diff --git a/README.md b/README.md
index 02f5b1d..a390f03 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,19 @@ openondemand::oidc_settings:
OIDCStripCookies: 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
```
+Setup OnDemand to authenticate with SAML using apache Mellon. Puppet creates a script `/usr/local/bin/mellon_ood_metadata.sh` to generate certs and relevant metadata files. This script needs to be run (once) manually.
+
+```yaml
+openondemand::servername: ondemand.osc.edu
+openondemand::auth_type: 'mellon'
+openondemand::auth_configs:
+ - 'Require valid-user'
+openondemand::mellon_config:
+ MellonEndpointPath: '/mellon'
+ MellonEnable: 'auth'
+ MellonIdPMetadataFile: '/etc/httpd/mellon/idpmetadata.xml'
+```
+
Configure OnDemand via git repo that contains app configs, locales, public, and annoucement files
```yaml
diff --git a/REFERENCE.md b/REFERENCE.md
index 4a5b94d..f727353 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -68,12 +68,14 @@ The following parameters are available in the `openondemand` class:
* [`ondemand_package_ensure`](#-openondemand--ondemand_package_ensure)
* [`ondemand_dex_package_ensure`](#-openondemand--ondemand_dex_package_ensure)
* [`mod_auth_openidc_ensure`](#-openondemand--mod_auth_openidc_ensure)
+* [`mod_auth_mellon_ensure`](#-openondemand--mod_auth_mellon_ensure)
* [`install_apps`](#-openondemand--install_apps)
* [`declare_apache`](#-openondemand--declare_apache)
* [`apache_scls`](#-openondemand--apache_scls)
* [`generator_insecure`](#-openondemand--generator_insecure)
* [`listen_addr_port`](#-openondemand--listen_addr_port)
* [`servername`](#-openondemand--servername)
+* [`proxy_server`](#-openondemand--proxy_server)
* [`server_aliases`](#-openondemand--server_aliases)
* [`ssl`](#-openondemand--ssl)
* [`logroot`](#-openondemand--logroot)
@@ -123,6 +125,7 @@ The following parameters are available in the `openondemand` class:
* [`oidc_settings`](#-openondemand--oidc_settings)
* [`dex_uri`](#-openondemand--dex_uri)
* [`dex_config`](#-openondemand--dex_config)
+* [`mellon_config`](#-openondemand--mellon_config)
* [`web_directory`](#-openondemand--web_directory)
* [`nginx_log_group`](#-openondemand--nginx_log_group)
* [`nginx_stage_clean_cron_schedule`](#-openondemand--nginx_stage_clean_cron_schedule)
@@ -271,6 +274,14 @@ mod_auth_openidc package ensure
Default value: `'present'`
+##### `mod_auth_mellon_ensure`
+
+Data type: `String`
+
+mod_auth_mellon package ensure
+
+Default value: `'present'`
+
##### `install_apps`
Data type: `Hash`
@@ -321,6 +332,14 @@ ood_portal.yml servername
Default value: `undef`
+##### `proxy_server`
+
+Data type: `Optional[String]`
+
+ood_portal.yml proxy_server
+
+Default value: ``undef``
+
##### `server_aliases`
Data type: `Optional[Array]`
@@ -713,6 +732,14 @@ Dex configuration Hash
Default value: `{}`
+##### `mellon_config`
+
+Data type: `Hash`
+
+Mellon configuration Hash for Overwrite
+
+Default value: `{}`
+
##### `web_directory`
Data type: `Stdlib::Absolutepath`
@@ -1068,7 +1095,7 @@ Manage Open OnDemand dev app
#### Examples
-#####
+#####
```puppet
openondemand::app::dev { 'user1': }
@@ -1140,7 +1167,7 @@ Manage Open OnDemand user app
#### Examples
-#####
+#####
```puppet
openondemand::app::usr { 'user1':
@@ -1856,7 +1883,7 @@ Manage Open OnDemand app
#### Examples
-#####
+#####
```puppet
openondemand::install::app { 'bc_osc_foo':
diff --git a/manifests/apache.pp b/manifests/apache.pp
index 7ce45cb..6309c17 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -57,18 +57,27 @@
include apache::mod::proxy_http
include apache::mod::proxy_connect
include apache::mod::proxy_wstunnel
- if $openondemand::auth_type == 'CAS' {
- include apache::mod::auth_cas
- }
apache::mod { 'lua': }
include apache::mod::headers
include apache::mod::rewrite
- if $openondemand::auth_type in ['dex','openid-connect'] {
- apache::mod { 'auth_openidc':
- package => $openidc_package,
- package_ensure => $openondemand::mod_auth_openidc_ensure,
+ case $openondemand::auth_type {
+ 'CAS': {
+ include ::apache::mod::auth_cas
+ }
+ '(dex|openid-connect)': {
+ ::apache::mod { 'auth_openidc':
+ package => "${package_prefix}mod_auth_openidc",
+ package_ensure => $openondemand::mod_auth_openidc_ensure,
+ }
+ }
+ 'mellon': {
+ ::apache::mod { 'auth_mellon':
+ package => "${package_prefix}mod_auth_mellon",
+ package_ensure => $openondemand::mod_auth_openidc_ensure,
+ }
}
+ default: {}
}
if $openondemand::scl_apache {
diff --git a/manifests/config.pp b/manifests/config.pp
index 963b99f..d4f34b5 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -277,6 +277,16 @@
}
}
+ # deploy script to generate mellon metadata
+ if $openondemand::auth_type == 'mellon' {
+ file { '/usr/local/bin/mellon_ood_metadata.sh':
+ content => template('openondemand/generate_ood_mellon_metadata.sh.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ }
+
file { '/etc/ood/config/nginx_stage.yml':
ensure => 'file',
owner => 'root',
diff --git a/manifests/init.pp b/manifests/init.pp
index f9adcb8..506c49b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -26,6 +26,8 @@
# ondemand-dex package ensure
# @param mod_auth_openidc_ensure
# mod_auth_openidc package ensure
+# @param mod_auth_mellon_ensure
+# mod_auth_mellon package ensure
# @param install_apps
# Hash of apps to install, passed to ondemand::install::app
# @param declare_apache
@@ -40,6 +42,8 @@
# ood_portal.yml listen_addr_port
# @param servername
# ood_portal.yml servername
+# @param proxy_server
+# ood_portal.yml proxy_server
# @param server_aliases
# ood_porta.yml server_aliases
# @param ssl
@@ -138,6 +142,8 @@
# Dex URI if put behind Apache reverse proxy
# @param dex_config
# Dex configuration Hash
+# @param mellon_config
+# Additional Mellon override config for apache
# @param web_directory
# Path to main web directory for OnDemand
# @param nginx_log_group
@@ -247,6 +253,7 @@
String $ondemand_package_ensure = 'present',
String $ondemand_dex_package_ensure = 'present',
String $mod_auth_openidc_ensure = 'present',
+ String $mod_auth_mellon_ensure = 'present',
Hash $install_apps = {},
# Apache
@@ -257,6 +264,7 @@
Boolean $generator_insecure = false,
Variant[Array, String, Undef] $listen_addr_port = undef,
Optional[String] $servername = undef,
+ Optional[String] $proxy_server = undef,
Optional[Array] $server_aliases = undef,
Optional[Array] $ssl = undef,
String $logroot = 'logs',
@@ -273,7 +281,7 @@
Optional[String] $user_map_cmd = undef,
Optional[String] $user_env = undef,
Optional[String] $map_fail_uri = undef,
- Variant[Enum['CAS', 'openid-connect', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
+ Variant[Enum['CAS', 'openid-connect', 'mellon', 'shibboleth', 'dex'], String[1]] $auth_type = 'dex',
Optional[Array] $auth_configs = undef,
String $root_uri = '/pun/sys/dashboard',
Optional[Struct[{ url => String, id => String }]] $analytics = undef,
@@ -311,6 +319,19 @@
Variant[String[1],Boolean] $dex_uri = '/dex',
Openondemand::Dex_config $dex_config = {},
+ # Mellon Configs
+ Optional[Hash] $mellon_default_config = {
+ 'MellonSPPrivateKeyFile' => '/etc/httpd/mellon/mellon.key',
+ 'MellonSPCertFile' => '/etc/httpd/mellon/mellon.cer',
+ 'MellonSPMetadataFile' => '/etc/httpd/mellon/mellon_metadata.xml',
+ 'MellonIdPMetadataFile' => '/etc/httpd/mellon/idp_metadata.xml',
+ 'MellonEnable' => 'auth',
+ 'MellonEndpointPath' => '/mellon',
+ },
+ Optional[Hash] $mellon_config = {}
+ # Merge default config with updated configs
+ Optional[Hash] $mellon_merged_config = merge($mellon_default_config, $mellon_config)
+
# Misc configs
Stdlib::Absolutepath $web_directory = '/var/www/ood',
String $nginx_log_group = 'ondemand-nginx',
@@ -403,11 +424,11 @@
if $ssl {
$port = '443'
- $listen_ports = ['443', '80']
+ $listen_ports = pick($listen_addr_port, ['443', '80'])
$protocol = 'https'
} else {
$port = '80'
- $listen_ports = ['80']
+ $listen_ports = pick($listen_addr_port, ['80'])
$protocol = 'http'
}
@@ -468,6 +489,7 @@
$ood_portal_config = {
'listen_addr_port' => $listen_ports,
'servername' => $servername,
+ 'proxy_server' => $proxy_server,
'server_aliases' => $server_aliases,
'port' => $port,
'ssl' => $ssl,
diff --git a/templates/auth_mellon.conf.erb b/templates/auth_mellon.conf.erb
new file mode 100644
index 0000000..21cf3ee
--- /dev/null
+++ b/templates/auth_mellon.conf.erb
@@ -0,0 +1,8 @@
+
+<% scope['openondemand::auth'].each do |k| -%>
+ <%= k %>
+<% end %>
+<% scope['openondemand::mellon_merged_config'].each do |k,v| -%>
+ <%= k %> <%= v %>
+<% end %>
+
diff --git a/templates/generate_ood_mellon_metadata.sh.erb b/templates/generate_ood_mellon_metadata.sh.erb
new file mode 100755
index 0000000..e440b3e
--- /dev/null
+++ b/templates/generate_ood_mellon_metadata.sh.erb
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+MELLON_DIR="<%= scope['apache::params::httpd_dir'] -%>/mellon"
+
+[ -d ${MELLON_DIR} ] || mkdir ${MELLON_DIR}
+
+pushd $MELLON_DIR
+<% if scope['openondemand::proxy_server'] -%>
+export mellon_endpoint="https://<%= scope['openondemand::proxy_server'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% else -%>
+export mellon_endpoint="https://<%= scope['openondemand::servername'] %><%= scope['openondemand::mellon_merged_config']['MellonEndpointPath'] %>"
+<% end -%>
+<%= scope['apache::params::httpd_root'] %>/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh "${mellon_endpoint}/metadata" "${mellon_endpoint}"
+
+mv *mellon_metadata.cert ./mellon.cert
+mv *mellon_metadata.key ./mellon.key
+mv *mellon_metadata.xml ./mellon_metadata.xml
+
+openssl pkcs12 -export -inkey ./mellon.key -in ./mellon.cert -out ./mellon.pfx -passout pass:
+
+popd
+echo "Mellon files are generated at ${MELLON_DIR}"