[ansible] Add hotfix for openid auth
by Nicolas Chauvet
commit 2ce0a59c69007dee0fe9f86dfce022eaf19c1861
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Feb 26 19:51:21 2018 +0100
Add hotfix for openid auth
roles/ipsilon/files/openid_auth.py | 274 ++++++++++++++++++++++++++++++++++++
roles/ipsilon/tasks/main.yml | 5 +
2 files changed, 279 insertions(+), 0 deletions(-)
---
diff --git a/roles/ipsilon/files/openid_auth.py b/roles/ipsilon/files/openid_auth.py
new file mode 100644
index 0000000..6db65ad
--- /dev/null
+++ b/roles/ipsilon/files/openid_auth.py
@@ -0,0 +1,274 @@
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
+
+from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.common import AuthenticationError, InvalidRequest
+from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
+from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
+from ipsilon.util.trans import Transaction
+from ipsilon.util.user import UserSession
+
+from openid.server.server import ProtocolError, EncodingError
+
+import cherrypy
+import time
+import json
+
+
+class AuthenticateRequest(ProviderPageBase):
+
+ def __init__(self, site, provider, *args, **kwargs):
+ super(AuthenticateRequest, self).__init__(site, provider)
+ self.stage = 'init'
+ self.trans = None
+
+ def _preop(self, *args, **kwargs):
+ try:
+ # generate a new id or get current one
+ self.trans = Transaction('openid', **kwargs)
+ if (self.trans.cookie and
+ self.trans.cookie.value != self.trans.provider):
+ self.debug('Invalid transaction, %s != %s' % (
+ self.trans.cookie.value, self.trans.provider))
+ except Exception, e: # pylint: disable=broad-except
+ self.debug('Transaction initialization failed: %s' % repr(e))
+ raise cherrypy.HTTPError(400, 'Invalid transaction id')
+
+ def pre_GET(self, *args, **kwargs):
+ self._preop(*args, **kwargs)
+
+ def pre_POST(self, *args, **kwargs):
+ self._preop(*args, **kwargs)
+
+ def _get_form(self, *args):
+ form = None
+ if args is not None:
+ first = args[0] if len(args) > 0 else None
+ second = first[0] if len(first) > 0 else None
+ if isinstance(second, dict):
+ form = second.get('form', None)
+ return form
+
+ def auth(self, *args, **kwargs):
+ request = None
+ form = self._get_form(args)
+ try:
+ request = self._parse_request(**kwargs)
+ return self._openid_checks(request, form, **kwargs)
+ except InvalidRequest, e:
+ raise cherrypy.HTTPError(e.code, e.message)
+ except AuthenticationError, e:
+ if request is None:
+ raise cherrypy.HTTPError(e.code, e.message)
+ return self._respond(request.answer(False))
+
+ # get attributes, and apply policy mapping and filtering
+ def _source_attributes(self, session):
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = session.get_user_attrs()
+ if 'email' not in userattrs and self.cfg.default_email_domain:
+ userattrs['email'] = '%s@%s' % (userattrs['username'],
+ self.cfg.default_email_domain)
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+ self.debug('Filterd attributes: %s' % repr(attributes))
+ return attributes
+
+ def _parse_request(self, **kwargs):
+ request = None
+ try:
+ request = self.cfg.server.decodeRequest(kwargs)
+ except ProtocolError, openid_error:
+ self.debug('ProtocolError: %s' % openid_error)
+ raise InvalidRequest('Invalid OpenID request')
+
+ if request is None:
+ self.debug('No request')
+ raise cherrypy.HTTPRedirect(self.basepath or '/')
+
+ return request
+
+ def _openid_checks(self, request, form, **kwargs):
+ us = UserSession()
+ user = us.get_user()
+ immediate = False
+
+ self.debug('Mode: %s Stage: %s User: %s' % (
