Adding feature to enable SP/IdP certificates and keys
diff --git a/shibboleth/files/shibboleth2.xml b/shibboleth/files/shibboleth2.xml
index 7f0482b..0ec230e 100644
--- a/shibboleth/files/shibboleth2.xml
+++ b/shibboleth/files/shibboleth2.xml
@@ -71,7 +71,9 @@
<MetadataProvider type="XML" uri="{{ server.idp_metadata_url }}"
backingFilePath="/etc/shibboleth/metadata.xml" reloadInterval="180000">
- <!-- <MetadataFilter type="Signature" certificate="fedsigner.pem"/> -->
+ {%- if server.idp_certificate is defined %}
+ <MetadataFilter type="Signature" certificate="/etc/shibboleth/fedsigner.pem"/>
+ {%- endif %}
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
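Review bot: When `server.idp_certificate` is not set in pillar, the rendered MetadataProvider carries no Signature filter at all, so the IdP metadata fetched from `idp_metadata_url` is accepted exactly as served, and nothing in the output records that this is a deliberate downgrade from the commented-out stock filter. An `{%- else %}` branch with a comment such as `<!-- idp_certificate not set in pillar: IdP metadata is loaded without signature verification -->` would make the unverified mode visible in the generated file. The new filter also uses the absolute path `/etc/shibboleth/fedsigner.pem`, while the CredentialResolver in the next hunk keeps the relative `sp-key.pem`/`sp-cert.pem`; all three files are written to /etc/shibboleth by the state change in this commit, so one path convention should be used for both.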
@@ -88,8 +90,10 @@
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+ {%- if server.sp_key_cert is defined %}
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+ {%- endif %}
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
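Review bot: The new guard removes the CredentialResolver entirely when `server.sp_key_cert` is undefined, and the explanatory comment on the line above it is now inside the conditional, so the rendered configuration gives no hint that the SP has been left without a keypair. I'd keep a trace in the output, e.g. `{%- else %}` followed by `<!-- sp_key_cert not set in pillar: no CredentialResolver, so the SP presumably cannot sign requests or decrypt assertions -->`. Whether shibd tolerates a missing resolver or refuses to start is not visible in this diff and is worth confirming before the optional path is relied on.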
diff --git a/shibboleth/server.sls b/shibboleth/server.sls
index 7a4bf7b..6da6460 100644
--- a/shibboleth/server.sls
+++ b/shibboleth/server.sls
@@ -15,6 +15,38 @@
- service: apache_service
- service: shibboleth_service
+{%- if server.idp_certificate is defined %}
+/etc/shibboleth/fedsigner.pem:
+ file.managed:
+ - contents_pillar: shibboleth:server:idp_certificate
+ - require:
+ - pkg: apache_packages
+ - watch_in:
+ - service: apache_service
+ - service: shibboleth_service
+{%- endif %}
+
+{%- if server.sp_key_cert is defined %}
+/etc/shibboleth/sp-key.pem:
+ file.managed:
+ - contents_pillar: shibboleth:server:sp_key_cert:key
+ - mode: 600
+ - require:
+ - pkg: apache_packages
+ - watch_in:
+ - service: apache_service
+ - service: shibboleth_service
+
+/etc/shibboleth/sp-cert.pem:
+ file.managed:
+ - contents_pillar: shibboleth:server:sp_key_cert:cert
+ - require:
+ - pkg: apache_packages
+ - watch_in:
+ - service: apache_service
+ - service: shibboleth_service
+{%- endif %}
+
/etc/shibboleth/attribute-map.xml:
file.managed:
- source: salt://shibboleth/files/attribute-map.xml
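Review bot: `/etc/shibboleth/sp-key.pem` is written with `mode: 600` but no `user`/`group`, so it ends up root-owned and readable only by root; if shibd runs under an unprivileged service account, as the distribution packages usually arrange, it will not be able to open the key at all. Add `- user: <shibd service account>` and `- group: <shibd group>` next to the mode (placeholders; use the account the Shibboleth package creates), and apply the same owner to `sp-cert.pem` for consistency. `file.managed` also includes content diffs in its state return by default, which would copy the private key from `shibboleth:server:sp_key_cert:key` into highstate output and job logs; `- show_changes: False` on that state keeps it out. Finally, `is defined` on `server.sp_key_cert` does not confirm that the `key` and `cert` sub-keys exist, so a partially populated pillar fails at the `contents_pillar` lookup instead of being skipped, which may be intended but deserves a comment; the state that the leading context lines belong to starts outside the hunk and the `attribute-map.xml` state continues past it.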