feat: initial commit

This commit is contained in:
wpetit 2022-07-19 14:26:08 +02:00
commit f93f90f594
20 changed files with 914 additions and 0 deletions

47
defaults/main.yml Normal file
View File

@ -0,0 +1,47 @@
---
# cadoles-pod repository configuration
cadoles_pod_debian_repository_url: https://vulcain.cadoles.com
cadoles_pod_debian_repository: bullseye-dev
cadoles_pod_debian_repository_key_url: https://vulcain.cadoles.com/cadoles.gpg
# Hydra database configuration
hydra_database_name: hydra
hydra_database_user: hydra
hydra_database_password: hydra
hydra_database_host: 10.0.2.2
hydra_database_port: 3306
# Hydra OIDC configuration
public_scheme: http
public_host: "{{ ansible_default_ipv4.address | default(ansible_all_ipv4_addresses[0]) }}"
# Hydra Passwordless configuration
enable_hydra_passwordless: yes
hydra_passwordless_app_title: Adresse courriel
hydra_passwordless_app_description: Authentification via adresse courriel
hydra_passwordless_app_icon_url: https://upload.wikimedia.org/wikipedia/commons/4/48/You%27ve_got_mail.png
hydra_passwordless_smtp_host: smtp-server
hydra_passwordless_smtp_port: 25
hydra_passwordless_smtp_user: smtp-user
hydra_passwordless_smtp_password: smtp-password
hydra_passwordless_smtp_insecure_skip_verify: no
hydra_passwordless_smtp_use_start_tls: no
hydra_passwordless_sender_address: noreply@localhost
hydra_passwordless_sender_name: "[hydra-passwordless]"
# Hydra SAML configuration
enable_hydra_saml: yes
hydra_saml_app_title: SAML
hydra_saml_app_description: Authentification via SAML
hydra_saml_app_icon_url:
hydra_saml_idp_entity_id: https://samltest.id/saml/idp
hydra_saml_idp_metadata_url: https://samltest.id/saml/idp
# OIDC Test configuration
enable_oidc_test_app: yes
oidc_test_app_client_id: oidc-test
oidc_test_app_client_secret: '$oidc-test&123456$'

