3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
# File 'modules/profile/manifests/idp.pp', line 3
class profile::idp(
Array[Stdlib::Host] $prometheus_nodes = lookup('prometheus_nodes'),
Hash $ldap_config = lookup('ldap', Hash, hash, {}),
Enum['ldaps', 'ldap'] $ldap_schema = lookup('profile::idp::ldap_schema'),
Boolean $enable_ldap = lookup('profile::idp::enable_ldap'),
Boolean $ldap_start_tls = lookup('profile::idp::ldap_start_tls'),
String $keystore_password = lookup('profile::idp::keystore_password'),
String $key_password = lookup('profile::idp::key_password'),
String $tgc_signing_key = lookup('profile::idp::tgc_signing_key'),
String $tgc_encryption_key = lookup('profile::idp::tgc_encryption_key'),
String $webflow_signing_key = lookup('profile::idp::webflow_signing_key'),
String $webflow_encryption_key = lookup('profile::idp::webflow_encryption_key'),
String $u2f_signing_key = lookup('profile::idp::u2f_signing_key'),
String $u2f_encryption_key = lookup('profile::idp::u2f_encryption_key'),
Integer $max_session_length = lookup('profile::idp::max_session_length'),
Hash[String,Hash] $services = lookup('profile::idp::services'),
Array[String[1]] $ldap_attribute_list = lookup('profile::idp::ldap_attributes'),
Array[String] $actuators = lookup('profile::idp::actuators'),
Stdlib::HTTPSUrl $server_name = lookup('profile::idp::server_name'),
Array[Stdlib::Fqdn] $idp_nodes = lookup('profile::idp::idp_nodes'),
Boolean $is_staging_host = lookup('profile::idp::is_staging_host'),
Boolean $memcached_enable = lookup('profile::idp::memcached_enable'),
Stdlib::Port $memcached_port = lookup('profile::idp::memcached_port'),
Apereo_cas::Memcached::Transcoder $memcached_transcoder = lookup('profile::idp::memcached_transcoder'),
Boolean $enable_mfa = lookup('profile::idp::enable_mfa'),
Boolean $enable_u2f = lookup('profile::idp::enable_u2f'),
Boolean $u2f_jpa_enable = lookup('profile::idp::u2f_jpa_enable'),
String $u2f_jpa_username = lookup('profile::idp::u2f_jpa_username'),
String $u2f_jpa_password = lookup('profile::idp::u2f_jpa_password'),
Stdlib::Host $u2f_jpa_server = lookup('profile::idp::u2f_jpa_server'),
String $u2f_jpa_db = lookup('profile::idp::u2f_jpa_db'),
Boolean $enable_cors = lookup('profile::idp::enable_cors'),
Boolean $cors_allow_credentials = lookup('profile::idp::cors_allow_credentials'),
Array[Stdlib::HTTPSUrl] $cors_allowed_origins = lookup('profile::idp::cors_allowed_origins'),
Array[String] $cors_allowed_headers = lookup('profile::idp::cors_allowed_headers'),
Array[Wmflib::HTTP::Method] $cors_allowed_methods = lookup('profile::idp::cors_allowed_methods'),
Optional[Integer] $u2f_token_expiry_days = lookup('profile::idp::u2f_token_expiry_days'),
Boolean $envoy_termination = lookup('profile::idp::envoy_termination'),
Array[Apereo_cas::Delegate] $delegated_authenticators = lookup('profile::idp::delegated_authenticators'),
){
ensure_packages(['python3-pymysql'])
include passwords::ldap::production
class{ 'sslcert::dhparam': }
if $envoy_termination {
include profile::tlsproxy::envoy
$ferm_port = 443
} else {
# In cloud we use the shared wmfcloud proxy for tls termination
$ferm_port = 8080
}
class {'tomcat': }
$jmx_port = 9200
$jmx_config = '/etc/prometheus/cas_jmx_exporter.yaml'
$jmx_jar = '/usr/share/java/prometheus/jmx_prometheus_javaagent.jar'