+ kwargs['openid.mode'], self.stage, user.name))
+ if kwargs.get('openid.mode', None) == 'checkid_setup':
+ if user.is_anonymous:
+ if self.stage == 'init':
+ returl = '%s/openid/Continue?%s' % (
+ self.basepath, self.trans.get_GET_arg())
+ data = {'openid_stage': 'auth',
+ 'openid_request': json.dumps(kwargs),
+ 'login_return': returl,
+ 'login_target': request.trust_root}
+ self.trans.store(data)
+ redirect = '%s/login?%s' % (self.basepath,
+ self.trans.get_GET_arg())
+ self.debug('Redirecting: %s' % redirect)
+ raise cherrypy.HTTPRedirect(redirect)
+ else:
+ raise AuthenticationError("unknown user", 401)
+
+ elif kwargs.get('openid.mode', None) == 'checkid_immediate':
+ # This is immediate, so we need to assert or fail
+ if user.is_anonymous:
+ return self._respond(request.answer(False))
+
+ immediate = True
+
+ else:
+ return self._respond(self.cfg.server.handleRequest(request))
+
+ # check if this is discovery or needs identity matching checks
+ if not request.idSelect():
+ idurl = self.cfg.identity_url_template % {'username': user.name}
+ if request.identity != idurl:
+ raise AuthenticationError("User ID mismatch!", 401)
+
+ # check if the relying party is trusted
+ if request.trust_root in self.cfg.untrusted_roots:
+ raise AuthenticationError("Untrusted Relying party", 401)
+
+ # if the party is explicitly whitelisted just respond
+ if request.trust_root in self.cfg.trusted_roots:
+ return self._respond(self._response(request, us))
+
+ allowroot = 'allow-%s' % request.trust_root
+
+ try:
+ userdata = user.load_plugin_data(self.cfg.name)
+ expiry = int(userdata[allowroot])
+ except Exception, e: # pylint: disable=broad-except
+ self.debug(e)
+ expiry = 0
+ if expiry > int(time.time()):
+ self.debug("User has unexpired previous authorization")
+ return self._respond(self._response(request, us))
+
+ if immediate:
+ raise AuthenticationError("No consent for immediate", 401)
+
+ if self.stage == 'consent':
+ if form is None:
+ raise AuthenticationError("Unintelligible consent", 401)
+ allow = form.get('decided_allow', False)
+ if not allow:
+ raise AuthenticationError("User declined", 401)
+ try:
+ days = int(form.get('remember_for_days', '0'))
+ if days < 0 or days > 7:
+ raise InvalidRequest('Invalid number of days to ' +
+ 'remember specified')
+ userdata = {allowroot: str(int(time.time()) + (days*86400))}
+ user.save_plugin_data(self.cfg.name, userdata)
+ except Exception, e: # pylint: disable=broad-except
+ self.debug(e)
+ days = 0
+
+ # all done we consent!
+ return self._respond(self._response(request, us))
+
+ else:
+ data = {'openid_stage': 'consent',
+ 'openid_request': json.dumps(kwargs)}
+ self.trans.store(data)
+
+ # Add extension data to this dictionary
+ ad = {
+ "Trust Root": request.trust_root,
+ }
+ userattrs = self._source_attributes(us)
+ for n, e in self.cfg.extensions.available().items():
+ data = e.get_display_data(request, userattrs)
+ self.debug('%s returned %s' % (n, repr(data)))
+ for key, value in data.items():
+ ad[self.cfg.mapping.display_name(key)] = value
+
+ context = {
+ "title": 'Consent',
+ "action": '%s/openid/Consent' % (self.basepath),
+ "trustroot": request.trust_root,
+ "username": user.name,
+ "authz_details": ad,
+ }
+ context.update(dict((self.trans.get_POST_tuple(),)))
+ return self._template('openid/consent_form.html', **context)
+
+ def _response(self, request, session):
+ user = session.get_user()
+ identity_url = self.cfg.identity_url_template % {'username': user.name}
+ response = request.answer(
+ True,
+ identity=identity_url,
+ claimed_id=identity_url