110
doc/overview.plantuml Normal file
View File

@ -0,0 +1,110 @@
@startuml
!theme vibrant
skinparam linetype ortho
left to right direction
package "External Ports (0.0.0.0)" as ExternalPorts {
interface "tcp/80 (HTTP)" as PortServerHTTP
}
node "SSO Server" as SSOServer {
package "Internal Ports (127.0.0.1)" as InternalPorts {
interface "tcp/4444 (Hydra Public)" as PortHydraPublic
interface "tcp/4445 (Hydra Admin)" as PortHydraAdmin
interface "tcp/3000 (Hydra Dispatcher)" as PortHydraDispatcher
interface "tcp/3001 (Hydra Passwordless)" as PortHydraPasswordless
interface "tcp/3002 (Shibboleth SP)" as PortShibbolethSP
interface "tcp/3003 (Hydra Remote User)" as PortHydraRemoteUser
}
package "Containers" as Containers {
[cadoles-pod-hydra-v1] as ContainerHydra
[cadoles-pod-hydra-dispatcher-v1] as ContainerHydraDispatcher
[cadoles-pod-hydra-passwordless-v1] as ContainerHydraPasswordless
[cadoles-pod-hydra-remote-user-v1] as ContainerHydraRemoteUser
[cadoles-pod-shibboleth-sp-v3] as ContainerShibbolethSP
}
package "Files" as Filesystem {
frame "/etc/haproxy/haproxy.cfg" as HAProxyConfFile
frame "/etc/cadoles-pod-hydra-v1.conf" as HydraConfFile
frame "/etc/cadoles-pod-hydra-dispatcher-v1.conf" as HydraDispatcherConfFile
frame "/etc/hydra-dispatcher/conf.d/*.yml" as HydraDispatcherAppsConfFile
frame "/etc/hydra/clients.d/*.json" as HydraClientConfFile
frame "/etc/cadoles-pod-hydra-remote-user-v1.conf" as HydraRemoteUserConfFile
frame "/etc/hydra-remote-user/conf.d/*.yml" as HydraRemoteUserMappingsConfFile
frame "/etc/cadoles-pod-hydra-passwordless-v1.conf" as HydraPasswordlessConfFile
frame "/etc/cadoles-pod-shibboleth-sp-v3.conf" as ShibbolethSPConfFile
frame "/etc/shibboleth/credentials/*" as ShibbolethSPCredentialsFile
}
package "Packages" as Packages {
[cadoles-pod-hydra-v1] as PackageHydra
[cadoles-pod-hydra-dispatcher-v1] as PackageHydraDispatcher
[cadoles-pod-hydra-remote-user-v1] as PackageHydraRemoteUser
[cadoles-pod-hydra-shibboleth-sp-v3] as PackageShibbolethSP
[cadoles-pod-hydra-passwordless-v1] as PackageHydraPasswordless
[haproxy] as PackageHAProxy
}
package "Services" as Services {
[cadoles-pod-hydra-v1] as ServiceHydra
[cadoles-pod-hydra-dispatcher-v1] as ServiceHydraDispatcher
[cadoles-pod-shibboleth-sp-v3] as ServiceShibbolethSP
[cadoles-pod-hydra-remote-user-v1] as ServiceHydraRemoteUser
[cadoles-pod-hydra-passwordless-v1] as ServiceHydraPasswordless
[haproxy] as ServiceHAProxy
}
PackageHAProxy ..up.> PortServerHTTP: binds
ServiceHAProxy ...> PortHydraPublic : exposes (/)
ServiceHAProxy ...> PortHydraDispatcher : exposes (/auth/dispatcher)
ServiceHAProxy ...> PortHydraPasswordless : exposes (/auth/passwordless)
ServiceHAProxy ...> PortShibbolethSP : exposes (/auth/saml)
ContainerHydra ...> PortHydraPublic : binds
ContainerHydra ...> PortHydraAdmin : binds
ContainerHydraDispatcher ...> PortHydraDispatcher : binds
ContainerShibbolethSP ...> PortShibbolethSP : binds
ContainerHydraPasswordless ...> PortHydraPasswordless : binds
ContainerHydraRemoteUser ...> PortHydraRemoteUser : binds
ContainerShibbolethSP ..> PortHydraRemoteUser : proxies
ServiceHydra ...> ContainerHydra: manages
ServiceHydraDispatcher ...> ContainerHydraDispatcher: manages
ServiceShibbolethSP ...> ContainerShibbolethSP: manages
ServiceHydraPasswordless ...> ContainerHydraPasswordless: manages
ServiceHydraRemoteUser ...> ContainerHydraRemoteUser: manages
ContainerHydra ...> HydraConfFile : uses
ContainerHydra ...> HydraClientConfFile : uses
ContainerHydraDispatcher ...> HydraDispatcherConfFile : uses
ContainerHydraDispatcher ...> HydraDispatcherAppsConfFile : uses
ContainerHydraPasswordless ...> HydraPasswordlessConfFile : uses
ContainerHydraRemoteUser ...> HydraRemoteUserConfFile : uses
ContainerHydraRemoteUser ...> HydraRemoteUserMappingsConfFile : uses
ContainerShibbolethSP ...> ShibbolethSPConfFile : uses
ContainerShibbolethSP ...> ShibbolethSPCredentialsFile : creates
PackageHAProxy ...> HAProxyConfFile : deploys
PackageHydra ...> HydraConfFile : deploys
PackageHydraDispatcher ...> HydraDispatcherConfFile : deploys
PackageHydraRemoteUser ...> HydraRemoteUserConfFile : deploys
PackageShibbolethSP ...> ShibbolethSPConfFile : deploys
PackageHAProxy ...> ServiceHAProxy : deploys
PackageHydra ...> ServiceHydra : deploys
PackageHydraDispatcher ...> ServiceHydraDispatcher : deploys
PackageHydraRemoteUser ...> ServiceHydraRemoteUser : deploys
PackageHydraPasswordless ...> ServiceHydraPasswordless : deploys
PackageHydra ...> ContainerHydra : deploys
PackageHydraDispatcher ...> ContainerHydraDispatcher : deploys
PackageHydraRemoteUser ...> ContainerHydraRemoteUser : deploys
PackageShibbolethSP ...> ContainerShibbolethSP : deploys
PackageHydraPasswordless ...> ContainerHydraPasswordless : deploys
}
@enduml

