Puppet Class: profile::idp

Defined in:
modules/profile/manifests/idp.pp

Summary

profile to configure the idp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ldap_config (Hash) (defaults to: lookup('ldap'))

    a hash containing the ldap configeration

  • prometheus_nodes (Array[Stdlib::Host]) (defaults to: lookup('prometheus_nodes'))
  • log_level (Wmflib::Syslog::Level::Log4j) (defaults to: lookup('profile::idp::log_level'))
  • ldap_schema (Enum['ldaps', 'ldap']) (defaults to: lookup('profile::idp::ldap_schema'))
  • enable_ldap (Boolean) (defaults to: lookup('profile::idp::enable_ldap'))
  • ldap_start_tls (Boolean) (defaults to: lookup('profile::idp::ldap_start_tls'))
  • keystore_password (String) (defaults to: lookup('profile::idp::keystore_password'))
  • key_password (String) (defaults to: lookup('profile::idp::key_password'))
  • tgc_signing_key (String) (defaults to: lookup('profile::idp::tgc_signing_key'))
  • tgc_encryption_key (String) (defaults to: lookup('profile::idp::tgc_encryption_key'))
  • tgc_cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: lookup('profile::idp::tgc_cookie_same_site'))
  • tgc_cookie_pin_to_session (Boolean) (defaults to: lookup('profile::idp::tgc_cookie_pin_to_session'))
  • webflow_signing_key (String) (defaults to: lookup('profile::idp::webflow_signing_key'))
  • webflow_encryption_key (String) (defaults to: lookup('profile::idp::webflow_encryption_key'))
  • u2f_signing_key (String) (defaults to: lookup('profile::idp::u2f_signing_key'))
  • u2f_encryption_key (String) (defaults to: lookup('profile::idp::u2f_encryption_key'))
  • web_authn_signing_key (String) (defaults to: lookup('profile::idp::web_authn_signing_key'))
  • web_authn_encryption_key (String) (defaults to: lookup('profile::idp::web_authn_encryption_key'))
  • oauth_crypto_signing_key (String) (defaults to: lookup('profile::idp::oauth_crypto_signing_key'))
  • oauth_crypto_encryption_key (String) (defaults to: lookup('profile::idp::oauth_crypto_encryption_key'))
  • oauth_token_signing_key (String) (defaults to: lookup('profile::idp::oauth_token_signing_key'))
  • oauth_token_encryption_key (String) (defaults to: lookup('profile::idp::oauth_token_encryption_key'))
  • spring_password (String) (defaults to: lookup('profile::idp::spring_password'))
  • max_session_length (Integer) (defaults to: lookup('profile::idp::max_session_length'))
  • services (Hash[String,Hash]) (defaults to: lookup('profile::idp::services'))
  • ldap_attribute_list (Array[String[1]]) (defaults to: lookup('profile::idp::ldap_attributes'))
  • actuators (Array[String]) (defaults to: lookup('profile::idp::actuators'))
  • server_name (Stdlib::HTTPSUrl) (defaults to: lookup('profile::idp::server_name'))
  • idp_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::idp::idp_nodes'))
  • is_staging_host (Boolean) (defaults to: lookup('profile::idp::is_staging_host'))
  • memcached_enable (Boolean) (defaults to: lookup('profile::idp::memcached_enable'))
  • memcached_port (Stdlib::Port) (defaults to: lookup('profile::idp::memcached_port'))
  • memcached_transcoder (Apereo_cas::Memcached::Transcoder) (defaults to: lookup('profile::idp::memcached_transcoder'))
  • enable_u2f (Boolean) (defaults to: lookup('profile::idp::enable_u2f'))
  • u2f_jpa_enable (Boolean) (defaults to: lookup('profile::idp::u2f_jpa_enable'))
  • u2f_jpa_username (String) (defaults to: lookup('profile::idp::u2f_jpa_username'))
  • u2f_jpa_password (String) (defaults to: lookup('profile::idp::u2f_jpa_password'))
  • u2f_jpa_server (Stdlib::Host) (defaults to: lookup('profile::idp::u2f_jpa_server'))
  • u2f_jpa_db (String) (defaults to: lookup('profile::idp::u2f_jpa_db'))
  • enable_cors (Boolean) (defaults to: lookup('profile::idp::enable_cors'))
  • cors_allow_credentials (Boolean) (defaults to: lookup('profile::idp::cors_allow_credentials'))
  • cors_allowed_origins (Array[Stdlib::HTTPSUrl]) (defaults to: lookup('profile::idp::cors_allowed_origins'))
  • cors_allowed_headers (Array[String]) (defaults to: lookup('profile::idp::cors_allowed_headers'))
  • cors_allowed_methods (Array[Wmflib::HTTP::Method]) (defaults to: lookup('profile::idp::cors_allowed_methods'))
  • u2f_token_expiry_days (Optional[Integer]) (defaults to: lookup('profile::idp::u2f_token_expiry_days'))
  • envoy_termination (Boolean) (defaults to: lookup('profile::idp::envoy_termination'))
  • delegated_authenticators (Array[Apereo_cas::Delegate]) (defaults to: lookup('profile::idp::delegated_authenticators'))
  • enable_webauthn (Boolean) (defaults to: lookup('profile::idp::enable_webauthn'))
  • webauthn_relaying_party (Stdlib::Fqdn) (defaults to: lookup('profile::idp::webauthn_relaying_party')) 