+ )
+ userattrs = self._source_attributes(session)
+ for _, e in self.cfg.extensions.available().items():
+ resp = e.get_response(request, userattrs)
+ if resp is not None:
+ response.addExtension(resp)
+ return response
+
+ def _respond(self, response):
+ try:
+ self.debug('Response: %s' % response)
+ webresponse = self.cfg.server.encodeResponse(response)
+ cherrypy.response.headers.update(webresponse.headers)
+ cherrypy.response.status = webresponse.code
+ return webresponse.body
+ except EncodingError, encoding_error:
+ self.debug('Unable to respond because: %s' % encoding_error)
+ cherrypy.response.headers = {
+ 'Content-Type': 'text/plain; charset=UTF-8'
+ }
+ cherrypy.response.status = 400
+ return encoding_error.response.encodeToKVForm()
+
+
+class Continue(AuthenticateRequest):
+
+ def GET(self, *args, **kwargs):
+ transdata = self.trans.retrieve()
+ self.stage = transdata.get('openid_stage', None)
+ openid_request = transdata.get('openid_request', None)
+ if self.stage is None or openid_request is None:
+ raise AuthenticationError("unknown state", 400)
+
+ kwargs = json.loads(openid_request)
+ return self.auth(**kwargs)
+
+
+class Consent(AuthenticateRequest):
+
+ def POST(self, *args, **kwargs):
+ transdata = self.trans.retrieve()
+ self.stage = transdata.get('openid_stage', None)
+ openid_request = transdata.get('openid_request', None)
+ if self.stage is None or openid_request is None:
+ raise AuthenticationError("unknown state", 400)
+
+ args = ({'form': kwargs},)
+ kwargs = json.loads(openid_request)
+ return self.auth(*args, **kwargs)
+
+
+class OpenID(AuthenticateRequest):
+
+ def __init__(self, *args, **kwargs):
+ super(OpenID, self).__init__(*args, **kwargs)
+ self.XRDS = XRDSHandler(*args, **kwargs)
+ self.yadis = UserXRDSHandler(*args, **kwargs)
+ self.id = IDHandler(*args, **kwargs)
+ self.Continue = Continue(*args, **kwargs)
+ self.Consent = Consent(*args, **kwargs)
+ self.trans = None
+
+ def GET(self, *args, **kwargs):
+ return self.auth(**kwargs)
+
+ def POST(self, *args, **kwargs):
+ return self.auth(**kwargs)
diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 0da93b0..54fa8de 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -23,6 +23,11 @@
dest=/usr/lib/python2.7/site-packages/openid/server/server.py
owner=root group=root mode=0644
+- name: Apply hotfix for openid auth
+ copy: src=openid_auth.py
+ dest=/usr/lib/python2.7/site-packages/ipsilon/providers/openid/auth.py
+ owner=root group=root mode=0644
+
- name: copy ipsilon templates
copy: src=templates/
dest=/usr/share/ipsilon/templates-fedora
6 years, 7 months
[ansible] Add Services accounts
by Nicolas Chauvet
commit a9a72742cfd59bb1d18a3e5b676b03d0cd890868
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Feb 24 22:23:37 2018 +0100
Add Services accounts
files/aliases.template | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
---
diff --git a/files/aliases.template b/files/aliases.template
index 62b21c3..258f7f6 100644
--- a/files/aliases.template
+++ b/files/aliases.template
@@ -103,4 +103,9 @@ retired-packages: /dev/null
control-center-maint: /dev/null
gecko-bugs-nobody: /dev/null
+# Services Accounts
+twitter: twitter-members
+paypal: paypal-members
+
+
# Account System
6 years, 7 months
[ansible] Remove old aliases.template
by Nicolas Chauvet
commit 2c36093d5ee0053ad3bfb58b6a76dc1bc131d47d
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Feb 24 22:23:00 2018 +0100
Remove old aliases.template
roles/fas_client/files/aliases.template | 105 -------------------------------
1 files changed, 0 insertions(+), 105 deletions(-)
