Puppet Class: apereo_cas

Defined in:
modules/apereo_cas/manifests/init.pp

Summary

Class to configure Apero CAS

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • idp_nodes (Array[Stdlib::Fqdn])

    list of idp nodes

  • tgc_signing_key (Optional[String[1]]) (defaults to: undef)

    the tgc signing key

  • tgc_encryption_key (Optional[String[1]]) (defaults to: undef)

    the tgc encyption key

  • tgc_cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: 'none')

    set the SameSite policy for the TGC cookie

  • tgc_cookie_pin_to_session (Boolean) (defaults to: true)

    If true the TGC cookie is pined to the users IP address and user agent

  • webflow_signing_key (Optional[String[1]]) (defaults to: undef)

    the webflow signing key

  • webflow_encryption_key (Optional[String[1]]) (defaults to: undef)

    the webflow encyption key

  • enable_u2f (Boolean) (defaults to: true)

    If to enable u2f

  • u2f_signing_key (Optional[String[1]]) (defaults to: undef)

    the utf signing key

  • u2f_encryption_key (Optional[String[1]]) (defaults to: undef)

    the utf encyption key

  • web_authn_signing_key (Optional[String[1]]) (defaults to: undef)

    the utf signing key

  • web_authn_encryption_key (Optional[String[1]]) (defaults to: undef)

    the utf encyption key

  • oauth_crypto_signing_key (Optional[String[1]]) (defaults to: undef)

    the utf signing key

  • oauth_crypto_encryption_key (Optional[String[1]]) (defaults to: undef)

    the utf encyption key

  • oauth_token_signing_key (Optional[String[1]]) (defaults to: undef)

    the utf signing key

  • oauth_token_encryption_key (Optional[String[1]]) (defaults to: undef)

    the utf encyption key

  • spring_username (String[1]) (defaults to: 'casuser')

    spring.security.user.name

  • spring_password (Optional[String[1]]) (defaults to: undef)

    spring.security.user.password

  • keystore_source (Optional[Stdlib::Filesource]) (defaults to: undef)

    the keystore source location. only one of keystore_source and keystore_content can be presetn

  • keystore_content (Optional[String[1]]) (defaults to: undef)

    the keystore content. only one of keystore_source and keystore_content can be presetn

  • max_session_length (Integer[60,604800]) (defaults to: 604800)
  • max_rememberme_session_length (Integer[60,604800]) (defaults to: $max_session_length)
  • session_inactivity_timeout (Integer[60,86400]) (defaults to: 3600)
  • groovy_source (Optional[Stdlib::Filesource]) (defaults to: undef)

    source of groovy authentication script

  • prometheus_nodes (Array[Stdlib::Host]) (defaults to: [])

    list of preometheus nodes

  • actuators (Array[String]) (defaults to: [])

    list of actuators

  • base_dir (Stdlib::Unixpath) (defaults to: '/etc/cas')

    base directory for config

  • log_dir (Stdlib::Unixpath) (defaults to: '/var/log/cas')

    logging directory

  • tomcat_basedir (Stdlib::Unixpath) (defaults to: "${log_dir}/tomcat")

    tomecat base directory

  • keystore_path (Stdlib::Unixpath) (defaults to: "${base_dir}/thekeystore")

    path to store the keystore

  • keystore_password (String[1]) (defaults to: 'changeit')

    keystore password

  • key_password (String[1]) (defaults to: 'changeit')

    key password

  • server_name (Stdlib::HTTPSUrl) (defaults to: "https://${facts['networking']['fqdn']}:8443")

    the location of the idp site

  • server_port (Stdlib::Port) (defaults to: 8443)

    port cas will listen on

  • server_prefix (Stdlib::Unixpath) (defaults to: '/cas')

    URL path cas app will be deployed to

  • server_enable_ssl (Boolean) (defaults to: true)

    if ssl is enabled

  • tomcat_proxy (Boolean) (defaults to: false)

    if using external tomecat proxy

  • enable_ldap (Boolean) (defaults to: true)

    configure cas to authenticate agains ldap

  • ldap_attribute_list (Array[String[1]]) (defaults to: ['cn', 'memberOf', 'mail'])

    list of ldap attributes to fetch

  • ldap_uris (Array[Apereo_cas::LDAPUri]) (defaults to: [])

    list of ldap uris to use for authentication

  • ldap_auth (Apereo_cas::Ldapauth) (defaults to: 'AUTHENTICATED')

    ldap authentication method to use

  • ldap_connection (Apereo_cas::Ldapconnection) (defaults to: 'ACTIVE_PASSIVE')

    ldap connection type to maintain

  • ldap_start_tls (Boolean) (defaults to: true)

    use STARTLS for ldap connections

  • ldap_base_dn (String) (defaults to: 'dc=example,dc=org')

