
Fixes with auth..

Johan Björklund 2024-11-20 14:24:22 +01:00
parent fd68ed866d
commit c36ed664ff
Signed by: bjorklund
GPG key ID: 5E8401339C7F5037
3 changed files with 32 additions and 20 deletions


@ -5,6 +5,7 @@ class soc::intelmq(
String $servername = $facts['networking']['fqdn'], String $servername = $facts['networking']['fqdn'],
Boolean $use_snakeoil = false, Boolean $use_snakeoil = false,
String $apache_group = 'sunet-cert', String $apache_group = 'sunet-cert',
Boolean $use_shib = false,
) { ) {
include sunet::systemd_reload include sunet::systemd_reload


@ -94,7 +94,18 @@ class soc::sso(
ensure => installed, ensure => installed,
} }
exec { 'Make sure mod_shib is loaded':
command => 'a2enmod shib',
creates => '/etc/apache2/mods-enabled/shib.load',
}
exec { 'Make sure authz_groupfile is loaded':
command => 'a2enmod authz_groupfile',
creates => '/etc/apache2/mods-enabled/authz_groupfile.load',
}
$shibbase = '/etc/shibboleth' $shibbase = '/etc/shibboleth'
} elsif $ssotype == 'docker' { } elsif $ssotype == 'docker' {
$shibbase = '/opt/sso/shibboleth' $shibbase = '/opt/sso/shibboleth'
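Review bot: The two new `exec` resources call `a2enmod` without an absolute path or a `path` attribute, and neither notifies Apache. Unless an `Exec` default path is set elsewhere, the catalog run fails on the unqualified command; where it does run, the module is linked on disk but not loaded until Apache is next restarted. Consider `command => '/usr/sbin/a2enmod shib',` (likewise for `authz_groupfile`), with a `require` on the package resource above and a `notify` to whichever resource manages the Apache service. These modules presumably back the `AuthType shibboleth` and `Require group` lines in the template this commit also changes, so a missed load would likely surface as an Apache configuration error. The enclosing `if` branch starts outside the hunk.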


@ -33,17 +33,20 @@
SSLSessionTickets off SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000" Header always set Strict-Transport-Security "max-age=63072000"
<IfModule mod_shib.c> <Location />
<Location /> <% if $use_shib -%>
AuthType shibboleth AuthType shibboleth
ShibRequestSetting requireSession On ShibRequestSetting requireSession On
ShibUseHeaders On ShibUseHeaders On
AuthGroupFile /etc/apache2/groups.txt
Require group <%= @apache_group %>
<% else -%>
Require all granted
<% end -%>
</Location>
AuthGroupFile /etc/apache2/groups.txt
Require group <%= @apache_group %>
</Location>
</IfModule> </IfModule>
<IfModule mod_proxy.c> <IfModule mod_proxy.c>
ProxyRequests Off ProxyRequests Off
<Location "/api"> <Location "/api">
@ -69,19 +72,16 @@
Alias /intelmq-manager /opt/intelmq/www/intelmq-manager Alias /intelmq-manager /opt/intelmq/www/intelmq-manager
<Directory /opt/intelmq/www/intelmq-manager> <Directory /opt/intelmq/www/intelmq-manager>
<IfModule mod_shib.c> <% if $use_shib -%>
<Location /> AuthType shibboleth
AuthType shibboleth ShibRequestSetting requireSession On
ShibRequestSetting requireSession On ShibUseHeaders On
ShibUseHeaders On
AuthGroupFile /etc/apache2/groups.txt AuthGroupFile /etc/apache2/groups.txt
Require group <%= @apache_group %> Require group <%= @apache_group %>
</Location> <% else -%>
</IfModule>
<IfModule !mod_shib.c>
Require all granted Require all granted
</IfModule> <% end -%>
<IfModule mod_headers.c> <IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'" Header set Content-Security-Policy "script-src 'self'"
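Review bot: Both new conditionals test `$use_shib`, yet the same template reads its other parameter as `<%= @apache_group %>`, which suggests it is rendered as ERB. In ERB `$use_shib` is an unset Ruby global, so the `else` branch with `Require all granted` would be emitted even when the class is given `use_shib => true`. If the template is indeed ERB, both lines should read `<% if @use_shib -%>`. With the old `<IfModule mod_shib.c>` guard gone and the parameter defaulting to `false`, the vhost is unauthenticated unless a caller opts in, so a comment at each `else` stating that this branch disables access control would help. The first hunk also seems to keep the closing `</IfModule>` after its opener was removed; the split view does not make the sides certain, so confirm with `apachectl configtest`.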