
Commit 3cabb49

Add support for Mellon auth (directly copied from Bhanu Prasad's changes here: OSC#135)
1 parent 48390b5 commit 3cabb49

7 files changed

+124
-14
lines changed

README.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -121,6 +121,19 @@ openondemand::oidc_settings:
121121
OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
122122
```
123123
124+
Setup OnDemand to authenticate with SAML using apache Mellon. Puppet creates a script `/usr/local/bin/mellon_ood_metadata.sh` to generate certs and relevant metadata files. This script needs to be run (once) manually.
125+
126+
```yaml
127+
openondemand::servername: ondemand.osc.edu
128+
openondemand::auth_type: 'mellon'
129+
openondemand::auth_configs:
130+
- 'Require valid-user'
131+
openondemand::mellon_config:
132+
MellonEndpointPath: '/mellon'
133+
MellonEnable: 'auth'
134+
MellonIdPMetadataFile: '/etc/httpd/mellon/idpmetadata.xml'
135+
```
136+
124137
Configure OnDemand via git repo that contains app configs, locales, public, and annoucement files
125138

126139
```yaml
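Review bot: the README example and the defaults added in manifests/init.pp disagree on the IdP metadata filename: the example sets `MellonIdPMetadataFile: '/etc/httpd/mellon/idpmetadata.xml'` while the init.pp default is `/etc/httpd/mellon/idp_metadata.xml`. Pick one spelling so a reader who copies the example does not silently override the default with a path that may not exist. The paragraph should also say that the script only generates the SP key, certificate and SP metadata; the IdP metadata file must be obtained from the identity provider and placed at `MellonIdPMetadataFile` by the admin, and the script has to be run before Apache is (re)started, otherwise mod_auth_mellon will fail to load the key and cert files the defaults point at. While editing this section, the unchanged context line still reads "annoucement files" (should be "announcement").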

REFERENCE.md

Lines changed: 30 additions & 3 deletions
@@ -71,12 +71,14 @@ The following parameters are available in the `openondemand` class:
7171
* [`ondemand_package_ensure`](#-openondemand--ondemand_package_ensure)
7272
* [`ondemand_dex_package_ensure`](#-openondemand--ondemand_dex_package_ensure)
7373
* [`mod_auth_openidc_ensure`](#-openondemand--mod_auth_openidc_ensure)
74+
* [`mod_auth_mellon_ensure`](#-openondemand--mod_auth_mellon_ensure)
7475
* [`install_apps`](#-openondemand--install_apps)
7576
* [`declare_apache`](#-openondemand--declare_apache)
7677
* [`apache_user`](#-openondemand--apache_user)
7778
* [`generator_insecure`](#-openondemand--generator_insecure)
7879
* [`listen_addr_port`](#-openondemand--listen_addr_port)
7980
* [`servername`](#-openondemand--servername)
81+
* [`proxy_server`](#-openondemand--proxy_server)
8082
* [`server_aliases`](#-openondemand--server_aliases)
8183
* [`ssl`](#-openondemand--ssl)
8284
* [`disable_logs`](#-openondemand--disable_logs)
@@ -132,6 +134,7 @@ The following parameters are available in the `openondemand` class:
132134
* [`oidc_settings`](#-openondemand--oidc_settings)
133135
* [`dex_uri`](#-openondemand--dex_uri)
134136
* [`dex_config`](#-openondemand--dex_config)
137+
* [`mellon_config`](#-openondemand--mellon_config)
135138
* [`web_directory`](#-openondemand--web_directory)
136139
* [`nginx_log_group`](#-openondemand--nginx_log_group)
137140
* [`nginx_stage_clean_cron_schedule`](#-openondemand--nginx_stage_clean_cron_schedule)
@@ -304,6 +307,14 @@ mod_auth_openidc package ensure
304307

305308
Default value: `'present'`
306309

310+
##### <a name="-openondemand--mod_auth_mellon_ensure"></a>`mod_auth_mellon_ensure`
311+
312+
Data type: `String`
313+
314+
mod_auth_mellon package ensure
315+
316+
Default value: `'present'`
317+
307318
##### <a name="-openondemand--install_apps"></a>`install_apps`
308319

309320
Data type: `Hash`
@@ -354,6 +365,14 @@ ood_portal.yml servername
354365

355366
Default value: `undef`
356367

368+
##### <a name="-openondemand--proxy_server"></a>`proxy_server`
369+
370+
Data type: `Optional[String]`
371+
372+
ood_portal.yml proxy_server
373+
374+
Default value: ``undef``
375+
357376
##### <a name="-openondemand--server_aliases"></a>`server_aliases`
358377

359378
Data type: `Optional[Array]`
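Review bot: the description "ood_portal.yml proxy_server" does not tell the reader what this value is used for beyond the portal config. In templates/generate_ood_mellon_metadata.sh.erb it takes precedence over `servername` when building the SP endpoint URL (`https://<proxy_server><MellonEndpointPath>`), so it becomes part of the SAML entity ID that is registered with the IdP. Document that it must be the externally visible hostname when OnDemand sits behind a reverse proxy, and that changing it later requires re-generating and re-registering the SP metadata. Also note this parameter is not Mellon-specific and arguably belongs in its own commit, as the commit message only mentions Mellon support.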
@@ -794,6 +813,14 @@ Dex configuration Hash
794813

795814
Default value: `{}`
796815

816+
##### <a name="-openondemand--mellon_config"></a>`mellon_config`
817+
818+
Data type: `Hash`
819+
820+
Mellon configuration Hash for Overwrite
821+
822+
Default value: `{}`
823+
797824
##### <a name="-openondemand--web_directory"></a>`web_directory`
798825

799826
Data type: `Stdlib::Absolutepath`
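Review bot: REFERENCE.md is generated by puppet-strings, yet the two additional class parameters introduced in manifests/init.pp (`mellon_default_config` and `mellon_merged_config`) are missing here, which means the file was edited by hand or the strings run was done against an earlier version. Those two should not be class parameters at all (see the init.pp hunk); once they are moved into the class body, regenerate this file. The description "Mellon configuration Hash for Overwrite" is also unclear; something like "Mellon directives merged over `mellon_default_config`; keys given here override the defaults" says what the merge actually does.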
@@ -1149,7 +1176,7 @@ Manage Open OnDemand dev app
11491176

11501177
#### Examples
11511178

1152-
#####
1179+
#####
11531180

11541181
```puppet
11551182
openondemand::app::dev { 'user1': }
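Review bot: this hunk and the two following ones at lines 1221 and 1946 only strip trailing whitespace from the empty `#####` example headings; they are puppet-strings regeneration noise that carries no information about the Mellon change. Either commit the regeneration separately or leave the headings as they were so the diff stays reviewable.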
@@ -1221,7 +1248,7 @@ Manage Open OnDemand user app
12211248

12221249
#### Examples
12231250

1224-
#####
1251+
#####
12251252

12261253
```puppet
12271254
openondemand::app::usr { 'user1':
@@ -1946,7 +1973,7 @@ Manage Open OnDemand app
19461973

19471974
#### Examples
19481975

1949-
#####
1976+
#####
19501977

19511978
```puppet
19521979
openondemand::install::app { 'bc_osc_foo':

manifests/apache.pp

Lines changed: 16 additions & 8 deletions
@@ -45,20 +45,28 @@
4545
include apache::mod::proxy_http
4646
include apache::mod::proxy_connect
4747
include apache::mod::proxy_wstunnel
48-
if $openondemand::auth_type == 'CAS' {
49-
include apache::mod::auth_cas
50-
}
5148
apache::mod { 'lua': }
5249
include apache::mod::headers
5350
include apache::mod::rewrite
5451

55-
if $openondemand::auth_type in ['dex','openid-connect'] {
56-
apache::mod { 'auth_openidc':
57-
package => $openidc_package,
58-
package_ensure => $openondemand::mod_auth_openidc_ensure,
52+
case $openondemand::auth_type {
53+
'CAS': {
54+
include ::apache::mod::auth_cas
55+
}
56+
'(dex|openid-connect)': {
57+
::apache::mod { 'auth_openidc':
58+
package => "${package_prefix}mod_auth_openidc",
59+
package_ensure => $openondemand::mod_auth_openidc_ensure,
60+
}
5961
}
62+
'mellon': {
63+
::apache::mod { 'auth_mellon':
64+
package => "${package_prefix}mod_auth_mellon",
65+
package_ensure => $openondemand::mod_auth_openidc_ensure,
66+
}
67+
}
68+
default: {}
6069
}
61-
6270
systemd::dropin_file { 'ood.conf':
6371
unit => "${apache::service_name}.service",
6472
content => join([
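Review bot: the `'(dex|openid-connect)':` case option is a regression: in a Puppet `case` statement a quoted string is compared literally, so `$openondemand::auth_type` would have to be the eleven-character string `(dex|openid-connect)` to match, and `mod_auth_openidc` is no longer installed for either `dex` or `openid-connect`. Use a regex literal (`/^(dex|openid-connect)$/: {`) or, clearer, a value list (`'dex', 'openid-connect': {`). Two further problems in the same hunk: the `mellon` branch passes `package_ensure => $openondemand::mod_auth_openidc_ensure` although this commit adds a dedicated `mod_auth_mellon_ensure` parameter, so the new parameter is dead and the two packages cannot be pinned independently; and the package name now uses `${package_prefix}` where the removed lines used `$openidc_package`, so confirm that `$package_prefix` is actually defined in this class. Minor: the rest of the file uses `include apache::mod::...` without the leading `::`, so the new `::apache::mod` lines are inconsistent with the surrounding style.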

manifests/config.pp

Lines changed: 10 additions & 0 deletions
@@ -301,6 +301,16 @@
301301
}
302302
}
303303

304+
# deploy script to generate mellon metadata
305+
if $openondemand::auth_type == 'mellon' {
306+
file { '/usr/local/bin/mellon_ood_metadata.sh':
307+
content => template('openondemand/generate_ood_mellon_metadata.sh.erb'),
308+
owner => 'root',
309+
group => 'root',
310+
mode => '0755',
311+
}
312+
}
313+
304314
file { '/etc/ood/config/nginx_stage.yml':
305315
ensure => 'file',
306316
owner => 'root',
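Review bot: the directory the script writes into (`<httpd_dir>/mellon`, holding the SP private key) is not managed here, and the script itself only does a bare `mkdir`. Add a `file { "${apache::params::httpd_dir}/mellon": ensure => 'directory', owner => 'root', group => 'root', mode => '0750' }` resource next to the script so the key material is never left in a world-readable directory, and so the path exists with known ownership regardless of who runs the script. The Mellon defaults in manifests/init.pp also hard-code `/etc/httpd/mellon` while this script derives the directory from `apache::params::httpd_dir`; derive both from the same source so they cannot drift on non-RedHat layouts.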

manifests/init.pp

Lines changed: 25 additions & 3 deletions
@@ -32,6 +32,8 @@
3232
# ondemand-dex package ensure
3333
# @param mod_auth_openidc_ensure
3434
# mod_auth_openidc package ensure
35+
# @param mod_auth_mellon_ensure
36+
# mod_auth_mellon package ensure
3537
# @param install_apps
3638
# Hash of apps to install, passed to ondemand::install::app
3739
# @param declare_apache
@@ -46,6 +48,8 @@
4648
# ood_portal.yml listen_addr_port
4749
# @param servername
4850
# ood_portal.yml servername
51+
# @param proxy_server
52+
# ood_portal.yml proxy_server
4953
# @param server_aliases
5054
# ood_porta.yml server_aliases
5155
# @param ssl
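Review bot: the `proxy_server` docstring should explain the security-relevant consequence visible in the metadata script: when set, it replaces `servername` in the SP endpoint URL and therefore in the SAML entity ID registered with the IdP. The unchanged context line just below still reads "ood_porta.yml server_aliases" (missing the `l`); worth fixing while in this block.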
@@ -156,6 +160,8 @@
156160
# Dex URI if put behind Apache reverse proxy
157161
# @param dex_config
158162
# Dex configuration Hash
163+
# @param mellon_config
164+
# Additional Mellon override config for apache
159165
# @param web_directory
160166
# Path to main web directory for OnDemand
161167
# @param nginx_log_group
@@ -268,6 +274,7 @@
268274
String $ondemand_package_ensure = 'present',
269275
String $ondemand_dex_package_ensure = 'present',
270276
String $mod_auth_openidc_ensure = 'present',
277+
String $mod_auth_mellon_ensure = 'present',
271278
Hash $install_apps = {},
272279

273280
# Apache
@@ -278,6 +285,7 @@
278285
Boolean $generator_insecure = false,
279286
Variant[Array, String, Undef] $listen_addr_port = undef,
280287
Optional[String] $servername = undef,
288+
Optional[String] $proxy_server = undef,
281289
Optional[Array] $server_aliases = undef,
282290
Optional[Array] $ssl = undef,
283291
Boolean $disable_logs = false,
@@ -297,7 +305,7 @@
297305
Optional[String] $user_map_cmd = undef,
298306
Optional[String] $user_env = undef,
299307
Optional[String] $map_fail_uri = undef,
300-
Variant[Enum['CAS', 'openid-connect', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
308+
Variant[Enum['CAS', 'openid-connect', 'mellon', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
301309
Optional[Array] $auth_configs = undef,
302310
Array $custom_vhost_directives = [],
303311
Array $custom_location_directives = [],
@@ -338,6 +346,19 @@
338346
Variant[String[1],Boolean] $dex_uri = '/dex',
339347
Openondemand::Dex_config $dex_config = {},
340348

349+
# Mellon Configs
350+
Optional[Hash] $mellon_default_config = {
351+
'MellonSPPrivateKeyFile' => '/etc/httpd/mellon/mellon.key',
352+
'MellonSPCertFile' => '/etc/httpd/mellon/mellon.cer',
353+
'MellonSPMetadataFile' => '/etc/httpd/mellon/mellon_metadata.xml',
354+
'MellonIdPMetadataFile' => '/etc/httpd/mellon/idp_metadata.xml',
355+
'MellonEnable' => 'auth',
356+
'MellonEndpointPath' => '/mellon',
357+
},
358+
Optional[Hash] $mellon_config = {}
359+
# Merge default config with updated configs
360+
Optional[Hash] $mellon_merged_config = merge($mellon_default_config, $mellon_config)
361+
341362
# Misc configs
342363
Stdlib::Absolutepath $web_directory = '/var/www/ood',
343364
String $nginx_log_group = 'ondemand-nginx',
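Review bot: this hunk does not parse: there is no comma after `Optional[Hash] $mellon_config = {}`, so the class fails to compile as soon as the `$mellon_merged_config` line follows it. Beyond the syntax, `$mellon_merged_config` (and `$mellon_default_config`) should not be class parameters: exposing the merged result as a parameter lets a caller bypass the merge entirely, and computing a parameter default from another parameter is fragile. Move the merge into the class body, e.g. `$mellon_merged_config = $mellon_default_config + $mellon_config` (the `+` operator gives the same right-hand-wins semantics as stdlib `merge`), and keep only `$mellon_config` (as plain `Hash`, since `{}` is never undef) in the parameter list. Two of the default paths also do not match the rest of the commit: `MellonSPCertFile` points at `mellon.cer` but the generator script renames the certificate to `mellon.cert`, so Apache will fail to start after running the script as documented; and `MellonIdPMetadataFile` is `idp_metadata.xml` here but `idpmetadata.xml` in the README example.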
@@ -445,11 +466,11 @@
445466

446467
if $ssl {
447468
$port = '443'
448-
$listen_ports = ['443', '80']
469+
$listen_ports = pick($listen_addr_port, ['443', '80'])
449470
$protocol = 'https'
450471
} else {
451472
$port = '80'
452-
$listen_ports = ['80']
473+
$listen_ports = pick($listen_addr_port, ['80'])
453474
$protocol = 'http'
454475
}
455476

@@ -510,6 +531,7 @@
510531
$ood_portal_config = {
511532
'listen_addr_port' => $listen_ports,
512533
'servername' => $servername,
534+
'proxy_server' => $proxy_server,
513535
'server_aliases' => $server_aliases,
514536
'port' => $port,
515537
'ssl' => $ssl,

templates/auth_mellon_conf.erb

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
<Location ~ "^/(?!public)">
2+
<% scope['openondemand::auth'].each do |k| -%>
3+
<%= k %>
4+
<% end %>
5+
<% scope['openondemand::mellon_merged_config'].each do |k,v| -%>
6+
<%= k %> <%= v %>
7+
<% end %>
8+
</Location>
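Review bot: nothing in this commit references templates/auth_mellon_conf.erb, so as written it is dead: no `file`, `apache::vhost` or `custom_location_directives` entry renders it, and the Mellon directives never reach the vhost. Either wire it in, or drop the template and let `ood_portal.yml` carry the directives through the existing `auth_configs` list (the README example already puts `Require valid-user` there), which keeps one code path for every `auth_type`. If the template stays: it reads `scope['openondemand::auth']`, a variable this diff does not introduce, so confirm it is populated for `auth_type` `mellon`; and the `<%= k %> <%= v %>` line emits values unquoted, so any directive value containing whitespace produces a broken Apache config. Quote values (`<%= k %> "<%= v %>"`) or document that values must not contain spaces.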
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
#!/usr/bin/env bash
2+
3+
MELLON_DIR="<%= scope['apache::params::httpd_dir'] -%>/mellon"
4+
5+
[ -d ${MELLON_DIR} ] || mkdir ${MELLON_DIR}
6+
7+
pushd $MELLON_DIR
8+
<% if scope['openondemand::proxy_server'] -%>
9+
export mellon_endpoint="https://<%= scope['openondemand::proxy_server'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
10+
<% else -%>
11+
export mellon_endpoint="https://<%= scope['openondemand::servername'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
12+
<% end -%>
13+
<%= scope['apache::params::httpd_root'] %>/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
14+
15+
mv *mellon_metadata.cert ./mellon.cert
16+
mv *mellon_metadata.key ./mellon.key
17+
mv *mellon_metadata.xml ./mellon_metadata.xml
18+
19+
openssl pkcs12 -export -inkey ./mellon.key -in ./mellon.cert -out ./mellon.pfx -passout pass:
20+
21+
popd
22+
echo "Mellon files are generated at ${MELLON_DIR}"
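Review bot: the certificate is renamed to `mellon.cert` while the defaults added in manifests/init.pp reference `mellon.cer` (`MellonSPCertFile`), so following the README literally leaves Apache unable to start; align the two names. Several hardening points for a script that generates and leaves an SP private key on disk: it has no `set -euo pipefail`, so a failed `pushd` or a failed `mellon_create_metadata.sh` still lets the `mv` and `openssl` lines run against stale or missing files; it does not set a restrictive umask, so unless `mellon_create_metadata.sh` does, `mellon.key` is created with the caller's default permissions (add `umask 077` at the top and `chmod 0600 mellon.key` after the rename); and the final `openssl pkcs12 -export ... -passout pass:` writes a second copy of the private key as an unprotected PKCS#12 bundle whose purpose is not explained anywhere in the commit. Drop the `.pfx`, or document why it is needed and protect it. Two correctness issues: the `mellon_create_metadata.sh` invocation is prefixed with `<%= scope['apache::params::httpd_root'] %>`, which on RedHat expands to `/etc/httpd/usr/libexec/...`; the RPM installs the helper at `/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh`, so that prefix should go unless `httpd_root` is known to be empty or `/`. And the endpoint is hard-coded to `https://` while manifests/init.pp already derives `$protocol` from `$ssl`; use `scope['openondemand::protocol']` so the SP entity ID matches the scheme the portal actually serves. Finally, this hunk's file header was lost on the page; manifests/config.pp references it as `templates/generate_ood_mellon_metadata.sh.erb`.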
