Defined Type: profile::idp::client::httpd::site
- Defined in:
- modules/profile/manifests/idp/client/httpd/site.pp
Summary
private define used to configure an apache vhost using mod_auth_cas
Overview
SPDX-License-Identifier: Apache-2.0
Parameters:
-
vhost_content
(String[1])
—
an erb template file to use for the apache vhost configuration
-
virtual_host
(Stdlib::Host)
(defaults to: $title)
—
FQDN of vhost
-
server_aliases
(Array[Stdlib::Host])
(defaults to: [])
—
an array of additional server aliases
-
document_root
(Stdlib::Unixpath)
(defaults to: '/var/www')
—
the document root to configure for the apache vhost
-
cookie_scope
(String[1])
(defaults to: $protected_uri)
—
The location where cas stores information relating to authentication cookies issued
-
authn_header
(String[1])
(defaults to: 'CAS-User')
—
The prefix to use when adding CAS or SAML attributes to the HTTP headers
-
attribute_prefix
(String[1])
(defaults to: 'X-CAS-')
—
string to use as a prefix for header attribute mapping
-
debug
(Boolean)
(defaults to: false)
—
Enable cas debug
-
priority
(Integer[1,99])
(defaults to: 50)
—
the priority of the vhost site. default: 99
-
validate_saml
(Boolean)
(defaults to: false)
—
if true set CASValidateSAML On
-
enable_monitor
(Boolean)
(defaults to: true)
—
if true an icinga check to make sure the site correctly redirects
-
protected_uri
(String[1])
(defaults to: '/')
—
The protected URI endpoint which is validated if “enable_monitor” is set. default: '/'
-
required_groups
(Array[String[1]])
(defaults to: [])
—
An array of LDAP groups allowed to access this resource
-
vhost_settings
(Hash[String,Any])
(defaults to: {})
—
Allows to pass settings to the vhost config which are unrelated to the IDP setup
-
proxied_as_https
(Boolean)
(defaults to: false)
—
if true set the proxied_as address to https://${title}
- attribute_delimiter (String[1,1]) (defaults to: ':') —
delimiter to use when mapping lists
- environment (Enum['staging', 'production']) (defaults to: 'production') —
either production or staging environment
- enable_slo (Boolean) (defaults to: true) —
enable the Single Logout (SLO) endpoint, this is called by CAS when someone logs out of the sso session
- cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: 'Lax') —
Specify the value for the 'SameSite=' parameter in the Set-Cookie header. Allowed values are 'None', 'Lax', and 'Strict'.
- cookie_secure (Enum['Auto', 'On', 'Off']) (defaults to: 'On') —
Set the optional 'Secure' attribute for cookies issued by mod_auth_cas. Set the Secure attribute as described in RFC 6265. This flag prevents the mod_auth_cas cookies from being sent over an unencrypted HTTP connection. By default, mod_auth_cas sets the 'Secure' attribute depending on information about the connection (the 'Auto' option). The options 'On' and 'Off' can be used to override the automatic behaviour.
- acme_chief_cert (Optional[String[1]]) (defaults to: undef) —
the name of the acme chief certificate to use
# File 'modules/profile/manifests/idp/client/httpd/site.pp', line 31
#
# Configure an apache vhost protected by mod_auth_cas.  The define reads the
# shared CAS client settings from profile::idp::client::httpd, builds the
# mod_auth_cas directive hashes, creates the per-vhost cookie directory,
# optionally requests an acme-chief certificate, declares the httpd::site and
# (when $enable_monitor is set) two icinga checks for the SSO redirect and the
# TLS certificate expiry.
#
# Nothing in this body renders $ssl_settings, $cas_settings, $cas_auth_settings
# or $proxied_as; they are presumably consumed by the ERB named in
# $vhost_content (template($vhost_content) below), so their names are part of
# the contract with that template — confirm before renaming any of them.
# Likewise $virtual_host, $server_aliases, $document_root and $vhost_settings
# are not referenced here and are presumably read by the template.
#
# NOTE(review): the parameter documentation above says "default: 99" for
# $priority, but the declared default here is 50.
define profile::idp::client::httpd::site (
    String[1]                      $vhost_content,
    Stdlib::Host                   $virtual_host        = $title,
    Stdlib::Unixpath               $document_root       = '/var/www',
    Array[Stdlib::Host]            $server_aliases      = [],
    String[1]                      $authn_header        = 'CAS-User',
    String[1]                      $attribute_prefix    = 'X-CAS-',
    Boolean                        $debug               = false,
    Integer[1,99]                  $priority            = 50,
    Boolean                        $validate_saml       = false,
    Boolean                        $enable_monitor      = true,
    String[1]                      $protected_uri       = '/',
    String[1]                      $cookie_scope        = $protected_uri,
    Boolean                        $proxied_as_https    = false,
    String[1,1]                    $attribute_delimiter = ':',
    Enum['staging', 'production']  $environment         = 'production',
    Boolean                        $enable_slo          = true,
    Wmflib::HTTP::SameSite         $cookie_same_site    = 'Lax',
    Enum['Auto', 'On', 'Off']      $cookie_secure       = 'On',
    Hash[String,Any]               $vhost_settings      = {},
    Array[String[1]]               $required_groups     = [],
    Optional[String[1]]            $acme_chief_cert     = undef,
) {
    include profile::idp::client::httpd

