soc-ops/global/overlay/etc/puppet/modules/soc/manifests/sso.pp

# General SSO class for SOC. Based on cnaas::sso
#
# @param hostname FQDN of the host this is running on.
#
# @param email Support email used in error messages etc.
#
# @param service_endpoint Location of service to reverse proxy for.
#
# @param groups
#   List of user groups from sso_groups in global/overlay/etc/hiera/data/common.yaml. The
#   default is a non-existing placeholder group, added to make the Apache config valid.
#
# @param passthrough List of paths to disable SAML protection for, e.g. API paths.
#
# @param x_remote_user
#   If true, EPPN is put in the HTTP header X-Remote-User instead of REMOTE_USER.
#
# @param single_user
#   If true, EPPN is discarded and X-Remote-User is set to "soc-user". This is useful in
#   cases where the service we reverse proxy for can't create new accounts automatically.
#   We use this only for Graylog at the time of writing.
#
# @param satos
#   If we have a satosa proxy or not, default true.
#
# @param proxy
#   Hostname of the satosa proxy.
#
# @param entityID
#   EntityID of the satosa proxy, must not be the same as the proxy hostname.
#   Default set to value of proxy.

class soc::sso(
  String            $ssotype          = 'docker',
  String            $hostname         = $facts['networking']['fqdn'],
  String            $email            = 'cert@cert.sunet.se',
  Optional[String]  $service_endpoint = undef,
  Array             $groups           = ['PLACEHOLDER'],
  Array             $passthrough      = [],
  Boolean           $x_remote_user    = false,
  Boolean           $single_user      = false,
  Boolean           $satosa           = true,
  Boolean           $satosa_certbot   = false,
  String            $translog         = 'INFO',
  String            $proxy            = 'https://shared-sso-proxy1.cert.sunet.se/idp',
  String            $entityID         = $proxy,
) {

  if $ssotype == "docker" {
    file { '/opt/sso':
      ensure => directory,
    }

    #
    # Apache files
    #

    file { '/opt/sso/apache':
      ensure => directory,
    }

    file { '/opt/sso/apache/site.conf':
      ensure  => file,
      content => template('soc/sso/apache-site.conf.erb'),
    }

    # SSL defaults copied from certbot:
    # https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
    file { '/opt/sso/apache/ssl.conf':
      ensure  => file,
      content => file('soc/sso/apache-ssl.conf'),
    }
  }

  if $ssotype == 'docker' {
    $apache_groups = '/opt/sso/apache/groups.txt'
  } elsif $ssotype == 'apache' {
    $apache_groups = '/etc/apache2/groups.txt'
  } else {
    $apache_groups = '/tmp/groups.txt'
  }

  file { $apache_groups:
    ensure  => file,
    content => template('soc/sso/apache-groups.txt.erb')
  }

  #
  # Shibboleth files
  #

  if $ssotype == 'apache' {
    package { ['libapache2-mod-shib', 'shibboleth-sp-utils']:
      ensure => installed,
    }

    exec { 'Make sure mod_shib is loaded':
      command => 'a2enmod shib',
      creates => '/etc/apache2/mods-enabled/shib.load',
    }

    exec { 'Make sure authz_groupfile is loaded':
      command => 'a2enmod authz_groupfile',
      creates => '/etc/apache2/mods-enabled/authz_groupfile.load',
    }

    $shibbase = '/etc/shibboleth'

  } elsif $ssotype == 'docker' {
    $shibbase = '/opt/sso/shibboleth'

    file { $shibbase:
      ensure => directory,
    }
  }

  file { "${shibbase}/shibboleth2.xml":
    ensure  => file,
    content => template('soc/sso/shibboleth2.xml.erb'),
  }

  file { "${shibbase}/shibd.logger":
    ensure  => file,
    content => template('soc/sso/shibd.logger.erb'),
  }

  file { "${shibbase}/attribute-map.xml":
    ensure  => file,
    content => file('soc/sso/attribute-map.xml'),
  }

  file { "${shibbase}/md-signer2.crt":
    ensure  => file,
    content => file('soc/sso/md-signer2.crt'),
  }

  if $satosa {
    file { "${shibbase}/frontend.xml":
      ensure  => file,
      content => file('soc/sso/frontend.xml'),
    }

    file { "${shibbase}/attribute-policy.xml":
      ensure  => file,
      content => file('soc/sso/attribute-policy.xml'),
    }

    if lookup('sso_sp_key', undef, undef, undef) != undef {
      sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
        hiera_key => 'sso_sp_key'
      }
    } else {
      sunet::snippets::keygen {'shib_cert':
        key_file  => "${shibbase}/sp-key.pem",
        cert_file => "${shibbase}/sp-cert.pem"
      }
    }
  } else {
    sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
      hiera_key => 'sso_sp_key'
    }
  }

