diff --git a/inventory/group_vars/pdc-web b/inventory/group_vars/pdc-web
index 81b26484d3..7a01eedaf7 100644
--- a/inventory/group_vars/pdc-web
+++ b/inventory/group_vars/pdc-web
@@ -15,6 +15,10 @@ tcp_ports: [ 80 ]
fas_client_groups: sysadmin-noc,sysadmin-releng
+# This just defines the CN of the saml2 cert we pull from the private repo
+# Don't be confused. The app is actually served at apps.stg.fp.o/pdc
+pdc_domain: pdc.stg.fedoraproject.org
+
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
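Review bot: `pdc_domain: pdc.stg.fedoraproject.org` is added to `inventory/group_vars/pdc-web`, which by its name is the non-staging group, while the identical value and the same `apps.stg.fp.o/pdc` comment go into `pdc-web-stg` in the next hunk. Since the tasks hunk in `roles/pdc/frontend/tasks/main.yml` uses `pdc_domain` to choose which SP certificate, key and metadata directory is pulled from the private repo, the production group would be deployed with the staging SAML identity unless that is deliberate. If this is a copy-paste, this file should carry the production CN, e.g. `pdc_domain: <production pdc CN - placeholder>`, with the comment pointing at the production URL; if it is intended, say so in the comment so the next reader does not ask the same question.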
diff --git a/inventory/group_vars/pdc-web-stg b/inventory/group_vars/pdc-web-stg
index de5bfd3c2e..1c55f0735b 100644
--- a/inventory/group_vars/pdc-web-stg
+++ b/inventory/group_vars/pdc-web-stg
@@ -15,6 +15,10 @@ tcp_ports: [ 80 ]
fas_client_groups: sysadmin-noc,sysadmin-releng
+# This just defines the CN of the saml2 cert we pull from the private repo
+# Don't be confused. The app is actually served at apps.stg.fp.o/pdc
+pdc_domain: pdc.stg.fedoraproject.org
+
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:
- service: shell
diff --git a/inventory/host_vars/pdc.fedorainfracloud.org b/inventory/host_vars/pdc.fedorainfracloud.org
index c978e031ca..ef8df5b771 100644
--- a/inventory/host_vars/pdc.fedorainfracloud.org
+++ b/inventory/host_vars/pdc.fedorainfracloud.org
@@ -10,6 +10,7 @@ inventory_tenant: persistent
inventory_instance_name: pdc
hostbase: pdc.fedorainfracloud.org
hostname: pdc.fedorainfracloud.org
+pdc_domain: pdc.fedorainfracloud.org
public_ip: 209.132.184.106
root_auth_users: pingou
description: pdc development instance
diff --git a/roles/pdc/frontend/files/idp-metadata.xml b/roles/pdc/frontend/files/idp-metadata.xml
deleted file mode 100644
index cb32a83035..0000000000
--- a/roles/pdc/frontend/files/idp-metadata.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-
-
-
-
-
-
- MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
- BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
- MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
- cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
- AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
- sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
- ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
- wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
- gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
- zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
- Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
- aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
- yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
- KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
- 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
- LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
- IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
- DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
- yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
- /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
- 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
- hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
- Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
- GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
- FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
- DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
- 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
-
-
-
-
-
-
-
- MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
- BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
- MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
- cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
- AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
- sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
- ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
- wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
- gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
- zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
- Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
- aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
- yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
- KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
- 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
- LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
- IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
- DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
- yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
- /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
- 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
- hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
- Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
- GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
- FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
- DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
- 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
-
-
-
-
-
-
-
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-
-
-
diff --git a/roles/pdc/frontend/files/metadata.xml b/roles/pdc/frontend/files/metadata.xml
deleted file mode 100644
index 2e70121628..0000000000
--- a/roles/pdc/frontend/files/metadata.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-
-
-
-
-
-
- MIIDGTCCAgGgAwIBAgIJAISFaB3/KZDhMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
- BAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9yZzAeFw0xNTA5MzAxMDM4NTFaFw0y
- MDA5MjgxMDM4NTFaMCMxITAfBgNVBAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9y
- ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLA2h4tYn7tAFwFZ2JB
- xLLcpIY55/NpdQP1yLSfvD4huT3rWRLoojiEpIM61qgnJmVsZ4oPkkSmU3pWLrjw
- ZeD5XQimtg6GPHitjIIHhUgPDncpdGsbD1J/Jv7V/gj0CvI9ak0i9d0zxaKGaejP
- 0VL78xeaEPf53LQywqrV9iGDRpcJzQZrqwUvrSIDRn7SmUNvDYQL6voAO6la/43C
- O8oIMiGE/qNs8sK/KupifxjN4BvZzK6ofpYqhycwJFHUTZ5mAEXspINIOr8I43Ap
- F6+RDWyIt2G2GK7gwkLfNfb/3Lht8/oMjyiPvKuhSqaDbfcSwsU2A9k9vqV0ufL+
- +VUCAwEAAaNQME4wHQYDVR0OBBYEFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMB8GA1Ud
- IwQYMBaAFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMAwGA1UdEwQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggEBAHWk0SZYofIu0HP96D2RFghS7bcFGoTzG4uOK8v9cYtM3f3N
- O5NlmMNYeLG3wbBA+7pZgmIEReZkGlGq4kR4PqulKE4yymyuzIEUYFwlHfxrWCIH
- 7/A211WxTQRXBGT2h4+uwpqOOOUdd8KHBdRIzYKiNEBjUgbya9fObxPZK2jx7zUq
- qa7KneEXaZ86LqPQU6+dv3i4yZE7PkeJ3Pl5wVSIJ7dxIN+81YhfuL3poknqDYmJ
- 4QHNMcbS3gBaTTsUAUyfPXlAbWaGdypAuzxkwt9etX/bExs/0k28REwtZo9q04R4
- 8Ejlv4ckKIOFY7aO8saseB4A/n/oLfrW+/8qBnM=
-
-
-
-
-
-
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
-
-
-
diff --git a/roles/pdc/frontend/tasks/main.yml b/roles/pdc/frontend/tasks/main.yml
index 7564e32127..9f4bd6902b 100644
--- a/roles/pdc/frontend/tasks/main.yml
+++ b/roles/pdc/frontend/tasks/main.yml
@@ -49,20 +49,18 @@
owner=apache group=apache mode=0775
tags: pdc
-- name: Install saml2 xml files
- copy: >
- src="{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
- owner="apache" group="apache" mode=0600
- with_items:
- - metadata.xml
- - idp-metadata.xml
+- name: Install saml2 idp file (which describes our ipsilon instances).
+ copy: src="{{ private }}/files/saml2/idp-{{env}}"
+ dest="/etc/httpd/saml2/idp-metadata.xml"
+ owner="apache" group="apache" mode=0600
tags: pdc
-- name: Install saml2 certs
- copy: >
- src="{{ private}}/files/httpd/{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
- owner="apache" group="apache" mode=0600
+- name: Install domain-specific saml2 certs and metadata
+ copy: src="{{ private }}/files/saml2/{{ pdc_domain }}/{{ item }}"
+ dest="/etc/httpd/saml2/{{ item }}"
+ owner="apache" group="apache" mode=0600
with_items:
- - pdc.fedorainfracloud.org.pem
- - pdc.fedorainfracloud.org.key
+ - certificate.pem
+ - certificate.key
+ - metadata.xml
tags: pdc
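Review bot: Neither copy task in this hunk notifies httpd when `certificate.key`, `certificate.pem`, `metadata.xml` or `idp-metadata.xml` change, so a rotated SP key or refreshed IdP metadata only takes effect on the next unrelated restart; unless a handler is wired up elsewhere in the role (not visible here), a `notify:` to the role's httpd reload handler belongs on both tasks. As a point of style, `idp-{{env}}` uses different Jinja spacing from `{{ private }}` and `{{ pdc_domain }}` on the neighbouring lines; write it as `src="{{ private }}/files/saml2/idp-{{ env }}"`. The task name `Install saml2 idp file (which describes our ipsilon instances).` also ends with a period unlike the other task names in the file.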
diff --git a/roles/pdc/frontend/templates/pdc.conf b/roles/pdc/frontend/templates/pdc.conf
index 9f38cbaf25..f33b1f5c3b 100644
--- a/roles/pdc/frontend/templates/pdc.conf
+++ b/roles/pdc/frontend/templates/pdc.conf
@@ -3,25 +3,11 @@ WSGIPythonOptimize 1
WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-name=pdc processes=2 threads=1 shutdown-timeout=10
- ServerName {{ hostname }}
- Redirect permanent / https://{{ hostname }}/
-
-
-
-
ServerName {{ hostname }}
CustomLog /var/log/httpd/pdc-access.log combined
ErrorLog /var/log/httpd/pdc-error.log
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- # Use secure TLSv1.1 and TLSv1.2 ciphers
- Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
-
- SSLCertificateFile /etc/pki/tls/certs/localhost.crt
- SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
Alias /docs/ /usr/share/doc/pdc/docs/build/html/
Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
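Review bot: With the `:443` vhost, `SSLEngine on` and the `Strict-Transport-Security` header removed, this vhost now serves plain HTTP only, and nothing left in the file records that TLS is expected to be terminated upstream (the group_vars comment in this commit says the app is reached at apps.stg.fp.o/pdc). As far as I know mod_auth_mellon builds its SAML endpoint and ACS URLs from the scheme and `ServerName` httpd itself sees, so with `ServerName {{ hostname }}` and no TLS the IdP round-trip would be constructed as `http://{{ hostname }}/saml2/…` unless the proxy's scheme and name are conveyed to httpd; I cannot see the proxy side, so please confirm that the SP metadata in the private repo and the returned URLs agree. A comment above `ServerName {{ hostname }}` such as `# TLS is terminated by the proxy in front of us; this vhost is reached over plain HTTP only` would document the assumption, and the HSTS header should be verified as being set at the proxy since it is no longer emitted here.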
@@ -49,15 +35,14 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
Require all granted
MellonEnable "info"
- MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
- MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
- MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
- MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
+ MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
+ MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
+ MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
+ MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /saml2
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
MellonsecureCookie On
- SSLRequireSSL
MellonUser "NAME_ID"
MellonIdP "IDP"
MellonSessionLength 3600
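Review bot: The comment `# Comment out the next two lines if you want to allow logins on bare HTTP` is now stale: `SSLRequireSSL` was removed from the pair, so only `MellonsecureCookie On` follows it. Change it to `# Comment out the next line if you want to allow logins on bare HTTP`. Keeping `MellonsecureCookie On` is correct only while clients reach this vhost through an HTTPS front end, because the Secure-flagged session cookie is not sent by browsers over the plain-HTTP vhost this file now defines; stating that in the same comment would make the dependency on the proxy explicit.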
@@ -70,38 +55,12 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
WSGIProcessGroup pdc
MellonEnable "auth"
Header append Cache-Control "no-cache"
-
- ## Kerberos authentication:
- #AuthType Kerberos
- #AuthName "PDC - Kerberos login"
- #KrbMethodNegotiate on
- #KrbMethodK5Passwd on
- #KrbAuthoritative on
- #KrbServiceName HTTP
- #KrbAuthRealm EXAMPLE.COM
- #KrbVerifyKDC on
- #Krb5Keytab /etc/httpd/conf/httpd.keytab
- #KrbSaveCredentials off
- #Require valid-user
WSGIPassAuthorization On
WSGIProcessGroup pdc
-
- ## Kerberos authentication:
- #AuthType Kerberos
- #AuthName "PDC - Kerberos login"
- #KrbMethodNegotiate on
- #KrbMethodK5Passwd off
- #KrbAuthoritative on
- #KrbServiceName HTTP
- #KrbAuthRealm EXAMPLE.COM
- #KrbVerifyKDC on
- #Krb5Keytab /etc/httpd/conf/httpd.keytab
- #KrbSaveCredentials off
- #Require valid-user
diff --git a/roles/pdc/frontend/templates/settings_local.py b/roles/pdc/frontend/templates/settings_local.py
index 91bd8cf52f..9c65d77887 100644
--- a/roles/pdc/frontend/templates/settings_local.py
+++ b/roles/pdc/frontend/templates/settings_local.py
@@ -43,7 +43,7 @@ DEBUG = False
# NOTE: this is needed when DEGUB is False.
# https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = ['{{ hostname }}']
+ALLOWED_HOSTS = ['{{ inventory_hostname }}']
# Database settings
DATABASES = {
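Review bot: `ALLOWED_HOSTS = ['{{ inventory_hostname }}']` admits only the inventory name, but the group_vars comment in this commit says the app is reached as apps.stg.fp.o/pdc; if the front-end proxy preserves the client's Host header, Django will answer 400 (DisallowedHost) for every request, and only if the proxy rewrites Host to the backend name is the current list sufficient. I cannot see the proxy configuration, so confirm which name arrives; if the public one does, list it as well, e.g. `ALLOWED_HOSTS = ['{{ inventory_hostname }}', '<external app hostname - placeholder>']`. The `HOST_NAME` macro in the next hunk carries the same assumption and additionally hardcodes `http://…:80`, which will produce wrong links in the generated API docs if the public entry point is served over https.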
@@ -62,7 +62,7 @@ REST_API_VERSION = 'v1'
BROWSABLE_DOCUMENT_MACROS = {
# need to be rewrite with the real host name when deploy.
- 'HOST_NAME': 'http://{{ hostname }}:80',
+ 'HOST_NAME': 'http://{{ inventory_hostname }}:80',
# make consistent with rest api root.
'API_PATH': '%s%s' % (REST_API_URL, REST_API_VERSION),
}