From fb773a98d10db81c4ec783446bad1e1fc2199c44 Mon Sep 17 00:00:00 2001 From: William Petit Date: Wed, 10 Aug 2022 17:46:19 +0200 Subject: [PATCH] feat: hydra-oidc deployment --- defaults/main.yml | 47 ++++++++++++++++++- handlers/main.yml | 6 +++ tasks/hydra-oidc.yml | 20 ++++++++ tasks/main.yml | 4 ++ tasks/start-oidc-test.yml | 2 +- .../cadoles-pod-hydra-dispatcher-v1.conf.j2 | 5 +- templates/cadoles-pod-hydra-oidc-v1.conf.j2 | 20 ++++++++ templates/haproxy.cfg.j2 | 19 +++++++- templates/hydra-dispatcher-apps.yml.j2 | 24 ++++++++-- 9 files changed, 137 insertions(+), 10 deletions(-) create mode 100644 tasks/hydra-oidc.yml create mode 100644 templates/cadoles-pod-hydra-oidc-v1.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index f7f4752..f2c66e5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,7 @@ cadoles_pod_hydra_dispatcher_v1_package_version: '*' cadoles_pod_shibboleth_sp_v3_package_version: '*' cadoles_pod_hydra_remote_user_v1_package_version: '*' cadoles_pod_hydra_passwordless_v1_package_version: '*' +cadoles_pod_hydra_oidc_v1_package_version: '*' # Hydra database configuration hydra_use_external_database: no @@ -28,7 +29,8 @@ haproxy_hydra_base_path: /auth haproxy_hydra_dispatcher_base_path: /auth/dispatcher haproxy_hydra_passwordless_base_path: /auth/passwordless haproxy_hydra_saml_base_path: /auth/saml -haproxy_oidc_test_base_path: /auth/oidc-test +haproxy_hydra_oidc_base_path: /auth/oidc +haproxy_oidc_test_base_path: /auth/test haproxy_forwarded_proto: https haproxy_forwarded_host: "%[req.hdr(Host)]" @@ -57,6 +59,14 @@ hydra_clients: hydra_dispatcher_cookie_path: "{{ haproxy_hydra_dispatcher_base_path }}" hydra_dispatcher_debug: no +hydra_dispatcher_admin_authorized_hosts: + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' +hydra_dispatcher_default_locale: fr +hydra_dispatcher_available_locales: + - fr + - en # Hydra Passwordless configuration 
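Review bot: In the third defaults/main.yml hunk, the new `hydra_dispatcher_admin_authorized_hosts` default admits all three RFC 1918 ranges with no comment saying what the list gates; if, as its name and the `HYDRA_ADMIN_AUTHORIZED_HOSTS` variable it feeds suggest, it controls which hosts may reach Hydra's admin API through the dispatcher, the default grants every private network the host can see. At minimum add a purpose comment above the key, e.g. `# Networks allowed to reach the Hydra admin API through the dispatcher; keep as narrow as the deployment allows`, and consider a loopback-only default with the private ranges documented as the override for multi-host setups. `hydra_dispatcher_default_locale: fr` and the `available_locales` list are fine as plain scalars, but the locale codes would be safer quoted so a future `no`-style code cannot be re-typed as a boolean.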
@@ -134,4 +144,37 @@ saml_attribute_policies: [] enable_oidc_test_app: yes oidc_test_app_client_id: oidc-test oidc_test_app_client_secret: '$oidc-test&123456$' -oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}" \ No newline at end of file +oidc_test_app_public_base_url: "{{ haproxy_public_base_url }}{{ haproxy_oidc_test_base_path }}" + +# Hydra OIDC configuration + +enable_hydra_oidc: no +hydra_oidc_debug: no +hydra_oidc_cookie_path: "{{ haproxy_hydra_oidc_base_path }}" +hydra_oidc_app_title: OpenID Connect +hydra_oidc_app_description: Authentification via OpenID Connect +hydra_oidc_app_icon_url: https://openid.net/wordpress-content/uploads/2014/09/openid-r-logo-900x360.png +hydra_oidc_authorize_endpoint: +hydra_oidc_token_endpoint: +hydra_oidc_userinfo_endpoint: +hydra_oidc_logout_url_pattern: +hydra_oidc_post_logout_redirect_url: +hydra_oidc_scope: openid email +hydra_oidc_client_id: +hydra_oidc_client_secret: + +hydra_oidc_attributes_rewrite_rules: + email: + - consent.session.id_token.email + family_name: + - consent.session.id_token.family_name + given_name: + - consent.session.id_token.given_name + birthdate: + - consent.session.id_token.birthdate + gender: + - consent.session.id_token.gender + birthplace: + - consent.session.id_token.birthplace + birthcountry: + - consent.session.id_token.birthcountry \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml index 43ccb0f..e83d351 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -35,6 +35,12 @@ state: restarted become: true +- name: Restart cadoles-pod-hydra-oidc-v1 + service: + name: cadoles-pod-hydra-oidc-v1 + state: restarted + become: true + - name: Reload hydra clients ansible.builtin.include_tasks: file: hydra-reload-clients.yml \ No newline at end of file diff --git a/tasks/hydra-oidc.yml b/tasks/hydra-oidc.yml new file mode 100644 index 0000000..ef516c9 --- /dev/null +++ b/tasks/hydra-oidc.yml 
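Review bot: The eight bare keys added under `# Hydra OIDC configuration` (`hydra_oidc_authorize_endpoint` through `hydra_oidc_client_secret`) parse as YAML null, and on a standard Jinja2 setup `{{ hydra_oidc_client_secret }}` then renders the literal string `None` into the pod configuration rather than an empty value, so a host that enables `enable_hydra_oidc` without overriding them only fails at the provider. Write the placeholder explicitly and say what is required, e.g. `hydra_oidc_client_id: null  # required when enable_hydra_oidc is true`, for the client id, the secret and the three endpoint URLs, and add a comment that the secret is expected from a vault-encrypted variable rather than a plain override. `enable_hydra_oidc: no` and `hydra_oidc_debug: no` should be `false`, which reads the same under YAML 1.1 and 1.2 loaders.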
@@ -0,0 +1,20 @@ +--- + +- name: Install cadoles-pod-hydra-oidc-v1 package + ansible.builtin.apt: + name: + - "cadoles-pod-hydra-oidc-v1={{ cadoles_pod_hydra_oidc_v1_package_version }}" + update_cache: yes + state: present + become: true + +- name: Configure cadoles-pod-hydra-oidc-v1 + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: cadoles-pod-hydra-oidc-v1.conf.j2 + dest: /etc/cadoles-pod-hydra-oidc-v1.conf + notify: + - Restart cadoles-pod-hydra-oidc-v1 + become: true \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 7b28807..faf7ad2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -95,6 +95,10 @@ ansible.builtin.include_tasks: hydra-saml.yml when: enable_hydra_saml +- name: Configure OIDC authentification if enabled + ansible.builtin.include_tasks: hydra-oidc.yml + when: enable_hydra_oidc + - name: Start OIDC Test app if enabled ansible.builtin.include_tasks: start-oidc-test.yml when: enable_oidc_test_app diff --git a/tasks/start-oidc-test.yml b/tasks/start-oidc-test.yml index 9d77f13..5fe8e5f 100644 --- a/tasks/start-oidc-test.yml +++ b/tasks/start-oidc-test.yml @@ -18,7 +18,7 @@ - name: Start oidc-test app containers.podman.podman_container: name: oidc-test - image: docker.io/bornholm/oidc-test:v0.0.0-4-gd786d3a + image: docker.io/bornholm/oidc-test:v0.0.0-6-g96f1f8f state: started network: host restart_policy: on-failure diff --git a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 index c5002ad..c9ca1ba 100644 --- a/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 +++ b/templates/cadoles-pod-hydra-dispatcher-v1.conf.j2 
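Review bot: The `Configure cadoles-pod-hydra-oidc-v1` template task writes `/etc/cadoles-pod-hydra-oidc-v1.conf`, which carries `CLIENT_SECRET_FC` in clear, without `owner`, `group` or `mode`, so the file takes the default umask permissions and is in all likelihood world-readable. Set `mode: "0600"` (quoted so the octal is not re-typed) with `owner: root` and `group: root`, assuming the unit that reads the file runs as root. It would also help to fail early while the provider settings are still at their null defaults, since the template otherwise renders `None` into the container environment; an `ansible.builtin.assert` ahead of the package install does that. Module names could use the `ansible.builtin.` prefix consistently (the apt task has it, the template task does not), and `update_cache: yes` should be `true`.
```yaml
- name: Check that the OIDC provider settings are defined
  ansible.builtin.assert:
    that:
      - hydra_oidc_client_id
      - hydra_oidc_client_secret
      - hydra_oidc_authorize_endpoint
      - hydra_oidc_token_endpoint
      - hydra_oidc_userinfo_endpoint
    fail_msg: "hydra_oidc_* provider settings must be set when enable_hydra_oidc is true"
    quiet: true

# … unchanged: package install task …

- name: Configure cadoles-pod-hydra-oidc-v1
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0600"
  # … unchanged: with_items, notify, become …
```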
@@ -12,6 +12,9 @@ PODMAN_ARGS="\ -e HYDRA_REWRITE_ISSUER=no \ -e 'HYDRA_ORIGINAL_ISSUER={{ haproxy_public_base_url }}' \ -e 'HYDRA_NEW_ISSUER={{ haproxy_public_base_url }}' \ - -e 'ASSETS_BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \ + -e 'BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_dispatcher_base_path }}' \ -e 'COOKIE_PATH={{ hydra_dispatcher_cookie_path }}' \ + -e 'DEFAULT_LOCALE={{ hydra_dispatcher_default_locale }}' \ + -e 'APP_LOCALES={{ hydra_dispatcher_available_locales | join(',') }}' \ + -e 'HYDRA_ADMIN_AUTHORIZED_HOSTS={{ hydra_dispatcher_admin_authorized_hosts | join(',') }}' \ " \ No newline at end of file diff --git a/templates/cadoles-pod-hydra-oidc-v1.conf.j2 b/templates/cadoles-pod-hydra-oidc-v1.conf.j2 new file mode 100644 index 0000000..25d13a3 --- /dev/null +++ b/templates/cadoles-pod-hydra-oidc-v1.conf.j2 @@ -0,0 +1,20 @@ +PODMAN_ARGS="\ + --name 'cadoles-pod-hydra-oidc-v1' \ + --replace \ + --network=slirp4netns:allow_host_loopback=true \ + --tz=local \ + -p 127.0.0.1:3004:80 \ + -e APP_ENV=prod \ + -e 'APP_DEBUG={{ hydra_oidc_debug }}' \ + -e 'HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445' \ + -e 'COOKIE_PATH={{ hydra_oidc_cookie_path }}' \ + -e 'URL_FRANCE_CONNECT_AUTHORIZE={{ hydra_oidc_authorize_endpoint }}' \ + -e 'URL_FRANCE_CONNECT_TOKEN={{ hydra_oidc_token_endpoint }}' \ + -e 'URL_FRANCE_CONNECT_USERINFO={{ hydra_oidc_userinfo_endpoint }}' \ + -e 'LOGOUT_REDIRECT_URL_PATTERN={{ hydra_oidc_logout_url_pattern }}' \ + -e 'POST_LOGOUT_REDIRECT_URL={{ hydra_oidc_post_logout_redirect_url }}' \ + -e 'BASE_URL={{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}' \ + -e 'SCOPE_FRANCE_CONNECT={{ hydra_oidc_scope }}' \ + -e 'CLIENT_ID_FC={{ hydra_oidc_client_id }}' \ + -e 'CLIENT_SECRET_FC={{ hydra_oidc_client_secret }}' \ +" \ No newline at end of file diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 index 036792f..275c663 100644 --- a/templates/haproxy.cfg.j2 
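Review bot: In the new cadoles-pod-hydra-oidc-v1.conf.j2, `CLIENT_SECRET_FC` is passed with `-e` inside `PODMAN_ARGS`, so if the unit expands this variable onto a `podman run` command line (the unit is outside this patch) the client secret is readable by every local user in the process listing while the container starts, on top of sitting in the conf file. Moving the sensitive variables to a root-only env file handed over with `--env-file`, or to a podman secret, keeps them off the command line; the dispatcher and passwordless templates would deserve the same treatment if they follow this pattern. `APP_DEBUG={{ hydra_oidc_debug }}` renders the Ansible boolean as `False`/`True` rather than a lowercase value; confirm the application accepts that spelling or render it as `{{ hydra_oidc_debug | lower }}`. The `HYDRA_ADMIN_BASE_URL=http://10.0.2.2:4445` literal is the slirp4netns host address and is plain HTTP to an unauthenticated admin API, which is acceptable only because the port is presumably bound to loopback on the host; a comment stating that assumption would help the next reader.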
+++ b/templates/haproxy.cfg.j2 @@ -46,6 +46,9 @@ frontend http-in {% if enable_hydra_saml %} acl login_saml path_beg -i {{ haproxy_hydra_saml_base_path }} {% endif %} +{% if enable_hydra_oidc %} + acl login_oidc path_beg -i {{ haproxy_hydra_oidc_base_path }} +{% endif %} {% if enable_oidc_test_app %} acl oidc_test path_beg -i {{ haproxy_oidc_test_base_path }} {% endif %} @@ -57,6 +60,9 @@ frontend http-in {% if enable_hydra_saml %} use_backend hydra_saml if login_saml {% endif %} +{% if enable_hydra_oidc %} + use_backend hydra_oidc if login_oidc +{% endif %} {% if enable_oidc_test_app %} use_backend oidc_test if oidc_test {% endif %} @@ -90,6 +96,15 @@ backend hydra_passwordless server hydra-login-passwordless 127.0.0.1:3001 check {%- endif %} +{% if enable_hydra_oidc %} +# Backend Hydra OIDC +backend hydra_oidc + balance roundrobin + # Suppression du préfixe /auth/oidc dans l'URL + http-request set-path %[path,regsub(^{{ haproxy_hydra_oidc_base_path }},)] + server hydra-login-oidc 127.0.0.1:3004 check +{%- endif %} + {% if enable_hydra_saml %} # Backend Hydra SAML backend hydra_saml @@ -100,7 +115,7 @@ backend hydra_saml {% if enable_oidc_test_app %} backend oidc_test balance roundrobin - # Suppression du préfixe /auth/oidc-test dans l'URL - http-request set-path %[path,regsub(^{{ haproxy_oidc_test_base_path }},)] + # Suppression du préfixe /auth/test dans l'URL + http-request set-path %[path,regsub(^{{ haproxy_oidc_test_base_path }},/)] server oidc-test 127.0.0.1:8080 check {% endif %} \ No newline at end of file diff --git a/templates/hydra-dispatcher-apps.yml.j2 b/templates/hydra-dispatcher-apps.yml.j2 index d12286b..8717754 100644 --- a/templates/hydra-dispatcher-apps.yml.j2 +++ b/templates/hydra-dispatcher-apps.yml.j2 
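Review bot: In the `backend hydra_oidc` hunk, the frontend matches `login_oidc` case-insensitively (`path_beg -i`) but the prefix strip `regsub(^{{ haproxy_hydra_oidc_base_path }},)` is case-sensitive, so a request such as `/Auth/OIDC/login` is routed to the backend with the prefix still attached; add the `i` flag, `http-request set-path %[path,regsub(^{{ haproxy_hydra_oidc_base_path }},,i)]`, or drop `-i` from the acl so both sides agree (the existing passwordless and saml backends, outside this hunk, appear to share the pattern). The base path is also interpolated into the regex unescaped; that is harmless for the default `/auth/oidc` but a base path containing regex metacharacters would silently break the strip, which is worth a comment on the variable. The last hunk changes the `oidc_test` backend to substitute `/` while the new `hydra_oidc` backend substitutes the empty string; confirm whether a request for the bare base path is meant to reach the OIDC app with an empty path.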
@@ -2,8 +2,10 @@ hydra: apps: {% if enable_hydra_passwordless %} - id: passwordless - title: "{{ hydra_passwordless_app_title }}" - description: "{{ hydra_passwordless_app_description }}" + title: + fr: "{{ hydra_passwordless_app_title }}" + description: + fr: "{{ hydra_passwordless_app_description }}" login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/login" consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/consent" logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_passwordless_base_path }}/logout" @@ -12,11 +14,25 @@ hydra: {% endif %} {% if enable_hydra_saml %} - id: saml - title: "{{ hydra_saml_app_title }}" - description: "{{ hydra_saml_app_description }}" + title: + fr: "{{ hydra_saml_app_title }}" + description: + fr: "{{ hydra_saml_app_description }}" login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/login" consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/consent" logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_saml_base_path }}/logout" attributes_rewrite_rules: {{ hydra_saml_attributes_rewrite_rules | to_json }} icon_url: "{{ hydra_saml_app_icon_url }}" +{% endif %} +{% if enable_hydra_oidc %} + - id: oidc + title: + fr: "{{ hydra_oidc_app_title }}" + description: + fr: "{{ hydra_oidc_app_description }}" + login_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}/login" + consent_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}/consent" + logout_url: "{{ haproxy_public_base_url }}{{ haproxy_hydra_oidc_base_path }}/logout" + attributes_rewrite_rules: {{ hydra_oidc_attributes_rewrite_rules | to_json }} + icon_url: "{{ hydra_oidc_app_icon_url }}" {% endif %} \ No newline at end of file
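Review bot: The new `oidc` app entry, like the reworked `passwordless` and `saml` entries in the first hunk, only ever emits a `fr` key under `title` and `description`, while `hydra_dispatcher_available_locales` added in this patch defaults to `fr` and `en`; unless the dispatcher falls back to another locale (not visible here), English users get no label. Accepting either a plain string or a per-locale mapping in the `*_app_title` and `*_app_description` variables keeps the defaults working and lets operators translate, e.g. `title: {{ (hydra_oidc_app_title if hydra_oidc_app_title is mapping else {'fr': hydra_oidc_app_title}) | to_json }}`, and likewise for the description and the two other apps. The enclosing `hydra: apps:` sequence starts above the first hunk.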