Puppet Class: profile::idp

Defined in:
modules/profile/manifests/idp.pp

Overview

Parameters:

  • ldap_config (Hash) (defaults to: lookup('ldap', Hash, hash, {}))
  • prometheus_nodes (Array[Stdlib::Host]) (defaults to: lookup('prometheus_nodes'))
  • keystore_password (String) (defaults to: lookup('profile::idp::keystore_password'))
  • key_password (String) (defaults to: lookup('profile::idp::key_password'))
  • tgc_signing_key (String) (defaults to: lookup('profile::idp::tgc_signing_key'))
  • tgc_encryption_key (String) (defaults to: lookup('profile::idp::tgc_encryption_key'))
  • webflow_signing_key (String) (defaults to: lookup('profile::idp::webflow_signing_key'))
  • webflow_encryption_key (String) (defaults to: lookup('profile::idp::webflow_encryption_key'))
  • u2f_signing_key (String) (defaults to: lookup('profile::idp::u2f_signing_key'))
  • u2f_encryption_key (String) (defaults to: lookup('profile::idp::u2f_encryption_key'))
  • max_session_length (Integer) (defaults to: lookup('profile::idp::max_session_length'))
  • services (Hash[String,Hash]) (defaults to: lookup('profile::idp::services'))
  • ldap_attribute_list (Array[String[1]]) (defaults to: lookup('profile::idp::ldap_attributes'))
  • actuators (Array[String]) (defaults to: lookup('profile::idp::actuators'))
  • idp_primary (Stdlib::Fqdn) (defaults to: lookup('profile::idp::idp_primary'))
  • is_staging_host (Boolean) (defaults to: lookup('profile::idp::is_staging_host'))
  • memcached_enable (Boolean) (defaults to: lookup('profile::idp::memcached_enable'))
  • u2f_jpa_enable (Boolean) (defaults to: lookup('profile::idp::u2f_jpa_enable'))
  • u2f_jpa_username (String) (defaults to: lookup('profile::idp::u2f_jpa_username'))
  • u2f_jpa_password (String) (defaults to: lookup('profile::idp::u2f_jpa_password'))
  • u2f_jpa_server (Stdlib::Host) (defaults to: lookup('profile::idp::u2f_jpa_server'))
  • u2f_jpa_db (String) (defaults to: lookup('profile::idp::u2f_jpa_db'))
  • idp_failover (Optional[Stdlib::Fqdn]) (defaults to: lookup('profile::idp::idp_failover', {'default_value' => undef}))
  • totp_signing_key (Optional[String]) (defaults to: lookup('profile::idp::totp_signing_key', {'default_value' => undef}))
  • totp_encryption_key (Optional[String]) (defaults to: lookup('profile::idp::totp_encryption_key', {'default_value' => undef}))
  • u2f_token_expiry_days (Optional[Integer]) (defaults to: lookup('profile::idp::u2f_token_expiry_days', {'default_value' => undef}))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# File 'modules/profile/manifests/idp.pp', line 1

class profile::idp(
    Hash                   $ldap_config            = lookup('ldap', Hash, hash, {}),
    Array[Stdlib::Host]    $prometheus_nodes       = lookup('prometheus_nodes'),
    String                 $keystore_password      = lookup('profile::idp::keystore_password'),
    String                 $key_password           = lookup('profile::idp::key_password'),
    String                 $tgc_signing_key        = lookup('profile::idp::tgc_signing_key'),
    String                 $tgc_encryption_key     = lookup('profile::idp::tgc_encryption_key'),
    String                 $webflow_signing_key    = lookup('profile::idp::webflow_signing_key'),
    String                 $webflow_encryption_key = lookup('profile::idp::webflow_encryption_key'),
    String                 $u2f_signing_key        = lookup('profile::idp::u2f_signing_key'),
    String                 $u2f_encryption_key     = lookup('profile::idp::u2f_encryption_key'),
    Integer                $max_session_length     = lookup('profile::idp::max_session_length'),
    Hash[String,Hash]      $services               = lookup('profile::idp::services'),
    Array[String[1]]       $ldap_attribute_list    = lookup('profile::idp::ldap_attributes'),
    Array[String]          $actuators              = lookup('profile::idp::actuators'),
    Stdlib::Fqdn           $idp_primary            = lookup('profile::idp::idp_primary'),
    Boolean                $is_staging_host        = lookup('profile::idp::is_staging_host'),
    Boolean                $memcached_enable       = lookup('profile::idp::memcached_enable'),
    Boolean                $u2f_jpa_enable         = lookup('profile::idp::u2f_jpa_enable'),
    String                 $u2f_jpa_username       = lookup('profile::idp::u2f_jpa_username'),
    String                 $u2f_jpa_password       = lookup('profile::idp::u2f_jpa_password'),
    Stdlib::Host           $u2f_jpa_server         = lookup('profile::idp::u2f_jpa_server'),
    String                 $u2f_jpa_db             = lookup('profile::idp::u2f_jpa_db'),
    Optional[Stdlib::Fqdn] $idp_failover           = lookup('profile::idp::idp_failover',
                                                            {'default_value' => undef}),
    Optional[String]       $totp_signing_key       = lookup('profile::idp::totp_signing_key',
                                                            {'default_value' => undef}),
    Optional[String]       $totp_encryption_key    = lookup('profile::idp::totp_encryption_key',
                                                            {'default_value' => undef}),
    Optional[Integer]      $u2f_token_expiry_days  = lookup('profile::idp::u2f_token_expiry_days',
                                                            {'default_value' => undef}),
){

