Solved missing logout injection bug and refactored srv-web-7-7-inj-compose

2025-08-29 15:06:26 +02:00 · 2025-08-15 23:55:19 +02:00
parent 5b64b47754
commit 3b4821f7e7
19 changed files with 343 additions and 118 deletions
--- a/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
+++ b/roles/srv-proxy-6-6-domain/tasks/01_cloudflare.yml
@@ -9,7 +9,7 @@
    cf_zone_id: "{{ (cf_zone_ids | default({})).get(domain | to_primary_domain, false) }}"

 # Only look up from Cloudflare if we still don't have it
- name: "Ensure Cloudflare Zone ID is known for {{ domain }}"
+- name: "Ensure Cloudflare Zone ID is known for '{{ domain }}'"
  vars:
    cf_api_url: "https://api.cloudflare.com/client/v4/zones"
  ansible.builtin.uri:
--- a/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/flavors/dedicated.yml
@@ -1,10 +1,10 @@
- name: "Check if certificate already exists for {{ domain }}"
+- name: "Check if certificate already exists for '{{ domain }}'"
  cert_check_exists:
    domain: "{{ domain }}"
    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
  register: cert_check

- name: "receive certificate for {{ domain }}"
+- name: "receive certificate for '{{ domain }}'"
  command: >-
    certbot certonly 
    --agree-tos 
--- a/roles/srv-web-6-6-tls-core/tasks/main.yml
+++ b/roles/srv-web-6-6-tls-core/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
  include_tasks: "{{ role_path }}/tasks/flavors/{{ CERTBOT_FLAVOR }}.yml"

-#- name: "Cleanup dedicated cert for {{ domain }}"
+#- name: "Cleanup dedicated cert for '{{ domain }}'"
 #  command: >-
 #    certbot delete --cert-name {{ domain }} --non-interactive
 #  when: 
--- a/roles/srv-web-7-6-composer/tasks/main.yml
+++ b/roles/srv-web-7-6-composer/tasks/main.yml
@@ -1,9 +1,9 @@
 # run_once_srv_web_7_6_composer: deactivated

- name: "include role srv-web-7-7-inj-compose for {{ domain }}"
+- name: "include role srv-web-7-7-inj-compose for '{{ domain }}'"
  include_role: 
    name: srv-web-7-7-inj-compose

- name: "include role srv-web-6-6-tls-core for {{ domain }}"
+- name: "include role srv-web-6-6-tls-core for '{{ domain }}'"
  include_role: 
    name: srv-web-6-6-tls-core
--- a/roles/srv-web-7-7-inj-compose/init.py
+++ b/roles/srv-web-7-7-inj-compose/init.py
--- a/roles/srv-web-7-7-inj-compose/filter_plugins/init.py
+++ b/roles/srv-web-7-7-inj-compose/filter_plugins/init.py
--- a/roles/srv-web-7-7-inj-compose/filter_plugins/inj_enabled.py
+++ b/roles/srv-web-7-7-inj-compose/filter_plugins/inj_enabled.py
@@ -0,0 +1,35 @@
+# roles/srv-web-7-7-inj-compose/filter_plugins/inj_enabled.py
+#
+# Usage in tasks:
+#   - set_fact:
+#       inj_enabled: "{{ applications | inj_enabled(application_id, ['javascript','logout','css','matomo','desktop']) }}"
+
+import sys
+import os
+
+# allow imports from module_utils (same trick as your get_app_conf filter)
+base = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..', '..'))
+mu = os.path.join(base, 'module_utils')
+for p in (base, mu):
+    if p not in sys.path:
+        sys.path.insert(0, p)
+
+from module_utils.config_utils import get_app_conf
+
+def inj_enabled_filter(applications, application_id, features, prefix="features", default=False):
+    """
+    Build a dict {feature: value} by reading the feature flags under the given prefix for the selected application.
+    Uses get_app_conf with strict=False so missing keys just return the default.
+    """
+    result = {}
+    for f in features:
+        path = f"{prefix}.{f}" if prefix else f
+        result[f] = get_app_conf(applications, application_id, path, strict=False, default=default)
+    return result
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            "inj_enabled": inj_enabled_filter,
+        }
--- a/roles/srv-web-7-7-inj-compose/tasks/main.yml
+++ b/roles/srv-web-7-7-inj-compose/tasks/main.yml
@@ -1,11 +1,6 @@
- name: Set inj_enabled dictionary
+- name: Build inj_enabled
  set_fact:
-    inj_enabled:
-      javascript: "{{ applications | get_app_conf(application_id, 'features.javascript', False) }}"
-      logout:     "{{ (applications | get_app_conf(application_id, 'features.logout', False) or domain == PRIMARY_DOMAIN) }}"
-      css:        "{{ applications | get_app_conf(application_id, 'features.css', False) }}"
-      matomo:     "{{ applications | get_app_conf(application_id, 'features.matomo', False) }}"
-      desktop:    "{{ applications | get_app_conf(application_id, 'features.desktop', False) }}"
+    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"

