Adding vulnerablesamlapp

[saml]Bump version to 1.0.4 and add TLS configuration to ingress for secure connections

[saml]Bump version to 1.0.5 and enable HTTPS in deployment configuration

Bump version to 1.0.6 and remove unused volume mounts in deployment configuration

charts/vulnerablesamlapp/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/vulnerablesamlapp/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: vulnerablesamlapp
+description: A Helm chart for Kubernetes
+
+#https://github.com/NeuraLegion/VulnerableSAMLApp
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+keywords:
+- saml
+version: 1.0.6
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

charts/vulnerablesamlapp/templates/configmap-idp.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $.Release.Name }}-idp
+  labels:
+    app: {{ $.Release.Name }}-idp
+data:
+  saml20-sp-remote.php: |
+    <?php
+    /**
+    * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+    *
+    * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+    */
+
+    /*
+    * Example SimpleSAMLphp SAML 2.0 SP
+    */
+    $metadata['https://saml2sp.example.org'] = array(
+            'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+            'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+    );
+
+    /*
+    * This example shows an example config that works with G Suite (Google Apps) for education.
+    * What is important is that you have an attribute in your IdP that maps to the local part of the email address
+    * at G Suite. In example, if your Google account is foo.com, and you have a user that has an email [email protected], then you
+    * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+    */
+    $metadata['google.com'] = array(
+            'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+            'simplesaml.nameidattribute' => 'uid',
+            'simplesaml.attributes' => FALSE,
+    );
+
+    $metadata['http://{{ .Values.ingress.url }}/metadata/'] = array (
+            'AssertionConsumerService' => 'http://{{ .Values.ingress.url }}/?acs',
+            'SingleLogoutService' => 'http://{{ .Values.ingress.url }}/?sls',
+    );
+
+    $metadata['http://{{ .Values.ingress.url }}/metadata'] = array (
+            'AssertionConsumerService' => 'http://{{ .Values.ingress.url }}/?acs',
+            'SingleLogoutService' => 'http://{{ .Values.ingress.url }}/?sls',
+    );
+