    # Shared settings come from the enclosing class.  $cookie_path gets a
    # per-$title subdirectory, so each vhost keeps its own CAS cookie state
    # instead of sharing the class-wide directory.
    $apereo_cas       = $profile::idp::client::httpd::apereo_cas
    $apache_owner     = $profile::idp::client::httpd::apache_owner
    $apache_group     = $profile::idp::client::httpd::apache_group
    $certificate_path = $profile::idp::client::httpd::certificate_path
    $cookie_path      = "${profile::idp::client::httpd::cookie_path}/${title}/"
    $ssl_settings     = ssl_ciphersuite('apache', 'strong', true)

    # CASRootProxiedAs is only set when the vhost is reached through a
    # TLS-terminating proxy; it is built from $title, not $virtual_host, so
    # the two diverge if a caller overrides $virtual_host — confirm intended.
    $proxied_as = $proxied_as_https ? {
        true    => "https://${title}",
        default => undef,
    }

    # SAML validation uses a separate validate endpoint; both are looked up
    # per environment so staging and production never share a CAS server.
    $validate_url_key = $validate_saml.bool2str('validate_url_saml', 'validate_url')
    $validate_url     = $apereo_cas[$environment][$validate_url_key]

    # Server-level mod_auth_cas directives.  CASCookieSecure defaults to 'On'
    # (see the parameter documentation), which keeps the session cookie off
    # plain-HTTP connections; CASCookieSameSite defaults to 'Lax'.
    $cas_settings = {
        'CASLoginURL'           => $apereo_cas[$environment]['login_url'],
        'CASValidateURL'        => $validate_url,
        'CASDebug'              => $debug.bool2str('On', 'Off'),
        'CASRootProxiedAs'      => $proxied_as,
        'CASVersion'            => 2,
        'CASCertificatePath'    => $certificate_path,
        'CASCookiePath'         => $cookie_path,
        'CASAttributePrefix'    => $attribute_prefix,
        'CASAttributeDelimiter' => $attribute_delimiter,
        'CASValidateSAML'       => $validate_saml.bool2str('On', 'Off'),
        'CASSSOEnabled'         => $enable_slo.bool2str('On', 'Off'),
        'CASCookieSameSite'     => $cookie_same_site,
        'CASCookieSecure'       => $cookie_secure,
    }

    # Authorization: with no groups configured any authenticated user is
    # accepted ('valid-user'); otherwise access requires membership in at
    # least one of the listed groups, expressed as a memberOf attribute
    # requirement per group.
    $cas_auth_require = $required_groups.empty? {
        true    => ['valid-user'],
        default => $required_groups.map |$group| { "cas-attribute memberOf:${group}" },
    }

    # Location-level directives.  NOTE(review): the parameter docs above
    # describe $cookie_scope as a storage location, but here it feeds CASScope
    # while storage is CASCookiePath — confirm which is meant.
    $cas_auth_settings = {
        'AuthType'      => 'CAS',
        'CASAuthNHeader' => $authn_header,
        'CASScope'      => $cookie_scope,
        'Require'       => $cas_auth_require,
    }

    # Cookie state directory, owned by the apache user/group from the class.
    file { $cookie_path:
        ensure => directory,
        owner  => $apache_owner,
        group  => $apache_group,
    }

    # The defined() guard lets several sites share one acme-chief certificate
    # without a duplicate-declaration error.
    if $acme_chief_cert and !defined(Acme_chief::Cert[$acme_chief_cert]) {
        acme_chief::cert { $acme_chief_cert:
            puppet_svc => 'apache2',
        }
    }

    httpd::site { $title:
        content  => template($vhost_content),
        priority => $priority,
    }

    # Both checks target $title (not $virtual_host): one verifies that the
    # protected URI redirects to SSO, the other watches TLS expiry on 443.
    if $enable_monitor {
        monitoring::service { "https-${title}-unauthorized":
            description   => "${title} requires authentication",
            check_command => "check_https_sso_redirect!${title}!${protected_uri}",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
        monitoring::service { "https-${title}-expiry":
            description   => "${title} tls expiry",
            check_command => "check_https_expiry!${title}!443",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
    }
}