From 244fde79f9d00aea62c0f323bd9f851f0f94d5c0 Mon Sep 17 00:00:00 2001
From: Aurélien Bompard
Date: Feb 21 2018 10:21:18 +0000
Subject: Adapt Ansible role to the infra staging env

---

diff --git a/ansible/roles/hubs/defaults/main.yml b/ansible/roles/hubs/defaults/main.yml
index 72e2e48..11be883 100644
--- a/ansible/roles/hubs/defaults/main.yml
+++ b/ansible/roles/hubs/defaults/main.yml
@@ -7,7 +7,10 @@ hubs_conf_dir: "{{ hubs_base_dir }}/config"
 hubs_var_dir: "{{ hubs_base_dir }}/var"
 hubs_log_dir: "{{ hubs_base_dir }}/log"
 hubs_db_type: sqlite
+hubs_db_user: hubs
 hubs_db_password: changeme
+hubs_db_host: localhost
+hubs_db_name: hubs
 hubs_url_hostname: "{{ ansible_fqdn }}"
 hubs_url: http{% if not hubs_dev_mode %}s{% endif %}://{{ hubs_url_hostname }}{% if hubs_dev_mode %}:5000{% endif %}
 hubs_ssl_cert: /etc/pki/tls/certs/{{ hubs_url_hostname }}.crt
diff --git a/ansible/roles/hubs/tasks/main.yml b/ansible/roles/hubs/tasks/main.yml
index 6f858e8..4f49510 100644
--- a/ansible/roles/hubs/tasks/main.yml
+++ b/ansible/roles/hubs/tasks/main.yml
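Review bot: The three new defaults `hubs_db_user`, `hubs_db_host` and `hubs_db_name` are consumed only by the `postgresql` branch of templates/fedmsg_config, but nothing in defaults/main.yml says so, and a reader of `hubs_db_type: sqlite` would not guess that they are ignored for the default backend; a comment above `hubs_db_user`, `# Used only when hubs_db_type is "postgresql"`, makes the relationship explicit. Since `hubs_db_password` feeds the same URI, grouping the four `hubs_db_*` keys together (moving `hubs_db_user` next to `hubs_db_host`) would keep the connection settings in one place.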
@@ -37,15 +37,31 @@ notify: "hubs configuration change" -- name: Configure application to authenticate with iddev.fedorainfracloud.org - command: - oidc-register - --output-file {{ hubs_conf_dir }}/client_secrets.json - https://{{ hubs_oidc_url }}/ {{ hubs_url }} - args: - creates: "{{ hubs_conf_dir }}/client_secrets.json" - -- name: Set permissions on the oidc credentials file +- name: Configure application to authenticate with the OIDC provider (dev) + block: + - dnf: name=python3-flask-oidc state=present + - command: + oidc-register + --output-file {{ hubs_conf_dir }}/client_secrets.json + https://{{ hubs_oidc_url }}/ {{ hubs_url }} + args: + creates: "{{ hubs_conf_dir }}/client_secrets.json" + notify: "hubs configuration change" + when: hubs_oidc_url == "iddev.fedorainfracloud.org" + + +- name: Configure application to authenticate with the OIDC provider + template: + src: oidc_client_secrets.json + dest: "{{ hubs_conf_dir }}/client_secrets.json" + owner: root + group: "{{ main_user }}" + mode: 0640 + notify: "hubs configuration change" + when: hubs_oidc_url != "iddev.fedorainfracloud.org" + + +- name: Fix the permissions on the OIDC secrets file file: path: "{{ hubs_conf_dir }}/client_secrets.json" owner: root diff --git a/ansible/roles/hubs/tasks/webserver.yml b/ansible/roles/hubs/tasks/webserver.yml index 767cd19..1c52378 100644 --- a/ansible/roles/hubs/tasks/webserver.yml +++ b/ansible/roles/hubs/tasks/webserver.yml 
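Review bot: `mode: 0640` on the new template task is an unquoted plain scalar, so the YAML loader reads it as an octal integer rather than the string the module documentation recommends; writing `mode: "0640"` removes the dependency on how the loader and the module convert that number. The rendered client_secrets.json carries `hubs_stg_oidc_secret`, and a run with `--diff` will print the rendered content in the play output; `no_log: true` on the template task should keep the secret out of logs. The dev/non-dev split is expressed twice as a string comparison against `"iddev.fedorainfracloud.org"`; a single variable set once, for example `hubs_oidc_use_register: "{{ hubs_oidc_url == 'iddev.fedorainfracloud.org' }}"` in defaults, would keep the two `when` clauses from drifting apart. The `- dnf: name=python3-flask-oidc state=present` entry uses key=value shorthand while the rest of the hunk uses block-style module arguments. The final `file` task continues outside the hunk.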
@@ -10,11 +10,13 @@ - name: install python3-certbot-nginx dnf: name=python3-certbot-nginx state=present + when: hubs_ssl_cert != None - name: get the letsencrypt cert - command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ ansible_fqdn }} --agree-tos --email admin@fedoraproject.org + command: certbot certonly -n --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d {{ hubs_url_hostname }} --agree-tos --email admin@fedoraproject.org args: - creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/privkey.pem + creates: "{{ hubs_ssl_key }}" + when: hubs_ssl_cert != None notify: - restart nginx @@ -34,6 +36,7 @@ with_first_found: - nginx_ssl_params.{{ ansible_hostname }} - nginx_ssl_params + when: hubs_ssl_cert != None notify: - restart nginx diff --git a/ansible/roles/hubs/templates/fedmsg_config b/ansible/roles/hubs/templates/fedmsg_config index a5562dd..b8f7d27 100644 --- a/ansible/roles/hubs/templates/fedmsg_config +++ b/ansible/roles/hubs/templates/fedmsg_config @@ -2,7 +2,7 @@ config = { # Database {% if hubs_db_type == "postgresql" %} - 'hubs.sqlalchemy.uri': 'postgresql://hubs:{{ hubs_db_password }}@localhost/hubs', + 'hubs.sqlalchemy.uri': 'postgresql://{{ hubs_db_user }}:{{ hubs_db_password }}@{{ hubs_db_host }}/{{ hubs_db_name }}', {% else %} 'hubs.sqlalchemy.uri': 'sqlite:///{{ hubs_var_dir }}/hubs.db', {% endif %} @@ -21,6 +21,9 @@ config = { 'fas_credentials': { 'username': '{{ hubs_fas_username }}', 'password': '{{ hubs_fas_password }}', + {% if env == "staging" %} + 'base_url': "https://admin.stg.fedoraproject.org/accounts/", + {% endif %} }, {% endif %} diff --git a/ansible/roles/hubs/templates/hubs_config b/ansible/roles/hubs/templates/hubs_config index f901915..0ddfa53 100644 --- a/ansible/roles/hubs/templates/hubs_config +++ b/ansible/roles/hubs/templates/hubs_config 
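Review bot: `creates: "{{ hubs_ssl_key }}"` in the certbot task only guards the run if hubs_ssl_key points at the file certbot actually writes, `/etc/letsencrypt/live/<host>/privkey.pem`; the defaults hunk shows `hubs_ssl_cert` defaulting under `/etc/pki/tls/certs/`, and if `hubs_ssl_key` follows the same pattern the guard never matches, so every play would re-run certbot, stop nginx through the pre-hook and count against the issuer's rate limits. The default of hubs_ssl_key is not in this diff, so this needs confirming against defaults/main.yml. The three new `when: hubs_ssl_cert != None` guards (here and in the `@@ -34,6` hunk) rely on the Jinja `None` literal; the idiomatic form is `when: hubs_ssl_cert is not none`, and because the templates use the same comparison to mean "TLS is terminated by a proxy", a dedicated boolean such as `hubs_behind_ssl_proxy` would name that intent instead of encoding it in a null check.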
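Review bot: The new PostgreSQL URI interpolates `hubs_db_user`, `hubs_db_password` and `hubs_db_host` raw, so a password containing `@`, `/`, `:` or `%` yields a URI that parses to the wrong host or fails outright; `{{ hubs_db_password | urlencode }}` keeps the URI well-formed for any value. With the host now configurable, a remote `hubs_db_host` is reached without any `sslmode`, so whether the credentials cross the network encrypted depends entirely on the server's configuration; appending `?sslmode=require` (or exposing it as a variable) would pin that on the client side. In the `@@ -21,6` hunk the staging `base_url` is gated on a bare `env` variable that the role neither defines nor defaults; if it is undefined when the template renders, the render is likely to fail, so `{% if env is defined and env == "staging" %}` or a role-level default would keep the role usable outside the inventory that sets it.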
@@ -9,12 +9,20 @@ OIDC_ID_TOKEN_COOKIE_SECURE = False OIDC_CLIENT_SECRETS = "{{ hubs_conf_dir }}/client_secrets.json" OIDC_OPENID_REALM = "{{ hubs_url }}/oidc_callback" +{% if hubs_ssl_cert == None %} +# There's an SSL proxy, flask_oidc will generate a redirect_uri without https +# if we don't overwrite it here. +OVERWRITE_REDIRECT_URI = "{{ hubs_url }}/oidc_callback" +{% endif %} SSE_URL = { # "host": "sse.example.com", {% if hubs_dev_mode %} "port": "8080", {% else %} + {% if hubs_ssl_cert == None %} + "scheme": "https", # Because of the SSL proxy + {% endif %} "path": "/sse", {% endif %} } diff --git a/ansible/roles/hubs/templates/nginx.conf b/ansible/roles/hubs/templates/nginx.conf index 853ba74..d36c412 100644 --- a/ansible/roles/hubs/templates/nginx.conf +++ b/ansible/roles/hubs/templates/nginx.conf @@ -14,24 +14,20 @@ upstream hubs-sse { server 127.0.0.1:8080 fail_timeout=0; } - -# Redirect cleartext traffic to HTTPS +# Main server block server { +{% if hubs_ssl_cert == None %} listen 80; listen [::]:80; - server_name {{ hubs_url_hostname }}; - return 301 https://$server_name$request_uri; -} - -# Main server block -server { +{% else %} listen 443 deferred; listen [::]:443 deferred; - client_max_body_size 4G; + include ssl_params; +{% endif %} server_name {{ hubs_url_hostname }}; - include ssl_params; + client_max_body_size 4G; keepalive_timeout 5; location / { @@ -67,3 +63,14 @@ server { # root /path/to/app/current/public; #} } + + +{% if hubs_ssl_cert != None %} +# Redirect cleartext traffic to HTTPS +server { + listen 80; + listen [::]:80; + server_name {{ hubs_url_hostname }}; + return 301 https://$server_name$request_uri; +} +{% endif %} diff --git a/ansible/roles/hubs/templates/oidc_client_secrets.json b/ansible/roles/hubs/templates/oidc_client_secrets.json new file mode 100644 index 0000000..bf40300 --- /dev/null +++ b/ansible/roles/hubs/templates/oidc_client_secrets.json 
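Review bot: The new `{% if hubs_ssl_cert == None %}` branch encodes that the application is reached over HTTPS through a proxy, yet `OIDC_ID_TOKEN_COOKIE_SECURE = False`, shown by the hunk header just above the hunk, appears to stay unconditional, so the id-token cookie may still be sent over plain HTTP in that deployment; setting `OIDC_ID_TOKEN_COOKIE_SECURE = True` inside the same branch would match the https `OVERWRITE_REDIRECT_URI` set there, assuming the proxy terminates TLS for all client traffic and that line is not already guarded elsewhere in the template. The comment `# There's an SSL proxy, ...` explains the override but not the contract; stating that `hubs_ssl_cert` set to null means "TLS is terminated upstream" would make both new branches readable without opening the nginx template. The two `hubs_ssl_cert == None` tests repeat the null-as-flag convention; `is none` is the usual Jinja form.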
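Review bot: In the proxy branch the server block now listens on `80` and `[::]:80` on every interface with nothing indicating which upstream it trusts, so the plain-HTTP application is reachable by anything that can reach port 80, not only the SSL proxy; binding the listen directives to the proxy-facing address, or noting in the `# Main server block` comment that a host firewall is expected to restrict it, would make the exposure a deliberate choice. The block also configures nothing like `set_real_ip_from` / `real_ip_header` for the proxy, so access logs and any per-IP handling see the proxy's address; the `location /` body continues outside the hunk, so this may be handled there.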
@@ -0,0 +1,13 @@
+{
+  "web": {
+    "client_id": "hubs",
+    "auth_uri": "https://{{ hubs_oidc_url }}/openidc/Authorization",
+    "issuer": "https://{{ hubs_oidc_url }}/openidc/",
+    "client_secret": "{{ hubs_stg_oidc_secret }}",
+    "token_uri": "https://{{ hubs_oidc_url }}/openidc/Token",
+    "userinfo_uri": "https://{{ hubs_oidc_url }}/openidc/UserInfo",
+    "redirect_uris": [
+      "{{ hubs_url }}/oidc_callback"
+    ]
+  }
+}
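Review bot: The values in this template are interpolated into JSON as raw text, so a `hubs_stg_oidc_secret` or `hubs_url` containing a double quote or backslash produces an unparseable client_secrets.json; rendering each scalar with the `to_json` filter, e.g. `"client_secret": {{ hubs_stg_oidc_secret | to_json }},`, keeps the file valid for any value. The name `hubs_stg_oidc_secret` is staging-specific, while the task in tasks/main.yml applies this template for every provider other than iddev.fedorainfracloud.org; a name such as `hubs_oidc_secret` would match its real scope. `"client_id": "hubs"` is hard-coded while every other provider-specific value is a variable, so a differently registered client id cannot be set without editing the role.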