4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
 
# File 'modules/profile/manifests/idp.pp', line 4

class profile::idp(
    Array[Stdlib::Host]               $prometheus_nodes            = lookup('prometheus_nodes'),
    Hash                              $ldap_config                 = lookup('ldap'),
    Wmflib::Syslog::Level::Log4j      $log_level                   = lookup('profile::idp::log_level'),
    Enum['ldaps', 'ldap']             $ldap_schema                 = lookup('profile::idp::ldap_schema'),
    Boolean                           $enable_ldap                 = lookup('profile::idp::enable_ldap'),
    Boolean                           $ldap_start_tls              = lookup('profile::idp::ldap_start_tls'),
    String                            $keystore_password           = lookup('profile::idp::keystore_password'),
    String                            $key_password                = lookup('profile::idp::key_password'),
    String                            $tgc_signing_key             = lookup('profile::idp::tgc_signing_key'),
    String                            $tgc_encryption_key          = lookup('profile::idp::tgc_encryption_key'),
    Wmflib::HTTP::SameSite            $tgc_cookie_same_site        = lookup('profile::idp::tgc_cookie_same_site'),
    Boolean                           $tgc_cookie_pin_to_session   = lookup('profile::idp::tgc_cookie_pin_to_session'),
    String                            $webflow_signing_key         = lookup('profile::idp::webflow_signing_key'),
    String                            $webflow_encryption_key      = lookup('profile::idp::webflow_encryption_key'),
    String                            $u2f_signing_key             = lookup('profile::idp::u2f_signing_key'),
    String                            $u2f_encryption_key          = lookup('profile::idp::u2f_encryption_key'),
    String                            $web_authn_signing_key       = lookup('profile::idp::web_authn_signing_key'),
    String                            $web_authn_encryption_key    = lookup('profile::idp::web_authn_encryption_key'),
    String                            $oauth_crypto_signing_key    = lookup('profile::idp::oauth_crypto_signing_key'),
    String                            $oauth_crypto_encryption_key = lookup('profile::idp::oauth_crypto_encryption_key'),
    String                            $oauth_token_signing_key     = lookup('profile::idp::oauth_token_signing_key'),
    String                            $oauth_token_encryption_key  = lookup('profile::idp::oauth_token_encryption_key'),
    String                            $spring_password             = lookup('profile::idp::spring_password'),
    Integer                           $max_session_length          = lookup('profile::idp::max_session_length'),
    Hash[String,Hash]                 $services                    = lookup('profile::idp::services'),
    Array[String[1]]                  $ldap_attribute_list         = lookup('profile::idp::ldap_attributes'),
    Array[String]                     $actuators                   = lookup('profile::idp::actuators'),
    Stdlib::HTTPSUrl                  $server_name                 = lookup('profile::idp::server_name'),
    Array[Stdlib::Fqdn]               $idp_nodes                   = lookup('profile::idp::idp_nodes'),
    Boolean                           $is_staging_host             = lookup('profile::idp::is_staging_host'),
    Boolean                           $memcached_enable            = lookup('profile::idp::memcached_enable'),
    Stdlib::Port                      $memcached_port              = lookup('profile::idp::memcached_port'),
    Apereo_cas::Memcached::Transcoder $memcached_transcoder      = lookup('profile::idp::memcached_transcoder'),
    Boolean                           $enable_u2f                = lookup('profile::idp::enable_u2f'),
    Boolean                           $u2f_jpa_enable            = lookup('profile::idp::u2f_jpa_enable'),
    String                            $u2f_jpa_username          = lookup('profile::idp::u2f_jpa_username'),
    String                            $u2f_jpa_password          = lookup('profile::idp::u2f_jpa_password'),
    Stdlib::Host                      $u2f_jpa_server            = lookup('profile::idp::u2f_jpa_server'),
    String                            $u2f_jpa_db                = lookup('profile::idp::u2f_jpa_db'),
    Boolean                           $enable_cors               = lookup('profile::idp::enable_cors'),
    Boolean                           $cors_allow_credentials    = lookup('profile::idp::cors_allow_credentials'),
    Array[Stdlib::HTTPSUrl]           $cors_allowed_origins      = lookup('profile::idp::cors_allowed_origins'),
    Array[String]                     $cors_allowed_headers      = lookup('profile::idp::cors_allowed_headers'),
    Array[Wmflib::HTTP::Method]       $cors_allowed_methods      = lookup('profile::idp::cors_allowed_methods'),
    Optional[Integer]                 $u2f_token_expiry_days     = lookup('profile::idp::u2f_token_expiry_days'),
    Boolean                           $envoy_termination         = lookup('profile::idp::envoy_termination'),
    Array[Apereo_cas::Delegate]       $delegated_authenticators  = lookup('profile::idp::delegated_authenticators'),
    Boolean                           $enable_webauthn           = lookup('profile::idp::enable_webauthn'),
    Stdlib::Fqdn                      $webauthn_relaying_party   = lookup('profile::idp::webauthn_relaying_party'),
){