6 years, 7 months
[ansible] Add bastion03
by Nicolas Chauvet
commit 654f37109aca898e8b8315edef4d52cec19dd6f8
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Feb 21 21:56:10 2018 +0100
Add bastion03
inventory/group_vars/home-arm | 1 +
inventory/host_vars/bastion03.virt.rpmfusion.net | 24 ++++++++++++++++++++++
inventory/host_vars/srv03.kwizart.net | 5 ++++
3 files changed, 30 insertions(+), 0 deletions(-)
---
diff --git a/inventory/group_vars/home-arm b/inventory/group_vars/home-arm
new file mode 100644
index 0000000..a3e1d22
--- /dev/null
+++ b/inventory/group_vars/home-arm
@@ -0,0 +1 @@
+datacenter: home
diff --git a/inventory/host_vars/bastion03.virt.rpmfusion.net b/inventory/host_vars/bastion03.virt.rpmfusion.net
new file mode 100644
index 0000000..926948d
--- /dev/null
+++ b/inventory/host_vars/bastion03.virt.rpmfusion.net
@@ -0,0 +1,24 @@
+---
+vmhost: srv03.kwizart.net
+eth0_ip: 192.168.122.103
+gw: 192.168.122.1
+#ks_url: http://192.168.181.254/install/ks/buildvm-05.ks
+ks_repo: http://dl.fedoraproject.org/pub/fedora/linux/releases/27/Server/x86_64/os/
+nm: 255.255.255.0
+gw: 192.168.122.1
+dns: 8.8.8.8
+ks_url: http://dl.kwizart.net/bastion03.ks
+volgroup: /dev/vg_kvm
+datacenter: virt
+
+
+tcp_ports: [ 25, 3128 ]
+udp_ports: [ ]
+custom_rules: [ ]
+
+#
+# We need to mount koji storage rw here so run_root can work.
+# The rest of the group can be ro, it's only builders in the
+# compose channel that need a rw mount
+
+nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
diff --git a/inventory/host_vars/srv03.kwizart.net b/inventory/host_vars/srv03.kwizart.net
new file mode 100644
index 0000000..6584dd3
--- /dev/null
+++ b/inventory/host_vars/srv03.kwizart.net
@@ -0,0 +1,5 @@
+---
+
+ansible_ifcfg_blacklist: true
+freezes: true
+
6 years, 7 months
[ansible] Update koji_builder
by Nicolas Chauvet
commit 1609621734c656d9dd37d3342d857e90d5fb1e53
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Tue Feb 20 14:56:42 2018 +0100
Update koji_builder
roles/koji_builder/tasks/main.yml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml
index 5d79281..f74e2bc 100644
--- a/roles/koji_builder/tasks/main.yml
+++ b/roles/koji_builder/tasks/main.yml
@@ -122,7 +122,7 @@
service: name=virtlogd state=started enabled=yes
tags:
- koji_builder
- when: ansible_distribution_major_version|int > 23 and ansible_architecture != 's390x'
+ when: ansible_distribution_major_version|int > 23 and ansible_architecture != 'armv7l'
- name: create kojid service override directory
file: path=/etc/systemd/system/kojid.service.d state=directory
@@ -187,7 +187,7 @@
# oz.cfg upstream ram and cpu definitions are not enough
- name: oz.cfg
copy: src=oz.cfg dest=/etc/oz/oz.cfg
- when: not inventory_hostname.startswith(('buildppc','buildvm-s390x'))
+ when: ansible_architecture != 'armv7l'
tags:
- koji_builder
@@ -202,7 +202,7 @@
- restart libvirtd
tags:
- koji_builder
- when: ansible_architecture != 's390x'
+ when: ansible_architecture != 'armv7l'
#
# On primary we want to make a /mnt/koji link to /mnt/rpmfusion_koji/koji
6 years, 7 months
[ansible] Various fixes
by Nicolas Chauvet
commit 9385066151ad1584cb010430f3c4efa37e07e0db
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Feb 21 21:50:44 2018 +0100
Various fixes
playbooks/groups/bastion.yml | 2 +-
playbooks/groups/fas.yml | 5 ++---
playbooks/groups/koji-hub.yml | 2 +-
roles/fas_client/files/fas-client.cron | 2 +-
4 files changed, 5 insertions(+), 6 deletions(-)
---
diff --git a/playbooks/groups/bastion.yml b/playbooks/groups/bastion.yml
