Trying to get SSO class work with both docker and apache2

2024-11-20 12:40:41 +01:00 · 2024-11-20 12:40:41 +01:00 · 8ed157c256
commit 8ed157c256
parent fd1e6820c5
1 changed files with 105 additions and 83 deletions
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -1,5 +1,4 @@
-#
-# General SSO documentation: https://wiki.sunet.se/x/sZGLBg
+# General SSO class for SOC. Based on cnaas::sso
 #
 # @param hostname FQDN of the host this is running on.
 #
@ -21,50 +20,67 @@
 #   cases where the service we reverse proxy for can't create new accounts automatically.
 #   We use this only for Graylog at the time of writing.
 #
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+# @param satos
+#   If we have a satosa proxy or not, default true.
+#
+# @param proxy
+#   Hostname of the satosa proxy.
+#
+# @param entityID
+#   EntityID of the satosa proxy, must not be the same as the proxy hostname.
+#   Default set to value of proxy.

 class soc::sso(
-  $hostname,
-  $email,
-  $service_endpoint,
-  $groups = ['PLACEHOLDER'],
-  $passthrough = [],
-  $x_remote_user = false,
-  $swamid_testing = false,
-  $single_user = false,
-  $satosa = true,
-  $satosa_certbot = false,
-  $translog = 'INFO',
-  $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
-  $entityID = $proxy,
-  $norpan = false,
+  String  $ssotype          = "docker",
+  String  $hostname         = undef,
+  String  $email            = "cert@cert.sunet.se",
+  String  $service_endpoint = undef,
+  Array   $groups           = ['PLACEHOLDER'],
+  Array   $passthrough      = [],
+  Boolean $x_remote_user    = false,
+  Boolean $single_user      = false,
+  Boolean $satosa           = true,
+  Boolean $satosa_certbot   = false,
+  String  $translog         = 'INFO',
+  String  $proxy            = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+  Strnng  $entityID         = $proxy,
 ) {

-  file { '/opt/sso':
-    ensure => directory,
+  if $ssotype == "docker" { 
+    file { '/opt/sso':
+      ensure => directory,
+    }
+
+    #
+    # Apache files
+    #
+
+    file { '/opt/sso/apache':
+      ensure => directory,
+    }
+
+    file { '/opt/sso/apache/site.conf':
+      ensure  => file,
+      content => template('soc/sso/apache-site.conf.erb'),
+    }
+
+    # SSL defaults copied from certbot:
+    # https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+    file { '/opt/sso/apache/ssl.conf':
+      ensure  => file,
+      content => file('soc/sso/apache-ssl.conf'),
+    }
  }

-  #
-  # Apache files
-  #
-
-  file { '/opt/sso/apache':
-    ensure => directory,
+  if $ssotype == 'docker' {
+    $apache_groups = '/opt/sso/apache/groups.txt'
+  } elsif $ssotype == 'apache' {
+    $apache_groups = '/etc/apache2/groups.txt'
+  } else {
+    $apache_groups = '/tmp/groups.txt'
  }

-  file { '/opt/sso/apache/site.conf':
-    ensure  => file,
-    content => template('soc/sso/apache-site.conf.erb'),
-  }
-
-  # SSL defaults copied from certbot:
-  # https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
-  file { '/opt/sso/apache/ssl.conf':
-    ensure  => file,
-    content => file('soc/sso/apache-ssl.conf'),
-  }
-
-  file { '/opt/sso/apache/groups.txt':
+  file { $apache_groups:
    ensure  => file,
    content => template('soc/sso/apache-groups.txt.erb')
  }
@ -73,60 +89,63 @@ class soc::sso(
  # Shibboleth files
  #

-  file { '/opt/sso/shibboleth':
-    ensure => directory,
+  if $ssotype == 'apache' {
+    pakage { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:
+      ensure => present
+    }
+
+    $shibbase = '/etc/shibboleth'
+  } elsif $ssotype == 'docker' {
+    $shibbase = '/opt/sso/shibboleth'
+
+    file { $shibbase:
+      ensure => directory,
+    }
  }

