Cadoles
/
ansible-role-sso
10
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

feat: generalize variables usage

This commit is contained in:
wpetit 2022-07-21 14:19:23 +02:00
parent 20f5ef8faa
commit 4152fa2e3d
14 changed files with 94 additions and 352 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
defaults/main.yml
View File

@ -4,6 +4,14 @@ cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
cadoles_pod_debian_repository: bullseye-dev
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
# packages versions
haproxy_package_version: '*'
cadoles_pod_hydra_v1_package_version: '*'
cadoles_pod_hydra_dispatcher_v1_package_version: '*'
cadoles_pod_shibboleth_sp_v3_package_version: '*'
cadoles_pod_hydra_remote_user_v1_package_version: '*'
cadoles_pod_hydra_passwordless_v1_package_version: '*'
# Hydra database configuration
hydra_use_external_database: no
hydra_database_name: hydra
@ -12,17 +20,35 @@ hydra_database_password: hydra
hydra_database_host: 10.0.2.2
hydra_database_port: 3306
# HAProxy configuration
haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
haproxy_hydra_dispatcher_base_path: /auth/dispatcher
haproxy_hydra_passwordless_base_path: /auth/passwordless
haproxy_hydra_saml_base_path: /auth/saml
haproxy_forwarded_proto: https
haproxy_forwarded_host: "%[req.hdr(Host)]"
haproxy_forwarded_port: "%[dst_port]"
# Hydra OIDC configuration
public_scheme: http
public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}"
hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
hydra_log_level: warn
hydra_log_leak_sensitive_values: no
# This value should not be changed after first deployment !
hydra_secrets_seed: "{{ inventory_hostname }}"
# Hydra clients
hydra_clients:
- client_id: default-client
client_name: Default client
redirect_uris: ["{{ public_scheme }}://{{ public_host }}"]
# Hydra Passwordless configuration
@ -51,5 +77,6 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
# OIDC Test configuration
enable_oidc_test_app: yes
oidc_test_app_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}:8080
oidc_test_app_client_id: oidc-test
oidc_test_app_client_secret: '$oidc-test&123456$'

257
files/shibboleth2.xml.gotmpl
View File

@ -1,257 +0,0 @@
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess
logger="shibd.logger" tranLogFormat="[TRANSACTION] %u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
<!-- <Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions> -->
</OutOfProcess>
<!-- <InProcess logger="native.logger" checkSpoofing="false"/> -->
<!-- Only one listener can be defined, to connect in-process modules to shibd. -->
<UnixListener address="shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults entityID="{{ getenv "SP_ENTITY_ID" "http://sp-entity-id" }}"
REMOTE_USER="{{ getenv "SP_REMOTE_USER" "eppn subject-id pairwise-id persistent-id" }}"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
and should be a relative path, with the SP computing the full value based on the virtual
host. Using handlerSSL="true" will force the protocol to be https. You should also set
cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
"false", this makes an assertion stolen in transit easier for attackers to misuse.
-->
<Sessions lifetime="28800" timeout="3600"
handlerURL="{{ getenv "SP_HANDLER_BASE_PATH" "" }}/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
redirectLimit="{{ getenv "SP_SESSIONS_REDIRECT_LIMIT" "host" }}"
checkAddress="false"
consistentAddress="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!--
The "stripped down" files use the shorthand syntax for configuring handlers.
This uses the old "every handler specified directly" syntax. You can supplement
the new syntax following these examples but it is NOT advisable to use this
approach wholesale.
-->
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic/active session rules will use the default
or first element (or requireSessionWith can specify a specific id to use).
-->
<!-- Default directs to a specific IdP. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
entityID="{{ getenv "IDP_ENTITY_ID" "http://idp-entity-id" }}">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
<!--
To allow for >1 IdP, remove entityID property from Chaining element and add
*either* of the SAMLDS or WAYF handlers below:
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
<SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
-->
</SessionInitiator>
<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- Administrative logout, separate from user-driven logout above. -->
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add your own attributes with values that can be plugged into the
templates, e.g., helpLocation below.
-->
<Errors supportContact="{{ getenv "CONTACT_EMAIL" "admin@localhost" }}"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!--
Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
generally match those allowed by the <ApplicationDefaults> element.
-->
<!--
<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
-->
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
url="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
<DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->
<!-- Example of remotely supplied "on-demand" signed metadata. -->
<!--
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
baseUrl="http://mdq.federation.org" ignoreTransport="true">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="mdqsigner.pem" />
</MetadataProvider>
-->
<MetadataProvider type="Dynamic"
verifyHost="false"
ignoreTransport="true"
uri="{{ getenv "IDP_METADATA_URL" "http://idp/idp/shibboleth" }}">
</MetadataProvider>
<!-- TrustEngines run in order to evaluate peer keys and certificates. -->
<TrustEngine type="ExplicitKey"/>
<!-- <TrustEngine type="PKIX"/> -->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Extracts support information for IdP from its metadata. -->
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
key="/etc/shibboleth/credentials/sp-signing.key" certificate="/etc/shibboleth/credentials/sp-signing.crt"/>
<CredentialResolver type="File" use="encryption"
key="/etc/shibboleth/credentials/sp-encrypt.key" certificate="/etc/shibboleth/credentials/sp-encrypt.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements.
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
This "canonical" use case of overriding the SP's entityID alone is now obsolete;
you can apply selfEntityID as a content setting based on host or path to control
the SP's own identity.
Avoid overrides: ask on the list or refer to the wiki for examples of how to do
whatever you want to do without them.
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

