Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Move FedOAuth 3 to production

Browse source
This commit is contained in:
Patrick Uiterwijk 2014-06-22 00:57:52 +00:00
parent 9ac7e0dd64
commit c3a57dcaee
6 changed files with 86 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

3
playbooks/groups/fedoauth.yml
View file

@ -65,8 +65,7 @@
- "{{ vars_path }}/{{ ansible_distribution }}.yml" - "{{ vars_path }}/{{ ansible_distribution }}.yml"
roles: roles:
- { role: fedoauth, when: env != 'staging' } - fedoauth
- { role: fedoauth-stg, when: env == 'staging' }
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"

68
roles/fedoauth-stg/tasks/main.yml
View file

@ -1,68 +0,0 @@
---
# Configuration for the fedoauth webapp
- name: clean yum metadata
command: yum clean all
tags:
- packages
- name: install needed packages
yum: pkg={{ item }} state=installed
with_items:
- fedoauth
- fedoauth-template-fedora
- fedoauth-backend-fedora
- fedoauth-provider-openid
- fedoauth-provider-persona
- python-psycopg2
- libsemanage-python
tags:
- packages
- name: copy fedoauth configuration
template: src=fedoauth.cfg
dest=/etc/fedoauth/fedoauth.cfg
owner=fedoauth group=fedoauth mode=0600
tags:
- config
notify:
- restart apache
- name: copy fedoauth logging configuration
template: src=fedoauth.log.cfg
dest=/etc/fedoauth/fedoauth.log.cfg
owner=fedoauth group=fedoauth mode=0600
tags:
- config
notify:
- restart apache
- name: copy fedoauth private key
copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
owner=fedoauth group=fedoauth mode=0600
when: env != "staging"
- name: copy fedoauth STG private key
copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key
owner=fedoauth group=fedoauth mode=0600
when: env == "staging"
- name: create the database scheme
command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
environment:
FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
- name: set sebooleans so fedoauth can talk to the db
action: seboolean name=httpd_can_network_connect_db
state=true
persistent=true
- name: set sebooleans so fedoauth can send error logs
action: seboolean name=httpd_can_network_connect
state=true
persistent=true
- name: apply selinux type to the wsgi file
file: >
dest=/usr/share/fedoauth/fedoauth.wsgi
setype=httpd_sys_content_t

85
roles/fedoauth-stg/templates/fedoauth.cfg
View file

@ -1,85 +0,0 @@
# Beware that the quotes around the values are mandatory
# GENERAL CONFIGURATION
{% if env == 'staging' %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
{% else %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
{% endif %}
GLOBAL = {'reverse_proxied': True,
'cookies_secure': True,
'transactions_timeout': 5,
'template_dir': '/usr/share/fedoauth/templates/fedora/',
'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
'secret_key': '{{ fedoauth_secret_key }}',
{% if env == 'staging' %}
'url_root': 'https://id.stg.fedoraproject.org',
'static_content_root': 'https://id.stg.fedoraproject.org/static',
'enable_test_endpoint': True,
{% else %}
'url_root': 'https://id.fedoraproject.org',
'static_content_root': 'https://id.fedoraproject.org/static',
'enable_test_endpoint': False,
{% endif %}
}
AUTH_MODULE_CONFIGURATION = {
# This module authenticates against the Fedora Account System
# (https://admin.fedoraproject.org/accounts/)
'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
'listed': True,
'select_image': '/static/fedora/fedora-authn-logo-white.png',
'reauth_timeout': 5,
'user_agent': 'FedOAuth',
'check_cert': True,
{% if env == 'staging' %}
'email_auth_domains': ['stg.fedoraproject.org'],
'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
{% else %}
'email_auth_domains': ['fedoraproject.org'],
'base_url': 'https://admin.fedoraproject.org/accounts/',
{% endif %}
}
}
AUTH_PROVIDER_CONFIGURATION = {
'fedoauth.provider.persona': {'enabled': True,
{% if env == 'staging' %}
'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
'private_key': {'path': '/etc/fedoauth/persona.stg.key',
'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
{% else %}
'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
'private_key': {'path': '/etc/fedoauth/persona.key',
'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
{% endif %}
},
'fedoauth.provider.openid': {'enabled': True,
{% if env == 'staging' %}
'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
'trusted_roots': [],
{% else %}
'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
'https://ask.fedoraproject.org/',
'https://fedorahosted.org/',
'https://badges.fedoraproject.org',
'https://apps.fedoraproject.org/tagger/',
'https://apps.fedoraproject.org/nuancier/',
'https://apps.fedoraproject.org/datagrepper/',
'https://apps.fedoraproject.org/calendar/',
'http://apps.fedoraproject.org/notifications/',
'http://copr.fedoraproject.org/',
'http://copr-fe.cloud.fedoraproject.org/',
'https://admin.fedoraproject.org/pkgdb/',
'https://apps.fedoraproject.org/github2fedmsg'],
{% endif %}
'non_trusted_roots': [],
'handle_magic_groups_value': True
}
}

