Puppet Class: apereo_cas

Defined in:
modules/apereo_cas/manifests/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • idp_nodes (Array[Stdlib::Fqdn])

    list of idp nodes

  • tgc_signing_key (Optional[String[1]]) (defaults to: undef)

    the tgc signing key

  • tgc_encryption_key (Optional[String[1]]) (defaults to: undef)

    the tgc encyption key

  • tgc_cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: 'none')

    set the SameSite policy for the TGC cookie

  • tgc_cookie_pin_to_session (Boolean) (defaults to: true)

    If true the TGC cookie is pined to the users IP address and user agent

  • webflow_signing_key (Optional[String[1]]) (defaults to: undef)

    the webflow signing key

  • webflow_encryption_key (Optional[String[1]]) (defaults to: undef)

    the webflow encyption key

  • enable_u2f (Boolean) (defaults to: true)

    If to enable u2f

  • u2f_signing_key (Optional[String[1]]) (defaults to: undef)

    the utf signing key

  • u2f_encryption_key (Optional[String[1]]) (defaults to: undef)

    the utf encyption key

  • keystore_source (Optional[Stdlib::Filesource]) (defaults to: undef)

    the keystore source location. only one of keystore_source and keystore_content can be presetn

  • keystore_content (Optional[String[1]]) (defaults to: undef)

    the keystore content. only one of keystore_source and keystore_content can be presetn

  • max_session_length (Integer[60,604800]) (defaults to: 604800)
  • max_rememberme_session_length (Integer[60,604800]) (defaults to: $max_session_length)
  • session_inactivity_timeout (Integer[60,86400]) (defaults to: 3600)
  • groovy_source (Optional[Stdlib::Filesource]) (defaults to: undef)

    source of groovy authentication script

  • prometheus_nodes (Array[Stdlib::Host]) (defaults to: [])

    list of preometheus nodes

  • actuators (Array[String]) (defaults to: [])

    list of actuators

  • base_dir (Stdlib::Unixpath) (defaults to: '/etc/cas')

    base directory for config

  • log_dir (Stdlib::Unixpath) (defaults to: '/var/log/cas')

    logging directory

  • tomcat_basedir (Stdlib::Unixpath) (defaults to: "${log_dir}/tomcat")

    tomecat base directory

  • keystore_path (Stdlib::Unixpath) (defaults to: "${base_dir}/thekeystore")

    path to store the keystore

  • keystore_password (String[1]) (defaults to: 'changeit')

    keystore password

  • key_password (String[1]) (defaults to: 'changeit')

    key password

  • server_name (Stdlib::HTTPSUrl) (defaults to: "https://${facts['networking']['fqdn']}:8443")

    the location of the idp site

  • server_port (Stdlib::Port) (defaults to: 8443)

    port cas will listen on

  • server_prefix (Stdlib::Unixpath) (defaults to: '/cas')

    URL path cas app will be deployed to

  • server_enable_ssl (Boolean) (defaults to: true)

    if ssl is enabled

  • tomcat_proxy (Boolean) (defaults to: false)

    if using external tomecat proxy

  • enable_ldap (Boolean) (defaults to: true)

    configure cas to authenticate agains ldap

  • ldap_attribute_list (Array[String[1]]) (defaults to: ['cn', 'memberOf', 'mail'])

    list of ldap attributes to fetch

  • ldap_uris (Array[Apereo_cas::LDAPUri]) (defaults to: [])

    list of ldap uris to use for authentication

  • ldap_auth (Apereo_cas::Ldapauth) (defaults to: 'AUTHENTICATED')

    ldap authentication method to use

  • ldap_connection (Apereo_cas::Ldapconnection) (defaults to: 'ACTIVE_PASSIVE')

    ldap connection type to maintain

  • ldap_start_tls (Boolean) (defaults to: true)

    use STARTLS for ldap connections

  • ldap_base_dn (String) (defaults to: 'dc=example,dc=org')

    ldap base dn

  • ldap_group_cn (String) (defaults to: 'ou=groups')

    ldap groups cn

  • ldap_search_filter (String) (defaults to: 'cn={user}')

    ldap filter to use when searching useres

  • ldap_bind_dn (String) (defaults to: 'cn=user,dc=example,dc=org')

