commit 3b244f319c1e2e77aafc50ff973e01836c5d76cc
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Mar 14 20:43:09 2021 +0100
Update ipsilon
roles/ipsilon/files/templates/index.html | 2 +-
roles/ipsilon/files/templates/internalerror.html | 2 +-
roles/ipsilon/files/templates/login/form.html | 7 ++-
roles/ipsilon/files/templates/login/index.html | 2 +-
roles/ipsilon/files/templates/master-user.html | 68 +++++++++++++++++++
roles/ipsilon/files/templates/notfound.html | 2 +-
.../files/templates/openid/consent_form.html | 15 +---
roles/ipsilon/files/templates/openid/userpage.html | 2 +-
.../files/templates/openidc/consent_form.html | 58 ++++++++++++++++
.../files/templates/persona/provisioning.html | 2 +-
.../files/templates/persona/signin_result.html | 2 +-
roles/ipsilon/files/templates/unauthorized.html | 2 +-
roles/ipsilon/handlers/main.yml | 5 ++
roles/ipsilon/templates/configuration.conf | 71 +++++++++++++++++---
14 files changed, 210 insertions(+), 30 deletions(-)
---
diff --git a/roles/ipsilon/files/templates/index.html
b/roles/ipsilon/files/templates/index.html
index d217b7a..8a80614 100644
--- a/roles/ipsilon/files/templates/index.html
+++ b/roles/ipsilon/files/templates/index.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
This is the Federated Open Authentication provider homepage.
{% endblock %}
diff --git a/roles/ipsilon/files/templates/internalerror.html
b/roles/ipsilon/files/templates/internalerror.html
index 055e903..6979f17 100644
--- a/roles/ipsilon/files/templates/internalerror.html
+++ b/roles/ipsilon/files/templates/internalerror.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
500 - Internal Server Error
{% endblock %}
diff --git a/roles/ipsilon/files/templates/login/form.html
b/roles/ipsilon/files/templates/login/form.html
index 5a8a725..881ebf0 100644
--- a/roles/ipsilon/files/templates/login/form.html
+++ b/roles/ipsilon/files/templates/login/form.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block title %}Login{% endblock %}
{% block toptext %}
@@ -29,6 +29,11 @@
</div>
<div class="form-group row m-b-0">
<div class="col-xs-12">
+ By using Fedora services, you agree to the terms of
Fedora's <a
href="https://fedoraproject.org/wiki/Legal:PrivacyPolicy">pr...
policy</a>
+ </div>
+ </div>
+ <div class="form-group row m-b-0">
+ <div class="col-xs-12">
<input class="btn btn-primary"
type="submit" id="loginbutton" value="Log in" />
</div>
</div>
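Review bot: The notice added above the submit button, `By using Fedora services, you agree to the terms of Fedora's ... privacy policy`, names Fedora on a page that the new master-user.html footer and the `fas FAS url` setting in configuration.conf identify as the RPM Fusion FAS login; either RPM Fusion deliberately adopts Fedora's policy, in which case the sentence should say so, or the text was carried over unchanged. The same Fedora-specific wording and links recur in the master-user.html footer, in the `Please note that this service is hosted outside of Fedora Project` line of openid/consent_form.html, and in the `openidc policy url`/`openidc tos url` values in configuration.conf (where the tos URL also points at the privacy policy page rather than a terms-of-service page). A wording that names RPM Fusion as the service, e.g. `By using RPM Fusion services, you agree to the terms of the privacy policy`, keeps the sentence accurate whichever policy is linked.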
diff --git a/roles/ipsilon/files/templates/login/index.html
b/roles/ipsilon/files/templates/login/index.html
index 14ec837..944cb7b 100644
--- a/roles/ipsilon/files/templates/login/index.html
+++ b/roles/ipsilon/files/templates/login/index.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block title %}Login{% endblock %}
{% block toptext %}
{{ login_target }} is asking to authenticate using Ipsilon
diff --git a/roles/ipsilon/files/templates/master-user.html
b/roles/ipsilon/files/templates/master-user.html
new file mode 100644
index 0000000..935a3ee
--- /dev/null
+++ b/roles/ipsilon/files/templates/master-user.html
@@ -0,0 +1,68 @@
+<!doctype html>
+<html>
+ <head>
+ <meta charset="UTF-8">
+ <title>{{ title }}</title>
+
+ <link rel="shortcut icon" type="image/vnd.microsoft.icon"
+
href="//fedoraproject.org/static/images/favicon.ico"/>
+
+ <!--<link rel="stylesheet" href="{{ basepath
}}/ui/fedora/fedora.css?v=0c4c5a3ae8781de41b62d3f5862a8e46">-->
+ <link
href="https://apps.fedoraproject.org/global/fedora-bootstrap-1.0/fed...
rel="stylesheet">
+ <link
href='/ui/fedora/fonts/fonts.css?v=67bec19c506ab613d1922c53f63ae4ba'
rel='stylesheet' type='text/css'>
+ <meta name="generator" content="Ipsilon">
+ <style>
+ .bodycontent { min-height: 85vh; }
+ </style>
+
+
+ {%- if heads %}
+ {%- for group, value in heads.items() %}
+ {%- for head in value %}
+ {{ head | safe }}
+ {%- endfor %}
+ {%- endfor %}
+ {%- endif %}
+ </head>
+ <body>
+ <div class="masthead">
+ <div class="container text-center">
+ <img alt="logo" src="{{ basepath
}}/ui/fedora/fedora-authn-logo-white.png?v=dcabcce440f62c6282cfffb82f2f5614"
height=40px />
+ </div>
+ </div>
+ <div class="bodycontent p-t-lg">
+ <div class="container">
+ <div class="row">
+ <div class="col-sm-10 col-sm-offset-1">
+ <div class="row">
+ <div class="col-xs-12 text-center">
+ {% block toptext %}{% endblock %}
+ </div>
+ </div>
+ <div class="row p-b-lg">
+ <div class="{% block cardwidths %}{% endblock
%}">
+ <div class="card">
+ <div class="card-header small">
+ {% block maintitle %}{% endblock %}
+ </div>
+ <div class="card-block">
+ {% block main %}{% endblock %}
+ </div>
+ </div>
+ {% block after_card %}{% endblock %}
+ </div>
+ </div>
+ </div>
+ </div>
+ </div>
+ </div>
+
+ <div class="footer p-t p-b text-center">
+ <div class="container">
+ <p class="text-muted credit">
+ <a
href="https://fedoraproject.org/wiki/Legal:PrivacyPolicy">Pr...
Policy</a> | RPM Fusion FAS Login is powered by <a
href="https://ipsilon-project.org/"
target="_blank">Ipsilon</a>
+ </p>
+ </div>
+ </div>
+ </body>
+</html>
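Review bot: The login-page layout loads its stylesheet cross-origin from apps.fedoraproject.org (the `fedora-bootstrap-1.0` `<link>` in `<head>`) without `integrity` or `crossorigin` attributes, so the rendering of every login and consent form depends on whatever that host serves at load time; a stylesheet alone can reshape or overlay the credential form, so the file should either be served locally, as the commented-out `{{ basepath }}/ui/fedora/fedora.css` line suggests was once done, or be pinned with Subresource Integrity by adding `integrity="sha384-<digest of the pinned file>" crossorigin="anonymous"` to that `<link>`. The favicon `href="//fedoraproject.org/static/images/favicon.ico"` is protocol-relative; a fixed `https://` URL avoids an http fetch if the page is ever served over http. `{{ head | safe }}` in the `heads` loop renders unescaped markup by design, which is fine as long as `heads` only ever carries server-side plugin markup — a `{# heads: server-provided markup only, never user input #}` comment next to it would make that contract explicit.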
diff --git a/roles/ipsilon/files/templates/notfound.html
b/roles/ipsilon/files/templates/notfound.html
index 38203cb..b853c95 100644
--- a/roles/ipsilon/files/templates/notfound.html
+++ b/roles/ipsilon/files/templates/notfound.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
404 - Not Found
{% endblock %}
diff --git a/roles/ipsilon/files/templates/openid/consent_form.html
b/roles/ipsilon/files/templates/openid/consent_form.html
index afa9011..cefff1f 100644
--- a/roles/ipsilon/files/templates/openid/consent_form.html
+++ b/roles/ipsilon/files/templates/openid/consent_form.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
<p><small><strong>{{trustroot}}</strong> requests to use the
following details from your FAS Account</small></p>
{% endblock %}
@@ -18,16 +18,9 @@
{%- endif -%}
</div>
{% endfor %}
-
- <div class="row m-b">
- <div
class="col-sm-5"><strong>Remember approval</strong></div>
- <div class="col-sm-7"><select
name="remember_for_days" class="c-select-sm c-select">
- <option value="0">never</option>
- <option value="3">3 days</option>
- <option value="7">7 days</option>
- </select>
- </div>
- </div>
+ <div class="row m-b">
+ Please note that this service is hosted outside of Fedora Project, and
thus has its own privacy policy.
+ </div>
<p class="form_item">
<input class="btn btn-primary"
name="decided_allow" type="submit" value="Approve" />
<input class="btn btn-link" name="decided_deny"
type="submit" value="Reject" />
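Review bot: Dropping the `remember_for_days` `<select>` (the removed `Remember approval` row) means the consent form no longer posts that field at all, so users will be asked to approve on every login unless the provider itself treats a missing value as 0; if that is the intent it is worth stating in the commit message, and if the provider reads the field unconditionally the form needs `<input type="hidden" name="remember_for_days" value="0">` to keep the POST shape. The handler is not visible from here, so confirm against Ipsilon's OpenID provider code. The new notice `Please note that this service is hosted outside of Fedora Project` is shown for every trust root, including RPM Fusion's own services, so consider conditioning it on the trust root or rewording it.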
diff --git a/roles/ipsilon/files/templates/openid/userpage.html
b/roles/ipsilon/files/templates/openid/userpage.html
index 74ae88a..efe6e9f 100644
--- a/roles/ipsilon/files/templates/openid/userpage.html
+++ b/roles/ipsilon/files/templates/openid/userpage.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
This is the OpenID page for {{username}}.
{% endblock %}
diff --git a/roles/ipsilon/files/templates/openidc/consent_form.html
b/roles/ipsilon/files/templates/openidc/consent_form.html
new file mode 100644
index 0000000..a1e2699
--- /dev/null
+++ b/roles/ipsilon/files/templates/openidc/consent_form.html
@@ -0,0 +1,58 @@
+{% extends "master-user.html" %}
+{% block main %}
+
+<div>
+ <p>The OpenID Connect client <b>
+{%- if client['homepage'] %}
+ <a href="{{ client['homepage'] }}">{{ client['name']
}}</a>
+{% else %}
+ {{ client['name'] }}
+{%- endif %}
+ </b> is asking
+ to authorize access for <b>{{ username }}</b>.</p>
+ <p>Please review the authorization details</p>
+
+{%- if client['policy'] %}
+ <p><a href="{{ client['policy'] }}">Client privacy
policy</a></p>
+{% endif %}
+{%- if client['tos'] %}
+ <p><a href="{{ client['tos'] }}">Client terms of
service</a></p>
+{%- endif %}
+</div>
+
+<div>
+ <form class="form-horizontal" role="form"
id="consent_form" action="{{ action }}" method="post"
enctype="application/x-www-form-urlencoded">
+ <input type="hidden" name="ipsilon_transaction_id"
id="ipsilon_transaction_id" value="{{ ipsilon_transaction_id }}">
+
+ <div class="list-group">
+{%- for item in claim_requests|dictsort %}
+ <div class="list-group-item">
+ <div>
+ <strong>{{ item[1]['display_name'] }}</strong>
+ </div>
+ <div>{{ item[1]['value'] }}</div>
+ </div>
+{%- endfor %}
+{%- for item in scopes|dictsort %}
+ <div class="m-t-md"><strong>{{ item[0]
}}</strong></div>
+{%- for item in item[1]|dictsort %}
+ <div class="list-group-item">
+ <div>
+ <!-- Empty, so that values come on the right hand -->
+ </div>
+ <div>{{ item[1] }}</div>
+ </div>
+{%- endfor %}
+{%- endfor %}
+ </div>
+
+ <div class="form-group text-right m-t-md">
+ <div class="submit">
+ <button type="submit" name="decided_deny"
value="Reject" class="btn btn-secondary btn-lg"
tabindex="3">Reject</button>
+ <button type="submit" name="decided_allow"
value="Allow" class="btn btn-primary btn-lg"
tabindex="3">Allow</button>
+ </div>
+ </div>
+ </form>
+</div>
+
+{% endblock %}
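Review bot: `client['homepage']`, `client['policy']` and `client['tos']` are written straight into `href` attributes in the `<div>` above the form; Jinja escaping keeps them inside the attribute but does not constrain the URL scheme, so a registered client record could carry a non-http(s) link. With `openidc allow dynamic client registration=False` in configuration.conf these values come only from the static client file, which limits this to operator error today, but a guard such as `{%- if client['homepage'] and client['homepage'].startswith(('http://', 'https://')) %}` is cheap defense in depth should registration ever be opened. Two style nits: the inner scope loop `{%- for item in item[1]|dictsort %}` reuses the outer loop's name `item`, which reads like a typo — `{%- for scope_item in item[1]|dictsort %}` with `{{ scope_item[1] }}` is clearer — and both Reject and Allow carry `tabindex="3"`, so keyboard order between them is left to document order.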
diff --git a/roles/ipsilon/files/templates/persona/provisioning.html
b/roles/ipsilon/files/templates/persona/provisioning.html
index 0ced48f..1142c11 100644
--- a/roles/ipsilon/files/templates/persona/provisioning.html
+++ b/roles/ipsilon/files/templates/persona/provisioning.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
This page is used internally
{% endblock %}
diff --git a/roles/ipsilon/files/templates/persona/signin_result.html
b/roles/ipsilon/files/templates/persona/signin_result.html
index a2fc18b..b2ab0e8 100644
--- a/roles/ipsilon/files/templates/persona/signin_result.html
+++ b/roles/ipsilon/files/templates/persona/signin_result.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block toptext %}
This page is used internally
{% endblock %}
diff --git a/roles/ipsilon/files/templates/unauthorized.html
b/roles/ipsilon/files/templates/unauthorized.html
index 9762691..0de3ebf 100644
--- a/roles/ipsilon/files/templates/unauthorized.html
+++ b/roles/ipsilon/files/templates/unauthorized.html
@@ -1,4 +1,4 @@
-{% extends "layout.html" %}
+{% extends "master-user.html" %}
{% block maintitle %}
401 - Unauthorized
{% endblock %}
diff --git a/roles/ipsilon/handlers/main.yml b/roles/ipsilon/handlers/main.yml
new file mode 100644
index 0000000..8121eba
--- /dev/null
+++ b/roles/ipsilon/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart sssd
+ service:
+ name: sssd
+ state: restarted
+
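Review bot: The new `restart sssd` handler is not notified by anything in this commit — the diffstat touches only templates and this handler file, with no change under `roles/ipsilon/tasks/` — so it stays inert until a task adds `notify: restart sssd`; if a tasks change was meant to accompany it, that change appears to be missing. The trailing blank line at the end of the file can go.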
diff --git a/roles/ipsilon/templates/configuration.conf
b/roles/ipsilon/templates/configuration.conf
index 52d0ab0..6067b47 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -4,25 +4,47 @@ fas FAS
url=https://admin.rpmfusion.org/accounts/
fas FAS Proxy client user Agent=RPM Fusion Ipsilon
fas FAS Insecure Auth=True
-
-
+[authz_config]
+global enabled=allow
[provider_config]
-global enabled=persona,openid
+global enabled=openid,saml2,openidc
+
+{% if env == "production" %}
+openidc enabled
extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest
+{% else %}
+openidc enabled
extensions=fedora-account,mbs,beaker,waiverdb,odcs,wiki,src,fpdc,kerneltest
+{% endif %}
{% if env == 'staging' %}
-persona allowed
domains=stg.fedoraproject.org
-persona issuer
domain=id.stg.fedoraproject.org
-persona idp key file=/etc/ipsilon/persona.stg.key
+openidc subject salt={{ ipsilon_stg_openidc_subject_salt }}
+{% else %}
+openidc subject salt={{ ipsilon_openidc_subject_salt }}
+{% endif %}
+openidc endpoint
url=https://id{{env_suffix}}.rpmfusion.org/openidc/
+{% if env == 'staging' %}
+openidc idp key file=/etc/ipsilon/root/openidc.key
+openidc static database url=configfile:///etc/ipsilon/root/openidc.static.cfg
+{% else %}
+openidc idp key file=/etc/ipsilon/openidc.key
+openidc static database url=configfile:///etc/ipsilon/openidc.static.cfg
+{% endif %}
+openidc database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
+openidc documentation
url=https://fedoraproject.org/wiki/Infrastructure/Authentication
+openidc policy
url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
+openidc tos
url=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
+openidc idp sig key id=20161031-sig
+openidc allow dynamic client registration=False
+{% if env == 'staging' %}
+openidc default attribute mapping=[["*", "*"], ["_groups",
"groups"], [["_extras", "cla"], "cla"],
["fullname", "name"], ["_username", "nickname"],
["_username", "preferred_username"], ["fasIRCNick",
"ircnick"], ["fasLocale", "locale"],
["fasTimeZone", "zoneinfo"], ["fasTimeZone",
"timezone"], ["fasWebsiteURL", "website"],
["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey",
"ssh_key"], ["fasIsPrivate", "privacy"],
["fullname", "human_name"]]
{% else %}
-persona allowed
domains=fedoraproject.org
-persona issuer
domain=id.rpmfusion.org
-persona idp key file=/etc/ipsilon/persona.key
+openidc default attribute mapping=[["*", "*"], ["timezone",
"zoneinfo"], ["_groups", "groups"], [["_extras",
"cla"], "cla"], ["fullname", "name"],
["_username", "preferred_username"]]
{% endif %}
{% if env == 'staging' %}
openid endpoint
url=https://id.stg.rpmfusion.org/openid/
-openid identity url
template=http://%(username)s.id.stg.rpmfusion.org/
+#openid identity url
template=http://%(username)s.id.stg.rpmfusion.org/
+openid identity url
template=http://id.rpmfusion.org/openid/id/%(username)s/
openid trusted roots=
{% else %}
openid endpoint
url=https://id.rpmfusion.org/openid/
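Review bot: In the staging branch of the openid settings, the replacement `openid identity url template=http://id.rpmfusion.org/openid/id/%(username)s/` names the production host while the `openid endpoint url` directly above it is `https://id.stg.rpmfusion.org/openid/`, so staging would mint identity URLs under the production origin; this reads as a copy error and the staging line should presumably use the `id.stg.rpmfusion.org` host (the production counterpart sits between the two hunks and is not visible here). The commented-out `#openid identity url template=...` line above it is dead config and can simply be removed. The new `[authz_config]` block with `global enabled=allow` grants every authenticated account access to every provider and service; that is only correct if no per-service restriction is wanted, so a one-line comment stating that intent would help the next reader. The `{% if env == "production" %}`/`{% else %}` pair around `openidc enabled extensions` sets the same value on both branches and can collapse to one unconditional line — and that extension list (mbs, beaker, waiverdb, odcs, fpdc, kerneltest) looks Fedora-specific, so confirm each of those extensions exists in this deployment.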
@@ -32,4 +54,33 @@ openid trusted
roots=https://admin.rpmfusion.org/pkgdb/,https://admin.rpmfusion.
openid database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
ipsilon_db_host }}/{{ ipsilon_db_openid_name }}
openid untrusted roots=
openid enabled extensions=Fedora Teams,Attribute Exchange,CLAs,Simple Registration,API
+{% if env == 'staging' %}
+openid default attribute mapping=[["*", "*"], ["_groups",
"groups"], [["_extras", "cla"], "cla"],
["fullname", "name"], ["_username", "nickname"],
["_username", "preferred_username"], ["fasIRCNick",
"ircnick"], ["fasLocale", "locale"],
["fasTimeZone", "zoneinfo"], ["fasTimeZone",
"timezone"], ["fasWebsiteURL", "website"],
["fasGPGKeyId", "gpg_keyid"], ["ipaSshPubKey",
"ssh_key"], ["fasIsPrivate", "privacy"],
["fullname", "human_name"]]
+{% else %}
+openid default attribute mapping=[["*", "*"], ["timezone",
"zoneinfo"], ["_groups", "groups"], [["_extras",
"cla"], "cla"], ["fullname", "name"],
["_username", "preferred_username"]]
+{% endif %}
+{% if env == 'staging' %}
+saml2 idp metadata file=metadata.xml
+saml2 idp storage path=/etc/ipsilon/root/saml2
+saml2 idp nameid salt={{ ipsilon_stg_saml2_nameid_salt }}
+saml2 idp certificate file=idp.crt
+saml2 idp key file=idp.key
+{% else %}
+saml2 idp metadata file=/httpdir/metadata.xml
+saml2 idp storage path=/etc/ipsilon
+saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
+saml2 idp certificate file=saml2_idp.crt
+saml2 idp key file=saml2_idp.key
+{% endif %}
+saml2 allow self registration=False
+saml2 default nameid=transient
+saml2 default email
domain=rpmfusion.org
+saml2 session database url=postgresql://{{ ipsilon_db_user }}:{{ ipsilon_db_pass }}@{{
ipsilon_db_host }}/{{ ipsilon_db_saml2_name }}
+
+[saml2_data]
+{% if env == 'staging' %}
+{% include "saml2_data_stg" %}
+{% else %}
+{% include "saml2_data" %}
+{% endif %}
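Review bot: The new `[saml2_data]` section includes `saml2_data_stg` and `saml2_data`, but neither template is in this commit's diffstat; unless they already exist under `roles/ipsilon/templates/`, rendering configuration.conf fails for both environments. The SAML key material it references (`saml2_idp.crt`/`saml2_idp.key` for production, `idp.crt`/`idp.key` presumably resolved against the `/etc/ipsilon/root/saml2` storage path for staging) is likewise not provisioned by this commit, so the role relies on files placed out of band — a comment in the template saying where they come from would save the next operator a search. The `openid default attribute mapping` values added here are a verbatim copy of the `openidc default attribute mapping` values in the hunk above; moving the two lists into role variables (e.g. `ipsilon_attribute_mapping` / `ipsilon_stg_attribute_mapping`) keeps them from drifting apart.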