From cd4c8ceabe0d770740b56236d02b1a8eac6453e5 Mon Sep 17 00:00:00 2001
From: William Petit
Date: Wed, 3 Aug 2022 21:06:02 +0200
Subject: [PATCH] feat: multiple fixes and enhancements
---
 defaults/main.yml | 18 ++++++++++++++++--
 tasks/hydra-saml.yml | 9 +++++++++
 tasks/main.yml | 3 +++
 tasks/stop-oidc-test.yml | 2 +-
 .../cadoles-pod-hydra-remote-user-v1.conf.j2 | 1 +
 templates/cadoles-pod-shibboleth-sp-v3.conf.j2 | 4 ++++
 templates/haproxy.cfg.j2 | 1 +
 templates/hydra-dispatcher-apps.yml.j2 | 8 ++------
 templates/shibboleth-attribute-map.inc.xml.j2 | 6 +++++-
 .../shibboleth-attribute-policy.inc.xml.j2 | 14 ++++++++++++++
 10 files changed, 56 insertions(+), 10 deletions(-)
 create mode 100644 templates/shibboleth-attribute-policy.inc.xml.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index fac6c69..a783029 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,6 +23,8 @@ hydra_database_port: 3306
 # HAProxy configuration
 haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
+
+haproxy_hydra_base_path: /auth
 haproxy_hydra_dispatcher_base_path: /auth/dispatcher
 haproxy_hydra_passwordless_base_path: /auth/passwordless
 haproxy_hydra_saml_base_path: /auth/saml
@@ -34,7 +36,7 @@ haproxy_forwarded_port: "%[dst_port]"
 # Hydra OIDC configuration
-hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}"
+hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}"
 hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
 hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
 hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
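Review bot: `hydra_urls_self_issuer_url` now carries `haproxy_hydra_base_path`, which changes the OIDC issuer (the `iss` claim and the discovery URL) for every deployment that keeps the defaults, and neither the variable nor the commit message says so. Relying parties configured with the old issuer will reject tokens after the role is re-run, and the `/auth` prefix only reaches Hydra once the new `set-path` rule in templates/haproxy.cfg.j2 from this same patch is deployed, so the two changes presumably have to land together. A one-line comment above the variable would make the coupling explicit: `# OIDC issuer; changing haproxy_hydra_base_path changes the iss claim and discovery URL, so relying parties must be reconfigured`. The first hunk introduces `haproxy_hydra_base_path` with no comment on what it prefixes; `# Path prefix under which HAProxy exposes Hydra (stripped before proxying)` would do.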
@@ -70,6 +72,9 @@ hydra_passwordless_smtp_insecure_skip_verify: no
 hydra_passwordless_smtp_use_start_tls: no
 hydra_passwordless_sender_address: noreply@localhost
 hydra_passwordless_sender_name: "[hydra-passwordless]"
+hydra_passwordless_attributes_rewrite_rules:
+ email:
+ - consent.session.id_token.email
 # Hydra SAML configuration
@@ -82,8 +87,15 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
 hydra_saml_allowed_redirects: []
 hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}"
 hydra_saml_debug: no
+hydra_saml_sp_log_level: WARN
+hydra_saml_include_sp_default_attributes_mapping: "yes"
+hydra_saml_include_sp_default_attributes_policy: "yes"
+hydra_saml_attributes_rewrite_rules:
+ email:
+ - consent.session.id_token.email
-hydra_saml_subject_header: subject-id
+
+hydra_saml_subject_header: REMOTE_USER
 hydra_saml_headers_attributes_mapping:
 - header: mail
 attribute: email
@@ -97,6 +109,8 @@ saml_attributes:
 name: urn:oid:0.9.2342.19200300.100.1.3
 nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
+saml_attribute_policies: []
+
 # OIDC Test configuration
 enable_oidc_test_app: yes
diff --git a/tasks/hydra-saml.yml b/tasks/hydra-saml.yml
index f43b906..6a8ca43 100644
--- a/tasks/hydra-saml.yml
+++ b/tasks/hydra-saml.yml
@@ -13,11 +13,14 @@
 template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
 with_items:
 - src: cadoles-pod-hydra-remote-user-v1.conf.j2
 dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
+ mode: u=rw,g=r
 - src: hydra-remote-user.yml.j2
 dest: /etc/hydra-remote-user/conf.d/remote-user.yml
+ mode: u=rw,g=r,o=r
 notify:
 - Restart cadoles-pod-hydra-remote-user-v1
 become: true
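Review bot: `hydra_saml_subject_header` switches from `subject-id` to `REMOTE_USER`, so the subject of every SAML login is now whatever that header carries when the request reaches hydra-remote-user, and the hunk does not say which component is expected to set it. If it is populated by the Shibboleth SP (the `APACHE_BACKEND_URL` setting in templates/cadoles-pod-shibboleth-sp-v3.conf.j2 suggests the SP proxies to the backend), the role should guarantee that the backend is only reachable through the SP and that any `REMOTE_USER` header arriving from a client is dropped or overwritten before proxying; neither is visible in this diff, so it is something to confirm rather than a defect I can point to. A comment above the variable would record the trust boundary: `# Header set by the Shibboleth SP after authentication; must never be accepted from the client`.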
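Review bot: `mode: "{{ item.mode }}"` makes `mode` mandatory for every `with_items` entry, so an entry without it now fails the task with an undefined-variable error instead of keeping the file's previous permissions; the same pattern is in the second hunk of this file and in tasks/main.yml. `mode: "{{ item.mode | default(omit) }}"` keeps the tightening for entries that declare a mode and leaves the others untouched. The modes are also set without `owner`/`group`, so `g=r` on /etc/cadoles-pod-hydra-remote-user-v1.conf grants read to whatever group the file happens to have; if the goal is to keep the pod's environment away from unprivileged users, pinning `owner: root` and `group: root` next to `mode` would make that explicit, though I cannot tell the intended owner from the diff.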
@@ -43,11 +46,17 @@
 ansible.builtin.template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
 with_items:
 - src: cadoles-pod-shibboleth-sp-v3.conf.j2
 dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
+ mode: u=rw,g=r,o=r
 - src: shibboleth-attribute-map.inc.xml.j2
 dest: /etc/shibboleth/attribute-map.inc.xml
+ mode: u=rw,g=r,o=r
+ - src: shibboleth-attribute-policy.inc.xml.j2
+ dest: /etc/shibboleth/attribute-policy.inc.xml
+ mode: u=rw,g=r,o=r
 notify:
 - Restart cadoles-pod-shibboleth-sp-v3
 become: true
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index e9b08cd..7b28807 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,11 +75,14 @@
 template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
 with_items:
 - src: cadoles-pod-hydra-dispatcher-v1.conf.j2
 dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf
+ mode: u=rw,g=r
 - src: hydra-dispatcher-apps.yml.j2
 dest: /etc/hydra-dispatcher/conf.d/apps.yml
+ mode: u=rw,g=r,o=r
 notify:
 - Restart cadoles-pod-hydra-dispatcher-v1
 become: true
diff --git a/tasks/stop-oidc-test.yml b/tasks/stop-oidc-test.yml
index bf0384c..24a699b 100644
--- a/tasks/stop-oidc-test.yml
+++ b/tasks/stop-oidc-test.yml
@@ -1,4 +1,4 @@
-- name: Create oidc-test OpenID Connect client configuration
+- name: Remove oidc-test OpenID Connect client configuration
 file:
 path: "/etc/hydra/clients.d/{{ oidc_test_app_client_id }}.json"
 state: absent
diff --git a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
index d290aed..f21355a 100644
--- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
@@ -4,6 +4,7 @@ PODMAN_ARGS="\
 --replace --name 'cadoles-pod-hydra-remote-user-v1' \
 -v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \
 -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
+ -v /etc/hosts:/etc/hosts:ro \
 -e APP_ENV=prod \
 -e 'APP_DEBUG={{ hydra_saml_debug }}' \
 -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
diff --git a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2 b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
index 72816b1..8fae66e 100644
--- a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
@@ -3,6 +3,7 @@ PODMAN_ARGS="\
 --network=slirp4netns:allow_host_loopback=true \
 --replace --name 'cadoles-pod-shibboleth-sp-v3' \
 -e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
+ -e 'SP_LOG_LEVEL={{ hydra_saml_sp_log_level }}' \
 -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
 -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
 -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
@@ -10,6 +11,9 @@ PODMAN_ARGS="\
 -e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
 -e 'SP_SESSIONS_REDIRECT_LIMIT=host+allow' \
 -e 'SP_SESSIONS_REDIRECT_ALLOW={{ hydra_saml_allowed_redirects | join(',') }}' \
+ -e 'SP_INCLUDE_DEFAULT_ATTRIBUTES_MAPPING={{ hydra_saml_include_sp_default_attributes_mapping }}' \
+ -e 'SP_INCLUDE_DEFAULT_ATTRIBUTES_POLICY={{ hydra_saml_include_sp_default_attributes_policy }}' \
 -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
+ -v '/etc/shibboleth/attribute-policy.inc.xml:/etc/shibboleth/attribute-policy.inc.xml' \
 -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
 "
\ No newline at end of file
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index fb6acc3..036792f 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
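Review bot: the new `-v /etc/hosts:/etc/hosts:ro` bind mount has no comment explaining why the container needs the host's name resolution, and nothing else in PODMAN_ARGS hints at it (presumably so the backend resolves the same hostnames as the host, but I cannot confirm that from the diff). Marking it read-only is the right choice; the two config mounts on the lines just above (`conf.d` and `apache.conf`) are still mounted read-write although the container presumably only reads them, so appending `:ro` to those as well would limit what a compromised container process could alter. A template comment such as `# share the host's name resolution with the container (read-only)` above the new line would capture the intent. The PODMAN_ARGS assignment starts and ends outside the hunk.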
@@ -71,6 +71,7 @@ http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
 # Backend Hydra
 backend hydra
 balance roundrobin
+ http-request set-path %[path,regsub(^{{ haproxy_hydra_base_path }},)]
 server hydra 127.0.0.1:4444 check
 # Backend Hydra Dispatcher
diff --git a/templates/hydra-dispatcher-apps.yml.j2 b/templates/hydra-dispatcher-apps.yml.j2
index 8f1b77a..d12286b 100644
--- a/templates/hydra-dispatcher-apps.yml.j2
+++ b/templates/hydra-dispatcher-apps.yml.j2
@@ -7,9 +7,7 @@ hydra:
 login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login"
 consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent"
 logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout"
- attributes_rewrite_rules:
- email:
- - consent.session.id_token.email
+ attributes_rewrite_rules: {{ hydra_passwordless_attributes_rewrite_rules | to_json }}
 icon_url: "{{ hydra_passwordless_app_icon_url }}"
 {% endif %}
 {% if enable_hydra_saml %}
@@ -19,8 +17,6 @@ hydra:
 login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login"
 consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent"
 logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout"
- attributes_rewrite_rules:
- email:
- - consent.session.id_token.email
+ attributes_rewrite_rules: {{ hydra_saml_attributes_rewrite_rules | to_json }}
 icon_url: "{{ hydra_saml_app_icon_url }}"
 {% endif %}
\ No newline at end of file
diff --git a/templates/shibboleth-attribute-map.inc.xml.j2 b/templates/shibboleth-attribute-map.inc.xml.j2
index a9027d9..5750d22 100644
--- a/templates/shibboleth-attribute-map.inc.xml.j2
+++ b/templates/shibboleth-attribute-map.inc.xml.j2
@@ -1,3 +1,7 @@
 {% for item in saml_attributes %}
-
+
+ {% if item.attributeDecoder is defined %}
+
+ {% endif %}
+
 {% endfor %}
\ No newline at end of file
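Review bot: `regsub(^{{ haproxy_hydra_base_path }},)` interpolates the base path into a regular expression unescaped, so any regex metacharacter in `haproxy_hydra_base_path` (a `.` or `+` in a custom prefix) widens what gets stripped, and an empty value turns the rule into a no-op without any warning. `http-request set-path %[path,regsub(^{{ haproxy_hydra_base_path | regex_escape }},)]` keeps the intended literal-prefix match for the default `/auth` and for any other prefix. The rule strips the prefix from every request that reaches the `hydra` backend; whether only prefixed paths are routed there depends on the frontend ACLs, which are outside the hunk, and a short comment such as `# strip the public prefix so Hydra sees its routes at /` above the new line would help the next reader.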
diff --git a/templates/shibboleth-attribute-policy.inc.xml.j2 b/templates/shibboleth-attribute-policy.inc.xml.j2
new file mode 100644
index 0000000..b405e65
--- /dev/null
+++ b/templates/shibboleth-attribute-policy.inc.xml.j2
@@ -0,0 +1,14 @@
+{%- macro xmlnode(node) -%}
+<{{node.tag}}{% if node.attributes is defined %}{% for key,value in node.attributes.items() %} {{ key }}="{{ value }}"{% endfor %}{% endif %}{% if node.children is not defined %}/{% endif %}>
+{% if node.children is defined %}
+{% for child in node.children %}
+ {{ xmlnode(child) }}
+{% endfor %}
+{% endif %}
+{% if node.children is defined %}
+
+{% endif %}
+{%- endmacro -%}
+{%- for node in saml_attribute_policies %}
+{{ xmlnode(node) }}
+{% endfor -%}
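Review bot: the `xmlnode` macro writes `node.tag`, attribute keys and attribute values into the XML verbatim on line 2 of the new file, so a value containing `"`, `<` or `&` (attribute-filter rules may carry regular expressions or URNs) produces a malformed attribute-policy.inc.xml and a failed SP reload, and Ansible's Jinja does not auto-escape for you. `{{ key }}="{{ value | e }}"` fixes the attribute values; the same filter on `{{ node.tag }}` is warranted if tags can come from the inventory. Separately, the two consecutive `{% if node.children is defined %}` blocks (lines 3-10) can be one block, and the two-space indent before `{{ xmlnode(child) }}` only indents the first line of a nested node's output; neither changes the parsed XML. Line 9 shows as an empty added line in this rendering, so I could not check the closing tag; `saml_attribute_policies` defaults to `[]` in defaults/main.yml, so the file renders empty unless the inventory sets it, which a header comment in the template should say.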