    bind dn to use to search ldap

  • ldap_bind_pass (String) (defaults to: 'changeme')

    bind password to use to search ldap

  • log_level (Apereo_cas::LogLevel) (defaults to: 'WARN')

    log level to configure

  • daemon_user (String) (defaults to: 'cas')

    system useres used to run the daemon

  • services (Hash[String, Hash]) (defaults to: {})

    list of trusted services

  • java_opts (Optional[String[1]]) (defaults to: undef)

    java options

  • memcached_enable (Boolean) (defaults to: false)

    if we should use memcached

  • memcached_port (Stdlib::Port) (defaults to: 11211)

    memcached port

  • memcached_server (Stdlib::Host) (defaults to: 'localhost')

    memcached address

  • memcached_transcoder (Apereo_cas::Memcached::Transcoder) (defaults to: 'KRYO')

    memcached encoder to use

  • u2f_jpa_enable (Boolean) (defaults to: false)

    use JPA for utf token storage

  • u2f_jpa_username (String) (defaults to: 'cas')

    u2f JPA username

  • u2f_jpa_password (String) (defaults to: 'changeme')

    u2f JPA password

  • u2f_jpa_server (String) (defaults to: '127.0.0.1')

    u2f JPA server

  • u2f_jpa_db (String) (defaults to: 'cas')

    u2f JPA database name

  • u2f_token_expiry_days (Optional[Integer]) (defaults to: undef)

    number of days of inactivity before u2f tokens are automatically removed

  • enable_cors (Boolean) (defaults to: false)

    Enable CORS protection

  • cors_allow_credentials (Boolean) (defaults to: false)

    if we shuold allow authentication credentials with CORS

  • cors_allowed_origins (Array[Stdlib::HTTPSUrl]) (defaults to: [])

    list of origins allowed to use CORS

  • cors_allowed_headers (Array[String]) (defaults to: [])

    list of headers allowed to in CORS requests

  • cors_allowed_methods (Array[Wmflib::HTTP::Method]) (defaults to: ['GET'])

    list of methods allowed with CORS

  • delegated_authenticators (Array[Apereo_cas::Delegate]) (defaults to: [])

    list of delegated authenticators



63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
# File 'modules/apereo_cas/manifests/init.pp', line 63

