Switch Koschei web auth to OpenIDC

2018-02-08 12:28:19 +01:00 · 2018-02-08 12:28:19 +01:00 · 0eec23dcd8
commit 0eec23dcd8
parent d5db6392b4
5 changed files with 9 additions and 27 deletions
--- a/inventory/group_vars/koschei-web
+++ b/inventory/group_vars/koschei-web
@ -12,9 +12,11 @@ koschei_pgsql_hostname: db01.phx2.fedoraproject.org
 koschei_koji_hub: koji02.phx2.fedoraproject.org
 koschei_kojipkgs: kojipkgs.fedoraproject.org
 koschei_koji_web: koji.fedoraproject.org
-koschei_openid_provider: id.fedoraproject.org
+koschei_oidc_provider: id.fedoraproject.org
 koschei_bugzilla: bugzilla.redhat.com

+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_prod }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_prod }}"

 tcp_ports: [ 80, 443 ]

--- a/inventory/group_vars/koschei-web-stg
+++ b/inventory/group_vars/koschei-web-stg
@ -11,9 +11,12 @@ koschei_topurl: https://apps.stg.fedoraproject.org/koschei
 koschei_pgsql_hostname: pgbdr.stg.phx2.fedoraproject.org
 koschei_kojipkgs: koji.stg.fedoraproject.org
 koschei_koji_web: koji.stg.fedoraproject.org
-koschei_openid_provider: id.stg.fedoraproject.org
+koschei_oidc_provider: id.stg.fedoraproject.org
 koschei_bugzilla: partner-bugzilla.redhat.com

+koschei_oidc_client_secret: "{{ koschei_oidc_client_secret_stg }}"
+koschei_oidc_crypto_secret: "{{ koschei_oidc_crypto_secret_stg }}"
+
 tcp_ports: [ 80, 443 ]

 custom_rules: [
--- a/roles/koschei/frontend/tasks/main.yml
+++ b/roles/koschei/frontend/tasks/main.yml
@ -4,7 +4,7 @@
  - koschei-frontend
  - koschei-frontend-fedora
  - koschei-frontend-copr
-  - "{{ 'mod_auth_openidc' if env == 'staging' else 'mod_auth_openid' }}"
+  - mod_auth_openidc
  tags:
  - koschei
  - packages
--- a/roles/koschei/frontend/templates/config-frontend.cfg.j2
+++ b/roles/koschei/frontend/templates/config-frontend.cfg.j2
@ -61,20 +61,13 @@ config = {
    "frontend": {
        "builds_per_page": 8,
        "auth": {
-            {% if env == 'staging' %}
            "user_re": "(.+)",
            "user_env": "OIDC_CLAIM_nickname",
-            {% else %}
-            "user_re": "http://(.+)\\.id{{ env_prefix }}\\.fedoraproject\\.org/",
-            {% endif %}
        },
        "fedora_assets_url": "/global",
        "fedmenu_url": "/fedmenu",
        "fedmenu_data_url": "/js/data.js",
    },
-    "openid": {
-        "openid_provider": "{{ koschei_openid_provider }}",
-    },
    "links": [
        {"name": "Packages",
         "url": "https://apps{{ env_prefix }}.fedoraproject.org/packages/{package.name}"},
--- a/roles/koschei/frontend/templates/httpd.conf.j2
+++ b/roles/koschei/frontend/templates/httpd.conf.j2
@ -16,17 +16,11 @@
        Require all granted
    </Directory>

-{% if env == 'staging' %}
    OIDCRedirectURI "{{ koschei_topurl }}/login/redirect_uri"
-    OIDCProviderMetadataURL "https://{{ koschei_openid_provider }}/openidc/wellknown_openid_configuration"
+    OIDCProviderMetadataURL "https://{{ koschei_oidc_provider }}/openidc/wellknown_openid_configuration"
    OIDCClientID "koschei"
-    {% if env == 'staging' %}
-    OIDCClientSecret "{{ koschei_oidc_client_secret_stg }}"
-    OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret_stg }}"
-    {% else %}
    OIDCClientSecret "{{ koschei_oidc_client_secret }}"
    OIDCCryptoPassphrase "{{ koschei_oidc_crypto_secret }}"
-    {% endif %}
    OIDCSSLValidateServer On
    OIDCResponseType "code"

@ -36,14 +30,4 @@
        AuthType openid-connect
        Require valid-user
    </Location>
-{% else %}
-    <Location /koschei/login>
-        Require valid-user
-        AuthType OpenID
-        AuthOpenIDSingleIdP https://{{ koschei_openid_provider }}/
-        AuthOpenIDServerName https://apps.fedoraproject.org
-        AuthOpenIDTrustRoot https://apps.fedoraproject.org/koschei/
-        AuthOpenIDUseCookie off
-    </Location>
-{% endif %}
 </VirtualHost>