-  file { '/opt/sso/shibboleth/shibboleth2.xml':
+  file { "${shibbase}/shibboleth2.xml":
    ensure  => file,
    content => template('soc/sso/shibboleth2.xml.erb'),
  }

-  file { '/opt/sso/shibboleth/shibd.logger':
+  file { "${shibbase}/shibd.logger":
    ensure  => file,
    content => template('soc/sso/shibd.logger.erb'),
  }

-  file { '/opt/sso/shibboleth/attribute-map.xml':
+  file { "${shibbase}/attribute-map.xml":
    ensure  => file,
    content => file('soc/sso/attribute-map.xml'),
  }

-  file { '/opt/sso/shibboleth/md-signer2.crt':
+  file { "${shibbase}/md-signer2.crt":
    ensure  => file,
    content => file('soc/sso/md-signer2.crt'),
  }
+
  if $satosa {
-    if $norpan {
-        file { '/opt/sso/shibboleth/frontend.xml':
-          ensure  => file,
-          content => file('soc/sso/frontend_norpan.xml'),
-        }
-    } else {
-        file { '/opt/sso/shibboleth/frontend.xml':
-          ensure  => file,
-          content => file('soc/sso/frontend.xml'),
-        }
+    file { "${shibbase}/frontend.xml":
+      ensure  => file,
+      content => file('soc/sso/frontend.xml'),
    }

-    file { '/opt/sso/shibboleth/attribute-policy.xml':
+    file { "${shibbase}/attribute-policy.xml":
      ensure  => file,
      content => file('soc/sso/attribute-policy.xml'),
    }

    if lookup('sso_sp_key', undef, undef, undef) != undef {
-      sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+      sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
        hiera_key => 'sso_sp_key'
      }
    } else {
      sunet::snippets::keygen {'shib_cert':
-        key_file  => '/opt/sso/shibboleth/sp-key.pem',
-        cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+        key_file  => "${shibbase}/sp-key.pem",
+        cert_file => "${shibbase}/sp-cert.pem"
      }
    }
-
  } else {
-    sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+    sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
      hiera_key => 'sso_sp_key'
    }
  }
@ -162,33 +181,36 @@ class soc::sso(
  # Docker
  #

-  exec {"Create Docker network \"sso\" to talk to service":
-    # We OR with true to ignore errors, since the network often already exists.
-    # We specify a subnet so that services which have the option/requirement can
-    # specify this subnet as source of trusted proxies. This is used in Graylog,
-    # for example; see setting "trusted_proxies".
-    command => 'docker network create sso --subnet 172.29.0.0/24 || true'
-  }
+  if $ssotype == 'docker' {

-  file { '/opt/sso/docker-compose.yml':
-    ensure  => file,
-    mode    => '0600',
-    content => template('soc/sso/docker-compose.yml.erb'),
-  }
+    exec {"Create Docker network \"sso\" to talk to service":
+      # We OR with true to ignore errors, since the network often already exists.
+      # We specify a subnet so that services which have the option/requirement can
+      # specify this subnet as source of trusted proxies. This is used in Graylog,
+      # for example; see setting "trusted_proxies".
+      command => 'docker network create sso --subnet 172.29.0.0/24 || true'
+    }

-  sunet::docker_compose_service { 'sso':
-    description  =>  '',
-    compose_file => '/opt/sso/docker-compose.yml',
-  }
+    file { '/opt/sso/docker-compose.yml':
+      ensure  => file,
+      mode    => '0600',
+      content => template('soc/sso/docker-compose.yml.erb'),
+    }

-  #
-  # NFT Rules
-  #
+    sunet::docker_compose_service { 'sso':
+      description  =>  '',
+      compose_file => '/opt/sso/docker-compose.yml',
+    }

-  sunet::nftables::docker_expose { 'apache_sso_https' :
-    allow_clients => ['0.0.0.0/0'],
-    port          => 443,
-    iif           => 'ens3',
+    #
+    # NFT Rules
+    #
+
+    sunet::nftables::docker_expose { 'apache_sso_https' :
+      allow_clients => ['0.0.0.0/0'],
+      port          => 443,
+      iif           => 'ens3',
+    }
  }

 }