    ensure_packages(['python3-pymysql'])
    include passwords::ldap::production
    include profile::java
    class{ 'sslcert::dhparam': }
    if $envoy_termination {
      include profile::tlsproxy::envoy
      $firewall_port = 443
      profile::auto_restarts::service { 'envoyproxy': }
    } else {
      # In Cloud VPS we use the shared web proxy for tls termination
      $firewall_port = 8080
    }

    class {'tomcat': }

    $jmx_port = 9200
    $jmx_config = '/etc/prometheus/cas_jmx_exporter.yaml'
    $jmx_jar = '/usr/share/java/prometheus/jmx_prometheus_javaagent.jar'
    $java_opts = "-javaagent:${jmx_jar}=${facts['networking']['ip']}:${jmx_port}:${jmx_config}"
    $groovy_source = 'puppet:///modules/profile/idp/global_principal_attribute_predicate.groovy'
    $log_dir = '/var/log/cas'

    $cas_daemon_user = 'tomcat'

    $ldap_port = $ldap_schema ? {
      'ldap'  => 389,
      default => 636,
    }
    $ldap_uris = ["${ldap_schema}://${ldap_config[ro-server]}:${ldap_port}",
                  "${ldap_schema}://${ldap_config[ro-server-fallback]}:${ldap_port}"]
    class { 'apereo_cas':
        server_name                 => $server_name,
        server_prefix               => '/',
        server_port                 => 8080,
        server_enable_ssl           => false,
        tomcat_proxy                => true,
        groovy_source               => $groovy_source,
        prometheus_nodes            => $prometheus_nodes,
        keystore_content            => secret('casserver/thekeystore'),
        keystore_password           => $keystore_password,
        key_password                => $key_password,
        tgc_signing_key             => $tgc_signing_key,
        tgc_encryption_key          => $tgc_encryption_key,
        tgc_cookie_same_site        => $tgc_cookie_same_site,
        tgc_cookie_pin_to_session   => $tgc_cookie_pin_to_session,
        webflow_signing_key         => $webflow_signing_key,
        webflow_encryption_key      => $webflow_encryption_key,
        u2f_signing_key             => $u2f_signing_key,
        u2f_encryption_key          => $u2f_encryption_key,
        web_authn_signing_key       => $web_authn_signing_key,
        web_authn_encryption_key    => $web_authn_encryption_key,
        oauth_crypto_signing_key    => $oauth_crypto_signing_key,
        oauth_crypto_encryption_key => $oauth_crypto_encryption_key,
        oauth_token_signing_key     => $oauth_token_signing_key,
        oauth_token_encryption_key  => $oauth_token_encryption_key,
        spring_password             => $spring_password,
        enable_ldap                 => $enable_ldap,
        ldap_start_tls              => $ldap_start_tls,
        ldap_uris                   => $ldap_uris,
        ldap_base_dn                => $ldap_config['base-dn'],
