Updating sso class to enable custom 401 for apache env as well

2025-01-30 14:57:24 +01:00 · 2025-01-30 14:57:24 +01:00 · 9642eb3d23
commit 9642eb3d23
parent f8c1cc16f5
3 changed files with 42 additions and 19 deletions
--- a/global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf
@ -0,0 +1,8 @@
+Alias /.ssoerror /opt/sso/apache
+<Directory /opt/sso/apache>
+  Satisfy any
+  Allow from all
+  AuthType None
+  Require all granted
+</Directory>
+ErrorDocument 401 /.ssoerror/401.html
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@ -29,7 +29,6 @@
 # @param entityID
 #   EntityID of the satosa proxy, must not be the same as the proxy hostname.
 #   Default set to value of proxy.
-
 class soc::sso(
  String            $ssotype            = 'docker',
  String            $hostname           = $facts['networking']['fqdn'],
@ -50,19 +49,22 @@ class soc::sso(
  Optional[String]  $extra_proxy_conf   = undef,
 ) {

+  file { '/opt/sso':
+    ensure => directory,
+  }
+  file { '/opt/sso/apache':
+    ensure => directory,
+  }
+  file { '/opt/sso/apache/ssoerror':
+    ensure => directory,
+  }
+
+  file { '/opt/sso/apache/ssoerror/401.html':
+    ensure  => file,
+    content => file('soc/sso/401.html'),
+  }
+
  if $ssotype == 'docker' {
-    file { '/opt/sso':
-      ensure => directory,
-    }
-
-    #
-    # Apache files
-    #
-
-    file { '/opt/sso/apache':
-      ensure => directory,
-    }
-
    file { '/opt/sso/apache/site.conf':
      ensure  => file,
      content => template('soc/sso/apache-site.conf.erb'),
@ -76,6 +78,9 @@ class soc::sso(
    }
  }

+  if $ssotype == 'apache' {
+  }
+
  file { '/opt/sso/apache/401.html':
    ensure  => file,
    content => file('soc/sso/401.html'),
@ -99,22 +104,32 @@ class soc::sso(
  #

  if $ssotype == 'apache' {
+    $shibbase = '/etc/shibboleth'
+    service { 'apache2':
+      ensure  => 'running',
+      enable  => true,
+      require => Package['apache2'],
+    }
    package { ['libapache2-mod-shib', 'shibboleth-sp-utils']:
      ensure => installed,
    }
-
    exec { 'Make sure mod_shib is loaded':
      command => 'a2enmod shib',
      creates => '/etc/apache2/mods-enabled/shib.load',
    }
-
    exec { 'Make sure authz_groupfile is loaded':
      command => 'a2enmod authz_groupfile',
      creates => '/etc/apache2/mods-enabled/authz_groupfile.load',
    }
-
-    $shibbase = '/etc/shibboleth'
-
+    file { '/etc/apache2/conf-available/apache-errors.conf':
+      ensure  => file,
+      content => file('soc/sso/apache-errors.conf'),
+    }
+    exec { 'Enable custom 401 error document':
+      command => 'a2enconf apache-errors',
+      creates => '/etc/apache2/conf-enabled/apache-errors.conf',
+      notify  => Service['apache2'],
+    }
  } elsif $ssotype == 'docker' {
    $shibbase = '/opt/sso/shibboleth'

--- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
@ -23,7 +23,7 @@ services:
 <% end -%>
      - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
      - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
-      - ./apache/401.html:/var/www/ssoerror/401.html:ro
+      - ./apache/ssoerror/401.html:/var/www/ssoerror/401.html:ro
 <% if @extra_proxy_conf -%>
      - <%= @extra_proxy_conf %>:<%= @extra_proxy_conf %>
 <% end -%>