From 4b11e53200b6b8a70408854ed9397e435b669ac5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?=
Date: Tue, 29 Oct 2024 10:59:13 +0100
Subject: [PATCH] Added a lot of SSO stuff and base for SSO proxy.
---
 global/overlay/etc/puppet/cosmos-rules.yaml | 23 ++++++----
 .../puppet/modules/soc/files/sso/frontend.xml | 1 +
 .../etc/puppet/modules/soc/manifests/sso.pp | 45 ++++++++++++++++---
 .../soc/templates/sso/apache-site.conf.erb | 2 +-
 .../soc/templates/sso/docker-compose.yml.erb | 5 +++
 .../soc/templates/sso/shibboleth2.xml.erb | 7 +++
 6 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 01f05e4..af3312e 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -6,11 +6,18 @@ ssh_allow_from_anywhere: false
 '^internal-sto1-dev-vulndash-1.cert.sunet.se$':
- soc::sso:
- hostname: 'vd-dev.cert.sunet.se'
- email: 'cert@cert.sunet.se'
- service_endpoint: 'http://nginx:80'
- x_remote_user: true
- groups:
- - 'sunet-cert'
- certbot: false
+# soc::sso:
+# hostname: 'vd-dev.cert.sunet.se'
+# email: 'cert@cert.sunet.se'
+# service_endpoint: 'http://nginx:80'
+# x_remote_user: true
+# groups:
+# - 'sunet-cert'
+# certbot: false
+
+test-sso-proxy1.cert.sunet.se:
+ sunet::starship:
+ sunet::dockerhost2:
+ sunet::satosa:
+ satosa_tag: 8.4.0
+# dehydrated_name: 'test-sso-proxy1.cert.sunet.se'
diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml
@@ -0,0 +1 @@
+
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index 30eaf63..7ae51a6 100644
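Review bot: The new host key `test-sso-proxy1.cert.sunet.se:` is a bare, unanchored string while the existing entry right above it is written as an anchored regex (`'^internal-sto1-dev-vulndash-1.cert.sunet.se$':`), which suggests these keys are regex-matched against hostnames; for consistency, and so the pattern cannot match a longer or differently suffixed name, write it as `'^test-sso-proxy1\.cert\.sunet\.se$':`. The vulndash `soc::sso` block is commented out rather than deleted and still carries `certbot: false`, a parameter this same commit renames to `satosa_certbot` in sso.pp, so re-enabling it by uncommenting will not do what it says; either delete the block (git keeps the history) or update the key now. `dehydrated_name` for the proxy host is also left commented out, so it is not visible here how `test-sso-proxy1` obtains its TLS certificate — a short comment such as `# no dehydrated cert yet: test host only` would make the intent clear.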
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -1,4 +1,3 @@
-## Copy from CNAAS, modifications for Sunet CERT
 #
 # General SSO documentation: https://wiki.sunet.se/x/sZGLBg
 #
@@ -22,7 +21,7 @@
 # cases where the service we reverse proxy for can't create new accounts automatically.
 # We use this only for Graylog at the time of writing.
 #
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+/ @param swamid_testing Set this to true if your SP is registered in swamid-testing.
 #
 # @param front_clients
 # Hiera field, defined at common.yaml, with the the frontend IP prefixes that require access
@@ -38,8 +37,11 @@ class soc::sso(
 $swamid_testing = false,
 $single_user = false,
 $front_clients = '',
+ $satosa = true,
+ $satosa_certbot = true,
 $translog = 'INFO',
- $certbot = true,
+ $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+ $norpan = false,
 ) {
 file { '/opt/sso':
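Review bot: The `@param swamid_testing` documentation line is changed from `# @param ...` to `/ @param ...`, which turns a comment into a stray `/` at file top level; Puppet will most likely try to lex it as the start of a regex literal and fail to parse the whole manifest, and even if it did parse, the parameter would lose its documentation. Nothing else in the hunk changes, so this looks like an accidental keystroke; restore `# @param swamid_testing Set this to true if your SP is registered in swamid-testing.`.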
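Review bot: The four new class parameters `$satosa`, `$satosa_certbot`, `$proxy` and `$norpan` have no `@param` entries in the header comment (which sits above this hunk), although every existing parameter is documented there; in particular `$proxy` needs a line stating what the URL is (the entityID or endpoint of the SATOSA proxy, presumably) and that its default points at the shared proxy `shared-sso-proxy1.cert.sunet.se`, so test SPs must override it. Renaming `$certbot` to `$satosa_certbot` is an interface break: any Hiera or cosmos-rules data still setting `certbot:` will either be rejected as an unknown parameter or silently ignored, in which case certbot runs with the new default of `true`. If the old name has to go, document the replacement with `# @param satosa_certbot Replaces the former certbot parameter; run certbot for the SP's TLS certificate.` so the rename is discoverable. The parameter list and class body continue outside the hunk.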
@@ -98,15 +100,46 @@ class soc::sso(
 ensure => file,
 content => file('soc/sso/md-signer2.crt'),
 }
- sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
- hiera_key => 'sso_sp_key'
+ if $satosa {
+ if $norpan {
+ file { '/opt/sso/shibboleth/frontend.xml':
+ ensure => file,
+ content => file('soc/sso/frontend_norpan.xml'),
+ }
+ } else {
+ file { '/opt/sso/shibboleth/frontend.xml':
+ ensure => file,
+ content => file('soc/sso/frontend.xml'),
+ }
+ }
+
+ file { '/opt/sso/shibboleth/attribute-policy.xml':
+ ensure => file,
+ content => file('soc/sso/attribute-policy.xml'),
+ }
+
+ if lookup('sso_sp_key', undef, undef, undef) != undef {
+ sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+ hiera_key => 'sso_sp_key'
+ }
+ } else {
+ sunet::snippets::keygen {'shib_cert':
+ key_file => '/opt/sso/shibboleth/sp-key.pem',
+ cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+ }
+ }
+
+ } else {
+ sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+ hiera_key => 'sso_sp_key'
+ }
 }
 #
 # Certbot
 #
- if $certbot {
+ if $satosa_certbot {
 package { ['certbot', 'python3-requests']:
 ensure => 'latest',
 }
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
index 5dfd133..538db71 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/apache-site.conf.erb
@@ -34,7 +34,7 @@
 <%- if @x_remote_user -%>
 RequestHeader set X-Remote-User %{REMOTE_USER}s
 <%- elsif @single_user -%>
- RequestHeader set X-Remote-User soc-user
+ RequestHeader set X-Remote-User cnaas-user
 <%- else -%>
 ShibUseHeaders On
 <%- end -%>
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
index e1813f8..ecc0b79 100644
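Review bot: The new `if lookup('sso_sp_key', undef, undef, undef) != undef` branch silently falls back to generating a fresh SP keypair with `sunet::snippets::keygen` whenever the Hiera key is absent, so a host that was meant to use its provisioned key but has a missing or misspelled `sso_sp_key` no longer surfaces the problem — it simply starts presenting a certificate the proxy and federation metadata have never seen, where the previous unconditional `secret_file` would presumably have failed the run. Make the fallback opt-in (e.g. a `$generate_sp_key = false` parameter) or at least add `notify { 'soc::sso: sso_sp_key not found in hiera, generating a local SP key': }` in the else branch so the condition is visible in the agent log. The `$norpan` branch reads `file('soc/sso/frontend_norpan.xml')` and the satosa branch `file('soc/sso/attribute-policy.xml')`, but the diffstat only creates `frontend.xml` (as an empty one-line file); unless those two files already exist in the module, `file()` fails at catalog compile time. The outer `else` repeats the pre-existing `secret_file` resource verbatim, so the satosa-only resources could be guarded on their own and the key handling kept in a single place. The class body continues outside the hunk.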
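Review bot: The fixed identity sent as `X-Remote-User` in `single_user` mode changes from `soc-user` to `cnaas-user`, which is a behavioural change for the backend that trusts this header (the sso.pp parameter docs mention Graylog for this case): an existing `soc-user` account stops matching and a new `cnaas-user` account may get created on first login. Since the same commit drops the "Copy from CNAAS" note in sso.pp, this reads like an accidental revert to the CNAAS original rather than a deliberate rename; if it is deliberate, the commit message should say so and the backend account be renamed in step. Either way a comment on the line would prevent the next flip-flop, e.g. `# Fixed identity for single-user deployments; must match the account configured in the backend.` on the line above the `RequestHeader` in the elsif branch.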
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
@@ -15,7 +15,12 @@ services:
 - ./shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
 - ./shibboleth/shibd.logger:/etc/shibboleth/shibd.logger
 - ./shibboleth/attribute-map.xml:/etc/shibboleth/attribute-map.xml
+<% if @satosa -%>
+ - ./shibboleth/frontend.xml:/etc/shibboleth/frontend.xml
+ - ./shibboleth/attribute-policy.xml:/etc/shibboleth/attribute-policy.xml
+<% else -%>
 - ./shibboleth/md-signer2.crt:/etc/shibboleth/md-signer2.crt
+<% end -%>
 - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
 - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
 networks:
diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
index cae74ac..0bd3413 100644
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/shibboleth2.xml.erb
@@ -40,6 +40,12 @@ SAML2 Local +<% if @satosa -%> + + + +<% else -%>
@@ -49,6 +55,7 @@ <%- end -%> +<% end -%>
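Review bot: In `@satosa` mode the `md-signer2.crt` mount is removed, so the container no longer has the federation metadata-signing certificate, and trust in the proxy then rests on whatever `frontend.xml` contains — which in this commit is an empty one-line stub (`frontend.xml | 1 +` in the diffstat), so shibd will presumably reject or ignore that metadata until a real document lands. sso.pp still writes `/opt/sso/shibboleth/md-signer2.crt` unconditionally (its `file` resource is context in the sso.pp hunk), so the file is managed but never used in satosa mode; either mount it in both branches or make that resource conditional too. The new mounts are configuration and should be read-only, e.g. `- ./shibboleth/frontend.xml:/etc/shibboleth/frontend.xml:ro`; the existing mounts, `sp-key.pem` included, are also read-write and would benefit from the same treatment.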
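Review bot: The XML element lines of this hunk did not survive extraction (only the ERB tags and the `SAML2 Local` text are left), so the actual `@satosa` SSO/MetadataProvider configuration cannot be reviewed from this page; whoever applies the patch should confirm that the metadata loaded from `frontend.xml` in that branch is still signature-verified or otherwise pinned, because the docker-compose change drops `md-signer2.crt` from the container in satosa mode. As a point of style, the new tags are written `<% if @satosa -%>` / `<% else -%>` / `<% end -%>` while the surrounding template uses the `<%- ... -%>` form (see the `<%- end -%>` context line); use `<%- if @satosa -%>` and friends so the template stays consistent. The surrounding XML element is not visible in the hunk.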