feat: initial commit

2022-07-19 14:26:08 +02:00
commit f93f90f594
20 changed files with 914 additions and 0 deletions
--- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2
@ -0,0 +1,16 @@
+PODMAN_ARGS="\
+    --name 'cadoles-pod-hydra-dispatcher-v1' \
+    --replace \
+    --network=slirp4netns:allow_host_loopback=true \
+    -p 127.0.0.1:3000:80 \
+    -v /etc/hydra-dispatcher/conf.d:/var/www/config/hydra \
+    -e APP_ENV=prod \
+    -e APP_DEBUG=yes \
+    -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
+    -e HYDRA_BASE_URL=http://10.0.2.2:4444 \
+    -e HYDRA_REWRITE_ISSUER=no \
+    -e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
+    -e 'COOKIE_PATH=/auth/dispatcher' \
+"
--- a/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-passwordless-v1.conf.j2
@ -0,0 +1,15 @@
+PODMAN_ARGS="\
+    -p 127.0.0.1:3001:3000 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-hydra-passwordless-v1' \
+    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
+    -e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
+    -e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
+    -e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
+    -e 'SMTP_PASSWORD={{ hydra_passwordless_smtp_password }}' \
+    -e 'SMTP_INSECURE_SKIP_VERIFY={{ hydra_passwordless_smtp_insecure_skip_verify }}' \
+    -e 'SMTP_SENDER_ADDRESS={{ hydra_passwordless_sender_address }}' \
+    -e 'SMTP_USE_START_TLS={{ hydra_passwordless_smtp_use_start_tls }}' \
+    -e 'SMTP_SENDER_NAME={{ hydra_passwordless_sender_name }}' \
+    -e HYDRA_BASE_URL=http://10.0.2.2:3000 \
+"
--- a/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-remote-user-v1.conf.j2
@ -0,0 +1,14 @@
+PODMAN_ARGS="\
+    -p 127.0.0.1:3003:80 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-hydra-remote-user-v1' \
+    -v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \
+    -v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
+    -e APP_ENV=prod \
+    -e APP_DEBUG=no \
+    -e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
+    -e COOKIE_PATH=/auth/saml \
+    -e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
+    -e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
+    -e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
+"
--- a/templates/cadoles-pod-hydra-v1.conf.j2
+++ b/templates/cadoles-pod-hydra-v1.conf.j2
@ -0,0 +1,18 @@
+PODMAN_ARGS="\
+    --name 'cadoles-pod-hydra-v1' \
+    --replace \
+    --network=slirp4netns:allow_host_loopback=true \
+    -p 127.0.0.1:4444:4444 \
+    -p 127.0.0.1:4445:4445 \
+    --tmpfs /tmp \
+    -e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
+    -e LOG_LEVEL=debug \
+    -e LOG_LEAK_SENSITIVE_VALUES=true \
+    -e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
+    -e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
+    -e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
+    -e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
+    -e HYDRA_ALLOW_INSECURE=yes \
+    -e HYDRA_LEVEL=debug \
+    -v /etc/hydra/clients.d:/etc/hydra/clients.d \
+"
--- a/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
+++ b/templates/cadoles-pod-shibboleth-sp-v3.conf.j2
@ -0,0 +1,13 @@
+PODMAN_ARGS="\
+    -p 127.0.0.1:3002:80 \
+    --network=slirp4netns:allow_host_loopback=true \
+    --replace --name 'cadoles-pod-shibboleth-sp-v3' \
+    -e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
+    -e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
+    -e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
+    -e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
+    -e 'SP_HANDLER_BASE_PATH=/auth/saml' \
+    -v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
+    -v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
+    -v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
+"
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
@ -0,0 +1,115 @@
+global
+    log /dev/log	local0
+    log /dev/log	local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+    log	global
+    mode	http
+    option	httplog
+    option	dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+frontend http-in
+    bind 0.0.0.0:80
+    mode http
+    
+    maxconn 2000    
+
+    acl login_dispatcher path_beg -i /auth/dispatcher
+    {% if enable_hydra_passwordless %}
