Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Add Ipsilon role and config

Browse source 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
This commit is contained in:
Patrick Uiterwijk 2015-02-24 17:58:29 +00:00
parent 94a9deb8dc
commit 86338b0703
14 changed files with 350 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
roles/ipsilon/files/templates/index.html Normal file
View file

@ -0,0 +1,7 @@
{% extends "layout.html" %}
{% block toptext %}
This is the Federated Open Authentication provider homepage.
{% endblock %}
{% block main %}
You will be redirected to this application whenever another application requires you to authenticate.
{% endblock %}

15
roles/ipsilon/files/templates/internalerror.html Normal file
View file

@ -0,0 +1,15 @@
{% extends "layout.html" %}
{% block toptext %}
500 - Internal Server Error
{% endblock %}
{% block main %}
{% if message: %}
<p>{{ message }}</p>
{% else %}
<p>Ipsilon encountered an unexpected internal error while trying to
fulfill your request.</p>
{% endif %}
<p>Please retry again.</p>
<p>If the error persists, contact the server administrator to resolve
the problem.</p>
{% endblock %}

35
roles/ipsilon/files/templates/layout.html Normal file
View file

@ -0,0 +1,35 @@
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>{{ title }}</title>
<link rel="shortcut icon" type="image/vnd.microsoft.icon"
href="//fedoraproject.org/static/images/favicon.ico"/>
<link rel="stylesheet" href="{{ basepath }}/ui/fedora/fedora.css">
<meta name="generator" content="Ipsilon">
{%- if heads %}
{%- for group, value in heads.items() %}
{%- for head in value %}
{{ head }}
{%- endfor %}
{%- endfor %}
{%- endif %}
</head>
<body>
<div class="header_bg">
<div class="body header">
<img id="logo" alt="logo" src="{{ basepath }}/ui/fedora/fedora-authn-logo-white.png"/>
</div>
</div>
<div class="body main">
<p id="toptext">{% block toptext %}{% endblock %}</p>
<div class="middlebox">
{% block main %}{% endblock %}
</div>
</div>
</body>
</html>

13
roles/ipsilon/files/templates/logout.html Normal file
View file

@ -0,0 +1,13 @@
{% extends "master.html" %}
{% block toptext %}
Logged out
{% endblock %}
{% block main %}
{% if user.name %}
<p>Something prevented a successful logout</p>
<p>You are still logged in as {{ user.fullname }}</p>
{% else %}
<p>Successfully logged out.</p>
<p>Return to <a href="{{ basepath }}/">Home</a> page</p>
{% endif %}
{% endblock %}

13
roles/ipsilon/files/templates/notfound.html Normal file
View file

@ -0,0 +1,13 @@
{% extends "layout.html" %}
{% block toptext %}
404 - Not Found
{% endblock %}
{% block main %}
{% if message: %}
<p>{{ message }}</p>
{% else %}
<p>This page does not exist.</p>
{% endif %}
<p>If you think this is an error, contact the server administrator to resolve
the problem.</p>
{% endblock %}

36
roles/ipsilon/files/templates/openid/consent_form.html Normal file
View file

@ -0,0 +1,36 @@
{% extends "layout.html" %}
{% block toptext %}
{{trustroot}} is asking to authenticate via OpenID using FedOAuth
{% endblock %}
{% block main %}
Review the authorization details
<div>
<form method="post" action="{{action}}" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="ipsilon_transaction_id" id="ipsilon_transaction_id" value="{{ ipsilon_transaction_id }}" />
<p class="form_item">
<table class="details">
{% for entry in authz_details|dictsort %}
<tr>
<td>{{entry[0]}}</td>
<td>{{entry[1]}}</td>
</tr>
{% endfor %}
<tr>
<td>Remember approval for</td>
<td><select name="remember_for_days">
<option value="0">never</option>
<option value="3">3 days</option>
<option value="7">7 days</option>
</select>
</td>
</tr>
</table>
</p>
<p class="form_item">
<input type="submit" name="decided_deny" value="Reject">
<input type="submit" name="decided_allow" value="Allow">
</p>
</form>
</div>
{% endblock %}

7
roles/ipsilon/files/templates/openid/userpage.html Normal file
View file

@ -0,0 +1,7 @@
{% extends "layout.html" %}
{% block toptext %}
This is the OpenID page for {{username}}.
{% endblock %}
{% block main %}
This page is primarily used internally
{% endblock %}

16
roles/ipsilon/files/templates/openid/xrds.xml Normal file
View file

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service>
{%- for t in types %}
<Type>{{ t }}</Type>
{%- endfor %}
{%- if uri %}
<URI>{{ uri }}</URI>
{%- endif %}
{%- if localid %}
<LocalID>{{ localid }}</LocalID>
{%- endif %}
</Service>
</XRD>
</xrds:XRDS>

59
roles/ipsilon/files/templates/persona/provisioning.html Normal file
View file

@ -0,0 +1,59 @@
{% extends "layout.html" %}
{% block toptext %}
This page is used internally
{% endblock %}
{% block main %}
<script type="text/javascript" src="https://login.persona.org/provisioning_api.js"></script>
<script type="text/javascript">
var xmlhttp = new XMLHttpRequest()
var loggedin = {{ loggedin|lower }};
xmlhttp.onreadystatechange = function()
{
if(xmlhttp.readyState == 4)
{
if(xmlhttp.status == 200)
{
navigator.id.registerCertificate(xmlhttp.responseText);
}
else if((xmlhttp.status == 401) || (xmlhttp.status == 403))
{
navigator.id.raiseProvisioningFailure('Error in provisioning!');
}
else
{
alert("Response code: " + xmlhttp.status);
alert("Response text: " + xmlhttp.responseText);
}
}
}
function generateServerSide(email, publicKey, certDuration, callback)
{
xmlhttp.open("POST", "Sign/", true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("email=" + encodeURIComponent(email)
+ "&publicKey=" + encodeURIComponent(publicKey)
+ "&certDuration=" + encodeURIComponent(certDuration));
}
function startProvisioning()
{
navigator.id.beginProvisioning(function(email, certDuration)
{
if(loggedin)
{
navigator.id.genKeyPair(function(publicKey)
{
generateServerSide(email, publicKey, certDuration);
});
} else {
navigator.id.raiseProvisioningFailure('user is not authenticated');
}
});
}
startProvisioning();
</script>
{% endblock %}

19
roles/ipsilon/files/templates/persona/signin_result.html Normal file
View file

@ -0,0 +1,19 @@
{% extends "layout.html" %}
{% block toptext %}
This page is used internally
{% endblock %}
{% block main %}
<script type="text/javascript" src="https://login.persona.org/authentication_api.js"></script>
<script type="text/javascript">
var loggedin = {{ loggedin|lower }};
if(loggedin)
{
navigator.id.beginAuthentication(function(email) {
navigator.id.completeAuthentication();
});
} else {
navigator.id.raiseAuthenticationFailure('User cancelled signon');
}
</script>
{% endblock %}

12
roles/ipsilon/files/templates/unauthorized.html Normal file
View file

@ -0,0 +1,12 @@
{% extends "layout.html" %}
{% block toptext %}
401 - Unauthorized
{% endblock %}
{% block main %}
{% if message: %}
<p>{{ message }}</p>
{% else %}
<p>Authentication was not succesful</p>
{% endif %}
<p><a href="{{ basepath }}/login" title="Login">Try to login again</a></p>
{% endblock %}

56
roles/ipsilon/tasks/main.yml Normal file
View file

@ -0,0 +1,56 @@
---
# Configuration for the ipsilon webapp
- name: clean yum metadata
command: yum clean all
tags:
- packages
- name: install needed packages
yum: pkg={{ item }} state=present
with_items:
- ipsilon
- ipsilon-authfas
- ipsilon-openid
- ipsilon-persona
- python-psycopg2
- libsemanage-python
tags:
- packages
- name: copy ipsilon templates
copy: src=templates
dest=/usr/share/ipsilon/templates-fedora
owner=ipsilon group=ipsilon mode=0666
- name: copy ipsilon configuration
template: src={{ item }}.cfg
dest=/etc/ipsilon/{{ item }}.cfg
owner=ipsilon group=ipsilon mode=0600
with_items:
- ipsilon
- configuration
tags:
- config
notify:
- restart apache
- name: copy persona private key
copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
owner=ipsilon group=ipsilon mode=0600
when: env != "staging"
- name: copy persona STG private key
copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
owner=ipsilon group=ipsilon mode=0600
when: env == "staging"
- name: set sebooleans so ipsilon can talk to the db
action: seboolean name=httpd_can_network_connect_db
state=true
persistent=true
- name: apply selinux type to the wsgi file
file: >
dest=/usr/sbin/ipsilon
setype=httpd_sys_content_t

40
roles/ipsilon/templates/configuration.cfg Normal file
View file

@ -0,0 +1,40 @@
[login_config]
global enabled=fas
{% if env == 'staging' %}
fas FAS url=https://admin.stg.fedoraproject.org/accounts/
{% else %}
fas FAS url=https://admin.fedoraproject.org/accounts/
{% endif %}
fas FAS Proxy client user Agent=Fedora Ipsilon
fas FAS Insecure Auth=False
[provider_config]
global enabled=persona,openid
{% if env == 'staging' %}
persona allowed domains=stg.fedoraproject.org
persona issuer domain=id.stg.fedoraproject.org
persona idp key file=/etc/fedoauth/persona.stg.key
{% else %}
persona allowed domains=fedoraproject.org
persona issuer domain=id.fedoraproject.org
persona idp key file=/etc/fedoauth/persona.key
{% endif %}
{% if env == 'staging' %}
openid database url="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
openid endpoint url=https://id.stg.fedoraproject.org/openid/
openid identity url template=http://localhost/openid/id/%(username)s/
openid trusted roots=
{% else %}
openid database url="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
openid endpoint url=https://id.fedoraproject.org/openid/
openid identity url template=http://%(username)s.id.fedoraproject.org/
openid trusted roots=http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin,https://ask.fedoraproject.org/,https://fedorahosted.org/,https://badges.fedoraproject.org,https://apps.fedoraproject.org/tagger/,https://apps.fedoraproject.org/nuancier/,https://apps.fedoraproject.org/datagrepper/,https://apps.fedoraproject.org/calendar/,http://apps.fedoraproject.org/notifications/,http://copr.fedoraproject.org/,http://copr-fe.cloud.fedoraproject.org/,https://admin.fedoraproject.org/pkgdb/,https://admin.fedoraproject.org/voting/,https://apps.fedoraproject.org/github2fedmsg,https://admin.fedoraproject.org,https://apps.fedoraproject.org/,https://release-monitoring.org/
{% endif %}
openid untrusted roots=
openid enabled extensions=Teams,Attribute Exchange,CLAs,Simple Registration

22
roles/ipsilon/templates/ipsilon.cfg Normal file
View file

@ -0,0 +1,22 @@
[global]
debug = False
tools.log_request_response.on = False
template_dir = "/srv/ipsilon/templates"
log.screen = False
base.mount = ""
base.dir = "/usr/share/ipsilon"
admin.config.db = "configfile:///etc/ipsilon/configuration.cfg"
user.prefs.db = "configfile:///etc/ipsilon/configuration.cfg"
{% if env == 'staging' %}
transactions.db = "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
{% else %}
transactions.db = "postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
{% endif %}
tools.sessions.on = True
tools.sessions.name = "fedora_ipsilon_session_id"
tools.sessions.storage_type = "Sql"
tools.sessions.timeout = 60
tools.sessions.httponly = True
tools.sessions.secure = True