charts/vulnerablesamlapp/templates/configmap-sp.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $.Release.Name }}-sp
+  labels:
+    app: {{ $.Release.Name }}-sp
+data:
+  settings.json: |
+        {
+        "strict": true,
+        "debug": true,
+        "sp": {
+                "entityId": "http://{{ .Values.ingress.url }}/metadata/",
+                "assertionConsumerService": {
+                "url": "http://{{ .Values.ingress.url }}/?acs",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                },
+                "singleLogoutService": {
+                "url": "http://{{ .Values.ingress.url }}/?sls",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                },
+                "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+                "x509cert": "MIIDSTCCAjGgAwIBAgIJAMrYtXzE+otvMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJLUzEQMA4GA1UEBwwHV2ljaGl0YTENMAsGA1UECgwEQmxlaDAeFw0xODAxMDgxODI5NDNaFw0yODAxMDgxODI5NDNaMDsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJLUzEQMA4GA1UEBwwHV2ljaGl0YTENMAsGA1UECgwEQmxlaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL7Mi/jls3XYiEhS/IL2K8geg1/V9ei9B7H8b4ekxzm141IR4iERVu9eL7xclM0VdpSavOsO2vzve/ML9cfY21P1Acvoj1i+txsLUdBNeREr8MneuLfdv+tPfy1qc19RPnmbxxSCGvlSeNV/TOMqyvJKg4wHS7ZXlNcrWl0SCVTN8FKJGZYG7YfYnBI0uH6H4zqpWpB3S3DSgl3u5ocTYN5tbU6aW7k30+xe53OIed42XffBBplX9Ye9biAbj110JLLn4UTy4BDvb21e9FGfJY2lYXWJCvBZZJc4NAzLOSn1BtDjF3ouZQt17I6MJN72GVnJfRN4jBI4qULrkDcQQu0CAwEAAaNQME4wHQYDVR0OBBYEFN+z4GtgrmhxbjtzIJFQrFVRh9lgMB8GA1UdIwQYMBaAFN+z4GtgrmhxbjtzIJFQrFVRh9lgMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGbmHjd1RrOK/HdNdIy47tyYo5H7DYCwUPDtj9lN9GShQ3gC41C8kNUqRpO4yt/BmMOCf6jpqdF/86/KJoyHwP1uFNFhu/1k5kH/m7EXH7wIR73fb+/gfOOvgJUSvUPt2Bh/Qbt/TB+PUnAf24bR2cvDPeKJFb2O4QUfyZgoex79mjq3d+SDq3ulxg9TKYzFTjDRr0zYkmfZPW+CY3lKxBGfou3v6ysuZONbVUZi1adXezneWAudpMp0NvujOb0PgfQ0dZyixe2opDgPPsJpy5EP9nQJKM3YhuVtZ1IcXTI3rDmnT0IVdqxvAp3npO4rFfI5qXnk4oiY4mPI5CZwex4=",
+                "privateKey": "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+zIv45bN12IhIUvyC9ivIHoNf1fXovQex/G+HpMc5teNSEeIhEVbvXi+8XJTNFXaUmrzrDtr873vzC/XH2NtT9QHL6I9YvrcbC1HQTXkRK/DJ3ri33b/rT38tanNfUT55m8cUghr5UnjVf0zjKsrySoOMB0u2V5TXK1pdEglUzfBSiRmWBu2H2JwSNLh+h+M6qVqQd0tw0oJd7uaHE2DebW1Omlu5N9PsXudziHneNl33wQaZV/WHvW4gG49ddCSy5+FE8uAQ729tXvRRnyWNpWF1iQrwWWSXODQMyzkp9QbQ4xd6LmULdeyOjCTe9hlZyX0TeIwSOKlC65A3EELtAgMBAAECggEAUpRbXK2mX7IJQixQyCndxy6Vs8v6M/Jkuz9D0lSaObskmSfOVHuZwd5lEMSNTrokaasTazUxyNmqLwaVKRsNyqe3UFbmfAWHYLgkf+CYLrty6xxvnHzojOMKa1CwgKe8P4wRvSmWnSR50gXX9FZYIkfn6ZpaxZ/gdsR3xuKAkWgVAHhowLwMZiqdyrcaCMHpOn4KQzZaK8rcfT2RU0TEXW37HVBCLseBSxAFpBF2Y80rpgXAwA0stE+22Y8eWRy6Woo3K5KLh+PPymYu/2/msSgNQv2WJVw61W6SrG06FsCdAfuN80mE3ugFf7QOh2FZZMrpu/C4f9zrmweSe8tKAQKBgQDsy8yuFyUZYsGo3q8GZ/r4aEqah8CLsQAdN1rVPw8HMVCraPOeGwqXK78Sd8RcWII8IQdl4O4y+SnKm9SP6+bkgpBHRNkg7NBBMwEKnB0bVmESIbN29mIq2M+gEjUeBDR8sQOGsspNNT8XC4gb/jVe+POJyfubgjTh5H9bZ/t9gQKBgQDORclzRikXLFPlyWxBf/lyDUQlYoSlie6a+eKSmuBn/QlUi4Wx5x8KPgSJtBGjQWMEwf/mbs3g+f2u95xZnME2s2/tV1BP5siM7XaaMPuUydRZMQ/A11nFIdOWxtPjUVZnwEqRqi5h90rktnRVTvhDHi6LyY03mo1rAVy24stTbQKBgQDSprZNxL83Jxh6nqb7PvMPms+LSuqqGmqskvrWK4O19VP7OKFIbGvucXdH+Y2QTRiGXyeSpReh9vALkrb01XoQnGm3TPMPjDvzVGk/xANMt3ohRCO/140a6sdBchEYw8rhhiNJ57F6H70hRhvuMyXNeBBG6o1PGPTsY3Y8nXMngQKBgQCH5wzqKSCrhuYj8IilwxZrYXgzlWxF0NHnQ5pW8znE6b869833P4qA6gl9XKl+QXdmzBa5EOoOP0c3/yYBGLloO+MTocJlUm1yBIZu4rTu++cveJajfH9F1ZqdrZQvIgjmxJecz15N52ttsxSEnEoPlpQeP4YOS4K/LJ+UU2qZJQKBgQDZIIcCmyjCCfLJoYDkP1QdZc75lRvFbg1zAtz65zs+LwsQ+FuZJAYasK4miKYLjJAu79ZGwekiX3e9F1i6NwB9APN6gl8F3sZXB+HN9wZsNEHcyyPzFVwvCxj0nw+dPC0/Q3xdrgVSvO4w0PWTEhBwX/CHEsAGYKohpLt4xHnn2Q=="
+        },
+        "idp": {
+                "entityId": "http://idp-{{ .Values.ingress.url }}/simplesamlphp/saml2/idp/metadata.php",
+                "singleSignOnService": {
+                "url": "http://idp-{{ .Values.ingress.url }}/simplesamlphp/saml2/idp/SSOService.php",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                },
+                "singleLogoutService": {
+                "url": "http://idp-{{ .Values.ingress.url }}/simplesamlphp/saml2/idp/SingleLogoutService.php",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                },
+                "x509cert": "MIIDeTCCAmGgAwIBAgIJANvZGeYKX7nIMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZLYW5zYXMxEDAOBgNVBAcMB1dpY2hpdGExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODAxMTAxNzAzMThaFw0yODAxMTAxNzAzMThaMFMxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZLYW5zYXMxEDAOBgNVBAcMB1dpY2hpdGExITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOysjXhxnPnXGheeidZphc8PurUT+ToxJBswCk3/uY3lPeAGLaS2a0XvQw9UUJ7qoZ8BiSlegIVD/940E+5T0EPmBJrmJB3VQCEF/tHdo+WCL0JTg1paJCnkS1kZqMUMmH1OHwQg8cKAL0D0VcEl0z0v6gQkKcEU4UNTk8TQB7dNK1EemM9PWDx5ZBIyW7osY+ECR5k4bWal9sexdicrUnRbgszkQfgp5Rx+OUyu6WKWCyl8swrz0CWLI16uA5EdSi5evQkJnzVI/e9uvOUDWc/zwSfiEA1ZnwWtW3tr/F09WTvg/6zInqh2TxIwk3uKxyu7HMFekcu2tAVNyiJjp5ECAwEAAaNQME4wHQYDVR0OBBYEFOnZYhqx73Vel6SbDJxtovD/VLPKMB8GA1UdIwQYMBaAFOnZYhqx73Vel6SbDJxtovD/VLPKMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAISIj9g7X0PGUbeclFg+ZvfclSCqVpypzy2nJMWC5S8IyOFjo+BQbbry1bR2sKZ9OwIReFDh0qSOh+dzNSlKvfwj5B/phocmzi9UTAlatex02x/QYO3A0iDDj1Qf3cJQj2QJQ/Lqk+yynVdWREfFdHTyjqozd3UoC1SdITskigDCgPjLIVvlrIexBwucspctmNoRYcVzLGpOMlgQHMoMKsG0DHAFC0S/baWs8eulYsl8nDQWx0W96DS0pw/jskDxsyIw4rMpqzYfR1XBI2lcALqIjaucDPAZMI9OufoHCSgmUPD1h4g5oIZn/27SkhWqi/hfnBBTc4otzB0h+9q6FhU="
+        }
+        }
+