+    acl login_passwordless path_beg -i /auth/passwordless
+    {% endif %}
+    {% if enable_hydra_saml %}
+    acl login_saml path_beg -i /auth/saml
+    {% endif %}
+
+    use_backend hydra_dispatcher if login_dispatcher
+    {% if enable_hydra_passwordless %}
+    use_backend hydra_passwordless if login_passwordless
+    {% endif %}
+    {% if enable_hydra_saml %}
+    use_backend hydra_saml if login_saml
+    {% endif %}
+    use_backend hydra
+
+# Backend Hydra
+backend hydra
+    balance roundrobin
+
+    # Headers HTTP des requêtes
+    option forwardfor
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto http
+    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+    
+    server hydra 127.0.0.1:4444 check
+
+# Backend Hydra Dispatcher
+backend hydra_dispatcher
+    balance roundrobin
+
+    # Headers HTTP des requêtes
+    option forwardfor
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto http
+    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+    # Suppression du préfixe /auth/dispatcher dans l'URL
+    http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
+
+    server hydra-login-dispatcher 127.0.0.1:3000 check
+
+{% if enable_hydra_passwordless %}
+# Backend Hydra Passwordless
+backend hydra_passwordless
+    balance roundrobin
+
+    # Headers HTTP des requêtes
+    option forwardfor
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto http
+    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+    # Suppression du préfixe /auth/passwordless dans l'URL
+    http-request set-path %[path,regsub(^/auth/passwordless,)]
+
+    server hydra-login-passwordless 127.0.0.1:3001 check
+{%- endif %}
+
+{% if enable_hydra_saml %}
+# Backend Hydra SAML
+backend hydra_saml
+    balance roundrobin
+
+    # Headers HTTP des requêtes
+    option forwardfor
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Proto http
+    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+
+    server hydra-login-saml 127.0.0.1:3002 check
+{%- endif %}
--- a/templates/hydra-dispatcher-apps.yml.j2
+++ b/templates/hydra-dispatcher-apps.yml.j2
@ -0,0 +1,26 @@
+hydra:
+  apps:
+{% if enable_hydra_passwordless %}
+    - id: passwordless
+      title: "{{ hydra_passwordless_app_title }}"
+      description: "{{ hydra_passwordless_app_description }}"
+      login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
+      consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
+      logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
+      attributes_rewrite_rules:
+        email:
+          - consent.session.id_token.email
+      icon_url: "{{ hydra_passwordless_app_icon_url }}"
+{% endif %}
+{% if enable_hydra_saml %}
+    - id: saml
+      title: "{{ hydra_saml_app_title }}"
+      description: "{{ hydra_saml_app_description }}"
+      login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
+      consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
+      logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
+      attributes_rewrite_rules:
+        email:
+          - consent.session.id_token.email
+      icon_url: "{{ hydra_saml_app_icon_url }}"
+{% endif %}
--- a/templates/hydra-remote-user.yml.j2
+++ b/templates/hydra-remote-user.yml.j2
@ -0,0 +1,6 @@
+remote_user:
+  subject_header: subject-id
+  headers_attributes_mapping:
+    - header: mail
+      attribute: email
+      required: true
--- a/templates/oidc-test-client.json.j2
+++ b/templates/oidc-test-client.json.j2
@ -0,0 +1,19 @@
+{
+	"client_id": "{{ oidc_test_app_client_id }}",
+	"client_name": "OIDC Test",
+	"client_secret": "{{ oidc_test_app_client_secret }}",
+	"grant_types": [
+		"authorization_code",
+		"refresh_token"
+	],
+	"jwks": {},
+	"metadata": {},
+	"post_logout_redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080"],
+	"redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"],
+	"response_types": [
+		"code"
+	],
+	"logo_uri": "https://www.cadoles.com/images/logo.svg",
+	"scope": "openid profile email",
+	"token_endpoint_auth_method": "client_secret_post"
+}
--- a/templates/shibboleth-attribute-map.inc.xml.j2
+++ b/templates/shibboleth-attribute-map.inc.xml.j2
@ -0,0 +1,2 @@
+<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="uid" />
+<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="mail" />