        ldap_group_cn               => $ldap_config['group_cn'],
        ldap_attribute_list         => $ldap_attribute_list,
        log_level                   => $log_level,
        ldap_bind_pass              => $passwords::ldap::production::proxypass,
        ldap_bind_dn                => $ldap_config['proxyagent'],
        services                    => $services,
        idp_nodes                   => $idp_nodes,
        java_opts                   => $java_opts,
        max_session_length          => $max_session_length,
        actuators                   => $actuators,
        daemon_user                 => $cas_daemon_user,
        log_dir                     => $log_dir,
        memcached_enable            => $memcached_enable,
        memcached_port              => $memcached_port,
        memcached_transcoder        => $memcached_transcoder,
        enable_u2f                  => $enable_u2f,
        u2f_jpa_enable              => $u2f_jpa_enable,
        u2f_jpa_username            => $u2f_jpa_username,
        u2f_jpa_password            => $u2f_jpa_password,
        u2f_jpa_server              => $u2f_jpa_server,
        u2f_jpa_db                  => $u2f_jpa_db,
        u2f_token_expiry_days       => $u2f_token_expiry_days,
        enable_cors                 => $enable_cors,
        cors_allow_credentials      => $cors_allow_credentials,
        cors_allowed_origins        => $cors_allowed_origins,
        cors_allowed_headers        => $cors_allowed_headers,
        cors_allowed_methods        => $cors_allowed_methods,
        delegated_authenticators    => $delegated_authenticators,
        enable_webauthn             => $enable_webauthn,
        webauthn_relaying_party     => $webauthn_relaying_party,
    }

    systemd::unit{'tomcat9':
        override => true,
        restart  => true,
        content  => "[Service]\nReadWritePaths=${apereo_cas::log_dir}\nEnvironment=JAVA_HOME=${profile::java::default_java_home}",
    }

    firewall::service {'cas-https':
        proto => 'tcp',
        port  => $firewall_port,
    }

    profile::prometheus::jmx_exporter{ "idp_${facts['networking']['hostname']}":
        hostname    => $facts['networking']['hostname'],
        port        => $jmx_port,
        config_dir  => $jmx_config.dirname,
        config_file => $jmx_config,
        content     => file('profile/idp/cas_jmx_exporter.yaml'),
    }
    if $memcached_enable {
        class {'profile::idp::memcached':
            idp_nodes => $idp_nodes,
        }
    }
    file {'/usr/local/sbin/cas-manage-u2f':
      ensure => file,
      owner  => root,
      mode   => '0500',
      source => 'puppet:///modules/profile/idp/cas_manage_u2f.py',
    }

    profile::logoutd::script {'idp':
        source => 'puppet:///modules/apereo_cas/idp-logout.py',
    }

}