    ldap base dn

  • ldap_group_cn (String) (defaults to: 'ou=groups')

    ldap groups cn

  • ldap_search_filter (String) (defaults to: 'cn={user}')

    ldap filter to use when searching useres

  • ldap_bind_dn (String) (defaults to: 'cn=user,dc=example,dc=org')

    bind dn to use to search ldap

  • ldap_bind_pass (String) (defaults to: 'changeme')

    bind password to use to search ldap

  • log_level (Wmflib::Syslog::Level::Log4j) (defaults to: 'WARN')

    log level to configure

  • daemon_user (String) (defaults to: 'cas')

    system useres used to run the daemon

  • services (Hash[String, Hash]) (defaults to: {})

    list of trusted services

  • java_opts (Optional[String[1]]) (defaults to: undef)

    java options

  • memcached_enable (Boolean) (defaults to: false)

    if we should use memcached

  • memcached_port (Stdlib::Port) (defaults to: 11211)

    memcached port

  • memcached_server (Stdlib::Host) (defaults to: 'localhost')

    memcached address

  • memcached_transcoder (Apereo_cas::Memcached::Transcoder) (defaults to: 'KRYO')

    memcached encoder to use

  • u2f_jpa_enable (Boolean) (defaults to: false)

    use JPA for utf token storage

  • u2f_jpa_username (String) (defaults to: 'cas')

    u2f JPA username

  • u2f_jpa_password (String) (defaults to: 'changeme')

    u2f JPA password

  • u2f_jpa_server (String) (defaults to: '127.0.0.1')

    u2f JPA server

  • u2f_jpa_db (String) (defaults to: 'cas')

    u2f JPA database name

  • u2f_token_expiry_days (Optional[Integer]) (defaults to: undef)

    number of days of inactivity before u2f tokens are automatically removed

  • enable_cors (Boolean) (defaults to: false)

    Enable CORS protection

  • cors_allow_credentials (Boolean) (defaults to: false)

    if we shuold allow authentication credentials with CORS

  • cors_allowed_origins (Array[Stdlib::HTTPSUrl]) (defaults to: [])

    list of origins allowed to use CORS

  • cors_allowed_headers (Array[String]) (defaults to: [])

    list of headers allowed to in CORS requests

  • cors_allowed_methods (Array[Wmflib::HTTP::Method]) (defaults to: ['GET'])

    list of methods allowed with CORS

  • delegated_authenticators (Array[Apereo_cas::Delegate]) (defaults to: [])

    list of delegated authenticators

  • oidc_issuers_pattern (String) (defaults to: 'a^')

    defines the regular expression pattern that is matched against the calculated issuer from the request.

  • oidc_id_token_claims (Boolean) (defaults to: false)


73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
# File 'modules/apereo_cas/manifests/init.pp', line 73

