From 0eec23dcd856c80641ce8a2ecd1277a6d1290214 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Thu, 8 Feb 2018 12:28:19 +0100
Subject: [PATCH] Switch Koschei web auth to OpenIDC
---
 inventory/group_vars/koschei-web | 4 +++-
 inventory/group_vars/koschei-web-stg | 5 ++++-
 roles/koschei/frontend/tasks/main.yml | 2 +-
 .../frontend/templates/config-frontend.cfg.j2 | 7 -------
 roles/koschei/frontend/templates/httpd.conf.j2 | 18 +-----------------
 5 files changed, 9 insertions(+), 27 deletions(-)
diff --git a/inventory/group_vars/koschei-web b/inventory/group_vars/koschei-web
index 9ddb030906..3f93bccff4 100644
--- a/inventory/group_vars/koschei-web
+++ b/inventory/group_vars/koschei-web
@@ -12,9 +12,11 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji02.phx2.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
-koschei_openid_provider: id.fedoraproject.org
+koschei_oidc_provider: id.fedoraproject.org
 koschei_bugzilla: bugzilla.redhat.com
+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}"
 tcp_ports: [ 80, 443 ]
diff --git a/inventory/group_vars/koschei-web-stg b/inventory/group_vars/koschei-web-stg
index aabde7a764..c3692a7c30 100644
--- a/inventory/group_vars/koschei-web-stg
+++ b/inventory/group_vars/koschei-web-stg
@@ -11,9 +11,12 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei
 koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
-koschei_openid_provider: id.stg.fedoraproject.org
+koschei_oidc_provider: id.stg.fedoraproject.org
 koschei_bugzilla: partner-bugzilla.redhat.com
+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}"
+
 tcp_ports: [ 80, 443 ]
 custom_rules: [
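Review bot: The prod group now points `koschei_oidc_client_secret` and `koschei_oidc_crypto_secret` at `koschei_oidc_client_secret_prod` and `koschei_oidc_crypto_secret_prod`, but nothing in this patch defines those two names, so the diff alone cannot show that they exist in the private (vaulted) vars; the `_stg` pair referenced by the koschei-web-stg hunk was already used directly by the old httpd.conf.j2 and is presumably defined. If the `_prod` pair is missing, rendering httpd.conf.j2 fails with an undefined-variable error rather than writing an empty `OIDCClientSecret`, which is the right failure mode, but it should be confirmed before the first prod run. A comment above the two new lines in each file, e.g. `# mod_auth_openidc client secret and session-crypto passphrase; real values are defined in the private vars`, would tell the next reader where to look.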
diff --git a/roles/koschei/frontend/tasks/main.yml b/roles/koschei/frontend/tasks/main.yml
index dc8f201c00..85e5bc3010 100644
--- a/roles/koschei/frontend/tasks/main.yml
+++ b/roles/koschei/frontend/tasks/main.yml
@@ -4,7 +4,7 @@
 - koschei-frontend
 - koschei-frontend-fedora
 - koschei-frontend-copr
- - "{{ 'mod_auth_openidc' if env == 'staging' else 'mod_auth_openid' }}"
+ - mod_auth_openidc
 tags:
 - koschei
 - packages
diff --git a/roles/koschei/frontend/templates/config-frontend.cfg.j2 b/roles/koschei/frontend/templates/config-frontend.cfg.j2
index dd18b0005c..9ae9d25ba9 100644
--- a/roles/koschei/frontend/templates/config-frontend.cfg.j2
+++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2
@@ -61,20 +61,13 @@ config = {
 "frontend": {
 "builds_per_page": 8,
 "auth": {
- {% if env == 'staging' %}
 "user_re": "(.+)",
 "user_env": "OIDC_CLAIM_nickname",
- {% else %}
- "user_re": "http://(.+)\\.id{{ env_prefix }}\\.fedoraproject\\.org/",
- {% endif %}
 },
 "fedora_assets_url": "/global",
 "fedmenu_url": "/fedmenu",
 "fedmenu_data_url": "/js/data.js",
 },
- "openid": {
- "openid_provider": "{{ koschei_openid_provider }}",
- },
 "links": [
 {"name": "Packages", "url": "https://apps{{ env_prefix }}.fedoraproject.org/packages/{package.name}"},
diff --git a/roles/koschei/frontend/templates/httpd.conf.j2 b/roles/koschei/frontend/templates/httpd.conf.j2
index 67032217b4..1dd652c575 100644
--- a/roles/koschei/frontend/templates/httpd.conf.j2
+++ b/roles/koschei/frontend/templates/httpd.conf.j2
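Review bot: Installing `mod_auth_openidc` unconditionally does not remove `mod_auth_openid` from production hosts that already have it, so after this change the old module remains installed and, if its packaged module configuration is still enabled, loaded into httpd next to the new one. Since the httpd.conf.j2 hunk drops every `AuthOpenID*` directive, a follow-up task in this file that puts `mod_auth_openid` in `state: absent` (tagged like this one) would leave a single authentication module on the host. The enclosing task, whose package list this hunk is part of, starts before the hunk.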
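Review bot: `"user_env": "OIDC_CLAIM_nickname"` now applies to every environment, and nothing in the template says where that variable comes from or that `"user_re": "(.+)"` takes the whole claim value as the Koschei user name, which the removed OpenID regex made explicit by extracting the name from the identity URL. A comment inside the `"auth"` block such as `# user name = whole "nickname" claim exported by mod_auth_openidc as OIDC_CLAIM_nickname` would keep that visible; written as a Jinja comment (`{# ... #}`) it stays out of the rendered file, and since the rendered output looks like Python (`config = {`), a plain `#` comment would also survive. The `config` mapping this hunk edits starts before the hunk and continues after it.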
@@ -16,17 +16,11 @@
 Require all granted
-{% if env == 'staging' %}
 OIDCRedirectURI "{{ koschei_topurl }}/login/redirect_uri"
- OIDCProviderMetadataURL "https://{{ koschei_openid_provider }}/openidc/wellknown_openid_configuration"
+ OIDCProviderMetadataURL "https://{{ koschei_oidc_provider }}/openidc/wellknown_openid_configuration"
 OIDCClientID "koschei"
- {% if env == 'staging' %}
- OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}"
- OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}"
- {% else %}
 OIDCClientSecret "{{ koschei_oidc_client_secret }}"
 OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}"
- {% endif %}
 OIDCSSLValidateServer On
 OIDCResponseType "code"
@@ -36,14 +30,4 @@
 AuthType openid-connect
 Require valid-user
-{% else %}
-
- Require valid-user
- AuthType OpenID
- AuthOpenIDSingleIdP https://{{ koschei_openid_provider }}/
- AuthOpenIDServerName https://apps.fedoraproject.org
- AuthOpenIDTrustRoot https://apps.fedoraproject.org/koschei/
- AuthOpenIDUseCookie off
-
-{% endif %}
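Review bot: With the `{% if env == 'staging' %}` guard gone, the rendered httpd config now carries `OIDCClientSecret` and `OIDCCryptoPassphrase` on production as well, where the previous mod_auth_openid block held no secrets; the task that writes this template is outside the patch, so the diff cannot show whether the file is written root-only (for example `mode: "0600"` on the template task), which is worth confirming before the prod deploy. Dropping the inner `{% if %}`/`{% else %}` also makes `koschei_oidc_client_secret`, `koschei_oidc_crypto_secret` and `koschei_oidc_provider` mandatory for every inventory group that applies this role, and the two group_vars hunks in this patch define them for koschei-web and koschei-web-stg only. The configuration block these directives sit in starts before the hunk and continues after it.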