Defined Type: profile::idp::client::httpd::site

Defined in:
modules/profile/manifests/idp/client/httpd/site.pp

Summary

private define used to configure an apache vhost using mod_auth_cas

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • vhost_content (String[1])

    an erb template file to use for the apache vhost configuration

  • virtual_host (Stdlib::Host) (defaults to: $title)

    FQDN of vhost

  • server_aliases (Array[Stdlib::Host]) (defaults to: [])

    an array of additional server aliases

  • document_root (Stdlib::Unixpath) (defaults to: '/var/www')

    the document root to configure for the apache vhost

  • cookie_scope (String[1]) (defaults to: $protected_uri)

    The location where cas stores information relating to authentication cookies issued

  • authn_header (String[1]) (defaults to: 'CAS-User')

    The prefix to use when adding CAS or SAML attributes to the HTTP headers

  • attribute_prefix (String[1]) (defaults to: 'X-CAS-')

    string to use as a prefix for header attribute mapping

  • debug (Boolean) (defaults to: false)

    Enable cas debug

  • priority (Integer[1,99]) (defaults to: 50)

    the priority of the vhost site. default: 99

  • validate_saml (Boolean) (defaults to: false)

    if true set CASValidateSAML On

  • enable_monitor (Boolean) (defaults to: true)

    if true, add an icinga check to make sure the site correctly redirects

  • protected_uri (String[1]) (defaults to: '/')

    The protected URI endpoint which is validated if “enable_monitor” is set. default: '/'

  • required_groups (Array[String[1]]) (defaults to: [])

    An array of LDAP groups allowed to access this resource

  • vhost_settings (Hash[String,Any]) (defaults to: {})

    Allows passing settings to the vhost config which are unrelated to the IDP setup

  • proxied_as_https (Boolean) (defaults to: false)

    if true set the proxied_as address to https://${title}

  • attribute_delimiter (String[1,1]) (defaults to: ':')

    delimiter to use when mapping lists

  • environment (Enum['staging', 'production']) (defaults to: 'production')

    either production or staging environment

  • enable_slo (Boolean) (defaults to: true)

    enable the Single Logout (SLO) endpoint; CAS calls this endpoint when someone logs out of the SSO session

  • cookie_same_site (Wmflib::HTTP::SameSite) (defaults to: 'Lax')

    Specify the value for the 'SameSite=' parameter in the Set-Cookie header. Allowed values are 'None', 'Lax', and 'Strict'.

  • cookie_secure (Enum['Auto', 'On', 'Off']) (defaults to: 'On')

    Set the optional 'Secure' attribute for cookies issued by mod_auth_cas, as described in RFC 6265. This flag prevents the mod_auth_cas cookies from being sent over an unencrypted HTTP connection. By default, mod_auth_cas sets the 'Secure' attribute depending on information about the connection (the 'Auto' option). The options 'On' and 'Off' can be used to override the automatic behaviour.

  • acme_chief_cert (Optional[String[1]]) (defaults to: undef)

