Defined Type: profile::idp::client::httpd::site
- Defined in:
- modules/profile/manifests/idp/client/httpd/site.pp
Overview
Parameters:
-
vhost_content
(String[1])
—
an erb template file to use for the apache vhost configuration
-
server_aliases
(Array[Stdlib::Host])
(defaults to: [])
—
an array of additional server aliases
-
document_root
(Stdlib::Unixpath)
(defaults to: '/var/www')
—
the document root to configure for the apache vhost
-
cookie_path
—
The directory in which the CAS module stores state for the authentication cookies it issues. This is not a parameter of this define: it is read from profile::idp::client::httpd and suffixed with the site title, giving each site its own cookie directory.
-
certificate_path
—
the SSL certificate path passed as CASCertificatePath. This is not a parameter of this define; it is read from profile::idp::client::httpd.
-
apereo_cas
—
hash holding the CAS login and validation URLs, keyed by environment ('staging' / 'production'). This is not a parameter of this define; it is read from profile::idp::client::httpd.
-
authn_header
(String[1])
(defaults to: 'CAS-User')
—
The prefix to use when adding CAS or SAML attributes to the HTTP headers
-
debug
(Boolean)
(defaults to: false)
—
Enable CAS debug output (sets CASDebug On). Keep disabled in production: debug logging of the CAS module may write ticket and attribute details to the Apache error log.
-
priority
(Integer[1,99])
(defaults to: 50)
—
the priority of the vhost site (1-99). default: 50
-
validate_saml
(Boolean)
(defaults to: false)
—
if true set CASValidateSAML On
-
enable_monitor
(Boolean)
(defaults to: true)
—
if true, declare an Icinga check that makes sure the site correctly redirects unauthenticated requests to the IdP (the check requests protected_uri)
-
protected_uri
(String[1])
(defaults to: '/')
—
The protected URI endpoint which is validated if 'enable_monitor' is set. default: '/'
-
required_groups
(Optional[Array[String[1]]])
(defaults to: [])
—
An array of LDAP groups allowed to access this resource (rendered as "Require cas-attribute memberOf:&lt;group&gt;"). Security note: if the array is empty (or undef), the vhost is configured with "Require valid-user", i.e. any account that can authenticate with the IdP is granted access.
-
acme_chief_cert
(Optional[String[1]])
(defaults to: undef)
—
the name of the acme chief certificate to use
-
vhost_settings
(Optional[Hash[String,Any]])
(defaults to: {})
—
Allows to pass settings to the vhost config which are unrelated to the IDP setup
-
proxied_as_https
(Boolean)
(defaults to: false)
—
if true, set CASRootProxiedAs to "https://&lt;title&gt;" (note: the resource title is used, not virtual_host); otherwise the directive value is left undef
- attribute_prefix (String[1]) (defaults to: 'X-CAS-')
- cookie_scope (String[1]) (defaults to: $protected_uri)
- environment (Enum['staging', 'production']) (defaults to: 'production')
