Verified Commit 1e36109d authored by Levente Polyak's avatar Levente Polyak :rocket:

Merge branch 'sec_tracker_sso'

parents 8a1bfa64 1a4a742e
1 merge request: !545 Prepare Security Tracker SSO configuration
Pipeline #16936 failed
$ANSIBLE_VAULT;1.1;AES256
62386537326331346332353038653137616430366531626637653762636135353232653835333831
6431393138396537373937663963646365313464326565380a386266316266316463663163343434
62333165643134663564366136633238613238373636353033303136653662343465326665616239
3161326364306430350a343138653566363464333366353131383430336431363964613831303561
34636163313064643830336665386635396231646533356163623938323165626236336633393863
63313338316639333033393239336131306231346237353934393838323861646264656361346533
32363864663436613333373130383462656134386632636337376539323562366137313762623433
34663561626265626165383736656566353135336630656638373139353238636262313035366265
61653965636331626162323539353635626337313830616634323236656463316331
62336563323762646634643633386665333866653263363636326665396132653433336635366439
6138343537306135663332306465643337333733613530390a353331666236633437666237383536
39373036373963633234663234386164373663366530323963363732393061333562363636303431
6530353331613734330a343065366162346263396262316133323362656234343036623861626164
32316337666433386162656534376533383064666365303261393534306134643831666265656637
33353239623830323039343237303164316636636431346361336437333037356635363461366434
36326365313663363939393565663535396130383961303763303461303961636639623136623039
31646630613161633835613636613339303038633961383930623165646366396361343933396464
38623937623633326463303734623738663535393332356361646136313331656135383639623866
37386332653964323636333063323439653436386436383263316465313262633532393839636633
65346336346264343730323330633333336366633065336230316234386661373235356330346339
61353835646665396363336232633733626661336361623364623433303065383131373062663965
34353033396636343165373061653834653862343962373630636630373164646139
---
security_tracker_version: "780b05c5d7d47b3f298f801df6cbe16a56746379"
security_tracker_version: "8ce112b697b81a6df5a3f8c8650344549a124614"
......@@ -16,7 +16,8 @@
- git
- make
- python
- python-sqlalchemy1.3
- python-authlib
- python-sqlalchemy
- python-sqlalchemy-continuum
- python-flask
- python-flask-sqlalchemy
......@@ -29,6 +30,7 @@
- python-feedgen
- python-pytz
- python-email-validator
- python-markupsafe
- pyalpm
- sqlite
- expac
......@@ -102,7 +104,7 @@
- name: deploy new release
become: true
become_user: security
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
when: release.changed
- name: start and enable security-tracker timer
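Review bot: The reason the vassal file is touched on every release is not recorded in the task, so a later maintainer could drop it as a no-op; the hunk only changes the owner/group from root to security/http, which the `become_user: security` two lines above presumably requires, since an unprivileged user cannot chown a file to root. I would add above the `file:` line `# touching the vassal config is what makes the uwsgi emperor reload the tracker after a release` — confirm that this is in fact the reload mechanism relied on here. The file stays 0644 world-readable, which is acceptable only as long as the uwsgi vassal ini carries uwsgi settings and not the application secrets rendered from the separate config template in this merge.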
......
[flask]
secret_key = '{{ vault_security_tracker.secret_key }}'
[sso]
enabled = yes
metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
client_id = openid_security_tracker
client_secret = {{ vault_security_tracker_openid_client_secret }}
administrator_group = /Arch Linux Staff/Security Team/Admins
security_team_group = /Arch Linux Staff/Security Team/Members
reporter_group = /External Contributors/Security Team/Reporters
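Review bot: The new `[sso]` keys are written unquoted while the existing `secret_key` directly above is wrapped in single quotes, and which form is correct depends on the parser the tracker uses: Python configparser keeps the quotes as literal characters, whereas Win32/PHP-style readers strip them, so one convention should be used for both secrets and the template should say which parser it targets. If the consumer is configparser with its default interpolation, a `%` inside the vaulted client secret would raise at read time, so either render it as `{{ vault_security_tracker_openid_client_secret | replace('%', '%%') }}` or read the file with interpolation disabled. This file now holds both the Flask secret and the OIDC client secret; the task that renders the template is not in this hunk, so confirm it uses a restrictive owner and mode rather than the 0644 applied to the uwsgi vassal file. `enabled = yes` is fine only if the application's boolean parsing accepts `yes`; `true` would be the safer spelling if that is not certain.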
......@@ -46,6 +46,12 @@ data "external" "vault_matrix" {
"--format", "json"]
}
data "external" "vault_security_tracker" {
program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
"vault_security_tracker_openid_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
......@@ -855,3 +861,27 @@ resource "keycloak_openid_client" "gluebuddy_openid_client" {
"https://gitlab.archlinux.org/"
]
}
resource "keycloak_openid_client" "security_tracker_openid_client" {
realm_id = "archlinux"
client_id = "openid_security_tracker"
client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
name = "Security Tracker"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://security.archlinux.org/*",
]
web_origins = []
}
resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
realm_id = "archlinux"
client_id = keycloak_openid_client.security_tracker_openid_client.id
name = "group-membership-mapper"
claim_name = "groups"
}
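Review bot: `valid_redirect_uris` on the new `security_tracker_openid_client` accepts any path under `https://security.archlinux.org/*`, which lets Keycloak deliver an authorization code to any page on that host (for example one with an open redirect or reflected content) instead of only the tracker's OIDC callback; narrow it to the exact callback route the tracker registers, `valid_redirect_uris = ["https://security.archlinux.org/<callback path>"]`, taking the path from the application's authlib setup. The resource also relies on provider defaults for `implicit_flow_enabled` and `direct_access_grants_enabled`; setting both to `false` explicitly makes the intended grant surface visible, and `pkce_code_challenge_method = "S256"` is worth enabling if the authlib client sends a code challenge. The client secret arrives through the `external` data source added in the first hunk and will therefore sit in plaintext in Terraform state, matching the existing `vault_keycloak`/`vault_matrix` pattern but worth a comment so state is handled as secret material.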