Defined Type: apereo_cas::service

Defined in:
modules/apereo_cas/manifests/service.pp

Summary

Define an apereo_cas service

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • id (Integer)

    the numerical id

  • service_id (String)

    the id of the service, i.e. the URL pattern

  • service_class (Apereo_cas::Service::Class) (defaults to: 'CasRegisteredService')

    The service class to use

  • release_policy (Apereo_cas::Service::Release_policy) (defaults to: 'ReturnAllAttributeReleasePolicy')

    the release policy to use

  • access_strategy (Apereo_cas::Service::Access_strategy) (defaults to: 'DefaultRegisteredServiceAccessStrategy')

    the access strategy to use

  • profile_format (ENUM['FLAT', 'NESTED']) (defaults to: 'NESTED')

    set the OIDC/OAuth2 profile view data format

  • required_groups (Array[String]) (defaults to: [])

    a list of required LDAP groups for the service

  • properties (Hash) (defaults to: {})

    a hash of additional properties for the service

  • allowed_delegate (Optional[String[1]]) (defaults to: undef)

    add an allowed delegated authentication provider

  • client_secret (Optional[String[1]]) (defaults to: undef)

    the client_secret used for OIDC

  • response_type (String) (defaults to: 'code')
  • member_of_exclude (Optional[String[1]]) (defaults to: undef)


# File 'modules/apereo_cas/manifests/service.pp', line 13

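define apereo_cas::service (
    Integer                              $id,
    String                               $service_id,
    Apereo_cas::Service::Class           $service_class      = 'CasRegisteredService',
    Apereo_cas::Service::Release_policy  $release_policy     = 'ReturnAllAttributeReleasePolicy',
    Apereo_cas::Service::Access_strategy $access_strategy    = 'DefaultRegisteredServiceAccessStrategy',
    ENUM['FLAT', 'NESTED']               $profile_format     = 'NESTED',
    String                               $response_type      = 'code',
    Array[String]                        $required_groups    = [],
    Hash                                 $properties         = {},
    Optional[String[1]]                  $allowed_delegate   = undef,
    Optional[String[1]]                  $client_secret      = undef,
    Optional[String[1]]                  $member_of_exclude  = undef,
) {
    # OIDC services carry extra client settings and must have a client secret;
    # every other service class gets no additional keys.
    if $service_class == 'OidcRegisteredService' {
        if !$client_secret {
            fail("${title}: \$client_secret required when using OidcRegisteredService")
        }

        $additional_params = {
            'clientId'               => $title,
            'clientSecret'           => $client_secret,
            'userProfileViewType'    => $profile_format,
            'bypassApprovalPrompt'   => true,
            'supportedResponseTypes' => [ 'java.util.HashSet', [ $response_type ] ],
            'supportedGrantTypes'    => [ 'java.util.HashSet', [ 'authorization_code' ] ],
            'scopes'                 => [ 'java.util.HashSet', [ 'profile', 'openid', 'email', 'groups', 'memberOf'] ],
        }
    } else {
        $additional_params = {}
    }

    # The main class provides ldap_group_cn, ldap_base_dn and services_dir.
    include apereo_cas

    # Optional delegated authentication policy, merged into accessStrategy below.
    $delegate = $allowed_delegate ? {
        undef   => {},
        default => {
            'delegatedAuthenticationPolicy' => {
                '@class'           => 'org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy',
                'allowedProviders' => [ 'java.util.ArrayList', [ $allowed_delegate ]],
            },
        }
    }

    # Access strategy: when groups are required, each one is expanded to a full
    # group DN under the configured LDAP root and matched against memberOf.
    $ldap_root = "${apereo_cas::ldap_group_cn},${apereo_cas::ldap_base_dn}"
    if $required_groups.empty() {
        $_access_strategy = { '@class' => "org.apereo.cas.services.${access_strategy}" }
    } else {
        $ldap_groups = $required_groups.map |$group| { "cn=${group},${ldap_root}" }
        $_access_strategy = {
            '@class'             => "org.apereo.cas.services.${access_strategy}",
            'requiredAttributes' => {
                '@class'   => 'java.util.HashMap',
                'memberOf' => [
                    'java.util.HashSet',
                    $ldap_groups,
                ],
            },
        }
    }

    # Attribute release: an optional reverse-mapped regex filter on memberOf
    # restricts which group memberships are released to the service.
    if $member_of_exclude {
        $attribute_release_policy = {
            '@class'            => "org.apereo.cas.services.${release_policy}",
            'attributeFilter'   => {
                '@class' => 'org.apereo.cas.services.support.RegisteredServiceReverseMappedRegexAttributeFilter',
                'patterns'                  => {
                    '@class'   => 'java.util.TreeMap',
                    'memberOf' => $member_of_exclude
                },
                'excludeUnmappedAttributes' => true,
                'completeMatch'             => false,
                'caseInsensitive'           => true,
                'order'                     => 0
            },
            'allowedAttributes' => [ 'java.util.HashSet', [ 'cn', 'sn', 'mail', 'memberOf', 'uid' ]]
        }
    } else {
        $attribute_release_policy = { '@class' => "org.apereo.cas.services.${release_policy}" }
    }

    $base_data = {
        '@class'                 => "org.apereo.cas.services.${service_class}",
        'name'                   => $title,
        'serviceId'              => $service_id,
        'attributeReleasePolicy' => $attribute_release_policy,
        'id'                     => $id,
        'accessStrategy'         => $_access_strategy + $delegate,
    } + $additional_params

    $data = $properties.empty ? {
        true    => $base_data,
        default => $base_data + { 'properties' => $properties },
    }

    # The rendered JSON embeds $client_secret for OIDC services, so the content
    # diff is suppressed in agent output and reports whenever a secret is set.
    # Owner, group and mode are not set here; the services directory should not
    # be readable by unrelated local users.
    file { "${apereo_cas::services_dir}/${title}-${id}.json":
        ensure    => file,
        content   => $data.to_json(),
        show_diff => !$client_secret,
    }
}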