View File

@ -0,0 +1,32 @@
<VirtualHost *:80>
DocumentRoot /var/www/public
SetEnv APP_DEBUG ${APP_DEBUG}
SetEnv APP_ENV ${APP_ENV}
SetEnv HYDRA_ADMIN_BASE_URL ${HYDRA_ADMIN_BASE_URL}
SetEnv TRUSTED_PROXIES ${TRUSTED_PROXIES}
SetEnv LOGOUT_REDIRECT_URL_PATTERN ${LOGOUT_REDIRECT_URL_PATTERN}
# Création d'un alias pour réécrire gérer le préfixe /auth/saml
Alias "/auth/saml" "/var/www/public"
<Directory /var/www/public>
AllowOverride None
Order Allow,Deny
Allow from All
<IfModule mod_rewrite.c>
RewriteEngine On
# Remapping de l'ensemble des chemins en /auth/saml
RewriteBase /auth/saml
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>
</Directory>
CustomLog /dev/stdout combined
ErrorLog /dev/stderr
</VirtualHost>

View File

@ -0,0 +1,257 @@
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess
logger="shibd.logger" tranLogFormat="[TRANSACTION] %u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
<!-- <Extensions>
<Library path="odbc-store.so" fatal="true"/>
</Extensions> -->
</OutOfProcess>
<!-- <InProcess logger="native.logger" checkSpoofing="false"/> -->
<!-- Only one listener can be defined, to connect in-process modules to shibd. -->
<UnixListener address="shibd.sock"/>
<!-- <TCPListener address="127.0.0.1" port="1600" acl="127.0.0.1"/> -->
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheAssertions="false"
cacheAllowance="900" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db" cacheAssertions="false"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->
<!--
The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped by the RequestMapper to an applicationId that
points into to this section (or to the defaults here).
-->
<ApplicationDefaults entityID="{{ getenv "SP_ENTITY_ID" "http://sp-entity-id" }}"
REMOTE_USER="{{ getenv "SP_REMOTE_USER" "eppn subject-id pairwise-id persistent-id" }}"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
and should be a relative path, with the SP computing the full value based on the virtual
host. Using handlerSSL="true" will force the protocol to be https. You should also set
cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
"false", this makes an assertion stolen in transit easier for attackers to misuse.
-->
<Sessions lifetime="28800" timeout="3600"
handlerURL="{{ getenv "SP_HANDLER_BASE_PATH" "" }}/Shibboleth.sso" handlerSSL="false" cookieProps="http" relayState="ss:mem"
redirectLimit="{{ getenv "SP_SESSIONS_REDIRECT_LIMIT" "host" }}"
checkAddress="false"
consistentAddress="false"
exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
idpHistory="false" idpHistoryDays="7">
<!--
The "stripped down" files use the shorthand syntax for configuring handlers.
This uses the old "every handler specified directly" syntax. You can supplement
the new syntax following these examples but it is NOT advisable to use this
approach wholesale.
-->
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic/active session rules will use the default
or first element (or requireSessionWith can specify a specific id to use).
-->
<!-- Default directs to a specific IdP. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
entityID="{{ getenv "IDP_ENTITY_ID" "http://idp-entity-id" }}">
<SessionInitiator type="SAML2" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1"/>
<!--
To allow for >1 IdP, remove entityID property from Chaining element and add
*either* of the SAMLDS or WAYF handlers below:
<SessionInitiator type="SAMLDS" URL="https://ds.example.org/DS/WAYF"/>
<SessionInitiator type="WAYF" URL="https://wayf.example.org/WAYF"/>
-->
</SessionInitiator>
<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator type="Chaining" Location="/Logout">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- Administrative logout, separate from user-driven logout above. -->
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add your own attributes with values that can be plugged into the
templates, e.g., helpLocation below.
-->
<Errors supportContact="{{ getenv "CONTACT_EMAIL" "admin@localhost" }}"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!--
Uncomment and modify to tweak settings for specific IdPs or groups. Settings here
generally match those allowed by the <ApplicationDefaults> element.
-->
<!--
<RelyingParty Name="SpecialFederation" keyName="SpecialKey"/>
-->
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
url="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
<DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->
<!-- Example of remotely supplied "on-demand" signed metadata. -->
<!--
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
baseUrl="http://mdq.federation.org" ignoreTransport="true">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="mdqsigner.pem" />
</MetadataProvider>
-->
<MetadataProvider type="Dynamic"
verifyHost="false"
ignoreTransport="true"
uri="{{ getenv "IDP_METADATA_URL" "http://idp/idp/shibboleth" }}">
</MetadataProvider>
<!-- TrustEngines run in order to evaluate peer keys and certificates. -->
<TrustEngine type="ExplicitKey"/>
<!-- <TrustEngine type="PKIX"/> -->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Extracts support information for IdP from its metadata. -->
<AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
key="/etc/shibboleth/credentials/sp-signing.key" certificate="/etc/shibboleth/credentials/sp-signing.crt"/>
<CredentialResolver type="File" use="encryption"
key="/etc/shibboleth/credentials/sp-encrypt.key" certificate="/etc/shibboleth/credentials/sp-encrypt.crt"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements.
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
This "canonical" use case of overriding the SP's entityID alone is now obsolete;
you can apply selfEntityID as a content setting based on host or path to control
the SP's own identity.
Avoid overrides: ask on the list or refer to the wiki for examples of how to do
whatever you want to do without them.
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

