From cd86b6d29ae29019c3b66911eeb9fcab98052e76 Mon Sep 17 00:00:00 2001 From: William Petit Date: Tue, 2 Aug 2022 16:56:06 +0200 Subject: [PATCH] =?UTF-8?q?Possibilit=C3=A9=20de=20personnaliser=20les=20v?= =?UTF-8?q?ariables=20COOKIE=5FPATH=20d'hydra-dispatcher=20&=20hydra-remot?= =?UTF-8?q?e-user?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- defaults/main.yml | 7 +++++++ tasks/main.yml | 8 ++++++-- tasks/{oidc-test.yml => start-oidc-test.yml} | 0 tasks/stop-oidc-test.yml | 13 +++++++++++++ templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 | 4 ++-- templates/cadoles-pod-hydra-remote-user-v1.conf.j2 | 4 ++-- templates/hydra-dispatcher-apps.yml.j2 | 12 ++++++------ 7 files changed, 36 insertions(+), 12 deletions(-) rename tasks/{oidc-test.yml => start-oidc-test.yml} (100%) create mode 100644 tasks/stop-oidc-test.yml diff --git a/defaults/main.yml b/defaults/main.yml index 73e73bf..fac6c69 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -51,6 +51,11 @@ hydra_clients: - client_id: default-client client_name: Default client +# Hydra dispatcher configuration + +hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}" +hydra_dispatcher_debug: no + # Hydra Passwordless configuration enable_hydra_passwordless: yes @@ -75,6 +80,8 @@ hydra_saml_app_icon_url: hydra_saml_idp_entity_id: https://samltest.id/saml/idp hydra_saml_idp_metadata_url: https://samltest.id/saml/idp hydra_saml_allowed_redirects: [] +hydra_saml_cookie_path: "{{ haproxy_hydra_saml_base_path }}" +hydra_saml_debug: no hydra_saml_subject_header: subject-id hydra_saml_headers_attributes_mapping: diff --git a/tasks/main.yml b/tasks/main.yml index d2115ff..e9b08cd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
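Review bot: `hydra_dispatcher_cookie_path` is introduced without any comment on what widening it means, although it is passed straight into the dispatcher pod as `COOKIE_PATH` and presumably becomes the `Path` attribute of the dispatcher's session cookie; a comment above it such as `# Path attribute of the dispatcher session cookie; anything broader than the base path (e.g. "/") sends it to every other app served on the same origin` would make the trade-off visible to whoever overrides it, and the same applies to `hydra_saml_cookie_path` in the second hunk. `hydra_dispatcher_debug: no` also deserves a note that it replaces the `APP_DEBUG=yes` previously hard-coded in the dispatcher template, so the default now disables debug output in prod — something like `# Debug mode typically exposes stack traces and internal configuration; keep it off outside development`. Finally, `no` is a YAML 1.1 boolean that Jinja renders as `False` when interpolated into the templates; `false` is the unambiguous spelling, though the file's existing `enable_*: yes` keys use the same 1.1 form, so this is consistency with the file rather than a new defect.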
@@ -92,6 +92,10 @@ ansible.builtin.include_tasks: hydra-saml.yml when: enable_hydra_saml -- name: Sart OIDC Test app if enabled - ansible.builtin.include_tasks: oidc-test.yml +- name: Start OIDC Test app if enabled + ansible.builtin.include_tasks: start-oidc-test.yml when: enable_oidc_test_app + +- name: Stop OIDC Test app if disabled + ansible.builtin.include_tasks: stop-oidc-test.yml + when: not enable_oidc_test_app \ No newline at end of file diff --git a/tasks/oidc-test.yml b/tasks/start-oidc-test.yml similarity index 100% rename from tasks/oidc-test.yml rename to tasks/start-oidc-test.yml diff --git a/tasks/stop-oidc-test.yml b/tasks/stop-oidc-test.yml new file mode 100644 index 0000000..bf0384c --- /dev/null +++ b/tasks/stop-oidc-test.yml @@ -0,0 +1,13 @@ +- name: Create oidc-test OpenID Connect client configuration + file: + path: "/etc/hydra/clients.d/{{ oidc_test_app_client_id }}.json" + state: absent + notify: + - Reload hydra clients + become: true + +- name: Stop oidc-test app + containers.podman.podman_container: + name: oidc-test + state: absent + become: true \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 index 8c5665e..78a8893 100644 --- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 +++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 
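Review bot: The first task in tasks/stop-oidc-test.yml is named `Create oidc-test OpenID Connect client configuration` but its `file` call uses `state: absent`, so the name states the opposite of what the task does and will mislead anyone reading play output; rename it to `- name: Remove oidc-test OpenID Connect client configuration`. The two tasks also mix a short module name (`file:`) with a fully qualified one (`containers.podman.podman_container:`); `ansible.builtin.file:` keeps the file consistent. The new file has no `---` document start and no trailing newline (the same `\ No newline at end of file` marker appears on the tasks/main.yml hunk and on the dispatcher template hunk in this commit).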
@@ -5,12 +5,12 @@ PODMAN_ARGS="\ -p 127.0.0.1:3000:80 \ -v /etc/hydra-dispatcher/conf.d:/var/www/config/hydra \ -e APP_ENV=prod \ - -e APP_DEBUG=yes \ + -e 'APP_DEBUG={{ hydra_dispatcher_debug }}' \ -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \ -e HYDRA_BASE_URL=http://10.0.2.2:4444 \ -e HYDRA_REWRITE_ISSUER=no \ -e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \ -e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \ -e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \ - -e 'COOKIE_PATH={{ haproxy_hydra_dispatcher_base_path }}' \ + -e 'COOKIE_PATH={{ hydra_dispatcher_cookie_path }}' \ " \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 index e4c3e23..d290aed 100644 --- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 +++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2 @@ -5,9 +5,9 @@ PODMAN_ARGS="\ -v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \ -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \ -e APP_ENV=prod \ - -e APP_DEBUG=no \ + -e 'APP_DEBUG={{ hydra_saml_debug }}' \ -e 'HTTP_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}' \ - -e COOKIE_PATH={{ haproxy_hydra_saml_base_path }} \ + -e 'COOKIE_PATH={{ hydra_saml_cookie_path }}' \ -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \ -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \ -e 'LOGOUT_REDIRECT_URL_PATTERN={{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/Shibboleth.sso/Logout?return=%s' \ diff --git a/templates/hydra-dispatcher-apps.yml.j2 b/templates/hydra-dispatcher-apps.yml.j2 index 4c43e82..8f1b77a 100644 --- a/templates/hydra-dispatcher-apps.yml.j2 +++ b/templates/hydra-dispatcher-apps.yml.j2 
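Review bot: `-e 'APP_DEBUG={{ hydra_dispatcher_debug }}'` no longer passes the `yes`/`no` token the old line did: the default `hydra_dispatcher_debug: no` is a YAML boolean, so Jinja renders the variable as `False` (and `True` when enabled), and whether the application's boolean parsing accepts that spelling is not shown here — the previously hard-coded `yes`/`no` values suggest it expects those. Rendering it explicitly with `-e 'APP_DEBUG={{ hydra_dispatcher_debug | ternary('yes', 'no') }}' \` gives the same wire value whether the operator sets a boolean or a string, and the same applies to `APP_DEBUG={{ hydra_saml_debug }}` in the hydra-remote-user hunk below. Note that for the dispatcher this hunk also turns debug off by default where it was previously forced on in prod, which is the right direction but is not mentioned in the commit message.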
@@ -4,9 +4,9 @@ hydra: - id: passwordless title: "{{ hydra_passwordless_app_title }}" description: "{{ hydra_passwordless_app_description }}" - login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login - consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent - logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout + login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login" + consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent" + logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout" attributes_rewrite_rules: email: - consent.session.id_token.email @@ -16,9 +16,9 @@ hydra: - id: saml title: "{{ hydra_saml_app_title }}" description: "{{ hydra_saml_app_description }}" - login_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login - consent_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent - logout_url: {{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout + login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login" + consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent" + logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout" attributes_rewrite_rules: email: - consent.session.id_token.email
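Review bot: The double quotes added around `login_url`, `consent_url` and `logout_url` fix the plain-scalar parsing but only hold as long as `haproxy_public_base_url` and the base-path variables contain no `"` or `\`; since this file is YAML rendered from text, a value containing either would still yield invalid YAML or a truncated URL. Emitting each value through Ansible's `to_json` filter, e.g. `login_url: {{ (haproxy_public_base_url ~ haproxy_hydra_passwordless_base_path ~ '/login') | to_json }}`, produces a correctly escaped double-quoted scalar for any input, and the same applies to the three lines of the saml app in the second hunk. The existing quoting of `title:` and `description:` above the changed lines has the same limitation but is outside this change.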