Trying to get SSO class work with both docker and apache2

2024-11-20 12:40:41 +01:00 · 2024-11-20 12:40:41 +01:00 · 8ed157c256
commit 8ed157c256
parent fd1e6820c5
1 changed files with 105 additions and 83 deletions
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -1,5 +1,4 @@
-#
-# General SSO documentation: https://wiki.sunet.se/x/sZGLBg
+# General SSO class for SOC. Based on cnaas::sso
 #
 # @param hostname FQDN of the host this is running on.
 #
@ -21,25 +20,33 @@
 #   cases where the service we reverse proxy for can't create new accounts automatically.
 #   We use this only for Graylog at the time of writing.
 #
-# @param swamid_testing Set this to true if your SP is registered in swamid-testing.
+# @param satos
+#   If we have a satosa proxy or not, default true.
+#
+# @param proxy
+#   Hostname of the satosa proxy.
+#
+# @param entityID
+#   EntityID of the satosa proxy, must not be the same as the proxy hostname.
+#   Default set to value of proxy.

 class soc::sso(
-  $hostname,
-  $email,
-  $service_endpoint,
-  $groups = ['PLACEHOLDER'],
-  $passthrough = [],
-  $x_remote_user = false,
-  $swamid_testing = false,
-  $single_user = false,
-  $satosa = true,
-  $satosa_certbot = false,
-  $translog = 'INFO',
-  $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
-  $entityID = $proxy,
-  $norpan = false,
+  String  $ssotype          = "docker",
+  String  $hostname         = undef,
+  String  $email            = "cert@cert.sunet.se",
+  String  $service_endpoint = undef,
+  Array   $groups           = ['PLACEHOLDER'],
+  Array   $passthrough      = [],
+  Boolean $x_remote_user    = false,
+  Boolean $single_user      = false,
+  Boolean $satosa           = true,
+  Boolean $satosa_certbot   = false,
+  String  $translog         = 'INFO',
+  String  $proxy            = 'https://shared-sso-proxy1.cert.sunet.se/idp',
+  Strnng  $entityID         = $proxy,
 ) {

+  if $ssotype == "docker" { 
    file { '/opt/sso':
      ensure => directory,
    }
@ -63,8 +70,17 @@ class soc::sso(
      ensure  => file,
      content => file('soc/sso/apache-ssl.conf'),
    }
+  }

-  file { '/opt/sso/apache/groups.txt':
+  if $ssotype == 'docker' {
+    $apache_groups = '/opt/sso/apache/groups.txt'
+  } elsif $ssotype == 'apache' {
+    $apache_groups = '/etc/apache2/groups.txt'
+  } else {
+    $apache_groups = '/tmp/groups.txt'
+  }
+
+  file { $apache_groups:
    ensure  => file,
    content => template('soc/sso/apache-groups.txt.erb')
  }
@ -73,60 +89,63 @@ class soc::sso(
  # Shibboleth files
  #

-  file { '/opt/sso/shibboleth':
-    ensure => directory,
+  if $ssotype == 'apache' {
+    pakage { ['apache2', 'libapache2-mod-shib', 'shibboleth-sp-utils']:
+      ensure => present
    }

-  file { '/opt/sso/shibboleth/shibboleth2.xml':
+    $shibbase = '/etc/shibboleth'
+  } elsif $ssotype == 'docker' {
+    $shibbase = '/opt/sso/shibboleth'
+
+    file { $shibbase:
+      ensure => directory,
+    }
+  }
+
+  file { "${shibbase}/shibboleth2.xml":
    ensure  => file,
    content => template('soc/sso/shibboleth2.xml.erb'),
  }

-  file { '/opt/sso/shibboleth/shibd.logger':
+  file { "${shibbase}/shibd.logger":
    ensure  => file,
    content => template('soc/sso/shibd.logger.erb'),
  }

-  file { '/opt/sso/shibboleth/attribute-map.xml':
+  file { "${shibbase}/attribute-map.xml":
    ensure  => file,
    content => file('soc/sso/attribute-map.xml'),
  }

-  file { '/opt/sso/shibboleth/md-signer2.crt':
+  file { "${shibbase}/md-signer2.crt":
    ensure  => file,
    content => file('soc/sso/md-signer2.crt'),
  }
+
  if $satosa {
-    if $norpan {
-        file { '/opt/sso/shibboleth/frontend.xml':
-          ensure  => file,
-          content => file('soc/sso/frontend_norpan.xml'),
-        }
-    } else {
-        file { '/opt/sso/shibboleth/frontend.xml':
+    file { "${shibbase}/frontend.xml":
      ensure  => file,
      content => file('soc/sso/frontend.xml'),
    }
-    }

-    file { '/opt/sso/shibboleth/attribute-policy.xml':
+    file { "${shibbase}/attribute-policy.xml":
      ensure  => file,
      content => file('soc/sso/attribute-policy.xml'),
    }

    if lookup('sso_sp_key', undef, undef, undef) != undef {
-      sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+      sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
        hiera_key => 'sso_sp_key'
      }
    } else {
      sunet::snippets::keygen {'shib_cert':
-        key_file  => '/opt/sso/shibboleth/sp-key.pem',
-        cert_file => '/opt/sso/shibboleth/sp-cert.pem'
+        key_file  => "${shibbase}/sp-key.pem",
+        cert_file => "${shibbase}/sp-cert.pem"
      }
    }
-
  } else {
-    sunet::snippets::secret_file { '/opt/sso/shibboleth/sp-key.pem':
+    sunet::snippets::secret_file { "${shibbase}/sp-key.pem":
      hiera_key => 'sso_sp_key'
    }
  }
@ -162,6 +181,8 @@ class soc::sso(
  # Docker
  #

+  if $ssotype == 'docker' {
+
    exec {"Create Docker network \"sso\" to talk to service":
      # We OR with true to ignore errors, since the network often already exists.
      # We specify a subnet so that services which have the option/requirement can
@ -190,5 +211,6 @@ class soc::sso(
      port          => 443,
      iif           => 'ens3',
    }
+  }

 }