Some more fixes to get Pagure to work with OIDC on staging

- patch the httplib2 library to avoid hardcoding TLSv1 - set the missing configuration variables in `pagure.cfg` (they have no defaults) - set the password for the future production version of `client_secrets.json` Also note that in the private ansible repo, the Pagure client configuration in Ipsilon was fixed: the `token_endpoint_auth_method` variable was set to `"client_secret_post"`. Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2023-08-11 11:01:37 +02:00 · 2023-08-11 11:01:37 +02:00 · 1e26cf9246
commit 1e26cf9246
parent a05113b48d
3 changed files with 28 additions and 8 deletions
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@ -517,3 +517,14 @@
  tags:
  - pagure
  - letsencrypt
+
+# httplib2 0.10.3, as available in EL8, hardcodes TLSv1. The next version
+# (0.11.0) chooses the TLS version that is supported by both client and server.
+# That variable is only available since Python 3.5+, but EL8 has Python 3.6, so
+# we're good to patch. The alternative would be for EL8 to update httplib2 to
+# at least version 0.11.0.
+- name: Patch httplib2 to not hardcode TLSv1, which is not accepted by Ipsilon
+  ansible.builtin.replace:
+    path: /usr/lib/python3.6/site-packages/httplib2/__init__.py
+    regexp: 'ssl\.PROTOCOL_TLSv1'
+    replace: 'ssl.PROTOCOL_TLS'
--- a/roles/pagure/templates/client_secrets.json
+++ b/roles/pagure/templates/client_secrets.json
@ -1,8 +1,8 @@
 {
    "web": {
+        "client_id": "pagure",
 {% if env == 'pagure-staging' %}
        "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
-        "client_id": "{{ pagure_oidc_client_id }}",
        "client_secret": "{{ pagure_stg_oidc_client_secret }}",
        "issuer": "https://id.stg.fedoraproject.org/openidc/",
        "redirect_uris": [
@ -12,8 +12,7 @@
        "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
 {% else %}
        "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
-        "client_id": "{{ pagure_oidc_client_id }}",
-        "client_secret": "{{ pagure_stg_oidc_client_secret }}",
+        "client_secret": "{{ pagure_oidc_client_secret }}",
        "issuer": "https://id.fedoraproject.org/openidc/",
        "redirect_uris": [
            "https://pagure.io/login"
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@ -193,13 +193,23 @@ DISABLED_PLUGINS = ['IRC']
 # Authentication related configuration option

 ### Switch the authentication method
-# Specify which authentication method to use, defaults to `fas` can be or
-# `local`
+# Specify which authentication method to use: `openid`, `oidc`, `local`
 # Default: ``fas``.
 {% if env == 'pagure-staging' %}
-PAGURE_AUTH = 'openid'
-#PAGURE_AUTH = 'oidc'
-#OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OIDC_SCOPES = [
+    'openid', 'email', 'profile',
+    'https://id.fedoraproject.org/scope/groups',
+    'https://id.fedoraproject.org/scope/agreements',
+]
+OIDC_PAGURE_EMAIL = 'email'
+OIDC_PAGURE_FULLNAME = 'fullname'
+OIDC_PAGURE_USERNAME = 'preferred_username'
+OIDC_PAGURE_SSH_KEY = 'ssh_key'
+OIDC_PAGURE_GROUPS = 'groups'
+OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
 {% else %}
 PAGURE_AUTH = 'openid'
 {% endif %}