class apereo_cas (
    Array[Stdlib::Fqdn]               $idp_nodes,
    Optional[String[1]]               $tgc_signing_key               = undef,
    Optional[String[1]]               $tgc_encryption_key            = undef,
    Wmflib::HTTP::SameSite            $tgc_cookie_same_site          = 'none',
    Boolean                           $tgc_cookie_pin_to_session     = true,
    Optional[String[1]]               $webflow_signing_key           = undef,
    Optional[String[1]]               $webflow_encryption_key        = undef,
    Boolean                           $enable_u2f                    = true,
    Optional[String[1]]               $u2f_signing_key               = undef,
    Optional[String[1]]               $u2f_encryption_key            = undef,
    Optional[Stdlib::Filesource]      $keystore_source               = undef,
    Optional[String[1]]               $keystore_content              = undef,
    Integer[60,604800]                $max_session_length            = 604800,
    Integer[60,604800]                $max_rememberme_session_length = $max_session_length,
    Integer[60,86400]                 $session_inactivity_timeout    = 3600,
    Optional[Stdlib::Filesource]      $groovy_source                 = undef,
    Array[Stdlib::Host]               $prometheus_nodes              = [],
    Array[String]                     $actuators                     = [],
    Stdlib::Unixpath                  $base_dir                      = '/etc/cas',
    Stdlib::Unixpath                  $log_dir                       = '/var/log/cas',
    Stdlib::Unixpath                  $tomcat_basedir                = "${log_dir}/tomcat",
    Stdlib::Unixpath                  $keystore_path                 = "${base_dir}/thekeystore",
    String[1]                         $keystore_password             = 'changeit',
    String[1]                         $key_password                  = 'changeit',
    Stdlib::HTTPSUrl                  $server_name                   = "https://${facts['networking']['fqdn']}:8443",
    Stdlib::Port                      $server_port                   = 8443,
    Stdlib::Unixpath                  $server_prefix                 = '/cas',
    Boolean                           $server_enable_ssl             = true,
    Boolean                           $tomcat_proxy                  = false,
    Boolean                           $enable_ldap                   = true,
    Array[String[1]]                  $ldap_attribute_list           = ['cn', 'memberOf', 'mail'],
    Array[Apereo_cas::LDAPUri]        $ldap_uris                     = [],
    Apereo_cas::Ldapauth              $ldap_auth                     = 'AUTHENTICATED',
    Apereo_cas::Ldapconnection        $ldap_connection               = 'ACTIVE_PASSIVE',
    Boolean                           $ldap_start_tls                = true,
    String                            $ldap_base_dn                  = 'dc=example,dc=org',
    String                            $ldap_group_cn                 = 'ou=groups',
    String                            $ldap_search_filter            = 'cn={user}',
    String                            $ldap_bind_dn                  = 'cn=user,dc=example,dc=org',
    String                            $ldap_bind_pass                = 'changeme',
    Apereo_cas::LogLevel              $log_level                     = 'WARN',
    String                            $daemon_user                   = 'cas',
    Hash[String, Hash]                $services                      = {},
    Optional[String[1]]               $java_opts                     = undef,
    Boolean                           $memcached_enable              = false,
    Stdlib::Port                      $memcached_port                = 11211,
    Stdlib::Host                      $memcached_server              = 'localhost',
    Apereo_cas::Memcached::Transcoder $memcached_transcoder          = 'KRYO',
    Boolean                           $u2f_jpa_enable                = false,
    String                            $u2f_jpa_username              = 'cas',
    String                            $u2f_jpa_password              = 'changeme',
    String                            $u2f_jpa_server                = '127.0.0.1',
    String                            $u2f_jpa_db                    = 'cas',
    Optional[Integer]                 $u2f_token_expiry_days         = undef,
    Boolean                           $enable_cors                   = false,
    Boolean                           $cors_allow_credentials        = false,
    Array[Stdlib::HTTPSUrl]           $cors_allowed_origins          = [],
    Array[String]                     $cors_allowed_headers          = [],
    # TODO: switch to Stdlib::Http::Method
    # https://github.com/puppetlabs/puppetlabs-stdlib/pull/1192
    Array[Wmflib::HTTP::Method]       $cors_allowed_methods          = ['GET'],
    Array[Apereo_cas::Delegate]       $delegated_authenticators      = [],
) {
    if $keystore_source == undef and $keystore_content == undef and $server_enable_ssl {
        fail('you must provide either $keystore_source or $keystore_content')
    }
    if $keystore_source and $keystore_content {
        fail('you cannot provide $keystore_source and $keystore_content')
    }
    $config_dir = "${base_dir}/config"
    $services_dir = "${base_dir}/services"

    ensure_packages(['cas', 'python3-memcache'])

    $groovy_file = '/etc/cas/global_principal_attribute_predicate.groovy'
    if $groovy_source {
        file{$groovy_file:
            source => $groovy_source,
        }
    }
    file{$config_dir:
        ensure => directory,
    }
    file{$services_dir:
        ensure  => directory,
        recurse => true,
        purge   => true,
    }
    file{[$base_dir, $log_dir]:
        ensure  => directory,
        owner   => $daemon_user,
        mode    => '0600',
        recurse => true,
    }
    file {"${config_dir}/cas.properties":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/cas.properties.erb'),
    }
    file {"${config_dir}/log4j2.xml":
        ensure  => file,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => template('apereo_cas/log4j2.xml.erb'),
    }
    $keystore_ensure = $server_enable_ssl ? {
        true    => file,
        default => absent,
    }
    file {$keystore_path:
        ensure  => $keystore_ensure,
        owner   => $daemon_user,
        group   => 'root',
        mode    => '0400',
        content => $keystore_content,
        source  => $keystore_source,
    }

    file { '/usr/local/sbin/memcached-dump':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/memcached-dump.py',
    }

    file { '/usr/local/sbin/return-tgt-for-user':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/return-tgt-for-user.py',
    }
    file { '/usr/local/sbin/cas-remove-u2f':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/apereo_cas/cas_remove_u2f.py',
    }

    $services.each |String $service, Hash $config| {
        apereo_cas::service {$service:
            * => $config,
        }
    }
}