index c7316e7..3ed10ea 100644
--- a/playbooks/groups/bastion.yml
+++ b/playbooks/groups/bastion.yml
@@ -36,6 +36,6 @@
tasks:
- name: install needed packages
- yum: pkg={{ item }} state=present
+ package: name={{ item }} state=present
with_items:
- ipmitool
diff --git a/playbooks/groups/fas.yml b/playbooks/groups/fas.yml
index b766734..3e5e2d4 100644
--- a/playbooks/groups/fas.yml
+++ b/playbooks/groups/fas.yml
@@ -7,7 +7,7 @@
user: root
gather_facts: True
- vars_files:
+ vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
@@ -21,7 +21,7 @@
- collectd/base
- rsyncd
- memcached
- - apache
+ - mod_wsgi
- fas_server
- fedmsg/base
- sudo
@@ -32,7 +32,6 @@
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
- - import_tasks: "{{ tasks_path }}/mod_wsgi.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 1f4c6a6..40854fe 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -2,7 +2,7 @@
# NOTE: should be used with --limit most of the time
# NOTE: most of these vars_path come from group_vars/koji-hub or from hostvars
-- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=koji-stg:koji01.rpmfusion.org:koji02.rpmfusion.org:s390-koji01.qa..."
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=koji-stg:koji"
# Once the instance exists, configure it.
diff --git a/roles/fas_client/files/fas-client.cron b/roles/fas_client/files/fas-client.cron
index 6c9a948..f86928c 100644
--- a/roles/fas_client/files/fas-client.cron
+++ b/roles/fas_client/files/fas-client.cron
@@ -1 +1 @@
-00 20 * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 900)); /usr/bin/fasClient -i | /usr/local/bin/nag-once fassync 1d 2>&1"
+00 20 * * * root /usr/local/bin/lock-wrapper fasClient "/bin/sleep $(($RANDOM \% 900)); /usr/bin/fasClient -i |& grep -vi deprecation | /usr/local/bin/nag-once fassync 1d 2>&1"
6 years, 7 months
[ansible] Fix custom_redirect for aarch64
by Nicolas Chauvet
commit a3f0c2f13ca4d1244a95e36802bd180ca7cfc3b4
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Feb 21 21:49:53 2018 +0100
Fix custom_redirect for aarch64
files/squid/custom_redirect.py | 23 ++++++++++++++++-------
1 files changed, 16 insertions(+), 7 deletions(-)
---
diff --git a/files/squid/custom_redirect.py b/files/squid/custom_redirect.py
index 00f4f03..614a7fc 100755
--- a/files/squid/custom_redirect.py
+++ b/files/squid/custom_redirect.py
@@ -14,24 +14,33 @@ def modify_url(line):
# do remember that the new_url should contain a '\n' at the end.
if 'dl.fedoraproject.org' in old_url:
#if 'rawhide' or '/26/' or '/27/' in old_url:
- if '/fedora/linux/' in old_url:
- if '/25/' not in old_url:
- if '/i386/' in old_url:
- new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n'
- elif '/ppc64' in old_url:
- new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n'
- elif '/aarch64/' in old_url:
+ if '/fedora/' in old_url:
+ if '/i386/' in old_url:
+ new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n'
+ return new_url
+
+ elif '/ppc64' in old_url:
+ new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n'
+ return new_url
+
+ if '/27/' in old_url or '/26/' in old_url :
+ if '/aarch64/' in old_url:
new_url = old_url.replace('/fedora/linux/', '/fedora-secondary/') + '\n'
+ return new_url
if '/epel/7/' in old_url:
if '/i386/' in old_url:
new_url = old_url.replace('/i386/', '/x86_64/') + '\n'
+ return new_url
+
+ return new_url
#altarch support for centos
if 'mirror.centos.org' in old_url:
if '/centos/6/' not in old_url:
if '/x86_64/' not in old_url:
new_url = old_url.replace('/centos/', '/altarch/') + '\n'
+ return new_url
return new_url
6 years, 7 months