35
handlers/main.yml Normal file
View File

@ -0,0 +1,35 @@
---
- name: Restart HAProxy
service:
name: haproxy
state: restarted
- name: Restart cadoles-pod-hydra-v1
service:
name: cadoles-pod-hydra-v1
state: restarted
- name: Restart cadoles-pod-hydra-dispatcher-v1
service:
name: cadoles-pod-hydra-dispatcher-v1
state: restarted
- name: Restart cadoles-pod-hydra-passwordless-v1
service:
name: cadoles-pod-hydra-passwordless-v1
state: restarted
- name: Restart cadoles-pod-hydra-remote-user-v1
service:
name: cadoles-pod-hydra-remote-user-v1
state: restarted
- name: Restart cadoles-pod-shibboleth-sp-v3
service:
name: cadoles-pod-shibboleth-sp-v3
state: restarted
- name: Restart MySQL
service:
name: mysql
state: restarted

1
meta/main.yml Normal file
View File

@ -0,0 +1 @@
---

View File

@ -0,0 +1,18 @@
---
- name: Install cadoles-pod-hydra-passwordless-v1 package
ansible.builtin.apt:
name:
- cadoles-pod-hydra-passwordless-v1
update_cache: yes
state: latest
- name: Configure cadoles-pod-hydra-passwordless-v1
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-hydra-passwordless-v1.conf.j2
dest: /etc/cadoles-pod-hydra-passwordless-v1.conf
notify:
- Restart cadoles-pod-hydra-passwordless-v1

55
tasks/hydra-saml.yml Normal file
View File

@ -0,0 +1,55 @@
---
- name: Install cadoles-pod-hydra-remote-user-v1 package
ansible.builtin.apt:
name:
- cadoles-pod-shibboleth-sp-v3
- cadoles-pod-hydra-remote-user-v1
update_cache: yes
state: latest
- name: Configure cadoles-pod-hydra-remote-user-v1
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-hydra-remote-user-v1.conf.j2
dest: /etc/cadoles-pod-hydra-remote-user-v1.conf
- src: hydra-remote-user.yml.j2
dest: /etc/hydra-remote-user/conf.d/remote-user.yml
notify:
- Restart cadoles-pod-hydra-remote-user-v1
- name: Configure cadoles-pod-hydra-remote-user-v1 (2)
ansible.builtin.copy:
src: hydra-remote-user-v1-apache.conf
dest: /etc/hydra-remote-user/apache.conf
notify:
- Restart cadoles-pod-hydra-remote-user-v1
- name: Create cadoles-pod-shibboleth-sp-v3 expected directories
file:
name: "{{ item }}"
state: directory
with_items:
- /etc/shibboleth
- /etc/shibboleth/credentials
- name: Configure cadoles-pod-shibboleth-sp-v3
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-shibboleth-sp-v3.conf.j2
dest: /etc/cadoles-pod-shibboleth-sp-v3.conf
- src: shibboleth-attribute-map.inc.xml.j2
dest: /etc/shibboleth/attribute-map.inc.xml
notify:
- Restart cadoles-pod-shibboleth-sp-v3
- name: Configure cadoles-pod-shibboleth-sp-v3 (2)
ansible.builtin.copy:
src: shibboleth2.xml.gotmpl
dest: /etc/shibboleth/shibboleth2.xml.gotmpl
notify:
- Restart cadoles-pod-shibboleth-sp-v3

98
tasks/main.yml Normal file
View File

@ -0,0 +1,98 @@
---
- name: Add required utilities
ansible.builtin.apt:
name:
- gpg
- wget
- openssl
update_cache: yes
state: present
- name: Add LetsEncrypt missing intermediate certificates
command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'"
args:
creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem
- name: Add cadoles-pod debian repository key
ansible.builtin.apt_key:
url: "{{ cadoles_pod_debian_repository_key_url }}"
state: present
- name: Configure cadoles-pod debian repository
ansible.builtin.apt_repository:
repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main"
state: present
- name: Install core packages
ansible.builtin.apt:
name:
- haproxy
- mariadb-server
- python3-pip
- cadoles-pod-hydra-v1
- cadoles-pod-hydra-dispatcher-v1
update_cache: yes
state: latest
- name: Install PyMySQL python package
ansible.builtin.pip:
name: PyMySQL
- name: Create Hydra database
community.mysql.mysql_db:
name: "{{ hydra_database_name }}"
login_unix_socket: /var/run/mysqld/mysqld.sock
state: present
- name: Create Hydra database user
community.mysql.mysql_user:
name: "{{ hydra_database_user }}"
password: "{{ hydra_database_password }}"
login_unix_socket: /var/run/mysqld/mysqld.sock
priv: '{{ hydra_database_name }}.*:ALL,GRANT'
state: present
- name: Configure HAProxy
template:
src: haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
validate: "haproxy -c -f %s"
notify:
- Restart HAProxy
- name: Configure cadoles-pod-hydra-v1
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-hydra-v1.conf.j2
dest: /etc/cadoles-pod-hydra-v1.conf
- src: oidc-test-client.json.j2
dest: /etc/hydra/clients.d/oidc-test.json
notify:
- Restart cadoles-pod-hydra-v1
- name: Configure cadoles-pod-hydra-dispatcher-v1
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: cadoles-pod-hydra-dispatcher-v1.conf.j2
dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf
- src: hydra-dispatcher-apps.yml.j2
dest: /etc/hydra-dispatcher/conf.d/apps.yml
notify:
- Restart cadoles-pod-hydra-dispatcher-v1
- name: Configure passwordless authentification if enabled
ansible.builtin.include_tasks: hydra-passwordless.yml
when: enable_hydra_passwordless
- name: Configure SAML authentification if enabled
ansible.builtin.include_tasks: hydra-saml.yml
when: enable_hydra_saml
- name: Sart OIDC Test app if enabled
ansible.builtin.include_tasks: oidc-test.yml
when: enable_oidc_test_app

17
tasks/oidc-test.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: Start oidc-test app
containers.podman.podman_container:
name: oidc-test
image: docker.io/bornholm/oidc-test:v0.0.0-2-gd0583cc
state: started
network: host
recreate: yes
env:
OIDC_CLIENT_ID: "{{ oidc_test_app_client_id }}"
OIDC_CLIENT_SECRET: "{{ oidc_test_app_client_secret }}"
LOG_LEVEL: 0
OIDC_ISSUER_URL: "http://{{ public_host }}/"
OIDC_REDIRECT_URL: "http://{{ public_host }}:8080"
OIDC_POST_LOGOUT_REDIRECT_URL: "http://{{ public_host }}:8080"
HTTP_ADDRESS: 0.0.0.0:8080

