Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Some more fixes to get Pagure to work with OIDC on staging

Browse source 
- patch the httplib2 library to avoid hardcoding TLSv1
- set the missing configuration variables in `pagure.cfg` (they have no
  defaults)
- set the password for the future production version of
  `client_secrets.json`

Also note that in the private ansible repo, the Pagure client
configuration in Ipsilon was fixed: the `token_endpoint_auth_method`
variable was set to `"client_secret_post"`.

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2023-08-11 11:01:37 +02:00 committed by Michal Konecny
parent a05113b48d
commit 1e26cf9246
3 changed files with 28 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

11
roles/pagure/tasks/main.yml
View file

@ -517,3 +517,14 @@
tags: tags:
- pagure - pagure
- letsencrypt - letsencrypt
# httplib2 0.10.3, as available in EL8, hardcodes TLSv1. The next version
# (0.11.0) chooses the TLS version that is supported by both client and server.
# That variable is only available since Python 3.5+, but EL8 has Python 3.6, so
# we're good to patch. The alternative would be for EL8 to update httplib2 to
# at least version 0.11.0.
- name: Patch httplib2 to not hardcode TLSv1, which is not accepted by Ipsilon
ansible.builtin.replace:
path: /usr/lib/python3.6/site-packages/httplib2/__init__.py
regexp: 'ssl\.PROTOCOL_TLSv1'
replace: 'ssl.PROTOCOL_TLS'

5
roles/pagure/templates/client_secrets.json
View file

@ -1,8 +1,8 @@
{ {
"web": { "web": {
"client_id": "pagure",
{% if env == 'pagure-staging' %} {% if env == 'pagure-staging' %}
"auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization", "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
"client_id": "{{ pagure_oidc_client_id }}",
"client_secret": "{{ pagure_stg_oidc_client_secret }}", "client_secret": "{{ pagure_stg_oidc_client_secret }}",
"issuer": "https://id.stg.fedoraproject.org/openidc/", "issuer": "https://id.stg.fedoraproject.org/openidc/",
"redirect_uris": [ "redirect_uris": [
@ -12,8 +12,7 @@
"userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo" "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
{% else %} {% else %}
"auth_uri": "https://id.fedoraproject.org/openidc/Authorization", "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
"client_id": "{{ pagure_oidc_client_id }}", "client_secret": "{{ pagure_oidc_client_secret }}",
"client_secret": "{{ pagure_stg_oidc_client_secret }}",
"issuer": "https://id.fedoraproject.org/openidc/", "issuer": "https://id.fedoraproject.org/openidc/",
"redirect_uris": [ "redirect_uris": [
"https://pagure.io/login" "https://pagure.io/login"

20
roles/pagure/templates/pagure.cfg
View file

@ -193,13 +193,23 @@ DISABLED_PLUGINS = ['IRC']
# Authentication related configuration option # Authentication related configuration option
### Switch the authentication method ### Switch the authentication method
# Specify which authentication method to use, defaults to `fas` can be or # Specify which authentication method to use: `openid`, `oidc`, `local`
# `local`
# Default: ``fas``. # Default: ``fas``.
{% if env == 'pagure-staging' %} {% if env == 'pagure-staging' %}
PAGURE_AUTH = 'openid' PAGURE_AUTH = 'oidc'
#PAGURE_AUTH = 'oidc' OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
#OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json" OIDC_ID_TOKEN_COOKIE_SECURE = True
OIDC_SCOPES = [
'openid', 'email', 'profile',
'https://id.fedoraproject.org/scope/groups',
'https://id.fedoraproject.org/scope/agreements',
]
OIDC_PAGURE_EMAIL = 'email'
OIDC_PAGURE_FULLNAME = 'fullname'
OIDC_PAGURE_USERNAME = 'preferred_username'
OIDC_PAGURE_SSH_KEY = 'ssh_key'
OIDC_PAGURE_GROUPS = 'groups'
OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
{% else %} {% else %}
PAGURE_AUTH = 'openid' PAGURE_AUTH = 'openid'
{% endif %} {% endif %}