From d1dc3f649bca512486db3aeb2d0c684fe8be1e23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?=
Date: Mon, 17 Jul 2023 17:35:38 +0200
Subject: [PATCH] [Pagure] Enable OIDC in staging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michal Konečný
---
 roles/pagure/tasks/main.yml | 11 +++++++++++
 roles/pagure/templates/client_secrets.json | 17 +++++++++++++++++
 roles/pagure/templates/pagure.cfg | 5 +++++
 3 files changed, 33 insertions(+)
 create mode 100644 roles/pagure/templates/client_secrets.json

diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml
index 7b4214a924..63be729d28 100644
--- a/roles/pagure/tasks/main.yml
+++ b/roles/pagure/tasks/main.yml
@@ -348,6 +348,17 @@
 notify:
 - restart apache
 
+- name: Install client_secrets for ipsilon
+ template: src=client_secrets.json
+ dest=/etc/pagure
+ owner=root group=root mode=0600
+ tags:
+ - config
+ - web
+ - pagure
+ when: env == 'pagure-staging'
+
+
 - name: create the database scheme
 command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
 changed_when: "1 != 1"
diff --git a/roles/pagure/templates/client_secrets.json b/roles/pagure/templates/client_secrets.json
new file mode 100644
index 0000000000..fd481b7121
--- /dev/null
+++ b/roles/pagure/templates/client_secrets.json
@@ -0,0 +1,17 @@
+{
+ "web": {
+ "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+ "client_id": "{{ pagure_oidc_client_id }}",
+{% if env == 'staging' %}
+ "client_secret": "{{ pagure_oidc_client_secret_stg }}",
+{% else %}
+ "client_secret": "{{ pagure_oidc_client_secret }}",
+{% endif %}
+ "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+ "redirect_uris": [
+ "https://{{env_suffix}}.pagure.io/login"
+ ],
+ "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+ }
+}
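Review bot: The guard on the new task, `when: env == 'pagure-staging'`, does not match the `{% if env == 'staging' %}` tests this patch adds in client_secrets.json and pagure.cfg, so the three pieces cannot all be active for a single value of `env`. If `env` is `pagure-staging` on these hosts, pagure.cfg stays on `openid` and the template's `{% else %}` branch writes `pagure_oidc_client_secret` (presumably the production secret) onto the staging host; if it is `staging`, pagure.cfg points at a file that is never installed. Use one condition in all three places. Because the rendered file holds a credential, I would also add `no_log: true` so a `--diff` run does not print it, and `notify: restart apache` as on the preceding task so a rotated secret is picked up. `owner=root` with `mode=0600` should be checked against the account the pagure web process runs as, which is not visible in this hunk.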
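Review bot: The `redirect_uris` entry `"https://{{env_suffix}}.pagure.io/login"` puts `env_suffix` at the very start of the host name, whereas every other URL in this template appends it after `id`. If the variable carries a leading dot, as `id{{env_suffix}}.fedoraproject.org` suggests, this renders a host that begins with a dot, and it renders `https://.pagure.io/login` when the variable is empty. The redirect URI normally has to match the value registered with the identity provider, so a malformed value here would break login rather than degrade it. Consider writing the staging host out explicitly, or deriving it from whatever variable pagure.cfg already uses for the application URL (not visible in this patch).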
diff --git a/roles/pagure/templates/pagure.cfg b/roles/pagure/templates/pagure.cfg
index 09ab643165..a5d33d4667 100644
--- a/roles/pagure/templates/pagure.cfg
+++ b/roles/pagure/templates/pagure.cfg
@@ -196,7 +196,12 @@ DISABLED_PLUGINS = ['IRC']
 # Specify which authentication method to use, defaults to `fas` can be or
 # `local`
 # Default: ``fas``.
+{% if env == 'staging' %}
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+{% else %}
 PAGURE_AUTH = 'openid'
+{% endif %}
 
 # When this is set to True, the session cookie will only be returned to the
 # server via ssl (https). If you connect to the server via plain http, the
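Review bot: The staging branch sets only `PAGURE_AUTH = 'oidc'` and `OIDC_CLIENT_SECRETS`, but pagure's OIDC login also reads `OIDC_SCOPES` and the `OIDC_PAGURE_*` claim mappings (e-mail, full name, username, groups), and none of them appear in this hunk. The rest of pagure.cfg is outside the hunk, so they may be set elsewhere; if they are not, confirm what identity and group data the login falls back to before relying on it for access decisions. The comment above the block is also stale, since it names `fas` and `local` while the file uses `openid` and now `oidc`. I would replace it with `# Authentication backend: 'openid' in production, 'oidc' (via /etc/pagure/client_secrets.json) in staging.`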