authorClark Boylan <clark.boylan@gmail.com>2016-11-14 17:51:05 -0800
committerClark Boylan <clark.boylan@gmail.com>2016-11-15 14:05:18 -0800
commit981685152423b563f51ffd0e72f4b200228d6530 (patch)
tree81c306a675e3e101c0679f65b27fc9caee2da712
parentcbe2ba87241e719c0b49487db45605d630c04032 (diff)
Support openid authentication
Whether to thwart spam or to make pads more private, add support for a very simple auth mechanism using mod_auth_openid. Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
Notes
Notes (review): Code-Review+2: Jeremy Stanley <fungi@yuggoth.org> Code-Review+2: Paul Belanger <pabelanger@redhat.com> Workflow+1: Clark Boylan <cboylan@sapwetik.org> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 06 Jan 2017 17:23:43 +0000 Reviewed-on: https://review.openstack.org/397479 Project: openstack-infra/puppet-ethercalc Branch: refs/heads/master
-rw-r--r--manifests/apache.pp28
-rw-r--r--templates/etherpadlite.vhost.erb20
2 files changed, 48 insertions, 0 deletions
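--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -10,6 +10,21 @@ class etherpad_lite::apache (
 $ssl_key_file = '',
 $ssl_key_file_contents = '', # If left empty puppet will not create file.
 $vhost_name = $::fqdn,
+# Table containing openid auth details. If undef not enabled
+# Example dict:
+# {
+# banner => "Welcome",
+# singleIdp => "https://openstackid.org",
+# trusted => '^https://openstackid.org/.*$',
+# any_valid_user => false,
+# users => ['https://openstackid.org/foo',
+# 'https://openstackid.org/bar'],
+# }
+# Note that if you care which users get access set any_valid_user to false
+# and then provide an explicit list of openids in the users list. Otherwise
+# set any_valid_user to true and any successfully authenticated user will
+# get access.
+$auth_openid = undef,
 ) {
 
 package { 'ssl-cert':
@@ -40,6 +55,19 @@ class etherpad_lite::apache (
 ensure => present,
 }
 }
+if ($auth_openid != undef) {
+if !defined(Package['libapache2-mod-auth-openid']) {
+package { 'libapache2-mod-auth-openid':
+ensure => present,
+}
+}
+if !defined(Mod['auth_openid']) {
+httpd::mod { 'auth_openid':
+ensure => present,
+require => Package['libapache2-mod-auth-openid'],
+}
+}
+}
 
 file { '/etc/apache2':
 ensure => directory,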
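Review bot: The new `if ($auth_openid != undef)` block installs and enables the module but never validates the hash it documents, and the template (second file section) emits no `Require` line when `any_valid_user` is false and `users` is empty, so `/p/` ends up with `AuthType OpenID` and no authorization rule — which, depending on how mod_auth_openid hooks Apache's authn/authz phases, may leave pads unprotected rather than locked down. Failing the catalog is safer than silently deploying that configuration, e.g. inside the new block: `if ! $auth_openid['any_valid_user'] and $auth_openid['users'] == [] { fail('auth_openid: set any_valid_user => true or supply a non-empty users list') }`. The parameter comment could state the same constraint, e.g. `# One of any_valid_user => true or a non-empty users list is required.` The class `etherpad_lite::apache` continues outside both hunks.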
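--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
@@ -38,6 +38,26 @@
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
+<% if @auth_openid != nil %>
+<Location /p/>
+AuthType OpenID
+AuthName "<%= @auth_openid['banner'] %>"
+AuthOpenIDSecureCookie On
+AuthOpenIDCookieLifespan 3600
+AuthOpenIDTrustRoot <%= @vhost_name %>
+AuthOpenIDServerName <%= @vhost_name %>
+AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
+AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
+<% if @auth_openid['any_valid_user'] %>
+Require valid-user
+<% elsif !@auth_openid['users'].empty? %>
+<% @auth_openid['users'].each do |user| -%>
+Require user <%= user %>
+<% end -%>
+<% end %>
+</Location>
+<% end %>
+
 <IfModule mod_proxy.c>
 # The following redirects "nice" urls such as https://etherpad.example.org/padname
 # to https://etherpad.example.org/p/padname. It was problematic directly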
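Review bot: `AuthName "<%= @auth_openid['banner'] %>"` and the other `<%= ... %>` substitutions are written into the vhost unescaped, so a banner containing a double quote or a newline breaks or alters the Apache configuration; either escape the quoted argument, `AuthName "<%= @auth_openid['banner'].gsub('"', '\"') %>"`, or document in the manifest that these values are trusted operator-supplied data. `AuthOpenIDTrustRoot <%= @vhost_name %>` passes a bare hostname; if the directive expects a URL (the trust root presented to the provider), `AuthOpenIDTrustRoot https://<%= @vhost_name %>/` would be the intended value — worth confirming against the module's documentation. Also, `!@auth_openid['users'].empty?` raises NoMethodError at catalog compile when `any_valid_user` is false and the `users` key is absent; an explicit check with a clear failure message would be more helpful than the backtrace.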