Add support for Mellon auth (directly copied from Bhanu Prasad's changes here: OSC#135)

Author: dmf24

README.md

@@ -121,6 +121,19 @@ openondemand::oidc_settings:
   OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
 ```
 
+Setup OnDemand to authenticate with SAML using apache Mellon. Puppet creates a script `/usr/local/bin/mellon_ood_metadata.sh` to generate certs and relevant metadata files. This script needs to be run (once) manually.
+
+```yaml
+openondemand::servername: ondemand.osc.edu
+openondemand::auth_type: 'mellon'
+openondemand::auth_configs:
+  - 'Require valid-user'
+openondemand::mellon_config:
+  MellonEndpointPath: '/mellon'
+  MellonEnable: 'auth'
+  MellonIdPMetadataFile: '/etc/httpd/mellon/idpmetadata.xml'
+```
+
 Configure OnDemand via git repo that contains app configs, locales, public, and annoucement files
 
 ```yaml

REFERENCE.md

@@ -71,12 +71,14 @@ The following parameters are available in the `openondemand` class:
 * [`ondemand_package_ensure`](#-openondemand--ondemand_package_ensure)
 * [`ondemand_dex_package_ensure`](#-openondemand--ondemand_dex_package_ensure)
 * [`mod_auth_openidc_ensure`](#-openondemand--mod_auth_openidc_ensure)
+* [`mod_auth_mellon_ensure`](#-openondemand--mod_auth_mellon_ensure)
 * [`install_apps`](#-openondemand--install_apps)
 * [`declare_apache`](#-openondemand--declare_apache)
 * [`apache_user`](#-openondemand--apache_user)
 * [`generator_insecure`](#-openondemand--generator_insecure)
 * [`listen_addr_port`](#-openondemand--listen_addr_port)
 * [`servername`](#-openondemand--servername)
+* [`proxy_server`](#-openondemand--proxy_server)
 * [`server_aliases`](#-openondemand--server_aliases)
 * [`ssl`](#-openondemand--ssl)
 * [`disable_logs`](#-openondemand--disable_logs)
@@ -132,6 +134,7 @@ The following parameters are available in the `openondemand` class:
 * [`oidc_settings`](#-openondemand--oidc_settings)
 * [`dex_uri`](#-openondemand--dex_uri)
 * [`dex_config`](#-openondemand--dex_config)
+* [`mellon_config`](#-openondemand--mellon_config)
 * [`web_directory`](#-openondemand--web_directory)
 * [`nginx_log_group`](#-openondemand--nginx_log_group)
 * [`nginx_stage_clean_cron_schedule`](#-openondemand--nginx_stage_clean_cron_schedule)
@@ -304,6 +307,14 @@ mod_auth_openidc package ensure
 
 Default value: `'present'`
 
+##### <a name="-openondemand--mod_auth_mellon_ensure"></a>`mod_auth_mellon_ensure`
+
+Data type: `String`
+
+mod_auth_mellon package ensure
+
+Default value: `'present'`
+
 ##### <a name="-openondemand--install_apps"></a>`install_apps`
 
 Data type: `Hash`
@@ -354,6 +365,14 @@ ood_portal.yml servername
 
 Default value: `undef`
 
+##### <a name="-openondemand--proxy_server"></a>`proxy_server`
+
+Data type: `Optional[String]`
+
+ood_portal.yml proxy_server
+
+Default value: ``undef``
+
 ##### <a name="-openondemand--server_aliases"></a>`server_aliases`
 
 Data type: `Optional[Array]`
@@ -794,6 +813,14 @@ Dex configuration Hash
 
 Default value: `{}`
 
+##### <a name="-openondemand--mellon_config"></a>`mellon_config`
+
+Data type: `Hash`
+
+Mellon configuration Hash for Overwrite
+
+Default value: `{}`
+
 ##### <a name="-openondemand--web_directory"></a>`web_directory`
 
