Support openid authentication

Whether to thwart spam or to make pads more private, add support for a very
simple auth mechanism using mod_auth_openid.

Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
Clark Boylan 2016-11-14 17:51:05 -08:00
parent cbe2ba8724
commit 9816851524
2 changed files with 48 additions and 0 deletions


@ -10,6 +10,21 @@ class etherpad_lite::apache (
$ssl_key_file = '',
$ssl_key_file_contents = '', # If left empty puppet will not create file.
$vhost_name = $::fqdn,
# Table containing openid auth details. If undef not enabled
# Example dict:
# {
# banner => "Welcome",
# singleIdp => "https://openstackid.org",
# trusted => '^https://openstackid.org/.*$',
# any_valid_user => false,
# users => ['https://openstackid.org/foo',
# 'https://openstackid.org/bar'],
# }
# Note that if you care which users get access set any_valid_user to false
# and then provide an explicit list of openids in the users list. Otherwise
# set any_valid_user to true and any successfully authenticated user will
# get access.
$auth_openid = undef,
) {
package { 'ssl-cert':
@ -40,6 +55,19 @@ class etherpad_lite::apache (
ensure => present,
}
}
if ($auth_openid != undef) {
if !defined(Package['libapache2-mod-auth-openid']) {
package { 'libapache2-mod-auth-openid':
ensure => present,
}
}
if !defined(Mod['auth_openid']) {
httpd::mod { 'auth_openid':
ensure => present,
require => Package['libapache2-mod-auth-openid'],
}
}
}
file { '/etc/apache2':
ensure => directory,
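Review bot: The example value `trusted => '^https://openstackid.org/.*$'` in the parameter comment leaves the dots in the host name unescaped, so as a regular expression it also matches other host names (a constructed one: `openstackidXorg`). Operators tend to copy such examples verbatim, so I would document it as `trusted => '^https://openstackid\.org/.*$'`. The comment should also say which keys are required, since nothing in the manifest checks the hash before the template reads `banner`, `singleIdp`, `trusted` and `users` from it. In the second hunk the guard tests `Mod['auth_openid']` while the resource declared is `httpd::mod`, so the guard looks like it never matches; `Httpd::Mod['auth_openid']` would be the matching reference, though the same pattern may already be in use above the hunk.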


@ -38,6 +38,26 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<% if @auth_openid != nil %>
<Location /p/>
AuthType OpenID
AuthName "<%= @auth_openid['banner'] %>"
AuthOpenIDSecureCookie On
AuthOpenIDCookieLifespan 3600
AuthOpenIDTrustRoot <%= @vhost_name %>
AuthOpenIDServerName <%= @vhost_name %>
AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
<% if @auth_openid['any_valid_user'] %>
Require valid-user
<% elsif !@auth_openid['users'].empty? %>
<% @auth_openid['users'].each do |user| -%>
Require user <%= user %>
<% end -%>
<% end %>
</Location>
<% end %>
<IfModule mod_proxy.c>
# The following redirects "nice" urls such as https://etherpad.example.org/padname
# to https://etherpad.example.org/p/padname. It was problematic directly
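Review bot: The `<Location /p/>` block renders with no `Require` line at all when `any_valid_user` is false and `users` is empty, so a configuration meant to restrict pads to a list ends up with `AuthType OpenID` and no authorization rule. Whether requests are then allowed depends on what the enclosing vhost grants, which is outside the hunk. A hash without a `users` key fails differently, because `@auth_openid['users'].empty?` is called on nil. I would test `Array(@auth_openid['users']).empty?` and add a final branch that aborts rendering, `<% else %>` followed by `<% raise Puppet::ParseError, 'auth_openid: set any_valid_user or provide a non-empty users list' %>`, so the mistake is caught at catalog compile time instead of being deployed. The block also covers only `/p/`; if the rest of the vhost proxies Etherpad's socket or API paths, those stay outside this authentication and the comment on `$auth_openid` should say so.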