Merge branch 'sec_tracker_sso'

1e36109d · Levente Polyak · 8a1bfa64 · 1a4a742e · 1e36109d · 1e36109d
Verified Commit 1e36109d authored 2 years ago by Levente Polyak
--- a/group_vars/all/vault_security_tracker.yml
+++ b/group_vars/all/vault_security_tracker.yml
 $ANSIBLE_VAULT;1.1;AES256
-62386537326331346332353038653137616430366531626637653762636135353232653835333831
-6431393138396537373937663963646365313464326565380a386266316266316463663163343434
-62333165643134663564366136633238613238373636353033303136653662343465326665616239
-3161326364306430350a343138653566363464333366353131383430336431363964613831303561
-34636163313064643830336665386635396231646533356163623938323165626236336633393863
-63313338316639333033393239336131306231346237353934393838323861646264656361346533
-32363864663436613333373130383462656134386632636337376539323562366137313762623433
-34663561626265626165383736656566353135336630656638373139353238636262313035366265
-61653965636331626162323539353635626337313830616634323236656463316331
+62336563323762646634643633386665333866653263363636326665396132653433336635366439
+6138343537306135663332306465643337333733613530390a353331666236633437666237383536
+39373036373963633234663234386164373663366530323963363732393061333562363636303431
+6530353331613734330a343065366162346263396262316133323362656234343036623861626164
+32316337666433386162656534376533383064666365303261393534306134643831666265656637
+33353239623830323039343237303164316636636431346361336437333037356635363461366434
+36326365313663363939393565663535396130383961303763303461303961636639623136623039
+31646630613161633835613636613339303038633961383930623165646366396361343933396464
+38623937623633326463303734623738663535393332356361646136313331656135383639623866
+37386332653964323636333063323439653436386436383263316465313262633532393839636633
+65346336346264343730323330633333336366633065336230316234386661373235356330346339
+61353835646665396363336232633733626661336361623364623433303065383131373062663965
+34353033396636343165373061653834653862343962373630636630373164646139
--- a/roles/security_tracker/defaults/main.yml
+++ b/roles/security_tracker/defaults/main.yml
 ---
-security_tracker_version: "780b05c5d7d47b3f298f801df6cbe16a56746379"
+security_tracker_version: "8ce112b697b81a6df5a3f8c8650344549a124614"
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -16,7 +16,8 @@
      - git
      - make
      - python
-      - python-sqlalchemy1.3
+      - python-authlib
+      - python-sqlalchemy
      - python-sqlalchemy-continuum
      - python-flask
      - python-flask-sqlalchemy
@@ -29,6 +30,7 @@
      - python-feedgen
      - python-pytz
      - python-email-validator
+      - python-markupsafe
      - pyalpm
      - sqlite
      - expac
@@ -102,7 +104,7 @@
 - name: deploy new release
  become: true
  become_user: security
-  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
+  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
  when: release.changed

 - name: start and enable security-tracker timer

--- a/roles/security_tracker/templates/20-user.local.conf.j2
+++ b/roles/security_tracker/templates/20-user.local.conf.j2
 [flask]
 secret_key = '{{ vault_security_tracker.secret_key }}'
+
+[sso]
+enabled = yes
+metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
+client_id = openid_security_tracker
+client_secret = {{ vault_security_tracker_openid_client_secret }}
+administrator_group = /Arch Linux Staff/Security Team/Admins
+security_team_group = /Arch Linux Staff/Security Team/Members
+reporter_group = /External Contributors/Security Team/Reporters
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -46,6 +46,12 @@ data "external" "vault_matrix" {
  "--format", "json"]
 }

+data "external" "vault_security_tracker" {
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
+    "vault_security_tracker_openid_client_secret",
+  "--format", "json"]
+}
+
 provider "keycloak" {
  client_id = "admin-cli"
  username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
@@ -855,3 +861,27 @@ resource "keycloak_openid_client" "gluebuddy_openid_client" {
    "https://gitlab.archlinux.org/"
  ]
 }
+
+resource "keycloak_openid_client" "security_tracker_openid_client" {
+  realm_id      = "archlinux"
+  client_id     = "openid_security_tracker"
+  client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
+
+  name    = "Security Tracker"
+  enabled = true
+
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  valid_redirect_uris   = [
+    "https://security.archlinux.org/*",
+  ]
+  web_origins           = []
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
+  realm_id  = "archlinux"
+  client_id = keycloak_openid_client.security_tracker_openid_client.id
+  name      = "group-membership-mapper"
+
+  claim_name = "groups"
+}