From c36ed664ff0a71f2420c9051e817523fe99e8794 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?= Date: Wed, 20 Nov 2024 14:24:22 +0100 Subject: [PATCH] Fixes with auth.. --- .../puppet/modules/soc/manifests/intelmq.pp | 1 + .../etc/puppet/modules/soc/manifests/sso.pp | 11 +++++ .../templates/intelmq/intelmq-vhost.conf.erb | 40 +++++++++---------- 3 files changed, 32 insertions(+), 20 deletions(-) diff --git a/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp b/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp index fdade8b..428ef06 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp @@ -5,6 +5,7 @@ class soc::intelmq( String $servername = $facts['networking']['fqdn'], Boolean $use_snakeoil = false, String $apache_group = 'sunet-cert', + Boolean $use_shib = false, ) { include sunet::systemd_reload diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp index 8d6094c..5db0f9f 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp @@ -94,7 +94,18 @@ class soc::sso( ensure => installed, } + exec { 'Make sure mod_shib is loaded': + command => 'a2enmod shib', + creates => '/etc/apache2/mods-enabled/shib.load', + } + + exec { 'Make sure authz_groupfile is loaded': + command => 'a2enmod authz_groupfile', + creates => '/etc/apache2/mods-enabled/authz_groupfile.load', + } + $shibbase = '/etc/shibboleth' + } elsif $ssotype == 'docker' { $shibbase = '/opt/sso/shibboleth' diff --git a/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb index 11738b7..d058f64 100644 --- a/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb 
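Review bot: The new parameter `Boolean $use_shib = false,` defaults to off, and the off branch of the vhost template in this same patch renders `Require all granted`. A node that does not set the parameter therefore loses the Shibboleth session and group check that the template applied unconditionally before. A fail-closed default, `Boolean $use_shib = true,`, would make unauthenticated access an explicit per-host choice. The class body continues outside the hunk, so any other restriction that applies when the flag is off cannot be seen here; a comment on the parameter such as `# false = no web authentication on the IntelMQ vhost; only for hosts protected by other means` would document the risk.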
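Review bot: Both new `exec` resources run `a2enmod` by bare name with no `path`, which Puppet rejects as an unqualified command unless an `Exec { path => ... }` default is set somewhere outside this hunk. Either qualify the command, `command => '/usr/sbin/a2enmod shib',`, or add `path => ['/usr/sbin', '/usr/bin', '/bin'],` to both resources. Neither exec requires the package installed just above or notifies the Apache service, so ordering and the reload that loads the modules are implicit; adding `require` and `notify` with the resource titles this class already uses would make them explicit. The enclosing `if`/`elsif` on `$ssotype` starts outside the hunk.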
+++ b/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb @@ -33,17 +33,20 @@ SSLSessionTickets off Header always set Strict-Transport-Security "max-age=63072000" - - - AuthType shibboleth - ShibRequestSetting requireSession On - ShibUseHeaders On + + <% if $use_shib -%> + AuthType shibboleth + ShibRequestSetting requireSession On + ShibUseHeaders On + + AuthGroupFile /etc/apache2/groups.txt + Require group <%= @apache_group %> + <% else -%> + Require all granted + <% end -%> + - AuthGroupFile /etc/apache2/groups.txt - Require group <%= @apache_group %> - - ProxyRequests Off @@ -69,19 +72,16 @@ Alias /intelmq-manager /opt/intelmq/www/intelmq-manager - - - AuthType shibboleth - ShibRequestSetting requireSession On - ShibUseHeaders On + <% if $use_shib -%> + AuthType shibboleth + ShibRequestSetting requireSession On + ShibUseHeaders On - AuthGroupFile /etc/apache2/groups.txt - Require group <%= @apache_group %> - - - + AuthGroupFile /etc/apache2/groups.txt + Require group <%= @apache_group %> + <% else -%> Require all granted - + <% end -%> Header set Content-Security-Policy "script-src 'self'"
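Review bot: `<% if $use_shib -%>` tests a Ruby global variable, not the Puppet class parameter; in an ERB template Puppet variables are instance variables, as this file already does with `<%= @apache_group %>`. An unset Ruby global is nil, so the condition is always false and the rendered vhost always takes the `Require all granted` branch, leaving both access-control blocks without the Shibboleth session and group requirement even when `use_shib => true` is set. Change both occurrences, in this hunk and in the one at `-69,19 +72,16`, to `<% if @use_shib -%>`. If the flag-off case is meant only for internal or test hosts, a narrower else branch such as `Require local` or a `Require ip` range would fail safer than granting everyone.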