    the name of the acme chief certificate to use



# File 'modules/profile/manifests/idp/client/httpd/site.pp', line 31

# Configure one Apache vhost protected by mod_auth_cas.
#
# Shared settings (per-environment CAS endpoints, apache owner/group,
# certificate path, base cookie path) come from profile::idp::client::httpd,
# which is included below. The vhost configuration itself is rendered from
# the ERB template named in $vhost_content; the local variables defined here
# ($cas_settings, $cas_auth_settings, $ssl_settings, ...) are presumably what
# that template reads, so renaming any of them is not a local change — confirm
# against the template before touching them.
define profile::idp::client::httpd::site (
    String[1]                     $vhost_content,
    Stdlib::Host                  $virtual_host         = $title,
    Stdlib::Unixpath              $document_root       = '/var/www',
    Array[Stdlib::Host]           $server_aliases      = [],
    String[1]                     $authn_header        = 'CAS-User',
    String[1]                     $attribute_prefix    = 'X-CAS-',
    Boolean                       $debug               = false,
    Integer[1,99]                 $priority            = 50,
    Boolean                       $validate_saml       = false,
    Boolean                       $enable_monitor      = true,
    String[1]                     $protected_uri       = '/',
    String[1]                     $cookie_scope        = $protected_uri,
    Boolean                       $proxied_as_https    = false,
    String[1,1]                   $attribute_delimiter = ':',
    Enum['staging', 'production'] $environment         = 'production',
    Boolean                       $enable_slo          = true,
    Wmflib::HTTP::SameSite        $cookie_same_site    = 'Lax',
    Enum['Auto', 'On', 'Off']     $cookie_secure       = 'On',
    Hash[String,Any]              $vhost_settings      = {},
    Array[String[1]]              $required_groups     = [],
    Optional[String[1]]           $acme_chief_cert     = undef,
) {
    include profile::idp::client::httpd
    # Shared CAS/apache settings owned by the parent profile.
    $apereo_cas        = $profile::idp::client::httpd::apereo_cas
    $apache_owner      = $profile::idp::client::httpd::apache_owner
    $apache_group      = $profile::idp::client::httpd::apache_group
    $certificate_path  = $profile::idp::client::httpd::certificate_path
    # Each site gets its own cookie directory under the shared cookie path.
    $cookie_path       = "${profile::idp::client::httpd::cookie_path}/${title}/"
    # Not referenced again in this define; presumably consumed by the vhost
    # template — confirm.
    $ssl_settings      = ssl_ciphersuite('apache', 'strong', true)
    # CASRootProxiedAs is https://<title> only when proxied_as_https is set,
    # otherwise the directive is left unset (undef).
    $proxied_as = $proxied_as_https ? {
        true    => "https://${title}",
        default => undef,
    }
    # SAML validation selects the 'validate_url_saml' entry of the
    # per-environment CAS settings instead of 'validate_url'.
    $validate_url_key = $validate_saml.bool2str('validate_url_saml', 'validate_url')
    $validate_url = $apereo_cas[$environment][$validate_url_key]
    # mod_auth_cas directives (directive name => value) for this vhost.
    $cas_settings = {
        'CASLoginURL'           => $apereo_cas[$environment]['login_url'],
        'CASValidateURL'        => $validate_url,
        'CASDebug'              => $debug.bool2str('On', 'Off'),
        'CASRootProxiedAs'      => $proxied_as,
        'CASVersion'            => 2,
        'CASCertificatePath'    => $certificate_path,
        'CASCookiePath'         => $cookie_path,
        'CASAttributePrefix'    => $attribute_prefix,
        'CASAttributeDelimiter' => $attribute_delimiter,
        'CASValidateSAML'       => $validate_saml.bool2str('On', 'Off'),
        'CASSSOEnabled'         => $enable_slo.bool2str('On', 'Off'),
        'CASCookieSameSite'     => $cookie_same_site,
        'CASCookieSecure'       => $cookie_secure,
    }

    # Authorization: with no groups configured, any CAS-authenticated user is
    # allowed in ('valid-user'); otherwise one Require entry per LDAP group.
    # How several entries combine (any-of vs all-of) depends on how the
    # template emits them — confirm against the template.
    $cas_auth_require = $required_groups.empty? {
        true    => ['valid-user' ],
        default => $required_groups.map |$group| { "cas-attribute memberOf:${group}" },
    }
    # Authentication directives for the protected location.
    $cas_auth_settings = {
        'AuthType'       => 'CAS',
        'CASAuthNHeader' => $authn_header,
        'CASScope'       => $cookie_scope,
        'Require'        => $cas_auth_require,
    }
    # Directory handed to mod_auth_cas as CASCookiePath. NOTE(review): no mode
    # is set here, so permissions depend on the existing directory / umask —
    # confirm it is not readable by other local users.
    file{$cookie_path:
        ensure => directory,
        owner  => $apache_owner,
        group  => $apache_group,
    }

    # Several sites may share one certificate; the defined() guard avoids a
    # duplicate resource declaration.
    if $acme_chief_cert and !defined(Acme_chief::Cert[$acme_chief_cert]) {
        acme_chief::cert { $acme_chief_cert:
            puppet_svc => 'apache2',
        }
    }

    # The vhost file is rendered entirely from the caller-supplied template.
    httpd::site {$title:
        content  => template($vhost_content),
        priority => $priority,
    }

    # Redirect check: an unauthenticated request to $protected_uri must be
    # redirected (check_https_sso_redirect); expiry check: TLS certificate on
    # port 443.
    if $enable_monitor {
        monitoring::service {"https-${title}-unauthorized":
            description   => "${title} requires authentication",
            check_command => "check_https_sso_redirect!${title}!${protected_uri}",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
        monitoring::service {"https-${title}-expiry":
            description   => "${title} tls expiry",
            check_command => "check_https_expiry!${title}!443",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
    }
}