From 46f60fd67670172a8102f2f0d38be31d0e37c2d6 Mon Sep 17 00:00:00 2001
From: Josef Skladanka
Date: Thu, 31 May 2018 13:41:43 +0200
Subject: [PATCH] Add OIDC config to settings template

---
 inventory/group_vars/resultsdb-dev             | 1 +
 roles/taskotron/vault/tasks/main.yml           | 8 ++++++++
 roles/taskotron/vault/templates/settings.py.j2 | 5 +++++
 3 files changed, 14 insertions(+)

diff --git a/inventory/group_vars/resultsdb-dev b/inventory/group_vars/resultsdb-dev
index ce246078ae..179aed526a 100644
--- a/inventory/group_vars/resultsdb-dev
+++ b/inventory/group_vars/resultsdb-dev
@@ -54,6 +54,7 @@ execdb_secret_key: "{{ dev_execdb_secret_key }}"
 ############################################################
 # vault details
 ############################################################
+vault_public_url: "https://taskotron-dev.fedoraproject.org/vault"
 vault_db_host_machine: db-qa01.qa.fedoraproject.org
 vault_db_host: "{{ vault_db_host_machine }}"
 vault_db_port: 5432
diff --git a/roles/taskotron/vault/tasks/main.yml b/roles/taskotron/vault/tasks/main.yml
index c5a95ea412..b0e4ed6974 100644
--- a/roles/taskotron/vault/tasks/main.yml
+++ b/roles/taskotron/vault/tasks/main.yml
@@ -35,6 +35,14 @@
 - name: ensure selinux lets httpd talk to postgres
   seboolean: name=httpd_can_network_connect_db persistent=yes state=yes
 
+- name: register with iddev
+  command: python /usr/lib/python2.7/site-packages/flask_oidc/registration_util.py https://iddev.fedorainfracloud.org {{ vault_public_url }}
+  args:
+    chdir: /etc/vault
+    creates: /etc/vault/client_secrets.json
+  notify:
+    - reload httpd
+
 - name: generate vault config
   template: src=settings.py.j2 dest=/etc/vault/settings.py owner=root group=root mode=0644
   notify:
diff --git a/roles/taskotron/vault/templates/settings.py.j2 b/roles/taskotron/vault/templates/settings.py.j2
index 845d4f6bb3..47c99eee6e 100644
--- a/roles/taskotron/vault/templates/settings.py.j2
+++ b/roles/taskotron/vault/templates/settings.py.j2
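Review bot: The `register with iddev` task produces /etc/vault/client_secrets.json through a bare `command` module, so the file holding the OIDC client secret gets whatever permissions the registration script leaves, and because of `creates:` the play will never revisit it; add a follow-up task such as `- file: path=/etc/vault/client_secrets.json owner=root mode=0640` with the group set to the account the vault app runs under in httpd, placed directly after the registration task. The identity provider `https://iddev.fedorainfracloud.org` is hard-coded into the role while the paired `vault_public_url` is only defined in the resultsdb-dev group_vars (first hunk), so a non-dev inventory would either fail on the undefined variable or register a production URL against the dev provider; moving the provider into a variable defined next to `vault_public_url` (e.g. `vault_oidc_provider_url`) avoids both. The absolute `/usr/lib/python2.7/site-packages/...` interpreter path will also silently stop working on a python3-only host, so consider invoking the helper through the interpreter the package is installed for rather than a fixed path.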
@@ -7,3 +7,8 @@
 SYSLOG_LOGGING = False
 STREAM_LOGGING = True
 MASTERKEY = '{{vault_masterkey}}'
+
+OIDC_CLIENT_SECRETS = '/etc/vault/client_secrets.json'
+OIDC_ID_TOKEN_COOKIE_SECURE = True
+OVERWRITE_REDIRECT_URI = '{{vault_public_url}}/oidc_callback'
+OIDC_SCOPES = ['openid', 'email', 'profile', 'https://id.fedoraproject.org/scope/groups', 'https://id.fedoraproject.org/scope/cla', ]
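Review bot: The new OIDC block carries no comment explaining where `client_secrets.json` comes from or why `OVERWRITE_REDIRECT_URI` is pinned to `vault_public_url`, which an operator editing this template or changing the public URL needs to know; add above `OIDC_CLIENT_SECRETS` a comment such as `# client_secrets.json is written by the "register with iddev" task; the redirect URI below must match the URL registered there, and since the ID-token cookie is marked Secure the browser will only send it when vault_public_url is served over HTTPS`. As a point of style, the single-line `OIDC_SCOPES` list ending in `, ]` is hard to diff when a scope is added or removed; writing one scope per line with a normal trailing comma reads better.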