Update and deploy OIDC scopes

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2017-02-07 13:02:59 +00:00 · 2017-02-07 13:02:59 +00:00 · 788ecda667
commit 788ecda667
parent ce2f293cd8
4 changed files with 33 additions and 15 deletions
--- a/roles/ipsilon/files/fedora-scopes.py
+++ b/roles/ipsilon/files/fedora-scopes.py
@ -1,14 +0,0 @@
-from __future__ import absolute_import
-
-from ipsilon.providers.openidc.plugins.common import OpenidCExtensionBase
-
-
-class OpenidCExtension(OpenidCExtensionBase):
-    name = 'fedora'
-    display_name = 'Fedora'
-    scopes = {
-        'fedora': {
-            'display_name': 'Fedora',
-            'claims': ['cla', 'zoneinfo', 'groups']
-        }
-    }
--- a/roles/ipsilon/files/oidc_scopes/account-scopes.py
+++ b/roles/ipsilon/files/oidc_scopes/account-scopes.py
@ -0,0 +1,22 @@
+from __future__ import absolute_import
+
+from ipsilon.providers.openidc.plugins.common import OpenidCExtensionBase
+
+
+class OpenidCExtension(OpenidCExtensionBase):
+    name = 'fedora-account'
+    display_name = 'Fedora Account Information'
+    scopes = {
+        'fedora': {  # NOTE: This is temporary! DO NOT USE IN NEW PROJECTS!
+            'display_name': 'Fedora',
+            'claims': ['cla', 'zoneinfo', 'groups']
+        },
+        'https://id.fedoraproject.org/scope/groups': {
+            'display_name': 'Fedora Account Groups list',
+            'claims': ['groups']
+        },
+        'https://id.fedoraproject.org/scope/cla': {
+            'display_name': 'Fedora Account CLA status',
+            'claims': ['cla']
+        },
+    }
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@ -23,6 +23,16 @@
        dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/extensions/api.py
        owner=root group=root mode=0644

+- name: Copy OpenID Connect scope registrations
+  copy: src=oidc_scopes/{{item}}.py
+        dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openidc/plugins/{{item}}.py
+        owner=root group=root mode=0644
+  with_items:
+  - account-scopes
+  tags:
+  - ipsilon
+  - ipsilon/oidc_scopes
+
 - name: Apply hotfix for taiga to get POST results
  copy: src=openid_server.py
        dest=/usr/lib/python2.7/site-packages/openid/server/server.py
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -39,7 +39,7 @@ openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
 openidc idp key file=/etc/ipsilon/openidc{{env_suffix}}.key
 openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
-openidc enabled extensions=
+openidc enabled extensions=fedora-account
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy