From e5d5d996701b4d9490a02cddb8b25d92a63b1fed Mon Sep 17 00:00:00 2001
From: bp85
Date: Tue, 11 Jul 2023 13:30:07 -0400
Subject: [PATCH] Add support for mellon auth
---
README.md | 13 ++++++++
REFERENCE.md | 33 +++++++++++++++++--
manifests/apache.pp | 20 ++++++++---
manifests/config.pp | 10 ++++++
manifests/init.pp | 28 ++++++++++++++--
templates/auth_mellon.conf.erb | 8 +++++
templates/generate_ood_mellon_metadata.sh.erb | 22 +++++++++++++
7 files changed, 124 insertions(+), 10 deletions(-)
create mode 100644 templates/auth_mellon.conf.erb
create mode 100755 templates/generate_ood_mellon_metadata.sh.erb
diff --git a/README.md b/README.md
index 62ace8e..4ce39b3 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,19 @@ openondemand::oidc_settings:
OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
```
+Setup OnDemand to authenticate with SAML using apache Mellon. Puppet creates a script `/usr/local/bin/mellon_ood_metadata.sh` to generate certs and relevant metadata files. This script needs to be run (once) manually.
+
+```yaml
+openondemand::servername: ondemand.osc.edu
+openondemand::auth_type: 'mellon'
+openondemand::auth_configs:
+ - 'Require valid-user'
+openondemand::mellon_config:
+ MellonEndpointPath: '/mellon'
+ MellonEnable: 'auth'
+ MellonIdPMetadataFile: '/etc/httpd/mellon/idpmetadata.xml'
+```
+
Configure OnDemand via git repo that contains app configs, locales, public, and annoucement files
```yaml
diff --git a/REFERENCE.md b/REFERENCE.md
index 38c2c27..ac7c646 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -65,11 +65,13 @@ The following parameters are available in the `openondemand` class:
* [`ondemand_package_ensure`](#ondemand_package_ensure)
* [`ondemand_dex_package_ensure`](#ondemand_dex_package_ensure)
* [`mod_auth_openidc_ensure`](#mod_auth_openidc_ensure)
+* [`mod_auth_mellon_ensure`](#mod_auth_mellon_ensure)
* [`install_apps`](#install_apps)
* [`declare_apache`](#declare_apache)
* [`apache_scls`](#apache_scls)
* [`listen_addr_port`](#listen_addr_port)
* [`servername`](#servername)
+* [`proxy_server`](#proxy_server)
* [`ssl`](#ssl)
* [`logroot`](#logroot)
* [`use_rewrites`](#use_rewrites)
@@ -117,6 +119,7 @@ The following parameters are available in the `openondemand` class:
* [`oidc_state_max_number_of_cookies`](#oidc_state_max_number_of_cookies)
* [`oidc_settings`](#oidc_settings)
* [`dex_config`](#dex_config)
+* [`mellon_config`](#mellon_config)
* [`web_directory`](#web_directory)
* [`nginx_log_group`](#nginx_log_group)
* [`nginx_stage_clean_cron_schedule`](#nginx_stage_clean_cron_schedule)
@@ -249,6 +252,14 @@ mod_auth_openidc package ensure
Default value: `'present'`
+##### `mod_auth_mellon_ensure`
+
+Data type: `String`
+
+mod_auth_mellon package ensure
+
+Default value: `'present'`
+
##### `install_apps`
Data type: `Hash`
@@ -289,6 +300,14 @@ ood_portal.yml servername
Default value: ``undef``
+##### `proxy_server`
+
+Data type: `Optional[String]`
+
+ood_portal.yml proxy_server
+
+Default value: ``undef``
+
##### `ssl`
Data type: `Optional[Array]`
@@ -665,6 +684,14 @@ Dex configuration Hash
Default value: `{}`
+##### `mellon_config`
+
+Data type: `Hash`
+
+Mellon configuration Hash for Overwrite
+
+Default value: `{}`
+
##### `web_directory`
Data type: `Stdlib::Absolutepath`
@@ -1020,7 +1047,7 @@ Manage Open OnDemand dev app
#### Examples
-#####
+#####
```puppet
openondemand::app::dev { 'user1': }
@@ -1092,7 +1119,7 @@ Manage Open OnDemand user app
#### Examples
-#####
+#####
```puppet
openondemand::app::usr { 'user1':
@@ -1800,7 +1827,7 @@ Manage Open OnDemand app
#### Examples
-#####
+#####
```puppet
openondemand::install::app { 'bc_osc_foo':
diff --git a/manifests/apache.pp b/manifests/apache.pp
index cca71b8..02e03c1 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -53,11 +53,23 @@
::apache::mod { 'lua': }
include ::apache::mod::headers
- if $openondemand::auth_type in ['dex','openid-connect'] {
- ::apache::mod { 'auth_openidc':
- package => "${package_prefix}mod_auth_openidc",
- package_ensure => $openondemand::mod_auth_openidc_ensure,
+ case $openondemand::auth_type {
+ 'CAS': {
+ include ::apache::mod::auth_cas
}
+ '(dex|openid-connect)': {
+ ::apache::mod { 'auth_openidc':
+ package => "${package_prefix}mod_auth_openidc",
+ package_ensure => $openondemand::mod_auth_openidc_ensure,
+ }
+ }
+ 'mellon': {
+ ::apache::mod { 'auth_mellon':
+ package => "${package_prefix}mod_auth_mellon",
+ package_ensure => $openondemand::mod_auth_openidc_ensure,
+ }
+ }
+ default: {}
}
if $openondemand::scl_apache {
diff --git a/manifests/config.pp b/manifests/config.pp
index 6f8a463..bf05fcd 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -242,6 +242,16 @@
}
}
+ # deploy script to generate mellon metadata
+ if $openondemand::auth_type == 'mellon' {
+ file { '/usr/local/bin/mellon_ood_metadata.sh':
+ content => template('openondemand/generate_ood_mellon_metadata.sh.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ }
+
file { '/etc/ood/config/nginx_stage.yml':
ensure => 'file',
owner => 'root',
diff --git a/manifests/init.pp b/manifests/init.pp
index fd83426..f511971 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -22,6 +22,8 @@
# ondemand-dex package ensure
# @param mod_auth_openidc_ensure
# mod_auth_openidc package ensure
+# @param mod_auth_mellon_ensure
+# mod_auth_mellon package ensure
# @param install_apps
# Hash of apps to install, passed to ondemand::install::app
# @param declare_apache
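Review bot: The `'(dex|openid-connect)':` case option is a quoted string, so Puppet compares it literally and it never matches `dex` or `openid-connect`; both values fall through to `default: {}` and mod_auth_openidc is no longer installed for the auth types that worked before this change. It needs to be a regex or array option, `/^(dex|openid-connect)$/: {` or `['dex', 'openid-connect']: {`. In the `'mellon'` branch `package_ensure` still reads `$openondemand::mod_auth_openidc_ensure` although this commit adds `$openondemand::mod_auth_mellon_ensure` for exactly that purpose; it should be `package_ensure => $openondemand::mod_auth_mellon_ensure,`. The enclosing class body continues outside the hunk.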
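Review bot: The new `file { '/usr/local/bin/mellon_ood_metadata.sh': ... }` resource has no `ensure`, unlike the `/etc/ood/config/nginx_stage.yml` resource right below it that sets `ensure => 'file'`; add `ensure => 'file',` so the two agree. Because the resource is only declared when `$openondemand::auth_type == 'mellon'`, switching a node to another auth type leaves the root-owned generator script behind rather than removing it; an `else` branch that declares the same path with `ensure => 'absent'` keeps the host converged with the catalog. The enclosing class body starts and ends outside the hunk.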
@@ -32,6 +34,8 @@
# ood_portal.yml listen_addr_port
# @param servername
# ood_portal.yml servername
+# @param proxy_server
+# ood_portal.yml proxy_server
# @param ssl
# ood_portal.yml ssl
# @param logroot
@@ -126,6 +130,8 @@
# Hash of OIDC settings passsed directly to Apache config
# @param dex_config
# Dex configuration Hash
+# @param mellon_config
+# Additional Mellon override config for apache
# @param web_directory
# Path to main web directory for OnDemand
# @param nginx_log_group
@@ -233,6 +239,7 @@
String $ondemand_package_ensure = 'present',
String $ondemand_dex_package_ensure = 'present',
String $mod_auth_openidc_ensure = 'present',
+ String $mod_auth_mellon_ensure = 'present',
Hash $install_apps = {},
# Apache
@@ -242,6 +249,7 @@
# ood_portal.yml
Variant[Array, String, Undef] $listen_addr_port = undef,
Optional[String] $servername = undef,
+ Optional[String] $proxy_server = undef,
Optional[Array] $ssl = undef,
String $logroot = 'logs',
Boolean $use_rewrites = true,
@@ -257,7 +265,7 @@
Optional[String] $user_map_cmd = undef,
Optional[String] $user_env = undef,
Optional[String] $map_fail_uri = undef,
- Enum['CAS', 'openid-connect', 'shibboleth', 'dex'] $auth_type = 'dex',
+ Enum['CAS', 'openid-connect', 'mellon', 'shibboleth', 'dex'] $auth_type = 'dex',
Optional[Array] $auth_configs = undef,
String $root_uri = '/pun/sys/dashboard',
Optional[Struct[{url => String, id => String}]] $analytics = undef,
@@ -294,6 +302,19 @@
# Dex configs
Openondemand::Dex_config $dex_config = {},
+ # Mellon Configs
+ Optional[Hash] $mellon_default_config = {
+ 'MellonSPPrivateKeyFile' => '/etc/httpd/mellon/mellon.key',
+ 'MellonSPCertFile' => '/etc/httpd/mellon/mellon.cer',
+ 'MellonSPMetadataFile' => '/etc/httpd/mellon/mellon_metadata.xml',
+ 'MellonIdPMetadataFile' => '/etc/httpd/mellon/idp_metadata.xml',
+ 'MellonEnable' => 'auth',
+ 'MellonEndpointPath' => '/mellon',
+ },
+ Optional[Hash] $mellon_config = {}
+ # Merge default config with updated configs
+ Optional[Hash] $mellon_merged_config = merge($mellon_default_config, $mellon_config)
+
# Misc configs
Stdlib::Absolutepath $web_directory = '/var/www/ood',
String $nginx_log_group = 'ondemand-nginx',
@@ -387,11 +408,11 @@
if $ssl {
$port = '443'
- $listen_ports = ['443', '80']
+ $listen_ports = pick($listen_addr_port, ['443', '80'])
$protocol = 'https'
} else {
$port = '80'
- $listen_ports = ['80']
+ $listen_ports = pick($listen_addr_port, ['80'])
$protocol = 'http'
}
@@ -446,6 +467,7 @@
$ood_portal_config = {
'listen_addr_port' => $listen_ports,
'servername' => $servername,
+ 'proxy_server' => $proxy_server,
'port' => $port,
'ssl' => $ssl,
'logroot' => $logroot,
diff --git a/templates/auth_mellon.conf.erb b/templates/auth_mellon.conf.erb
new file mode 100644
index 0000000..21cf3ee
--- /dev/null
+++ b/templates/auth_mellon.conf.erb
@@ -0,0 +1,8 @@
+
+<% scope['openondemand::auth'].each do |k| -%>
+ <%= k %>
+<% end %>
+<% scope['openondemand::mellon_merged_config'].each do |k,v| -%>
+ <%= k %> <%= v %>
+<% end %>
+
diff --git a/templates/generate_ood_mellon_metadata.sh.erb b/templates/generate_ood_mellon_metadata.sh.erb
new file mode 100755
index 0000000..e440b3e
--- /dev/null
+++ b/templates/generate_ood_mellon_metadata.sh.erb
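Review bot: `Optional[Hash] $mellon_config = {}` and the `$mellon_merged_config = merge(...)` line after it both lack the trailing comma every other parameter in the list carries, so the class no longer parses once `# Misc configs` and `$web_directory` follow. Declaring `$mellon_merged_config` as a class parameter also lets a caller override the merged result and bypass the defaults; it belongs in the class body as `$mellon_merged_config = merge($mellon_default_config, $mellon_config)` after the parameter list, leaving `mellon_config` as the single override point. The default `'MellonSPCertFile' => '/etc/httpd/mellon/mellon.cer'` does not match the `mellon.cert` name the generator script in this commit writes, and these defaults hard-code `/etc/httpd` while the script writes under `apache::params::httpd_dir`, which differs on an SCL apache, so Apache would not find the SP key and certificate. The README example in this commit also names the IdP metadata `idpmetadata.xml` whereas the default here is `idp_metadata.xml`. The parameter list continues outside the hunk.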
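Review bot: Nothing else in this patch references `auth_mellon.conf.erb`: `manifests/config.pp` only deploys the metadata script and `manifests/apache.pp` only installs the module, so unless an existing `template('openondemand/auth_mellon.conf.erb')` call lives outside the diff, the Mellon directives are never written into the Apache configuration and `MellonEnable auth` is not applied to the site. The first loop reads `scope['openondemand::auth']`, while the parameter this commit documents is `auth_configs`; confirm that an `openondemand::auth` variable exists in the class, otherwise `.each` on `nil` aborts the catalog compile. A header comment such as `# Apache directives for mod_auth_mellon; keys and values come from openondemand::mellon_merged_config` would tell the next reader where the values originate.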
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+MELLON_DIR="<%= scope['apache::params::httpd_dir'] -%>/mellon"
+
+[ -d ${MELLON_DIR} ] || mkdir ${MELLON_DIR}
+
+pushd $MELLON_DIR
+<% if scope['openondemand::proxy_server'] -%>
+export mellon_endpoint="https://<%= scope['openondemand::proxy_server'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% else -%>
+export mellon_endpoint="https://<%= scope['openondemand::servername'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% end -%>
+<%= scope['apache::params::httpd_root'] %>/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
+
+mv *mellon_metadata.cert ./mellon.cert
+mv *mellon_metadata.key ./mellon.key
+mv *mellon_metadata.xml ./mellon_metadata.xml
+
+openssl pkcs12 -export -inkey ./mellon.key -in ./mellon.cert -out ./mellon.pfx -passout pass:
+
+popd
+echo "Mellon files are generated at ${MELLON_DIR}"
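Review bot: `openssl pkcs12 -export ... -out ./mellon.pfx -passout pass:` writes the SP private key, protected by an empty password, into a file created under whatever umask the operator runs with, so `mellon.pfx` is typically world-readable; the mode of `mellon.key` likewise depends on what `mellon_create_metadata.sh` does internally, which this script cannot rely on. The script also has no `set -e`, leaves `${MELLON_DIR}` unquoted in the `mkdir` and `pushd` lines, and never checks `pushd`, so a failed `mkdir` or `pushd` lets the `mv` and `openssl` steps run in the caller's current directory while the final `echo` still reports success. Set a restrictive umask and fail fast before any key material is produced, tighten the key file explicitly, and if no consumer needs the PKCS#12 bundle drop that step rather than leave a second unprotected copy of the key. The `.cert` suffix produced here also does not match the `mellon.cer` default in `manifests/init.pp`.
```shell
#!/usr/bin/env bash
set -euo pipefail
# The SP private key is written below; keep everything created here owner-only.
umask 077

MELLON_DIR="<%= scope['apache::params::httpd_dir'] -%>/mellon"

[ -d "${MELLON_DIR}" ] || mkdir "${MELLON_DIR}"

pushd "${MELLON_DIR}" > /dev/null
# … unchanged: mellon_endpoint export and mellon_create_metadata.sh call …

mv ./*mellon_metadata.cert ./mellon.cert
mv ./*mellon_metadata.key ./mellon.key
mv ./*mellon_metadata.xml ./mellon_metadata.xml
chmod 0600 ./mellon.key
# … unchanged: pkcs12 export (if still needed), popd, final echo …
```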