Defined Type: profile::idp::client::httpd::site

Defined in:
modules/profile/manifests/idp/client/httpd/site.pp

Overview

Parameters:

  • vhost_content (String[1])

    an erb template file to use for the apache vhost configuration

  • server_aliases (Array[Stdlib::Host]) (defaults to: [])

    an array of additional server aliases

  • document_root (Stdlib::Unixpath) (defaults to: '/var/www')

    the document root to configure for the apache vhost

  • cookie_path

    The location where cas stores information relating to authentication cookies issued

  • certificate_path

    the SSL certificate path used for validation

  • apereo_cas

    hash holding the login and validation URLs

  • authn_header (String[1]) (defaults to: 'CAS-User')

    The prefix to use when adding CAS or SAML attributes to the HTTP headers

  • debug (Boolean) (defaults to: false)

    Enable cas debug

  • priority (Integer[1,99]) (defaults to: 50)

    the priority of the vhost site. default: 50

  • validate_saml (Boolean) (defaults to: false)

    if true set CASValidateSAML On

  • enable_monitor (Boolean) (defaults to: true)

    if true, add an icinga check to make sure the site correctly redirects unauthenticated requests

  • protected_uri (String[1]) (defaults to: '/')

    The protected URI endpoint which is validated if `enable_monitor` is set. default: '/'

  • required_groups (Optional[Array[String[1]]]) (defaults to: [])

    An array of LDAP groups allowed to access this resource

  • acme_chief_cert (Optional[String[1]]) (defaults to: undef)

    the name of the acme chief certificate to use

  • vhost_settings (Optional[Hash[String,Any]]) (defaults to: {})

    Allows passing settings to the vhost config which are unrelated to the IDP setup

  • proxied_as_https (Boolean) (defaults to: false)

    if true, set the CASRootProxiedAs address to https://$title

  • attribute_prefix (String[1]) (defaults to: 'X-CAS-')
  • cookie_scope (String[1]) (defaults to: $protected_uri)
  • environment (Enum['staging', 'production']) (defaults to: 'production')


# File 'modules/profile/manifests/idp/client/httpd/site.pp', line 18

# Configure one CAS-protected Apache vhost (httpd::site) on a host that
# includes profile::idp::client::httpd. The host-wide CAS client settings
# (apereo_cas URLs, apache owner/group, certificate and cookie paths) are read
# from that class; everything site-specific comes from the parameters below.
#
# The hashes assembled in this body ($ssl_settings, $cas_settings,
# $cas_auth_settings) and $vhost_settings are not referenced by any resource
# here. They are presumably read by the ERB template named in $vhost_content,
# which template() evaluates in this define's scope — so these variable names
# are effectively part of the interface; rename with care. TODO confirm
# against the templates that use this define.
define profile::idp::client::httpd::site (
    # ERB template name handed to template() for the vhost body.
    String[1]                     $vhost_content,
    Stdlib::Host                  $virtual_host      = $title,
    Stdlib::Unixpath              $document_root    = '/var/www',
    Array[Stdlib::Host]           $server_aliases   = [],
    String[1]                     $authn_header     = 'CAS-User',
    String[1]                     $attribute_prefix = 'X-CAS-',
    Boolean                       $debug            = false,
    Integer[1,99]                 $priority         = 50,
    Boolean                       $validate_saml    = false,
    Boolean                       $enable_monitor   = true,
    # URI checked by the icinga redirect test; also the default cookie scope.
    String[1]                     $protected_uri    = '/',
    String[1]                     $cookie_scope     = $protected_uri,
    Boolean                       $proxied_as_https = false,
    # Selects which login/validate URL pair is taken from $apereo_cas.
    Enum['staging', 'production'] $environment      = 'production',
    # Not used in this body; presumably consumed by the vhost template.
    Optional[Hash[String,Any]]    $vhost_settings   = {},
    # Optional, so a caller may pass undef as well as an empty array.
    Optional[Array[String[1]]]    $required_groups  = [],
    Optional[String[1]]           $acme_chief_cert  = undef,
) {
    # Shared CAS client configuration for the whole host.
    include profile::idp::client::httpd
    $apereo_cas        = $profile::idp::client::httpd::apereo_cas
    $apache_owner      = $profile::idp::client::httpd::apache_owner
    $apache_group      = $profile::idp::client::httpd::apache_group
    $certificate_path  = $profile::idp::client::httpd::certificate_path
    # Each site gets its own cookie store directory below the class-wide path.
    $cookie_path       = "${profile::idp::client::httpd::cookie_path}/${title}/"
    # Return value of ssl_ciphersuite() is not inspected here; presumably
    # interpolated by the template — TODO confirm.
    $ssl_settings      = ssl_ciphersuite('apache', 'strong', true)
    # External https URL to report to mod_auth_cas, or undef (directive
    # omitted) when the site is not proxied as https.
    $proxied_as = $proxied_as_https ? {
        true    => "https://${title}",
        default => undef,
    }
    # mod_auth_cas directives, keyed by directive name. The login and
    # validation URLs are picked per $environment from the apereo_cas hash.
    $cas_settings = {
        'CASLoginURL'        => $apereo_cas[$environment]['login_url'],
        'CASValidateURL'     => $apereo_cas[$environment]['validate_url'],
        'CASDebug'           => $debug ? { true => 'On', default => 'Off' },
        'CASRootProxiedAs'   => $proxied_as,
        # CAS protocol version 2.
        'CASVersion'         => 2,
        'CASCertificatePath' => $certificate_path,
        'CASCookiePath'      => $cookie_path,
        'CASAttributePrefix' => $attribute_prefix,
        'CASValidateSAML'    => $validate_saml ? { true => 'On', default => 'Off' },
    }

