Use mod_auth_openidc for koschei

2017-12-19 17:01:49 +02:00 · 2017-12-19 17:01:49 +02:00 · db5fa411a0
commit db5fa411a0
parent eb2848250b
3 changed files with 28 additions and 6 deletions
--- a/roles/koschei/frontend/tasks/main.yml
+++ b/roles/koschei/frontend/tasks/main.yml
@ -4,7 +4,7 @@
  - koschei-frontend
  - koschei-frontend-fedora
  - koschei-frontend-copr
-  - mod_auth_openid
+  - "{{ 'mod_auth_openidc' if env == 'staging' else 'mod_auth_openid' }}"
  tags:
  - koschei
  - packages
--- a/roles/koschei/frontend/templates/config-frontend.cfg.j2
+++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2
@ -61,7 +61,12 @@ config = {
    "frontend": {
        "builds_per_page": 8,
        "auth": {
+            {% if env == 'staging' %}
+            "user_re": "(.+)",
+            "user_env": "OIDC_CLAIM_nickname",
+            {% else %}
            "user_re": "http://(.+)\\.id{{ env_prefix }}\\.fedoraproject\\.org/",
+            {% endif %}
        },
        "fedora_assets_url": "/global",
        "fedmenu_url": "/fedmenu",
--- a/roles/koschei/frontend/templates/httpd.conf.j2
+++ b/roles/koschei/frontend/templates/httpd.conf.j2
@ -16,17 +16,34 @@
        Require all granted
    </Directory>

+{% if env == 'staging' %}
+    OIDCRedirectURI "{{ koschei_topurl }}/login/redirect_uri"
+    OIDCProviderMetadataURL "https://{{ koschei_openid_provider }}/openidc/wellknown_openid_configuration"
+    OIDCClientID "koschei"
+    {% if env == 'staging' %}
+    OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}"
+    OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}"
+    {% else %}
+    OIDCClientSecret "{{ koschei_oidc_client_secret }}"
+    OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}"
+    {% endif %}
+    OIDCSSLValidateServer On
+    OIDCResponseType "code"
+
+    OIDCScope "openid profile"
+
+    <Location /koschei/login>
+        AuthType openid-connect
+        Require valid-user
+    </Location>
+{% else %}
    <Location /koschei/login>
        Require valid-user
        AuthType OpenID
        AuthOpenIDSingleIdP https://{{ koschei_openid_provider }}/
-{% if env == 'staging' %}
-        AuthOpenIDServerName https://apps.stg.fedoraproject.org
-        AuthOpenIDTrustRoot https://apps.stg.fedoraproject.org/koschei/
-{% else %}
        AuthOpenIDServerName https://apps.fedoraproject.org
        AuthOpenIDTrustRoot https://apps.fedoraproject.org/koschei/
-{% endif %}
        AuthOpenIDUseCookie off
    </Location>
+{% endif %}
 </VirtualHost>