 - block:
  - name: Include dependency 'srv-web-7-4-core'
@@ -15,13 +10,13 @@
  - include_tasks: utils/run_once.yml
  when: run_once_srv_web_7_7_inj_compose is not defined

- name: "Activate Portfolio iFrame notifier for {{ domain }}"
+- name: "Activate Portfolio iFrame notifier for '{{ domain }}'"
  include_role:
    name:   srv-web-7-7-inj-desktop
    public: true # Vars used in templates
  when: inj_enabled.desktop

- name: "Load CDN for {{ domain }}"
+- name: "Load CDN for '{{ domain }}'"
  include_role:
    name: web-svc-cdn
    public: false
@@ -41,24 +36,28 @@
  vars:
    handler_role_name: "{{ item }}"

- name: "Activate Corporate CSS for {{ domain }}"
+- name: Reinitialize 'inj_enabled' for '{{ domain }}', after modification by CDN
+  set_fact:
+    inj_enabled: "{{ applications | inj_enabled(application_id, SRV_WEB_INJ_COMP_FEATURES_ALL) }}"
+
+- name: "Activate Corporate CSS for '{{ domain }}'"
  include_role:
    name: srv-web-7-7-inj-css
  when:
  - inj_enabled.css
  - run_once_srv_web_7_7_inj_css is not defined

- name: "Activate Matomo Tracking for {{ domain }}"
+- name: "Activate Matomo Tracking for '{{ domain }}'"
  include_role:
    name: srv-web-7-7-inj-matomo
  when: inj_enabled.matomo

- name: "Activate Javascript for {{ domain }}"
+- name: "Activate Javascript for '{{ domain }}'"
  include_role:
    name: srv-web-7-7-inj-javascript
  when: inj_enabled.javascript

- name: "Activate logout proxy for {{ domain }}"
+- name: "Activate logout proxy for '{{ domain }}'"
  include_role:
    name: srv-web-7-7-inj-logout
    public: true # Vars used in templates
--- a/roles/srv-web-7-7-inj-compose/templates/location.lua.j2
+++ b/roles/srv-web-7-7-inj-compose/templates/location.lua.j2
@@ -1,3 +1,17 @@
+{% macro push_snippets(list_name, features) -%}
+{% for f in features -%}
+{% if inj_enabled.get(f) -%}
+{{ list_name }}[#{{ list_name }} + 1] = [=[
+  {%- include
+     'roles/srv-web-7-7-inj-' ~ f ~
+     '/templates/' ~
+     ('head' if list_name == 'head_snippets' else 'body') ~
+     '_sub.j2'
+  -%}
+]=]
+{% endif -%}
+{% endfor -%}
+{%- endmacro %}

 lua_need_request_body on;

@@ -43,13 +57,7 @@ body_filter_by_lua_block {
    -- build a list of head-injection snippets
    local head_snippets = {}

-    {% for head_feature in ['css', 'matomo', 'desktop', 'javascript', 'logout' ] %}
-    {% if applications | get_app_conf(application_id, 'features.' ~ head_feature, false) %}
-    head_snippets[#head_snippets + 1] = [=[
-        {%- include "roles/srv-web-7-7-inj-" ~ head_feature ~ "/templates/head_sub.j2" -%}
-    ]=]
-    {% endif %}
-    {% endfor %}
+    {{ push_snippets('head_snippets', ['css','matomo','desktop','javascript','logout']) }}

    -- inject all collected snippets right before </head>
    local head_payload = table.concat(head_snippets, "\n") .. "</head>"
@@ -58,13 +66,7 @@ body_filter_by_lua_block {
    -- build a list of body-injection snippets
    local body_snippets = {}