# File 'modules/profile/manifests/idp/client/httpd/site.pp', line 18
#
# @summary Declare an Apache vhost that is protected by the CAS/SSO IdP.
#   The define assembles the CAS* Apache directives ($cas_settings and
#   $cas_auth_settings), the TLS settings and a per-site cookie directory,
#   renders the vhost from the ERB template named in $vhost_content, and
#   optionally declares an Icinga check that the protected URI still forces
#   authentication.
#
#   NOTE(review): $virtual_host, $document_root, $server_aliases,
#   $vhost_settings, $ssl_settings, $proxied_as, $cas_settings and
#   $cas_auth_settings are never referenced in this body. They are presumably
#   read by the ERB template through scope lookup, so renaming any of them
#   would silently break the rendered vhost -- confirm against the template(s).
#
# @param vhost_content    ERB template (handed to template()) used for the vhost.
# @param virtual_host     server name of the vhost; defaults to the resource title.
# @param document_root    document root of the vhost.
# @param server_aliases   additional server aliases for the vhost.
# @param authn_header     value of CASAuthNHeader, the request header carrying
#                         the authenticated user name.
# @param attribute_prefix value of CASAttributePrefix, the prefix for CAS/SAML
#                         attribute headers.
# @param debug            sets CASDebug On. Security: CAS debug output may write
#                         ticket and attribute details to the Apache error log;
#                         keep false in production.
# @param priority         httpd::site priority (1-99); default 50.
# @param validate_saml    sets CASValidateSAML On.
# @param enable_monitor   declare the Icinga "unauthorized" redirect check.
# @param protected_uri    URI the Icinga check requests; default '/'.
# @param cookie_scope     value of CASScope; defaults to $protected_uri.
# @param proxied_as_https sets CASRootProxiedAs to "https://<title>" (note: the
#                         title, not $virtual_host); otherwise undef.
# @param environment      selects the login/validate URLs from $apereo_cas.
# @param vhost_settings   extra, IdP-unrelated settings handed to the template.
# @param required_groups  LDAP groups admitted via "Require cas-attribute
#                         memberOf:<group>". Security: when empty or undef the
#                         vhost gets "Require valid-user", i.e. ANY account that
#                         can authenticate at the IdP is admitted.
# @param acme_chief_cert  name of the acme_chief::cert to declare for apache2.
define profile::idp::client::httpd::site (
    String[1]                     $vhost_content,
    Stdlib::Host                  $virtual_host     = $title,
    Stdlib::Unixpath              $document_root    = '/var/www',
    Array[Stdlib::Host]           $server_aliases   = [],
    String[1]                     $authn_header     = 'CAS-User',
    String[1]                     $attribute_prefix = 'X-CAS-',
    Boolean                       $debug            = false,
    Integer[1,99]                 $priority         = 50,
    Boolean                       $validate_saml    = false,
    Boolean                       $enable_monitor   = true,
    String[1]                     $protected_uri    = '/',
    String[1]                     $cookie_scope     = $protected_uri,
    Boolean                       $proxied_as_https = false,
    Enum['staging', 'production'] $environment      = 'production',
    Optional[Hash[String,Any]]    $vhost_settings   = {},
    Optional[Array[String[1]]]    $required_groups  = [],
    Optional[String[1]]           $acme_chief_cert  = undef,
) {
    # Shared IdP-client settings (CAS URLs, Apache owner/group, certificate and
    # cookie paths) come from the parent profile class, not from parameters of
    # this define.
    include profile::idp::client::httpd
    $apereo_cas       = $profile::idp::client::httpd::apereo_cas
    $apache_owner     = $profile::idp::client::httpd::apache_owner
    $apache_group     = $profile::idp::client::httpd::apache_group
    $certificate_path = $profile::idp::client::httpd::certificate_path
    # Every site gets its own cookie directory below the shared cookie path.
    $cookie_path      = "${profile::idp::client::httpd::cookie_path}/${title}/"
    # 'strong' cipher profile for Apache. NOTE(review): the third argument
    # presumably enables HSTS -- confirm against the ssl_ciphersuite() function.
    $ssl_settings     = ssl_ciphersuite('apache', 'strong', true)
    # CASRootProxiedAs is only needed when TLS is terminated in front of this
    # host; it is built from the resource title, not from $virtual_host. How an
    # undef value is rendered is up to the template.
    $proxied_as = $proxied_as_https ? {
        true    => "https://${title}",
        default => undef,
    }
    # CAS protocol v2. The login/validation URLs are looked up per $environment;
    # $apereo_cas must carry that key (not validated here).
    $cas_settings = {
        'CASLoginURL'        => $apereo_cas[$environment]['login_url'],
        'CASValidateURL'     => $apereo_cas[$environment]['validate_url'],
        'CASDebug'           => $debug ? { true => 'On', default => 'Off' },
        'CASRootProxiedAs'   => $proxied_as,
        'CASVersion'         => 2,
        'CASCertificatePath' => $certificate_path,
        'CASCookiePath'      => $cookie_path,
        'CASAttributePrefix' => $attribute_prefix,
        'CASValidateSAML'    => $validate_saml ? { true => 'On', default => 'Off' },
    }
    # Security: with no groups (empty or undef) access is 'valid-user', which
    # admits any account the IdP can authenticate. Group restriction only
    # happens when the caller passes $required_groups; each group becomes a
    # "cas-attribute memberOf:<group>" requirement.
    $cas_auth_require = $required_groups.empty? {
        true    => ['valid-user' ],
        default => $required_groups.map |$group| { "cas-attribute memberOf:${group}" },
    }
    $cas_auth_settings = {
        'AuthType'      => 'CAS',
        'CASAuthNHeader' => $authn_header,
        'CASScope'      => $cookie_scope,
        'Require'       => $cas_auth_require,
    }
    # Per-site cookie store, owned by the Apache user. NOTE(review): no mode is
    # set, so the directory keeps whatever mode Puppet applies by default;
    # confirm that the session files the CAS module writes here are not
    # readable by other local users.
    file{$cookie_path:
        ensure => directory,
        owner  => $apache_owner,
        group  => $apache_group,
    }
    # defined() is parse-order dependent: it only sees resources evaluated
    # before this point. It lets several sites share one acme-chief certificate
    # without a duplicate-declaration error.
    if $acme_chief_cert and !defined(Acme_chief::Cert[$acme_chief_cert]) {
        acme_chief::cert { $acme_chief_cert:
            puppet_svc => 'apache2',
        }
    }
    # The template is rendered in this define's scope, so it can read the
    # variables assembled above.
    httpd::site {$title:
        content  => template($vhost_content),
        priority => $priority,
    }
    # Alerts when the protected URI is served without forcing authentication
    # (i.e. no redirect to SSO) -- presumably what check_https_sso_redirect
    # verifies. This is the guard against a vhost that silently lost its
    # CAS protection.
    if $enable_monitor {
        monitoring::service {"https-${title}-unauthorized":
            description   => "${title} requires authentication",
            check_command => "check_https_sso_redirect!${title}!${protected_uri}",
            notes_url     => 'https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration',
        }
    }
}