Move FedOAuth 3 to production

playbooks/groups/fedoauth.yml

@@ -65,8 +65,7 @@
    - "{{ vars_path }}/{{ ansible_distribution }}.yml"
 
   roles:
-  - { role: fedoauth, when: env != 'staging' }
-  - { role: fedoauth-stg, when: env == 'staging' }
+  - fedoauth
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"

roles/fedoauth-stg/tasks/main.yml

@@ -1,68 +0,0 @@
----
-# Configuration for the fedoauth webapp
-
-- name: clean yum metadata
-  command: yum clean all
-  tags:
-  - packages
-
-- name: install needed packages
-  yum: pkg={{ item }} state=installed
-  with_items:
-  - fedoauth
-  - fedoauth-template-fedora
-  - fedoauth-backend-fedora
-  - fedoauth-provider-openid
-  - fedoauth-provider-persona
-  - python-psycopg2
-  - libsemanage-python
-  tags:
-  - packages
-
-- name: copy fedoauth configuration
-  template: src=fedoauth.cfg
-            dest=/etc/fedoauth/fedoauth.cfg
-            owner=fedoauth group=fedoauth mode=0600
-  tags:
-  - config
-  notify:
-  - restart apache
-
-- name: copy fedoauth logging configuration
-  template: src=fedoauth.log.cfg
-            dest=/etc/fedoauth/fedoauth.log.cfg
-            owner=fedoauth group=fedoauth mode=0600
-  tags:
-  - config
-  notify:
-  - restart apache
-
-- name: copy fedoauth private key
-  copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
-        owner=fedoauth group=fedoauth mode=0600
-  when: env != "staging"
-
-- name: copy fedoauth STG private key
-  copy: src={{ private }}/files/fedoauth/persona.stg.key dest=/etc/fedoauth/persona.stg.key
-        owner=fedoauth group=fedoauth mode=0600
-  when: env == "staging"
-
-- name: create the database scheme
-  command: /usr/bin/python2 /usr/share/fedoauth/createdb.py
-  environment:
-      FEDOAUTH_CONFIG: /etc/fedoauth/fedoauth.cfg
-
-- name: set sebooleans so fedoauth can talk to the db
-  action: seboolean name=httpd_can_network_connect_db
-                    state=true
-                    persistent=true
-
-- name: set sebooleans so fedoauth can send error logs
-  action: seboolean name=httpd_can_network_connect
-                    state=true
-                    persistent=true
-
-- name: apply selinux type to the wsgi file
-  file: >
-    dest=/usr/share/fedoauth/fedoauth.wsgi
-    setype=httpd_sys_content_t