16
roles/fedoauth/tasks/main.yml
View file

@ -12,6 +12,8 @@
- fedoauth - fedoauth
- fedoauth-template-fedora - fedoauth-template-fedora
- fedoauth-backend-fedora - fedoauth-backend-fedora
- fedoauth-provider-openid
- fedoauth-provider-persona
- python-psycopg2 - python-psycopg2
- libsemanage-python - libsemanage-python
tags: tags:
@ -26,6 +28,15 @@
notify: notify:
- restart apache - restart apache
- name: copy fedoauth logging configuration
template: src=fedoauth.log.cfg
dest=/etc/fedoauth/fedoauth.log.cfg
owner=fedoauth group=fedoauth mode=0600
tags:
- config
notify:
- restart apache
- name: copy fedoauth private key - name: copy fedoauth private key
copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
owner=fedoauth group=fedoauth mode=0600 owner=fedoauth group=fedoauth mode=0600
@ -46,6 +57,11 @@
state=true state=true
persistent=true persistent=true
- name: set sebooleans so fedoauth can send error logs
action: seboolean name=httpd_can_network_connect
state=true
persistent=true
- name: apply selinux type to the wsgi file - name: apply selinux type to the wsgi file
file: > file: >
dest=/usr/share/fedoauth/fedoauth.wsgi dest=/usr/share/fedoauth/fedoauth.wsgi