View File

@ -0,0 +1,16 @@
PODMAN_ARGS="\
--name 'cadoles-pod-hydra-dispatcher-v1' \
--replace \
--network=slirp4netns:allow_host_loopback=true \
-p 127.0.0.1:3000:80 \
-v /etc/hydra-dispatcher/conf.d:/var/www/config/hydra \
-e APP_ENV=prod \
-e APP_DEBUG=yes \
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445 \
-e HYDRA_BASE_URL=http://10.0.2.2:4444 \
-e HYDRA_REWRITE_ISSUER=no \
-e HYDRA_ORIGINAL_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_NEW_ISSUER={{ public_scheme }}://{{ public_host }} \
-e 'ASSETS_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/dispatcher' \
-e 'COOKIE_PATH=/auth/dispatcher' \
"

View File

@ -0,0 +1,15 @@
PODMAN_ARGS="\
-p 127.0.0.1:3001:3000 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-hydra-passwordless-v1' \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/passwordless \
-e 'SMTP_HOST={{ hydra_passwordless_smtp_host }}' \
-e 'SMTP_PORT={{ hydra_passwordless_smtp_port }}' \
-e 'SMTP_USER={{ hydra_passwordless_smtp_user }}' \
-e 'SMTP_PASSWORD={{ hydra_passwordless_smtp_password }}' \
-e 'SMTP_INSECURE_SKIP_VERIFY={{ hydra_passwordless_smtp_insecure_skip_verify }}' \
-e 'SMTP_SENDER_ADDRESS={{ hydra_passwordless_sender_address }}' \
-e 'SMTP_USE_START_TLS={{ hydra_passwordless_smtp_use_start_tls }}' \
-e 'SMTP_SENDER_NAME={{ hydra_passwordless_sender_name }}' \
-e HYDRA_BASE_URL=http://10.0.2.2:3000 \
"

View File

@ -0,0 +1,14 @@
PODMAN_ARGS="\
-p 127.0.0.1:3003:80 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-hydra-remote-user-v1' \
-v /etc/hydra-remote-user/conf.d:/var/www/config/remote_user \
-v /etc/hydra-remote-user/apache.conf:/etc/apache2/sites-available/000-default.conf \
-e APP_ENV=prod \
-e APP_DEBUG=no \
-e HTTP_BASE_URL={{ public_scheme }}://{{ public_host }}/auth/saml \
-e COOKIE_PATH=/auth/saml \
-e HYDRA_ADMIN_BASE_URL=http://10.0.2.2:3000 \
-e 'TRUSTED_PROXIES=127.0.0.1,10.0.2.0/24' \
-e LOGOUT_REDIRECT_URL_PATTERN={{ public_scheme }}://{{ public_host }}/auth/saml/Shibboleth.sso/Logout?return=%s \
"

View File

@ -0,0 +1,18 @@
PODMAN_ARGS="\
--name 'cadoles-pod-hydra-v1' \
--replace \
--network=slirp4netns:allow_host_loopback=true \
-p 127.0.0.1:4444:4444 \
-p 127.0.0.1:4445:4445 \
--tmpfs /tmp \
-e 'HYDRA_DSN=mysql://{{ hydra_database_user }}:{{ hydra_database_password }}@tcp({{ hydra_database_host }}:{{ hydra_database_port }})/{{ hydra_database_name }}?parseTime=true' \
-e LOG_LEVEL=debug \
-e LOG_LEAK_SENSITIVE_VALUES=true \
-e HYDRA_URLS_SELF_ISSUER={{ public_scheme }}://{{ public_host }} \
-e HYDRA_URLS_CONSENT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/consent \
-e HYDRA_URLS_LOGIN={{ public_scheme }}://{{ public_host }}/auth/dispatcher/login \
-e HYDRA_URLS_LOGOUT={{ public_scheme }}://{{ public_host }}/auth/dispatcher/logout \
-e HYDRA_ALLOW_INSECURE=yes \
-e HYDRA_LEVEL=debug \
-v /etc/hydra/clients.d:/etc/hydra/clients.d \
"