    # Authorization: with no groups configured any authenticated CAS user is
    # allowed ('valid-user'); otherwise one 'cas-attribute memberOf:<group>'
    # Require entry per LDAP group.
    # NOTE(review): $required_groups is Optional, so undef can reach .empty
    # here — confirm empty(undef) is treated as "no groups" on the Puppet
    # version in use, or callers passing undef will fail at compile time.
    $cas_auth_require = $required_groups.empty? {
        true    => ['valid-user' ],
        default => $required_groups.map |$group| { "cas-attribute memberOf:${group}" },
    }
    $cas_auth_settings = {
        'AuthType'       => 'CAS',
        'CASAuthNHeader' => $authn_header,
        'CASScope'       => $cookie_scope,
        'Require'        => $cas_auth_require,
    }
    # Cookie store for this site, owned by the apache user so mod_auth_cas
    # can write to it.
    # NOTE(review): no mode is set, so the directory keeps the default
    # permissions. This directory holds information about the authentication
    # cookies mod_auth_cas issues; consider restricting it (for example 0750)
    # if other local users must not read it — confirm with the owners of
    # profile::idp::client::httpd before changing.
    file{$cookie_path:
        ensure => directory,
        owner  => $apache_owner,
        group  => $apache_group,
    }

    # Several sites may share one acme-chief certificate, so only declare it
    # if nothing has done so yet. defined() is parse-order dependent: the
    # guard only helps when the other declaration was evaluated before this
    # define; a later unguarded declaration still raises a duplicate error.
    if $acme_chief_cert and !defined(Acme_chief::Cert[$acme_chief_cert]) {
        acme_chief::cert { $acme_chief_cert:
            puppet_svc => 'apache2',
        }
    }

    # The vhost body is rendered from $vhost_content in this scope; the
    # $ssl_settings, $cas_settings, $cas_auth_settings and $vhost_settings
    # variables above are expected to be referenced by that template.
    httpd::site {$title:
        content  => template($vhost_content),
        priority => $priority,
    }

    # Icinga check that an unauthenticated request to $protected_uri on this
    # site is redirected to SSO rather than served.
    if $enable_monitor {
        monitoring::service {"https-${title}-unauthorized":
            description   => "${title} requires authentication",
            check_command => "check_https_sso_redirect!${title}!${protected_uri}",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
    }
}