class apereo_cas (
    Array[Stdlib::Fqdn]               $idp_nodes,
    Optional[String[1]]               $tgc_signing_key               = undef,
    Optional[String[1]]               $tgc_encryption_key            = undef,
    Wmflib::HTTP::SameSite            $tgc_cookie_same_site          = 'none',
    Boolean                           $tgc_cookie_pin_to_session     = true,
    Optional[String[1]]               $webflow_signing_key           = undef,
    Optional[String[1]]               $webflow_encryption_key        = undef,
    Boolean                           $enable_u2f                    = true,
    Optional[String[1]]               $u2f_signing_key               = undef,
    Optional[String[1]]               $u2f_encryption_key            = undef,
    Optional[String[1]]               $web_authn_signing_key         = undef,
    Optional[String[1]]               $web_authn_encryption_key      = undef,
    Optional[String[1]]               $oauth_crypto_signing_key      = undef,
    Optional[String[1]]               $oauth_crypto_encryption_key   = undef,
    Optional[String[1]]               $oauth_token_signing_key       = undef,
    Optional[String[1]]               $oauth_token_encryption_key    = undef,
    String[1]                         $spring_username               = 'casuser',
    Optional[String[1]]               $spring_password               = undef,
    Optional[Stdlib::Filesource]      $keystore_source               = undef,
    Optional[String[1]]               $keystore_content              = undef,
    Integer[60,604800]                $max_session_length            = 604800,
    Integer[60,604800]                $max_rememberme_session_length = $max_session_length,
    Integer[60,86400]                 $session_inactivity_timeout    = 3600,
    Optional[Stdlib::Filesource]      $groovy_source                 = undef,
    Array[Stdlib::Host]               $prometheus_nodes              = [],
    Array[String]                     $actuators                     = [],
    Stdlib::Unixpath                  $base_dir                      = '/etc/cas',
    Stdlib::Unixpath                  $log_dir                       = '/var/log/cas',
    Stdlib::Unixpath                  $tomcat_basedir                = "${log_dir}/tomcat",
    Stdlib::Unixpath                  $keystore_path                 = "${base_dir}/thekeystore",
    String[1]                         $keystore_password             = 'changeit',
    String[1]                         $key_password                  = 'changeit',
    Stdlib::HTTPSUrl                  $server_name                   = "https://${facts['networking']['fqdn']}:8443",
    Stdlib::Port                      $server_port                   = 8443,
    Stdlib::Unixpath                  $server_prefix                 = '/cas',
    Boolean                           $server_enable_ssl             = true,
    Boolean                           $tomcat_proxy                  = false,
    Boolean                           $enable_ldap                   = true,
    Array[String[1]]                  $ldap_attribute_list           = ['cn', 'memberOf', 'mail'],
    Array[Apereo_cas::LDAPUri]        $ldap_uris                     = [],
    Apereo_cas::Ldapauth              $ldap_auth                     = 'AUTHENTICATED',
    Apereo_cas::Ldapconnection        $ldap_connection               = 'ACTIVE_PASSIVE',
    Boolean                           $ldap_start_tls                = true,
    String                            $ldap_base_dn                  = 'dc=example,dc=org',
    String                            $ldap_group_cn                 = 'ou=groups',
    String                            $ldap_search_filter            = 'cn={user}',
    String                            $ldap_bind_dn                  = 'cn=user,dc=example,dc=org',
    String                            $ldap_bind_pass                = 'changeme',
    Wmflib::Syslog::Level::Log4j      $log_level                     = 'WARN',
    String                            $daemon_user                   = 'cas',
    Hash[String, Hash]                $services                      = {},
    Optional[String[1]]               $java_opts                     = undef,
    Boolean                           $memcached_enable              = false,
    Stdlib::Port                      $memcached_port                = 11211,
    Stdlib::Host                      $memcached_server              = 'localhost',
    Apereo_cas::Memcached::Transcoder $memcached_transcoder          = 'KRYO',
    Boolean                           $u2f_jpa_enable                = false,
    String                            $u2f_jpa_username              = 'cas',
    String                            $u2f_jpa_password              = 'changeme',
    String                            $u2f_jpa_server                = '127.0.0.1',
    String                            $u2f_jpa_db                    = 'cas',
    Optional[Integer]                 $u2f_token_expiry_days         = undef,
    String                            $oidc_issuers_pattern          = 'a^',
    Boolean                           $oidc_id_token_claims          = false,
    Boolean                           $enable_cors                   = false,
    Boolean                           $cors_allow_credentials        = false,
    Array[Stdlib::HTTPSUrl]           $cors_allowed_origins          = [],
    Array[String]                     $cors_allowed_headers          = [],
    # TODO: switch to Stdlib::Http::Method
    # https://github.com/puppetlabs/puppetlabs-stdlib/pull/1192
    Array[Wmflib::HTTP::Method]       $cors_allowed_methods          = ['GET'],
    Array[Apereo_cas::Delegate]       $delegated_authenticators      = [],
) {
    if $keystore_source == undef and $keystore_content == undef and $server_enable_ssl {
        fail('you must provide either $keystore_source or $keystore_content')
    }
    if $keystore_source and $keystore_content {
        fail('you cannot provide $keystore_source and $keystore_content')
    }
    $config_dir = "${base_dir}/config"
    $services_dir = "${base_dir}/services"

    ensure_packages(['cas', 'python3-memcache'])

    $groovy_file = '/etc/cas/global_principal_attribute_predicate.groovy'
    if $groovy_source {
        file{$groovy_file:
            source => $groovy_source,
        }
    }
    file{$config_dir:
        ensure => directory,
        owner  => $daemon_user,
    }
    file{$services_dir:
        ensure  => directory,
        recurse => true,
        purge   => true,
    }
    file{[$base_dir, $log_dir]:
        ensure  => directory,
        owner   => $daemon_user,
        mode    => '0600',
        recurse => true,
    }
    file {"${config_dir}/cas.properties":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/cas.properties.erb'),
    }
    file {"${config_dir}/log4j2.xml":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/log4j2.xml.erb'),
    }
    $keystore_ensure = $server_enable_ssl ? {
        true    => file,
        default => absent,
    }
    file {$keystore_path:
        ensure  => $keystore_ensure,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => $keystore_content,
        source  => $keystore_source,
    }

    # /usr/bin/memcdump is needed by memcached-dump tool
    ensure_packages('libmemcached-tools')

    file { '/usr/local/sbin/memcached-dump':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/memcached-dump.py',
    }

    file { '/usr/local/sbin/return-tgt-for-user':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/return-tgt-for-user.py',
    }
    file { '/usr/local/sbin/cas-remove-u2f':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/cas_remove_u2f.py',
    }

    $services.each |String $service, Hash $config| {
        apereo_cas::service {$service:
            * => $config,
        }
    }
}