  #
  # Certbot
  #

  if $satosa_certbot {
    package { ['certbot', 'python3-requests']:
      ensure => 'latest',
    }

    file { '/etc/letsencrypt/acme-dns-auth.py':
      ensure  => file,
      content => file('soc/sso/acme-dns-auth.py'),
      mode    => '0744',
    }

    file { '/etc/letsencrypt/renewal-hooks/deploy/soc-sso-reload':
      ensure  => file,
      mode    => '0700',
      content => "#!/bin/sh -eu\ndocker exec sso service apache2 reload",
    }

    sunet::scriptherder::cronjob { 'le_renew':
      cmd     => '/bin/echo "Keeping this cronjob, but disabled to avoid scriptherder complainign about unknown check"',
      special => 'daily',
    }
  }

  #
  # Docker
  #

  if $ssotype == 'docker' {

    exec {"Create Docker network \"sso\" to talk to service":
      # We OR with true to ignore errors, since the network often already exists.
      # We specify a subnet so that services which have the option/requirement can
      # specify this subnet as source of trusted proxies. This is used in Graylog,
      # for example; see setting "trusted_proxies".
      command => 'docker network create sso --subnet 172.29.0.0/24 || true',
      unless  => 'docker network ls | grep -q sso 2>&1'
    }

    file { '/opt/sso/docker-compose.yml':
      ensure  => file,
      mode    => '0600',
      content => template('soc/sso/docker-compose.yml.erb'),
    }

    sunet::docker_compose_service { 'sso':
      description  =>  '',
      compose_file => '/opt/sso/docker-compose.yml',
    }

    #
    # NFT Rules
    #

    sunet::nftables::docker_expose { 'apache_sso_https' :
      allow_clients => ['0.0.0.0/0'],
      port          => 443,
      iif           => 'ens3',
    }
  }

}
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`# General SSO class for SOC. Based on cnaas::sso`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`#`
			`# @param hostname FQDN of the host this is running on.`
			`#`
			`# @param email Support email used in error messages etc.`
			`#`
			`# @param service_endpoint Location of service to reverse proxy for.`
			`#`
			`# @param groups`
			`# List of user groups from sso_groups in global/overlay/etc/hiera/data/common.yaml. The`
			`# default is a non-existing placeholder group, added to make the Apache config valid.`
			`#`
			`# @param passthrough List of paths to disable SAML protection for, e.g. API paths.`
			`#`
			`# @param x_remote_user`
			`# If true, EPPN is put in the HTTP header X-Remote-User instead of REMOTE_USER.`
			`#`
			`# @param single_user`
Fixes for certbot, no certbot script just yet. 2024-10-28 15:55:35 +01:00			`# If true, EPPN is discarded and X-Remote-User is set to "soc-user". This is useful in`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`# cases where the service we reverse proxy for can't create new accounts automatically.`
			`# We use this only for Graylog at the time of writing.`
			`#`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`# @param satos`
			`# If we have a satosa proxy or not, default true.`
			`#`
			`# @param proxy`
			`# Hostname of the satosa proxy.`
			`#`
			`# @param entityID`
			`# EntityID of the satosa proxy, must not be the same as the proxy hostname.`
			`# Default set to value of proxy.`
fixes. 2024-10-31 14:05:47 +01:00
Spellcheck class ... 2024-10-28 15:23:49 +01:00			`class soc::sso(`
Fixes with auth.. 2024-11-20 13:45:47 +01:00			`String $ssotype = 'docker',`
			`String $hostname = $facts['networking']['fqdn'],`
			`String $email = 'cert@cert.sunet.se',`
Bugfix. 2024-11-20 13:31:52 +01:00			`Optional[String] $service_endpoint = undef,`
			`Array $groups = ['PLACEHOLDER'],`
			`Array $passthrough = [],`
			`Boolean $x_remote_user = false,`
			`Boolean $single_user = false,`
			`Boolean $satosa = true,`
			`Boolean $satosa_certbot = false,`
			`String $translog = 'INFO',`
			`String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',`
			`String $entityID = $proxy,`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`) {`

Don't add docker network if it exists 2024-11-20 13:17:13 +01:00			`if $ssotype == "docker" {`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { '/opt/sso':`
			`ensure => directory,`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`#`
			`# Apache files`
			`#`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { '/opt/sso/apache':`
			`ensure => directory,`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { '/opt/sso/apache/site.conf':`
			`ensure => file,`
			`content => template('soc/sso/apache-site.conf.erb'),`
			`}`

			`# SSL defaults copied from certbot:`
			`# https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf`
			`file { '/opt/sso/apache/ssl.conf':`
			`ensure => file,`
			`content => file('soc/sso/apache-ssl.conf'),`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`if $ssotype == 'docker' {`
			`$apache_groups = '/opt/sso/apache/groups.txt'`
			`} elsif $ssotype == 'apache' {`
			`$apache_groups = '/etc/apache2/groups.txt'`
			`} else {`
			`$apache_groups = '/tmp/groups.txt'`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { $apache_groups:`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`ensure => file,`
			`content => template('soc/sso/apache-groups.txt.erb')`
			`}`

