From 9fbe2c3d7e67f8278852684e31a31a25b8f071dc Mon Sep 17 00:00:00 2001 From: Michal Konecny Date: Apr 08 2024 13:08:32 +0000 Subject: [mailman3] Enable OIDC Enable OIDC support for mailman3 staging deployment. Signed-off-by: Michal Konecny
---
diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml
index 560666b..f3fa5a2 100644
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -109,6 +109,8 @@
 mailman_hyperkitty_db_pass: "{{ mailman_hk_db_pass }}"
 mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}"
 mailman_hyperkitty_archiver_key: "{{ mailman_hk_stg_archiver_key }}"
+ mailman_openidc_server_url: https://id.stg.fedoraproject.org/openidc
+ mailman_openidc_secret: "{{ mailman_stg_oidc_pass }}"
 mailman_httpd_hostname: lists.stg.fedoraproject.org
 when: env == "staging"
 - {role: fedmsg/base,
diff --git a/roles/mailman3/defaults/main.yml b/roles/mailman3/defaults/main.yml
index 3336b92..865d11e 100644
--- a/roles/mailman3/defaults/main.yml
+++ b/roles/mailman3/defaults/main.yml
@@ -32,3 +32,12 @@ mailman_domains:
 - lists.example.com
 - lists.example.org
 mailman_social_login: []
+
+# OpenID-connect settings
+# Attention that you should ensure that callback/redirect_url set at the provider side will end with /
+# see https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html#openid-connect
+mailman_openidc_provider_id: fedora
+mailman_openidc_name: Fedora Account
+mailman_openidc_server_url: https://id.fedoraproject.org/openidc
+mailman_openidc_client_id: mailman3
+mailman_openidc_secret: boooooooooooooyoushouldnotreadthisasnotused
diff --git a/roles/mailman3/templates/mailmanweb.conf.j2 b/roles/mailman3/templates/mailmanweb.conf.j2
index 3fc4d44..bae2012 100644
--- a/roles/mailman3/templates/mailmanweb.conf.j2
+++ b/roles/mailman3/templates/mailmanweb.conf.j2
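Review bot: The OIDC secret override is added only inside the `when: env == "staging"` block, so a production run falls back to the placeholder string that `roles/mailman3/defaults/main.yml` introduces in this same commit and renders it into settings.py as the client secret, unless a production value is defined somewhere this diff does not show. A matching entry in the production branch of these vars, e.g. `mailman_openidc_secret: "{{ mailman_oidc_pass }}"`, or a guard that refuses to run the role with the default secret, would keep production from being deployed with a publicly known credential. `mailman_stg_oidc_pass` is presumably a vault variable; confirm it exists before this is merged, since an undefined name fails the whole play.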
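Review bot: `mailman_openidc_secret` ships a default that, from this commit on, is rendered straight into settings.py as the OIDC client secret on any host that does not override it; the value's own "notused" wording is no longer true. Prefer no default at all, or an explicit `mailman_openidc_secret: null` with the comment `# must be overridden per environment (vault); the role fails to template without it`, so a missing override fails loudly instead of silently configuring a known secret. The note about the trailing `/` would be more useful if it stated the failure mode: the provider rejects the login with a redirect_uri mismatch when the registered callback lacks the slash.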
@@ -1,5 +1,12 @@
 ServerName lists{{ env_suffix }}.fedoraproject.org
+Header always set Strict-Transport-Security "max-age=31536000"
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-Xss-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+Header always set Referrer-Policy "same-origin"
+RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+
 Alias /favicon.ico {{ mailman_webui_basedir }}/static/favicon.ico
 Alias /robots.txt {{ mailman_webui_basedir }}/static/robots.txt
 Alias /static {{ mailman_webui_basedir }}/static
diff --git a/roles/mailman3/templates/settings.py.j2 b/roles/mailman3/templates/settings.py.j2
index 9ab67c1..d57e8e3 100644
--- a/roles/mailman3/templates/settings.py.j2
+++ b/roles/mailman3/templates/settings.py.j2
@@ -64,7 +64,6 @@ INSTALLED_APPS = (
 'django_extensions',
 'django_gravatar',
 'django_mailman3',
- 'django_mailman3.lib.auth.fedora',
 'django_q',
 'hyperkitty',
 'postorius',
@@ -228,6 +227,19 @@ ACCOUNT_ADAPTER = "django_fedora_nosignup.NoLocalSignUpAdapter"
 SOCIALACCOUNT_ADAPTER = "django_fedora_nosignup.SignUpEnabledSocialAdapter"
 SOCIALACCOUNT_PROVIDERS = {
+ 'openid_connect': {
+ "SERVERS": [
+ {
+ "id": "{{ mailman3_openidc_provider_id }}",
+ "name": "{{ mailman3_openidc_name }}",
+ "server_url": "{{ mailman3_openidc_server_url }}",
+ "APP": {
+ "client_id": "{{ mailman3_openidc_client_id }}",
+ "secret": "{{ mailman3_openidc_secret }}",
+ },
+ },
+ ]
+ },
 'openid': {
 'SERVERS': [
 dict(id='yahoo',
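Review bot: `Header always set X-Xss-Protection "1; mode=block"` enables a deprecated browser filter that Chromium and Edge have removed and Firefox never shipped, and OWASP now recommends turning it off because the legacy filter was abusable for cross-site leaks in older browsers. Replace the line with `Header always set X-Xss-Protection "0"` or drop it, and consider a `Content-Security-Policy` (at minimum `frame-ancestors 'self'`, the modern counterpart of the `X-Frame-Options` line) once Hyperkitty's inline assets are inventoried. The `X-Forwarded-Proto` header only has an effect if the Django settings trust it via `SECURE_PROXY_SSL_HEADER`, which this diff does not show; worth confirming, since allauth derives the OIDC redirect_uri from the request scheme and an `http://` value will be rejected by the provider.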
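Review bot: Removing `'django_mailman3.lib.auth.fedora'` from `INSTALLED_APPS` drops the provider that created the existing Fedora `SocialAccount` rows, but nothing in the commit migrates them. The new `openid_connect` server reuses the id `fedora`, yet its `uid` is presumably the OIDC `sub` claim rather than whatever the old provider stored, so as far as this diff shows a returning user would not be matched to the existing account on first OIDC login and would instead hit the social sign-up path governed by `SignUpEnabledSocialAdapter`. Either confirm that adapter links by verified e-mail, or ship a data migration that rewrites the stored `uid`s, and state the chosen approach in the commit message. `INSTALLED_APPS` begins before this hunk.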
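Review bot: The new `openid_connect` block reads `mailman3_openidc_provider_id`, `mailman3_openidc_name`, `mailman3_openidc_server_url`, `mailman3_openidc_client_id` and `mailman3_openidc_secret`, while the defaults and the staging vars added in this same commit define them as `mailman_openidc_*` (no `3`); unless `mailman3_openidc_*` is defined somewhere outside this diff the template task fails with an undefined-variable error, and even if it is, the staging `server_url` and `secret` overrides added here are silently ignored. Rename the five references to the `mailman_openidc_*` names, e.g. `"secret": "{{ mailman_openidc_secret }}",`. The client secret is rendered into settings.py, so the template task's mode and owner (not shown here) should keep that file unreadable to other local users. `SOCIALACCOUNT_PROVIDERS` continues past the end of this hunk.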