From 9f6dafbe935122c80341d1cacd62f4d41f02ba09 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Wed, 15 Feb 2017 15:52:03 +0000
Subject: [PATCH] Set OIDC secrets in place for MBS service provider.
---
 roles/mbs/common/tasks/main.yml | 5 +++--
 .../common/templates/client_secrets.json.production | 11 +++++------
 .../mbs/common/templates/client_secrets.json.staging | 11 +++++------
 3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/roles/mbs/common/tasks/main.yml b/roles/mbs/common/tasks/main.yml
index 5a1126d3bb..a2518479c9 100644
--- a/roles/mbs/common/tasks/main.yml
+++ b/roles/mbs/common/tasks/main.yml
@@ -26,10 +26,11 @@ - mbs - mbs/common -- name: copy client secrets that aren't really secret. +- name: copy client secrets template: > src=client_secrets.json.{{env}} dest=/etc/module-build-service/client_secrets.json - owner=root group=root mode=0644 + owner=root group=apache mode=0640 + when: inventory_hostname.startswith('mbs-web') notify: - restart apache tags:
diff --git a/roles/mbs/common/templates/client_secrets.json.production b/roles/mbs/common/templates/client_secrets.json.production
index e25c1b49a8..9b12f4cc78 100644
--- a/roles/mbs/common/templates/client_secrets.json.production
+++ b/roles/mbs/common/templates/client_secrets.json.production
@@ -1,12 +1,11 @@
 {
 "web": {
 "auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
- "client_id": "mbs-authorizer",
- "client_secret": "notsecret",
- "redirect_uris": [
- "http://localhost:13747/"
- ],
+ "client_id": "mbs-prod",
+ "client_secret": "{{ mbs_prod_oidc_client_secret }}",
+ "redirect_uris": [],
 "token_uri": "https://id.fedoraproject.org/openidc/Token",
- "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo"
+ "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo",
+ "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo"
 }
 }
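Review bot: In roles/mbs/common/tasks/main.yml the `copy client secrets` task now renders a real OIDC client secret but does not set `no_log: true`, so a run with `--diff` or raised verbosity can write the rendered file, secret included, into the playbook output and any log that captures it; adding `no_log: true` next to the new `when:` line closes that. The tightened `owner=root group=apache mode=0640` fits the new content. Because of the added `when: inventory_hostname.startswith('mbs-web')`, hosts that do not match presumably keep the copy deployed earlier with mode 0644 and the placeholder values, so it is worth confirming they no longer read that file or removing it there. The task's `tags:` list continues outside the hunk.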
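Review bot: In client_secrets.json.production the secret is interpolated raw between JSON quotes, so a value containing `"` or `\` would render an invalid or differently parsed file; letting Ansible do the quoting with `"client_secret": {{ mbs_prod_oidc_client_secret | to_json }},` avoids that. The same applies to `mbs_stg_oidc_client_secret` in client_secrets.json.staging. The commit does not show where these variables are defined; presumably they live in the private vars store, which is worth confirming before merge.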
diff --git a/roles/mbs/common/templates/client_secrets.json.staging b/roles/mbs/common/templates/client_secrets.json.staging
index 7fd5069dae..f78371caf8 100644
--- a/roles/mbs/common/templates/client_secrets.json.staging
+++ b/roles/mbs/common/templates/client_secrets.json.staging
@@ -1,12 +1,11 @@
 {
 "web": {
 "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
- "client_id": "mbs-authorizer",
- "client_secret": "notsecret",
- "redirect_uris": [
- "http://localhost:13747/"
- ],
+ "client_id": "mbs-stg",
+ "client_secret": "{{ mbs_stg_oidc_client_secret }}",
+ "redirect_uris": [],
 "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
- "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+ "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo",
+ "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
 }
 }
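Review bot: client_secrets.json.staging now differs from the production template only in the `id.stg` host, the `client_id` and the secret variable name, so the two secret-bearing files have to be edited in lockstep. A single template that takes the identity-provider host, client id and secret from per-environment variables would keep a later fix to one from being missed in the other. This is a maintainability point only; the rendered staging values look consistent with the production ones.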