From b1e6a00d5d16fce114027f87a315c8f8f9db777a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johan=20Bj=C3=B6rklund?= Date: Wed, 22 Jan 2025 13:13:24 +0100 Subject: [PATCH] Make soc::satosa: nicer --- global/overlay/etc/puppet/cosmos-rules.yaml | 4 +- .../puppet/modules/soc/manifests/satosa.pp | 57 +++++++++++++++---- .../templates/satosa/docker-compose.yml.erb | 6 +- .../etc/satosa/metadata/zammad-app.xml | 14 +++++ 4 files changed, 63 insertions(+), 18 deletions(-) create mode 100644 test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/zammad-app.xml diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index cf3f783..0ca9d93 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -41,9 +41,7 @@ test-sso-proxy1.cert.sunet.se: sunet::dockerhost2: sunet::certbot::acmed: soc::satosa: - ext_cert: '/etc/letsencrypt/live/test-sso-proxy1.cert.sunet.se/fullchain.pem' - ext_cert_key: '/etc/letsencrypt/live/test-sso-proxy1.cert.sunet.se/privkey.pem' - ext_cert_vol: '/etc/letsencrypt' + certprovider: 'certbot' intelmq-dev.cert.sunet.se: soc::intelmq: diff --git a/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp b/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp index 053a93c..bb78a75 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp 
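Review bot: With `ext_cert`/`ext_cert_key` gone, the node now relies on soc::satosa's `certname` default (`$facts['networking']['fqdn']`) resolving to exactly `test-sso-proxy1.cert.sunet.se`, the name the removed paths hard-coded; if the fqdn fact ever differs from that (short hostname, CNAME deployment), the `/etc/satosa/https.*` symlinks would point into a non-existent letsencrypt directory and the breakage would surface at service start rather than at catalog compile. Since the certificate name is a fixed property of this host's ACME setup, pinning it next to the provider is cheap insurance: `certprovider: 'certbot'` followed by `certname: 'test-sso-proxy1.cert.sunet.se'`. This assumes the hunk shows the whole `soc::satosa:` block for the node, which is what the context lines suggest.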
@@ -1,16 +1,29 @@ # Class to run Satosa in docker-compose class soc::satosa( - Optional[String] $ext_cert = undef, - Optional[String] $ext_cert_key = undef, - Optional[String] $ext_cert_vol = undef, - Optional[String] $dehydrated_name = undef, - String $image = 'docker.sunet.se/satosa', - String $interface = $::facts['interface_default'], - String $satosa_tag = '8.4.0', - Optional[String] $redirect_uri = lookup('redirect_uri', Optional[String], undef, ''), - Boolean $enable_oidc = false, + Enum['none','dehydrated','certbot'] $certprovider = 'none', + String $certname = $facts['networking']['fqdn'], + Optional[String] $dehydrated_name = undef, + String $image = 'docker.sunet.se/satosa', + String $interface = $::facts['interface_default'], + String $satosa_tag = '8.4.0', + Optional[String] $redirect_uri = lookup('redirect_uri', Optional[String], undef, ''), + Boolean $enable_oidc = false, ) { + $certfile = undef + $certkey = undef + $certvol = undef + + if ( $certprovider == 'dehydrated' ) { + $certfile = '/etc/dehydrated/certs/${certname}/fullchain.pem' + $certkey = '/etc/dehydrated/certs/${certname}.key' + $certvol = '/etc/dehydrated' + } elif ( $certprovider == 'certbot' ) { + $certfile = '/etc/letsencrypt/live/${certname}/fullchain.pem' + $certkey = '/etc/letsencrypt/live/${certname}/privkey.pem' + $certvol = '/etc/letsencrypt' + } + if ($::facts['sunet_satosa_exists'] == 'yes') { $service_to_notify = Service['sunet-satosa'] } 
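Review bot: The path assignments `$certfile = '/etc/dehydrated/certs/${certname}/fullchain.pem'` (and the three like it) use single quotes, so Puppet does not interpolate `${certname}`; the `/etc/satosa/https.*` symlinks created from these values would target the literal path `/etc/letsencrypt/live/${certname}/privkey.pem`, and they need double quotes. The same block first sets `$certfile`/`$certkey`/`$certvol` to `undef` and then assigns them again inside the `if`, which Puppet rejects with "Cannot reassign variable" because `if` does not open a new scope, and `} elif (` is not Puppet syntax (the keyword is `elsif`). A single `case` that assigns each variable exactly once, with a `default` arm for `'none'`, resolves all three; the parameter list above it is fine as written.
```puppet
) {
  # Resolve the certificate paths for the chosen ACME client once; double quotes
  # are required for ${certname} to be interpolated.
  case $certprovider {
    'dehydrated': {
      $certfile = "/etc/dehydrated/certs/${certname}/fullchain.pem"
      $certkey  = "/etc/dehydrated/certs/${certname}.key"
      $certvol  = '/etc/dehydrated'
    }
    'certbot': {
      $certfile = "/etc/letsencrypt/live/${certname}/fullchain.pem"
      $certkey  = "/etc/letsencrypt/live/${certname}/privkey.pem"
      $certvol  = '/etc/letsencrypt'
    }
    default: {
      $certfile = undef
      $certkey  = undef
      $certvol  = undef
    }
  }
  # … unchanged: sunet_satosa_exists check …
```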
@@ -109,9 +122,29 @@ class soc::satosa( } file { '/etc/satosa/https.key': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}.key" } file { '/etc/satosa/https.crt': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}/fullchain.pem" } - } elsif ($ext_cert) and ($ext_cert_key) { - file { '/etc/satosa/https.key': ensure => link, target => $ext_cert_key } - file { '/etc/satosa/https.crt': ensure => link, target => $ext_cert } + } elif ($certprovider == 'dehydrated') { + class { 'sunet::dehydrated::client': + domain => $certname, + ssl_links => true, + } + + if $::facts['sunet_nftables_enabled'] == 'yes' { + sunet::nftables::docker_expose { 'allow_http' : + iif => $interface, + allow_clients => 'any', + port => 80, + } + } else { + sunet::misc::ufw_allow { 'allow-http': + from => 'any', + port => '80' + } + } + file { '/etc/satosa/https.key': ensure => link, target => $certkey } + file { '/etc/satosa/https.crt': ensure => link, target => $certfile } + } elsif ($certprovider == 'certbot') { + file { '/etc/satosa/https.key': ensure => link, target => $certkey } + file { '/etc/satosa/https.crt': ensure => link, target => $certfile } } else { sunet::snippets::keygen {'satosa_https': key_file => '/etc/satosa/https.key', diff --git a/global/overlay/etc/puppet/modules/soc/templates/satosa/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/satosa/docker-compose.yml.erb index 9980f2a..d37d5cd 100644 --- a/global/overlay/etc/puppet/modules/soc/templates/satosa/docker-compose.yml.erb +++ b/global/overlay/etc/puppet/modules/soc/templates/satosa/docker-compose.yml.erb @@ -1,7 +1,7 @@ version: '3.2' services: -<% if @dehydrated_name -%> +<% if @dehydrated_name || $certprovider == 'dehydrated' -%> always-https: image: docker.sunet.se/always-https ports: 
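Review bot: `} elif ($certprovider == 'dehydrated') {` is not valid Puppet — the keyword is `elsif`, as the `} elsif ($certprovider == 'certbot') {` branch a few lines further down correctly uses — so the manifest fails to parse and none of this change can be applied; it should read `} elsif ($certprovider == 'dehydrated') {`. Inside that branch the `sunet::nftables::docker_expose`/`sunet::misc::ufw_allow` resources open TCP 80 from `any`, presumably so the ACME http-01 challenge can be answered; a comment such as `# ACME http-01 validation: port 80 must be reachable from the internet` would mark that exposure as deliberate for the next reader. The `if ($dehydrated_name)` chain this hunk extends begins before the hunk, so I cannot see whether the legacy branch applies the same firewall rules or whether the two dehydrated paths now diverge.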
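Review bot: `<% if @dehydrated_name || $certprovider == 'dehydrated' -%>` compares a Ruby global variable `$certprovider`, not the Puppet class parameter; in an ERB template the parameter is `@certprovider`, and an unset Ruby global is simply `nil`, so the `always-https` redirector is silently never rendered for `certprovider => 'dehydrated'` unless the legacy `@dehydrated_name` is also set. Change the line to `<% if @dehydrated_name || @certprovider == 'dehydrated' -%>`. The rest of the `always-https` service definition after `ports:` is outside the hunk.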
@@ -16,8 +16,8 @@ services: <% if @dehydrated_name -%> - '/etc/dehydrated:/etc/dehydrated' <% end -%> -<% if @ext_cert_vol -%> - - '<%= @ext_cert_vol %>:<%= @ext_cert_vol %>' +<% if @certprovider != 'none' -%> + - '<%= @certvol %>:<%= @certvol %>' <% end -%> ports: - '443:8000' diff --git a/test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/zammad-app.xml b/test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/zammad-app.xml new file mode 100644 index 0000000..5ac38b0 --- /dev/null +++ b/test-sso-proxy1.cert.sunet.se/overlay/etc/satosa/metadata/zammad-app.xml @@ -0,0 +1,14 @@ + + + +urn:oid:1.3.6.1.4.1.5923.1.1.1.6 + + +Required attributes + + + + + + +
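Review bot: The new bind mount `- '<%= @certvol %>:<%= @certvol %>'` exposes the whole `/etc/letsencrypt` or `/etc/dehydrated` tree to the container read-write, including the private keys of every certificate on the host, while satosa only needs to read the targets of its `https.key`/`https.crt` symlinks; append `:ro` (`- '<%= @certvol %>:<%= @certvol %>:ro'`) so a compromised container cannot modify or replace host key material. Separately, when `@dehydrated_name` is set together with `certprovider => 'dehydrated'`, both the existing `/etc/dehydrated:/etc/dehydrated` line above and this one are emitted, and Docker rejects a service with duplicate mount points; guarding the new line with `@certvol && @certvol != '/etc/dehydrated'`, or retiring the legacy line in favour of it, avoids that. The `ports:` list following `'443:8000'` continues outside the hunk.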