Puppet Class: apereo_cas

Defined in:
modules/apereo_cas/manifests/init.pp

Overview

Parameters:

  • idp_nodes (Array[Stdlib::Fqdn])
  • tgc_signing_key (Optional[String[1]]) (defaults to: undef)
  • tgc_encryption_key (Optional[String[1]]) (defaults to: undef)
  • webflow_signing_key (Optional[String[1]]) (defaults to: undef)
  • webflow_encryption_key (Optional[String[1]]) (defaults to: undef)
  • enable_u2f (Boolean) (defaults to: true)
  • u2f_signing_key (Optional[String[1]]) (defaults to: undef)
  • u2f_encryption_key (Optional[String[1]]) (defaults to: undef)
  • enable_totp (Boolean) (defaults to: false)
  • totp_signing_key (Optional[String[1]]) (defaults to: undef)
  • totp_encryption_key (Optional[String[1]]) (defaults to: undef)
  • keystore_source (Optional[Stdlib::Filesource]) (defaults to: undef)
  • keystore_content (Optional[String[1]]) (defaults to: undef)
  • max_session_length (Integer[60,604800]) (defaults to: 604800)
  • max_rememberme_session_length (Integer[60,604800]) (defaults to: $max_session_length)
  • session_inactivity_timeout (Integer[60,86400]) (defaults to: 3600)
  • groovy_source (Optional[Stdlib::Filesource]) (defaults to: undef)
  • prometheus_nodes (Optional[Array[Stdlib::Host]]) (defaults to: [])
  • actuators (Optional[Array[String]]) (defaults to: [])
  • base_dir (Stdlib::Unixpath) (defaults to: '/etc/cas')
  • log_dir (Stdlib::Unixpath) (defaults to: '/var/log/cas')
  • tomcat_basedir (Stdlib::Unixpath) (defaults to: "${log_dir}/tomcat")
  • keystore_path (Stdlib::Unixpath) (defaults to: "${base_dir}/thekeystore")
  • keystore_password (String[1]) (defaults to: 'changeit')
  • key_password (String[1]) (defaults to: 'changeit')
  • server_name (Stdlib::HTTPSUrl) (defaults to: "https://${facts['fqdn']}:8443")
  • server_port (Stdlib::Port) (defaults to: 8443)
  • server_prefix (Stdlib::Unixpath) (defaults to: '/cas')
  • server_enable_ssl (Boolean) (defaults to: true)
  • tomcat_proxy (Boolean) (defaults to: false)
  • enable_ldap (Boolean) (defaults to: true)
  • ldap_attribute_list (Array[String[1]]) (defaults to: ['cn', 'memberOf', 'mail'])
  • ldap_uris (Array[Apereo_cas::LDAPUri]) (defaults to: [])
  • ldap_auth (Apereo_cas::Ldapauth) (defaults to: 'AUTHENTICATED')
  • ldap_connection (Apereo_cas::Ldapconnection) (defaults to: 'ACTIVE_PASSIVE')
  • ldap_start_tls (Boolean) (defaults to: true)
  • ldap_base_dn (String) (defaults to: 'dc=example,dc=org')
  • ldap_group_cn (String) (defaults to: 'ou=groups')
  • ldap_search_filter (String) (defaults to: 'cn={user}')
  • ldap_bind_dn (String) (defaults to: 'cn=user,dc=example,dc=org')
  • ldap_bind_pass (String) (defaults to: 'changeme')
  • log_level (Apereo_cas::LogLevel) (defaults to: 'WARN')
  • enable_mfa (Boolean) (defaults to: true)
  • mfa_attribute_trigger (String) (defaults to: 'memberOf')
  • mfa_attribut_value (Array[String[1]]) (defaults to: ['mfa'])
  • daemon_user (String) (defaults to: 'cas')
  • services (Hash[String, Hash]) (defaults to: {})
  • java_opts (Optional[String[1]]) (defaults to: undef)
  • memcached_enable (Boolean) (defaults to: false)
  • memcached_port (Stdlib::Port) (defaults to: 11211)
  • memcached_server (Stdlib::Host) (defaults to: 'localhost')
  • memcached_transcoder (Apereo_cas::Memcached::Transcoder) (defaults to: 'KRYO')
  • u2f_jpa_enable (Boolean) (defaults to: false)
  • u2f_jpa_username (String) (defaults to: 'cas')
  • u2f_jpa_password (String) (defaults to: 'changeme')
  • u2f_jpa_server (String) (defaults to: '127.0.0.1')
  • u2f_jpa_db (String) (defaults to: 'cas')
  • u2f_token_expiry_days (Optional[Integer]) (defaults to: undef)
  • enable_cors (Boolean) (defaults to: false)
  • cors_allow_credentials (Boolean) (defaults to: false)
  • cors_allowed_origins (Array[Stdlib::HTTPSUrl]) (defaults to: [])
  • cors_allowed_headers (Array[String]) (defaults to: [])
  • cors_allowed_methods (Array[Wmflib::HTTP::Method]) (defaults to: ['GET'])
  • delegated_authenticators (Array[Apereo_cas::Delegate]) (defaults to: [])


# File 'modules/apereo_cas/manifests/init.pp', line 2

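# @summary Installs and configures an Apereo CAS server: the CAS package,
#   its config directory, the rendered cas.properties / log4j2.xml, the TLS
#   keystore, three operator helper scripts and one apereo_cas::service
#   resource per entry in $services.
#
# Only the parameters mentioned in the resource bodies below are referenced
# directly in this manifest. All other parameters are presumably consumed by
# the two templates rendered here (cas.properties.erb and log4j2.xml.erb),
# which are not part of this listing; descriptions tagged "(template)" are
# derived from the parameter name only and should be confirmed against the
# templates.
#
# The defaults for $keystore_password, $key_password, $ldap_bind_pass and
# $u2f_jpa_password are placeholders ('changeit' / 'changeme'). They are not
# safe for any real deployment and are expected to be overridden from
# private data.
#
# @param idp_nodes FQDNs of the IdP nodes (template).
# @param tgc_signing_key Optional key material (template).
# @param tgc_encryption_key Optional key material (template).
# @param webflow_signing_key Optional key material (template).
# @param webflow_encryption_key Optional key material (template).
# @param enable_u2f Toggle (template).
# @param u2f_signing_key Optional key material (template).
# @param u2f_encryption_key Optional key material (template).
# @param enable_totp Toggle (template).
# @param totp_signing_key Optional key material (template).
# @param totp_encryption_key Optional key material (template).
# @param keystore_source Puppet file source for the keystore. Exactly one of
#   $keystore_source / $keystore_content is required when $server_enable_ssl
#   is true; giving both is an error.
# @param keystore_content Literal keystore content; see $keystore_source.
# @param max_session_length Seconds, 60..604800 (template).
# @param max_rememberme_session_length Seconds, defaults to
#   $max_session_length (template).
# @param session_inactivity_timeout Seconds, 60..86400 (template).
# @param groovy_source Optional file source; when set, the file
#   /etc/cas/global_principal_attribute_predicate.groovy is managed from it.
# @param prometheus_nodes Host list (template).
# @param actuators String list (template).
# @param base_dir Root of the CAS configuration tree; owned by $daemon_user
#   and managed recursively.
# @param log_dir Log directory; owned by $daemon_user and managed recursively.
# @param tomcat_basedir Path under $log_dir by default (template).
# @param keystore_path Where the keystore file is written (or removed when
#   SSL is disabled).
# @param keystore_password Placeholder default 'changeit' (template).
# @param key_password Placeholder default 'changeit' (template).
# @param server_name HTTPS URL (template).
# @param server_port TCP port (template).
# @param server_prefix URL path prefix (template).
# @param server_enable_ssl When false the keystore is not required and the
#   file at $keystore_path is ensured absent.
# @param tomcat_proxy Toggle (template).
# @param enable_ldap Toggle (template).
# @param ldap_attribute_list Attribute names (template).
# @param ldap_uris LDAP URIs (template).
# @param ldap_auth Auth mode (template).
# @param ldap_connection Connection strategy (template).
# @param ldap_start_tls Toggle (template).
# @param ldap_base_dn DN string (template).
# @param ldap_group_cn RDN string (template).
# @param ldap_search_filter Filter string (template).
# @param ldap_bind_dn DN string (template).
# @param ldap_bind_pass Placeholder default 'changeme' (template).
# @param log_level Log level (template).
# @param enable_mfa Toggle (template).
# @param mfa_attribute_trigger Attribute name (template).
# @param mfa_attribut_value Attribute values; the name's spelling is part of
#   the public interface and is kept as-is (template).
# @param daemon_user Owner of $base_dir, $log_dir and the rendered config files.
# @param services One apereo_cas::service resource is declared per key, with
#   the value hash splatted as its attributes.
# @param java_opts Optional string (template).
# @param memcached_enable Toggle (template). Note that the python3-memcache
#   package and the memcached-dump helper are installed regardless.
# @param memcached_port TCP port (template).
# @param memcached_server Host (template).
# @param memcached_transcoder Transcoder name (template).
# @param u2f_jpa_enable Toggle (template).
# @param u2f_jpa_username String (template).
# @param u2f_jpa_password Placeholder default 'changeme' (template).
# @param u2f_jpa_server String (template).
# @param u2f_jpa_db String (template).
# @param u2f_token_expiry_days Optional integer (template).
# @param enable_cors Toggle (template).
# @param cors_allow_credentials Toggle (template).
# @param cors_allowed_origins HTTPS URLs (template).
# @param cors_allowed_headers Header names (template).
# @param cors_allowed_methods HTTP methods (template).
# @param delegated_authenticators Delegate definitions (template).
class apereo_cas (
    Array[Stdlib::Fqdn]               $idp_nodes,
    Optional[String[1]]               $tgc_signing_key               = undef,
    Optional[String[1]]               $tgc_encryption_key            = undef,
    Optional[String[1]]               $webflow_signing_key           = undef,
    Optional[String[1]]               $webflow_encryption_key        = undef,
    Boolean                           $enable_u2f                    = true,
    Optional[String[1]]               $u2f_signing_key               = undef,
    Optional[String[1]]               $u2f_encryption_key            = undef,
    Boolean                           $enable_totp                   = false,
    Optional[String[1]]               $totp_signing_key              = undef,
    Optional[String[1]]               $totp_encryption_key           = undef,
    Optional[Stdlib::Filesource]      $keystore_source               = undef,
    Optional[String[1]]               $keystore_content              = undef,
    Integer[60,604800]                $max_session_length            = 604800,
    Integer[60,604800]                $max_rememberme_session_length = $max_session_length,
    Integer[60,86400]                 $session_inactivity_timeout    = 3600,
    Optional[Stdlib::Filesource]      $groovy_source                 = undef,
    Optional[Array[Stdlib::Host]]     $prometheus_nodes              = [],
    Optional[Array[String]]           $actuators                     = [],
    Stdlib::Unixpath                  $base_dir                      = '/etc/cas',
    Stdlib::Unixpath                  $log_dir                       = '/var/log/cas',
    Stdlib::Unixpath                  $tomcat_basedir                = "${log_dir}/tomcat",
    Stdlib::Unixpath                  $keystore_path                 = "${base_dir}/thekeystore",
    String[1]                         $keystore_password             = 'changeit',
    String[1]                         $key_password                  = 'changeit',
    Stdlib::HTTPSUrl                  $server_name                   = "https://${facts['fqdn']}:8443",
    Stdlib::Port                      $server_port                   = 8443,
    Stdlib::Unixpath                  $server_prefix                 = '/cas',
    Boolean                           $server_enable_ssl             = true,
    Boolean                           $tomcat_proxy                  = false,
    Boolean                           $enable_ldap                   = true,
    Array[String[1]]                  $ldap_attribute_list           = ['cn', 'memberOf', 'mail'],
    Array[Apereo_cas::LDAPUri]        $ldap_uris                     = [],
    Apereo_cas::Ldapauth              $ldap_auth                     = 'AUTHENTICATED',
    Apereo_cas::Ldapconnection        $ldap_connection               = 'ACTIVE_PASSIVE',
    Boolean                           $ldap_start_tls                = true,
    String                            $ldap_base_dn                  = 'dc=example,dc=org',
    String                            $ldap_group_cn                 = 'ou=groups',
    String                            $ldap_search_filter            = 'cn={user}',
    String                            $ldap_bind_dn                  = 'cn=user,dc=example,dc=org',
    String                            $ldap_bind_pass                = 'changeme',
    Apereo_cas::LogLevel              $log_level                     = 'WARN',
    Boolean                           $enable_mfa                    = true,
    String                            $mfa_attribute_trigger         = 'memberOf',
    Array[String[1]]                  $mfa_attribut_value            = ['mfa'],
    String                            $daemon_user                   = 'cas',
    Hash[String, Hash]                $services                      = {},
    Optional[String[1]]               $java_opts                     = undef,
    Boolean                           $memcached_enable              = false,
    Stdlib::Port                      $memcached_port                = 11211,
    Stdlib::Host                      $memcached_server              = 'localhost',
    Apereo_cas::Memcached::Transcoder $memcached_transcoder          = 'KRYO',
    Boolean                           $u2f_jpa_enable                = false,
    String                            $u2f_jpa_username              = 'cas',
    String                            $u2f_jpa_password              = 'changeme',
    String                            $u2f_jpa_server                = '127.0.0.1',
    String                            $u2f_jpa_db                    = 'cas',
    Optional[Integer]                 $u2f_token_expiry_days         = undef,
    Boolean                           $enable_cors                   = false,
    Boolean                           $cors_allow_credentials        = false,
    Array[Stdlib::HTTPSUrl]           $cors_allowed_origins          = [],
    Array[String]                     $cors_allowed_headers          = [],
    # TODO: switch to Stdlib::Http::Method
    # https://github.com/puppetlabs/puppetlabs-stdlib/pull/1192
    Array[Wmflib::HTTP::Method]       $cors_allowed_methods          = ['GET'],
    Array[Apereo_cas::Delegate]       $delegated_authenticators      = [],
) {
    # With SSL enabled exactly one keystore input must be given. With SSL
    # disabled neither is needed (the keystore file is removed below), but
    # providing both is always a catalog error because a file resource cannot
    # carry both `content` and `source`.
    if $keystore_source == undef and $keystore_content == undef and $server_enable_ssl {
        fail('you must provide either $keystore_source or $keystore_content')
    }
    if $keystore_source and $keystore_content {
        fail('you cannot provide $keystore_source and $keystore_content')
    }
    $config_dir = "${base_dir}/config"
    $services_dir = "${base_dir}/services"

    # python3-memcache backs the memcached-dump helper installed below; both
    # are installed even when $memcached_enable is false.
    ensure_packages(['cas', 'python3-memcache'])

    # NOTE(review): hard-coded to /etc/cas instead of "${base_dir}/...". Left
    # as-is because the templates (not shown) may reference this exact path;
    # confirm before parameterizing.
    $groovy_file = '/etc/cas/global_principal_attribute_predicate.groovy'
    if $groovy_source {
        file{$groovy_file:
            source => $groovy_source,
        }
    }
    file{$config_dir:
        ensure => directory,
    }
    # Unmanaged service definitions are purged so that only the entries in
    # $services survive on disk.
    file{$services_dir:
        ensure  => directory,
        recurse => true,
        purge   => true,
    }
    # 0600 applied recursively: Puppet sets the search bit on directories
    # wherever the read bit is set, so the directories themselves end up
    # 0700. Paths that have their own explicit file resource below keep the
    # attributes declared there rather than these recursive defaults.
    file{[$base_dir, $log_dir]:
        ensure  => directory,
        owner   => $daemon_user,
        mode    => '0600',
        recurse => true,
    }
    # The rendered properties file presumably carries the credentials passed
    # in above (LDAP bind password, keystore passwords); it is therefore
    # readable only by the daemon user and its content is kept out of
    # reports and noop diffs.
    file {"${config_dir}/cas.properties":
        ensure    => file,
        owner     => $daemon_user,
        group     => 'root',
        mode      => '0400',
        show_diff => false,
        content   => template('apereo_cas/cas.properties.erb'),
    }
    file {"${config_dir}/log4j2.xml":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/log4j2.xml.erb'),
    }
    # Without SSL the keystore is not merely left alone but removed, so a
    # stale keystore cannot linger after SSL is switched off.
    $keystore_ensure = $server_enable_ssl ? {
        true    => file,
        default => absent,
    }
    # Exactly one of content/source is non-undef here (see the guards at the
    # top). Keystore bytes are secret material and must not be echoed into
    # reports, hence show_diff => false.
    file {$keystore_path:
        ensure    => $keystore_ensure,
        owner     => $daemon_user,
        group     => 'root',
        mode      => '0400',
        show_diff => false,
        content   => $keystore_content,
        source    => $keystore_source,
    }

    # Operator helper scripts, root-only and executable. `ensure => file` (not
    # `present`) so a pre-existing directory or symlink at the path is
    # replaced rather than silently accepted.
    file { '/usr/local/sbin/memcached-dump':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/memcached-dump.py',
    }

    file { '/usr/local/sbin/return-tgt-for-user':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/return-tgt-for-user.py',
    }
    file { '/usr/local/sbin/cas-remove-u2f':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/cas_remove_u2f.py',
    }

    # One apereo_cas::service per entry; the value hash is splatted as the
    # resource's attributes, so each hash must only contain attributes that
    # apereo_cas::service accepts.
    $services.each |String $service, Hash $config| {
        apereo_cas::service {$service:
            * => $config
        }
    }
}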