    include passwords::ldap::production
    class{ 'sslcert::dhparam': }
    include profile::tlsproxy::envoy

    class { 'rsync::server':
        wrap_with_stunnel => true,
    }

    class {'tomcat':}

    backup::set { 'idp': }

    $jmx_port = 9200
    $jmx_config = '/etc/prometheus/cas_jmx_exporter.yaml'
    $jmx_jar = '/usr/share/java/prometheus/jmx_prometheus_javaagent.jar'
    $java_opts = "-javaagent:${jmx_jar}=${facts['networking']['ip']}:${jmx_port}:${jmx_config}"
    $groovy_source = 'puppet:///modules/profile/idp/global_principal_attribute_predicate.groovy'
    $devices_dir = '/srv/cas/devices'
    $log_dir = '/var/log/cas'

    $cas_daemon_user = 'tomcat'
    $cas_manage_user = false

    if $is_staging_host {
        apt::repository{ 'component-idp-test':
            uri        => 'http://apt.wikimedia.org/wikimedia',
            dist       => "${::lsbdistcodename}-wikimedia",
            components => 'component/idp-test',
        }
    }

    class { 'apereo_cas':
        server_name            => 'https://idp.wikimedia.org',
        server_prefix          => '/',
        server_port            => 8080,
        server_enable_ssl      => false,
        tomcat_proxy           => true,
        devices_dir            => $devices_dir,
        groovy_source          => $groovy_source,
        prometheus_nodes       => $prometheus_nodes,
        keystore_content       => secret('casserver/thekeystore'),
        keystore_password      => $keystore_password,
        key_password           => $key_password,
        tgc_signing_key        => $tgc_signing_key,
        tgc_encryption_key     => $tgc_encryption_key,
        webflow_signing_key    => $webflow_signing_key,
        webflow_encryption_key => $webflow_encryption_key,
        u2f_signing_key        => $u2f_signing_key,
        u2f_encryption_key     => $u2f_encryption_key,
        totp_signing_key       => $totp_signing_key,
        totp_encryption_key    => $totp_encryption_key,
        ldap_start_tls         => false,
        ldap_uris              => ["ldaps://${ldap_config[ro-server]}:636",
                                    "ldaps://${ldap_config[ro-server-fallback]}:636",],
        ldap_base_dn           => $ldap_config['base-dn'],
        ldap_attribute_list    => $ldap_attribute_list,
        log_level              => 'DEBUG',
        ldap_bind_pass         => $passwords::ldap::production::proxypass,
        ldap_bind_dn           => "cn=proxyagent,ou=profile,${ldap_config['base-dn']}",
        services               => $services,
        idp_primary            => $idp_primary,
        idp_failover           => $idp_failover,
        java_opts              => $java_opts,
        max_session_length     => $max_session_length,
        actuators              => $actuators,
        daemon_user            => $cas_daemon_user,
        manage_user            => $cas_manage_user,
        log_dir                => $log_dir,
        memcached_enable       => $memcached_enable,
        memcached_port         => 11213,  # we use mcrouter which is on this port
        u2f_jpa_enable         => $u2f_jpa_enable,
        u2f_jpa_username       => $u2f_jpa_username,
        u2f_jpa_password       => $u2f_jpa_password,
        u2f_jpa_server         => $u2f_jpa_server,
        u2f_jpa_db             => $u2f_jpa_db,
        u2f_token_expiry_days  => $u2f_token_expiry_days,
    }

    ferm::service {'cas-https':
        proto => 'tcp',
        port  => 443,
    }

    profile::prometheus::jmx_exporter{ "idp_${facts['networking']['hostname']}":
        hostname         => $facts['networking']['hostname'],
        port             => $jmx_port,
        prometheus_nodes => $prometheus_nodes,
        config_dir       => $jmx_config.dirname,
        config_file      => $jmx_config,
        content          => file('profile/idp/cas_jmx_exporter.yaml'),
    }
    if $memcached_enable {
        class {'profile::idp::memcached':
            idp_nodes => $apereo_cas::idp_nodes,
        }
    }

}