Fixes with auth..

2024-11-20 14:24:22 +01:00 · 2024-11-20 14:24:22 +01:00 · c36ed664ff
commit c36ed664ff
parent fd68ed866d
3 changed files with 32 additions and 20 deletions
--- a/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
@ -5,6 +5,7 @@ class soc::intelmq(
  String              $servername = $facts['networking']['fqdn'],
  Boolean             $use_snakeoil = false,
  String              $apache_group = 'sunet-cert',
+  Boolean             $use_shib   = false,
 ) {
  include sunet::systemd_reload

--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -94,7 +94,18 @@ class soc::sso(
      ensure => installed,
    }

+    exec { 'Make sure mod_shib is loaded':
+      command => 'a2enmod shib',
+      creates => '/etc/apache2/mods-enabled/shib.load',
+    }
+
+    exec { 'Make sure authz_groupfile is loaded':
+      command => 'a2enmod authz_groupfile',
+      creates => '/etc/apache2/mods-enabled/authz_groupfile.load',
+    }
+
    $shibbase = '/etc/shibboleth'
+
  } elsif $ssotype == 'docker' {
    $shibbase = '/opt/sso/shibboleth'

--- a/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb
@ -33,17 +33,20 @@
        SSLSessionTickets       off
        Header                  always set Strict-Transport-Security "max-age=63072000"

-        <IfModule mod_shib.c>
-          <Location />
-            AuthType shibboleth
-            ShibRequestSetting requireSession On
-            ShibUseHeaders On
+        <Location />
+        <% if $use_shib -%>
+          AuthType shibboleth
+          ShibRequestSetting requireSession On
+          ShibUseHeaders On
+
+          AuthGroupFile /etc/apache2/groups.txt
+          Require group <%= @apache_group %>
+        <% else -%>
+          Require all granted
+        <% end -%>
+        </Location>

-            AuthGroupFile /etc/apache2/groups.txt
-            Require group <%= @apache_group %>
-          </Location>
        </IfModule>
-
        <IfModule mod_proxy.c>
                ProxyRequests   Off
                <Location "/api">
@ -69,19 +72,16 @@

        Alias /intelmq-manager /opt/intelmq/www/intelmq-manager
        <Directory /opt/intelmq/www/intelmq-manager> 
-        <IfModule mod_shib.c>
-          <Location />
-            AuthType shibboleth
-            ShibRequestSetting requireSession On
-            ShibUseHeaders On
+        <% if $use_shib -%>
+          AuthType shibboleth
+          ShibRequestSetting requireSession On
+          ShibUseHeaders On

-            AuthGroupFile /etc/apache2/groups.txt
-            Require group <%= @apache_group %>
-          </Location>
-        </IfModule>
-        <IfModule !mod_shib.c>
+          AuthGroupFile /etc/apache2/groups.txt
+          Require group <%= @apache_group %>
+        <% else -%>
          Require all granted
-        </IfModule>
+        <% end -%>

            <IfModule mod_headers.c>
                    Header set Content-Security-Policy "script-src 'self'"