From 86338b07032655ba6f4cfcd71c53eb44a1e1f27a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 24 Feb 2015 17:58:29 +0000 Subject: [PATCH] Add Ipsilon role and config Signed-off-by: Patrick Uiterwijk --- roles/ipsilon/files/templates/index.html | 7 +++ .../files/templates/internalerror.html | 15 +++++ roles/ipsilon/files/templates/layout.html | 35 +++++++++++ roles/ipsilon/files/templates/logout.html | 13 ++++ roles/ipsilon/files/templates/notfound.html | 13 ++++ .../files/templates/openid/consent_form.html | 36 +++++++++++ .../files/templates/openid/userpage.html | 7 +++ roles/ipsilon/files/templates/openid/xrds.xml | 16 +++++ .../files/templates/persona/provisioning.html | 59 +++++++++++++++++++ .../templates/persona/signin_result.html | 19 ++++++ .../ipsilon/files/templates/unauthorized.html | 12 ++++ roles/ipsilon/tasks/main.yml | 56 ++++++++++++++++++ roles/ipsilon/templates/configuration.cfg | 40 +++++++++++++ roles/ipsilon/templates/ipsilon.cfg | 22 +++++++ 14 files changed, 350 insertions(+) create mode 100644 roles/ipsilon/files/templates/index.html create mode 100644 roles/ipsilon/files/templates/internalerror.html create mode 100644 roles/ipsilon/files/templates/layout.html create mode 100644 roles/ipsilon/files/templates/logout.html create mode 100644 roles/ipsilon/files/templates/notfound.html create mode 100644 roles/ipsilon/files/templates/openid/consent_form.html create mode 100644 roles/ipsilon/files/templates/openid/userpage.html create mode 100644 roles/ipsilon/files/templates/openid/xrds.xml create mode 100644 roles/ipsilon/files/templates/persona/provisioning.html create mode 100644 roles/ipsilon/files/templates/persona/signin_result.html create mode 100644 roles/ipsilon/files/templates/unauthorized.html create mode 100644 roles/ipsilon/tasks/main.yml create mode 100644 roles/ipsilon/templates/configuration.cfg create mode 100644 roles/ipsilon/templates/ipsilon.cfg 
diff --git a/roles/ipsilon/files/templates/index.html b/roles/ipsilon/files/templates/index.html
new file mode 100644
index 0000000000..d217b7a6c9
--- /dev/null
+++ b/roles/ipsilon/files/templates/index.html
@@ -0,0 +1,7 @@
+{% extends "layout.html" %}
+{% block toptext %}
+This is the Federated Open Authentication provider homepage.
+{% endblock %}
+{% block main %}
+You will be redirected to this application whenever another application requires you to authenticate.
+{% endblock %}
diff --git a/roles/ipsilon/files/templates/internalerror.html b/roles/ipsilon/files/templates/internalerror.html
new file mode 100644
index 0000000000..055e903062
--- /dev/null
+++ b/roles/ipsilon/files/templates/internalerror.html
@@ -0,0 +1,15 @@
+{% extends "layout.html" %}
+{% block toptext %}
+500 - Internal Server Error
+{% endblock %}
+{% block main %}
+ {% if message: %}
+

{{ message }}

+ {% else %} +

Ipsilon encountered an unexpected internal error while trying to + fulfill your request.

+ {% endif %} +

Please retry again.

+

If the error persists, contact the server administrator to resolve + the problem.

+{% endblock %} diff --git a/roles/ipsilon/files/templates/layout.html b/roles/ipsilon/files/templates/layout.html new file mode 100644 index 0000000000..cdb8e06bdb --- /dev/null +++ b/roles/ipsilon/files/templates/layout.html @@ -0,0 +1,35 @@ + + + + + {{ title }} + + + + + + + + {%- if heads %} + {%- for group, value in heads.items() %} + {%- for head in value %} + {{ head }} + {%- endfor %} + {%- endfor %} + {%- endif %} + + +
+
+ +
+
+
+

{% block toptext %}{% endblock %}

+
+ {% block main %}{% endblock %} +
+
+ + diff --git a/roles/ipsilon/files/templates/logout.html b/roles/ipsilon/files/templates/logout.html new file mode 100644 index 0000000000..d2383d16e1 --- /dev/null +++ b/roles/ipsilon/files/templates/logout.html @@ -0,0 +1,13 @@ +{% extends "master.html" %} +{% block toptext %} +Logged out +{% endblock %} +{% block main %} +{% if user.name %} +

Something prevented a successful logout

+

You are still logged in as {{ user.fullname }}

+{% else %} +

Successfully logged out.

+

Return to Home page

+{% endif %} +{% endblock %} diff --git a/roles/ipsilon/files/templates/notfound.html b/roles/ipsilon/files/templates/notfound.html new file mode 100644 index 0000000000..38203cb0ed --- /dev/null +++ b/roles/ipsilon/files/templates/notfound.html @@ -0,0 +1,13 @@ +{% extends "layout.html" %} +{% block toptext %} +404 - Not Found +{% endblock %} +{% block main %} + {% if message: %} +
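Review bot: logout.html opens with `{% extends "master.html" %}` while every other template in this commit extends `layout.html`, and no master.html is among the files added; unless a master.html already exists in Ipsilon's own template directory, rendering the logout page will fail with a template-not-found error. Presumably `{% extends "layout.html" %}` was intended, which would also give the logout page the same header and footer as the rest of the site. The block also dereferences `user.name` and `user.fullname`, so it assumes the view always passes a `user` object even after a successful logout; that contract is not visible here and is worth confirming.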

{{ message }}

+ {% else %} +

This page does not exist.

+ {% endif %} +

If you think this is an error, contact the server administrator to resolve + the problem.

+{% endblock %} diff --git a/roles/ipsilon/files/templates/openid/consent_form.html b/roles/ipsilon/files/templates/openid/consent_form.html new file mode 100644 index 0000000000..102d7e4913 --- /dev/null +++ b/roles/ipsilon/files/templates/openid/consent_form.html @@ -0,0 +1,36 @@ +{% extends "layout.html" %} +{% block toptext %} +{{trustroot}} is asking to authenticate via OpenID using FedOAuth +{% endblock %} +{% block main %} + Review the authorization details +
+
+ +

+ + {% for entry in authz_details|dictsort %} + + + + + {% endfor %} + + + + + +
{{entry[0]}}{{entry[1]}}
Remember approval for +
+

+

+ + +

+
+
+{% endblock %} diff --git a/roles/ipsilon/files/templates/openid/userpage.html b/roles/ipsilon/files/templates/openid/userpage.html new file mode 100644 index 0000000000..74ae88a689 --- /dev/null +++ b/roles/ipsilon/files/templates/openid/userpage.html @@ -0,0 +1,7 @@ +{% extends "layout.html" %} +{% block toptext %} +This is the OpenID page for {{username}}. +{% endblock %} +{% block main %} +This page is primarily used internally +{% endblock %} diff --git a/roles/ipsilon/files/templates/openid/xrds.xml b/roles/ipsilon/files/templates/openid/xrds.xml new file mode 100644 index 0000000000..86b3e0f849 --- /dev/null +++ b/roles/ipsilon/files/templates/openid/xrds.xml @@ -0,0 +1,16 @@ + + + + +{%- for t in types %} + {{ t }} +{%- endfor %} +{%- if uri %} + {{ uri }} +{%- endif %} +{%- if localid %} + {{ localid }} +{%- endif %} + + + diff --git a/roles/ipsilon/files/templates/persona/provisioning.html b/roles/ipsilon/files/templates/persona/provisioning.html new file mode 100644 index 0000000000..0ced48f48b --- /dev/null +++ b/roles/ipsilon/files/templates/persona/provisioning.html @@ -0,0 +1,59 @@ +{% extends "layout.html" %} +{% block toptext %} +This page is used internally +{% endblock %} +{% block main %} + + +{% endblock %} diff --git a/roles/ipsilon/files/templates/persona/signin_result.html b/roles/ipsilon/files/templates/persona/signin_result.html new file mode 100644 index 0000000000..a2fc18b93b --- /dev/null +++ b/roles/ipsilon/files/templates/persona/signin_result.html @@ -0,0 +1,19 @@ +{% extends "layout.html" %} +{% block toptext %} +This page is used internally +{% endblock %} +{% block main %} + + +{% endblock %} diff --git a/roles/ipsilon/files/templates/unauthorized.html b/roles/ipsilon/files/templates/unauthorized.html new file mode 100644 index 0000000000..49a4506668 --- /dev/null +++ b/roles/ipsilon/files/templates/unauthorized.html 
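Review bot: `{{trustroot}}` in the toptext block and `{{entry[1]}}` in the authorization table of consent_form.html are interpolated without an explicit escape filter; the trust root is supplied by the relying party in the OpenID request, so whether this is safe depends entirely on the Jinja environment's autoescape setting, which this commit does not show. If autoescaping is not enabled for these templates, writing them as `{{ trustroot|e }}` and `{{ entry[1]|e }}` makes the intent explicit and prevents relying-party-controlled markup from reaching the user's browser. The same question applies to `{{ message }}` in internalerror.html, notfound.html and unauthorized.html, whose origin is likewise not visible in this patch. Most of the form and table markup of this hunk has been lost in the rendering of the patch, so the surrounding HTML could not be reviewed.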
@@ -0,0 +1,12 @@ +{% extends "layout.html" %} +{% block toptext %} +401 - Unauthorized +{% endblock %} +{% block main %} + {% if message: %} +

{{ message }}

+ {% else %} +

Authentication was not succesful

+ {% endif %} +

Try to login again

+{% endblock %}
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
new file mode 100644
index 0000000000..c80d42f0b2
--- /dev/null
+++ b/roles/ipsilon/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+# Configuration for the ipsilon webapp
+
+- name: clean yum metadata
+ command: yum clean all
+ tags:
+ - packages
+
+- name: install needed packages
+ yum: pkg={{ item }} state=present
+ with_items:
+ - ipsilon
+ - ipsilon-authfas
+ - ipsilon-openid
+ - ipsilon-persona
+ - python-psycopg2
+ - libsemanage-python
+ tags:
+ - packages
+
+- name: copy ipsilon templates
+ copy: src=templates
+ dest=/usr/share/ipsilon/templates-fedora
+ owner=ipsilon group=ipsilon mode=0666
+
+- name: copy ipsilon configuration
+ template: src={{ item }}.cfg
+ dest=/etc/ipsilon/{{ item }}.cfg
+ owner=ipsilon group=ipsilon mode=0600
+ with_items:
+ - ipsilon
+ - configuration
+ tags:
+ - config
+ notify:
+ - restart apache
+
+- name: copy persona private key
+ copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
+ owner=ipsilon group=ipsilon mode=0600
+ when: env != "staging"
+
+- name: copy persona STG private key
+ copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
+ owner=ipsilon group=ipsilon mode=0600
+ when: env == "staging"
+
+- name: set sebooleans so ipsilon can talk to the db
+ action: seboolean name=httpd_can_network_connect_db
+ state=true
+ persistent=true
+
+- name: apply selinux type to the wsgi file
+ file: >
+ dest=/usr/sbin/ipsilon
+ setype=httpd_sys_content_t
diff --git a/roles/ipsilon/templates/configuration.cfg b/roles/ipsilon/templates/configuration.cfg
new file mode 100644
index 0000000000..72713f9eb5
--- /dev/null
+++ b/roles/ipsilon/templates/configuration.cfg
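Review bot: The user-facing text `Authentication was not succesful` in unauthorized.html misspells "successful"; it should read `Authentication was not successful`. The rest of the 401 page mirrors notfound.html and internalerror.html, so only that one line needs changing.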
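Review bot: The "copy ipsilon templates" task installs the whole template tree with `mode=0666`, which makes every server-side template world-writable; any local account on the host could then edit the HTML that Ipsilon renders to every user on the login, consent and error pages. Templates only need to be readable by the service account, so `owner=ipsilon group=ipsilon mode=0644` is sufficient, and root ownership with `mode=0644` would be tighter still since the application never needs to write them. The two persona key tasks correctly use `mode=0600`, so the templates task is the only outlier. The `setype=httpd_sys_content_t` label applied to `/usr/sbin/ipsilon` is presumably what the packaged mod_wsgi setup expects, but that could not be verified from this patch.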
@@ -0,0 +1,40 @@
+[login_config]
+global enabled=fas
+{% if env == 'staging' %}
+fas FAS url=https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+fas FAS url=https://admin.fedoraproject.org/accounts/
+{% endif %}
+fas FAS Proxy client user Agent=Fedora Ipsilon
+fas FAS Insecure Auth=False
+
+
+
+
+[provider_config]
+global enabled=persona,openid
+
+{% if env == 'staging' %}
+persona allowed domains=stg.fedoraproject.org
+persona issuer domain=id.stg.fedoraproject.org
+persona idp key file=/etc/fedoauth/persona.stg.key
+{% else %}
+persona allowed domains=fedoraproject.org
+persona issuer domain=id.fedoraproject.org
+persona idp key file=/etc/fedoauth/persona.key
+{% endif %}
+
+{% if env == 'staging' %}
+openid database url="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
+openid endpoint url=https://id.stg.fedoraproject.org/openid/
+openid identity url template=http://localhost/openid/id/%(username)s/
+openid trusted roots=
+{% else %}
+openid database url="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
+openid endpoint url=https://id.fedoraproject.org/openid/
+openid identity url template=http://%(username)s.id.fedoraproject.org/
+openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/
+{% endif %}
+openid untrusted roots=
+openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration
+
diff --git a/roles/ipsilon/templates/ipsilon.cfg b/roles/ipsilon/templates/ipsilon.cfg
new file mode 100644
index 0000000000..cb0ddfb980
--- /dev/null
+++ b/roles/ipsilon/templates/ipsilon.cfg
@@ -0,0 +1,22 @@
+[global]
+debug = False
+tools.log_request_response.on = False
+template_dir = "/srv/ipsilon/templates"
+
+log.screen = False
+base.mount = ""
+base.dir = "/usr/share/ipsilon"
+admin.config.db = "configfile:///etc/ipsilon/configuration.cfg"
+user.prefs.db = "configfile:///etc/ipsilon/configuration.cfg"
+{% if env == 'staging' %}
+transactions.db = "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
+{% else %}
+transactions.db = "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
+{% endif %}
+
+tools.sessions.on = True
+tools.sessions.name = "fedora_ipsilon_session_id"
+tools.sessions.storage_type = "Sql"
+tools.sessions.timeout = 60
+tools.sessions.httponly = True
+tools.sessions.secure = True
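Review bot: Both `persona idp key file` values point into `/etc/fedoauth/` (`persona.key` and `persona.stg.key`), but the tasks in this same role install the keys as `/etc/ipsilon/persona.key` and `/etc/ipsilon/persona.stg.key`, so the Persona provider will not find its signing key on a host built from this role alone. Changing the two lines to `persona idp key file=/etc/ipsilon/persona.stg.key` and `persona idp key file=/etc/ipsilon/persona.key` brings the config in line with where the keys are deployed. Separately, several production `openid trusted roots` entries are plain `http://` (the jenkins, notifications and two copr roots); OpenID responses returned to those return_to URLs travel without TLS, so those relying parties should be listed with https once they support it. The staging `openid identity url template` of `http://localhost/openid/id/%(username)s/` looks like a leftover placeholder rather than a real identity URL and is worth confirming against the staging endpoint.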
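Review bot: `template_dir = "/srv/ipsilon/templates"` does not match where the tasks of this role place the custom templates (`/usr/share/ipsilon/templates-fedora`), so the templates shipped in this commit will not be used unless something outside this role populates `/srv/ipsilon/templates`. Either set `template_dir = "/usr/share/ipsilon/templates-fedora"` or change the copy destination in tasks/main.yml so the two agree. The session settings (`tools.sessions.httponly = True`, `tools.sessions.secure = True`, `debug = False`) are the right defaults for an identity provider; `tools.sessions.storage_type = "Sql"` presumably relies on a session database configured elsewhere, which is not visible in this patch.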