$java_opts = "-javaagent:${jmx_jar}=${facts['networking']['ip']}:${jmx_port}:${jmx_config}"
$groovy_source = 'puppet:///modules/profile/idp/global_principal_attribute_predicate.groovy'
$log_dir = '/var/log/cas'
$cas_daemon_user = 'tomcat'
if $is_staging_host {
apt::repository{ 'component-idp-test':
uri => 'http://apt.wikimedia.org/wikimedia',
dist => "${::lsbdistcodename}-wikimedia",
components => 'component/idp-test',
}
}
$ldap_port = $ldap_schema ? {
'ldap' => 389,
default => 636,
}
$ldap_uris = ["${ldap_schema}://${ldap_config[ro-server]}:${ldap_port}",
"${ldap_schema}://${ldap_config[ro-server-fallback]}:${ldap_port}"]
class { 'apereo_cas':
server_name => $server_name,
server_prefix => '/',
server_port => 8080,
server_enable_ssl => false,
tomcat_proxy => true,
groovy_source => $groovy_source,
prometheus_nodes => $prometheus_nodes,
keystore_content => secret('casserver/thekeystore'),
keystore_password => $keystore_password,
key_password => $key_password,
tgc_signing_key => $tgc_signing_key,
tgc_encryption_key => $tgc_encryption_key,
webflow_signing_key => $webflow_signing_key,
webflow_encryption_key => $webflow_encryption_key,
u2f_signing_key => $u2f_signing_key,
u2f_encryption_key => $u2f_encryption_key,
enable_ldap => $enable_ldap,
ldap_start_tls => $ldap_start_tls,
ldap_uris => $ldap_uris,
ldap_base_dn => $ldap_config['base-dn'],
ldap_group_cn => $ldap_config['group_cn'],
ldap_attribute_list => $ldap_attribute_list,
log_level => 'DEBUG',
ldap_bind_pass => $passwords::ldap::production::proxypass,
ldap_bind_dn => $ldap_config['proxyagent'],
services => $services,
idp_nodes => $idp_nodes,
java_opts => $java_opts,
max_session_length => $max_session_length,
actuators => $actuators,
daemon_user => $cas_daemon_user,
log_dir => $log_dir,
memcached_enable => $memcached_enable,
memcached_port => $memcached_port,
memcached_transcoder => $memcached_transcoder,
enable_u2f => $enable_u2f,
enable_mfa => $enable_mfa,
u2f_jpa_enable => $u2f_jpa_enable,
u2f_jpa_username => $u2f_jpa_username,
u2f_jpa_password => $u2f_jpa_password,
u2f_jpa_server => $u2f_jpa_server,
u2f_jpa_db => $u2f_jpa_db,
u2f_token_expiry_days => $u2f_token_expiry_days,
enable_cors => $enable_cors,
cors_allow_credentials => $cors_allow_credentials,
cors_allowed_origins => $cors_allowed_origins,
cors_allowed_headers => $cors_allowed_headers,
cors_allowed_methods => $cors_allowed_methods,
delegated_authenticators => $delegated_authenticators,
}
systemd::unit{'tomcat9':
override => true,
restart => true,
content => "[Service]\nReadWritePaths=${apereo_cas::log_dir}\n",
}
ferm::service {'cas-https':
proto => 'tcp',
port => $ferm_port,
}
profile::prometheus::jmx_exporter{ "idp_${facts['networking']['hostname']}":
hostname => $facts['networking']['hostname'],
port => $jmx_port,
prometheus_nodes => $prometheus_nodes,
config_dir => $jmx_config.dirname,
config_file => $jmx_config,
content => file('profile/idp/cas_jmx_exporter.yaml'),
}
if $memcached_enable {
class {'profile::idp::memcached':
idp_nodes => $idp_nodes,
}
}
file {'/usr/local/sbin/cas-manage-u2f':
ensure => file,
owner => root,
mode => '0500',
source => 'puppet:///modules/profile/idp/cas_manage_u2f.py',
}
profile::logoutd::script {'idp':
source => 'puppet:///modules/apereo_cas/idp-logout.py',
}
}
|