4
tasks/hydra-passwordless.yml
View File

@ -3,9 +3,9 @@
- name: Install cadoles-pod-hydra-passwordless-v1 package
ansible.builtin.apt:
name:
- cadoles-pod-hydra-passwordless-v1
- "cadoles-pod-hydra-passwordless-v1={{ cadoles_pod_hydra_passwordless_v1_package_version }}"
update_cache: yes
state: latest
state: present
become: true
- name: Configure cadoles-pod-hydra-passwordless-v1

14
tasks/hydra-saml.yml
View File

@ -3,10 +3,10 @@
- name: Install cadoles-pod-hydra-remote-user-v1 package
ansible.builtin.apt:
name:
- cadoles-pod-shibboleth-sp-v3
- cadoles-pod-hydra-remote-user-v1
- "cadoles-pod-shibboleth-sp-v3={{ cadoles_pod_shibboleth_sp_v3_package_version }}"
- "cadoles-pod-hydra-remote-user-v1={{ cadoles_pod_hydra_remote_user_v1_package_version }}"
update_cache: yes
state: latest
state: present
become: true
- name: Configure cadoles-pod-hydra-remote-user-v1
@ -51,11 +51,3 @@
notify:
- Restart cadoles-pod-shibboleth-sp-v3
become: true
- name: Configure cadoles-pod-shibboleth-sp-v3 (2)
ansible.builtin.copy:
src: shibboleth2.xml.gotmpl
dest: /etc/shibboleth/shibboleth2.xml.gotmpl
notify:
- Restart cadoles-pod-shibboleth-sp-v3
become: true

8
tasks/main.yml
View File

@ -31,11 +31,11 @@
- name: Install core packages
ansible.builtin.apt:
name:
- haproxy
- cadoles-pod-hydra-v1
- cadoles-pod-hydra-dispatcher-v1
- haproxy={{ haproxy_package_version }}
- cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
- cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
update_cache: yes
state: latest
state: present
become: true
- name: Configure Hydra local database

13
tasks/oidc-test.yml
View File

@ -8,8 +8,8 @@
- client_id: "{{ oidc_test_app_client_id }}"
client_secret: "{{ oidc_test_app_client_secret }}"
client_name: "OIDC Test"
redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"]
post_logout_redirect_uris: ["{{ public_scheme }}://{{ public_host }}:8080"]
redirect_uris: ["{{ oidc_test_app_public_base_url }}/oauth2/callback"]
post_logout_redirect_uris: ["{{ oidc_test_app_public_base_url }}"]
logo_uri: https://www.cadoles.com/images/logo.svg
notify:
@ -19,7 +19,7 @@
- name: Start oidc-test app
containers.podman.podman_container:
name: oidc-test
image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
image: docker.io/bornholm/oidc-test:v0.0.0-3-g5beae19
state: started
network: host
recreate: yes
@ -27,8 +27,9 @@
OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
LOG_LEVEL: 0
OIDC_ISSUER_URL: "http://{{ public_host }}/"
OIDC_REDIRECT_URL: "http://{{ public_host }}:8080"
OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
OIDC_ISSUER_URL: "{{ hydra_urls_self_issuer_url }}/"
OIDC_INSECURE_SKIP_VERIFY: true
OIDC_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
OIDC_POST_LOGOUT_REDIRECT_URL: "{{ oidc_test_app_public_base_url }}"
HTTP_ADDRESS: 0.0.0.0:8080
become: true

8
templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
View File

@ -9,8 +9,8 @@ PODMAN_ARGS="\
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
-e HYDRA_BASE_URL=http://10.0.2.2:4444 \
-e HYDRA_REWRITE_ISSUER=no \
-e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
-e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
-e 'COOKIE_PATH=/auth/dispatcher' \
-e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \
-e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \
-e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \
-e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \
"

2
templates/cadoles-pod-hydra-passwordless-v1.conf.j2
View File

@ -2,7 +2,7 @@ PODMAN_ARGS="\
-p 127.0.0.1:3001:3000 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-hydra-passwordless-v1' \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
-e HTTP_BASE_URL={{ haproxy_public_base_url }}/auth/passwordless \
-e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
-e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
-e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \

6
templates/cadoles-pod-hydra-remote-user-v1.conf.j2
View File

@ -6,9 +6,9 @@ PODMAN_ARGS="\
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
-e APP_ENV=prod \
-e APP_DEBUG=no \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
-e COOKIE_PATH=/auth/saml \
-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
-e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
-e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
-e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \
"

