From 9642eb3d237fe9b9885a478582ff286dd939e6ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?=
Date: Thu, 30 Jan 2025 14:57:24 +0100
Subject: [PATCH] Updating sso class to enable custom 401 for apache env as well
---
 .../modules/soc/files/sso/apache-errors.conf | 8 +++
 .../etc/puppet/modules/soc/manifests/sso.pp | 51 ++++++++++++-------
 .../soc/templates/sso/docker-compose.yml.erb | 2 +-
 3 files changed, 42 insertions(+), 19 deletions(-)
 create mode 100644 global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf
diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf b/global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf
new file mode 100644
index 0000000..2dc05e4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/sso/apache-errors.conf
@@ -0,0 +1,8 @@
+Alias /.ssoerror /opt/sso/apache
+
+ Satisfy any
+ Allow from all
+ AuthType None
+ Require all granted
+
+ErrorDocument 401 /.ssoerror/401.html
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index 6308cbb..ba52a7a 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -29,7 +29,6 @@
 # @param entityID
 # EntityID of the satosa proxy, must not be the same as the proxy hostname.
 # Default set to value of proxy.
-
 class soc::sso(
 String $ssotype = 'docker',
 String $hostname = $facts['networking']['fqdn'],
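Review bot: In apache-errors.conf the `Alias /.ssoerror /opt/sso/apache` line publishes the whole /opt/sso/apache tree through a block that turns authentication off (`AuthType None`, `Require all granted`), although only the 401 page needs to be reachable without a session. The same commit creates /opt/sso/apache/ssoerror/401.html in sso.pp, so pointing the alias at that subdirectory, `Alias /.ssoerror /opt/sso/apache/ssoerror`, would keep the unauthenticated surface to the error page and let Apache and the docker mount use the same file. The block also mixes the 2.2-style `Satisfy any` / `Allow from all` with `Require all granted`; on Apache 2.4 the `Require` line alone is enough and the older directives depend on mod_access_compat. The container lines that enclose these directives are not visible in this rendering of the hunk, so the exact scope of the block should be checked in the file itself.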
@@ -50,19 +49,22 @@ class soc::sso( Optional[String] $extra_proxy_conf = undef, ) { + file { '/opt/sso': + ensure => directory, + } + file { '/opt/sso/apache': + ensure => directory, + } + file { '/opt/sso/apache/ssoerror': + ensure => directory, + } + + file { '/opt/sso/apache/ssoerror/401.html': + ensure => file, + content => file('soc/sso/401.html'), + } + if $ssotype == 'docker' { - file { '/opt/sso': - ensure => directory, - } - - # - # Apache files - # - - file { '/opt/sso/apache': - ensure => directory, - } - file { '/opt/sso/apache/site.conf': ensure => file, content => template('soc/sso/apache-site.conf.erb'), @@ -76,6 +78,9 @@ class soc::sso( } } + if $ssotype == 'apache' { + } + file { '/opt/sso/apache/401.html': ensure => file, content => file('soc/sso/401.html'), @@ -99,22 +104,32 @@ class soc::sso( # if $ssotype == 'apache' { + $shibbase = '/etc/shibboleth' + service { 'apache2': + ensure => 'running', + enable => true, + require => Package['apache2'], + } package { ['libapache2-mod-shib', 'shibboleth-sp-utils']: ensure => installed, } - exec { 'Make sure mod_shib is loaded': command => 'a2enmod shib', creates => '/etc/apache2/mods-enabled/shib.load', } - exec { 'Make sure authz_groupfile is loaded': command => 'a2enmod authz_groupfile', creates => '/etc/apache2/mods-enabled/authz_groupfile.load', } - - $shibbase = '/etc/shibboleth' - + file { '/etc/apache2/conf-available/apache-errors.conf': + ensure => file, + content => file('soc/sso/apache-errors.conf'), + } + exec { 'Enable custom 401 error document': + command => 'a2enconf apache-errors', + creates => '/etc/apache2/conf-enabled/apache-errors.conf', + notify => Service['apache2'], + } } elsif $ssotype == 'docker' { $shibbase = '/opt/sso/shibboleth' diff --git a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb index 9ee8a7c..705bb7e 100644 
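Review bot: The new `file { '/opt/sso/apache/ssoerror/401.html': ... }` resource at the top of the class body duplicates the existing `/opt/sso/apache/401.html` resource that is still declared further down (visible as context in the next hunk), so the same page is now managed at two paths. Which copy is served depends on the mode: the compose template mounts the ssoerror copy, while the Apache alias in apache-errors.conf resolves to the old one. Dropping the old resource once the alias points at the ssoerror directory would leave a single source of truth. None of the new file resources set `owner`, `group` or `mode`; for content served without authentication it is worth pinning them, e.g. `mode => '0644'`, unless a File default elsewhere in the module already does.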
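Review bot: The added `if $ssotype == 'apache' { }` block is empty, so it contributes nothing to the catalog and reads like a leftover placeholder. Either remove it or put a comment inside that says what is meant to go there, for example `# apache-only resources are declared in the ssotype block below`. The class body continues outside this hunk.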
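Review bot: The `file { '/etc/apache2/conf-available/apache-errors.conf': ... }` resource does not notify Apache, and the `a2enconf` exec only runs (and notifies) until its `creates` path exists, so a later change to the file's content is never picked up by the running server. Adding `notify => Service['apache2'],` to the file resource closes that gap. The new service also has `require => Package['apache2']`, but no `apache2` package is declared in the visible part of the class; if it is not declared elsewhere the catalog will fail to compile. The two `a2enmod` execs kept as context have the same missing-reload behaviour, and the if/elsif block continues past the end of the hunk.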
--- a/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/soc/templates/sso/docker-compose.yml.erb
@@ -23,7 +23,7 @@ services:
 <% end -%>
 - ./shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem
 - ./shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem
- - ./apache/401.html:/var/www/ssoerror/401.html:ro
+ - ./apache/ssoerror/401.html:/var/www/ssoerror/401.html:ro
 <% if @extra_proxy_conf -%>
 - <%= @extra_proxy_conf %>:<%= @extra_proxy_conf %>
 <% end -%>