
Support openid authentication

Whether to thwart spam or to make pads more private, add support for a very
simple auth mechanism using mod_auth_openid.

Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
changes/21/422921/1
Clark Boylan 2 years ago
parent
commit
9816851524
2 changed files with 48 additions and 0 deletions
  1. 28
    0
      manifests/apache.pp
  2. 20
    0
      templates/etherpadlite.vhost.erb

+ 28
- 0
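--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -10,6 +10,21 @@ class etherpad_lite::apache (
   $ssl_key_file            = '',
   $ssl_key_file_contents   = '', # If left empty puppet will not create file.
   $vhost_name              = $::fqdn,
+  # Table containing openid auth details. If undef not enabled
+  # Example dict:
+  # {
+  #   banner         => "Welcome",
+  #   singleIdp      => "https://openstackid.org",
+  #   trusted        => '^https://openstackid.org/.*$',
+  #   any_valid_user => false,
+  #   users          => ['https://openstackid.org/foo',
+  #                      'https://openstackid.org/bar'],
+  # }
+  # Note that if you care which users get access set any_valid_user to false
+  # and then provide an explicit list of openids in the users list. Otherwise
+  # set any_valid_user to true and any successfully authenticated user will
+  # get access.
+  $auth_openid             = undef,
 ) {
 
   package { 'ssl-cert':
@@ -40,6 +55,19 @@ class etherpad_lite::apache (
       ensure => present,
     }
   }
+  if ($auth_openid != undef) {
+    if !defined(Package['libapache2-mod-auth-openid']) {
+      package { 'libapache2-mod-auth-openid':
+        ensure => present,
+      }
+    }
+    if !defined(Mod['auth_openid']) {
+      httpd::mod { 'auth_openid':
+        ensure  => present,
+        require => Package['libapache2-mod-auth-openid'],
+      }
+    }
+  }
 
   file { '/etc/apache2':
     ensure => directory,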
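Review bot: The example `trusted` pattern in the new parameter comment leaves the dots in the hostname unescaped, so each `.` matches any character and the documented regex is looser than it reads; `'^https://openstackid\.org/.*$'` is the form people should copy. The comment also does not say that the vhost template reads `banner`, `singleIdp` and `trusted` unconditionally, so a hash missing one of them renders a directive with an empty argument. A line such as `# All keys are required; with any_valid_user false, users must be non-empty.` would make the contract explicit. The class body continues outside both hunks.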

+ 20
- 0
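--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
@@ -38,6 +38,26 @@
   # MSIE 7 and newer should be able to use keepalive
   BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
+  <% if @auth_openid != nil %>
+  <Location /p/>
+      AuthType OpenID
+      AuthName "<%= @auth_openid['banner'] %>"
+      AuthOpenIDSecureCookie On
+      AuthOpenIDCookieLifespan 3600
+      AuthOpenIDTrustRoot <%= @vhost_name %>
+      AuthOpenIDServerName <%= @vhost_name %>
+      AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
+      AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
+      <% if @auth_openid['any_valid_user'] %>
+      Require valid-user
+      <% elsif !@auth_openid['users'].empty? %>
+      <% @auth_openid['users'].each do |user| -%>
+      Require user <%= user %>
+      <% end -%>
+      <% end %>
+  </Location>
+  <% end %>
+
   <IfModule mod_proxy.c>
       # The following redirects "nice" urls such as https://etherpad.example.org/padname
       # to https://etherpad.example.org/p/padname. It was problematic directly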
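Review bot: With `any_valid_user` false and `users` empty, neither branch of the `if`/`elsif` inside `<Location /p/>` emits a `Require` line, so the block sets `AuthType OpenID` with no authorization requirement and the pads are presumably served without any login. A hash with no `users` key fails differently, because `.empty?` is then called on nil and the template raises. Adding a final branch before the closing `<% end %>`, `<% else %>` followed by `Require all denied` (Apache 2.4 syntax), would make that misconfiguration fail closed. Only `/p/` is covered by this Location, so it is worth confirming that no other proxied path of the vhost exposes pad content. The enclosing virtual host block starts and ends outside this section.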
