/{{inventory_hostname}}' line: "\n# Set to true is the IdP is behind a device where ssl has been off-loaded to.\nidp_behind_proxy: \"false\"" insertafter: EOF - when: enable_shibcas is not defined + when: idp_behind_proxy is not defined + + - name: 'Add default_encryption to host_vars if it does not exist' + lineinfile: + path: '{{ installer.repository }}/host_vars/{{inventory_hostname}}' + line: "\n# Set default encryption [GCM | CBC].\ndefault_encryption: \"GCM\"" + insertafter: EOF + when: default_encryption is not defined From 98c657a582f335b0413a3761ff876554669b7aac Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 05:59:33 +0000 Subject: [PATCH 14/29] Set GIT_BRANCH for testing --- bootstrap-v4.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 88cac2c..58b2981 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -36,7 +36,7 @@ function set_internal_variables { GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git # GIT_BRANCH=master - GIT_BRANCH=develop + GIT_BRANCH=feature_dorwgrade-encryption FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From 6d1c64ec6df2fd88a7a23e4d243c10428ca67db3 Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 07:09:58 +0000 Subject: [PATCH 15/29] Updates versions of component software --- site_v4.yml | 28 ++++++---------------------- 1 file changed, 6 insertions(+), 22 deletions(-) 
diff --git a/site_v4.yml b/site_v4.yml index 68e906a..a82b155 100644 --- a/site_v4.yml +++ b/site_v4.yml @@ -28,28 +28,20 @@ download: jetty: baseurl: "{{ aaf_binaries.baseurl }}/jetty" - version: 9.4.38.v20210224 - sha256sum: 579f6496ecf1d2a77cac8a12a0606b37e5098eca95f0c4de74235ddb898eff09 + version: 9.4.43.v20210629 + sha256sum: 01fae654b09932e446019aa859e7af6e05e27dbade12b54cd7bae3249fc723d9 shib_idp: baseurl: "{{ aaf_binaries.baseurl }}/shibboleth" - version: 4.1.0 - sha256sum: 46fe154859f9f1557acd1ae26ee9ac82ded938af52a7dec0b18adbf5bb4510e9 + version: 4.1.2 + sha256sum: 2d35dbccc6c6ae6f7eec4adc98eaa406c33df3ad49879839a3839dbf427afff8 mysql_connector: baseurl: "{{ aaf_binaries.baseurl }}/jars/Connector-J" - version: 8.0.23 - sha256sum: 6a0a6b9bbc84e40ed5571930af12328479d78472ebc9a01ee50fbee9d5a3be8c + version: 8.0.25 + sha256sum: 883954c6979eeb41cde2bfce508347c5946c57f919688cd215cb2f7f91d34834 dta_ssl: baseurl: "{{ aaf_binaries.baseurl }}/jars/jetty94-dta-ssl" version: 1.0.0 sha256sum: 5e5de66e3517d30ff19ef66cf7a4aa5443b861d83e36a75e85845b007a03afbf - commons_dbcp2: - baseurl: "{{ aaf_binaries.baseurl }}/jars/commons_dbcp2" - version: 2.8.0 - sha256sum: X-c25520cd156f8e6425bbb01edecae3795a344d517fdcc537408206cc21e96e8f - commons_pool2: - baseurl: "{{ aaf_binaries.baseurl }}/jars/commons_pool2" - version: 2.9.0 - sha256sum: X-3e84d5bb006834c9087e18d8d2333f047469aa54da8cb0aac3474dfb74efafcd aaf_shib_ext: baseurl: "{{ aaf_binaries.baseurl }}/jars/aaf_shib_ext" version: 2.0.0 
@@ -58,14 +50,6 @@ baseurl: "{{ aaf_binaries.baseurl }}/keystore" version: "Unknown" sha256sum: ae4185b2f0bb1af00abc6a4502fbfbdc6a90aec65c7bcee08e37a1bc20de5ac1 - cas_client_core: - baseurl: "{{ aaf_binaries.baseurl }}/jars/cas_extensions" - version: 3.6.0 - sha256sum: X-21c46f083530a494fb3f94c91d1c817851608409717382c9e3673c44acada522 - shib_cas_authenticator: - baseurl: "{{ aaf_binaries.baseurl }}/jars/cas_extensions" - version: 3.3.0 - sha256sum: X-435aebc3e301341e31c22e73ee5dee42c36bb1ea88483b5db182b13170a79ff2 logback_access: baseurl: "{{ aaf_binaries.baseurl }}/jars/logback" version: 1.2.3 From 75f0fbb6ce10f9d0d09410640f030c85f18d304c Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 07:11:24 +0000 Subject: [PATCH 16/29] Set branch to testing --- bootstrap-v4.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 58b2981..2bead06 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -36,7 +36,7 @@ function set_internal_variables { GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git # GIT_BRANCH=master - GIT_BRANCH=feature_dorwgrade-encryption + GIT_BRANCH=feature_upgrade_shib4.1.2 FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From 1cb6003b6758fd8e63a365ac11d1224f6e666dd8 Mon Sep 17 00:00:00 2001 From: trsau Date: Thu, 8 Jul 2021 23:52:17 +0000 Subject: [PATCH 17/29] Removed references to downloads that are no longer required --- site_v4.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/site_v4.yml b/site_v4.yml index a82b155..3761883 100644 --- a/site_v4.yml +++ b/site_v4.yml 
@@ -79,18 +79,10 @@ url: "{{ download.mysql_connector.baseurl }}/mysql-connector-java-{{ download.mysql_connector.version }}.tar.gz" dta_ssl: url: "{{ download.dta_ssl.baseurl }}/jetty94-dta-ssl-{{download.dta_ssl.version}}.jar" - commons_dbcp2: - url: "{{ download.commons_dbcp2.baseurl }}/commons-dbcp2-{{ download.commons_dbcp2.version }}-bin.tar.gz" - commons_pool2: - url: "{{ download.commons_pool2.baseurl }}/commons-pool2-{{ download.commons_pool2.version }}-bin.tar.gz" aaf_shib_ext: url: "{{ download.aaf_shib_ext.baseurl }}/aaf-shib-ext-{{ download.aaf_shib_ext.version }}.jar" keystore: url: "{{ download.keystore.baseurl }}/keystore" - cas_client_core: - url: "{{ download.cas_client_core.baseurl }}/cas-client-core-{{ download.cas_client_core.version }}.jar" - shib_cas_authenticator: - url: "{{ download.shib_cas_authenticator.baseurl }}/shib-cas-authenticator-{{ download.shib_cas_authenticator.version }}.jar" logback_access: url: "{{ download.logback_access.baseurl }}/logback-access-{{ download.logback_access.version }}.jar" logback_classic: From 366f66172aec78c277ba36c0edd210e3d36eb872 Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 02:01:02 +0000 Subject: [PATCH 18/29] Updated comments to match v4.1.2 --- .../idp/branding/messages/messages.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/idp.example.edu.dist/idp/branding/messages/messages.properties b/assets/idp.example.edu.dist/idp/branding/messages/messages.properties index b29462b..d0b52a2 100644 --- a/assets/idp.example.edu.dist/idp/branding/messages/messages.properties +++ b/assets/idp.example.edu.dist/idp/branding/messages/messages.properties @@ -1,5 +1,5 @@ # You can define message properties here to override messages defined in -# system/messages/ or to add your own messages. +# the system-supplied message file or to add your own messages. idp.title = {{ organisation_name }} Login Service idp.logo = /images/logo.png 
From 27cee9399f826e6c797cfa718dc83e47d196cf4e Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 02:17:22 +0000 Subject: [PATCH 19/29] Minor changes to move to V4.1.2 --- assets/idp.example.edu.dist/idp/branding/views/error.vm | 4 +++- assets/idp.example.edu.dist/idp/branding/views/logout.vm | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/assets/idp.example.edu.dist/idp/branding/views/error.vm b/assets/idp.example.edu.dist/idp/branding/views/error.vm index dcb8e2b..395f7f3 100644 --- a/assets/idp.example.edu.dist/idp/branding/views/error.vm +++ b/assets/idp.example.edu.dist/idp/branding/views/error.vm @@ -34,10 +34,12 @@ #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error")) #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix")) #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId")) + $response.setStatus(500) #else ## This is a catch-all that theoretically shouldn't happen? #set ($titleSuffix = $defaultTitleSuffix) #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred.")) + $response.setStatus(500) #end ## @@ -70,4 +72,4 @@ - \ No newline at end of file + diff --git a/assets/idp.example.edu.dist/idp/branding/views/logout.vm b/assets/idp.example.edu.dist/idp/branding/views/logout.vm index 0b9103b..89cbe4a 100644 --- a/assets/idp.example.edu.dist/idp/branding/views/logout.vm +++ b/assets/idp.example.edu.dist/idp/branding/views/logout.vm @@ -25,13 +25,11 @@ - #* #if ($promptForSP) #elseif ($promptForIdP) #end - *# #springMessageText("idp.title", "Web Login Service") @@ -130,4 +128,4 @@ - \ No newline at end of file + From c9ee6716ef56bc057e000db953981fefc29e3d47 Mon Sep 17 00:00:00 2001 
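Review bot: Both branches now return 500 unconditionally, so a flow event that is really a client-side outcome (an access-denied result or a malformed request, if the deployment relies on the IdP's default handling of those events) is reported as a server error, and anything that alerts on 5xx rates from the IdP will page on user mistakes. If the intent is to track the upstream 4.1.2 view, it is worth confirming which status the stock error.vm assigns per event and keeping that mapping, or at least limiting `$response.setStatus(500)` to the catch-all `#else` branch. A short comment above the first call, e.g. `## All flow-handled errors report 500 so the proxy/monitoring treats them as server faults`, would at least record the choice. The enclosing `#if` that these branches belong to starts outside the hunk.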
From: trsau Date: Fri, 9 Jul 2021 02:22:44 +0000 Subject: [PATCH 20/29] Upgrade version of jquery for 4.1.2 --- .../idp/branding/webapp/js/jquery-3.4.1.min.js | 2 -- .../idp/branding/webapp/js/jquery-3.6.0.min.js | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 assets/idp.example.edu.dist/idp/branding/webapp/js/jquery-3.4.1.min.js create mode 100644 assets/idp.example.edu.dist/idp/branding/webapp/js/jquery-3.6.0.min.js diff --git a/assets/idp.example.edu.dist/idp/branding/webapp/js/jquery-3.4.1.min.js b/assets/idp.example.edu.dist/idp/branding/webapp/js/jquery-3.4.1.min.js deleted file mode 100644 index a1c07fd..0000000 --- a/assets/idp.example.edu.dist/idp/branding/webapp/js/jquery-3.4.1.min.js +++ /dev/null 
@@ -1,2 +0,0 @@ -/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ -!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e,t){return new k.fn.init(e,t)},p=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g;function d(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp($),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+$),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),ne=function(e,t,n){var 
r="0x"+t-65536;return r!=r||n?t:r<0?String.fromCharCode(r+65536):String.fromCharCode(r>>10|55296,1023&r|56320)},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(m.childNodes),m.childNodes),t[m.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&((e?e.ownerDocument||e:m)!==C&&T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!A[t+" "]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&U.test(t)){(s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=k),o=(l=h(t)).length;while(o--)l[o]="#"+s+" "+xe(l[o]);c=l.join(","),f=ee.test(t)&&ye(e.parentNode)||e}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){A(t,!0)}finally{s===k&&e.removeAttribute("id")}}}return g(t.replace(B,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[k]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var 
n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e.namespaceURI,n=(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:m;return r!==C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),m!==C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=k,!C.getElementsByName||!C.getElementsByName(k).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return 
t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){a.appendChild(e).innerHTML="",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+k+"-]").length||v.push("~="),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+k+"+*").length||v.push(".#.+[+~]")}),ce(function(e){e.innerHTML="";var t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",$)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var 
n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},D=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)===(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e===C||e.ownerDocument===m&&y(m,e)?-1:t===C||t.ownerDocument===m&&y(m,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e===C?-1:t===C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]===m?-1:s[r]===m?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if((e.ownerDocument||e)!==C&&T(e),d.matchesSelector&&E&&!A[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){A(t,!0)}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var 
t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=p[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&p(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function j(e,n,r){return m(n)?k.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?k.grep(e,function(e){return e===n!==r}):"string"!=typeof n?k.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(k.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||q,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:L.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof k?t[0]:t,k.merge(this,k.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),D.test(r[1])&&k.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(k):k.makeArray(e,this)}).prototype=k.fn,q=k(E);var H=/^(?:parents|prev(?:Until|All))/,O={children:!0,contents:!0,next:!0,prev:!0};function P(e,t){while((e=e[t])&&1!==e.nodeType);return e}k.fn.extend({has:function(e){var t=k(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i,ge={option:[1,""],thead:[1,"","
"],col:[2,"","
"],tr:[2,"","
"],td:[3,"","
"],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?k.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;nx",y.noCloneChecked=!!me.cloneNode(!0).lastChild.defaultValue;var Te=/^key/,Ce=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,Ee=/^([^.]*)(?:\.(.+)|)/;function ke(){return!0}function Se(){return!1}function Ne(e,t){return e===function(){try{return E.activeElement}catch(e){}}()==("focus"===t)}function Ae(e,t,n,r,i,o){var a,s;if("object"==typeof t){for(s in"string"!=typeof n&&(r=r||n,n=void 0),t)Ae(e,s,n,r,t[s],o);return e}if(null==r&&null==i?(i=n,r=n=void 0):null==i&&("string"==typeof n?(i=r,r=void 0):(i=r,r=n,n=void 0)),!1===i)i=Se;else if(!i)return e;return 1===o&&(a=i,(i=function(e){return k().off(e),a.apply(this,arguments)}).guid=a.guid||(a.guid=k.guid++)),e.each(function(){k.event.add(this,t,i,r,n)})}function De(e,i,o){o?(Q.set(e,i,!1),k.event.add(e,i,{namespace:!1,handler:function(e){var t,n,r=Q.get(this,i);if(1&e.isTrigger&&this[i]){if(r.length)(k.event.special[i]||{}).delegateType&&e.stopPropagation();else if(r=s.call(arguments),Q.set(this,i,r),t=o(this,i),this[i](),r!==(n=Q.get(this,i))||t?Q.set(this,i,!1):n={},r!==n)return e.stopImmediatePropagation(),e.preventDefault(),n.value}else r.length&&(Q.set(this,i,{value:k.event.trigger(k.extend(r[0],k.Event.prototype),r.slice(1),this)}),e.stopImmediatePropagation())}})):void 0===Q.get(e,i)&&k.event.add(e,i,ke)}k.event={global:{},add:function(t,e,n,r,i){var o,a,s,u,l,c,f,p,d,h,g,v=Q.get(t);if(v){n.handler&&(n=(o=n).handler,i=o.selector),i&&k.find.matchesSelector(ie,i),n.guid||(n.guid=k.guid++),(u=v.events)||(u=v.events={}),(a=v.handle)||(a=v.handle=function(e){return"undefined"!=typeof k&&k.event.triggered!==e.type?k.event.dispatch.apply(t,arguments):void 
0}),l=(e=(e||"").match(R)||[""]).length;while(l--)d=g=(s=Ee.exec(e[l])||[])[1],h=(s[2]||"").split(".").sort(),d&&(f=k.event.special[d]||{},d=(i?f.delegateType:f.bindType)||d,f=k.event.special[d]||{},c=k.extend({type:d,origType:g,data:r,handler:n,guid:n.guid,selector:i,needsContext:i&&k.expr.match.needsContext.test(i),namespace:h.join(".")},o),(p=u[d])||((p=u[d]=[]).delegateCount=0,f.setup&&!1!==f.setup.call(t,r,h,a)||t.addEventListener&&t.addEventListener(d,a)),f.add&&(f.add.call(t,c),c.handler.guid||(c.handler.guid=n.guid)),i?p.splice(p.delegateCount++,0,c):p.push(c),k.event.global[d]=!0)}},remove:function(e,t,n,r,i){var o,a,s,u,l,c,f,p,d,h,g,v=Q.hasData(e)&&Q.get(e);if(v&&(u=v.events)){l=(t=(t||"").match(R)||[""]).length;while(l--)if(d=g=(s=Ee.exec(t[l])||[])[1],h=(s[2]||"").split(".").sort(),d){f=k.event.special[d]||{},p=u[d=(r?f.delegateType:f.bindType)||d]||[],s=s[2]&&new RegExp("(^|\\.)"+h.join("\\.(?:.*\\.|)")+"(\\.|$)"),a=o=p.length;while(o--)c=p[o],!i&&g!==c.origType||n&&n.guid!==c.guid||s&&!s.test(c.namespace)||r&&r!==c.selector&&("**"!==r||!c.selector)||(p.splice(o,1),c.selector&&p.delegateCount--,f.remove&&f.remove.call(e,c));a&&!p.length&&(f.teardown&&!1!==f.teardown.call(e,h,v.handle)||k.removeEvent(e,d,v.handle),delete u[d])}else for(d in u)k.event.remove(e,d+t[l],n,r,!0);k.isEmptyObject(u)&&Q.remove(e,"handle events")}},dispatch:function(e){var t,n,r,i,o,a,s=k.event.fix(e),u=new Array(arguments.length),l=(Q.get(this,"events")||{})[s.type]||[],c=k.event.special[s.type]||{};for(u[0]=s,t=1;t\x20\t\r\n\f]*)[^>]*)\/>/gi,qe=/\s*$/g;function Oe(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&k(e).children("tbody")[0]||e}function Pe(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function Re(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Me(e,t){var n,r,i,o,a,s,u,l;if(1===t.nodeType){if(Q.hasData(e)&&(o=Q.access(e),a=Q.set(t,o),l=o.events))for(i in delete 
a.handle,a.events={},l)for(n=0,r=l[i].length;n")},clone:function(e,t,n){var r,i,o,a,s,u,l,c=e.cloneNode(!0),f=oe(e);if(!(y.noCloneChecked||1!==e.nodeType&&11!==e.nodeType||k.isXMLDoc(e)))for(a=ve(c),r=0,i=(o=ve(e)).length;r").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var Vt,Gt=[],Yt=/(=)\?(?=&|$)|\?\?/;k.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=Gt.pop()||k.expando+"_"+kt++;return this[e]=!0,e}}),k.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Yt.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Yt.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Yt,"$1"+r):!1!==e.jsonp&&(e.url+=(St.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||k.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?k(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,Gt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((Vt=E.implementation.createHTMLDocument("").body).innerHTML="
",2===Vt.childNodes.length),k.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=D.exec(e))?[t.createElement(i[1])]:(i=we([e],t,o),o&&o.length&&k(o).remove(),k.merge([],i.childNodes)));var r,i,o},k.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(k.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},k.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){k.fn[t]=function(e){return this.on(t,e)}}),k.expr.pseudos.animated=function(t){return k.grep(k.timers,function(e){return t===e.elem}).length},k.offset={setOffset:function(e,t,n){var r,i,o,a,s,u,l=k.css(e,"position"),c=k(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=k.css(e,"top"),u=k.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,k.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):c.css(f)}},k.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){k.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var 
e,t,n,r=this[0],i={top:0,left:0};if("fixed"===k.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===k.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=k(e).offset()).top+=k.css(e,"borderTopWidth",!0),i.left+=k.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-k.css(r,"marginTop",!0),left:t.left-i.left-k.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===k.css(e,"position"))e=e.offsetParent;return e||ie})}}),k.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;k.fn[t]=function(e){return _(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),k.each(["top","left"],function(e,n){k.cssHooks[n]=ze(y.pixelPosition,function(e,t){if(t)return t=_e(e,n),$e.test(t)?k(e).position()[n]+"px":t})}),k.each({Height:"height",Width:"width"},function(a,s){k.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){k.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return _(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?k.css(e,t,i):k.style(e,t,n,i)},s,n?e:void 0,n)}})}),k.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){k.fn[n]=function(e,t){return 0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp(F),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new 
RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+F),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\[\\da-fA-F]{1,6}"+M+"?|\\\\([^\\r\\n\\f])","g"),ne=function(e,t){var n="0x"+e.slice(1)-65536;return t||(n<0?String.fromCharCode(n+65536):String.fromCharCode(n>>10|55296,1023&n|56320))},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(p.childNodes),p.childNodes),t[p.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&(T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!N[t+" 
"]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&(U.test(t)||z.test(t))){(f=ee.test(t)&&ye(e.parentNode)||e)===e&&d.scope||((s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=S)),o=(l=h(t)).length;while(o--)l[o]=(s?"#"+s:":scope")+" "+xe(l[o]);c=l.join(",")}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){N(t,!0)}finally{s===S&&e.removeAttribute("id")}}}return g(t.replace($,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[S]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e&&e.namespaceURI,n=e&&(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:p;return 
r!=C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),p!=C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.scope=ce(function(e){return a.appendChild(e).appendChild(C.createElement("div")),"undefined"!=typeof e.querySelectorAll&&!e.querySelectorAll(":scope fieldset div").length}),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=S,!C.getElementsByName||!C.getElementsByName(S).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){var 
t;a.appendChild(e).innerHTML="",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+S+"-]").length||v.push("~="),(t=C.createElement("input")).setAttribute("name",""),e.appendChild(t),e.querySelectorAll("[name='']").length||v.push("\\["+M+"*name"+M+"*="+M+"*(?:''|\"\")"),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+S+"+*").length||v.push(".#.+[+~]"),e.querySelectorAll("\\\f"),v.push("[\\r\\n\\f]")}),ce(function(e){e.innerHTML="";var t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",F)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},j=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)==(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e==C||e.ownerDocument==p&&y(p,e)?-1:t==C||t.ownerDocument==p&&y(p,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return 
l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e==C?-1:t==C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]==p?-1:s[r]==p?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if(T(e),d.matchesSelector&&E&&!N[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){N(t,!0)}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=m[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&m(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function j(e,n,r){return m(n)?S.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?S.grep(e,function(e){return 
e===n!==r}):"string"!=typeof n?S.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(S.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||D,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:q.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof S?t[0]:t,S.merge(this,S.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),N.test(r[1])&&S.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(S):S.makeArray(e,this)}).prototype=S.fn,D=S(E);var L=/^(?:parents|prev(?:Until|All))/,H={children:!0,contents:!0,next:!0,prev:!0};function O(e,t){while((e=e[t])&&1!==e.nodeType);return e}S.fn.extend({has:function(e){var t=S(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i;ce=E.createDocumentFragment().appendChild(E.createElement("div")),(fe=E.createElement("input")).setAttribute("type","radio"),fe.setAttribute("checked","checked"),fe.setAttribute("name","t"),ce.appendChild(fe),y.checkClone=ce.cloneNode(!0).cloneNode(!0).lastChild.checked,ce.innerHTML="",y.noCloneChecked=!!ce.cloneNode(!0).lastChild.defaultValue,ce.innerHTML="",y.option=!!ce.lastChild;var ge={thead:[1,"","
"],col:[2,"","
"],tr:[2,"","
"],td:[3,"","
"],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?S.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;n",""]);var me=/<|&#?\w+;/;function xe(e,t,n,r,i){for(var o,a,s,u,l,c,f=t.createDocumentFragment(),p=[],d=0,h=e.length;d\s*$/g;function je(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&S(e).children("tbody")[0]||e}function De(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function qe(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Le(e,t){var n,r,i,o,a,s;if(1===t.nodeType){if(Y.hasData(e)&&(s=Y.get(e).events))for(i in Y.remove(t,"handle events"),s)for(n=0,r=s[i].length;n").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var _t,zt=[],Ut=/(=)\?(?=&|$)|\?\?/;S.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=zt.pop()||S.expando+"_"+wt.guid++;return this[e]=!0,e}}),S.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Ut.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Ut.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Ut,"$1"+r):!1!==e.jsonp&&(e.url+=(Tt.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||S.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?S(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,zt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((_t=E.implementation.createHTMLDocument("").body).innerHTML="
",2===_t.childNodes.length),S.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=N.exec(e))?[t.createElement(i[1])]:(i=xe([e],t,o),o&&o.length&&S(o).remove(),S.merge([],i.childNodes)));var r,i,o},S.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(S.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},S.expr.pseudos.animated=function(t){return S.grep(S.timers,function(e){return t===e.elem}).length},S.offset={setOffset:function(e,t,n){var r,i,o,a,s,u,l=S.css(e,"position"),c=S(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=S.css(e,"top"),u=S.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,S.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):c.css(f)}},S.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){S.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var 
e,t,n,r=this[0],i={top:0,left:0};if("fixed"===S.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===S.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=S(e).offset()).top+=S.css(e,"borderTopWidth",!0),i.left+=S.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-S.css(r,"marginTop",!0),left:t.left-i.left-S.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===S.css(e,"position"))e=e.offsetParent;return e||re})}}),S.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;S.fn[t]=function(e){return $(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),S.each(["top","left"],function(e,n){S.cssHooks[n]=Fe(y.pixelPosition,function(e,t){if(t)return t=We(e,n),Pe.test(t)?S(e).position()[n]+"px":t})}),S.each({Height:"height",Width:"width"},function(a,s){S.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){S.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return $(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?S.css(e,t,i):S.style(e,t,n,i)},s,n?e:void 0,n)}})}),S.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){S.fn[t]=function(e){return this.on(t,e)}}),S.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 
1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),S.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){S.fn[n]=function(e,t){return 0 Date: Fri, 9 Jul 2021 04:56:47 +0000 Subject: [PATCH 21/29] Minor changes to reflect changes to v4.1.2 --- .../idp/conf/admin/admin.properties | 55 +++++++++++++++++++ .../idp/conf/admin/metrics.xml | 2 +- .../idp.example.edu.dist/idp/conf/global.xml | 6 +- .../idp/conf/idp.properties | 50 +++++++++-------- .../idp/conf/services.properties | 2 +- .../idp/conf/services.xml | 1 - 6 files changed, 87 insertions(+), 29 deletions(-) create mode 100644 assets/idp.example.edu.dist/idp/conf/admin/admin.properties diff --git a/assets/idp.example.edu.dist/idp/conf/admin/admin.properties b/assets/idp.example.edu.dist/idp/conf/admin/admin.properties new file mode 100644 index 0000000..7f14b56 --- /dev/null +++ b/assets/idp.example.edu.dist/idp/conf/admin/admin.properties 
@@ -0,0 +1,55 @@
+# Configure properties controlling administrative features
+
+#idp.status.logging = Status
+#idp.status.accessPolicy = AccessByIPAddress
+#idp.status.authenticated = false
+#idp.status.nonBrowserSupported = false
+#idp.status.resolveAttributes = false
+
+#idp.reload.logging = Reload
+#idp.reload.accessPolicy = AccessByIPAddress
+#idp.reload.authenticated = false
+#idp.reload.nonBrowserSupported = false
+#idp.reload.resolveAttributes = false
+
+#idp.resolvertest.logging = ResolverTest
+#idp.resolvertest.accessPolicy = AccessByIPAddress
+#idp.resolvertest.authenticated = false
+#idp.resolvertest.nonBrowserSupported = false
+#idp.resolvertest.resolveAttributes = false
+
+#idp.mdquery.logging = MetadataQuery
+#idp.mdquery.accessPolicy = AccessByIPAddress
+#idp.mdquery.authenticated = false
+#idp.mdquery.nonBrowserSupported = false
+#idp.mdquery.resolveAttributes = false
+
+#idp.metrics.logging = Metrics
+#idp.metrics.authenticated = false
+#idp.metrics.nonBrowserSupported = false
+#idp.metrics.resolveAttributes = false
+# See admin/metrics.xml for other configuration
+
+#idp.hello.logging = Hello
+#idp.hello.accessPolicy = AccessByAdminUser
+#idp.hello.authenticated = true
+#idp.hello.nonBrowserSupported = false
+#idp.hello.resolveAttributes = true
+
+#idp.lockout.logging = Lockout
+#idp.lockout.accessPolicy = AccessDenied
+#idp.lockout.authenticated = false
+#idp.lockout.nonBrowserSupported = false
+#idp.lockout.resolveAttributes = false
+
+#idp.storage.logging = Storage
+#idp.storage.accessPolicy = AccessDenied
+#idp.storage.authenticated = false
+#idp.storage.nonBrowserSupported = false
+#idp.storage.resolveAttributes = false
+
+#idp.unlock-keys.logging = UnlockKeys
+#idp.unlock-keys.accessPolicy = AccessDenied
+#idp.unlock-keys.authenticated = true
+#idp.unlock-keys.nonBrowserSupported = false
+#idp.unlock-keys.resolveAttributes = false
diff --git a/assets/idp.example.edu.dist/idp/conf/admin/metrics.xml b/assets/idp.example.edu.dist/idp/conf/admin/metrics.xml index 1475276..208ab6b 100644 --- a/assets/idp.example.edu.dist/idp/conf/admin/metrics.xml +++ b/assets/idp.example.edu.dist/idp/conf/admin/metrics.xml @@ -73,7 +73,7 @@ idp.entityID --> - + diff --git a/assets/idp.example.edu.dist/idp/conf/global.xml b/assets/idp.example.edu.dist/idp/conf/global.xml index 6b99dc0..ec68556 100644 --- a/assets/idp.example.edu.dist/idp/conf/global.xml +++ b/assets/idp.example.edu.dist/idp/conf/global.xml @@ -15,9 +15,9 @@ - %{idp.home}/conf/relying-party.xml %{idp.home}/conf/credentials.xml From ea09283b7b31cf3cf9b6d5c0496bb6a51577f44a Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 06:10:53 +0000 Subject: [PATCH 22/29] general-admin.xml file replace with the admin.properties --- .../idp/conf/admin/general-admin.xml | 74 ------------------- 1 file changed, 74 deletions(-) delete mode 100644 assets/idp.example.edu.dist/idp/conf/admin/general-admin.xml diff --git a/assets/idp.example.edu.dist/idp/conf/admin/general-admin.xml b/assets/idp.example.edu.dist/idp/conf/admin/general-admin.xml deleted file mode 100644 index 2814bf6..0000000 --- a/assets/idp.example.edu.dist/idp/conf/admin/general-admin.xml +++ /dev/null @@ -1,74 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - From 52421402ae61a9b89b1c46f5b56a9ee3d5763eeb Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 06:13:06 +0000 Subject: [PATCH 23/29] admin.properties replaces general-admin.xml --- tasks/idp.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/idp.yml b/tasks/idp.yml index bc61f58..b75d447 100644 --- a/tasks/idp.yml +++ b/tasks/idp.yml 
@@ -327,10 +327,10 @@ mode: 0640 backup: yes -- name: 'Set admin/general-admin.xml' +- name: 'Set admin/admin.properties' template: - src: 'assets/{{inventory_hostname}}/idp/conf/admin/general-admin.xml' - dest: '{{ shib_idp.home }}/conf/admin/general-admin.xml' + src: 'assets/{{inventory_hostname}}/idp/conf/admin/admin.properties' + dest: '{{ shib_idp.home }}/conf/admin/admin.properties' owner: root group: jetty mode: 0640 From 0b506c7ac33f9c59166885f1d7e32009bf992bf0 Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 06:20:04 +0000 Subject: [PATCH 24/29] Ensure new files added to the assests distribution are added to the active assets area. --- upgrade.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/upgrade.yml b/upgrade.yml index de60fdf..9a78fb6 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -27,3 +27,9 @@ line: "\n# Set default encryption [GCM | CBC].\ndefault_encryption: \"GCM\"" insertafter: EOF when: default_encryption is not defined + + - name: 'Copy example files to assets only if they do not exist' + copy: + src: '{{ installer.repository }}/assets/idp.example.edu.dist/' + dest: '{{ installer.repository }}/assets/{{inventory_hostname}}' + force: no From fd4632abf3ed42b81bc388233b1a7188d62cc02c Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 06:24:05 +0000 Subject: [PATCH 25/29] Renamed update.yml to upgrade.yml --- upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/upgrade b/upgrade index 71bd8c3..55c7c37 100755 --- a/upgrade +++ b/upgrade @@ -49,7 +49,7 @@ then echo -e "\nNo changes have been made. Exiting." exit 1 else - ansible-playbook -i ansible_hosts update.yml --extra-var="install_base=$the_install_base" + ansible-playbook -i ansible_hosts upgrade.yml --extra-var="install_base=$the_install_base" echo "Changes have been applied, you must now deploy to apply these changes." fi From a5f91f4aee9416ae82e594d2710bb21f9a446e50 Mon Sep 17 00:00:00 2001 
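Review bot: The retargeted template task installs `{{ shib_idp.home }}/conf/admin/admin.properties`, but nothing in this hunk (or in the preceding patch, which only deletes the repository asset) removes the `conf/admin/general-admin.xml` that earlier releases deployed to the same directory, so hosts that upgrade in place end up with both files. If the IdP still loads general-admin.xml when it is present, its access-policy settings may override or contradict what admin.properties now declares, which is the kind of silent divergence that is hard to spot on an authentication-critical admin surface; this is inferred from the paths, not shown in the diff. Add a removal task next to the template, e.g. `- name: 'Remove superseded admin/general-admin.xml'` / `file: { path: '{{ shib_idp.home }}/conf/admin/general-admin.xml', state: absent }`. The remaining keys of the template task may continue past the end of the hunk.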
From: trsau Date: Fri, 9 Jul 2021 07:01:55 +0000 Subject: [PATCH 26/29] Reorganized the upgrade.yml file --- upgrade.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/upgrade.yml b/upgrade.yml index 9a78fb6..f6f9451 100644 --- a/upgrade.yml +++ b/upgrade.yml @@ -1,18 +1,18 @@ --- - hosts: all pre_tasks: - vars: - installer: - root: "{{ install_base }}/shibboleth-idp4-installer" - path: "{{ install_base }}/shibboleth-idp4-installer/build" - repository: "{{ install_base }}/shibboleth-idp4-installer/repository" tasks: - name: 'Verify Ansible meets AAF Installer version requirments.' assert: that: "ansible_version.full is version_compare('2.9', '>=')" msg: "You must update Ansible to at least 2.9 to use this version of the AAF IdP Installer." -- hosts: idp-servers +- hosts: idp_servers + vars: + installer: + root: "{{ install_base }}/shibboleth-idp4-installer" + path: "{{ install_base }}/shibboleth-idp4-installer/build" + repository: "{{ install_base }}/shibboleth-idp4-installer/repository" tasks: - name: 'Add idp_behind_proxy to host_vars if it does not exist' lineinfile: From 14ec1319bf8dce5d7d5dbbae81f0a471e90c24c8 Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 9 Jul 2021 07:05:53 +0000 Subject: [PATCH 27/29] Set repo to develop --- bootstrap-v4.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 2bead06..88cac2c 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -36,7 +36,7 @@ function set_internal_variables { GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git # GIT_BRANCH=master - GIT_BRANCH=feature_upgrade_shib4.1.2 + GIT_BRANCH=develop FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp From 04126886a2be816cf18008033084ab477da0ab93 Mon Sep 17 00:00:00 2001 
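Review bot: The second play's target changes from `- hosts: idp-servers` to `- hosts: idp_servers`, a host-pattern rename the commit message ("Reorganized the upgrade.yml file") does not mention; it is only correct if the `ansible_hosts` inventory defines the group under the new name, otherwise the play matches nothing and the upgrade tasks (including the lineinfile that sets `idp_behind_proxy`) silently never run, and the inventory is not in the diff to confirm. Presumably the rename is to avoid the hyphen-in-group-name warning newer Ansible emits; either way the inventory change should land in the same commit. Separately, moving `vars:` out of the first play leaves a bare `pre_tasks:` key with no value, which is just a leftover; drop it so the play reads `- hosts: all` / `tasks:`. Both plays continue outside the hunk.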
From: trsau Date: Tue, 13 Jul 2021 00:36:16 +0000 Subject: [PATCH 28/29] Set umask and file ownership approprialty to ensure IdP works --- tasks/.system.yml.swp | Bin 12288 -> 0 bytes tasks/idp.yml | 12 +++++++++--- tasks/jetty.yml | 1 + tasks/libs.yml | 4 +++- 4 files changed, 13 insertions(+), 4 deletions(-) delete mode 100644 tasks/.system.yml.swp diff --git a/tasks/.system.yml.swp b/tasks/.system.yml.swp deleted file mode 100644 index 37055d435415be142cf3c9c29f21b0561bed4f83..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2&x;&I6vrz$Nc<7k9|-=qR7PZHgr3<=7G@ck2rfAU5~2>fHyLZX-)z@z|4LW& zWE;WFIq{Nz!n=47iC1qy(Srxi-W0re5>da^GrcpL)i7*8P+qg2?dkgQ>b-Bjddo63 zTHCpLU3S|W0@rgw{P6MJ4_4oJLcE60FEDuno`HrO$t9*xq7Z0KR~hNlx_RTNR)vC8b5jwy|$xLwB4qt@jPH{f?8ADUg(?QA9z%BqO|PU{9`IsT$>UMr~$Qz~rrvlAg?z z^~2#UZNq-Qp)%V*kCa6g!1B;neuy=lLDyO>hbcK3oZYONr1WG~+AvKnd082k=4Mp2 zJ2!jy1dF}7GgqevIAu;Z3!TH|O!@n2mkg|6)PIKx02o9j{GPKpj=wU_3@ z3FQV)vfr1D%|=VAB#_Nxfs{quXtgR&W=_{2k%}x(VmqzGD-%6X-^#x zEH4?*je*>mIl6h8$hxPFtcnM(!@ZU&tjBV`yWspWkx!Q`(@Z>4J65??!N_w7jx)rv zx;&Xe`n_P^TVMBZtD5T|PMcE4e0K>_S^dZKSkBLx`;{rT7wT{Vn$UD7xYj*2Q7)7^ zs(Ei6)RJkn@G1;NIw=l@Fs&oE@!KwxHXUHU7`HWSUeIEQICC9qWAtR&nx&EU%brB> z*d>$?44s)=$nODJIkI(=Jw|yjM@3dsM9s*~6afko7w=`yD?` z#(LK+2#*(5+X~6wKU(i-$1VijY&NHfGOXUF)J7IbKx3Uy(2{8`Pjn|~LMMAr>zq8O z5r0!WTwYhj!)4mE;J!I4wGpbKvGanqUDZifyXK{=>7Kk2HFP&u0k!^Z_m66y%c-T@ U$G`>m-Babh`x5}~J umask 0027; tar zx -C {{ jetty.root }} -f {{ jetty_dist_archive_path }} --no-same-permissions; + chown -R root {{ jetty.home }}; chgrp -R jetty {{ jetty.home }} creates={{ jetty.home }} diff --git a/tasks/libs.yml b/tasks/libs.yml index b5a32c2..3ed81bc 100644 --- a/tasks/libs.yml +++ b/tasks/libs.yml 
@@ -128,7 +128,9 @@ creates={{ installer.path }}/mysql-connector-java-{{ download.mysql_connector.version }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar - name: 'Copy over mysql connector lib' - command: 'cp {{ installer.path }}/mysql-connector-java-{{ download.mysql_connector.version }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar {{ shib_idp.libs }}/ creates="{{ shib_idp.libs }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar"' + shell: | + umask 0022 + cp {{ installer.path }}/mysql-connector-java-{{ download.mysql_connector.version }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar {{ shib_idp.libs }}/ creates="{{ shib_idp.libs }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar" - name: 'Link to mysql connector lib' file: From 86b9f72dde7bbc9b2881de72c00cd367fa6f99b8 Mon Sep 17 00:00:00 2001 From: trsau Date: Fri, 16 Jul 2021 02:01:57 +0000 Subject: [PATCH 29/29] Setup from new release version --- VERSION | 6 +++--- bootstrap-v4.sh | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/VERSION b/VERSION index 9e7eb97..38543e4 100644 --- a/VERSION +++ b/VERSION @@ -1,3 +1,3 @@ -AAF_IdP_Installer_version= 1.0.0 -Shibboleth_IdP_version= 4.1.0 -Jetty_version= 9.4.38.v20210224 +AAF_IdP_Installer_version= 1.1.0 +Shibboleth_IdP_version= 4.1.2 +Jetty_version= 9.4.43.v20210629 diff --git a/bootstrap-v4.sh b/bootstrap-v4.sh index 88cac2c..4b93fc6 100755 --- a/bootstrap-v4.sh +++ b/bootstrap-v4.sh @@ -35,8 +35,7 @@ function set_internal_variables { ACTIVITY_LOG=$INSTALL_BASE/shibboleth-idp4-installer/activity.log GIT_REPO=https://github.com/ausaccessfed/shibboleth-idp4-installer.git -# GIT_BRANCH=master - GIT_BRANCH=develop + GIT_BRANCH=master FR_TEST_REG=https://manager.test.aaf.edu.au/federationregistry/registration/idp FR_PROD_REG=https://manager.aaf.edu.au/federationregistry/registration/idp
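Review bot: The `creates="{{ shib_idp.libs }}/mysql-connector-java-...jar"` token now sits at the end of the `cp` line inside a multi-line `shell: |` block rather than in the old single-line free-form string, so the idempotence guard depends on Ansible still extracting that key=value from the script text across the `umask 0022` newline; if it is not extracted, `cp` receives it as a third operand and fails with a target-is-not-a-directory error, and if it is extracted silently the intent is still invisible to the next reader. Make the guard explicit by removing the token from the `cp` line and adding `args:` / `  creates: '{{ shib_idp.libs }}/mysql-connector-java-{{ download.mysql_connector.version }}.jar'` under the `shell` task. The `umask 0022` makes the copied jar world-readable (0644), which looks intentional for a library the Jetty user must load, but worth a one-line comment stating so since the neighbouring patch tightens other trees to 0027. The task's surrounding list continues outside the hunk.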