Try to clean up saml config.

2016-01-12 11:17:50 -05:00 · 2016-01-12 11:17:50 -05:00 · b3a3466dcc
commit b3a3466dcc
parent a93ec459da
8 changed files with 26 additions and 176 deletions
--- a/inventory/group_vars/pdc-web
+++ b/inventory/group_vars/pdc-web
@ -15,6 +15,10 @@ tcp_ports: [ 80 ]
 fas_client_groups: sysadmin-noc,sysadmin-releng
 # This just defines the CN of the saml2 cert we pull from the private repo
 # Don't be confused.  The app is actually served at apps.stg.fp.o/pdc
 pdc_domain: pdc.stg.fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
--- a/inventory/group_vars/pdc-web-stg
+++ b/inventory/group_vars/pdc-web-stg
@ -15,6 +15,10 @@ tcp_ports: [ 80 ]
 fas_client_groups: sysadmin-noc,sysadmin-releng
 # This just defines the CN of the saml2 cert we pull from the private repo
 # Don't be confused.  The app is actually served at apps.stg.fp.o/pdc
 pdc_domain: pdc.stg.fedoraproject.org
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
 - service: shell
--- a/inventory/host_vars/pdc.fedorainfracloud.org
+++ b/inventory/host_vars/pdc.fedorainfracloud.org
@ -10,6 +10,7 @@ inventory_tenant: persistent
 inventory_instance_name: pdc
 hostbase: pdc.fedorainfracloud.org
 hostname: pdc.fedorainfracloud.org
 pdc_domain: pdc.fedorainfracloud.org
 public_ip: 209.132.184.106
 root_auth_users: pingou
 description: pdc development instance
--- a/roles/pdc/frontend/files/idp-metadata.xml
+++ b/roles/pdc/frontend/files/idp-metadata.xml
@ -1,83 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" val
 idUntil="2020-09-28T11:14:04.923891" entityID="http://id.stg.fedoraproject.org/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
 BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
 MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
 cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
 AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
 sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
 ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
 wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
 gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
 zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
 Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
 aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
 yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
 KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
 LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
 IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
 hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
 DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
 yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
 /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
 hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
 Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
 GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
 FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
 DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
 </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIFOTCCAyGgAwIBAgIJAOtrg+MpYNUgMA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNV
 BAMMKGlkLmZlZG9yYXByb2plY3Qub3JnIFNURyBURU1QT1JBUlkgU0FNTDIwHhcN
 MTUwOTMwMDkxMzU3WhcNMTUxMDMwMDkxMzU3WjAzMTEwLwYDVQQDDChpZC5mZWRv
 cmFwcm9qZWN0Lm9yZyBTVEcgVEVNUE9SQVJZIFNBTUwyMIICIjANBgkqhkiG9w0B
 AQEFAAOCAg8AMIICCgKCAgEAt1mvOsVxRm9O+dT0QIYxl0vmqQQ4MhQA3wboEeBp
 sQYjM2te+2Q/7OOwklVdD5g/rgXuDwOH6ztt1Y6UJmMC9RQCSJ5YNFe95hOE0H+P
 ar9/9xm6hlwqxp9S1NftO7G6x7Zad/QHURcQit2EeDJAox/LEk3FEti03Q2tSPBa
 wpNk/AUwkXnGn+bQ142JxvfJaO8sdxPpww1955SxKnJ3ClaPw3Qs0SLbD7cQQnyu
