Try to clean up saml config.

2016-01-12 11:17:50 -05:00 · 2016-01-12 11:17:50 -05:00 · b3a3466dcc
commit b3a3466dcc
parent a93ec459da
8 changed files with 26 additions and 176 deletions
--- a/inventory/group_vars/pdc-web
+++ b/inventory/group_vars/pdc-web
@ -15,6 +15,10 @@ tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-releng

+# This just defines the CN of the saml2 cert we pull from the private repo
+# Don't be confused.  The app is actually served at apps.stg.fp.o/pdc
+pdc_domain: pdc.stg.fedoraproject.org
+
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
--- a/inventory/group_vars/pdc-web-stg
+++ b/inventory/group_vars/pdc-web-stg
@ -15,6 +15,10 @@ tcp_ports: [ 80 ]

 fas_client_groups: sysadmin-noc,sysadmin-releng

+# This just defines the CN of the saml2 cert we pull from the private repo
+# Don't be confused.  The app is actually served at apps.stg.fp.o/pdc
+pdc_domain: pdc.stg.fedoraproject.org
+
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
--- a/inventory/host_vars/pdc.fedorainfracloud.org
+++ b/inventory/host_vars/pdc.fedorainfracloud.org
@ -10,6 +10,7 @@ inventory_tenant: persistent
 inventory_instance_name: pdc
 hostbase: pdc.fedorainfracloud.org
 hostname: pdc.fedorainfracloud.org
+pdc_domain: pdc.fedorainfracloud.org
 public_ip: 209.132.184.106
 root_auth_users: pingou
 description: pdc development instance
--- a/roles/pdc/frontend/files/idp-metadata.xml
+++ b/roles/pdc/frontend/files/idp-metadata.xml
@ -1,83 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" val
-idUntil="2020-09-28T11:14:04.923891" entityID="http://id.stg.fedoraproject.org/saml2/metadata">
-  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
- BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
- MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
- cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
- AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
- sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
- ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
- wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
- gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
- zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
- Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
- aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
- yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
- KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
- 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
- LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
- IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
- DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
- yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
- /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
- 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
- hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
- Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
- GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
- FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
- DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
- 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:KeyDescriptor use="encryption">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
- BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
- MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
- cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
- AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
- sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
- ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
- wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
- gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
- zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
- Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
- aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
- yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
- KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
- 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
- LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
- IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
- DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
- yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
- /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
- 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
- hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
- Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
- GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
- FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
- DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
- 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.stg.fedoraproject.org/saml2/SSO/POST"/>
-    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SSO/Redirect"/>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SLO/Redirect"/>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
-  </md:IDPSSODescriptor>
-</md:EntityDescriptor>
-
--- a/roles/pdc/frontend/files/metadata.xml
+++ b/roles/pdc/frontend/files/metadata.xml
@ -1,33 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="P7D" entityID="https://pdc.fedorainfracloud.org/saml2">
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:KeyDescriptor use="signing">
-      <ds:KeyInfo>
-        <ds:X509Data>
-          <ds:X509Certificate>MIIDGTCCAgGgAwIBAgIJAISFaB3/KZDhMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
- BAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9yZzAeFw0xNTA5MzAxMDM4NTFaFw0y
- MDA5MjgxMDM4NTFaMCMxITAfBgNVBAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9y
- ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLA2h4tYn7tAFwFZ2JB
- xLLcpIY55/NpdQP1yLSfvD4huT3rWRLoojiEpIM61qgnJmVsZ4oPkkSmU3pWLrjw
- ZeD5XQimtg6GPHitjIIHhUgPDncpdGsbD1J/Jv7V/gj0CvI9ak0i9d0zxaKGaejP
- 0VL78xeaEPf53LQywqrV9iGDRpcJzQZrqwUvrSIDRn7SmUNvDYQL6voAO6la/43C
- O8oIMiGE/qNs8sK/KupifxjN4BvZzK6ofpYqhycwJFHUTZ5mAEXspINIOr8I43Ap
- F6+RDWyIt2G2GK7gwkLfNfb/3Lht8/oMjyiPvKuhSqaDbfcSwsU2A9k9vqV0ufL+
- +VUCAwEAAaNQME4wHQYDVR0OBBYEFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMB8GA1Ud
- IwQYMBaAFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggEBAHWk0SZYofIu0HP96D2RFghS7bcFGoTzG4uOK8v9cYtM3f3N
- O5NlmMNYeLG3wbBA+7pZgmIEReZkGlGq4kR4PqulKE4yymyuzIEUYFwlHfxrWCIH
- 7/A211WxTQRXBGT2h4+uwpqOOOUdd8KHBdRIzYKiNEBjUgbya9fObxPZK2jx7zUq
- qa7KneEXaZ86LqPQU6+dv3i4yZE7PkeJ3Pl5wVSIJ7dxIN+81YhfuL3poknqDYmJ
- 4QHNMcbS3gBaTTsUAUyfPXlAbWaGdypAuzxkwt9etX/bExs/0k28REwtZo9q04R4
- 8Ejlv4ckKIOFY7aO8saseB4A/n/oLfrW+/8qBnM=
-</ds:X509Certificate>
-        </ds:X509Data>
-      </ds:KeyInfo>
-    </md:KeyDescriptor>
-    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pdc.fedorainfracloud.org/saml2/logout"/>
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pdc.fedorainfracloud.org/saml2/postResponse" index="0"/>
-    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
-  </md:SPSSODescriptor>
-</md:EntityDescriptor>
-
--- a/roles/pdc/frontend/tasks/main.yml
+++ b/roles/pdc/frontend/tasks/main.yml
@ -49,20 +49,18 @@
        owner=apache group=apache mode=0775
  tags: pdc

