From 0a6f0389ec8979f0c217c7de250bf06acb4a5d96 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Apr 10 2020 19:36:20 +0000
Subject: Merge branch 'hellcp/introduce-ipsilon' into 'production'
Introduce ipsilon
See merge request infra/salt!361
---
diff --git a/salt/profile/identification/apache.sls b/salt/profile/identification/apache.sls
new file mode 100644
index 0000000..ea5a0f5
--- /dev/null
+++ b/salt/profile/identification/apache.sls
@@ -0,0 +1,5 @@
+/etc/apache2/vhosts.d/sso.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/identification/files/sso.opensuse.org.conf
diff --git a/salt/profile/identification/config.sls b/salt/profile/identification/config.sls
new file mode 100644
index 0000000..58d38c4
--- /dev/null
+++ b/salt/profile/identification/config.sls
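Review bot: The `listen_in: - service: apache2` requisite in apache.sls refers to the Apache service state by its `name`, while config.sls in the same merge refers to that state by its ID, `id_apache_service`. Salt resolves requisites by either ID or name, so both forms work today, but mixing them makes the dependency graph harder to follow and the name-based one silently stops matching if the service state's `name` is ever changed; `- service: id_apache_service` keeps the two files consistent. The vhost file is managed without explicit `user`, `group` or `mode`, so it takes the minion defaults; it carries no secrets, but stating `- mode: '0644'` documents that this is intended.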
@@ -0,0 +1,61 @@
+ipsilon_saml2_dir:
+ file.directory:
+ - name: /etc/ipsilon/saml2
+ - mode: 700
+ - user: ipsilon
+
+# # This will be exported from the UI once we set everything up there
+#
+# ipsilon_configuration_file:
+# file.managed:
+# - name: /etc/ipsilon/configuration.conf
+# - source: salt://profile/identification/files/configuration.conf
+# - template: jinja
+# - mode: 600
+# - require_in:
+# - service: id_apache_service
+# - watch_in:
+# - module: id_apache_restart
+
+ipsilon_conf_file:
+ file.managed:
+ - name: /etc/ipsilon/ipsilon.conf
+ - source: salt://profile/identification/files/ipsilon.conf
+ - template: jinja
+ - mode: 600
+ - require_in:
+ - service: id_apache_service
+ - watch_in:
+ - module: id_apache_restart
+
+/var/lib/ipsilon/ipsilon.conf:
+ file.symlink:
+ - target: /etc/ipsilon/ipsilon.conf
+
+ipsilon_oidc_conf_file:
+ file.managed:
+ - name: /etc/ipsilon/openidc.static.cfg
+ - source: salt://profile/identification/files/openidc.static.cfg
+ - mode: 600
+ - require_in:
+ - service: id_apache_service
+ - watch_in:
+ - module: id_apache_restart
+
+/etc/ipsilon/openidc.key:
+ file.managed:
+ - contents_pillar: profile:matrix:openidc_priv_key
+ - mode: 600
+ - user: ipsilon
+
+/etc/ipsilon/saml2/idp.key:
+ file.managed:
+ - contents_pillar: profile:matrix:saml2_priv_key
+ - mode: 600
+ - user: ipsilon
+
+/etc/ipsilon/saml2/idp.crt:
+ file.managed:
+ - contents_pillar: profile:matrix:saml2_pub_key
+ - mode: 644
+ - user: ipsilon
diff --git a/salt/profile/identification/files/ipsilon.conf b/salt/profile/identification/files/ipsilon.conf
new file mode 100644
index 0000000..74b96f8
--- /dev/null
+++ b/salt/profile/identification/files/ipsilon.conf
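Review bot: The three key-material states at the end of config.sls (`/etc/ipsilon/openidc.key`, `/etc/ipsilon/saml2/idp.key`, `/etc/ipsilon/saml2/idp.crt`) read their contents from `profile:matrix:*` pillar keys, whereas every other pillar reference in this merge (ipsilon.conf) lives under `profile:identification`; this looks like a leftover from a matrix profile and would either render another profile's private keys into this IdP or fail to render if those keys do not exist there. The `contents_pillar` values should be `profile:identification:openidc_priv_key`, `profile:identification:saml2_priv_key` and `profile:identification:saml2_pub_key`, with the pillar data placed accordingly. Those states and `ipsilon_saml2_dir` also set `user: ipsilon` with no `require` on the package state in ipsilon.sls that presumably creates that user, so correct ordering currently depends on how the states are listed elsewhere; `- require: - pkg: ipsilon_dependencies` on each makes it explicit. As far as I know Salt accepts the unquoted integer `mode:` values, but its docs recommend quoting them (`'0600'`) so a leading zero is never reinterpreted by YAML.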
@@ -0,0 +1,23 @@
+[global]
+debug = True
+tools.log_request_response.on = False
+theme_dir = "themes/openSUSE"
+template_dir = "/usr/share/ipsilon/templates"
+
+log.screen = True
+base.dir = "/usr/share/ipsilon"
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+user.prefs.db = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_user_prefs"
+transactions.db = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_transactions"
+
+tools.sessions.on = True
+tools.sessions.name = "opensuse_ipsilon_session_id"
+tools.sessions.storage_type = "sql"
+tools.sessions.storage_dburi = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_sessions"
+tools.sessions.timeout = 15
+tools.sessions.httponly = True
+tools.sessions.secure = True
+tools.sessions.locking = 'explicit'
+
+tools.proxy.on = True
+tools.proxy.base = "https://sso.opensuse.org"
diff --git a/salt/profile/identification/files/openidc.static.cfg b/salt/profile/identification/files/openidc.static.cfg
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/salt/profile/identification/files/openidc.static.cfg
@@ -0,0 +1 @@
+#
diff --git a/salt/profile/identification/files/sso.opensuse.org.conf b/salt/profile/identification/files/sso.opensuse.org.conf
new file mode 100644
index 0000000..d395b5d
--- /dev/null
+++ b/salt/profile/identification/files/sso.opensuse.org.conf
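Review bot: `debug = True` on the second line of ipsilon.conf is going into the production branch for the identity provider; if I read Ipsilon's config right this switches on verbose logging of the authentication flows, which together with `log.screen = True` lands in the Apache error log, so it should either be `debug = False` or be driven from pillar, e.g. `debug = {{ pillar['profile']['identification'].get('debug', False) }}`. The database user, password and host are rendered three times, in `user.prefs.db`, `transactions.db` and `tools.sessions.storage_dburi`; a single `{% set db = 'postgresql://' ~ pillar['profile']['identification']['database_user'] ~ ':' ~ pillar['postgres']['users']['identification']['password'] ~ '@' ~ pillar['profile']['identification']['database_host'] %}` at the top and `{{ db }}/ipsilon_user_prefs` etc. in each URI removes the repetition and the chance of the three drifting apart. Because the rendered file contains that password, the `mode: 600` that config.sls applies is what keeps it private; a one-line comment at the top of the template saying so would stop a later edit from relaxing it.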
@@ -0,0 +1,47 @@
+
+ ServerName sso.opensuse.org
+ RewriteEngine on
+ RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+
+ # This is for mapping $username.sso.o.o -> sso.o.o/id/$username
+ RewriteEngine on
+ RewriteMap lowercase int:tolower
+ RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.sso\.opensuse\.org$
+ RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+ RewriteRule ^([a-z0-9-]+)\.sso\.opensuse\.org/.* /openid/id/$1/ [PT]
+
+
+ Alias /ui /usr/share/ipsilon/ui
+ WSGIScriptAlias / /usr/libexec/ipsilon
+ WSGIPassAuthorization On
+ WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+ WSGIApplicationGroup %{GLOBAL}
+ WSGISocketPrefix /httpdir/run/wsgi
+ WSGIRestrictStdout Off
+ WSGIRestrictSignal Off
+
+
+
+ WSGIProcessGroup ipsilon
+
+
+
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ Require valid-user
+ ErrorDocument 401 /login/gssapi/unauthorized
+ ErrorDocument 500 /login/gssapi/failed
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
diff --git a/salt/profile/identification/init.sls b/salt/profile/identification/init.sls
new file mode 100644
index 0000000..a9ea967
--- /dev/null
+++ b/salt/profile/identification/init.sls
@@ -0,0 +1,11 @@
+id_apache_service:
+ service.running:
+ - name: apache2
+ - enable: True
+
+id_apache_restart:
+ module.wait:
+ - name: service.restart
+ - m_name: apache2
+ - require:
+ - service: synapse_service
diff --git a/salt/profile/identification/ipsilon.sls b/salt/profile/identification/ipsilon.sls
new file mode 100644
index 0000000..6158cba
--- /dev/null
+++ b/salt/profile/identification/ipsilon.sls
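Review bot: `WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000` in sso.opensuse.org.conf sets no `user=`/`group=`, so the Ipsilon daemon processes run under Apache's own account rather than `ipsilon`; config.sls in this merge installs `/etc/ipsilon/openidc.key` and `/etc/ipsilon/saml2/idp.key` as `user: ipsilon` with mode 600, which that account cannot read, and the IdP would share its process identity with everything else the web server serves. Adding `user=ipsilon group=ipsilon` to the `WSGIDaemonProcess` line addresses both, unless the ipsilon package's own Apache snippet already defines this, which the hunk does not show. The `<VirtualHost>`, `<Location>` and `<Directory>` container lines have been stripped by the page rendering, so which directives sit inside which container cannot be checked from here; in particular, that the `AuthType GSSAPI` / `Require valid-user` block is scoped to the GSSAPI login path only should be confirmed against the repository file.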
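Review bot: `id_apache_restart` in init.sls declares `require: - service: synapse_service`, but no state with that ID or name exists in this profile (the only service state is `id_apache_service`, name `apache2`); this looks copied from a matrix/synapse profile, and unless synapse happens to be in the same highstate the requisite fails to resolve and every state in config.sls that `watch_in`s `id_apache_restart` fails with it. It should read `- service: id_apache_service`. init.sls also has no `include:` of the sibling apache.sls, config.sls and ipsilon.sls, so `profile.identification` by itself applies nothing but the service state; if top.sls lists the sub-states individually that is fine, otherwise an `include:` list at the top of init.sls is needed.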
@@ -0,0 +1,10 @@
+ipsilon_dependencies:
+ pkg.installed:
+ - pkgs:
+ - apache2
+ - ipsilon
+ - ipsilon-tools-ipa
+ - ipsilon-saml2
+ - ipsilon-openid
+ - ipsilon-openidc
+ - ipsilon-theme-openSUSE