 Data type: `Stdlib::Absolutepath`
@@ -1149,7 +1176,7 @@ Manage Open OnDemand dev app
 
 #### Examples
 
-##### 
+#####
 
 ```puppet
 openondemand::app::dev { 'user1': }
@@ -1221,7 +1248,7 @@ Manage Open OnDemand user app
 
 #### Examples
 
-##### 
+#####
 
 ```puppet
 openondemand::app::usr { 'user1':
@@ -1946,7 +1973,7 @@ Manage Open OnDemand app
 
 #### Examples
 
-##### 
+#####
 
 ```puppet
 openondemand::install::app { 'bc_osc_foo':

manifests/apache.pp

@@ -45,20 +45,28 @@
   include apache::mod::proxy_http
   include apache::mod::proxy_connect
   include apache::mod::proxy_wstunnel
-  if $openondemand::auth_type == 'CAS' {
-    include apache::mod::auth_cas
-  }
   apache::mod { 'lua': }
   include apache::mod::headers
   include apache::mod::rewrite
 
-  if $openondemand::auth_type in ['dex','openid-connect'] {
-    apache::mod { 'auth_openidc':
-      package        => $openidc_package,
-      package_ensure => $openondemand::mod_auth_openidc_ensure,
+  case $openondemand::auth_type {
+    'CAS': {
+      include ::apache::mod::auth_cas
+    }
+    '(dex|openid-connect)': {
+      ::apache::mod { 'auth_openidc':
+        package        => "${package_prefix}mod_auth_openidc",
+        package_ensure => $openondemand::mod_auth_openidc_ensure,
+      }
     }
+    'mellon': {
+      ::apache::mod { 'auth_mellon':
+        package        => "${package_prefix}mod_auth_mellon",
+        package_ensure => $openondemand::mod_auth_openidc_ensure,
+      }
+    }
+    default: {}
   }
-
   systemd::dropin_file { 'ood.conf':
     unit    => "${apache::service_name}.service",
     content => join([

manifests/config.pp

@@ -301,6 +301,16 @@
     }
   }
 
+  # deploy script to generate mellon metadata
+  if $openondemand::auth_type == 'mellon' {
+    file { '/usr/local/bin/mellon_ood_metadata.sh':
+      content => template('openondemand/generate_ood_mellon_metadata.sh.erb'),
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+    }
+  }
+
   file { '/etc/ood/config/nginx_stage.yml':
     ensure  => 'file',
     owner   => 'root',

manifests/init.pp

@@ -32,6 +32,8 @@
 #   ondemand-dex package ensure
 # @param mod_auth_openidc_ensure
 #   mod_auth_openidc package ensure
+# @param mod_auth_mellon_ensure
+#   mod_auth_mellon package ensure
 # @param install_apps
 #   Hash of apps to install, passed to ondemand::install::app
 # @param declare_apache
@@ -46,6 +48,8 @@
 #   ood_portal.yml listen_addr_port
 # @param servername
 #   ood_portal.yml servername
+# @param proxy_server
+#   ood_portal.yml proxy_server
 # @param server_aliases
 #   ood_porta.yml server_aliases
 # @param ssl
@@ -156,6 +160,8 @@
 #   Dex URI if put behind Apache reverse proxy
 # @param dex_config
 #   Dex configuration Hash
+# @param mellon_config
+#   Additional Mellon override config for apache
 # @param web_directory
 #   Path to main web directory for OnDemand
 # @param nginx_log_group
@@ -268,6 +274,7 @@
   String $ondemand_package_ensure                 = 'present',
   String $ondemand_dex_package_ensure             = 'present',
   String $mod_auth_openidc_ensure                 = 'present',
+  String $mod_auth_mellon_ensure                  = 'present',
   Hash $install_apps                              = {},
 
   # Apache
@@ -278,6 +285,7 @@
   Boolean $generator_insecure = false,
   Variant[Array, String, Undef] $listen_addr_port = undef,
