Add support for OIDC

Highly inspried by @abompard 's work on bodhi.

Signed-off-by: Ryan Lerch <[email protected]>

devel/ansible/playbook.yml

@@ -2,7 +2,11 @@
 - hosts: all
   become: true
   become_method: sudo
-  vars:
+  vars_files:
+    - vars.yml
   roles:
     - core
+    - ipa-client
+    - cert
+    - oidc-register
     - dev

devel/ansible/roles/cert/defaults/main.yml

@@ -0,0 +1,3 @@
+krb_service: HTTP
+cert_hostname: "{{ ansible_fqdn }}"
+cert_basename: server

devel/ansible/roles/cert/tasks/main.yml

@@ -0,0 +1,26 @@
+
+
+- name: Generate and get SSL cert
+  shell: ipa-getcert request -f /etc/pki/tls/certs/{{ cert_basename }}.pem -k /etc/pki/tls/private/{{ cert_basename }}.key -K {{ krb_service }}/{{ cert_hostname }} -N {{ cert_hostname }}
+  args:
+    creates: /etc/pki/tls/certs/{{ cert_basename }}.pem
+
+- name: Check the cert is there
+  wait_for:
+    path: /etc/pki/tls/certs/{{ cert_basename }}.pem
+    state: present
+
+- name: Check the key is there
+  wait_for:
+    path: /etc/pki/tls/private/{{ cert_basename }}.key
+    state: present
+
+- name: Change file ownership, group and permissions
+  ansible.builtin.file:
+    path: /etc/pki/tls/certs/{{ cert_basename }}.pem
+    mode: '0644'
+
+- name: Change file ownership, group and permissions
+  ansible.builtin.file:
+    path: /etc/pki/tls/private/{{ cert_basename }}.key
+    mode: '0644'

devel/ansible/roles/dev/files/development.ini

@@ -1,7 +1,51 @@
+# Begin logging configuration
+
+[loggers]
+keys = root, tahrir, sqlalchemy
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_tahrir]
+level = DEBUG
+handlers =
+qualname = tahrir
+
+[logger_sqlalchemy]
+level = INFO
+handlers =
+qualname = sqlalchemy.engine
+# "level = INFO" logs SQL queries.
+# "level = DEBUG" logs SQL queries and results.
+# "level = WARN" logs neither.  (Recommended for production systems.)
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
+
+# End logging configuration
+
+
+
 [server:main]
-use = egg:pyramid#wsgiref
+use = egg:gunicorn
 host = 0.0.0.0
-port = 8000
+port = 443
+certfile= /etc/pki/tls/certs/server.pem
+keyfile= /etc/pki/tls/private/server.key
+
 
 [pipeline:main]
 pipeline =
@@ -28,9 +72,9 @@ tahrir.admin = [email protected], [email protected], [email protected], oddsho
 tahrir.title = Fedora Badges
 tahrir.pngs.uri = %(here)s/data/pngs
 tahrir.base_url = http://localhost:8000
-tahrir.openid_identifier = https://id.fedoraproject.org/
-tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?id\.fedoraproject\.org(/)?$
-tahrir.openid_realm = http://localhost:8000
+#tahrir.openid_identifier = https://id.fedoraproject.org/
+#tahrir.trusted_openid = ^http(s)?:\/\/([a-zA-Z0-9]+\.)?id\.fedoraproject\.org(/)?$
+#tahrir.openid_realm = http://localhost:8000
 tahrir.secure_cookies = False
 tahrir.httponly_cookies = False
 tahrir.allow_changenick = True
@@ -40,7 +84,7 @@ tahrir.openbadges_modal = True
 tahrir.display_tags = account,event
 tahrir.secret_config_path = /home/vagrant/secret.ini
 
-tahrir.sitedocs_dir = %(here)s/fedora-sitedocs
+tahrir.sitedocs_dir = %(here)s/tahrir/fedora-sitedocs
 
 tahrir.social.twitter = True
 tahrir.social.twitter_user_text = Check out all these #fedorabadges :trophy:
@@ -57,42 +101,4 @@ tahrir.use_openid_email = False
 # Specify a python module name that contains static/{css,js,img} dirs.
 # By default, tahrir's own static/ folder contents are used.
 #tahrir.theme_name = tahrir
-
-# Begin logging configuration
-
-[loggers]
-keys = root, tahrir, sqlalchemy
-
-[handlers]
-keys = console
-
-[formatters]
-keys = generic
-
-[logger_root]
-level = INFO
-handlers = console
-
-[logger_tahrir]
-level = DEBUG
-handlers =
-qualname = tahrir
-
-[logger_sqlalchemy]
-level = INFO
-handlers =
-qualname = sqlalchemy.engine
-# "level = INFO" logs SQL queries.
-# "level = DEBUG" logs SQL queries and results.
-# "level = WARN" logs neither.  (Recommended for production systems.)
-
-[handler_console]
-class = StreamHandler
-args = (sys.stderr,)
-level = NOTSET
-formatter = generic
-
-[formatter_generic]
-format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s
-
-# End logging configuration
+oidc.fedora.server_metadata_url = https://ipsilon.tinystage.test/idp/openidc/.well-known/openid-configuration

devel/ansible/roles/dev/files/tahrir.service

@@ -5,6 +5,7 @@ Wants=network-online.target
 
 [Service]
 AmbientCapabilities = CAP_NET_BIND_SERVICE
+Environment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
 User=vagrant
 WorkingDirectory=/home/vagrant/tahrir
 ExecStart=poetry run pserve --reload /home/vagrant/development.ini

devel/ansible/roles/dev/tasks/main.yml

@@ -15,6 +15,28 @@
     group: vagrant
 
 
+- name: read client_secrets.json
+  register: client_secrets_json
+  ansible.builtin.slurp:
+    path: /home/vagrant/client_secrets.json
+
+- name: extract stuff from client_secrets.json
+  set_fact:
+    client_secrets: "{{ client_secrets_json.content |b64decode | from_json }}"
+
+- name: Update development.ini
+  lineinfile:
+    dest: /home/vagrant/development.ini
+    line: "oidc.fedora.client_id = {{client_secrets.web.client_id}}"
+    owner: vagrant
+
+- name: Update development.ini
+  lineinfile:
+    dest: /home/vagrant/development.ini
+    line: "oidc.fedora.client_secret = {{client_secrets.web.client_secret}}"
+    owner: vagrant
+
+
 - name: copy the secret.ini file
   copy:
     src: secret.ini

devel/ansible/roles/ipa-client/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Install RPM packages
+  dnf:
+    name:
+      - ipa-client
+    state: present
+
+- name: Enroll system as IPA client
+  shell: |
+    ipa-client-install \
+      --hostname {{ ansible_fqdn }} \
+      --domain {{ ansible_domain }} \
+      --realm {{ ansible_domain | upper }} \
+      --server ipa.{{ ansible_domain }} \
+      -p {{ ipa_admin_user }} \
+      -w {{ ipa_admin_password }} \
+      -U -N --force-join
+  args:
+    creates: /etc/ipa/default.conf

devel/ansible/roles/oidc-register/defaults/main.yml

@@ -0,0 +1,4 @@
+ipsilon_hostname: ipsilon.tinystage.test
+redirect_path: "oidc/authorize"
+redirect_url: https://{{ ansible_fqdn }}/{{ redirect_path }}
+dest: /home/vagrant/client_secrets.json

devel/ansible/roles/oidc-register/tasks/main.yml

@@ -0,0 +1,54 @@
+- name: Install RPM packages
+  dnf:
+    name:
+      - python3-pip
+      - python3-devel
+    state: present
+
+- name: Determine Python version
+  command:
+    argv:
+      - python3
+      - -c
+      - "from sys import version_info as vi; print(f'{vi[0]}.{vi[1]}')"
+  register: _python3_version_result
+  changed_when: False
+
+- name: Prepare the facts dir
+  file:
+    path: /etc/ansible/facts.d
+    state: directory
+
+- name: Set Python version fact
+  ini_file:
+    path: /etc/ansible/facts.d/python.fact
+    section: py3
+    option: version
+    value: "{{ _python3_version_result.stdout | trim }}"
+  register: fact_ini
+
+- name: Re-read facts after adding custom fact
+  ansible.builtin.setup:
+    filter: ansible_local
+  when: fact_ini.changed
+
+- name: install oidc_register with pip
+  pip:
+    name: oidc-register
+
+# not sure of how to do this another way, but without this, oidc_register fails
+- name: Get the content of the CA cert
+  slurp:
+    src: /etc/ipa/ca.crt
+  register: ca_crt
+- name: Put tinystage root CA in the list of CA's for httplib2
+  blockinfile:
+    block: "{{ ca_crt.content | b64decode }}"
+    path: /usr/local/lib/python{{ ansible_local["python"]["py3"]["version"] }}/site-packages/httplib2/cacerts.txt
+
+- name: register the application with oidc-register
+  shell:
+    cmd: oidc-register --debug --output-file {{ dest }} https://{{ ipsilon_hostname }}/idp/openidc/ {{ redirect_url }}
+    creates: "{{ dest }}"
+  become: yes
+  become_user: vagrant

devel/ansible/vars.yml

@@ -0,0 +1,3 @@
+---
+ipa_admin_user: admin
+ipa_admin_password: password