-    {% for body_feature in ['matomo', 'logout', 'desktop'] %}
-    {% if applications | get_app_conf(application_id, 'features.' ~ body_feature, false) %}
-    body_snippets[#body_snippets + 1] = [=[
-        {%- include "roles/srv-web-7-7-inj-" ~ body_feature ~ "/templates/body_sub.j2" -%}
-    ]=]
-    {% endif %}
-    {% endfor %}
+    {{ push_snippets('body_snippets', ['matomo','logout','desktop']) }}

    -- inject all collected snippets right before </body>
    local body_payload = table.concat(body_snippets, "\n") .. "</body>"
--- a/roles/srv-web-7-7-inj-compose/vars/main.yml
+++ b/roles/srv-web-7-7-inj-compose/vars/main.yml
@@ -1,2 +1,9 @@
 # Docker
-docker_pull_git_repository: false # Deactivated here to don't inhire this
+docker_pull_git_repository: false # Deactivated here to don't inhire this
+
+SRV_WEB_INJ_COMP_FEATURES_ALL:
+  - 'javascript'
+  - 'logout'
+  - 'css'
+  - 'matomo'
+  - 'desktop'
--- a/roles/srv-web-7-7-inj-matomo/tasks/main.yml
+++ b/roles/srv-web-7-7-inj-matomo/tasks/main.yml
@@ -37,7 +37,7 @@
  uri:
    url: "{{ matomo_index_php_url }}"
    method: POST
-    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
+    body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls={{ WEB_PROTOCOL }}://{{ base_domain }}&token_auth={{ matomo_auth_token }}&format=json"
    body_format: form-urlencoded
    status_code: 200
    return_content: yes
--- a/roles/srv-web-7-7-inj-matomo/vars/main.yml
+++ b/roles/srv-web-7-7-inj-matomo/vars/main.yml
@@ -1,4 +1,4 @@
 base_domain:              "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}"
 matomo_index_php_url:     "{{ domains | get_url('web-app-matomo', WEB_PROTOCOL) }}/index.php"
 matomo_auth_token:        "{{ applications['web-app-matomo'].credentials.auth_token }}"
-matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"
+matomo_verification_url:  "{{ matomo_index_php_url }}?module=API&method=SitesManager.getSitesIdFromSiteUrl&url={{ WEB_PROTOCOL }}://{{ base_domain }}&format=json&token_auth={{ matomo_auth_token }}"
--- a/roles/web-app-discourse/handlers/main.yml
+++ b/roles/web-app-discourse/handlers/main.yml
@@ -21,4 +21,5 @@
  args:
    executable: /bin/bash  
    chdir: "{{ DISCOURSE_REPOSITORY_DIR }}"
-  listen: recreate discourse
+  listen: recreate discourse
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
--- a/roles/web-app-discourse/tasks/03_docker.yml
+++ b/roles/web-app-discourse/tasks/03_docker.yml
@@ -33,11 +33,20 @@
  notify: recreate discourse

 - name: "Verify that '{{ DISCOURSE_CONTAINER }}' is running"
-  command:      docker compose ps --filter status=running --format '{{"{{"}}.Name{{"}}"}}' | grep -x {{ DISCOURSE_CONTAINER }}
-  register:     docker_ps
-  changed_when: docker_ps.rc == 1
-  failed_when:  docker_ps.rc not in [0, 1]
-  notify:       recreate discourse
+  ansible.builtin.command:
+    argv:
+      - docker
+      - ps
+      - --filter
+      - "name=^{{ DISCOURSE_CONTAINER }}$"
+      - --filter
+      - status=running
+      - --format
+      - "{{ '{{.Names}}' }}"
+  register: docker_ps
+  changed_when: docker_ps.stdout.strip() == ""
+  failed_when: docker_ps.rc != 0
+  notify: recreate discourse

 - name: flush, to recreate discourse app
  meta: flush_handlers
--- a/roles/web-opt-rdr-domains/tasks/redirect-domain.yml
+++ b/roles/web-opt-rdr-domains/tasks/redirect-domain.yml
@@ -2,7 +2,7 @@
  include_role: 
    name: srv-web-6-6-tls-core

- name: "Deploying NGINX redirect configuration for {{ domain }}"
+- name: "Deploying NGINX redirect configuration for '{{ domain }}'"
  template:
    src:  redirect.domain.nginx.conf.j2
    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf"