Prepare dist-git for OIDC

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2024-11-13 09:53:32 +01:00 · 2024-11-13 09:53:32 +01:00 · 901c843706
commit 901c843706
parent 99a1afaa32
3 changed files with 43 additions and 2 deletions
--- a/roles/distgit/pagure/templates/client_secrets.json
+++ b/roles/distgit/pagure/templates/client_secrets.json
@ -0,0 +1,24 @@
+{
+    "web": {
+        "client_id": "src-verifier",
+{% if env == 'pagure-staging' %}
+        "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+        "client_secret": "{{ distgit_oidc_client_secret_stg }}",
+        "issuer": "https://id.stg.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://src.stg.fedoraproject.org/authorize"
+        ],
+        "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
+{% else %}
+        "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
+        "client_secret": "{{ distgit_oidc_client_secret_prod }}",
+        "issuer": "https://id.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://src.fedoraproject.org/authorize"
+        ],
+        "token_uri": "https://id.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo"
+{% endif %}
+    }
+}
--- a/roles/distgit/pagure/templates/pagure.cfg
+++ b/roles/distgit/pagure/templates/pagure.cfg
@ -109,7 +109,24 @@ SHORT_LENGTH = 7
 # Specify which authentication method to use, defaults to `fas` can be or
 # `local`
 # Default: ``fas``.
+{% if env == "staging" %}
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OIDC_SCOPES = [
+    'openid', 'email', 'profile',
+    'https://id.fedoraproject.org/scope/groups',
+    'https://id.fedoraproject.org/scope/agreements',
+]
+OIDC_PAGURE_EMAIL = 'email'
+OIDC_PAGURE_FULLNAME = 'fullname'
+OIDC_PAGURE_USERNAME = 'preferred_username'
+OIDC_PAGURE_SSH_KEY = 'ssh_key'
+OIDC_PAGURE_GROUPS = 'groups'
+OIDC_PAGURE_USERNAME_FALLBACK = 'nickname'
+{% else %}
 PAGURE_AUTH = 'fas'
+{% endif %}

 # When this is set to True, the session cookie will only be returned to the
 # server via ssl (https). If you connect to the server via plain http, the
--- a/roles/pagure/templates/client_secrets.json
+++ b/roles/pagure/templates/client_secrets.json
@ -6,7 +6,7 @@
        "client_secret": "{{ pagure_stg_oidc_client_secret }}",
        "issuer": "https://id.stg.fedoraproject.org/openidc/",
        "redirect_uris": [
-            "https://stg.pagure.io/login"
+            "https://stg.pagure.io/authorize"
        ],
        "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
        "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
@ -15,7 +15,7 @@
        "client_secret": "{{ pagure_oidc_client_secret }}",
        "issuer": "https://id.fedoraproject.org/openidc/",
        "redirect_uris": [
-            "https://pagure.io/login"
+            "https://pagure.io/authorize"
        ],
        "token_uri": "https://id.fedoraproject.org/openidc/Token",
        "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo"