From 1e26cf924694e931e9fef3b341d240b0b20c55ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 11 Aug 2023 11:01:37 +0200
Subject: [PATCH] Some more fixes to get Pagure to work with OIDC on staging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- patch the httplib2 library to avoid hardcoding TLSv1
- set the missing configuration variables in `pagure.cfg` (they have no defaults)
- set the password for the future production version of `client_secrets.json`

Also note that in the private ansible repo, the Pagure client configuration in Ipsilon was fixed: the `token_endpoint_auth_method` variable was set to `"client_secret_post"`.

Signed-off-by: Aurélien Bompard
---
 roles/pagure/tasks/main.yml | 11 +++++++++++
 roles/pagure/templates/client_secrets.json | 5 ++---
 roles/pagure/templates/pagure.cfg | 20 +++++++++++++++-----
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml
index 4088a3e0b5..2b184a5be7 100644
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@@ -517,3 +517,14 @@
   tags:
   - pagure
   - letsencrypt
+
+# httplib2 0.10.3, as available in EL8, hardcodes TLSv1. The next version
+# (0.11.0) chooses the TLS version that is supported by both client and server.
+# That variable is only available since Python 3.5+, but EL8 has Python 3.6, so
+# we're good to patch. The alternative would be for EL8 to update httplib2 to
+# at least version 0.11.0.
+- name: Patch httplib2 to not hardcode TLSv1, which is not accepted by Ipsilon
+  ansible.builtin.replace:
+    path: /usr/lib/python3.6/site-packages/httplib2/__init__.py
+    regexp: 'ssl\.PROTOCOL_TLSv1'
+    replace: 'ssl.PROTOCOL_TLS'
diff --git a/roles/pagure/templates/client_secrets.json b/roles/pagure/templates/client_secrets.json
index f491759776..4a2a2f416c 100644
--- a/roles/pagure/templates/client_secrets.json
+++ b/roles/pagure/templates/client_secrets.json
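Review bot: The `regexp` on the new `ansible.builtin.replace` task, `ssl\.PROTOCOL_TLSv1`, is unanchored, so it would also rewrite any `ssl.PROTOCOL_TLSv1_1` or `ssl.PROTOCOL_TLSv1_2` occurrence into the non-existent names `ssl.PROTOCOL_TLS_1` / `ssl.PROTOCOL_TLS_2`; anchoring it as `regexp: 'ssl\.PROTOCOL_TLSv1\b'` touches only the bare constant. Whether 0.10.3 contains those longer names is not visible here, but the anchored form costs nothing. The file under `/usr/lib/python3.6/site-packages/httplib2/` is presumably owned by the distribution package, so a package update will silently put TLSv1 back until this task runs again, and `ssl.PROTOCOL_TLS` by itself still permits TLS 1.0/1.1 when the peer offers nothing newer — a sentence in the task's header comment recording both facts would help whoever next touches this. The task also has no `notify`, so already-running Pagure processes keep the unpatched module loaded until they are restarted.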
@@ -1,8 +1,8 @@
 {
   "web": {
+    "client_id": "pagure",
 {% if env == 'pagure-staging' %}
     "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
-    "client_id": "{{ pagure_oidc_client_id }}",
     "client_secret": "{{ pagure_stg_oidc_client_secret }}",
     "issuer": "https://id.stg.fedoraproject.org/openidc/",
     "redirect_uris": [
@@ -12,8 +12,7 @@
     "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
 {% else %}
     "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
-    "client_id": "{{ pagure_oidc_client_id }}",
-    "client_secret": "{{ pagure_stg_oidc_client_secret }}",
+    "client_secret": "{{ pagure_oidc_client_secret }}",
     "issuer": "https://id.fedoraproject.org/openidc/",
     "redirect_uris": [
     "https://pagure.io/login"
diff --git a/roles/pagure/templates/pagure.cfg b/roles/pagure/templates/pagure.cfg
index cfaf191c09..409ba264af 100644
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@@ -193,13 +193,23 @@ DISABLED_PLUGINS = ['IRC']
 # Authentication related configuration option
 ### Switch the authentication method
-# Specify which authentication method to use, defaults to `fas` can be or
-# `local`
+# Specify which authentication method to use: `openid`, `oidc`, `local`
 # Default: ``fas``.
 {% if env == 'pagure-staging' %}
-PAGURE_AUTH = 'openid'
-#PAGURE_AUTH = 'oidc'
-#OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OIDC_SCOPES = [
+    'openid', 'email', 'profile',
+    'https://id.fedoraproject.org/scope/groups',
+    'https://id.fedoraproject.org/scope/agreements',
+]
+OIDC_PAGURE_EMAIL = 'email'
+OIDC_PAGURE_FULLNAME = 'fullname'
+OIDC_PAGURE_USERNAME = 'preferred_username'
+OIDC_PAGURE_SSH_KEY = 'ssh_key'
+OIDC_PAGURE_GROUPS = 'groups'
+OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
 {% else %}
 PAGURE_AUTH = 'openid'
 {% endif %}
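Review bot: The new production line `"client_secret": "{{ pagure_oidc_client_secret }}",` interpolates the secret straight into a JSON string literal with no escaping, so a secret containing `"` or `\` renders an unparseable `client_secrets.json` and the OIDC login breaks at startup; the staging `client_secret` line kept as context in the first hunk has the same shape. Rendering the value through Ansible's `to_json` filter yields a correctly quoted literal: `"client_secret": {{ pagure_oidc_client_secret | to_json }},`. Moving `client_id` above the `{% if %}` as the literal `"pagure"` matches the description, but it likely leaves `pagure_oidc_client_id` as a dead variable in the private vars — worth removing there so nobody assumes it is still honoured.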
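Review bot: The rewritten comment `# Specify which authentication method to use: `openid`, `oidc`, `local`` no longer lists `fas`, yet the unchanged line right under it still says `# Default: ``fas``.`, so the two now contradict each other; either add `fas` to the list or correct the default line, whichever matches the Pagure version being deployed. `OIDC_ID_TOKEN_COOKIE_SECURE = True` is the right choice behind HTTPS, and `OIDC_CLIENT_SECRETS` points at `/etc/pagure/client_secrets.json`, which carries the client secret — the task that templates that file is outside this patch, so confirm it installs it with a restrictive mode and the service user as owner. The `OIDC_SCOPES` entries use the `https://id.fedoraproject.org/scope/...` host while this block is the staging branch whose issuer is `id.stg.fedoraproject.org`; if those scope identifiers are deliberately shared across environments, a one-line comment above `OIDC_SCOPES` saying so will stop a later reader from "fixing" them.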