Add OIDC config to settings template

2018-05-31 13:41:43 +02:00 · 2018-05-31 13:41:43 +02:00 · 46f60fd676
commit 46f60fd676
parent 10dbfd4e8f
3 changed files with 14 additions and 0 deletions
--- a/inventory/group_vars/resultsdb-dev
+++ b/inventory/group_vars/resultsdb-dev
@ -54,6 +54,7 @@ execdb_secret_key: "{{ dev_execdb_secret_key }}"
 ############################################################
 # vault details
 ############################################################
+vault_public_url: "https://taskotron-dev.fedoraproject.org/vault"
 vault_db_host_machine: db-qa01.qa.fedoraproject.org
 vault_db_host: "{{ vault_db_host_machine }}"
 vault_db_port: 5432
--- a/roles/taskotron/vault/tasks/main.yml
+++ b/roles/taskotron/vault/tasks/main.yml
@ -35,6 +35,14 @@
 - name: ensure selinux lets httpd talk to postgres
  seboolean: name=httpd_can_network_connect_db persistent=yes state=yes

+- name: register with iddev
+  command: python /usr/lib/python2.7/site-packages/flask_oidc/registration_util.py https://iddev.fedorainfracloud.org {{ vault_public_url }}
+  args:
+      chdir: /etc/vault
+      creates: /etc/vault/client_secrets.json
+  notify:
+    - reload httpd
+
 - name: generate vault config
  template: src=settings.py.j2 dest=/etc/vault/settings.py owner=root group=root mode=0644
  notify:
--- a/roles/taskotron/vault/templates/settings.py.j2
+++ b/roles/taskotron/vault/templates/settings.py.j2
@ -7,3 +7,8 @@ SYSLOG_LOGGING = False
 STREAM_LOGGING = True

 MASTERKEY = '{{vault_masterkey}}'
+
+OIDC_CLIENT_SECRETS = '/etc/vault/client_secrets.json'
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OVERWRITE_REDIRECT_URI = '{{vault_public_url}}/oidc_callback'
+OIDC_SCOPES = ['openid', 'email', 'profile', 'https://id.fedoraproject.org/scope/groups', 'https://id.fedoraproject.org/scope/cla', ]