diff --git a/playbooks/groups/fedoauth.yml b/playbooks/groups/fedoauth.yml
index 2ae4b582d8..9debab9908 100644
--- a/playbooks/groups/fedoauth.yml
+++ b/playbooks/groups/fedoauth.yml
@@ -65,8 +65,7 @@
   - "{{ vars_path }}/{{ ansible_distribution }}.yml"
   roles:
-  - { role: fedoauth, when: env != 'staging' }
-  - { role: fedoauth-stg, when: env == 'staging' }
+  - fedoauth
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/fedoauth-stg/tasks/main.yml b/roles/fedoauth-stg/tasks/main.yml
deleted file mode 100644
index c37a3ffea4..0000000000
--- a/roles/fedoauth-stg/tasks/main.yml
+++ /dev/null
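Review bot: With the role now applied unconditionally, the staging/production split rests entirely on `env` tests inside the role's tasks and templates; the removed `when: env != 'staging'` guards would have aborted the play on an undefined `env`, whereas a Jinja `{% if env == 'staging' %}` in a template silently renders the production branch (production URLs, production key path) when `env` is undefined — inferred from Jinja's undefined semantics, not visible in this hunk. A `pre_tasks` guard such as `- assert: { that: "env is defined" }` would keep the old fail-closed behaviour for a mis-inventoried host.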
@@ -1,68 +0,0 @@
----
-# Configuration for the fedoauth webapp
-
-- name: clean yum metadata
-  command: yum clean all
-  tags:
-  - packages
-
-- name: install needed packages
-  yum: pkg={{ item }} state=installed
-  with_items:
-  - fedoauth
-  - fedoauth-template-fedora
-  - fedoauth-backend-fedora
-  - fedoauth-provider-openid
-  - fedoauth-provider-persona
-  - python-psycopg2
-  - libsemanage-python
-  tags:
-  - packages
-
-- name: copy fedoauth configuration
-  template: src=fedoauth.cfg
-            dest=/etc/fedoauth/fedoauth.cfg
-            owner=fedoauth group=fedoauth mode=0600
-  tags:
-  - config
-  notify:
-  - restart apache
-
-- name: copy fedoauth logging configuration
-  template: src=fedoauth.log.cfg
-            dest=/etc/fedoauth/fedoauth.log.cfg
-            owner=fedoauth group=fedoauth mode=0600
-  tags:
-  - config
-  notify:
-  - restart apache
-
-- name: copy fedoauth private key
-  copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
-        owner=fedoauth group=fedoauth mode=0600
-  when: env != "staging"
-
-- name: copy fedoauth STG private key
-  copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key
-        owner=fedoauth group=fedoauth mode=0600
-  when: env == "staging"
-
-- name: create the database scheme
-  command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
-  environment:
-      FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
-
-- name: set sebooleans so fedoauth can talk to the db
-  action: seboolean name=httpd_can_network_connect_db
-              state=true
-              persistent=true
-
-- name: set sebooleans so fedoauth can send error logs
-  action: seboolean name=httpd_can_network_connect
-              state=true
-              persistent=true
-
-- name: apply selinux type to the wsgi file
-  file: >
-      dest=/usr/share/fedoauth/fedoauth.wsgi
-      setype=httpd_sys_content_t
diff --git a/roles/fedoauth-stg/templates/fedoauth.cfg b/roles/fedoauth-stg/templates/fedoauth.cfg
deleted file mode 100644
index 0d11e39d3a..0000000000
--- a/roles/fedoauth-stg/templates/fedoauth.cfg
+++ /dev/null
@@ -1,85 +0,0 @@
-# Beware that the quotes around the values are mandatory
-
-# GENERAL CONFIGURATION
-{% if env == 'staging' %}
-SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
-{% else %}
-SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
-{% endif %}
-
-
-GLOBAL = {'reverse_proxied': True,
-          'cookies_secure': True,
-          'transactions_timeout': 5,
-          'template_dir': '/usr/share/fedoauth/templates/fedora/',
-          'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
-          'secret_key': '{{ fedoauth_secret_key }}',
-
-{% if env == 'staging' %}
-          'url_root': 'https://id.stg.fedoraproject.org',
-          'static_content_root': 'https://id.stg.fedoraproject.org/static',
-          'enable_test_endpoint': True,
-{% else %}
-          'url_root': 'https://id.fedoraproject.org',
-          'static_content_root': 'https://id.fedoraproject.org/static',
-          'enable_test_endpoint': False,
-{% endif %}
-}
-
-
-AUTH_MODULE_CONFIGURATION = {
-    # This module authenticates against the Fedora Account System
-    # (https://admin.fedoraproject.org/accounts/)
-    'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
-                                   'listed': True,
-                                   'select_image': '/static/fedora/fedora-authn-logo-white.png',
-                                   'reauth_timeout': 5,
-                                   'user_agent': 'FedOAuth',
-                                   'check_cert': True,
-{% if env == 'staging' %}
-                                   'email_auth_domains': ['stg.fedoraproject.org'],
-                                   'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
-{% else %}
-                                   'email_auth_domains': ['fedoraproject.org'],
-                                   'base_url': 'https://admin.fedoraproject.org/accounts/',
-{% endif %}
-                                   }
-}
-
-
-AUTH_PROVIDER_CONFIGURATION = {
-    'fedoauth.provider.persona': {'enabled': True,
-{% if env == 'staging' %}
-                                  'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
-                                  'private_key': {'path': '/etc/fedoauth/persona.stg.key',
-                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% else %}
-                                  'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
-                                  'private_key': {'path': '/etc/fedoauth/persona.key',
-                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% endif %}
-                                  },
-    'fedoauth.provider.openid': {'enabled': True,
-{% if env == 'staging' %}
-                                 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
-                                 'trusted_roots': [],
-{% else %}
-                                 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
-                                 'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
-                                                   'https://ask.fedoraproject.org/',
-                                                   'https://fedorahosted.org/',
-                                                   'https://badges.fedoraproject.org',
-                                                   'https://apps.fedoraproject.org/tagger/',
-                                                   'https://apps.fedoraproject.org/nuancier/',
-                                                   'https://apps.fedoraproject.org/datagrepper/',
-                                                   'https://apps.fedoraproject.org/calendar/',
-                                                   'http://apps.fedoraproject.org/notifications/',
-                                                   'http://copr.fedoraproject.org/',
-                                                   'http://copr-fe.cloud.fedoraproject.org/',
-                                                   'https://admin.fedoraproject.org/pkgdb/',
-                                                   'https://apps.fedoraproject.org/github2fedmsg'],
-{% endif %}
-                                 'non_trusted_roots': [],
-                                 'handle_magic_groups_value': True
-                                 }
-}
diff --git a/roles/fedoauth/tasks/main.yml b/roles/fedoauth/tasks/main.yml
index 5e9b5c84c0..c37a3ffea4 100644
--- a/roles/fedoauth/tasks/main.yml
+++ b/roles/fedoauth/tasks/main.yml
@@ -12,6 +12,8 @@
   - fedoauth
   - fedoauth-template-fedora
   - fedoauth-backend-fedora
+  - fedoauth-provider-openid
+  - fedoauth-provider-persona
   - python-psycopg2
   - libsemanage-python
   tags:
@@ -26,6 +28,15 @@
   notify:
   - restart apache
+- name: copy fedoauth logging configuration
+  template: src=fedoauth.log.cfg
+            dest=/etc/fedoauth/fedoauth.log.cfg
+            owner=fedoauth group=fedoauth mode=0600
+  tags:
+  - config
+  notify:
+  - restart apache
+
 - name: copy fedoauth private key
   copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
         owner=fedoauth group=fedoauth mode=0600
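Review bot: The new logging-configuration task writes its module arguments as a `key=value` string folded over three lines, which matches the rest of this file but is the form ansible-lint and yamllint flag, and it hides the fact that in block form the file mode must be quoted (`mode: "0600"`) or YAML reads it as an octal integer. Converting only this task would be inconsistent with its neighbours, so treat the rewrite below as a file-wide follow-up rather than a blocker on the hunk.

```yaml
- name: copy fedoauth logging configuration
  template:
    src: fedoauth.log.cfg
    dest: /etc/fedoauth/fedoauth.log.cfg
    owner: fedoauth
    group: fedoauth
    mode: "0600"
  # … unchanged: tags and notify …
```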
@@ -46,6 +57,11 @@
               state=true
               persistent=true
+- name: set sebooleans so fedoauth can send error logs
+  action: seboolean name=httpd_can_network_connect
+              state=true
+              persistent=true
+
 - name: apply selinux type to the wsgi file
   file: >
       dest=/usr/share/fedoauth/fedoauth.wsgi
diff --git a/roles/fedoauth/templates/fedoauth.cfg b/roles/fedoauth/templates/fedoauth.cfg
index 6dbf1792b9..0d11e39d3a 100644
--- a/roles/fedoauth/templates/fedoauth.cfg
+++ b/roles/fedoauth/templates/fedoauth.cfg
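Review bot: `httpd_can_network_connect=true` in the new task lets the whole httpd domain open outbound connections to any port, which is far broader than what "send error logs" needs and undoes much of the containment the existing, narrower `httpd_can_network_connect_db` boolean preserves. The logging config that drives this is not in the hunk, so this is an inference: if the handler in `fedoauth.log.cfg` mails errors out, `httpd_can_sendmail` is the narrower boolean; if it ships logs to one host and port, labelling that port with `semanage port` is tighter than a blanket boolean. At minimum a comment above the task naming the destination and why the broad boolean was chosen, e.g. `# fedoauth.log.cfg sends errors over the network; revisit for a narrower port label`, would let the next person tighten it.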
@@ -1,67 +1,85 @@
 # Beware that the quotes around the values are mandatory
 # GENERAL CONFIGURATION
-### url to the database server:
 {% if env == 'staging' %}
 SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
 {% else %}
 SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
 {% endif %}
-# This is the OpenID endpoint url, at which the server is available
+
+GLOBAL = {'reverse_proxied': True,
+          'cookies_secure': True,
+          'transactions_timeout': 5,
+          'template_dir': '/usr/share/fedoauth/templates/fedora/',
+          'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
+          'secret_key': '{{ fedoauth_secret_key }}',
+
 {% if env == 'staging' %}
-WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'
-COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
-OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
-PERSONA_DOMAIN = 'stg.fedoraproject.org'
-PERSONA_ISSUER = 'id.stg.fedoraproject.org'
-PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key'
+          'url_root': 'https://id.stg.fedoraproject.org',
+          'static_content_root': 'https://id.stg.fedoraproject.org/static',
+          'enable_test_endpoint': True,
 {% else %}
-WEBSITE_ROOT = 'https://id.fedoraproject.org'
-COOKIE_DOMAIN = 'id.fedoraproject.org'
-OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/'
-PERSONA_DOMAIN = 'fedoraproject.org'
-PERSONA_ISSUER = 'id.fedoraproject.org'
-PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
+          'url_root': 'https://id.fedoraproject.org',
+          'static_content_root': 'https://id.fedoraproject.org/static',
+          'enable_test_endpoint': False,
 {% endif %}
-# This needs to be disabled because we use reverse proxies
-COOKIE_CHECK_REMOTE_ADDR = False
-COOKIE_SECURE = True
+}
-# Modules to use
-AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
-# FAS PROVIDER CONFIGURATION
-FAS_USER_AGENT = 'FAS-OpenID'
-FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
-FAS_CHECK_CERT=True
-FAS_HTTPS_REQUIRED=True
-FAS_HANDLE_GROUPS_MAGIC_VALUE=True
+AUTH_MODULE_CONFIGURATION = {
+    # This module authenticates against the Fedora Account System
+    # (https://admin.fedoraproject.org/accounts/)
+    'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
+                                   'listed': True,
+                                   'select_image': '/static/fedora/fedora-authn-logo-white.png',
+                                   'reauth_timeout': 5,
+                                   'user_agent': 'FedOAuth',
+                                   'check_cert': True,
+{% if env == 'staging' %}
+                                   'email_auth_domains': ['stg.fedoraproject.org'],
+                                   'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
+{% else %}
+                                   'email_auth_domains': ['fedoraproject.org'],
+                                   'base_url': 'https://admin.fedoraproject.org/accounts/',
+{% endif %}
+                                   }
+}
-# Enable a filter to make this only available to a specific list of users
-FAS_AVAILABLE_FILTER = False
-FAS_AVAILABLE_TO = []
-# PERSONA CONFIGURATION
-# This is the domain for which we are willing to sign
-PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'
-
-# OPENID CONFIGURATION
-# This is the OpenID url provided to users. Add %(username)s where the username should be entered
-# A list of trust roots for which the user will not need to confirm again
-OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
-                        'https://ask.fedoraproject.org/',
-                        'https://fedorahosted.org/',
-                        'https://badges.fedoraproject.org',
-                        'https://apps.fedoraproject.org/tagger/',
-                        'https://apps.fedoraproject.org/nuancier/',
-                        'https://apps.fedoraproject.org/datagrepper/',
-                        'https://apps.fedoraproject.org/calendar/',
-                        'http://apps.fedoraproject.org/notifications/',
-                        'http://copr.fedoraproject.org/',
-                        'http://copr-fe.cloud.fedoraproject.org/',
-                        'https://admin.fedoraproject.org/pkgdb/',
-                        'https://apps.fedoraproject.org/github2fedmsg']
-OPENID_NON_TRUSTED_ROOTS = []
-### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
-OPENID_MAX_AUTH_TIME = 120
+AUTH_PROVIDER_CONFIGURATION = {
+    'fedoauth.provider.persona': {'enabled': True,
+{% if env == 'staging' %}
+                                  'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
+                                  'private_key': {'path': '/etc/fedoauth/persona.stg.key',
+                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
+{% else %}
+                                  'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
+                                  'private_key': {'path': '/etc/fedoauth/persona.key',
+                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
+{% endif %}
+                                  },
+    'fedoauth.provider.openid': {'enabled': True,
+{% if env == 'staging' %}
+                                 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
+                                 'trusted_roots': [],
+{% else %}
+                                 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
+                                 'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
+                                                   'https://ask.fedoraproject.org/',
+                                                   'https://fedorahosted.org/',
+                                                   'https://badges.fedoraproject.org',
+                                                   'https://apps.fedoraproject.org/tagger/',
+                                                   'https://apps.fedoraproject.org/nuancier/',
+                                                   'https://apps.fedoraproject.org/datagrepper/',
+                                                   'https://apps.fedoraproject.org/calendar/',
+                                                   'http://apps.fedoraproject.org/notifications/',
+                                                   'http://copr.fedoraproject.org/',
+                                                   'http://copr-fe.cloud.fedoraproject.org/',
+                                                   'https://admin.fedoraproject.org/pkgdb/',
+                                                   'https://apps.fedoraproject.org/github2fedmsg'],
+{% endif %}
+                                 'non_trusted_roots': [],
+                                 'handle_magic_groups_value': True
+                                 }
+}
diff --git a/roles/fedoauth-stg/templates/fedoauth.log.cfg b/roles/fedoauth/templates/fedoauth.log.cfg
similarity index 100%
rename from roles/fedoauth-stg/templates/fedoauth.log.cfg
rename to roles/fedoauth/templates/fedoauth.log.cfg
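Review bot: Four of the production `trusted_roots` on the new side are plain `http://` URLs (jenkins, notifications, copr, copr-fe); the removed comment on the old side says these are the relying parties the user is never asked to confirm, so an auto-approved OpenID assertion is handed back to those sites over cleartext with no chance for the user to notice. They are carried over from the old `OPENID_TRUSTED_ROOTS`, so this is pre-existing rather than introduced here, but the rewrite is the moment to move them to `https://` or demote them to `non_trusted_roots` so the confirmation prompt at least shows. The new dicts also lost every explanatory comment the old file carried, including the unit for the timeouts (the old `OPENID_MAX_AUTH_TIME` was documented as minutes; `transactions_timeout` and `reauth_timeout` now say nothing) and why reverse-proxy handling is on; a one-line comment per setting, e.g. `# reverse_proxied: the app sits behind our proxies, so trust forwarded headers rather than the peer address — confirm against fedoauth docs`, would keep that knowledge with the config.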