From 213157dc0f205aca3d280e1ce85c82fa8083f2b6 Mon Sep 17 00:00:00 2001
From: Stasiek Michalski
Date: Apr 10 2020 17:43:38 +0000
Subject: Use sso.opensuse.org and remove persona capabilities


---

diff --git a/salt/profile/identification/apache.sls b/salt/profile/identification/apache.sls
index 94d2cc8..d05a08e 100644
--- a/salt/profile/identification/apache.sls
+++ b/salt/profile/identification/apache.sls
@@ -1,8 +1,8 @@
 {% set roles = salt['grains.get']('roles', []) %}
 
-/etc/apache2/vhosts.d/id.opensuse.org.conf:
+/etc/apache2/vhosts.d/sso.opensuse.org.conf:
   file.managed:
     - listen_in:
       - service: apache2
-    - source: salt://profile/identification/files/id.opensuse.org.conf
+    - source: salt://profile/identification/files/sso.opensuse.org.conf
     - template: jinja
diff --git a/salt/profile/identification/config.sls b/salt/profile/identification/config.sls
index fe2d0a9..8106bdf 100644
--- a/salt/profile/identification/config.sls
+++ b/salt/profile/identification/config.sls
@@ -1,27 +1,23 @@
 {% set roles = salt['grains.get']('roles', []) %}
 
-ipsilon_wellknown_dir:
-  file.directory:
-    - name: /etc/ipsilon/wellknown
-    - mode: 755
-    - user: ipsilon
-
 ipsilon_saml2_dir:
   file.directory:
     - name: /etc/ipsilon/saml2
     - mode: 700
     - user: ipsilon
 
-ipsilon_configuration_file:
-  file.managed:
-    - name: /etc/ipsilon/configuration.conf
-    - source: salt://profile/identification/files/configuration.conf
-    - template: jinja
-    - mode: 600
-    - require_in:
-      - service: id_apache_service
-    - watch_in:
-      - module: id_apache_restart
+# # This will be exported from the UI once we set everything up there
+#
+# ipsilon_configuration_file:
+#   file.managed:
+#     - name: /etc/ipsilon/configuration.conf
+#     - source: salt://profile/identification/files/configuration.conf
+#     - template: jinja
+#     - mode: 600
+#     - require_in:
+#       - service: id_apache_service
+#     - watch_in:
+#       - module: id_apache_restart
 
 ipsilon_conf_file:
   file.managed:
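Review bot: Renaming the state id from `/etc/apache2/vhosts.d/id.opensuse.org.conf` to `/etc/apache2/vhosts.d/sso.opensuse.org.conf` stops managing the old path but does not remove it, since Salt leaves files it no longer manages in place. Hosts that already applied the previous state therefore keep the old `id.opensuse.org` vhost active next to the new one. Add a companion state such as `/etc/apache2/vhosts.d/id.opensuse.org.conf: file.absent` with the same `listen_in` on the `apache2` service so the stale vhost is removed and Apache is reloaded.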
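Review bot: Commenting out `ipsilon_configuration_file` leaves the `/etc/ipsilon/configuration.conf` already rendered on deployed hosts unmanaged rather than handed over to the UI: that copy holds the pillar-derived database credentials and the `https://id.opensuse.org/...` endpoint URLs from the deleted template, and nothing now enforces its `mode: 600` or restarts Apache when it changes. Until the UI export exists, a minimal `file.managed` for that path with `- replace: False` and `- mode: 600` would keep the permissions enforced without overwriting UI-managed content. The removed `ipsilon_wellknown_dir` likewise leaves `/etc/ipsilon/wellknown` behind as an unmanaged directory; if it is no longer needed, a `file.absent` is the explicit way to say so. The `# #` on the first commented line reads as a double comment marker; `# NOTE: to be exported from the UI once everything is set up there` would be clearer.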
@@ -49,18 +45,6 @@ ipsilon_oidc_conf_file:
     - watch_in:
       - module: id_apache_restart
 
-/etc/ipsilon/persona.key:
-  file.managed:
-    - contents_pillar: profile:matrix:persona_priv_key
-    - mode: 600
-    - user: ipsilon
-
-/etc/ipsilon/wellknown/browserid:
-  file.managed:
-    - contents_pillar: profile:matrix:persona_pub_key
-    - mode: 644
-    - user: ipsilon
-
 /etc/ipsilon/openidc.key:
   file.managed:
     - contents_pillar: profile:matrix:openidc_priv_key
diff --git a/salt/profile/identification/files/configuration.conf b/salt/profile/identification/files/configuration.conf
deleted file mode 100644
index e3bfd41..0000000
--- a/salt/profile/identification/files/configuration.conf
+++ /dev/null
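Review bot: Dropping the `/etc/ipsilon/persona.key` and `/etc/ipsilon/wellknown/browserid` states does not remove those files from hosts that already have them, so the Persona private key written from `profile:matrix:persona_priv_key` with `mode: 600` stays on disk indefinitely after the feature is gone. Replace the removed states with `/etc/ipsilon/persona.key: file.absent` and `/etc/ipsilon/wellknown/browserid: file.absent` (or a single `file.absent` on `/etc/ipsilon/wellknown`, since the directory state is removed in the first hunk of this file). If the `persona_priv_key` and `persona_pub_key` values are still present in pillar, they should be removed as well so the retired key is no longer distributed to minions.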
@@ -1,45 +0,0 @@
-[login_config]
-global enabled=gssapi
-
-[info_config]
-global enabled=
-
-
-[authz_config]
-global enabled=allow
-
-[provider_config]
-global enabled=openid,saml2,openidc
-
-openidc enabled extensions=
-
-openidc subject salt={{ ipsilon_openidc_subject_salt }}
-openidc endpoint url=https://id.opensuse.org/openidc/
-openidc idp key file=/etc/ipsilon/openidc.key
-openidc database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
-openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
-openidc documentation url=
-openidc policy url=https://en.opensuse.org/Terms_of_site
-openidc tos url=https://en.opensuse.org/Terms_of_site
-openidc idp sig key id=20200224-sig
-openidc allow dynamic client registration=False
-openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
-
-openid endpoint url=https://id.opensuse.org/openid/
-openid identity url template=http://%(username)s.id.opensuse.org/
-openid trusted roots=
-openid database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
-openid untrusted roots=
-openid enabled extensions=
-
-saml2 idp storage path=/etc/ipsilon
-saml2 idp metadata file=/httpdir/metadata.xml
-saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
-saml2 idp certificate file=saml2_idp.crt
-saml2 idp key file=saml2_idp.key
-saml2 allow self registration=False
-saml2 default nameid=transient
-saml2 default email domain=opensuse.org
-saml2 session database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_saml2
-
-[saml2_data]
diff --git a/salt/profile/identification/files/id.opensuse.org.conf b/salt/profile/identification/files/id.opensuse.org.conf
deleted file mode 100644
index 3211444..0000000
--- a/salt/profile/identification/files/id.opensuse.org.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-
-    ServerName id.opensuse.org
-    RewriteEngine on
-    RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
-
-    # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
-    RewriteEngine on
-    RewriteMap lowercase int:tolower
-    RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.opensuse\.org$
-    RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-    RewriteRule ^([a-z0-9-]+)\.id\.opensuse\.org/.* /openid/id/$1/ [PT]
-
-
-    Alias /ui /usr/share/ipsilon/ui
-    WSGIScriptAlias / /usr/libexec/ipsilon
-    WSGIPassAuthorization On
-    WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
-    WSGIApplicationGroup %{GLOBAL}
-    WSGISocketPrefix /httpdir/run/wsgi
-    WSGIRestrictStdout Off
-    WSGIRestrictSignal Off
-
-
-
-    WSGIProcessGroup ipsilon
-
-
-
-    AuthName "GSSAPI Single Sign On Login"
-    GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
-    AuthType GSSAPI
-    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
-    GssapiSSLonly Off
-    GssapiLocalName on
-    Require valid-user
-    ErrorDocument 401 /login/gssapi/unauthorized
-    ErrorDocument 500 /login/gssapi/failed
-
-
-
-    Require all granted
-
-
-
-    Require all granted
-
-
-
-    Require all granted
-
-
-    ForceType application/json
-
-
diff --git a/salt/profile/identification/files/ipsilon.conf b/salt/profile/identification/files/ipsilon.conf
index ef70878..74b96f8 100644
--- a/salt/profile/identification/files/ipsilon.conf
+++ b/salt/profile/identification/files/ipsilon.conf
@@ -20,4 +20,4 @@ tools.sessions.secure = True tools.sessions.locking = 'explicit' tools.proxy.on = True -tools.proxy.base = "https://id.opensuse.org" +tools.proxy.base = "https://sso.opensuse.org" diff --git a/salt/profile/identification/files/sso.opensuse.org.conf b/salt/profile/identification/files/sso.opensuse.org.conf new file mode 100644 index 0000000..d395b5d --- /dev/null +++ b/salt/profile/identification/files/sso.opensuse.org.conf @@ -0,0 +1,47 @@ + + ServerName sso.opensuse.org + RewriteEngine on + RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT] + + # This is for mapping $username.sso.o.o -> sso.o.o/id/$username + RewriteEngine on + RewriteMap lowercase int:tolower + RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.sso\.opensuse\.org$ + RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] + RewriteRule ^([a-z0-9-]+)\.sso\.opensuse\.org/.* /openid/id/$1/ [PT] + + + Alias /ui /usr/share/ipsilon/ui + WSGIScriptAlias / /usr/libexec/ipsilon + WSGIPassAuthorization On + WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000 + WSGIApplicationGroup %{GLOBAL} + WSGISocketPrefix /httpdir/run/wsgi + WSGIRestrictStdout Off + WSGIRestrictSignal Off + + + + WSGIProcessGroup ipsilon + + + + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab + AuthType GSSAPI + # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS + GssapiSSLonly Off + GssapiLocalName on + Require valid-user + ErrorDocument 401 /login/gssapi/unauthorized + ErrorDocument 500 /login/gssapi/failed + + + + Require all granted + + + + Require all granted + + diff --git a/salt/profile/identification/ipsilon.sls b/salt/profile/identification/ipsilon.sls index 4502d7c..e6b1774 100644 --- a/salt/profile/identification/ipsilon.sls +++ b/salt/profile/identification/ipsilon.sls 
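Review bot: The new vhost changes `ServerName` to `sso.opensuse.org` but carries over `GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab` and the per-user rewrite to `/openid/id/$1/`, both of which embed hostname assumptions the commit does not address. GSSAPI authentication on this vhost needs a service principal for the new name in that keytab, so confirm the keytab is re-issued together with this change. The `^([a-z0-9-]+)\.sso\.opensuse\.org/.*` rewrite only matches identifiers Ipsilon mints under the new domain; the deleted `configuration.conf` used `openid identity url template=http://%(username)s.id.opensuse.org/`, and since that file is no longer managed by Salt the template has to be changed in the live configuration, while identifiers already issued under `*.id.opensuse.org` presumably stop resolving unless the old names stay served as aliases or are redirected. A short comment above the `RewriteCond` stating that the pattern must match the identity URL template configured in Ipsilon would make the coupling visible to the next maintainer.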
@@ -3,10 +3,10 @@
 ipsilon_dependencies:
   pkg.installed:
     - pkgs:
+      - apache2
       - ipsilon
-      - ipsilon-openid
+      - ipsilon-tools-ipa
       - ipsilon-saml2
-      - ipsilon-persona
-      - ipsilon-authgssapi
+      - ipsilon-openid
       - ipsilon-openidc
-
+      - ipsilon-theme-openSUSE
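Review bot: `ipsilon-authgssapi` is removed from `pkgs` while the rest of the commit still relies on GSSAPI login: the new `sso.opensuse.org.conf` sets `AuthType GSSAPI` and routes failures to `/login/gssapi/unauthorized`, and the deleted `configuration.conf` had `global enabled=gssapi` under `[login_config]`. Unless `ipsilon-tools-ipa` pulls that login plugin in as a dependency, a fresh install will lack the module the vhost expects; keep `- ipsilon-authgssapi` in the list, or add a comment above `- ipsilon-tools-ipa` recording that it is relied on to provide the GSSAPI login plugin. The list also adds `apache2` but not the Apache GSSAPI auth module (`mod_auth_gssapi`, named in the vhost comment); if it is installed by another state, a one-line comment here pointing to it would avoid the question.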