Prepare ipsilon for a VM deployment in staging

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2020-10-05 17:24:48 +02:00 · 2020-10-05 17:24:48 +02:00 · d1edc6db3d
commit d1edc6db3d
parent 32330de141
5 changed files with 275 additions and 107 deletions
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@ -8,13 +8,15 @@
  package: name={{ item }} state=present update_cache=yes
  with_items:
  - ipsilon
-  - ipsilon-authfas
  - ipsilon-openid
  - ipsilon-saml2
-  - ipsilon-persona
-  - ipsilon-infofas
-  - ipsilon-authgssapi
+  # - ipsilon-persona
  - ipsilon-openidc
+  - ipsilon-authgssapi
+  - ipsilon-authform
+  - ipsilon-infosssd
+  - ipsilon-theme-Fedora
+  - mod_auth_openidc
  - mod_auth_gssapi
  - python-psycopg2
  tags:
@ -80,139 +82,212 @@
 #  tags:
 #  - ipsilon

- name: copy ipsilon templates
-  copy: src=templates/
-        dest=/usr/share/ipsilon/templates-fedora
-        owner=ipsilon group=ipsilon mode=0666
-  notify:
-  - reload apache
+# - name: copy ipsilon templates
+#   copy: src=templates/
+#         dest=/usr/share/ipsilon/templates-fedora
+#         owner=ipsilon group=ipsilon mode=0666
+#   notify:
+#   - reload apache
+#   tags:
+#   - ipsilon
+# 
+# - name: copy ipsilon ui assets
+#   copy: src=ui-fedora/
+#         dest=/usr/share/ipsilon/ui/fedora
+#         owner=ipsilon group=ipsilon mode=0666
+#   notify:
+#   - reload apache
+#   tags:
+#   - ipsilon
+
+- name: Download Fedora-specific code
+  git:
+    repo: https://pagure.io/fedora-infra/ipsilon-fedora.git
+    dest: /opt/ipsilon-fedora
+    version: "{{ env }}"
+    force: yes
  tags:
  - ipsilon

- name: copy ipsilon ui assets
-  copy: src=ui-fedora/
-        dest=/usr/share/ipsilon/ui/fedora
-        owner=ipsilon group=ipsilon mode=0666
-  notify:
-  - reload apache
+- name: Install Fedora-specific code
+  command:
+    cmd: ./install.sh
+    chdir: /opt/ipsilon-fedora
+    creates: /usr/lib/python3.8/site-packages/ipsilon/providers/openidc/plugins/account-scopes.py
  tags:
  - ipsilon

- name: copy ipsilon configuration
-  template: src={{ item }}.conf
-            dest=/etc/ipsilon/{{ item }}.conf
-            owner=ipsilon group=ipsilon mode=0600
-  with_items:
-  - ipsilon
-  - configuration
+
+- name: Get admin ticket
+  shell: echo "{{ipa_admin_password}}" | kinit admin
+  check_mode: no
  tags:
  - ipsilon
-  - config
-  notify:
-  - restart apache
+
+- name: Install ipsilon
+  command:
+    cmd: ipsilon-server-install --admin-user {{ ipa_admin_user }} --ipa yes --openidc yes --openid yes --saml2 yes --info-sssd yes --form=yes
+    creates: /etc/ipsilon/idp/ipsilon.conf
+  tags:
+  - ipsilon
+
+- name: Destroy admin ticket
+  command: kdestroy -A
+  tags:
+  - ipsilon
+
+## - name: copy ipsilon configuration
+##   template:
+##     src: "ipsilon.conf"
+##     dest: "/etc/ipsilon/idp/ipsilon.conf"
+##     owner: ipsilon
+##     group: ipsilon
+##     mode: 0600
+##   tags:
+##   - ipsilon
+##   - config
+##   notify:
+##   - restart apache
+## 
+## - name: copy ipsilon admin configuration
+##   template:
+##     src: "configuration.conf"
+##     dest: "/etc/ipsilon/configuration.conf"
+##     owner: ipsilon
+##     group: ipsilon
+##     mode: 0600
+##   tags:
+##   - ipsilon
+##   - config
+##   notify:
+##   - restart apache