View File

@ -0,0 +1,13 @@
PODMAN_ARGS="\
-p 127.0.0.1:3002:80 \
--network=slirp4netns:allow_host_loopback=true \
--replace --name 'cadoles-pod-shibboleth-sp-v3' \
-e 'SP_ENTITY_ID={{ public_scheme }}://{{ public_host }}/auth/saml' \
-e 'IDP_ENTITY_ID={{ hydra_saml_idp_entity_id }}' \
-e 'IDP_METADATA_URL={{ hydra_saml_idp_metadata_url }}' \
-e 'APACHE_BACKEND_URL=http://10.0.2.2:3003' \
-e 'SP_HANDLER_BASE_PATH=/auth/saml' \
-v '/etc/shibboleth/attribute-map.inc.xml:/etc/shibboleth/attribute-map.inc.xml' \
-v '/etc/shibboleth/shibboleth2.xml.gotmpl:/etc/shibboleth/shibboleth2.xml.gotmpl' \
-v '/etc/shibboleth/credentials:/etc/shibboleth/credentials' \
"

115
templates/haproxy.cfg.j2 Normal file
View File

@ -0,0 +1,115 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
bind 0.0.0.0:80
mode http
maxconn 2000
acl login_dispatcher path_beg -i /auth/dispatcher
{% if enable_hydra_passwordless %}
acl login_passwordless path_beg -i /auth/passwordless
{% endif %}
{% if enable_hydra_saml %}
acl login_saml path_beg -i /auth/saml
{% endif %}
use_backend hydra_dispatcher if login_dispatcher
{% if enable_hydra_passwordless %}
use_backend hydra_passwordless if login_passwordless
{% endif %}
{% if enable_hydra_saml %}
use_backend hydra_saml if login_saml
{% endif %}
use_backend hydra
# Backend Hydra
backend hydra
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra 127.0.0.1:4444 check
# Backend Hydra Dispatcher
backend hydra_dispatcher
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/dispatcher dans l'URL
http-request set-path %[path,regsub(^/auth/dispatcher/,/)]
server hydra-login-dispatcher 127.0.0.1:3000 check
{% if enable_hydra_passwordless %}
# Backend Hydra Passwordless
backend hydra_passwordless
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
# Suppression du préfixe /auth/passwordless dans l'URL
http-request set-path %[path,regsub(^/auth/passwordless,)]
server hydra-login-passwordless 127.0.0.1:3001 check
{%- endif %}
{% if enable_hydra_saml %}
# Backend Hydra SAML
backend hydra_saml
balance roundrobin
# Headers HTTP des requêtes
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server hydra-login-saml 127.0.0.1:3002 check
{%- endif %}

View File

@ -0,0 +1,26 @@
hydra:
apps:
{% if enable_hydra_passwordless %}
- id: passwordless
title: "{{ hydra_passwordless_app_title }}"
description: "{{ hydra_passwordless_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/passwordless/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email
icon_url: "{{ hydra_passwordless_app_icon_url }}"
{% endif %}
{% if enable_hydra_saml %}
- id: saml
title: "{{ hydra_saml_app_title }}"
description: "{{ hydra_saml_app_description }}"
login_url: {{ public_scheme }}://{{ public_host }}/auth/saml/login
consent_url: {{ public_scheme }}://{{ public_host }}/auth/saml/consent
logout_url: {{ public_scheme }}://{{ public_host }}/auth/saml/logout
attributes_rewrite_rules:
email:
- consent.session.id_token.email
icon_url: "{{ hydra_saml_app_icon_url }}"
{% endif %}

View File

@ -0,0 +1,6 @@
remote_user:
subject_header: subject-id
headers_attributes_mapping:
- header: mail
attribute: email
required: true

View File

@ -0,0 +1,19 @@
{
"client_id": "{{ oidc_test_app_client_id }}",
"client_name": "OIDC Test",
"client_secret": "{{ oidc_test_app_client_secret }}",
"grant_types": [
"authorization_code",
"refresh_token"
],
"jwks": {},
"metadata": {},
"post_logout_redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080"],
"redirect_uris": ["{{ public_scheme }}://{{ public_host }}:8080/oauth2/callback"],
"response_types": [
"code"
],
"logo_uri": "https://www.cadoles.com/images/logo.svg",
"scope": "openid profile email",
"token_endpoint_auth_method": "client_secret_post"
}

View File

@ -0,0 +1,2 @@
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="uid" />
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" id="mail" />