From 4bf9c2e7a792b7ab9f24a3b783cffc94931add08 Mon Sep 17 00:00:00 2001
From: Stasiek Michalski
Date: Apr 10 2020 17:43:38 +0000
Subject: Update salt/profile/identification/ipsilon.sls, salt/profile/identification/apache.sls, salt/profile/identification/config.sls, salt/profile/identification/files/openidc.static.cfg, salt/profile/identification/files/ipsilon.conf, salt/profile/identification/files/configuration.conf, salt/profile/identification/files/id.opensuse.org.conf, salt/profile/identification/init.sls files
---
diff --git a/salt/profile/identification/apache.sls b/salt/profile/identification/apache.sls
new file mode 100644
index 0000000..94d2cc8
--- /dev/null
+++ b/salt/profile/identification/apache.sls
@@ -0,0 +1,8 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+/etc/apache2/vhosts.d/id.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/identification/files/id.opensuse.org.conf
+ - template: jinja
diff --git a/salt/profile/identification/config.sls b/salt/profile/identification/config.sls
new file mode 100644
index 0000000..fe2d0a9
--- /dev/null
+++ b/salt/profile/identification/config.sls
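Review bot: The vhost state has no `require` on the package state that provides `/usr/libexec/ipsilon` (`ipsilon_dependencies` in ipsilon.sls of this same commit), so on a fresh minion the vhost can be dropped in and apache2 signalled to listen before the application is installed; add `- require: - pkg: ipsilon_dependencies`. `listen_in: - service: apache2` resolves against the `name:` of `id_apache_service` in init.sls, which works but is easier to follow as `- service: id_apache_service`. The `{% set roles = ... %}` line on the first line is never used and can be dropped.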
@@ -0,0 +1,80 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+ipsilon_wellknown_dir:
+ file.directory:
+ - name: /etc/ipsilon/wellknown
+ - mode: 755
+ - user: ipsilon
+
+ipsilon_saml2_dir:
+ file.directory:
+ - name: /etc/ipsilon/saml2
+ - mode: 700
+ - user: ipsilon
+
+ipsilon_configuration_file:
+ file.managed:
+ - name: /etc/ipsilon/configuration.conf
+ - source: salt://profile/identification/files/configuration.conf
+ - template: jinja
+ - mode: 600
+ - require_in:
+ - service: id_apache_service
+ - watch_in:
+ - module: id_apache_restart
+
+ipsilon_conf_file:
+ file.managed:
+ - name: /etc/ipsilon/ipsilon.conf
+ - source: salt://profile/identification/files/ipsilon.conf
+ - template: jinja
+ - mode: 600
+ - require_in:
+ - service: id_apache_service
+ - watch_in:
+ - module: id_apache_restart
+
+/etc/ipsilon/ipsilon.conf:
+ file.symlink:
+ - target: /var/lib/ipsilon/ipsilon.conf
+
+ipsilon_oidc_conf_file:
+ file.managed:
+ - name: /etc/ipsilon/openidc.static.cfg
+ - source: salt://profile/identification/files/openidc.static.cfg
+ - template: jinja
+ - mode: 600
+ - require_in:
+ - service: id_apache_service
+ - watch_in:
+ - module: id_apache_restart
+
+/etc/ipsilon/persona.key:
+ file.managed:
+ - contents_pillar: profile:matrix:persona_priv_key
+ - mode: 600
+ - user: ipsilon
+
+/etc/ipsilon/wellknown/browserid:
+ file.managed:
+ - contents_pillar: profile:matrix:persona_pub_key
+ - mode: 644
+ - user: ipsilon
+
+/etc/ipsilon/openidc.key:
+ file.managed:
+ - contents_pillar: profile:matrix:openidc_priv_key
+ - mode: 600
+ - user: ipsilon
+
+/etc/ipsilon/saml2/idp.key:
+ file.managed:
+ - contents_pillar: profile:matrix:saml2_priv_key
+ - mode: 600
+ - user: ipsilon
+
+/etc/ipsilon/saml2/idp.crt:
+ file.managed:
+ - contents_pillar: profile:matrix:saml2_pub_key
+ - mode: 644
+ - user: ipsilon
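Review bot: `/etc/ipsilon/ipsilon.conf` is declared twice in this hunk — once as a rendered `file.managed` (`ipsilon_conf_file`, the file that carries the database passwords) and once as a `file.symlink` to `/var/lib/ipsilon/ipsilon.conf` — so depending on run order the symlink state either refuses to replace the existing regular file (no `force`) or the rendered secrets end up behind a link to a path nothing here manages; keep only one of the two. The private keys are pulled from `profile:matrix:*` pillar keys while every other lookup in this profile uses `profile:identification`, which reads like a paste from the matrix profile and should become e.g. `- contents_pillar: profile:identification:openidc_priv_key`. The three mode-600 config files set no `user:`, so they are root-owned, while the WSGI daemon declared in this commit's vhost has no `user=` and therefore does not run as root; add `- user: ipsilon` to `ipsilon_configuration_file`, `ipsilon_conf_file` and `ipsilon_oidc_conf_file`. Note also that the SAML key and certificate are written to `/etc/ipsilon/saml2/idp.key` and `idp.crt`, while configuration.conf names them `saml2_idp.key`/`saml2_idp.crt` under `/etc/ipsilon`; unless ipsilon resolves these differently, one side has to change.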
diff --git a/salt/profile/identification/files/configuration.conf b/salt/profile/identification/files/configuration.conf
new file mode 100644
index 0000000..e3bfd41
--- /dev/null
+++ b/salt/profile/identification/files/configuration.conf
@@ -0,0 +1,45 @@
+[login_config]
+global enabled=gssapi
+
+[info_config]
+global enabled=
+
+
+[authz_config]
+global enabled=allow
+
+[provider_config]
+global enabled=openid,saml2,openidc
+
+openidc enabled extensions=
+
+openidc subject salt={{ ipsilon_openidc_subject_salt }}
+openidc endpoint url=https://id.opensuse.org/openidc/
+openidc idp key file=/etc/ipsilon/openidc.key
+openidc database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
+openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
+openidc documentation url=
+openidc policy url=https://en.opensuse.org/Terms_of_site
+openidc tos url=https://en.opensuse.org/Terms_of_site
+openidc idp sig key id=20200224-sig
+openidc allow dynamic client registration=False
+openidc default attribute mapping=[["*", "*"], ["timezone", "zoneinfo"], ["_groups", "groups"], [["_extras", "cla"], "cla"], ["fullname", "name"], ["_username", "preferred_username"]]
+
+openid endpoint url=https://id.opensuse.org/openid/
+openid identity url template=http://%(username)s.id.opensuse.org/
+openid trusted roots=
+openid database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_openid
+openid untrusted roots=
+openid enabled extensions=
+
+saml2 idp storage path=/etc/ipsilon
+saml2 idp metadata file=/httpdir/metadata.xml
+saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
+saml2 idp certificate file=saml2_idp.crt
+saml2 idp key file=saml2_idp.key
+saml2 allow self registration=False
+saml2 default nameid=transient
+saml2 default email domain=opensuse.org
+saml2 session database url=postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_saml2
+
+[saml2_data]
diff --git a/salt/profile/identification/files/id.opensuse.org.conf b/salt/profile/identification/files/id.opensuse.org.conf
new file mode 100644
index 0000000..3211444
--- /dev/null
+++ b/salt/profile/identification/files/id.opensuse.org.conf
@@ -0,0 +1,54 @@
+
+ ServerName id.opensuse.org
+ RewriteEngine on
+ RewriteRule /.well-known/openid-configuration /openidc/.well-known/openid-configuration [PT]
+
+ # This is for mapping $username.id.fp.o -> id.fp.o/id/$username
+ RewriteEngine on
+ RewriteMap lowercase int:tolower
+ RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.opensuse\.org$
+ RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+ RewriteRule ^([a-z0-9-]+)\.id\.opensuse\.org/.* /openid/id/$1/ [PT]
+
+
+ Alias /ui /usr/share/ipsilon/ui
+ WSGIScriptAlias / /usr/libexec/ipsilon
+ WSGIPassAuthorization On
+ WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000
+ WSGIApplicationGroup %{GLOBAL}
+ WSGISocketPrefix /httpdir/run/wsgi
+ WSGIRestrictStdout Off
+ WSGIRestrictSignal Off
+
+
+
+ WSGIProcessGroup ipsilon
+
+
+
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore keytab:/etc/keytabs/ipsilon-keytab
+ AuthType GSSAPI
+ # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+ GssapiSSLonly Off
+ GssapiLocalName on
+ Require valid-user
+ ErrorDocument 401 /login/gssapi/unauthorized
+ ErrorDocument 500 /login/gssapi/failed
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+ ForceType application/json
+
+
diff --git a/salt/profile/identification/files/ipsilon.conf b/salt/profile/identification/files/ipsilon.conf
new file mode 100644
index 0000000..ef70878
--- /dev/null
+++ b/salt/profile/identification/files/ipsilon.conf
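Review bot: `{{ ipsilon_openidc_subject_salt }}` and `{{ ipsilon_saml2_nameid_salt }}` are plain Jinja names that nothing in this commit defines — config.sls passes no `context`/`defaults` to these templates and there is no `{% set %}` — so with Salt's strict-undefined rendering the state fails, and with a lenient renderer the salts would be empty and the pairwise OpenID Connect subjects and SAML name IDs would become derivable from the username. Source them from pillar like the other secrets, e.g. `openidc subject salt={{ pillar['profile']['identification']['openidc_subject_salt'] }}` and the matching `saml2 idp nameid salt=` line. `openid identity url template=http://%(username)s.id.opensuse.org/` is the only plain-http URL in the file while every endpoint is https; if that is intentional for legacy OpenID 2.0 identifiers, say so in a comment, otherwise switch it to https. `saml2 idp certificate file=saml2_idp.crt` and `saml2 idp key file=saml2_idp.key` (relative to `saml2 idp storage path=/etc/ipsilon`) do not match the `/etc/ipsilon/saml2/idp.crt` and `idp.key` paths written by config.sls, so the SAML provider presumably cannot find its key material.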
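Review bot: `WSGIDaemonProcess ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000` sets no `user=`/`group=`, so the ipsilon application runs as Apache's own user while config.sls in this commit makes the private keys and configs mode 600 owned by `ipsilon`; either the daemon cannot read them or the ownership separation does nothing. Proposed: `WSGIDaemonProcess ipsilon user=ipsilon group=ipsilon home=/var/lib/ipsilon processes=2 threads=2 maximum-requests=1000`. The `<VirtualHost>`/`<Location>`/`<IfModule>` container directives were lost in this rendering of the hunk, so the scoping of the three `Require all granted` blocks and of the GSSAPI `Require valid-user` cannot be checked here; please confirm the GSSAPI block is limited to the `/login/gssapi` path. `WSGIRestrictStdout Off` and `WSGIRestrictSignal Off` are wider than the application should need and deserve a one-line comment explaining why they are disabled.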
@@ -0,0 +1,23 @@
+[global]
+debug = True
+tools.log_request_response.on = False
+theme_dir = "themes/openSUSE"
+template_dir = "/usr/share/ipsilon/templates"
+
+log.screen = True
+base.dir = "/usr/share/ipsilon"
+admin.config.db = "configfile:///etc/ipsilon/configuration.conf"
+user.prefs.db = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_user_prefs"
+transactions.db = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_transactions"
+
+tools.sessions.on = True
+tools.sessions.name = "opensuse_ipsilon_session_id"
+tools.sessions.storage_type = "sql"
+tools.sessions.storage_dburi = "postgresql://{{ pillar['profile']['identification']['database_user'] }}:{{ pillar['postgres']['users']['identification']['password'] }}@{{ pillar['profile']['identification']['database_host'] }}/ipsilon_sessions"
+tools.sessions.timeout = 15
+tools.sessions.httponly = True
+tools.sessions.secure = True
+tools.sessions.locking = 'explicit'
+
+tools.proxy.on = True
+tools.proxy.base = "https://id.opensuse.org"
diff --git a/salt/profile/identification/files/openidc.static.cfg b/salt/profile/identification/files/openidc.static.cfg
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/salt/profile/identification/files/openidc.static.cfg
diff --git a/salt/profile/identification/init.sls b/salt/profile/identification/init.sls
new file mode 100644
index 0000000..dde9b1b
--- /dev/null
+++ b/salt/profile/identification/init.sls
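Review bot: `debug = True` ships debug logging enabled in a production identity provider's config; ipsilon's debug mode presumably logs request detail that can include tokens or identity attributes, so it should default to off and be driven from pillar, e.g. `debug = {{ pillar['profile']['identification'].get('debug', False) }}`. The session settings are otherwise sound (`tools.sessions.secure = True`, `tools.sessions.httponly = True`); a short comment on the `tools.sessions.timeout = 15` line naming its unit would help the next reader.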
@@ -0,0 +1,13 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+id_apache_service:
+ service.running:
+ - name: apache2
+ - enable: True
+
+id_apache_restart:
+ module.wait:
+ - name: service.restart
+ - m_name: apache2
+ - require:
+ - service: synapse_service
diff --git a/salt/profile/identification/ipsilon.sls b/salt/profile/identification/ipsilon.sls
new file mode 100644
index 0000000..4502d7c
--- /dev/null
+++ b/salt/profile/identification/ipsilon.sls
@@ -0,0 +1,12 @@
+{% set roles = salt['grains.get']('roles', []) %}
+
+ipsilon_dependencies:
+ pkg.installed:
+ - pkgs:
+ - ipsilon
+ - ipsilon-openid
+ - ipsilon-saml2
+ - ipsilon-persona
+ - ipsilon-authgssapi
+ - ipsilon-openidc
+
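Review bot: `id_apache_restart` requires `- service: synapse_service`, a state that nothing in this identification profile defines (it is the Matrix/Synapse service name), so Salt reports the requisite as not found and the restart state fails; since every config file in config.sls only `watch_in`s this module, Apache would never be restarted when a config changes. It should be `- require: - service: id_apache_service`, the service defined two states above in this hunk. The `{% set roles = ... %}` line at the top is unused and can be dropped.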
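Review bot: The package list installs `ipsilon-persona` although configuration.conf in this commit enables only `openid,saml2,openidc`, so either drop the package together with the `persona.key`/`browserid` states in config.sls or add `persona` to the provider list. Nothing visible installs `apache2` or the mod_wsgi and mod_auth_gssapi modules the vhost depends on (`WSGIDaemonProcess`, `AuthType GSSAPI`); if they come from another profile a comment naming it would help, otherwise add them to `pkgs`. The `roles` grain read on the first line is never used.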