4.0 portal (#256)

* add option for http_redirect_host * rm maintenance_ip_whitelist * add oidc_crypto_passphrase option
OSC · Dec 10, 2024 · 58b3155 · 58b3155
1 parent 2a364db
commit 58b3155
Show file tree

Hide file tree

Showing 8 changed files with 88 additions and 4 deletions.
diff --git a/defaults/main/ood_portal.yml b/defaults/main/ood_portal.yml
@@ -15,6 +15,7 @@
 # - 443
 
 httpd_use_rewrites: true
+ood_http_redirect_host: '%{HTTP_HOST}'
 maintenance_ip_allowlist: []
 use_maintenance: true
 # security_csp_frame_ancestors:
@@ -118,6 +119,7 @@ oidc_settings_samefile: false
 # oidc_state_max_number_of_cookies: "10 true"
 # oidc_cookie_same_site: "On"
 # oidc_settings: {}
+# ood_oidc_crypto_passphrase: changeme
 # dex_uri: null
 # dex_settings: |
 #   dex:

diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2
@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd
@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 b/molecule/default/fixtures/config/ood_portal.yml.default.apache2
@@ -80,6 +80,12 @@ logroot: "/var/log/apache2"
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -380,6 +386,12 @@ pun_max_retries: 5
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd
@@ -80,6 +80,12 @@ logroot: "/var/log/httpd"
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -380,6 +386,12 @@ pun_max_retries: 5
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2
@@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -381,6 +387,12 @@ oidc_remote_user_claim: email
 # Default: "openid profile email"
 oidc_scope: "openid profile email groups"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd
@@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -381,6 +387,12 @@ oidc_remote_user_claim: email
 # Default: "openid profile email"
 oidc_scope: "openid profile email groups"
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800

diff --git a/templates/ood_portal.yml.j2 b/templates/ood_portal.yml.j2
@@ -108,6 +108,12 @@ logroot: "{{ apache_log_dir }}"
 # Default: true
 use_rewrites: {{ httpd_use_rewrites | bool | lower }}
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+#     http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '{{ ood_http_redirect_host }}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 #   use_maintenance: false
@@ -125,10 +131,6 @@ maintenance_ip_allowlist:
 {% for item in maintenance_ip_allowlist  %}
   - '{{ item }}'
 {% endfor %}
-{% elif maintenance_ip_whitelist is defined and maintenance_ip_whitelist|length > 0 %}
-{% for item in maintenance_ip_whitelist  %}
-  - '{{ item }}'
-{% endfor %}
 {% else %}
 maintenance_ip_allowlist: []
 {% endif %}
@@ -477,6 +479,14 @@ pun_max_retries: {{ pun_max_retries }}
 {% else %}#oidc_scope: "openid profile email"
 {% endif %}
 
+# OIDC crypto passphrase
+# Example:
+#   oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+{% if oidc_crypto_passphrase is defined %}oidc_crypto_passphrase: {{ ood_oidc_crypto_passphrase }}
+{% else %}#oidc_crypto_passphrase: ~
+{% endif %}
+
 # OIDC session inactivity timeout
 # Example:
 #     oidc_session_inactivity_timeout: 28800