roles/fedoauth-stg/templates/fedoauth.cfg

@@ -1,85 +0,0 @@
-# Beware that the quotes around the values are mandatory
-
-# GENERAL CONFIGURATION
-{% if env == 'staging' %}
-SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
-{% else %}
-SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
-{% endif %}
-
-
-GLOBAL = {'reverse_proxied': True,
-          'cookies_secure': True,
-          'transactions_timeout': 5,
-          'template_dir': '/usr/share/fedoauth/templates/fedora/',
-          'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
-          'secret_key': '{{ fedoauth_secret_key }}',
-
-{% if env == 'staging' %}
-          'url_root': 'https://id.stg.fedoraproject.org',
-          'static_content_root': 'https://id.stg.fedoraproject.org/static',
-          'enable_test_endpoint': True,
-{% else %}
-          'url_root': 'https://id.fedoraproject.org',
-          'static_content_root': 'https://id.fedoraproject.org/static',
-          'enable_test_endpoint': False,
-{% endif %}
-}
-
-
-AUTH_MODULE_CONFIGURATION = {
-    # This module authenticates against the Fedora Account System
-    # (https://admin.fedoraproject.org/accounts/)
-    'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
-                                   'listed': True,
-                                   'select_image': '/static/fedora/fedora-authn-logo-white.png',
-                                   'reauth_timeout': 5,
-                                   'user_agent': 'FedOAuth',
-                                   'check_cert': True,
-{% if env == 'staging' %}
-                                   'email_auth_domains': ['stg.fedoraproject.org'],
-                                   'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
-{% else %}
-                                   'email_auth_domains': ['fedoraproject.org'],
-                                   'base_url': 'https://admin.fedoraproject.org/accounts/',
-{% endif %}
-                                  }
-}
-
-
-AUTH_PROVIDER_CONFIGURATION = {
-    'fedoauth.provider.persona': {'enabled': True,
-{% if env == 'staging' %}
-                                  'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
-                                  'private_key': {'path': '/etc/fedoauth/persona.stg.key',
-                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% else %}
-                                  'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
-                                  'private_key': {'path': '/etc/fedoauth/persona.key',
-                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
-{% endif %}
-                                 },
-    'fedoauth.provider.openid': {'enabled': True,
-{% if env == 'staging' %}
-                                 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
-                                 'trusted_roots': [],
-{% else %}
-                                 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
-                                 'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
-                                                   'https://ask.fedoraproject.org/',
-                                                   'https://fedorahosted.org/',
-                                                   'https://badges.fedoraproject.org',
-                                                   'https://apps.fedoraproject.org/tagger/',
-                                                   'https://apps.fedoraproject.org/nuancier/',
-                                                   'https://apps.fedoraproject.org/datagrepper/',
-                                                   'https://apps.fedoraproject.org/calendar/',
-                                                   'http://apps.fedoraproject.org/notifications/',
-                                                   'http://copr.fedoraproject.org/',
-                                                   'http://copr-fe.cloud.fedoraproject.org/',
-                                                   'https://admin.fedoraproject.org/pkgdb/',
-                                                   'https://apps.fedoraproject.org/github2fedmsg'],
-{% endif %}
-                                 'non_trusted_roots': [],
-                                 'handle_magic_groups_value': True
-                                }
-}

roles/fedoauth/tasks/main.yml

@@ -12,6 +12,8 @@
   - fedoauth
   - fedoauth-template-fedora
   - fedoauth-backend-fedora
+  - fedoauth-provider-openid
+  - fedoauth-provider-persona
   - python-psycopg2
   - libsemanage-python
   tags:
@@ -26,6 +28,15 @@
   notify:
   - restart apache
 
+- name: copy fedoauth logging configuration
+  template: src=fedoauth.log.cfg
+            dest=/etc/fedoauth/fedoauth.log.cfg
+            owner=fedoauth group=fedoauth mode=0600
+  tags:
+  - config
+  notify:
+  - restart apache
+
 - name: copy fedoauth private key
   copy: src={{ private }}/files/fedoauth/persona.key dest=/etc/fedoauth/persona.key
         owner=fedoauth group=fedoauth mode=0600
@@ -46,6 +57,11 @@
                     state=true
                     persistent=true
 
+- name: set sebooleans so fedoauth can send error logs
+  action: seboolean name=httpd_can_network_connect
+                    state=true
+                    persistent=true
+
 - name: apply selinux type to the wsgi file
   file: >
     dest=/usr/share/fedoauth/fedoauth.wsgi

roles/fedoauth/templates/fedoauth.cfg

@@ -1,55 +1,71 @@
 # Beware that the quotes around the values are mandatory
 
 # GENERAL CONFIGURATION
-### url to the database server:
 {% if env == 'staging' %}
 SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
 {% else %}
 SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
 {% endif %}
 
-# This is the OpenID endpoint url, at which the server is available
+
+GLOBAL = {'reverse_proxied': True,
+          'cookies_secure': True,
+          'transactions_timeout': 5,
+          'template_dir': '/usr/share/fedoauth/templates/fedora/',
+          'logging_config_location': '/etc/fedoauth/fedoauth.log.cfg',
+          'secret_key': '{{ fedoauth_secret_key }}',
+
 {% if env == 'staging' %}
-WEBSITE_ROOT = 'https://id.stg.fedoraproject.org'
-COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
-OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
-PERSONA_DOMAIN = 'stg.fedoraproject.org'
-PERSONA_ISSUER = 'id.stg.fedoraproject.org'
-PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key'
+          'url_root': 'https://id.stg.fedoraproject.org',
+          'static_content_root': 'https://id.stg.fedoraproject.org/static',
+          'enable_test_endpoint': True,
 {% else %}
-WEBSITE_ROOT = 'https://id.fedoraproject.org'
-COOKIE_DOMAIN = 'id.fedoraproject.org'
-OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/'
-PERSONA_DOMAIN = 'fedoraproject.org'
-PERSONA_ISSUER = 'id.fedoraproject.org'
-PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
+          'url_root': 'https://id.fedoraproject.org',
+          'static_content_root': 'https://id.fedoraproject.org/static',
+          'enable_test_endpoint': False,
 {% endif %}
-# This needs to be disabled because we use reverse proxies
-COOKIE_CHECK_REMOTE_ADDR = False
-COOKIE_SECURE = True
+}
 