 - name: copy ipsilon OIDC client config
-  copy: src={{ private }}/files/ipsilon/openidc.{{env}}.static dest=/etc/ipsilon/openidc.static.cfg
-            owner=ipsilon group=ipsilon mode=0600
+  copy:
+    src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
+    dest: /etc/ipsilon/openidc.static.cfg
+    owner: ipsilon
+    group: ipsilon
+    mode: 0600
  tags:
  - ipsilon
  - config
  notify:
  - restart apache

- name: copy ipsilon httpd config
-  template: src=ipsilon-httpd.conf.j2
-            dest=/etc/httpd/conf.d/ipsilon.conf
-  tags:
-  - ipsilon
+## - name: copy ipsilon httpd config
+##   template:
+##     src: "httpd.conf.{{ env }}.j2"
+##     dest: /etc/httpd/conf.d/ipsilon.conf
+##   tags:
+##   - ipsilon

- name: Create Ipsilon config symlink
-  file: dest=/var/lib/ipsilon/ipsilon.conf
-        src=/etc/ipsilon/ipsilon.conf
-        state=link
-  tags:
-  - ipsilon
-  notify:
-  - reload apache
+# - name: Create Ipsilon config symlink
+#   file:
+#     dest: /var/lib/ipsilon/ipsilon.conf
+#     src: /etc/ipsilon/ipsilon.conf
+#     state: link
+#   tags:
+#   - ipsilon
+#   notify:
+#   - reload apache

- name: create wellknown directory
-  file: path=/etc/ipsilon/wellknown state=directory
-        owner=ipsilon group=ipsilon mode=0755
-  tags:
-  - ipsilon
-  notify:
-  - reload apache
+# - name: create wellknown directory
+#   file: path=/etc/ipsilon/wellknown state=directory
+#         owner=ipsilon group=ipsilon mode=0755
+#   tags:
+#   - ipsilon
+#   notify:
+#   - reload apache

- name: copy persona private key
-  copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
-        owner=ipsilon group=ipsilon mode=0600
-  when: env != "staging"
-  tags:
-  - ipsilon
-
- name: copy persona public key
-  copy: src=browserid dest=/etc/ipsilon/wellknown/browserid
-        owner=ipsilon group=ipsilon mode=0644
-  when: env != "staging"
-  tags:
-  - ipsilon
-
- name: copy persona STG private key
-  copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
-        owner=ipsilon group=ipsilon mode=0600
-  when: env == "staging"
-  tags:
-  - ipsilon
-
- name: copy persona STG public key
-  copy: src=browserid.stg dest=/etc/ipsilon/wellknown/browserid
-        owner=ipsilon group=ipsilon mode=0644
-  when: env == "staging"
-  tags:
-  - ipsilon
+# - name: copy persona private key
+#   copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
+#         owner=ipsilon group=ipsilon mode=0600
+#   when: env != "staging"
+#   tags:
+#   - ipsilon
+# 
+# - name: copy persona public key
+#   copy: src=browserid dest=/etc/ipsilon/wellknown/browserid
+#         owner=ipsilon group=ipsilon mode=0644
+#   when: env != "staging"
+#   tags:
+#   - ipsilon
+# 
+# - name: copy persona STG private key
+#   copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
+#         owner=ipsilon group=ipsilon mode=0600
+#   when: env == "staging"
+#   tags:
+#   - ipsilon
+# 
+# - name: copy persona STG public key
+#   copy: src=browserid.stg dest=/etc/ipsilon/wellknown/browserid
+#         owner=ipsilon group=ipsilon mode=0644
+#   when: env == "staging"
+#   tags:
+#   - ipsilon

 - name: copy OIDC private key
-  copy: src={{ private }}/files/ipsilon/openidc.key dest=/etc/ipsilon/openidc.key
-        owner=ipsilon group=ipsilon mode=0600
+  copy:
+    src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
+    dest: /etc/ipsilon/openidc.key
+    owner: ipsilon
+    group: ipsilon
+    mode: 0600
  when: env != "staging"
  tags:
  - ipsilon