 gQne0jBNPS5LkXS7DKmPBXY7R7der2gx3Wr6TxHNCcqMruL/RHmGKEB/KnFqxDK1
 zNrcUyyghHGBRtGqbJw37kQBWtuoE67iyAiHQWnn4onNHTFeP1SfpzFIM3ya8Iew
 Awh93IH2YAAd3SxNsCE27iZej2+8OikkWp6rpG36apskwKLAmOTKATqAII49u32o
 aYqMe3LEORzmoR45/FGmQ8fPTxIXoT9kkA8nS3Xa1f6BaGnlxPu+VNAYEQx5hzX1
 yhjSEiIcyowIx4/Frp+XHn7USQHb0jBkBGTWlo3QRO3LDarTmcoJZIrMK1fISggv
 KJ1jUisrboFm0hX4O0F6TAx9UbWGIpgTiEjynDbBgIWsElGaTOfafPOFAVVusW5W
 6na5R0sKDiaw5Ej3tMz5gTlSLk+0Vfc/tQphqIgXu1BIQ5gghyDUAEZRIe7iFEnu
 LqUCAwEAAaNQME4wHQYDVR0OBBYEFFIneEZsGOpk6nVXammdrrRVyG5/MB8GA1Ud
 IwQYMBaAFFIneEZsGOpk6nVXammdrrRVyG5/MAwGA1UdEwQFMAMBAf8wDQYJKoZI
 hvcNAQELBQADggIBAGqXB//gUKBAUFHB4i45/70vWID2lYMu2nFvd7SWI1oc0n78
 DTlqFDYDyV05V/qCnezjAb+6KUyyeyAevgZPaDswCVd2aygYGDE9RsvOy60UhZ1c
 yfgVx2l/YLzO4bWNKllxpfbLVHTfKo8MfFa99ClN6Y+t8+fucTS2+WOq5MYd5lKS
 /4FY7QYq645oYHAlQzOV2PHAcMDbhtaEJJ4CXh4//ArM/NE73NYaH4SGQW1xVD7D
 8zS/0TGYDX6MNQvRwzihtKVEtUAGj1zIZZUYFd9+mx4Ir3OBnRozSe8LkfaWYd13
 hlRLINzOEQ3ebSGGRlgeFYXw+cTpn64KoyE56CcL//dxZS27LGBIMAul0eARoa6U
 Y1DYkZ178QugycphmLCkxe2/Qe9xZjn0ghycxiYAlPqGFG87pW8UC162B7eklOuR
 GO/BqcKZcO5GPyWkuslUpx8w0bOnCgXKxVzbt5BGBMvSMxe/QCw9x4sXnKGUtHaV
 FqnKqa/sxkfQ8HltSvft8goNw13/I+J5ERHdif0EyI83ba+CyGwEjCe8uZYjp2G3
 DqtUXjiYReHTYZr6R9Xgts0RKf44wVJ3D7Fs7P2dBGI7b/R/8HHv9HM+/HcbkRhA
 25vdCBgg+KF3u3bZZlUp82PkOtRFcr4kb3GwS4FAaxRC5i/8Z4qI2ICNZFPN
 </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://id.stg.fedoraproject.org/saml2/SSO/POST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SSO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://id.stg.fedoraproject.org/saml2/SLO/Redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
--- a/roles/pdc/frontend/files/metadata.xml
+++ b/roles/pdc/frontend/files/metadata.xml
@ -1,33 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="P7D" entityID="https://pdc.fedorainfracloud.org/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDGTCCAgGgAwIBAgIJAISFaB3/KZDhMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
 BAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9yZzAeFw0xNTA5MzAxMDM4NTFaFw0y
 MDA5MjgxMDM4NTFaMCMxITAfBgNVBAMMGHBkYy5mZWRvcmFpbmZyYWNsb3VkLm9y
 ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLA2h4tYn7tAFwFZ2JB
 xLLcpIY55/NpdQP1yLSfvD4huT3rWRLoojiEpIM61qgnJmVsZ4oPkkSmU3pWLrjw
 ZeD5XQimtg6GPHitjIIHhUgPDncpdGsbD1J/Jv7V/gj0CvI9ak0i9d0zxaKGaejP
 0VL78xeaEPf53LQywqrV9iGDRpcJzQZrqwUvrSIDRn7SmUNvDYQL6voAO6la/43C
 O8oIMiGE/qNs8sK/KupifxjN4BvZzK6ofpYqhycwJFHUTZ5mAEXspINIOr8I43Ap
 F6+RDWyIt2G2GK7gwkLfNfb/3Lht8/oMjyiPvKuhSqaDbfcSwsU2A9k9vqV0ufL+
 +VUCAwEAAaNQME4wHQYDVR0OBBYEFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMB8GA1Ud
 IwQYMBaAFMy2MUOk6B9kN0nLDO4w7Ja/oL2dMAwGA1UdEwQFMAMBAf8wDQYJKoZI
 hvcNAQELBQADggEBAHWk0SZYofIu0HP96D2RFghS7bcFGoTzG4uOK8v9cYtM3f3N
 O5NlmMNYeLG3wbBA+7pZgmIEReZkGlGq4kR4PqulKE4yymyuzIEUYFwlHfxrWCIH
 7/A211WxTQRXBGT2h4+uwpqOOOUdd8KHBdRIzYKiNEBjUgbya9fObxPZK2jx7zUq
 qa7KneEXaZ86LqPQU6+dv3i4yZE7PkeJ3Pl5wVSIJ7dxIN+81YhfuL3poknqDYmJ
 4QHNMcbS3gBaTTsUAUyfPXlAbWaGdypAuzxkwt9etX/bExs/0k28REwtZo9q04R4
 8Ejlv4ckKIOFY7aO8saseB4A/n/oLfrW+/8qBnM=
 </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pdc.fedorainfracloud.org/saml2/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pdc.fedorainfracloud.org/saml2/postResponse" index="0"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
--- a/roles/pdc/frontend/tasks/main.yml
+++ b/roles/pdc/frontend/tasks/main.yml
@ -49,20 +49,18 @@
        owner=apache group=apache mode=0775
  tags: pdc
- name: Install saml2 xml files
+- name: Install saml2 idp file (which describes our ipsilon instances).