charts/vulnerablesamlapp/templates/deployment.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app: {{ .Release.Name }}
+    spec:
+      restartPolicy: Always
+      hostAliases:
+      - ip: "127.0.0.1"
+        hostnames:
+        - "vulnerableidp"
+        - "vulnerablesp"
+      containers:
+        - name: vulnerableidp
+          image: brightsec/vulnerablesamlapp:vulnerableidp
+          imagePullPolicy: Always
+          env:
+            - name: IDP_HOST
+              value: "idp-{{ .Values.ingress.url }}"
+            - name: SP_HOST
+              value: "{{ .Values.ingress.url }}"
+            - name: USE_HTTPS
+              value: "1"  
+          ports:
+          - name: port80
+            containerPort: 80
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 300m
+              memory: 512Mi
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 120
+            periodSeconds: 30
+
+        - name: vulnerablesp
+          image: brightsec/vulnerablesamlapp:vulnerablesp
+          imagePullPolicy: Always
+          ports:
+          - containerPort: 8000
+          env:
+            - name: SP_HOST
+              value: "{{ .Values.ingress.url }}"
+            - name: IDP_HOST
+              value: "idp-{{ .Values.ingress.url }}"
+            - name: USE_HTTPS
+              value: "1"  
+          resources:
+            requests:
+              cpu: 25m
+              memory: 256Mi
+            limits:
+              cpu: 100m
+              memory: 512Mi
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8000
+              scheme: HTTP
+            initialDelaySeconds: 120
+            periodSeconds: 30
+

charts/vulnerablesamlapp/templates/ingress.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.1 TLSv1.2"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    {{ if eq .Values.ingress.cert "" }}
+    cert-manager.io/cluster-issuer: letsencrypt-cf-prod
+    {{ end }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - {{ .Values.ingress.url }}
+      secretName: {{ if eq .Values.ingress.cert "" }}distributorwildcard{{ else }}{{ .Values.ingress.cert }}{{ end }}
+  rules:
+    - host: {{ .Values.ingress.url }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  number: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-idp
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.1 TLSv1.2"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    {{ if eq .Values.ingress.cert "" }}
+    cert-manager.io/cluster-issuer: letsencrypt-cf-prod
+    {{ end }}
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - idp-{{ .Values.ingress.url }}
+      secretName: {{ if eq .Values.ingress.cert "" }}distributorwildcard{{ else }}{{ .Values.ingress.cert }}{{ end }}
+  rules:
+    - host: idp-{{ .Values.ingress.url }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  number: 80
+
+

charts/vulnerablesamlapp/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    - name: http8000
+      port: 8000
+      targetPort: 8000
+  selector:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app: {{ .Release.Name }}

charts/vulnerablesamlapp/values.yaml

@@ -0,0 +1,4 @@
+ingress:
+  url: dev.vuln.nexploit.app
+  cert: ""
+  authlevel: "."