feat: generalize variables usage

This commit is contained in:
2022-07-21 14:19:23 +02:00
parent 20f5ef8faa
commit 4152fa2e3d
14 changed files with 94 additions and 352 deletions


@ -9,8 +9,8 @@ PODMAN_ARGS="\
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
-e HYDRA_BASE_URL=http://10.0.2.2:4444 \
-e HYDRA_REWRITE_ISSUER=no \
-e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
-e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
-e 'COOKIE_PATH=/auth/dispatcher' \
-e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
-e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
-e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
-e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
"


@ -2,7 +2,7 @@ PODMAN_ARGS="\
-p 127.0.0.1:3001:3000 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-hydra-passwordless-v1' \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
-e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
-e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
-e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
-e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
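Review bot: The new `HTTP_BASE_URL` line keeps `/auth/passwordless` hard-coded while the rest of this commit routes and rewrites the passwordless service on `haproxy_hydra_passwordless_base_path` (the `path_beg` acl, the `regsub` and the `login_url` entries), so changing that variable would leave the application generating URLs under a path HAProxy no longer forwards. It should use the same variable, which also brings the line in step with the single-quoted style of its neighbours: `-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}' \`. The `PODMAN_ARGS` string continues outside the hunk.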


@ -6,9 +6,9 @@ PODMAN_ARGS="\
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
-e APP_ENV=prod \
-e APP_DEBUG=no \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
-e COOKIE_PATH=/auth/saml \
-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
-e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
-e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
-e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
"


@ -6,13 +6,15 @@ PODMAN_ARGS="\
-p 127.0.0.1:4445:4445 \
--tmpfs /tmp \
-e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
-e LOG_LEVEL=debug \
-e LOG_LEAK_SENSITIVE_VALUES=true \
-e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
-e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
-e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
-e HYDRA_ALLOW_INSECURE=yes \
-e HYDRA_LEVEL=debug \
-e 'LOG_LEVEL={{ hydra_log_level }}' \
-e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
-e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
-e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
-e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
-e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
-e 'HYDRA_ALLOW_INSECURE=yes' \
-e 'HYDRA_LEVEL={{ hydra_log_level }}' \
-e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
-e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
"


@ -2,11 +2,12 @@ PODMAN_ARGS="\
-p 127.0.0.1:3002:80 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-shibboleth-sp-v3' \
-e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
-e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
-e 'SP_HANDLER_BASE_PATH=/auth/saml' \
-e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith('https') else "false" }}' \
-e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
-v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
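Review bot: The new `APACHE_FORCE_HTTPS` line nests Jinja single quotes (`'https'`) inside a single-quoted shell argument; it works because Jinja renders first, but it reads as if the shell quote closes early and a later editor is likely to "fix" it. Using double quotes for the Jinja string literal and checking the full scheme separator avoids both problems: `-e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith("https://") else "false" }}' \`. The `PODMAN_ARGS` string continues outside the hunk.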


@ -37,66 +37,49 @@ frontend http-in
bind 0.0.0.0:80
mode http
maxconn 2000
maxconn 2000
acl login_dispatcher path_beg -i /auth/dispatcher
{% if enable_hydra_passwordless %}
acl login_passwordless path_beg -i /auth/passwordless
{% endif %}
{% if enable_hydra_saml %}
acl login_saml path_beg -i /auth/saml
{% endif %}
acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
{% if enable_hydra_passwordless %}
acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
{% endif %}
{% if enable_hydra_saml %}
acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }}
{% endif %}
use_backend hydra_dispatcher if login_dispatcher
{% if enable_hydra_passwordless %}
{% if enable_hydra_passwordless %}
use_backend hydra_passwordless if login_passwordless
{% endif %}
{% if enable_hydra_saml %}
{% endif %}
{% if enable_hydra_saml %}
use_backend hydra_saml if login_saml
{% endif %}
{% endif %}
use_backend hydra
option forwardfor
http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }}
http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }}
http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
# Backend Hydra
backend hydra
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra 127.0.0.1:4444 check
# Backend Hydra Dispatcher
backend hydra_dispatcher
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/dispatcher dans l'URL
http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
server hydra-login-dispatcher 127.0.0.1:3000 check
{% if enable_hydra_passwordless %}
# Backend Hydra Passwordless
backend hydra_passwordless
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/passwordless dans l'URL
http-request set-path %[path,regsub(^/auth/passwordless,)]
http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
server hydra-login-passwordless 127.0.0.1:3001 check
{%- endif %}
@ -104,12 +87,5 @@ backend hydra_passwordless
# Backend Hydra SAML
backend hydra_saml
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra-login-saml 127.0.0.1:3002 check
{%- endif %}
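Review bot: In the `hydra_dispatcher` and `hydra_passwordless` backends the base path is interpolated into `regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)` (and the passwordless equivalent) as a raw regex, so any regex metacharacter in the variable changes the match and a `,` or `)` would break the converter's argument parsing, whereas the old literal `/auth/dispatcher/` was safe by construction. Escaping the value on the Jinja side, `regsub(^{{ haproxy_hydra_dispatcher_base_path | regex_escape }}/,/)`, covers the regex metacharacters but presumably not the HAProxy argument separator, so the variable's allowed character set should also be documented where it is defined, e.g. `# must match ^/[A-Za-z0-9_/-]+$: used unescaped in path_beg and regsub()`. Replacing the per-backend `add-header X-Forwarded-Proto` with a frontend `set-header` from `haproxy_forwarded_proto` is an improvement, since `add-header` left any client-supplied value in place; it does mean the value is now static, so `haproxy_forwarded_proto` must track the actual public scheme (it is not derived from `haproxy_public_base_url` here). The `frontend http-in` block starts outside the hunk.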


@ -1,7 +1,7 @@
{
"client_id": {{ item.client_id | to_json }},
"client_name": {{ item.client_name | default(item.client_id) | to_json }},
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32')) | to_json }},
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=inventory_hostname')) | to_json }},
"grant_types": {{ item.grant_types | default(["authorization_code","refresh_token"]) | to_json }},
"jwks": {},
"metadata": {},


@ -4,9 +4,9 @@ hydra:
- id: passwordless
title: "{{ hydra_passwordless_app_title }}"
description: "{{ hydra_passwordless_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email
@ -16,9 +16,9 @@ hydra:
- id: saml
title: "{{ hydra_saml_app_title }}"
description: "{{ hydra_saml_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email
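Review bot: The rewritten `login_url`, `consent_url` and `logout_url` values in both hunks of this file are unquoted templated scalars while `title` and `description` on the same entries are quoted; if `haproxy_public_base_url` renders empty or contains `: ` or ` #`, the YAML consumer would see a null or a truncated/mis-parsed value instead of a string. Quote them consistently, e.g. `login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login"` and likewise for the other five lines. The `hydra:` mapping starts outside the hunk.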