-  copy: >
+  copy: src="{{ private }}/files/saml2/idp-{{env}}"
-    src="{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
+        dest="/etc/httpd/saml2/idp-metadata.xml"
        owner="apache" group="apache" mode=0600
  with_items:
    - metadata.xml
    - idp-metadata.xml
  tags: pdc
- name: Install saml2 certs
+- name: Install domain-specific saml2 certs and metadata
-  copy: >
+  copy: src="{{ private }}/files/saml2/{{ pdc_domain }}/{{ item }}"
-    src="{{ private}}/files/httpd/{{ item }}" dest="/etc/httpd/saml2/{{ item }}"
+        dest="/etc/httpd/saml2/{{ item }}"
        owner="apache" group="apache" mode=0600
  with_items:
-    - pdc.fedorainfracloud.org.pem
+    - certificate.pem
-    - pdc.fedorainfracloud.org.key
+    - certificate.key
    - metadata.xml
  tags: pdc
--- a/roles/pdc/frontend/templates/pdc.conf
+++ b/roles/pdc/frontend/templates/pdc.conf
@ -4,24 +4,10 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
 <VirtualHost *:80>
    ServerName {{ hostname }}
  Redirect permanent / https://{{ hostname }}/
 </VirtualHost>
 <VirtualHost *:443>
    ServerName {{ hostname }}
    CustomLog /var/log/httpd/pdc-access.log combined
    ErrorLog /var/log/httpd/pdc-error.log
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    Alias /docs/ /usr/share/doc/pdc/docs/build/html/
    Alias /saml2protected /usr/share/ipsilon/ui/saml2sp
@ -49,15 +35,14 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript application/x-javascript text/css
        Require all granted
        MellonEnable "info"
-        MellonSPPrivateKeyFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.key"
+        MellonSPPrivateKeyFile "/etc/httpd/saml2/certificate.key"
-        MellonSPCertFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/certificate.pem"
+        MellonSPCertFile "/etc/httpd/saml2/certificate.pem"
-        MellonSPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/metadata.xml"
+        MellonSPMetadataFile "/etc/httpd/saml2/metadata.xml"
-        MellonIdPMetadataFile "/etc/httpd/saml2/pdc.fedorainfracloud.org/idp-metadata.xml"
+        MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
        MellonEndpointPath /saml2
        MellonVariable "saml-sesion-cookie"
        # Comment out the next two lines if you want to allow logins on bare HTTP
        MellonsecureCookie On
        SSLRequireSSL
        MellonUser "NAME_ID"
        MellonIdP "IDP"
        MellonSessionLength 3600
@ -70,38 +55,12 @@ WSGIDaemonProcess pdc user=apache group=apache maximum-requests=1000 display-nam
        WSGIProcessGroup pdc
        MellonEnable "auth"
        Header append Cache-Control "no-cache"
        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd on
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>
    WSGIPassAuthorization On
    <Location /rest_api/v1/auth/token>
        WSGIProcessGroup pdc
        ## Kerberos authentication:
        #AuthType Kerberos
        #AuthName "PDC - Kerberos login"
        #KrbMethodNegotiate on
        #KrbMethodK5Passwd off
        #KrbAuthoritative on
        #KrbServiceName HTTP
        #KrbAuthRealm EXAMPLE.COM
        #KrbVerifyKDC on
        #Krb5Keytab /etc/httpd/conf/httpd.keytab
        #KrbSaveCredentials off
        #Require valid-user
    </Location>
    <Location "/static">
--- a/roles/pdc/frontend/templates/settings_local.py
+++ b/roles/pdc/frontend/templates/settings_local.py
@ -43,7 +43,7 @@ DEBUG = False
 # NOTE: this is needed when DEGUB is False.
 #       https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
-ALLOWED_HOSTS = ['{{ hostname }}']
+ALLOWED_HOSTS = ['{{ inventory_hostname }}']
 # Database settings
 DATABASES = {
@ -62,7 +62,7 @@ REST_API_VERSION = 'v1'
 BROWSABLE_DOCUMENT_MACROS = {
    # need to be rewrite with the real host name when deploy.
-    'HOST_NAME': 'http://{{ hostname }}:80',
+    'HOST_NAME': 'http://{{ inventory_hostname }}:80',
    # make consistent with rest api root.
    'API_PATH': '%s%s' % (REST_API_URL, REST_API_VERSION),
 }