Verified Commit eacdda3e authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Fix for archlinux realm

parent 5ae977a3
#!/usr/bin/env bash #!/usr/bin/env bash
curl -s https://accounts.archlinux.org/auth/realms/master/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]' curl -s https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/descriptor | xmllint --xpath '//*[local-name()="X509Certificate"]/text()' - | base64 -d | sha1sum | cut -d ' ' -f1 | sed -e 's/.\{2\}/&:/g' | sed 's/:$//' | tr '[:lower:]' '[:upper:]'
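Review bot: The pipeline on the second line has no failure handling, so if the descriptor fetch fails (mistyped realm, HTTP error, network problem) `curl -s` prints nothing or an HTML error body, xmllint yields no text, and the script still prints a well-formed fingerprint — the SHA-1 of empty input — which could be pasted into `idp_cert_fingerprint` without anyone noticing. Add `set -euo pipefail` after the shebang and fetch with `curl -fsS` so an HTTP error aborts the run instead of producing a bogus pin. It is also worth asserting that the XPath matched exactly one `X509Certificate` node; if the descriptor ever lists several certificates, the text nodes would presumably be concatenated and decoded as a single blob, giving a fingerprint that matches nothing.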
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
# 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run # 1. In order to figure out what needs to go into 'idp_cert_fingerprint', run
# one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field. # one-shots/keycloak-keyfetcher/get_fingerprint.sh and copy the resulting SHA1 fingerprint into that field.
# 2. In order to logout properly we need to configure the "After sign out path" and set it to # 2. In order to logout properly we need to configure the "After sign out path" and set it to
# https://accounts.archlinux.org/auth/realms/master/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org # https://accounts.archlinux.org/auth/realms/archlinux/protocol/openid-connect/logout?redirect_uri=https%3A//gitlab.archlinux.org
# https://gitlab.com/gitlab-org/gitlab/issues/14414 # https://gitlab.com/gitlab-org/gitlab/issues/14414
GITLAB_OMNIBUS_CONFIG: | GITLAB_OMNIBUS_CONFIG: |
external_url 'https://{{ gitlab_domain }}' external_url 'https://{{ gitlab_domain }}'
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
letsencrypt['contact_emails'] = ['webmaster@archlinux.org'] letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
gitlab_rails['lfs_enabled'] = true gitlab_rails['lfs_enabled'] = true
gitlab_rails['gitlab_shell_ssh_port'] = 222 gitlab_rails['gitlab_shell_ssh_port'] = 222
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}" gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
gitlab_rails['smtp_enable'] = true gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = 'mail.archlinux.org' gitlab_rails['smtp_address'] = 'mail.archlinux.org'
...@@ -54,9 +55,9 @@ ...@@ -54,9 +55,9 @@
admin_groups: ['DevOps'], admin_groups: ['DevOps'],
args: { args: {
assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback', assertion_consumer_service_url: 'https://gitlab.archlinux.org/users/auth/saml/callback',
idp_cert_fingerprint: '83:AB:61:8E:8C:8A:78:F6:D9:A6:8E:25:6F:DA:04:4D:77:0E:CD:B2', idp_cert_fingerprint: '75:43:93:1D:7A:F3:B6:16:51:FA:90:3C:E6:46:93:EA:DF:B6:28:8B',
idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/master/protocol/saml/clients/saml_gitlab', idp_sso_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml/clients/saml_gitlab',
idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/master/protocol/saml', idp_slo_target_url: 'https://accounts.archlinux.org/auth/realms/archlinux/protocol/saml',
issuer: 'saml_gitlab', issuer: 'saml_gitlab',
attribute_statements: { attribute_statements: {
first_name: ['first_name'], first_name: ['first_name'],
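Review bot: The new `idp_cert_fingerprint` in the `@@ -54,9 +55,9 @@` hunk pins the current signing certificate of the `archlinux` realm, but the step-1 comment in the first hunk does not say that the pin must be regenerated against that realm whenever the Keycloak realm key is rotated — with a stale pin every SAML response is rejected and SSO breaks with no obvious cause. I would extend that comment with `# NOTE: this pins the realm's SAML signing cert; re-run the script against the 'archlinux' realm (not 'master') after any Keycloak key rotation.` If the omniauth-saml version in use supports `idp_cert_fingerprint_algorithm`, moving the script and this field to a SHA-256 fingerprint would avoid depending on SHA-1. The `saml` provider block containing these args starts and ends outside the hunk.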
...@@ -36,6 +36,6 @@ server { ...@@ -36,6 +36,6 @@ server {
} }
location = / { location = / {
return 301 https://$server_name/auth/; return 301 https://$server_name/auth/realms/archlinux/account;
} }
} }
...@@ -42,6 +42,7 @@ resource "keycloak_realm" "archlinux" { ...@@ -42,6 +42,7 @@ resource "keycloak_realm" "archlinux" {
reset_password_allowed = true reset_password_allowed = true
verify_email = true verify_email = true
login_with_email_allowed = true
smtp_server { smtp_server {
host = "mail.archlinux.org" host = "mail.archlinux.org"
...@@ -82,6 +83,22 @@ resource "keycloak_saml_client" "saml_gitlab" { ...@@ -82,6 +83,22 @@ resource "keycloak_saml_client" "saml_gitlab" {
assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url assertion_consumer_post_url = var.gitlab_instance.saml_redirect_url
} }
// This client is only used for the return URL redirect hack!
// See roles/gitlab/tasks/main.yml
resource "keycloak_openid_client" "openid_gitlab" {
realm_id = "archlinux"
client_id = "openid_gitlab"
name = "Arch Linux Accounts"
enabled = true
access_type = "PUBLIC"
standard_flow_enabled = true
valid_redirect_uris = [
"https://gitlab.archlinux.org"
]
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" { resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "archlinux" realm_id = "archlinux"
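Review bot: The new `openid_gitlab` client sets `standard_flow_enabled = true` on a `PUBLIC` client although the comment says it exists only for the post-logout `redirect_uri` hack; with the authorization-code flow on, anyone can initiate logins against this client, which is more capability than redirect validation needs. If Keycloak validates the logout `redirect_uri` for a client without the standard flow, set `standard_flow_enabled = false`; if it does require the flow, and the provider version in use supports it, add `pkce_code_challenge_method = "S256"` so the public flow cannot be abused via an intercepted code. The exact-match `valid_redirect_uris` entry is the right shape (no wildcard), but it has to stay byte-identical to the `redirect_uri` in the gitlab role's "After sign out path", so the comment should name that coupling: `// valid_redirect_uris must equal the redirect_uri used in roles/gitlab/tasks/main.yml (logout URL)`.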