Trying to get SSO class to work with both docker and apache2

This commit is contained in:
Johan Björklund 2024-11-20 12:40:41 +01:00
parent fd1e6820c5
commit 8ed157c256
Signed by: bjorklund
GPG key ID: 5E8401339C7F5037


@ -1,5 +1,4 @@
# # General SSO class for SOC. Based on cnaas::sso
# General SSO documentation: https://wiki.sunet.se/x/sZGLBg
# #
# @param hostname FQDN of the host this is running on. # @param hostname FQDN of the host this is running on.
# #
@ -21,25 +20,33 @@
# cases where the service we reverse proxy for can't create new accounts automatically. # cases where the service we reverse proxy for can't create new accounts automatically.
# We use this only for Graylog at the time of writing. # We use this only for Graylog at the time of writing.
# #
# @param swamid_testing Set this to true if your SP is registered in swamid-testing. # @param satos
# If we have a satosa proxy or not, default true.
#
# @param proxy
# Hostname of the satosa proxy.
#
# @param entityID
# EntityID of the satosa proxy, must not be the same as the proxy hostname.
# Default set to value of proxy.
class soc::sso( class soc::sso(
$hostname, String $ssotype = "docker",
$email, String $hostname = undef,
$service_endpoint, String $email = "cert@cert.sunet.se",
$groups = ['PLACEHOLDER'], String $service_endpoint = undef,
$passthrough = [], Array $groups = ['PLACEHOLDER'],
$x_remote_user = false, Array $passthrough = [],
$swamid_testing = false, Boolean $x_remote_user = false,
$single_user = false, Boolean $single_user = false,
$satosa = true, Boolean $satosa = true,
$satosa_certbot = false, Boolean $satosa_certbot = false,
$translog = 'INFO', String $translog = 'INFO',
$proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp', String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
$entityID = $proxy, Strnng $entityID = $proxy,
$norpan = false,
) { ) {
if $ssotype == "docker" {
file { '/opt/sso': file { '/opt/sso':
ensure => directory, ensure => directory,
} }
@ -63,8 +70,17 @@ class soc::sso(
ensure => file, ensure => file,
content => file('soc/sso/apache-ssl.conf'), content => file('soc/sso/apache-ssl.conf'),
} }
}
file { '/opt/sso/apache/groups.txt': if $ssotype == 'docker' {
$apache_groups = '/opt/sso/apache/groups.txt'
} elsif $ssotype == 'apache' {
$apache_groups = '/etc/apache2/groups.txt'
} else {
$apache_groups = '/tmp/groups.txt'
}
file { $apache_groups:
ensure => file, ensure => file,
content => template('soc/sso/apache-groups.txt.erb') content => template('soc/sso/apache-groups.txt.erb')
} }
@ -73,60 +89,63 @@ class soc::sso(
# Shibboleth files # Shibboleth files
# #
file { '/opt/sso/shibboleth': if $ssotype == 'apache' {
ensure => directory, pakage { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:
ensure => present
} }
file { '/opt/sso/shibboleth/shibboleth2.xml': $shibbase = '/etc/shibboleth'
} elsif $ssotype == 'docker' {
$shibbase = '/opt/sso/shibboleth'
file { $shibbase:
ensure => directory,
}
}
file { "${shibbase}/shibboleth2.xml":
ensure => file, ensure => file,
content => template('soc/sso/shibboleth2.xml.erb'), content => template('soc/sso/shibboleth2.xml.erb'),
} }
file { '/opt/sso/shibboleth/shibd.logger': file { "${shibbase}/shibd.logger":
ensure => file, ensure => file,
content => template('soc/sso/shibd.logger.erb'), content => template('soc/sso/shibd.logger.erb'),
} }
file { '/opt/sso/shibboleth/attribute-map.xml': file { "${shibbase}/attribute-map.xml":
ensure => file, ensure => file,
content => file('soc/sso/attribute-map.xml'), content => file('soc/sso/attribute-map.xml'),
} }
file { '/opt/sso/shibboleth/md-signer2.crt': file { "${shibbase}/md-signer2.crt":
ensure => file, ensure => file,
content => file('soc/sso/md-signer2.crt'), content => file('soc/sso/md-signer2.crt'),
} }
if $satosa { if $satosa {
if $norpan { file { "${shibbase}/frontend.xml":
file { '/opt/sso/shibboleth/frontend.xml':
ensure => file,
content => file('soc/sso/frontend_norpan.xml'),
}
} else {
file { '/opt/sso/shibboleth/frontend.xml':
ensure => file, ensure => file,
content => file('soc/sso/frontend.xml'), content => file('soc/sso/frontend.xml'),
} }
}
file { '/opt/sso/shibboleth/attribute-policy.xml': file { "${shibbase}/attribute-policy.xml":
ensure => file, ensure => file,
content => file('soc/sso/attribute-policy.xml'), content => file('soc/sso/attribute-policy.xml'),
} }
if lookup('sso_sp_key', undef, undef, undef) != undef { if lookup('sso_sp_key', undef, undef, undef) != undef {
sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem': sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
hiera_key => 'sso_sp_key' hiera_key => 'sso_sp_key'
} }
} else { } else {
sunet::snippets::keygen {'shib_cert': sunet::snippets::keygen {'shib_cert':
key_file => '/opt/sso/shibboleth/sp-key.pem', key_file => "${shibbase}/sp-key.pem",
cert_file => '/opt/sso/shibboleth/sp-cert.pem' cert_file => "${shibbase}/sp-cert.pem"
} }
} }
} else { } else {
sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem': sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
hiera_key => 'sso_sp_key' hiera_key => 'sso_sp_key'
} }
} }
@ -162,6 +181,8 @@ class soc::sso(
# Docker # Docker
# #
if $ssotype == 'docker' {
exec {"Create Docker network \"sso\" to talk to service": exec {"Create Docker network \"sso\" to talk to service":
# We OR with true to ignore errors, since the network often already exists. # We OR with true to ignore errors, since the network often already exists.
# We specify a subnet so that services which have the option/requirement can # We specify a subnet so that services which have the option/requirement can
@ -190,5 +211,6 @@ class soc::sso(
port => 443, port => 443,
iif => 'ens3', iif => 'ens3',
} }
}
} }
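Review bot: An unrecognised `$ssotype` is never rejected: the `else` branch in the groups.txt hunk falls back to writing `/tmp/groups.txt`, and in the Shibboleth hunk `$shibbase` is only assigned in the `apache` and `docker` branches, so for any other value `"${shibbase}/shibboleth2.xml"`, `"${shibbase}/sp-key.pem"` and the other paths resolve to the filesystem root (or fail on an undefined variable, depending on strict_variables). Constraining the parameter with `Enum['docker', 'apache'] $ssotype = 'docker',` makes the catalog fail early instead of placing configuration and key material under `/tmp` or `/`, and the `/tmp` fallback can then be removed. Separately, two typos will stop the catalog from compiling: `Strnng $entityID = $proxy,` should be `String $entityID = $proxy,` and `pakage { ['apache2', ...]` should be `package { ['apache2', ...]`. `String $hostname = undef` and `String $service_endpoint = undef` read as optional but will be rejected by the `String` type check whenever the default is used; declaring them without a default (`String $hostname,`) states the requirement plainly and yields a clearer error.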