- name: Install saml2 xml files
-  copy: >
-    src="{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
-    owner="apache" group="apache" mode=0600
-  with_items:
-    - metadata.xml
-    - idp-metadata.xml
+- name: Install saml2 idp file (which describes our ipsilon instances).
+  copy: src="{{ private }}/files/saml2/idp-{{env}}"
+        dest="/etc/httpd/saml2/idp-metadata.xml"
+        owner="apache" group="apache" mode=0600
  tags: pdc

- name: Install saml2 certs
-  copy: >
-    src="{{ private}}/files/httpd/{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
-    owner="apache" group="apache" mode=0600
+- name: Install domain-specific saml2 certs and metadata
+  copy: src="{{ private }}/files/saml2/{{ pdc_domain }}/{{ item }}"
+        dest="/etc/httpd/saml2/{{ item }}"
+        owner="apache" group="apache" mode=0600
  with_items:
-    - pdc.fedorainfracloud.org.pem
-    - pdc.fedorainfracloud.org.key
+    - certificate.pem
+    - certificate.key
+    - metadata.xml
  tags: pdc
--- a/roles/pdc/frontend/templates/pdc.conf
+++ b/roles/pdc/frontend/templates/pdc.conf
@ -3,25 +3,11 @@ WSGIPythonOptimize 1
 WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10

 <VirtualHost *:80>
-  ServerName {{ hostname }}
-  Redirect permanent / https://{{ hostname }}/
-</VirtualHost>
-
-
-<VirtualHost *:443>
    ServerName {{ hostname }}

    CustomLog /var/log/httpd/pdc-access.log combined
    ErrorLog /var/log/httpd/pdc-error.log

-    SSLEngine on
-    SSLProtocol all -SSLv2 -SSLv3
-    # Use secure TLSv1.1 and TLSv1.2 ciphers
-    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
-
-    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp

@ -49,15 +35,14 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
        Require all granted
        MellonEnable "info"
-        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
-        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
-        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
-        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
+        MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
+        MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
        MellonEndpointPath /saml2
        MellonVariable "saml-sesion-cookie"
        # Comment out the next two lines if you want to allow logins on bare HTTP
        MellonsecureCookie On
-        SSLRequireSSL
        MellonUser "NAME_ID"
        MellonIdP "IDP"
        MellonSessionLength 3600
@ -70,38 +55,12 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
        WSGIProcessGroup pdc
        MellonEnable "auth"
        Header append Cache-Control "no-cache"
-
-        ## Kerberos authentication:
-        #AuthType Kerberos
-        #AuthName "PDC - Kerberos login"
-        #KrbMethodNegotiate on
-        #KrbMethodK5Passwd on
-        #KrbAuthoritative on
-        #KrbServiceName HTTP
-        #KrbAuthRealm EXAMPLE.COM
-        #KrbVerifyKDC on
-        #Krb5Keytab /etc/httpd/conf/httpd.keytab
-        #KrbSaveCredentials off
-        #Require valid-user
    </Location>


    WSGIPassAuthorization On
    <Location /rest_api/v1/auth/token>
        WSGIProcessGroup pdc
-
-        ## Kerberos authentication:
-        #AuthType Kerberos
-        #AuthName "PDC - Kerberos login"
-        #KrbMethodNegotiate on
-        #KrbMethodK5Passwd off
-        #KrbAuthoritative on
-        #KrbServiceName HTTP
-        #KrbAuthRealm EXAMPLE.COM
-        #KrbVerifyKDC on
-        #Krb5Keytab /etc/httpd/conf/httpd.keytab
-        #KrbSaveCredentials off
-        #Require valid-user
    </Location>

    <Location "/static">
--- a/roles/pdc/frontend/templates/settings_local.py
+++ b/roles/pdc/frontend/templates/settings_local.py
@ -43,7 +43,7 @@ DEBUG = False

 # NOTE: this is needed when DEGUB is False.
 #       https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = ['{{ hostname }}']
+ALLOWED_HOSTS = ['{{ inventory_hostname }}']

 # Database settings
 DATABASES = {
@ -62,7 +62,7 @@ REST_API_VERSION = 'v1'

 BROWSABLE_DOCUMENT_MACROS = {
    # need to be rewrite with the real host name when deploy.
-    'HOST_NAME': 'http://{{ hostname }}:80',
+    'HOST_NAME': 'http://{{ inventory_hostname }}:80',
    # make consistent with rest api root.
    'API_PATH': '%s%s' % (REST_API_URL, REST_API_VERSION),
 }