Update soc::cert to latest version

2025-02-12 13:58:48 +01:00 · 2025-02-12 13:58:48 +01:00 · d6cd5e6a30
commit d6cd5e6a30
parent 43d367e1cb
3 changed files with 53 additions and 15 deletions
--- a/global/overlay/etc/puppet/modules/soc/files/sso/services-frontend.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/services-frontend.xml
--- a/global/overlay/etc/puppet/modules/soc/files/sso/test-frontend.xml
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/test-frontend.xml
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -1,10 +1,14 @@
 # General SSO class for SOC. Based on cnaas::sso
 #
+# @param ssotype Deploy either using docker och plain apache
+#
 # @param hostname FQDN of the host this is running on.
 #
 # @param email Support email used in error messages etc.
 #
-# @param service_endpoint Location of service to reverse proxy for.
+# @param service_endpoint Location of service to reverse proxy for. [docker]
+#
+# @param use_groups Should we use groups (default) or are anyone allowed to login.
 #
 # @param groups
 #   List of user groups from sso_groups in global/overlay/etc/hiera/data/common.yaml. The
@ -12,9 +16,19 @@
 #
 # @param passthrough List of paths to disable SAML protection for, e.g. API paths.
 #
-# @param x_remote_user
+# @param x_remote_user (DEPRECATED)
 #   If true, EPPN is put in the HTTP header X-Remote-User instead of REMOTE_USER.
 #
+# @param remote_user (DEPRECATED)
+#   If true, EPPN is put in the HTTP header Remote-User
+#
+# @param user_header
+#   Name of header to put EPPN in. Only used if both x_remote_user and remote_user are false
+#
+# @param unset_auth_header
+#   If set always clear auth_header to not confuse application that normally rely on
+#   basic auth. I.e. graylog4+
+#
 # @param single_user
 #   If true, EPPN is discarded and X-Remote-User is set to "soc-user". This is useful in
 #   cases where the service we reverse proxy for can't create new accounts automatically.
@ -26,14 +40,22 @@
 # @param proxy
 #   Hostname of the satosa proxy.
 #
+# @param fronted
+#   Which frontend.xml file to use if we use a proxy (could be cleaner)
+#
 # @param entityID
-#   EntityID of the satosa proxy, must not be the same as the proxy hostname.
+#   EntityID of the satosa proxy, might not be the same as the proxy hostname.
 #   Default set to value of proxy.
+#
+# @param extra_proxy_conf
+#   Extra apache configuration files to inlcude in sso-proxy-conf (docker)
+#
 class soc::sso(
  String            $ssotype            = 'docker',
  String            $hostname           = $facts['networking']['fqdn'],
  String            $email              = 'cert@cert.sunet.se',
  Optional[String]  $service_endpoint   = undef,
+  Boolean           $use_groups         = true,
  Array             $groups             = ['PLACEHOLDER'],
  Array             $passthrough        = [],
  Boolean           $x_remote_user      = false,
@ -44,8 +66,9 @@ class soc::sso(
  Boolean           $satosa             = true,
  Boolean           $satosa_certbot     = false,
  String            $translog           = 'INFO',
-  String            $proxy              = 'https://shared-sso-proxy1.cert.sunet.se/idp',
-  String            $entityID           = $proxy,
+  String            $proxy              = 'https://test-sso-proxy1.cert.sunet.se/idp',
+  String            $frontend           = 'test',
+  String            $entity_id          = $proxy,
  Optional[String]  $extra_proxy_conf   = undef,
 ) {

@ -77,8 +100,10 @@ class soc::sso(
      content => file('soc/sso/apache-ssl.conf'),
    }
  } elsif $ssotype == 'apache' {
-    package { ['apache2',]:
-      ensure => installed,
+    unless Package['apache2'] {
+      package { ['apache2',]:
+        ensure => installed,
+      }
    }
  }

@ -90,9 +115,11 @@ class soc::sso(
    $apache_groups = '/tmp/groups.txt'
  }

-  file { $apache_groups:
-    ensure  => file,
-    content => template('soc/sso/apache-groups.txt.erb')
+  if $use_groups {
+    file { $apache_groups:
+      ensure  => file,
+      content => template('soc/sso/apache-groups.txt.erb')
+    }
  }

  #
@ -124,7 +151,6 @@ class soc::sso(
    exec { 'Enable custom 401 error document':
      command => 'a2enconf apache-errors',
      creates => '/etc/apache2/conf-enabled/apache-errors.conf',
-      notify  => Service['apache2'],
    }
  } elsif $ssotype == 'docker' {
    $shibbase = '/opt/sso/shibboleth'
@ -157,7 +183,7 @@ class soc::sso(
  if $satosa {
    file { "${shibbase}/frontend.xml":
      ensure  => file,
-      content => file('soc/sso/frontend.xml'),
+      content => file("soc/sso/${frontend}-frontend.xml"),
    }

    file { "${shibbase}/attribute-policy.xml":
@ -170,9 +196,9 @@ class soc::sso(
        hiera_key => 'sso_sp_key'
      }
    } else {
-      sunet::snippets::keygen {'shib_cert':
-        key_file  => "${shibbase}/sp-key.pem",
-        cert_file => "${shibbase}/sp-cert.pem"
+      sunet::snippets::keygen {'shib_soc':
+        key_file => "${shibbase}/sp-key.pem",
+        soc_file => "${shibbase}/sp-cert.pem"
      }
    }
  } else {