From ab8915019171bbf46a628d79930acbd9de163ed6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Tue, 20 Feb 2018 13:47:52 +0000
Subject: [PATCH] Hubs: OIDC authentication
---
 roles/hubs/tasks/main.yml | 32 ++++++++++++++-----
 roles/hubs/templates/oidc_client_secrets.json | 13 ++++++++
 2 files changed, 37 insertions(+), 8 deletions(-)
 create mode 100644 roles/hubs/templates/oidc_client_secrets.json
diff --git a/roles/hubs/tasks/main.yml b/roles/hubs/tasks/main.yml
index 6f858e896f..7a6bf6ad18 100644
--- a/roles/hubs/tasks/main.yml
+++ b/roles/hubs/tasks/main.yml
@@ -37,15 +37,31 @@
 notify: "hubs configuration change"
-- name: Configure application to authenticate with iddev.fedorainfracloud.org
- command:
- oidc-register
- --output-file {{ hubs_conf_dir }}/client_secrets.json
- https://{{ hubs_oidc_url }}/ {{ hubs_url }}
- args:
- creates: "{{ hubs_conf_dir }}/client_secrets.json"
+- name: Configure application to authenticate with the OIDC provider (dev)
+ block:
+ - dnf: name=python3-flask-oidc state=present
+ - command:
+ oidc-register
+ --output-file {{ hubs_conf_dir }}/client_secrets.json
+ https://{{ hubs_oidc_url }}/ {{ hubs_url }}
+ args:
+ creates: "{{ hubs_conf_dir }}/client_secrets.json"
+ notify: "hubs configuration change"
+ when: inventory_hostname == 'hubs-dev.fedorainfracloud.org'
-- name: Set permissions on the oidc credentials file
+
+- name: Configure application to authenticate with the OIDC provider
+ template:
+ src: oidc_client_secrets.json
+ dest: "{{ hubs_conf_dir }}/client_secrets.json"
+ owner: root
+ group: "{{ main_user }}"
+ mode: 0640
+ notify: "hubs configuration change"
+ when: inventory_hostname != 'hubs-dev.fedorainfracloud.org'
+
+
+- name: Fix the permissions on the OIDC secrets file
 file:
 path: "{{ hubs_conf_dir }}/client_secrets.json"
 owner: root
diff --git a/roles/hubs/templates/oidc_client_secrets.json b/roles/hubs/templates/oidc_client_secrets.json
new file mode 100644
index 0000000000..7ea0e9b021
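Review bot: The template task's `mode: 0640` is an unquoted leading-zero integer; PyYAML (YAML 1.1 semantics, which Ansible uses) reads it as octal 416, which happens to equal 0o640 and so works today, but the same field edited to `640` or a value without the leading zero would silently become a different mode — write it as a string, `mode: "0640"`. In the same hunk the new package task uses key=value string arguments, `- dnf: name=python3-flask-oidc state=present`, while every other task visible here (`command:`/`args:`, `template:`, `file:`) uses block-style module arguments; for consistency it should be `- dnf:` / `name: python3-flask-oidc` / `state: present`. Since the template task now sets owner, group and mode itself, the following "Fix the permissions on the OIDC secrets file" task (whose body continues past the end of the hunk) presumably only still matters on the dev host, where oidc-register writes the file with the process umask; a one-line comment on that task saying so, such as `# only needed on dev, where oidc-register creates the file itself`, would save the next reader a question.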
--- /dev/null
+++ b/roles/hubs/templates/oidc_client_secrets.json
@@ -0,0 +1,13 @@
+{
+ "web": {
+ "client_id": "hubs",
+ "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+ "issuer": "https://id.stg.fedoraproject.org/openidc/",
+ "client_secret": "{{ hubs_stg_oidc_secret }}",
+ "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo",
+ "redirect_uris": [
+ "https://hubs.stg.fedoraproject.org/oidc_callback"
+ ]
+ }
+}
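Review bot: The template hard-codes the staging identity provider and the staging callback URL, yet the task that renders it in main.yml applies it to every host that is not hubs-dev, so any future production host would be pointed at id.stg.fedoraproject.org with a staging redirect_uri and the staging secret. The dev branch of this same commit already builds its registration from `hubs_oidc_url` and `hubs_url`; deriving the issuer, the three endpoint URIs and the redirect_uri from those variables (assuming `hubs_url` is the application base URL without a trailing slash, as its use as the second argument to oidc-register suggests, and that the `/openidc/` path is the same on every provider — confirm both) keeps one template per environment out of the role, and the `stg` in the secret's variable name could then be dropped too. Separately, `"client_secret": "{{ hubs_stg_oidc_secret }}"` produces invalid JSON if the secret ever contains a double quote or a backslash; emit it with `{{ hubs_stg_oidc_secret | to_json }}` and no surrounding quotes. I cannot see where `hubs_stg_oidc_secret` is defined; it should live in a vaulted vars file rather than plain group_vars.
```json
  "web": {
    "client_id": "hubs",
    "auth_uri": "https://{{ hubs_oidc_url }}/openidc/Authorization",
    "issuer": "https://{{ hubs_oidc_url }}/openidc/",
    "client_secret": {{ hubs_stg_oidc_secret | to_json }},
    "token_uri": "https://{{ hubs_oidc_url }}/openidc/Token",
    "userinfo_uri": "https://{{ hubs_oidc_url }}/openidc/UserInfo",
    "redirect_uris": [
      "{{ hubs_url }}/oidc_callback"
    ]
  }
```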