Trying to get SSO class work with both docker and apache2

This commit is contained in:
Johan Björklund 2024-11-20 12:40:41 +01:00
parent fd1e6820c5
commit 8ed157c256
Signed by: bjorklund
GPG key ID: 5E8401339C7F5037


@ -1,5 +1,4 @@
# # General SSO class for SOC. Based on cnaas::sso
# General SSO documentation: https://wiki.sunet.se/x/sZGLBg
# #
# @param hostname FQDN of the host this is running on. # @param hostname FQDN of the host this is running on.
# #
@ -21,50 +20,67 @@
# cases where the service we reverse proxy for can't create new accounts automatically. # cases where the service we reverse proxy for can't create new accounts automatically.
# We use this only for Graylog at the time of writing. # We use this only for Graylog at the time of writing.
# #
# @param swamid_testing Set this to true if your SP is registered in swamid-testing. # @param satos
# If we have a satosa proxy or not, default true.
#
# @param proxy
# Hostname of the satosa proxy.
#
# @param entityID
# EntityID of the satosa proxy, must not be the same as the proxy hostname.
# Default set to value of proxy.
class soc::sso( class soc::sso(
$hostname, String $ssotype = "docker",
$email, String $hostname = undef,
$service_endpoint, String $email = "cert@cert.sunet.se",
$groups = ['PLACEHOLDER'], String $service_endpoint = undef,
$passthrough = [], Array $groups = ['PLACEHOLDER'],
$x_remote_user = false, Array $passthrough = [],
$swamid_testing = false, Boolean $x_remote_user = false,
$single_user = false, Boolean $single_user = false,
$satosa = true, Boolean $satosa = true,
$satosa_certbot = false, Boolean $satosa_certbot = false,
$translog = 'INFO', String $translog = 'INFO',
$proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp', String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
$entityID = $proxy, Strnng $entityID = $proxy,
$norpan = false,
) { ) {
file { '/opt/sso': if $ssotype == "docker" {
ensure => directory, file { '/opt/sso':
ensure => directory,
}
#
# Apache files
#
file { '/opt/sso/apache':
ensure => directory,
}
file { '/opt/sso/apache/site.conf':
ensure => file,
content => template('soc/sso/apache-site.conf.erb'),
}
# SSL defaults copied from certbot:
# https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
file { '/opt/sso/apache/ssl.conf':
ensure => file,
content => file('soc/sso/apache-ssl.conf'),
}
} }
# if $ssotype == 'docker' {
# Apache files $apache_groups = '/opt/sso/apache/groups.txt'
# } elsif $ssotype == 'apache' {
$apache_groups = '/etc/apache2/groups.txt'
file { '/opt/sso/apache': } else {
ensure => directory, $apache_groups = '/tmp/groups.txt'
} }
file { '/opt/sso/apache/site.conf': file { $apache_groups:
ensure => file,
content => template('soc/sso/apache-site.conf.erb'),
}
# SSL defaults copied from certbot:
# https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
file { '/opt/sso/apache/ssl.conf':
ensure => file,
content => file('soc/sso/apache-ssl.conf'),
}
file { '/opt/sso/apache/groups.txt':
ensure => file, ensure => file,
content => template('soc/sso/apache-groups.txt.erb') content => template('soc/sso/apache-groups.txt.erb')
} }
@ -73,60 +89,63 @@ class soc::sso(
# Shibboleth files # Shibboleth files
# #
file { '/opt/sso/shibboleth': if $ssotype == 'apache' {
ensure => directory, pakage { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:
ensure => present
}
$shibbase = '/etc/shibboleth'
} elsif $ssotype == 'docker' {
$shibbase = '/opt/sso/shibboleth'
file { $shibbase:
ensure => directory,
}
} }
file { '/opt/sso/shibboleth/shibboleth2.xml': file { "${shibbase}/shibboleth2.xml":
ensure => file, ensure => file,
content => template('soc/sso/shibboleth2.xml.erb'), content => template('soc/sso/shibboleth2.xml.erb'),
} }
file { '/opt/sso/shibboleth/shibd.logger': file { "${shibbase}/shibd.logger":
ensure => file, ensure => file,
content => template('soc/sso/shibd.logger.erb'), content => template('soc/sso/shibd.logger.erb'),
} }
file { '/opt/sso/shibboleth/attribute-map.xml': file { "${shibbase}/attribute-map.xml":
ensure => file, ensure => file,
content => file('soc/sso/attribute-map.xml'), content => file('soc/sso/attribute-map.xml'),
} }
file { '/opt/sso/shibboleth/md-signer2.crt': file { "${shibbase}/md-signer2.crt":
ensure => file, ensure => file,
content => file('soc/sso/md-signer2.crt'), content => file('soc/sso/md-signer2.crt'),
} }
if $satosa { if $satosa {
if $norpan { file { "${shibbase}/frontend.xml":
file { '/opt/sso/shibboleth/frontend.xml': ensure => file,
ensure => file, content => file('soc/sso/frontend.xml'),
content => file('soc/sso/frontend_norpan.xml'),
}
} else {
file { '/opt/sso/shibboleth/frontend.xml':
ensure => file,
content => file('soc/sso/frontend.xml'),
}
} }
file { '/opt/sso/shibboleth/attribute-policy.xml': file { "${shibbase}/attribute-policy.xml":
ensure => file, ensure => file,
content => file('soc/sso/attribute-policy.xml'), content => file('soc/sso/attribute-policy.xml'),
} }
if lookup('sso_sp_key', undef, undef, undef) != undef { if lookup('sso_sp_key', undef, undef, undef) != undef {
sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem': sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
hiera_key => 'sso_sp_key' hiera_key => 'sso_sp_key'
} }
} else { } else {
sunet::snippets::keygen {'shib_cert': sunet::snippets::keygen {'shib_cert':
key_file => '/opt/sso/shibboleth/sp-key.pem', key_file => "${shibbase}/sp-key.pem",
cert_file => '/opt/sso/shibboleth/sp-cert.pem' cert_file => "${shibbase}/sp-cert.pem"
} }
} }
} else { } else {
sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem': sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
hiera_key => 'sso_sp_key' hiera_key => 'sso_sp_key'
} }
} }
@ -162,33 +181,36 @@ class soc::sso(
# Docker # Docker
# #
exec {"Create Docker network \"sso\" to talk to service": if $ssotype == 'docker' {
# We OR with true to ignore errors, since the network often already exists.
# We specify a subnet so that services which have the option/requirement can
# specify this subnet as source of trusted proxies. This is used in Graylog,
# for example; see setting "trusted_proxies".
command => 'docker network create sso --subnet 172.29.0.0/24 || true'
}
file { '/opt/sso/docker-compose.yml': exec {"Create Docker network \"sso\" to talk to service":
ensure => file, # We OR with true to ignore errors, since the network often already exists.
mode => '0600', # We specify a subnet so that services which have the option/requirement can
content => template('soc/sso/docker-compose.yml.erb'), # specify this subnet as source of trusted proxies. This is used in Graylog,
} # for example; see setting "trusted_proxies".
command => 'docker network create sso --subnet 172.29.0.0/24 || true'
}
sunet::docker_compose_service { 'sso': file { '/opt/sso/docker-compose.yml':
description => '', ensure => file,
compose_file => '/opt/sso/docker-compose.yml', mode => '0600',
} content => template('soc/sso/docker-compose.yml.erb'),
}
# sunet::docker_compose_service { 'sso':
# NFT Rules description => '',
# compose_file => '/opt/sso/docker-compose.yml',
}
sunet::nftables::docker_expose { 'apache_sso_https' : #
allow_clients => ['0.0.0.0/0'], # NFT Rules
port => 443, #
iif => 'ens3',
sunet::nftables::docker_expose { 'apache_sso_https' :
allow_clients => ['0.0.0.0/0'],
port => 443,
iif => 'ens3',
}
} }
} }
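Review bot: `pakage { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:` at the top of the new apache branch in the third hunk is not a Puppet resource type, and `Strnng $entityID = $proxy,` in the parameter list is not a data type, so the catalog will fail to compile in both modes; the fixes are `package { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:` and `String $entityID = $proxy,`. `String $hostname = undef` and `String $service_endpoint = undef` conflict with their declared type, since a `String` parameter does not accept `undef`; as both were required before, keeping them required (`String $hostname,`) seems closer to the intent than `Optional[String]`. The `else` fallback in the second hunk that writes the authorization group list to `/tmp/groups.txt`, and which leaves `$shibbase` unassigned in the third hunk, would be better replaced by typing the selector as `Enum['docker', 'apache'] $ssotype = 'docker'`, so an unexpected value is rejected at compile time instead of placing an access-control file in a world-writable directory. In the header comment `@param satos` should read `@param satosa`, and the new `ssotype` parameter has no `@param` entry.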