- name: copy OIDC STG private key
-  copy: src={{ private }}/files/ipsilon/openidc.stg.key dest=/etc/ipsilon/openidc.stg.key
-        owner=ipsilon group=ipsilon mode=0600
-  when: env == "staging"
-  tags:
-  - ipsilon
+# - name: copy OIDC STG private key
+#   copy: src={{ private }}/files/ipsilon/openidc.stg.key dest=/etc/ipsilon/openidc.stg.key
+#         owner=ipsilon group=ipsilon mode=0600
+#   when: env == "staging"
+#   tags:
+#   - ipsilon

 - name: create SAML2 dir
-  file: path=/etc/ipsilon/saml2 state=directory mode=0700
-        owner=ipsilon group=ipsilon setype=httpd_var_lib_t
+  file:
+    path: /etc/ipsilon/saml2
+    state: directory
+    mode: 0700
+    owner: ipsilon
+    group: ipsilon
+    setype: httpd_var_lib_t
  tags:
  - ipsilon

 - name: copy SAML2 private key
-  copy: src={{ private }}/files/saml2/{{ env }}/keys/idp.key dest=/etc/ipsilon/saml2/idp.key
-        owner=ipsilon group=ipsilon mode=0600
+  copy:
+    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
+    dest: /etc/ipsilon/saml2/idp.key
+    owner: ipsilon
+    group: ipsilon
+    mode: 0600
  tags:
  - ipsilon

 - name: copy SAML2 public key
-  copy: src={{ private }}/files/saml2/{{ env }}/keys/idp.crt dest=/etc/ipsilon/saml2/idp.crt
-        owner=ipsilon group=ipsilon mode=0644
+  copy:
+    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
+    dest: /etc/ipsilon/saml2/idp.crt
+    owner: ipsilon
+    group: ipsilon
+    mode: 0644
  tags:
  - ipsilon

 - name: set sebooleans so ipsilon can talk to the db
-  seboolean: name=httpd_can_network_connect_db
-                    state=true
-                    persistent=true
+  seboolean:
+    name: httpd_can_network_connect_db
+    state: true
+    persistent: true
  tags:
  - ipsilon

 - name: apply selinux type to the wsgi file
-  file: >
-    dest=/usr/libexec/ipsilon
-    setype=httpd_sys_content_t
+  file:
+    dest: /usr/libexec/ipsilon
+    setype: httpd_sys_content_t
  tags:
  - ipsilon
--- a/roles/ipsilon/templates/configmap.yml
+++ b/roles/ipsilon/templates/configmap.yml
@ -94,7 +94,7 @@ data:
    CoreDumpDirectory /tmp

    # Ipsilon stuff
-    {{ load_file('ipsilon-httpd.conf.j2') | indent() }}
+    {{ load_file('httpd.conf.production.j2') | indent() }}
  ipsilon.conf: |-
    {{ load_file('ipsilon.conf') | indent() }}
  configuration.conf: |-
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -1,9 +1,12 @@
 [login_config]
-global enabled=gssapi,ldap
-ldap server url=ldap://{{ ipa_server }}
-ldap bind dn template=uid=%(username)s,cn=users,cn=accounts,{% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
-ldap base dn=,cn=users,cn=accounts,{% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
-ldap get user info=False
+{% if env == "production" %}
+global enabled=gssapi,fas
+fas FAS url=https://admin{{env_suffix}}.fedoraproject.org/accounts/
+fas FAS Proxy client user Agent=Fedora Ipsilon
+fas FAS Insecure Auth=False
+{% else %}
+global enabled=gssapi,form
+{% endif %}

 [info_config]
 {% if env == "production" %}
@ -14,8 +17,8 @@ fas FAS Insecure Auth=False
 fas Bind Username={{ ipsilon_fasinfo_username }}
 fas Bind Password={{ ipsilon_fasinfo_prod_password }}
 {% else %}
-global enabled=fasjson
-fasjson FASJSON url=https://fasjson{{env_suffix}}.fedoraproject.org/
+sssd preconfigured = True
+global enabled = sssd
 {% endif %}

