From 58b3155e30477eea198e4296c53820c697c642c8 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Tue, 10 Dec 2024 10:15:30 -0500
Subject: [PATCH] 4.0 portal (#256)

* add option for http_redirect_host
* rm maintenance_ip_whitelist
* add oidc_crypto_passphrase option
---
 defaults/main/ood_portal.yml | 2 ++
 .../config/ood_portal.yml.custom.apache2 | 12 ++++++++++++
 .../config/ood_portal.yml.custom.httpd | 12 ++++++++++++
 .../config/ood_portal.yml.default.apache2 | 12 ++++++++++++
 .../config/ood_portal.yml.default.httpd | 12 ++++++++++++
 .../config/ood_portal.yml.oidc.apache2 | 12 ++++++++++++
 .../fixtures/config/ood_portal.yml.oidc.httpd | 12 ++++++++++++
 templates/ood_portal.yml.j2 | 18 ++++++++++++++----
 8 files changed, 88 insertions(+), 4 deletions(-)
diff --git a/defaults/main/ood_portal.yml b/defaults/main/ood_portal.yml
index 6754cef..5a8915f 100644
--- a/defaults/main/ood_portal.yml
+++ b/defaults/main/ood_portal.yml
@@ -15,6 +15,7 @@
 # - 443
 
 httpd_use_rewrites: true
+ood_http_redirect_host: '%{HTTP_HOST}'
 maintenance_ip_allowlist: []
 use_maintenance: true
 # security_csp_frame_ancestors:
@@ -118,6 +119,7 @@ oidc_settings_samefile: false
 # oidc_state_max_number_of_cookies: "10 true"
 # oidc_cookie_same_site: "On"
 # oidc_settings: {}
+# ood_oidc_crypto_passphrase: changeme
 # dex_uri: null
 # dex_settings: |
 # dex:
diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2
index d6b712e..d7a7d5d 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2
+++ b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2
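Review bot: The new `# ood_oidc_crypto_passphrase: changeme` entry in the second hunk documents a secret but says nothing about how it should be provided, and the template comment added elsewhere in this patch states that the fallback is the SHA1 sum of the servername, a value derived from a public hostname rather than a secret. The defaults file is where operators look first, so I would extend the comment to `# ood_oidc_crypto_passphrase: changeme  # secret; set a random value from vault rather than relying on the servername-derived default`. Presumably this feeds mod_auth_openidc's crypto passphrase for its session and state cookies, which is why a predictable value matters; confirm against the consumer before the comment asserts that.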
@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd
index 06568df..4afce90 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd
+++ b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd
@@ -82,6 +82,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -386,6 +392,12 @@ oidc_uri: /custom-oidc-path
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 b/molecule/default/fixtures/config/ood_portal.yml.default.apache2
index 2f8aede..3625f81 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.default.apache2
+++ b/molecule/default/fixtures/config/ood_portal.yml.default.apache2
@@ -80,6 +80,12 @@ logroot: "/var/log/apache2"
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -380,6 +386,12 @@ pun_max_retries: 5
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd
index e1c89b2..9188b02 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.default.httpd
+++ b/molecule/default/fixtures/config/ood_portal.yml.default.httpd
@@ -80,6 +80,12 @@ logroot: "/var/log/httpd"
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -380,6 +386,12 @@ pun_max_retries: 5
 # Default: "openid profile email"
 #oidc_scope: "openid profile email"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2
index 4c724bf..9bc1908 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2
+++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2
@@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -381,6 +387,12 @@ oidc_remote_user_claim: email
 # Default: "openid profile email"
 oidc_scope: "openid profile email groups"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd
index 5e0ab2b..e20ae6b 100644
--- a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd
+++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd
@@ -81,6 +81,12 @@ logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e
 # Default: true
 use_rewrites: true
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '%{HTTP_HOST}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -381,6 +387,12 @@ oidc_remote_user_claim: email
 # Default: "openid profile email"
 oidc_scope: "openid profile email groups"
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+#oidc_crypto_passphrase: ~
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
diff --git a/templates/ood_portal.yml.j2 b/templates/ood_portal.yml.j2
index 803892d..c47cfb7 100644
--- a/templates/ood_portal.yml.j2
+++ b/templates/ood_portal.yml.j2
@@ -108,6 +108,12 @@ logroot: "{{ apache_log_dir }}"
 # Default: true
 use_rewrites: {{ httpd_use_rewrites | bool | lower }}
 
+# Specify the host to redirect to when redirecting from port 80
+# Example:
+# http_redirect_host: my.proxy.host
+# Default: '%{HTTP_HOST}'
+http_redirect_host: '{{ ood_http_redirect_host }}'
+
 # Should Maintenance Rewrite rules be added
 # Example:
 # use_maintenance: false
@@ -125,10 +131,6 @@ maintenance_ip_allowlist:
 {% for item in maintenance_ip_allowlist %}
 - '{{ item }}'
 {% endfor %}
-{% elif maintenance_ip_whitelist is defined and maintenance_ip_whitelist|length > 0 %}
-{% for item in maintenance_ip_whitelist %}
- - '{{ item }}'
-{% endfor %}
 {% else %}
 maintenance_ip_allowlist: []
 {% endif %}
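Review bot: The comment block added above `http_redirect_host: '{{ ood_http_redirect_host }}'` in the first templates/ood_portal.yml.j2 hunk explains the option but not what the default does: in an Apache rewrite rule `%{HTTP_HOST}` expands to the Host header of the incoming request, so with the default the port-80 redirect targets whatever host name the client sent. One more line in the block would tell operators when to pin it, e.g. `# Note: the default reuses the request's Host header; set a fixed hostname if the redirect target must not depend on client input`. The same block is duplicated into the six molecule fixtures in this patch, so any wording change has to be mirrored there, assuming the fixtures are compared against rendered output.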
@@ -477,6 +479,14 @@ pun_max_retries: {{ pun_max_retries }}
 {% else %}#oidc_scope: "openid profile email"
 {% endif %}
 
+# OIDC crypto passphrase
+# Example:
+# oidc_crypto_passphrase: "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+# Default: SHA1 sum of servername
+{% if oidc_crypto_passphrase is defined %}oidc_crypto_passphrase: {{ ood_oidc_crypto_passphrase }}
+{% else %}#oidc_crypto_passphrase: ~
+{% endif %}
+
 # OIDC session inactivity timeout
 # Example:
 # oidc_session_inactivity_timeout: 28800
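Review bot: The guard `{% if oidc_crypto_passphrase is defined %}` tests a different variable from the one rendered on the same line, `ood_oidc_crypto_passphrase`, which is also the name documented in defaults/main/ood_portal.yml in this patch. Setting `ood_oidc_crypto_passphrase` therefore leaves the key commented out and the consumer falls back to its servername-derived default, while defining `oidc_crypto_passphrase` instead makes the render reference an undefined variable, which fails under Ansible's default strict undefined handling. The line should read `{% if ood_oidc_crypto_passphrase is defined %}oidc_crypto_passphrase: {{ ood_oidc_crypto_passphrase | to_json }}`, the `to_json` filter keeping a passphrase that contains quotes, ` #` or a leading indicator character a single valid YAML scalar. All six fixtures in this patch only cover the commented-out branch (`#oidc_crypto_passphrase: ~`), so a molecule scenario that sets the variable would have caught the mismatch.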