			`#`
			`# Shibboleth files`
			`#`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`if $ssotype == 'apache' {`
Bugfix. 2024-11-20 13:36:12 +01:00			`package { ['libapache2-mod-shib', 'shibboleth-sp-utils']:`
Bugfix. 2024-11-20 13:33:55 +01:00			`ensure => installed,`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`}`

Fixes with auth.. 2024-11-20 14:24:22 +01:00			`exec { 'Make sure mod_shib is loaded':`
			`command => 'a2enmod shib',`
			`creates => '/etc/apache2/mods-enabled/shib.load',`
			`}`

			`exec { 'Make sure authz_groupfile is loaded':`
			`command => 'a2enmod authz_groupfile',`
			`creates => '/etc/apache2/mods-enabled/authz_groupfile.load',`
			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`$shibbase = '/etc/shibboleth'`
Fixes with auth.. 2024-11-20 14:24:22 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`} elsif $ssotype == 'docker' {`
			`$shibbase = '/opt/sso/shibboleth'`

			`file { $shibbase:`
			`ensure => directory,`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/shibboleth2.xml":`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`ensure => file,`
			`content => template('soc/sso/shibboleth2.xml.erb'),`
			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/shibd.logger":`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`ensure => file,`
			`content => template('soc/sso/shibd.logger.erb'),`
			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/attribute-map.xml":`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`ensure => file,`
			`content => file('soc/sso/attribute-map.xml'),`
			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/md-signer2.crt":`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`ensure => file,`
			`content => file('soc/sso/md-signer2.crt'),`
			`}`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`if $satosa {`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/frontend.xml":`
			`ensure => file,`
			`content => file('soc/sso/frontend.xml'),`
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`}`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { "${shibbase}/attribute-policy.xml":`
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`ensure => file,`
			`content => file('soc/sso/attribute-policy.xml'),`
			`}`

			`if lookup('sso_sp_key', undef, undef, undef) != undef {`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`sunet::snippets::secret_file { "${shibbase}/sp-key.pem":`
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`hiera_key => 'sso_sp_key'`
			`}`
			`} else {`
			`sunet::snippets::keygen {'shib_cert':`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`key_file => "${shibbase}/sp-key.pem",`
			`cert_file => "${shibbase}/sp-cert.pem"`
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`}`
			`}`
			`} else {`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`sunet::snippets::secret_file { "${shibbase}/sp-key.pem":`
Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`hiera_key => 'sso_sp_key'`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`}`

			`#`
			`# Certbot`
			`#`

Added a lot of SSO stuff and base for SSO proxy. 2024-10-29 10:59:13 +01:00			`if $satosa_certbot {`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`package { ['certbot', 'python3-requests']:`
			`ensure => 'latest',`
			`}`

			`file { '/etc/letsencrypt/acme-dns-auth.py':`
			`ensure => file,`
Fixes for certbot, no certbot script just yet. 2024-10-28 15:55:35 +01:00			`content => file('soc/sso/acme-dns-auth.py'),`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`mode => '0744',`
			`}`

			`file { '/etc/letsencrypt/renewal-hooks/deploy/soc-sso-reload':`
			`ensure => file,`
			`mode => '0700',`
			`content => "#!/bin/sh -eu\ndocker exec sso service apache2 reload",`
			`}`

			`sunet::scriptherder::cronjob { 'le_renew':`
			`cmd => '/bin/echo "Keeping this cronjob, but disabled to avoid scriptherder complainign about unknown check"',`
			`special => 'daily',`
			`}`
			`}`

			`#`
			`# Docker`
			`#`

Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`if $ssotype == 'docker' {`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`exec {"Create Docker network \"sso\" to talk to service":`
			`# We OR with true to ignore errors, since the network often already exists.`
			`# We specify a subnet so that services which have the option/requirement can`
			`# specify this subnet as source of trusted proxies. This is used in Graylog,`
			`# for example; see setting "trusted_proxies".`
Typo. 2024-11-20 13:25:02 +01:00			`command => 'docker network create sso --subnet 172.29.0.0/24 \|\| true',`
Don't add docker network if it exists 2024-11-20 13:17:13 +01:00			`unless => 'docker network ls \| grep -q sso 2>&1'`
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`file { '/opt/sso/docker-compose.yml':`
			`ensure => file,`
			`mode => '0600',`
			`content => template('soc/sso/docker-compose.yml.erb'),`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`sunet::docker_compose_service { 'sso':`
			`description => '',`
			`compose_file => '/opt/sso/docker-compose.yml',`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00
Trying to get SSO class work with both docker and apache2 2024-11-20 12:40:41 +01:00			`#`
			`# NFT Rules`
			`#`

			`sunet::nftables::docker_expose { 'apache_sso_https' :`
			`allow_clients => ['0.0.0.0/0'],`
			`port => 443,`
			`iif => 'ens3',`
			`}`
First sekelton for shib-proxy. 2024-10-28 13:32:11 +01:00			`}`

			`}`