Cadoles
/
ansible-role-sso
10
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

feat: multiple fixes and enhancements

This commit is contained in:
wpetit 2022-08-03 21:06:02 +02:00
parent cd86b6d29a
commit cd4c8ceabe
10 changed files with 56 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
defaults/main.yml
View File

@ -23,6 +23,8 @@ hydra_database_port: 3306
# HAProxy configuration # HAProxy configuration
haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }} haproxy_public_base_url: http://{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}
haproxy_hydra_base_path: /auth
haproxy_hydra_dispatcher_base_path: /auth/dispatcher haproxy_hydra_dispatcher_base_path: /auth/dispatcher
haproxy_hydra_passwordless_base_path: /auth/passwordless haproxy_hydra_passwordless_base_path: /auth/passwordless
haproxy_hydra_saml_base_path: /auth/saml haproxy_hydra_saml_base_path: /auth/saml
@ -34,7 +36,7 @@ haproxy_forwarded_port: "%[dst_port]"
# Hydra OIDC configuration # Hydra OIDC configuration
hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}" hydra_urls_self_issuer_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_base_path }}"
hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent" hydra_urls_consent: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/consent"
hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login" hydra_urls_login: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/login"
hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout" hydra_urls_logout: "{{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}/logout"
@ -70,6 +72,9 @@ hydra_passwordless_smtp_insecure_skip_verify: no
hydra_passwordless_smtp_use_start_tls: no hydra_passwordless_smtp_use_start_tls: no
hydra_passwordless_sender_address: noreply@localhost hydra_passwordless_sender_address: noreply@localhost
hydra_passwordless_sender_name: "[hydra-passwordless]" hydra_passwordless_sender_name: "[hydra-passwordless]"
hydra_passwordless_attributes_rewrite_rules:
email:
- consent.session.id_token.email
# Hydra SAML configuration # Hydra SAML configuration
@ -82,8 +87,15 @@ hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
hydra_saml_allowed_redirects: [] hydra_saml_allowed_redirects: []
hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}" hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}"
hydra_saml_debug: no hydra_saml_debug: no
hydra_saml_sp_log_level: WARN
hydra_saml_include_sp_default_attributes_mapping: "yes"
hydra_saml_include_sp_default_attributes_policy: "yes"
hydra_saml_attributes_rewrite_rules:
email:
- consent.session.id_token.email
hydra_saml_subject_header: subject-id
hydra_saml_subject_header: REMOTE_USER
hydra_saml_headers_attributes_mapping: hydra_saml_headers_attributes_mapping:
- header: mail - header: mail
attribute: email attribute: email
@ -97,6 +109,8 @@ saml_attributes:
name: urn:oid:0.9.2342.19200300.100.1.3 name: urn:oid:0.9.2342.19200300.100.1.3
nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri nameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
saml_attribute_policies: []
# OIDC Test configuration # OIDC Test configuration
enable_oidc_test_app: yes enable_oidc_test_app: yes

9
tasks/hydra-saml.yml
View File

@ -13,11 +13,14 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items: with_items:
- src: cadoles-pod-hydra-remote-user-v1.conf.j2 - src: cadoles-pod-hydra-remote-user-v1.conf.j2
dest: /etc/cadoles-pod-hydra-remote-user-v1.conf dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
mode: u=rw,g=r
- src: hydra-remote-user.yml.j2 - src: hydra-remote-user.yml.j2
dest: /etc/hydra-remote-user/conf.d/remote-user.yml dest: /etc/hydra-remote-user/conf.d/remote-user.yml
mode: u=rw,g=r,o=r
notify: notify:
- Restart cadoles-pod-hydra-remote-user-v1 - Restart cadoles-pod-hydra-remote-user-v1
become: true become: true
@ -43,11 +46,17 @@
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items: with_items:
- src: cadoles-pod-shibboleth-sp-v3.conf.j2 - src: cadoles-pod-shibboleth-sp-v3.conf.j2
dest: /etc/cadoles-pod-shibboleth-sp-v3.conf dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
mode: u=rw,g=r,o=r
- src: shibboleth-attribute-map.inc.xml.j2 - src: shibboleth-attribute-map.inc.xml.j2
dest: /etc/shibboleth/attribute-map.inc.xml dest: /etc/shibboleth/attribute-map.inc.xml
mode: u=rw,g=r,o=r
- src: shibboleth-attribute-policy.inc.xml.j2
dest: /etc/shibboleth/attribute-policy.inc.xml
mode: u=rw,g=r,o=r
notify: notify:
- Restart cadoles-pod-shibboleth-sp-v3 - Restart cadoles-pod-shibboleth-sp-v3
become: true become: true

3
tasks/main.yml
View File

@ -75,11 +75,14 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items: with_items:
- src: cadoles-pod-hydra-dispatcher-v1.conf.j2 - src: cadoles-pod-hydra-dispatcher-v1.conf.j2
dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf
mode: u=rw,g=r
- src: hydra-dispatcher-apps.yml.j2 - src: hydra-dispatcher-apps.yml.j2
dest: /etc/hydra-dispatcher/conf.d/apps.yml dest: /etc/hydra-dispatcher/conf.d/apps.yml
mode: u=rw,g=r,o=r
notify: notify:
- Restart cadoles-pod-hydra-dispatcher-v1 - Restart cadoles-pod-hydra-dispatcher-v1
become: true become: true

