WIP for private / public inviter keys for encryption / decryption

OpenConext · Nov 29, 2023 · 4ffdc12 · 4ffdc12
1 parent d00167e
commit 4ffdc12
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml
@@ -18,6 +18,24 @@
     - serverapplication.yml
   notify: restart inviteserver
 
+- name: Copy / create private key
+  copy:
+    content: "{{ invite_private_key_pkcs8 }}"
+    dest: /opt/openconext/invite/private_key_pkcs8.pem
+    owner: "root"
+    group: root
+    mode: 0740
+  notify: restart inviteserver
+
+- name: copy / create certificate
+  copy:
+    src: "{{ inventory_dir }}/files/certs/invite/public_key.pem"
+    dest: /opt/openconext/invite/public_key.pem
+    owner: "root"
+    group: root
+    mode: 0740
+  notify: restart inviteserver
+
 - name: Place the mockapplication configfiles
   ansible.builtin.template:
     src: "{{ item }}.j2"
@@ -43,6 +61,12 @@
       - source: /opt/openconext/invite/serverapplication.yml
         target: /application.yml
         type: bind
+      - source: /opt/openconext/invite/private_key_pkcs8.pem
+        target: /private_key_pkcs8.pem
+        type: bind
+      - source: /opt/openconext/invite/public_key.pem
+        target: /public_key.pem
+        type: bind
     command: '--spring.config.location=./'
     etc_hosts:
       host.docker.internal: host-gateway

diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
@@ -62,6 +62,9 @@ spring:
   mail:
     host: {{ smtp_host }}
 
+crypto:
+  development-mode: False
+  private-key-location: classpath:private_key_pkcs8.pem
 
 cron:
   node-cron-job-responsible: true

diff --git a/roles/manage-server/tasks/main.yml b/roles/manage-server/tasks/main.yml
@@ -58,7 +58,7 @@
     owner: manage
     group: manage
     mode: "0640"
-  with_items: 
+  with_items:
     - "{{ manage_tabs_enabled }}"
   notify:
     - "restart manage"
@@ -75,6 +75,17 @@
   notify:
     - "restart manage"
 
+- name: copy / create certificate
+  copy:
+    src: "{{ inventory_dir }}/files/certs/invite/public_key.pem"
+    dest: "{{ manage_dir }}/public_invite_key.pem"
+    owner: "root"
+    group: root
+    mode: "0740"
+  notify:
+    - "restart manage"
+
+
 - meta: flush_handlers
 
 - name: Include the role manage_provision_entities to provision the Manage sp to Manage

diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2
@@ -57,6 +57,10 @@ security:
   backdoor_password: {{ manage_backdoor_api_password }}
   api_users_config_path: file://{{ manage_dir }}/manage-api-users.yml
 
+crypto:
+  development-mode: False
+  public-key-location: file://{{ manage_dir }}/public_invite_key.pem
+
 spring:
   mail:
     host: localhost