Added custom 401 for SSO proxy, fixed inclusion of extra proxy config, added possibility to remove http header Authorization

This commit is contained in:
Johan Björklund 2025-01-14 10:08:47 +01:00
parent 264ec25329
commit 4bb3a317ff
Signed by untrusted user: bjorklund
GPG key ID: 5E8401339C7F5037
4 changed files with 63 additions and 16 deletions


@ -0,0 +1,31 @@
<!DOCTYPE html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Centrumtext</title>
<style>
/* Styla body för att ta upp hela skärmen och centrera innehållet */
body, html {
height: 100%;
margin: 0;
display: flex;
justify-content: center; /* Horisontell centrering */
align-items: center; /* Vertikal centrering */
font-family: Arial, sans-serif;
}
/* Anpassa stilen för texten */
.centered-text {
text-align: center;
font-size: 24px;
color: #333;
}
</style>
</head>
<body>
<div class="centered-text">
<h1>401 - Unauthorized</h1>
<p />The SSO proxy did not find your user in any required user groups defined in the SSO proxy config.
</div>
</body>
</html>
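Review bot: `<p />` on the message line is not a valid self-closing element in HTML — browsers parse it as an opening `<p>` that is never closed — and no opening `<html>` tag is visible to match the closing `</html>`; the hunk header announces 31 added lines while 30 are shown, so the `<html>` line may have been dropped by the rendering and is worth confirming in the file itself. The placeholder `<title>Centrumtext</title>` is what users will see in the tab and history. Suggested lines: `<html lang="en">` after the doctype if it is indeed missing, `<title>401 - Unauthorized</title>`, and `<p>The SSO proxy did not find your user in any required user groups defined in the SSO proxy config.</p>`. Since this page is served for every 401 on the vhost via ErrorDocument, the sentence assumes group membership is the only way to reach it; if that is not guaranteed, a more generic wording avoids misleading users.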


@ -31,20 +31,22 @@
# Default set to value of proxy.
class soc::sso(
String $ssotype = 'docker',
String $hostname = $facts['networking']['fqdn'],
String $email = 'cert@cert.sunet.se',
Optional[String] $service_endpoint = undef,
Array $groups = ['PLACEHOLDER'],
Array $passthrough = [],
Boolean $x_remote_user = false,
Boolean $single_user = false,
Boolean $satosa = true,
Boolean $satosa_certbot = false,
String $translog = 'INFO',
String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
String $entityID = $proxy,
Optional[String] $extra_proxy_conf = undef,
String $ssotype = 'docker',
String $hostname = $facts['networking']['fqdn'],
String $email = 'cert@cert.sunet.se',
Optional[String] $service_endpoint = undef,
Array $groups = ['PLACEHOLDER'],
Array $passthrough = [],
Boolean $x_remote_user = false,
Boolean $remote_user = false,
Boolean $unset_auth_header = false,
Boolean $single_user = false,
Boolean $satosa = true,
Boolean $satosa_certbot = false,
String $translog = 'INFO',
String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp',
String $entityID = $proxy,
Optional[String] $extra_proxy_conf = undef,
) {
if $ssotype == "docker" {
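Review bot: The two new parameters `$remote_user` and `$unset_auth_header` get no entry in the class's parameter documentation, which sits above this hunk (`# Default set to value of proxy.` is its last visible line). Add one line each in the same format as the existing header, e.g. for `unset_auth_header`: "Strip the client-supplied Authorization header before the request is proxied to the service endpoint (default false)", and for `remote_user` whatever behaviour it actually switches. `$remote_user` is not referenced in any template hunk of this commit, so please confirm it is consumed somewhere (the `<%- else -%>` / `ShibUseHeaders On` branch in the vhost template may be it) and is not an accidental duplicate of `$x_remote_user`. The class body continues past the end of the hunk.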


@ -27,6 +27,13 @@
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Alias /error /var/www/error
<Directory /var/www/error>
AuthType None
Require all granted
</Directory>
ErrorDocument 401 /error/401.html
<Location />
AuthType shibboleth
ShibRequestSetting requireSession On
@ -38,7 +45,9 @@
<%- else -%>
ShibUseHeaders On
<%- end -%>
<%- if @unset_auth_header -%>
RequestHeader unset Authorization
<%- end -%>
<%- if @extra_proxy_conf -%>
IncludeOptional <%= @extra_proxy_conf %>
<%- end -%>
@ -46,14 +55,15 @@
AuthGroupFile /etc/apache2/groups.txt
Require group <% @groups.each.with_index do |group, i| %><%= group %><%= ' ' if i < (@groups.size - 1) %><% end %>
</Location>
<%- @passthrough.each do |path| -%>
<%- @passthrough.each do |path| -%>
<Location <%= path %>>
AuthType None
Require all granted
</Location>
<%- end -%>
ProxyPass "/error" !
ProxyPass "/" "<%= @service_endpoint %>/"
ProxyPassReverse "/" "<%= @service_endpoint %>/"
UseCanonicalName On
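Review bot: The `<Directory /var/www/error>` exemption added in the first hunk is most likely overridden by the `<Location />` block that follows it: Apache merges `<Directory>` sections before `<Location>` sections and later-merged sections win, so the internal subrequest issued by `ErrorDocument 401 /error/401.html` would itself be subject to `AuthType shibboleth`, `requireSession On` and the `Require group` rule, and the custom page would never be delivered (the client gets Apache's fallback "additionally, a 401 … was encountered" page instead). The passthrough blocks in the third hunk already use the pattern that does work — a `<Location>` placed after the root block's `</Location>` — so `/error` should be exempted the same way, with `ProxyPass "/error" !` keeping it out of the proxy as the commit already does. `RequestHeader unset Authorization` in the second hunk is a reasonable opt-in hardening that keeps a client's own credentials from reaching the backend; by the hunk line numbers it lands inside `<Location />` (which opens at new line 35 and closes at 57), which is the intended scope.
```apache
</Location>
<Location /error>
    AuthType None
    Require all granted
</Location>
# … unchanged: passthrough <Location> blocks, ProxyPass lines …
```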


@ -23,6 +23,10 @@ services:
<% end -%>
- ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
- ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
- ./apache/401.html:/var/www/error/401.html:ro
<% if @extra_proxy_conf -%>
- @extra_proxy_conf:@extra_proxy_conf
<% end -%>
networks:
sso:
external: true
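Review bot: The new volume line `- @extra_proxy_conf:@extra_proxy_conf` has no ERB tags, so the rendered compose file mounts a literal host path named `@extra_proxy_conf` rather than the configured file; because the vhost template includes it with `IncludeOptional`, which silently ignores a missing file, the extra proxy config would be dropped without any error at startup. It should read `- <%= @extra_proxy_conf %>:<%= @extra_proxy_conf %>:ro`, with `:ro` matching the 401.html mount two lines above. Both the mount and the Apache include use the same string, so this works as long as the Puppet value is an absolute path; a short comment in the class documentation stating that expectation would help operators.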