Puppet Class: apereo_cas

Defined in:: modules/apereo_cas/manifests/init.pp

Summary

Class to configure Apero CAS

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

idp_nodes (Array[Stdlib::Fqdn]) —

list of idp nodes
tgc_signing_key (Optional[String[1]]) (defaults to: undef) —

the tgc signing key
tgc_encryption_key (Optional[String[1]]) (defaults to: undef) —

the tgc encyption key
tgc_cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: 'none') —

set the SameSite policy for the TGC cookie
tgc_cookie_pin_to_session (Boolean) (defaults to: true) —

If true the TGC cookie is pined to the users IP address and user agent
webflow_signing_key (Optional[String[1]]) (defaults to: undef) —

the webflow signing key
webflow_encryption_key (Optional[String[1]]) (defaults to: undef) —

the webflow encyption key
enable_u2f (Boolean) (defaults to: true) —

If to enable u2f
u2f_signing_key (Optional[String[1]]) (defaults to: undef) —

the utf signing key
u2f_encryption_key (Optional[String[1]]) (defaults to: undef) —

the utf encyption key
web_authn_signing_key (Optional[String[1]]) (defaults to: undef) —

the utf signing key
web_authn_encryption_key (Optional[String[1]]) (defaults to: undef) —

the utf encyption key
oauth_crypto_signing_key (Optional[String[1]]) (defaults to: undef) —

the utf signing key
oauth_crypto_encryption_key (Optional[String[1]]) (defaults to: undef) —

the utf encyption key
oauth_token_signing_key (Optional[String[1]]) (defaults to: undef) —

the utf signing key
oauth_token_encryption_key (Optional[String[1]]) (defaults to: undef) —

the utf encyption key
spring_username (String[1]) (defaults to: 'casuser') —

spring.security.user.name
spring_password (Optional[String[1]]) (defaults to: undef) —

spring.security.user.password
keystore_source (Optional[Stdlib::Filesource]) (defaults to: undef) —

the keystore source location. only one of keystore_source and keystore_content can be presetn
keystore_content (Optional[String[1]]) (defaults to: undef) —

the keystore content. only one of keystore_source and keystore_content can be presetn
max_session_length (Integer[60,604800]) (defaults to: 604800) —

maximum session length in seconds. wikitech.wikimedia.org/wiki/CAS-SSO/Administration#Session_timeout_handling
max_rememberme_session_length (Integer[60,604800]) (defaults to: $max_session_length) —

maximum rember me session length: wikitech.wikimedia.org/wiki/CAS-SSO/Administration#Session_timeout_handling
session_inactivity_timeout (Integer[60,86400]) (defaults to: 3600) —

session inactivity time out wikitech.wikimedia.org/wiki/CAS-SSO/Administration#Session_timeout_handling
groovy_source (Optional[Stdlib::Filesource]) (defaults to: undef) —

source of groovy authentication script
prometheus_nodes (Array[Stdlib::Host]) (defaults to: []) —

list of preometheus nodes
actuators (Array[String]) (defaults to: []) —

list of actuators
base_dir (Stdlib::Unixpath) (defaults to: '/etc/cas') —

base directory for config
log_dir (Stdlib::Unixpath) (defaults to: '/var/log/cas') —

logging directory
tomcat_basedir (Stdlib::Unixpath) (defaults to: "${log_dir}/tomcat") —

tomecat base directory
keystore_path (Stdlib::Unixpath) (defaults to: "${base_dir}/thekeystore") —

path to store the keystore
keystore_password (String[1]) (defaults to: 'changeit') —

keystore password
key_password (String[1]) (defaults to: 'changeit') —

key password
server_name (Stdlib::HTTPSUrl) (defaults to: "https://${facts['networking']['fqdn']}:8443") —

the location of the idp site
server_port (Stdlib::Port) (defaults to: 8443) —

port cas will listen on
server_prefix (Stdlib::Unixpath) (defaults to: '/cas') —

URL path cas app will be deployed to
server_enable_ssl (Boolean) (defaults to: true) —

if ssl is enabled
tomcat_proxy (Boolean) (defaults to: false) —

if using external tomecat proxy
enable_ldap (Boolean) (defaults to: true) —

configure cas to authenticate agains ldap
ldap_attribute_list (Array[String[1]]) (defaults to: ['cn', 'memberOf', 'mail']) —

list of ldap attributes to fetch
ldap_uris (Array[Apereo_cas::LDAPUri]) (defaults to: []) —

list of ldap uris to use for authentication
ldap_auth (Apereo_cas::Ldapauth) (defaults to: 'AUTHENTICATED') —

ldap authentication method to use
ldap_connection (Apereo_cas::Ldapconnection) (defaults to: 'ACTIVE_PASSIVE') —

ldap connection type to maintain
ldap_start_tls (Boolean) (defaults to: true) —

use STARTLS for ldap connections
ldap_base_dn (String) (defaults to: 'dc=example,dc=org') —