   Optional[String] $servername = undef,
+  Optional[String] $proxy_server = undef,
   Optional[Array] $server_aliases = undef,
   Optional[Array] $ssl = undef,
   Boolean $disable_logs = false,
@@ -297,7 +305,7 @@
   Optional[String] $user_map_cmd  = undef,
   Optional[String] $user_env = undef,
   Optional[String] $map_fail_uri = undef,
-  Variant[Enum['CAS', 'openid-connect', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
+  Variant[Enum['CAS', 'openid-connect', 'mellon', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
   Optional[Array] $auth_configs = undef,
   Array $custom_vhost_directives = [],
   Array $custom_location_directives = [],
@@ -338,6 +346,19 @@
   Variant[String[1],Boolean] $dex_uri = '/dex',
   Openondemand::Dex_config $dex_config = {},
 
+  # Mellon Configs
+  Optional[Hash] $mellon_default_config = {
+    'MellonSPPrivateKeyFile' => '/etc/httpd/mellon/mellon.key',
+    'MellonSPCertFile' => '/etc/httpd/mellon/mellon.cer',
+    'MellonSPMetadataFile' => '/etc/httpd/mellon/mellon_metadata.xml',
+    'MellonIdPMetadataFile' => '/etc/httpd/mellon/idp_metadata.xml',
+    'MellonEnable' => 'auth',
+    'MellonEndpointPath' => '/mellon',
+  },
+  Optional[Hash] $mellon_config = {}
+  # Merge default config with updated configs
+  Optional[Hash] $mellon_merged_config = merge($mellon_default_config, $mellon_config)
+
   # Misc configs
   Stdlib::Absolutepath $web_directory = '/var/www/ood',
   String $nginx_log_group = 'ondemand-nginx',
@@ -445,11 +466,11 @@
 
   if $ssl {
     $port = '443'
-    $listen_ports = ['443', '80']
+    $listen_ports = pick($listen_addr_port, ['443', '80'])
     $protocol = 'https'
   } else {
     $port = '80'
-    $listen_ports = ['80']
+    $listen_ports = pick($listen_addr_port, ['80'])
     $protocol = 'http'
   }
 
@@ -510,6 +531,7 @@
   $ood_portal_config = {
     'listen_addr_port'                 => $listen_ports,
     'servername'                       => $servername,
+    'proxy_server'                     => $proxy_server,
     'server_aliases'                   => $server_aliases,
     'port'                             => $port,
     'ssl'                              => $ssl,

templates/auth_mellon_conf.erb

@@ -0,0 +1,8 @@
+<Location ~ "^/(?!public)">
+<% scope['openondemand::auth'].each do |k| -%>
+  <%= k %>
+<% end %>
+<% scope['openondemand::mellon_merged_config'].each do |k,v| -%>
+  <%= k %> <%= v %>
+<% end %>
+</Location>

templates/generate_ood_mellon_metadata.sh.erb

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+MELLON_DIR="<%= scope['apache::params::httpd_dir'] -%>/mellon"
+
+[ -d ${MELLON_DIR} ] || mkdir ${MELLON_DIR}
+
+pushd $MELLON_DIR
+<% if scope['openondemand::proxy_server'] -%>
+export mellon_endpoint="https://<%= scope['openondemand::proxy_server'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% else -%>
+export mellon_endpoint="https://<%= scope['openondemand::servername'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% end -%>
+<%= scope['apache::params::httpd_root'] %>/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
+
+mv *mellon_metadata.cert ./mellon.cert
+mv *mellon_metadata.key ./mellon.key
+mv *mellon_metadata.xml ./mellon_metadata.xml
+
+openssl pkcs12 -export -inkey ./mellon.key -in ./mellon.cert -out ./mellon.pfx -passout pass:
+
+popd
+echo "Mellon files are generated at ${MELLON_DIR}"