From 58feb5f1ab2e016464cea2f13b7f1f28cb14b6b7 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 29 Nov 2023 23:45:35 +0100
Subject: nginx/auth/whawty-sso: add support for release 0.2 and revokable sessions
---
 roles/nginx/auth/whawty-sso/auth/defaults/main.yml | 11 +++++++++--
 roles/nginx/auth/whawty-sso/auth/tasks/main.yml | 15 ++++++++++++++-
 roles/nginx/auth/whawty-sso/login/defaults/main.yml | 16 ++++++++++++----
 roles/nginx/auth/whawty-sso/login/tasks/main.yml | 12 ++++++++++++
 4 files changed, 47 insertions(+), 7 deletions(-)
(limited to 'roles/nginx')
diff --git a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
index ca08addb..e42a4b44 100644
--- a/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/auth/defaults/main.yml
@@ -10,8 +10,10 @@
 # keys:
 # - name: 2023-11
 # ed25519:
-# public-key: |-
+# public-key-data: |-
 # ....
+# backend:
+# bolt: {}
 # web:
 # listen: 127.0.0.1:1234
 # foo:
@@ -24,7 +26,12 @@
 # keys:
 # - name: 2023-11
 # ed25519:
-# public-key: |-
+# public-key-data: |-
 # ....
+# backend:
+# sync:
+# base-url: http://192.0.2.1:1234
+# bolt:
+# path: /path/to/db.bolt
 # web:
 # listen: 127.0.0.1:2345
diff --git a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
index fa6048dd..5ae64b9b 100644
--- a/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
+++ b/roles/nginx/auth/whawty-sso/auth/tasks/main.yml
@@ -4,6 +4,15 @@
 path: /etc/nginx/auth/whawty-sso
 state: directory
+- name: make sure store backend directories exist
+ loop: "{{ whawty_nginx_sso_auths | dict2items | selectattr('value.config.cookie.backend.bolt', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
+ state: directory
+ mode: 0700
+
 - name: generate configuration file
 loop: "{{ whawty_nginx_sso_auths | dict2items }}"
 loop_control:
@@ -11,7 +20,11 @@
 copy:
 content: |
 # ansible generated
- {{ item.value.config | to_nice_yaml(indent=2) }}
+ {% set ssoconf = item.value.config %}
+ {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
+ {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
+ {% endif %}
+ {{ ssoconf | to_nice_yaml(indent=2) }}
 dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
 mode: 0400
 notify: restart whawty-nginx-sso
diff --git a/roles/nginx/auth/whawty-sso/login/defaults/main.yml b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
index 6f7afe04..6e6249e7 100644
--- a/roles/nginx/auth/whawty-sso/login/defaults/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/defaults/main.yml
@@ -14,17 +14,19 @@
 # keys:
 # - name: 2023-11
 # ed25519:
-# private-key: |-
+# private-key-data: |-
 # ....
+# backend:
+# bolt: {}
 # auth:
 # ldap:
 # servers:
 # - ldaps://ldap1.example.com
 # - ldaps://ldap2.example.com
+# start-tls: false
 # tls:
-# start-tls: false
 # insecure-skip-verify: false
-# ca-certificates: |-
+# ca-certificates-data: |-
 # -----BEGIN CERTIFICATE-----
 # ...
 # -----END CERTIFICATE-----
@@ -46,8 +48,11 @@
 # keys:
 # - name: 2023-11
 # ed25519:
-# private-key: |-
+# private-key-data: |-
 # ....
+# backend:
+# bolt:
+# path: /path/to/db.bolt
 # auth:
 # static:
 # autoreload: yes
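Review bot: The directory created by `make sure store backend directories exist` is given `mode: 0700` but no `owner`/`group`, so in a root-run play it ends up root-owned, and a whawty-nginx-sso daemon running under its own service account could not create the bolt session database inside it; if the daemon is not root (not visible in this hunk), add `owner:` and `group:` for that account to the `file:` arguments, and the same applies to the equivalent task in login/tasks/main.yml. The default path expression `'/var/lib/whawty/nginx-sso/'~item.key~'.bolt'` is spelled out here, again in the configuration template hunk below, and twice more in login/tasks/main.yml; hoisting it into a single role variable would keep the directory task and the generated config from silently diverging when one copy is edited. The `loop` relies on `selectattr(..., 'defined')` over a dotted path, which is fine with Ansible's undefined handling, so entries without a `bolt` backend are correctly skipped here.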
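Review bot: The added `{% if 'bolt' in ssoconf.cookie.backend and ... %}` in the `generate configuration file` template appears to raise an undefined-variable error for any auth entry whose `cookie` has no `backend` key, whereas the directory task above tolerates that case; if a config without `backend` is still meant to render, guard it as `{% if 'backend' in ssoconf.cookie and 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}`. The `.update()` call mutates `item.value.config` in place, so the injected `path` persists in the inventory variable for the rest of the play; this mirrors the existing htpasswd injection in login/tasks/main.yml, and the new bolt block added there has the same missing-`backend` guard issue. The `generate configuration file` task begins before this hunk.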
@@ -55,6 +60,9 @@
 # listen: 127.0.0.1:2345
 # login:
 # title: "foobar - Login"
+# revocations:
+# tokens:
+# - secret
 # whawty_nginx_sso_login_static_credentials__foo:
 # admin: "very-secret"
diff --git a/roles/nginx/auth/whawty-sso/login/tasks/main.yml b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
index 342c8521..e2267238 100644
--- a/roles/nginx/auth/whawty-sso/login/tasks/main.yml
+++ b/roles/nginx/auth/whawty-sso/login/tasks/main.yml
@@ -16,6 +16,15 @@
 dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
 mode: 0400
+- name: make sure store backend directories exist
+ loop: "{{ whawty_nginx_sso_logins | dict2items | selectattr('value.config.cookie.backend.bolt', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ file:
+ path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
+ state: directory
+ mode: 0700
+
 - name: generate configuration file
 loop: "{{ whawty_nginx_sso_logins | dict2items }}"
@@ -28,6 +37,9 @@
 {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
 {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
 {% endif %}
+ {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
+ {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
+ {% endif %}
 {{ ssoconf | to_nice_yaml(indent=2) }}
 dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
 mode: 0400
-- cgit v1.2.3