ldap base dn
ldap_group_cn (String) (defaults to: 'ou=groups') —

ldap groups cn
ldap_search_filter (String) (defaults to: 'cn={user}') —

ldap filter to use when searching useres
ldap_bind_dn (String) (defaults to: 'cn=user,dc=example,dc=org') —

bind dn to use to search ldap
ldap_bind_pass (String) (defaults to: 'changeme') —

bind password to use to search ldap
log_level (Wmflib::Syslog::Level::Log4j) (defaults to: 'WARN') —

log level to configure
daemon_user (String) (defaults to: 'cas') —

system useres used to run the daemon
services (Hash[String, Hash]) (defaults to: {}) —

list of trusted services
java_opts (Optional[String[1]]) (defaults to: undef) —

java options
memcached_enable (Boolean) (defaults to: false) —

if we should use memcached
memcached_port (Stdlib::Port) (defaults to: 11211) —

memcached port
memcached_server (Stdlib::Host) (defaults to: 'localhost') —

memcached address
memcached_transcoder (Apereo_cas::Memcached::Transcoder) (defaults to: 'KRYO') —

memcached encoder to use
u2f_jpa_enable (Boolean) (defaults to: false) —

use JPA for utf token storage
u2f_jpa_username (String) (defaults to: 'cas') —

u2f JPA username
u2f_jpa_password (String) (defaults to: 'changeme') —

u2f JPA password
u2f_jpa_server (String) (defaults to: '127.0.0.1') —

u2f JPA server
u2f_jpa_db (String) (defaults to: 'cas') —

u2f JPA database name
u2f_token_expiry_days (Optional[Integer]) (defaults to: undef) —

number of days of inactivity before u2f tokens are automatically removed
enable_cors (Boolean) (defaults to: false) —

Enable CORS protection
cors_allow_credentials (Boolean) (defaults to: false) —

if we shuold allow authentication credentials with CORS
cors_allowed_origins (Array[Stdlib::HTTPSUrl]) (defaults to: []) —

list of origins allowed to use CORS
cors_allowed_headers (Array[String]) (defaults to: []) —

list of headers allowed to in CORS requests
cors_allowed_methods (Array[Wmflib::HTTP::Method]) (defaults to: ['GET']) —

list of methods allowed with CORS
delegated_authenticators (Array[Apereo_cas::Delegate]) (defaults to: []) —

list of delegated authenticators
oidc_issuers_pattern (String) (defaults to: 'a^') —

defines the regular expression pattern that is matched against the calculated issuer from the request.
oidc_id_token_claims (Boolean) (defaults to: false) —

weather to support id token claims
enable_webauthn (Boolean) (defaults to: false) —

Whether to enable WebAuthN support or not
webauthn_relaying_party (Stdlib::Fqdn) (defaults to: 'example.org') —