-# Modules to use
-AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'
 
-# FAS PROVIDER CONFIGURATION
-FAS_USER_AGENT = 'FAS-OpenID'
-FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
-FAS_CHECK_CERT=True
-FAS_HTTPS_REQUIRED=True
-FAS_HANDLE_GROUPS_MAGIC_VALUE=True
+AUTH_MODULE_CONFIGURATION = {
+    # This module authenticates against the Fedora Account System
+    # (https://admin.fedoraproject.org/accounts/)
+    'fedoauth.auth.fas.Auth_FAS': {'enabled': True,
+                                   'listed': True,
+                                   'select_image': '/static/fedora/fedora-authn-logo-white.png',
+                                   'reauth_timeout': 5,
+                                   'user_agent': 'FedOAuth',
+                                   'check_cert': True,
+{% if env == 'staging' %}
+                                   'email_auth_domains': ['stg.fedoraproject.org'],
+                                   'base_url': 'https://admin.stg.fedoraproject.org/accounts/',
+{% else %}
+                                   'email_auth_domains': ['fedoraproject.org'],
+                                   'base_url': 'https://admin.fedoraproject.org/accounts/',
+{% endif %}
+                                  }
+}
 
-# Enable a filter to make this only available to a specific list of users
-FAS_AVAILABLE_FILTER = False
-FAS_AVAILABLE_TO = []
 
-# PERSONA CONFIGURATION
-# This is the domain for which we are willing to sign
-PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'
-
-# OPENID CONFIGURATION
-# This is the OpenID url provided to users. Add %(username)s where the username should be entered
-# A list of trust roots for which the user will not need to confirm again
-OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
+AUTH_PROVIDER_CONFIGURATION = {
+    'fedoauth.provider.persona': {'enabled': True,
+{% if env == 'staging' %}
+                                  'domains': ['id.stg.fedoraproject.org', 'stg.fedoraproject.org'],
+                                  'private_key': {'path': '/etc/fedoauth/persona.stg.key',
+                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
+{% else %}
+                                  'domains': ['id.fedoraproject.org', 'fedoraproject.org'],
+                                  'private_key': {'path': '/etc/fedoauth/persona.key',
+                                                  'passphrase': '{{ fedoauth_persona_key_passphrase }}'},
+{% endif %}
+                                 },
+    'fedoauth.provider.openid': {'enabled': True,
+{% if env == 'staging' %}
+                                 'identity_url_pattern': 'http://%(username)s.id.stg.fedoraproject.org/',
+                                 'trusted_roots': [],
+{% else %}
+                                 'identity_url_pattern': 'http://%(username)s.id.fedoraproject.org/',
+                                 'trusted_roots': ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
                                                    'https://ask.fedoraproject.org/',
                                                    'https://fedorahosted.org/',
                                                    'https://badges.fedoraproject.org',
@@ -61,7 +77,9 @@ OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/fi
                                                    'http://copr.fedoraproject.org/',
                                                    'http://copr-fe.cloud.fedoraproject.org/',
                                                    'https://admin.fedoraproject.org/pkgdb/',
-			'https://apps.fedoraproject.org/github2fedmsg']
-OPENID_NON_TRUSTED_ROOTS = []
-### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
-OPENID_MAX_AUTH_TIME = 120
+                                                   'https://apps.fedoraproject.org/github2fedmsg'],
+{% endif %}
+                                 'non_trusted_roots': [],
+                                 'handle_magic_groups_value': True
+                                }
+}