From 92401e1c0f5742b7f35f9f57ab95e2e5ef5b7673 Mon Sep 17 00:00:00 2001
From: Ricky Elrod
Date: Wed, 4 Apr 2018 19:38:25 +0000
Subject: [PATCH] modernpaste config for oidc

Signed-off-by: Ricky Elrod
---
 roles/modernpaste/tasks/main.yml              |  8 +++++++
 .../modernpaste/templates/client_secrets.json | 23 +++++++++++++++++++
 roles/modernpaste/templates/config.py         | 10 ++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 roles/modernpaste/templates/client_secrets.json

diff --git a/roles/modernpaste/tasks/main.yml b/roles/modernpaste/tasks/main.yml
index 767c3df221..e3acb4088b 100644
--- a/roles/modernpaste/tasks/main.yml
+++ b/roles/modernpaste/tasks/main.yml
@@ -33,6 +33,14 @@
   - modernpaste
   notify: reload httpd
 
+- name: modernpaste oidc secrets
+  template: src=client_secrets.json dest=/etc/modern-paste/client_secrets.json owner=apache group=apache mode=600
+  when: env == 'staging'
+  tags:
+  - config
+  - modernpaste
+  notify: reload httpd
+
 - name: modernpaste apache config
   copy: src=modern-paste.conf dest=/etc/httpd/conf.d/modern-paste.conf owner=root group=root mode=644
   tags:
diff --git a/roles/modernpaste/templates/client_secrets.json b/roles/modernpaste/templates/client_secrets.json
new file mode 100644
index 0000000000..cd5802767c
--- /dev/null
+++ b/roles/modernpaste/templates/client_secrets.json
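Review bot: The `when: env == 'staging'` guard on the new "modernpaste oidc secrets" task means production hosts never receive /etc/modern-paste/client_secrets.json, yet the config.py hunk later in this patch sets `AUTH_METHOD = 'oidc'` and points `AUTH_OIDC_CLIENT_SECRETS` at that path for every environment, so a production run of this role would switch authentication to OIDC with no secrets file present. The client_secrets.json template already carries an `{% else %}` branch for production, which suggests the guard is a rollout choice rather than an oversight; if so, the config.py switch should carry the same condition (config.py lives under templates/, so a Jinja `{% if env == 'staging' %}` around the three AUTH_* settings would do), otherwise drop the `when:` here. Whichever is intended, a one-line comment on the task, e.g. `# staging-only until the production OIDC client is registered`, would stop the two files drifting apart.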
@@ -0,0 +1,23 @@
+{% if env == 'staging' %}
+{"web": {
+  "redirect_uris": ["https://modernpaste.stg.fedoraproject.org/oidc_callback"],
+  "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+  "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+  "client_id": "modernpaste",
+  "client_secret": "{{stg_modernpaste_oidc_secret}}",
+  "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo",
+  "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+  }
+}
+{% else %}
+{"web": {
+  "redirect_uris": ["https://modernpaste.stg.fedoraproject.org/oidc_callback"],
+  "token_uri": "https://id.fedoraproject.org/openidc/Token",
+  "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
+  "client_id": "modernpaste",
+  "client_secret": "{{prod_modernpaste_oidc_secret}}",
+  "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo",
+  "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo"
+  }
+}
+{% endif %}
diff --git a/roles/modernpaste/templates/config.py b/roles/modernpaste/templates/config.py
index 565b288876..20ceb6ff6a 100644
--- a/roles/modernpaste/templates/config.py
+++ b/roles/modernpaste/templates/config.py
@@ -50,6 +50,16 @@ ENABLE_USER_REGISTRATION = False
 # This is useful for private or internal installations that aren't intended for public use.
 REQUIRE_LOGIN_TO_PASTE = False
 
+# Authentication method
+# This selects between either local users or oidc (OpenID Connect)
+AUTH_METHOD = 'oidc'
+
+# OpenID Connect client secrets file
+AUTH_OIDC_CLIENT_SECRETS = '/etc/modern-paste/client_secrets.json'
+
+# Required scope for OAuth2 API calls
+AUTH_OIDC_SCOPE = 'modernpaste'
+
 # AES key for generating encrypted IDs
 # This is only relevant if USE_ENCRYPTED_IDS above is True. If not, this config parameter can be ignored.
 # It is recommended, but not strictly required, for you to replace the string below with the output of os.urandom(32),
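Review bot: The production branch under `{% else %}` still lists the staging callback, `"redirect_uris": ["https://modernpaste.stg.fedoraproject.org/oidc_callback"]`, while every other URL in that branch has had the `.stg` label removed; this looks like a copy-paste slip and would make the production client register a redirect URI on a different host than the one serving the app, so the OIDC provider would either reject the callback or send the authorization response to staging. Replace it with the production callback, `"redirect_uris": ["https://<production-modernpaste-host>/oidc_callback"],` (placeholder; the real hostname is not in this patch). Separately, both `client_secret` lines interpolate the vault variable bare inside a JSON string, so a secret containing `"` or `\` produces invalid JSON; rendering it through the JSON filter, e.g. `"client_secret": {{ prod_modernpaste_oidc_secret | to_json }},`, emits a correctly quoted and escaped value for any secret.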