 [authz_config]
@ -46,6 +49,7 @@ openidc idp sig key id=20161031-sig
 openidc allow dynamic client registration=False
 {% if env == 'staging' %}
 openidc default attribute mapping=[["*", "*"]]
+openidc default attribute mapping=[["*", "*"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "nickname"], ["_username", "preferred_username"], ["fasIRCNick", "ircnick"], ["fasLocale", "locale"], ["fasTimeZone", "zoneinfo"], ["fasTimeZone", "timezone"], ["fasGPGKeyId", "gpgkeyids"], ["fasIsPrivate", "privacy"], ["fullname", "human_name"], ["nsAccountLock", "locked"]]
 {% else %}
 openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
 {% endif %}
@ -61,15 +65,15 @@ openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
 openid untrusted roots=
 openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API

-saml2 idp storage path=/etc/ipsilon
-saml2 idp metadata file=/httpdir/metadata.xml
+saml2 idp storage path=/etc/ipsilon/saml2
+saml2 idp metadata file=metadata.xml
 {% if env == 'staging' %}
 saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
 {% else %}
 saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
 {% endif %}
-saml2 idp certificate file=saml2_idp.crt
-saml2 idp key file=saml2_idp.key
+saml2 idp certificate file=idp.crt
+saml2 idp key file=idp.key
 saml2 allow self registration=False
 saml2 default nameid=transient
 saml2 default email domain=fedoraproject.org
--- a/roles/ipsilon/templates/httpd.conf.production.j2
+++ b/roles/ipsilon/templates/httpd.conf.production.j2
--- a/roles/ipsilon/templates/httpd.conf.staging.j2
+++ b/roles/ipsilon/templates/httpd.conf.staging.j2
@ -0,0 +1,89 @@
+#RewriteEngine on
+#RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+Redirect /.well-known/webfinger /webfinger
+Alias /.well-known /var/lib/ipsilon/idp/public/well-known
+Alias /cache /var/cache/ipsilon
+
+# This is for mapping $username.id.fp.o -> id.fp.o/id/$username
+RewriteEngine on
+RewriteMap lowercase int:tolower
+{% if env == "staging" %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% else %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* /openid/id/$1/ [PT]
+{% endif %}
+
+
+Alias /ui /usr/share/ipsilon/themes/Fedora
+#Alias /ui /usr/share/ipsilon/ui
+WSGIScriptAlias / /usr/libexec/ipsilon
+WSGIPassAuthorization On
+WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+WSGIApplicationGroup %{GLOBAL}
+WSGISocketPrefix run/wsgi
+#WSGIRestrictStdout Off
+#WSGIRestrictSignal Off
+
+
+<Location />
+    WSGIProcessGroup ipsilon
+</Location>
+
+<Directory /usr/libexec>
+    Require all granted
+</Directory>
+
+<Directory /usr/share/ipsilon>
+    Options +SymLinksIfOwnerMatch
+    Require all granted
+</Directory>
+
+#<Directory /etc/ipsilon/wellknown>
+<Directory /var/lib/ipsilon/idp/public/well-known>
+    Require all granted
+</Directory>
+
+<Location /.well-known/browserid>
+    ForceType application/json
+</Location>
+
+<Directory "/var/cache/ipsilon">
+  SetHandler None
+  AllowOverride None
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    Order Allow,Deny
+    Allow from All
+  </IfModule>
+</Directory>
+
+<Location /login/gssapi/negotiate>
+    AuthName "GSSAPI Single Sign On Login"
+    #GssapiCredStore keytab:/etc/keytabs/service.keytab
+    GssapiCredStore keytab:/etc/httpd/conf/http.keytab
+    AuthType GSSAPI
+    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+    GssapiSSLonly Off
+    GssapiLocalName on
+    Require valid-user
+    ErrorDocument 401 /login/gssapi/unauthorized
+    ErrorDocument 500 /login/gssapi/failed
+</Location>
+
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+
+<Location /login/form>
+  InterceptFormPAMService ipsilon
+  InterceptFormLogin login_name
+  InterceptFormPassword login_password
+  # InterceptFormLoginSkip admin
+  # InterceptFormClearRemoteUserForSkipped on
+  InterceptFormPasswordRedact on
+</Location>