From 7b2c578983d257a5e03da98d16fa07cf3308d12b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Wed, 24 Mar 2021 13:49:24 +0100
Subject: [PATCH] Ipsilon in prod is now on a VM like in staging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
 roles/ipsilon/templates/configuration.conf | 25 +---
 roles/ipsilon/templates/httpd.conf.j2 | 21 +---
 roles/ipsilon/templates/httpd.conf.staging.j2 | 107 ------------------
 roles/ipsilon/templates/ipsilon.conf | 5 -
 .../ipsilon/templates/ipsilon.conf.production | 32 ------
 roles/ipsilon/templates/ipsilon.conf.staging | 32 ------
 6 files changed, 6 insertions(+), 216 deletions(-)
 delete mode 100644 roles/ipsilon/templates/httpd.conf.staging.j2
 delete mode 100644 roles/ipsilon/templates/ipsilon.conf.production
 delete mode 100644 roles/ipsilon/templates/ipsilon.conf.staging
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index 5db6822276..0f7954219c 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -39,24 +39,15 @@ openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
 openidc subject salt={{ ipsilon_openidc_subject_salt }}
 {% endif %}
 openidc endpoint url=https://id{{env_suffix}}.fedoraproject.org/openidc/
-{% if env == 'staging' %}
 openidc idp key file=/etc/ipsilon/root/openidc.key
 openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
-{% else %}
-openidc idp key file=/etc/ipsilon/openidc.key
-openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
-{% endif %}
 openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openidc documentation url=https://fedoraproject.org/wiki/Infrastructure/Authentication
 openidc policy url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc tos url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
 openidc idp sig key id=20161031-sig
 openidc allow dynamic client registration=False
-{% if env == 'staging' %}
 openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
-{% else %}
-openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
-{% endif %}
 openid endpoint url=https://id{{env_suffix}}.fedoraproject.org/openid/
 openid identity url template=http://%(username)s.id{{env_suffix}}.fedoraproject.org/
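Review bot: The production OpenID Connect default attribute mapping now emits named claims the old production mapping did not (`nickname`, `ircnick`, `locale`, `timezone`, `website`, `gpg_keyid`, `ssh_key`, `privacy`, `human_name`), a change in what relying parties receive that the commit message, which only mentions the move to a VM, does not record. A template comment above the mapping line, e.g. `# Claim set unified with staging at the VM migration; the aliases beyond the "*" passthrough are new claims for production clients`, or a sentence in the commit message would make this auditable. The production signing key also moves from /etc/ipsilon/openidc.key to /etc/ipsilon/root/openidc.key while `openidc idp sig key id=20161031-sig` is kept, so presumably the existing key material is placed at the new path by a task outside this patch; a freshly generated key under the same key id would make tokens issued before the cutover fail verification. The `{% endif %}` near the top of the hunk closes a `{% if %}` that begins above it.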
@@ -68,25 +59,17 @@ openid trusted roots=https://ask.fedoraproject.org/,https://fedorahosted.org/,ht
 openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
-{% if env == 'staging' %}
 openid default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasWebsiteURL", "website"], ["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey", "ssh_key"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"]]
-{% else %}
-openid default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
-{% endif %}
-{% if env == 'staging' %}
 saml2 idp metadata file=metadata.xml
 saml2 idp storage path=/etc/ipsilon/root/saml2
+{% if env == 'staging' %}
 saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
+{% else %}
+saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
+{% endif %}
 saml2 idp certificate file=idp.crt
 saml2 idp key file=idp.key
-{% else %}
-saml2 idp metadata file=/httpdir/metadata.xml
-saml2 idp storage path=/etc/ipsilon
-saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
-saml2 idp certificate file=saml2_idp.crt
-saml2 idp key file=saml2_idp.key
-{% endif %}
 saml2 allow self registration=False
 saml2 default nameid=transient
 saml2 default email domain=fedoraproject.org
diff --git a/roles/ipsilon/templates/httpd.conf.j2 b/roles/ipsilon/templates/httpd.conf.j2
index db5293aa6b..ba5ce263c3 100644
--- a/roles/ipsilon/templates/httpd.conf.j2
+++ b/roles/ipsilon/templates/httpd.conf.j2
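Review bot: The production SAML2 IdP certificate and key are now read from `idp.crt`/`idp.key` under `/etc/ipsilon/root/saml2` instead of `saml2_idp.crt`/`saml2_idp.key` under `/etc/ipsilon`, and `saml2 idp metadata file` becomes the relative `metadata.xml`; nothing in this patch shows the existing production key pair being copied to the new names, so if a fresh pair lands there, every service provider that pinned the current IdP certificate in its metadata will reject assertions after the cutover. Worth confirming against the task that deploys these files, and recording the assumption in the template, e.g. `# idp.crt/idp.key must hold the already-published production IdP key pair; rotating it means re-distributing metadata.xml to every SP`. The nameid salt split added here preserves the per-environment salt, so NameID derivation should not change from this hunk alone.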
@@ -2,11 +2,9 @@ RewriteEngine on RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] #Alias /ui /usr/share/ipsilon/ui Alias /ui /usr/share/ipsilon/themes/Fedora -{% if env == "staging" %} Alias /.well-known /var/lib/ipsilon/root/public/well-known Alias /cache /var/cache/ipsilon Redirect /.well-known/webfinger /webfinger -{% endif %} # This is for mapping $username.id.fp.o -> id.fp.o/id/$username RewriteEngine on @@ -23,15 +21,10 @@ RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT] WSGIScriptAlias / /usr/libexec/ipsilon -{% if env == "staging" %} WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000 WSGISocketPrefix run/wsgi -{% else %} -WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 -WSGISocketPrefix /httpdir/run/wsgi -WSGIRestrictStdout Off -WSGIRestrictSignal Off -{% endif %} +#WSGIRestrictStdout Off +#WSGIRestrictSignal Off # This header is required to be passed for OIDC client_secret_basic WSGIPassAuthorization On # Without this, getting the private key in jwcrypto/jwk.py, line 430, fails @@ -52,11 +45,7 @@ WSGIApplicationGroup %{GLOBAL} Require all granted -{% if env == "staging" %} -{% else %} - -{% endif %} Require all granted @@ -66,11 +55,7 @@ WSGIApplicationGroup %{GLOBAL} AuthName "GSSAPI Single Sign On Login" -{% if env == "staging" %} GssapiCredStore keytab:/etc/httpd/conf/http.keytab -{% else %} - GssapiCredStore keytab:/etc/keytabs/service.keytab -{% endif %} AuthType GSSAPI # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS GssapiSSLonly Off @@ -80,7 +65,6 @@ WSGIApplicationGroup %{GLOBAL} ErrorDocument 500 /login/gssapi/failed -{% if env == "staging" %} LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so LoadModule authnz_pam_module modules/mod_authnz_pam.so 
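Review bot: `#WSGIRestrictStdout Off` and `#WSGIRestrictSignal Off` are left behind as unexplained commented-out directives in the WSGIDaemonProcess hunk; either remove them or say why they are kept, e.g. `# WSGIRestrictStdout/WSGIRestrictSignal were only relaxed on the old production deployment; mod_wsgi's restricted defaults apply on the VM`. Running the daemon as `user=ipsilon group=ipsilon` in production is the right direction, since the removed production block started the process group with no explicit user.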
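Review bot: Production GSSAPI login now reads `keytab:/etc/httpd/conf/http.keytab` instead of `/etc/keytabs/service.keytab`, and the last hunk on this line makes the `mod_intercept_form_submit`/`mod_authnz_pam` block, with its `InterceptFormPAMService ipsilon`, unconditional; neither a keytab at the new path nor a PAM service named `ipsilon` is provided by this patch. Presumably both come from tasks elsewhere in the role; if not, production fails closed on Kerberos (`ErrorDocument 500 /login/gssapi/failed`) and on form login. A comment on the keytab line such as `# must exist and be readable by the httpd user: mod_auth_gssapi runs in the httpd worker, not in the ipsilon WSGI daemon` would make the dependency visible. The `<Location>` blocks these directives sit in open and close outside the hunks.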
@@ -104,4 +88,3 @@ LoadModule authnz_pam_module modules/mod_authnz_pam.so
 Allow from All
-{% endif %}
diff --git a/roles/ipsilon/templates/httpd.conf.staging.j2 b/roles/ipsilon/templates/httpd.conf.staging.j2
deleted file mode 100644
index db5293aa6b..0000000000
--- a/roles/ipsilon/templates/httpd.conf.staging.j2
+++ /dev/null
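Review bot: `Allow from All` (with the `Order Allow,Deny` above it, visible in the deleted staging copy whose blob `db5293aa6b` matches the old httpd.conf.j2) is httpd 2.2-style access control that the removed `{% endif %}` now makes active in production as well; it depends on mod_access_compat and mixes with the `Require all granted` used elsewhere in this file, which the httpd 2.4 documentation advises against. Replacing the two lines with `Require all granted` keeps one authorization model throughout the file. The enclosing block opens outside this hunk.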
@@ -1,107 +0,0 @@ -RewriteEngine on -RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] -#Alias /ui /usr/share/ipsilon/ui -Alias /ui /usr/share/ipsilon/themes/Fedora -{% if env == "staging" %} -Alias /.well-known /var/lib/ipsilon/root/public/well-known -Alias /cache /var/cache/ipsilon -Redirect /.well-known/webfinger /webfinger -{% endif %} - -# This is for mapping $username.id.fp.o -> id.fp.o/id/$username -RewriteEngine on -RewriteMap lowercase int:tolower -{% if env == "staging" %} -RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.stg\.fedoraproject\.org$ -RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] -RewriteRule ^([a-z0-9_-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT] -{% else %} -RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9_-]+\.id\.fedoraproject\.org$ -RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] -RewriteRule ^([a-z0-9_-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT] -{% endif %} - - -WSGIScriptAlias / /usr/libexec/ipsilon -{% if env == "staging" %} -WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon/root display-name=ipsilon processes=2 threads=2 maximum-requests=1000 -WSGISocketPrefix run/wsgi -{% else %} -WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 -WSGISocketPrefix /httpdir/run/wsgi -WSGIRestrictStdout Off -WSGIRestrictSignal Off -{% endif %} -# This header is required to be passed for OIDC client_secret_basic -WSGIPassAuthorization On -# Without this, getting the private key in jwcrypto/jwk.py, line 430, fails -# Fix from https://github.com/pyca/cryptography/issues/2299#issuecomment-197075190 -WSGIApplicationGroup %{GLOBAL} - - - - WSGIProcessGroup ipsilon - - - - Require all granted - - - - Options +SymLinksIfOwnerMatch - Require all granted - - -{% if env == "staging" %} - -{% else %} - -{% endif %} - Require all granted - - - - ForceType application/json - - - - AuthName "GSSAPI Single Sign On Login" 
-{% if env == "staging" %} - GssapiCredStore keytab:/etc/httpd/conf/http.keytab -{% else %} - GssapiCredStore keytab:/etc/keytabs/service.keytab -{% endif %} - AuthType GSSAPI - # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS - GssapiSSLonly Off - GssapiLocalName on - Require valid-user - ErrorDocument 401 /login/gssapi/unauthorized - ErrorDocument 500 /login/gssapi/failed - - -{% if env == "staging" %} -LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so -LoadModule authnz_pam_module modules/mod_authnz_pam.so - - - InterceptFormPAMService ipsilon - InterceptFormLogin login_name - InterceptFormPassword login_password - # InterceptFormLoginSkip admin - # InterceptFormClearRemoteUserForSkipped on - InterceptFormPasswordRedact on - - - - SetHandler None - AllowOverride None - - Require all granted - - - Order Allow,Deny - Allow from All - - -{% endif %} diff --git a/roles/ipsilon/templates/ipsilon.conf b/roles/ipsilon/templates/ipsilon.conf index bcb7c3261a..a10c7b66cc 100644 --- a/roles/ipsilon/templates/ipsilon.conf +++ b/roles/ipsilon/templates/ipsilon.conf @@ -4,17 +4,12 @@ tools.log_request_response.on = False theme_dir = "/usr/share/ipsilon/themes/Fedora" template_dir = "/usr/share/ipsilon/templates" base.dir = "/usr/share/ipsilon" -{% if env == 'staging' %} cache_dir = "/var/cache/ipsilon" cleanup_interval = 30 db.conn.log = False db.echo = False # base.mount = "" admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf" -{% else %} -admin.config.db = "configfile:///etc/ipsilon/configuration.conf" -log.screen = True -{% endif %} user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}" transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}" 
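Review bot: Production loses `log.screen = True` in the ipsilon.conf hunk and nothing sets `log.error_file` or `log.access_file` in its place, so where Ipsilon's own log output lands on the VM is no longer determined by this file; authentication logs are what detection and incident response rely on, so this should be pinned rather than left to the mod_wsgi/CherryPy default. Either restore an explicit setting for production or add `# logging: relies on mod_wsgi capturing stderr into the httpd error log — confirm` next to `db.conn.log = False`. The `debug` line for this section sits above the hunk.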
diff --git a/roles/ipsilon/templates/ipsilon.conf.production b/roles/ipsilon/templates/ipsilon.conf.production
deleted file mode 100644
index bcb7c3261a..0000000000
--- a/roles/ipsilon/templates/ipsilon.conf.production
+++ /dev/null
@@ -1,32 +0,0 @@
-[global]
-debug = {{ (env == 'production')|ternary('False', 'True') }}
-tools.log_request_response.on = False
-theme_dir = "/usr/share/ipsilon/themes/Fedora"
-template_dir = "/usr/share/ipsilon/templates"
-base.dir = "/usr/share/ipsilon"
-{% if env == 'staging' %}
-cache_dir = "/var/cache/ipsilon"
-cleanup_interval = 30
-db.conn.log = False
-db.echo = False
-# base.mount = ""
-admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
-{% else %}
-admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
-log.screen = True
-{% endif %}
-user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
-transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
-
-tools.sessions.on = True
-tools.sessions.name = "fedora_ipsilon_session_id"
-tools.sessions.storage_type = "sql"
-tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
-tools.sessions.timeout = 15
-tools.sessions.httponly = True
-tools.sessions.secure = True
-tools.sessions.locking = 'explicit'
-
-tools.proxy.on = True
-tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
-
diff --git a/roles/ipsilon/templates/ipsilon.conf.staging b/roles/ipsilon/templates/ipsilon.conf.staging
deleted file mode 100644
index bcb7c3261a..0000000000
--- a/roles/ipsilon/templates/ipsilon.conf.staging
+++ /dev/null
@@ -1,32 +0,0 @@
-[global]
-debug = {{ (env == 'production')|ternary('False', 'True') }}
-tools.log_request_response.on = False
-theme_dir = "/usr/share/ipsilon/themes/Fedora"
-template_dir = "/usr/share/ipsilon/templates"
-base.dir = "/usr/share/ipsilon"
-{% if env == 'staging' %}
-cache_dir = "/var/cache/ipsilon"
-cleanup_interval = 30
-db.conn.log = False
-db.echo = False
-# base.mount = ""
-admin.config.db = "configfile:///etc/ipsilon/root/configuration.conf"
-{% else %}
-admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
-log.screen = True
-{% endif %}
-user.prefs.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_prefs_name }}"
-transactions.db = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_transactions_name }}"
-
-tools.sessions.on = True
-tools.sessions.name = "fedora_ipsilon_session_id"
-tools.sessions.storage_type = "sql"
-tools.sessions.storage_dburi = "postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{ ipsilon_db_host }}/{{ ipsilon_db_sessions_name }}"
-tools.sessions.timeout = 15
-tools.sessions.httponly = True
-tools.sessions.secure = True
-tools.sessions.locking = 'explicit'
-
-tools.proxy.on = True
-tools.proxy.base = "https://id{{ env_suffix }}.fedoraproject.org"
-