The relying party ID to be used for WebAuthN

# File 'modules/apereo_cas/manifests/init.pp', line 76

class apereo_cas (
    Array[Stdlib::Fqdn]               $idp_nodes,
    Optional[String[1]]               $tgc_signing_key               = undef,
    Optional[String[1]]               $tgc_encryption_key            = undef,
    Wmflib::HTTP::SameSite            $tgc_cookie_same_site          = 'none',
    Boolean                           $tgc_cookie_pin_to_session     = true,
    Optional[String[1]]               $webflow_signing_key           = undef,
    Optional[String[1]]               $webflow_encryption_key        = undef,
    Boolean                           $enable_u2f                    = true,
    Optional[String[1]]               $u2f_signing_key               = undef,
    Optional[String[1]]               $u2f_encryption_key            = undef,
    Optional[String[1]]               $web_authn_signing_key         = undef,
    Optional[String[1]]               $web_authn_encryption_key      = undef,
    Optional[String[1]]               $oauth_crypto_signing_key      = undef,
    Optional[String[1]]               $oauth_crypto_encryption_key   = undef,
    Optional[String[1]]               $oauth_token_signing_key       = undef,
    Optional[String[1]]               $oauth_token_encryption_key    = undef,
    String[1]                         $spring_username               = 'casuser',
    Optional[String[1]]               $spring_password               = undef,
    Optional[Stdlib::Filesource]      $keystore_source               = undef,
    Optional[String[1]]               $keystore_content              = undef,
    Integer[60,604800]                $max_session_length            = 604800,
    Integer[60,604800]                $max_rememberme_session_length = $max_session_length,
    Integer[60,86400]                 $session_inactivity_timeout    = 3600,
    Optional[Stdlib::Filesource]      $groovy_source                 = undef,
    Array[Stdlib::Host]               $prometheus_nodes              = [],
    Array[String]                     $actuators                     = [],
    Stdlib::Unixpath                  $base_dir                      = '/etc/cas',
    Stdlib::Unixpath                  $log_dir                       = '/var/log/cas',
    Stdlib::Unixpath                  $tomcat_basedir                = "${log_dir}/tomcat",
    Stdlib::Unixpath                  $keystore_path                 = "${base_dir}/thekeystore",
    String[1]                         $keystore_password             = 'changeit',
    String[1]                         $key_password                  = 'changeit',
    Stdlib::HTTPSUrl                  $server_name                   = "https://${facts['networking']['fqdn']}:8443",
    Stdlib::Port                      $server_port                   = 8443,
    Stdlib::Unixpath                  $server_prefix                 = '/cas',
    Boolean                           $server_enable_ssl             = true,
    Boolean                           $tomcat_proxy                  = false,
    Boolean                           $enable_ldap                   = true,
    Array[String[1]]                  $ldap_attribute_list           = ['cn', 'memberOf', 'mail'],
    Array[Apereo_cas::LDAPUri]        $ldap_uris                     = [],
    Apereo_cas::Ldapauth              $ldap_auth                     = 'AUTHENTICATED',
    Apereo_cas::Ldapconnection        $ldap_connection               = 'ACTIVE_PASSIVE',
    Boolean                           $ldap_start_tls                = true,
    String                            $ldap_base_dn                  = 'dc=example,dc=org',
    String                            $ldap_group_cn                 = 'ou=groups',
    String                            $ldap_search_filter            = 'cn={user}',
    String                            $ldap_bind_dn                  = 'cn=user,dc=example,dc=org',
    String                            $ldap_bind_pass                = 'changeme',
    Wmflib::Syslog::Level::Log4j      $log_level                     = 'WARN',
    String                            $daemon_user                   = 'cas',
    Hash[String, Hash]                $services                      = {},
    Optional[String[1]]               $java_opts                     = undef,
    Boolean                           $memcached_enable              = false,
    Stdlib::Port                      $memcached_port                = 11211,
    Stdlib::Host                      $memcached_server              = 'localhost',
    Apereo_cas::Memcached::Transcoder $memcached_transcoder          = 'KRYO',
    Boolean                           $u2f_jpa_enable                = false,
    String                            $u2f_jpa_username              = 'cas',
    String                            $u2f_jpa_password              = 'changeme',
    String                            $u2f_jpa_server                = '127.0.0.1',
    String                            $u2f_jpa_db                    = 'cas',
    Optional[Integer]                 $u2f_token_expiry_days         = undef,
    String                            $oidc_issuers_pattern          = 'a^',
    Boolean                           $oidc_id_token_claims          = false,
    Boolean                           $enable_cors                   = false,
    Boolean                           $cors_allow_credentials        = false,
    Array[Stdlib::HTTPSUrl]           $cors_allowed_origins          = [],
    Array[String]                     $cors_allowed_headers          = [],
    # TODO: switch to Stdlib::Http::Method
    # https://github.com/puppetlabs/puppetlabs-stdlib/pull/1192
    Array[Wmflib::HTTP::Method]       $cors_allowed_methods          = ['GET'],
    Array[Apereo_cas::Delegate]       $delegated_authenticators      = [],
    Boolean                           $enable_webauthn               = false,
    Stdlib::Fqdn                      $webauthn_relaying_party       = 'example.org',
) {
    if $keystore_source == undef and $keystore_content == undef and $server_enable_ssl {
        fail('you must provide either $keystore_source or $keystore_content')
    }
    if $keystore_source and $keystore_content {
        fail('you cannot provide $keystore_source and $keystore_content')
    }
    $config_dir = "${base_dir}/config"
    $services_dir = "${base_dir}/services"

    ensure_packages(['cas', 'python3-memcache'])

    $groovy_file = '/etc/cas/global_principal_attribute_predicate.groovy'
    if $groovy_source {
        file { $groovy_file:
            source => $groovy_source,
        }
    }
    file { $config_dir:
        ensure => directory,
        owner  => $daemon_user,
    }
    file { $services_dir:
        ensure  => directory,
        recurse => true,
        purge   => true,
    }
    file { [$base_dir, $log_dir]:
        ensure => directory,
        owner  => $daemon_user,
        mode   => '0600',
    }
    $prometheus_ips = $prometheus_nodes.map |$node| { dnsquery::lookup($node) }.flatten
    $idp_ips = $idp_nodes.map |$node| { dnsquery::lookup($node) }.flatten
    file { "${config_dir}/cas.properties":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/cas.properties.erb'),
    }
    file { "${config_dir}/log4j2.xml":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/log4j2.xml.erb'),
    }
    $keystore_ensure = $server_enable_ssl ? {
        true    => file,
        default => absent,
    }
    file { $keystore_path:
        ensure  => $keystore_ensure,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => $keystore_content,
        source  => $keystore_source,
    }

    # /usr/bin/memcdump is needed by memcached-dump tool
    ensure_packages('libmemcached-tools')

    file { '/usr/local/sbin/memcached-dump':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/memcached-dump.py',
    }

    file { '/usr/local/sbin/return-tgt-for-user':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/return-tgt-for-user.py',
    }
    file { '/usr/local/sbin/cas-remove-u2f':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/cas_remove_u2f.py',
    }

    $services.each |String $service, Hash $config| {
        apereo_cas::service { $service:
            * => $config,
        }
    }
}