18
templates/cadoles-pod-hydra-v1.conf.j2
View File

@ -6,13 +6,15 @@ PODMAN_ARGS="\
-p 127.0.0.1:4445:4445 \
--tmpfs /tmp \
-e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
-e LOG_LEVEL=debug \
-e LOG_LEAK_SENSITIVE_VALUES=true \
-e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
-e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
-e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
-e HYDRA_ALLOW_INSECURE=yes \
-e HYDRA_LEVEL=debug \
-e 'LOG_LEVEL={{ hydra_log_level }}' \
-e 'LOG_LEAK_SENSITIVE_VALUES={{ hydra_log_leak_sensitive_values }}' \
-e 'HYDRA_URLS_SELF_ISSUER={{ hydra_urls_self_issuer_url }}' \
-e 'HYDRA_URLS_CONSENT={{ hydra_urls_consent }}' \
-e 'HYDRA_URLS_LOGIN={{ hydra_urls_login }}' \
-e 'HYDRA_URLS_LOGOUT={{ hydra_urls_logout }}' \
-e 'HYDRA_ALLOW_INSECURE=yes' \
-e 'HYDRA_LEVEL={{ hydra_log_level }}' \
-e 'HYDRA_SECRETS_SYSTEM={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
-e 'HYDRA_OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT={{ lookup('ansible.builtin.password', '/dev/null length=32 seed=hydra_secrets_seed') }}' \
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
"

5
templates/cadoles-pod-shibboleth-sp-v3.conf.j2
View File

@ -2,11 +2,12 @@ PODMAN_ARGS="\
-p 127.0.0.1:3002:80 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-shibboleth-sp-v3' \
-e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
-e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
-e 'SP_HANDLER_BASE_PATH=/auth/saml' \
-e 'APACHE_FORCE_HTTPS={{ "true" if haproxy_public_base_url.startswith('https') else "false" }}' \
-e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
-v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \

62
templates/haproxy.cfg.j2
View File

@ -39,64 +39,47 @@ frontend http-in
maxconn 2000
acl login_dispatcher path_beg -i /auth/dispatcher
{% if enable_hydra_passwordless %}
acl login_passwordless path_beg -i /auth/passwordless
{% endif %}
{% if enable_hydra_saml %}
acl login_saml path_beg -i /auth/saml
{% endif %}
acl login_dispatcher path_beg -i {{ haproxy_hydra_dispatcher_base_path }}
{% if enable_hydra_passwordless %}
acl login_passwordless path_beg -i {{ haproxy_hydra_passwordless_base_path }}
{% endif %}
{% if enable_hydra_saml %}
acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }}
{% endif %}
use_backend hydra_dispatcher if login_dispatcher
{% if enable_hydra_passwordless %}
{% if enable_hydra_passwordless %}
use_backend hydra_passwordless if login_passwordless
{% endif %}
{% if enable_hydra_saml %}
{% endif %}
{% if enable_hydra_saml %}
use_backend hydra_saml if login_saml
{% endif %}
{% endif %}
use_backend hydra
option forwardfor
http-request set-header X-Forwarded-Proto {{ haproxy_forwarded_proto }}
http-request set-header X-Forwarded-Host {{ haproxy_forwarded_host }}
http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
# Backend Hydra
backend hydra
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra 127.0.0.1:4444 check
# Backend Hydra Dispatcher
backend hydra_dispatcher
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/dispatcher dans l'URL
http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
http-request set-path %[path,regsub(^{{ haproxy_hydra_dispatcher_base_path }}/,/)]
server hydra-login-dispatcher 127.0.0.1:3000 check
{% if enable_hydra_passwordless %}
# Backend Hydra Passwordless
backend hydra_passwordless
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/passwordless dans l'URL
http-request set-path %[path,regsub(^/auth/passwordless,)]
http-request set-path %[path,regsub(^{{ haproxy_hydra_passwordless_base_path }},)]
server hydra-login-passwordless 127.0.0.1:3001 check
{%- endif %}
@ -104,12 +87,5 @@ backend hydra_passwordless
# Backend Hydra SAML
backend hydra_saml
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra-login-saml 127.0.0.1:3002 check
{%- endif %}

2
templates/hydra-client.json.j2
View File

@ -1,7 +1,7 @@
{
"client_id": {{ item.client_id | to_json }},
"client_name": {{ item.client_name | default(item.client_id) | to_json }},
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32')) | to_json }},
"client_secret": {{ item.client_secret | default(lookup('ansible.builtin.password', '/dev/null chars=ascii_lowercase,digits length=32 seed=inventory_hostname')) | to_json }},
"grant_types": {{ item.grant_types | default(["authorization_code","refresh_token"]) | to_json }},
"jwks": {},
"metadata": {},

12
templates/hydra-dispatcher-apps.yml.j2
View File

@ -4,9 +4,9 @@ hydra:
- id: passwordless
title: "{{ hydra_passwordless_app_title }}"
description: "{{ hydra_passwordless_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email
@ -16,9 +16,9 @@ hydra:
- id: saml
title: "{{ hydra_saml_app_title }}"
description: "{{ hydra_saml_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login
consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent
logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email