Merge pull request #35 from nasa/grc-atf-dev

Pull updates from GRC-ATF-DEV into GRC-ATF
nasa · Sep 6, 2023 · 221e317 · 221e317
2 parents 7f10859 + 3ea70e6
commit 221e317
Show file tree

Hide file tree

Showing 7 changed files with 376 additions and 276 deletions.
diff --git a/config/MezaCoreExtensions.yml b/config/MezaCoreExtensions.yml
diff --git a/config/defaults.yml b/config/defaults.yml
@@ -10,7 +10,7 @@ meza_repository: https://github.com/nasa/meza.git
 m_use_production_settings: True
 
 m_httpd_server_admin: "[email protected]"
-m_timezone: "America/Chicago"
+m_timezone: "America/New_York"
 
 # Poorly documented and not really used method to specify networking zone
 m_private_networking_zone: public
@@ -75,7 +75,7 @@ do_cleanup_sql_backup: False
 # sshd_config defaults
 sshd_config_UsePAM: "yes"
 sshd_config_PasswordAuthentication: "yes"
-use_default_ssh_config: True
+use_default_ssh_config: False
 
 m_modify_etc_sudoers: true
 m_meza_sudeoers_file: "/etc/sudoers.d/meza-ansible"

diff --git a/src/roles/apache-php/templates/php.ini.j2 b/src/roles/apache-php/templates/php.ini.j2
@@ -372,7 +372,7 @@ expose_php = On
 ; Maximum execution time of each script, in seconds
 ; http://php.net/max-execution-time
 ; Note: This directive is hardcoded to 0 for the CLI SAPI
-max_execution_time = 30
+max_execution_time = 600
 
 ; Maximum amount of time each script may spend parsing request data. It's a good
 ; idea to limit this time on productions servers in order to eliminate unexpectedly
@@ -382,7 +382,7 @@ max_execution_time = 30
 ; Development Value: 60 (60 seconds)
 ; Production Value: 60 (60 seconds)
 ; http://php.net/max-input-time
-max_input_time = 60
+max_input_time = 240
 
 ; Maximum input variable nesting level
 ; http://php.net/max-input-nesting-level
@@ -394,7 +394,7 @@ max_input_vars = {{ php_max_input_vars }}
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 ;memory_limit = 128M ; Original value. Probably should set this as a variable to allow this to be set manually
-memory_limit = 1024M
+memory_limit = 8G
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; Error handling and logging ;

diff --git a/src/roles/haproxy/tasks/main.yml b/src/roles/haproxy/tasks/main.yml
@@ -271,11 +271,12 @@
     fully_open_ports:
       - 80
       - 443
+      - 20000
 
-- name: Add port 20000 to world-accessible list if installing netdata
-  set_fact:
-    fully_open_ports: "{{ fully_open_ports }} + [ 20000 ]"
-  when: m_install_netdata
+#- name: Add port 20000 to world-accessible list if installing netdata
+#  set_fact:
+#    fully_open_ports: "{{ fully_open_ports }} + [ 20000 ]"
+#  when: m_install_netdata
 
 - name: Ensure port {{ fully_open_ports | join(', ') }} open to the world for haproxy
   include_role:

diff --git a/src/roles/haproxy/templates/haproxy.cfg.j2 b/src/roles/haproxy/templates/haproxy.cfg.j2
@@ -65,7 +65,7 @@ frontend www-http
 	default_backend www-backend
 
 frontend www-https
-	bind *:443 ssl crt /etc/haproxy/certs/meza.pem
+	bind *:443 ssl crt /etc/haproxy/certs/
 	reqadd X-Forwarded-Proto:\ https
 
 	# Keep letsencrypt stuff here for now. Probably add it back later.

diff --git a/src/roles/mediawiki/templates/LocalSettings.php.j2 b/src/roles/mediawiki/templates/LocalSettings.php.j2
@@ -55,9 +55,39 @@ else {
  *  Perform authentication up front, immediately after $wikiId is setup.
  *
  **/
-require "{{ m_deploy }}/samlLocalSettings.php";
-{% endif %}
+## This is commented out because we are no longer using Extension:SimpleSamlAuth
+## Instead we will be using Extension:PluggableAuth with Extension:SimpleSamlphp
+## which is configued as by the user in MezaLocalExtensions.yml
+#require "{{ m_deploy }}/samlLocalSettings.php";
+
+
+if ( in_array( $wikiId, array( 'mywiki1','mywiki2', ) ) )
+{
+ # Skip  "PluggableAuth" AND "SimpleSAMLphp" so that localhost bots can access the wikis
+} else {
+
+wfLoadExtension( "PluggableAuth" );
+$wgPluggableAuth_EnableAutoLogin = true;
+
+if     (!empty($_SERVER['HTTP_CLIENT_IP']))       { $ip_address = $_SERVER['HTTP_CLIENT_IP']; }
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; }
+elseif (isset($_SERVER['REMOTE_ADDR'] ) )         { $ip_address = $_SERVER['REMOTE_ADDR']; }
 
+if (isset($ip_address) && $ip_address == '127.0.0.1') { $wgPluggableAuth_EnableLocalLogin = true;  }
+else                                                  { $wgPluggableAuth_EnableLocalLogin = false; }
+
+$wgPluggableAuth_EnableLocalProperties = false;
+$wgPluggableAuth_ButtonLabel = 'Click Here for Auto-Logon';
+
+wfLoadExtension( "SimpleSAMLphp" );
+$wgSimpleSAMLphp_InstallDir        = '/opt/simplesamlphp';
+$wgSimpleSAMLphp_AuthSourceId      = 'default-sp';
+$wgSimpleSAMLphp_UsernameAttribute = 'AUID';
+$wgSimpleSAMLphp_RealNameAttribute = 'displayName';
+$wgSimpleSAMLphp_EmailAttribute    = 'Email';
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+}
+{% endif %}
 
 {% if wiki_id_redirects is defined and wiki_id_redirects|length > 0 %}
 

diff --git a/src/roles/update.php/tasks/main.yml b/src/roles/update.php/tasks/main.yml
@@ -58,7 +58,7 @@
 
     - name: Run update.php on this wiki
       shell: >
-        WIKI="{{ wiki_id }}" php "{{ m_mediawiki }}/maintenance/update.php" --quick >> {{ update_php_log }} 2>&1
+        WIKI="{{ wiki_id }}" php "{{ m_mediawiki }}/maintenance/update.php" --quick --doshared >> {{ update_php_log }} 2>&1
       # run_once see [1]
       run_once: true