120
roles/fedoauth/templates/fedoauth.cfg
View file

@ -1,67 +1,85 @@
# Beware that the quotes around the values are mandatory # Beware that the quotes around the values are mandatory
# GENERAL CONFIGURATION # GENERAL CONFIGURATION
### url to the database server:
{% if env == 'staging' %} {% if env == 'staging' %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}" SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
{% else %} {% else %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}" SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
{% endif %} {% endif %}
# This is the OpenID endpoint url, at which the server is available
GLOBAL = {'reverse_proxied': True,
'cookies_secure': True,
'transactions_timeout': 5,
'template_dir': '/usr/share/fedoauth/templates/fedora/',
'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
'secret_key': '{{ fedoauth_secret_key }}',
{% if env == 'staging' %} {% if env == 'staging' %}
WEBSITE_ROOT = 'https://id.stg.fedoraproject.org' 'url_root': 'https://id.stg.fedoraproject.org',
COOKIE_DOMAIN = 'id.stg.fedoraproject.org' 'static_content_root': 'https://id.stg.fedoraproject.org/static',
OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/' 'enable_test_endpoint': True,
PERSONA_DOMAIN = 'stg.fedoraproject.org'
PERSONA_ISSUER = 'id.stg.fedoraproject.org'
PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key'
{% else %} {% else %}
WEBSITE_ROOT = 'https://id.fedoraproject.org' 'url_root': 'https://id.fedoraproject.org',
COOKIE_DOMAIN = 'id.fedoraproject.org' 'static_content_root': 'https://id.fedoraproject.org/static',
OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/' 'enable_test_endpoint': False,
PERSONA_DOMAIN = 'fedoraproject.org'
PERSONA_ISSUER = 'id.fedoraproject.org'
PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
{% endif %} {% endif %}
# This needs to be disabled because we use reverse proxies }
COOKIE_CHECK_REMOTE_ADDR = False
COOKIE_SECURE = True
# Modules to use
AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
# FAS PROVIDER CONFIGURATION AUTH_MODULE_CONFIGURATION = {
FAS_USER_AGENT = 'FAS-OpenID' # This module authenticates against the Fedora Account System
FAS_BASE_URL='https://admin.fedoraproject.org/accounts/' # (https://admin.fedoraproject.org/accounts/)
FAS_CHECK_CERT=True 'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
FAS_HTTPS_REQUIRED=True 'listed': True,
FAS_HANDLE_GROUPS_MAGIC_VALUE=True 'select_image': '/static/fedora/fedora-authn-logo-white.png',
'reauth_timeout': 5,
'user_agent': 'FedOAuth',
'check_cert': True,
{% if env == 'staging' %}
'email_auth_domains': ['stg.fedoraproject.org'],
'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
{% else %}
'email_auth_domains': ['fedoraproject.org'],
'base_url': 'https://admin.fedoraproject.org/accounts/',
{% endif %}
}
}
# Enable a filter to make this only available to a specific list of users
FAS_AVAILABLE_FILTER = False
FAS_AVAILABLE_TO = []
# PERSONA CONFIGURATION AUTH_PROVIDER_CONFIGURATION = {
# This is the domain for which we are willing to sign 'fedoauth.provider.persona': {'enabled': True,
PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}' {% if env == 'staging' %}
'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
# OPENID CONFIGURATION 'private_key': {'path': '/etc/fedoauth/persona.stg.key',
# This is the OpenID url provided to users. Add %(username)s where the username should be entered 'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
# A list of trust roots for which the user will not need to confirm again {% else %}
OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin', 'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
'https://ask.fedoraproject.org/', 'private_key': {'path': '/etc/fedoauth/persona.key',
'https://fedorahosted.org/', 'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
'https://badges.fedoraproject.org', {% endif %}
'https://apps.fedoraproject.org/tagger/', },
'https://apps.fedoraproject.org/nuancier/', 'fedoauth.provider.openid': {'enabled': True,
'https://apps.fedoraproject.org/datagrepper/', {% if env == 'staging' %}
'https://apps.fedoraproject.org/calendar/', 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
'http://apps.fedoraproject.org/notifications/', 'trusted_roots': [],
'http://copr.fedoraproject.org/', {% else %}
'http://copr-fe.cloud.fedoraproject.org/', 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
'https://admin.fedoraproject.org/pkgdb/', 'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
'https://apps.fedoraproject.org/github2fedmsg'] 'https://ask.fedoraproject.org/',
OPENID_NON_TRUSTED_ROOTS = [] 'https://fedorahosted.org/',
### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit) 'https://badges.fedoraproject.org',
OPENID_MAX_AUTH_TIME = 120 'https://apps.fedoraproject.org/tagger/',
'https://apps.fedoraproject.org/nuancier/',
'https://apps.fedoraproject.org/datagrepper/',
'https://apps.fedoraproject.org/calendar/',
'http://apps.fedoraproject.org/notifications/',
'http://copr.fedoraproject.org/',
'http://copr-fe.cloud.fedoraproject.org/',
'https://admin.fedoraproject.org/pkgdb/',
'https://apps.fedoraproject.org/github2fedmsg'],
{% endif %}
'non_trusted_roots': [],
'handle_magic_groups_value': True
}
}

0
roles/fedoauth-stg/templates/fedoauth.log.cfg → roles/fedoauth/templates/fedoauth.log.cfg
View file