2
tasks/stop-oidc-test.yml
View File

@ -1,4 +1,4 @@
- name: Create oidc-test OpenID Connect client configuration - name: Remove oidc-test OpenID Connect client configuration
file: file:
path: "/etc/hydra/clients.d/{{ oidc_test_app_client_id }}.json" path: "/etc/hydra/clients.d/{{ oidc_test_app_client_id }}.json"
state: absent state: absent

1
templates/cadoles-pod-hydra-remote-user-v1.conf.j2
View File

@ -4,6 +4,7 @@ PODMAN_ARGS="\
--replace --name 'cadoles-pod-hydra-remote-user-v1' \ --replace --name 'cadoles-pod-hydra-remote-user-v1' \
-v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \ -v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \ -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
-v /etc/hosts:/etc/hosts:ro \
-e APP_ENV=prod \ -e APP_ENV=prod \
-e 'APP_DEBUG={{ hydra_saml_debug }}' \ -e 'APP_DEBUG={{ hydra_saml_debug }}' \
-e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \ -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \

4
templates/cadoles-pod-shibboleth-sp-v3.conf.j2
View File

@ -3,6 +3,7 @@ PODMAN_ARGS="\
--network=slirp4netns:allow_host_loopback=true \ --network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-shibboleth-sp-v3' \ --replace --name 'cadoles-pod-shibboleth-sp-v3' \
-e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \ -e 'SP_ENTITY_ID={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \
-e 'SP_LOG_LEVEL={{ hydra_saml_sp_log_level }}' \
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \ -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \ -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \ -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
@ -10,6 +11,9 @@ PODMAN_ARGS="\
-e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \ -e 'SP_HANDLER_BASE_PATH={{ haproxy_hydra_saml_base_path }}' \
-e 'SP_SESSIONS_REDIRECT_LIMIT=host+allow' \ -e 'SP_SESSIONS_REDIRECT_LIMIT=host+allow' \
-e 'SP_SESSIONS_REDIRECT_ALLOW={{ hydra_saml_allowed_redirects | join(',') }}' \ -e 'SP_SESSIONS_REDIRECT_ALLOW={{ hydra_saml_allowed_redirects | join(',') }}' \
-e 'SP_INCLUDE_DEFAULT_ATTRIBUTES_MAPPING={{ hydra_saml_include_sp_default_attributes_mapping }}' \
-e 'SP_INCLUDE_DEFAULT_ATTRIBUTES_POLICY={{ hydra_saml_include_sp_default_attributes_policy }}' \
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \ -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
-v '/etc/shibboleth/attribute-policy.inc.xml:/etc/shibboleth/attribute-policy.inc.xml' \
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \ -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
" "

1
templates/haproxy.cfg.j2
View File

@ -71,6 +71,7 @@ http-request set-header X-Forwarded-Port {{ haproxy_forwarded_port }}
# Backend Hydra # Backend Hydra
backend hydra backend hydra
balance roundrobin balance roundrobin
http-request set-path %[path,regsub(^{{ haproxy_hydra_base_path }},)]
server hydra 127.0.0.1:4444 check server hydra 127.0.0.1:4444 check
# Backend Hydra Dispatcher # Backend Hydra Dispatcher

8
templates/hydra-dispatcher-apps.yml.j2
View File

@ -7,9 +7,7 @@ hydra:
login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login" login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login"
consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent" consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent"
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout" logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout"
attributes_rewrite_rules: attributes_rewrite_rules: {{ hydra_passwordless_attributes_rewrite_rules | to_json }}
email:
- consent.session.id_token.email
icon_url: "{{ hydra_passwordless_app_icon_url }}" icon_url: "{{ hydra_passwordless_app_icon_url }}"
{% endif %} {% endif %}
{% if enable_hydra_saml %} {% if enable_hydra_saml %}
@ -19,8 +17,6 @@ hydra:
login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login" login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login"
consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent" consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent"
logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout" logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout"
attributes_rewrite_rules: attributes_rewrite_rules: {{ hydra_saml_attributes_rewrite_rules | to_json }}
email:
- consent.session.id_token.email
icon_url: "{{ hydra_saml_app_icon_url }}" icon_url: "{{ hydra_saml_app_icon_url }}"
{% endif %} {% endif %}

6
templates/shibboleth-attribute-map.inc.xml.j2
View File

@ -1,3 +1,7 @@
{% for item in saml_attributes %} {% for item in saml_attributes %}
<Attribute name="{{ item.name }}" nameFormat="{{ item.nameFormat }}" id="{{ item.id }}" /> <Attribute {% for key,value in item.items() %}{% if value is not mapping %}{{ key }}="{{ value }}" {% endif %}{% endfor %}>
{% if item.attributeDecoder is defined %}
<AttributeDecoder {% for key,value in item.attributeDecoder.items() %}{{ key }}="{{ value }}" {% endfor %}/>
{% endif %}
</Attribute>
{% endfor %} {% endfor %}

14
templates/shibboleth-attribute-policy.inc.xml.j2 Normal file
View File

@ -0,0 +1,14 @@
{%- macro xmlnode(node) -%}
<{{node.tag}}{% if node.attributes is defined %}{% for key,value in node.attributes.items() %} {{ key }}="{{ value }}"{% endfor %}{% endif %}{% if node.children is not defined %}/{% endif %}>
{% if node.children is defined %}
{% for child in node.children %}
{{ xmlnode(child) }}
{% endfor %}
{% endif %}
{% if node.children is defined %}
</{{node.tag}}>
{% endif %}
{%- endmacro -%}
{%- for node in saml_attribute_policies %}
{{ xmlnode(node) }}
{% endfor -%}