modernpaste config for oidc

Signed-off-by: Ricky Elrod <relrod@redhat.com>
2018-04-04 19:38:25 +00:00 · 2018-04-04 19:38:25 +00:00 · 92401e1c0f
commit 92401e1c0f
parent 5f12f40dfb
3 changed files with 41 additions and 0 deletions
--- a/roles/modernpaste/tasks/main.yml
+++ b/roles/modernpaste/tasks/main.yml
@ -33,6 +33,14 @@
  - modernpaste
  notify: reload httpd

+- name: modernpaste oidc secrets
+  template: src=client_secrets.json dest=/etc/modern-paste/client_secrets.json owner=apache group=apache mode=600
+  when: env == 'staging'
+  tags:
+  - config
+  - modernpaste
+  notify: reload httpd
+
 - name: modernpaste apache config
  copy: src=modern-paste.conf dest=/etc/httpd/conf.d/modern-paste.conf owner=root group=root mode=644
  tags:
--- a/roles/modernpaste/templates/client_secrets.json
+++ b/roles/modernpaste/templates/client_secrets.json
@ -0,0 +1,23 @@
+{% if env == 'staging' %}
+{"web": {
+  "redirect_uris": ["https://modernpaste.stg.fedoraproject.org/oidc_callback"],
+  "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+  "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+  "client_id": "modernpaste",
+  "client_secret": "{{stg_modernpaste_oidc_secret}}",
+  "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo",
+  "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+  }
+}
+{% else %}
+{"web": {
+  "redirect_uris": ["https://modernpaste.stg.fedoraproject.org/oidc_callback"],
+  "token_uri": "https://id.fedoraproject.org/openidc/Token",
+  "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
+  "client_id": "modernpaste",
+  "client_secret": "{{prod_modernpaste_oidc_secret}}",
+  "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo",
+  "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo"
+  }
+}
+{% endif %}
--- a/roles/modernpaste/templates/config.py
+++ b/roles/modernpaste/templates/config.py
@ -50,6 +50,16 @@ ENABLE_USER_REGISTRATION = False
 # This is useful for private or internal installations that aren't intended for public use.
 REQUIRE_LOGIN_TO_PASTE = False

+# Authentication method
+# This selects between either local users or oidc (OpenID Connect)
+AUTH_METHOD = 'oidc'
+
+# OpenID Connect client secrets file
+AUTH_OIDC_CLIENT_SECRETS = '/etc/modern-paste/client_secrets.json'
+
+# Required scope for OAuth2 API calls
+AUTH_OIDC_SCOPE = 'modernpaste'
+
 # AES key for generating encrypted IDs
 # This is only relevant if USE_ENCRYPTED_IDS above is True. If not, this config parameter can be ignored.
 # It is recommended, but not strictly required, for you to replace the string below with the output of os.urandom(32),