From 4ae3cee36c1e5e63ae9a1bc96b0605f335bea8d4 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 1 Sep 2025 16:41:33 +0200
Subject: [PATCH] web-svc-logout: merge logout domains into CSP connect-src and refactor task flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
• Add tasks/01_core.yml to set applications[application_id].server.csp.whitelist['connect-src'] = LOGOUT_CONNECT_SRC_NEW.
• Switch tasks/main.yml to include 01_core.yml (run-once guard preserved).
• Update templates/env.j2 to emit LOGOUT_DOMAINS as a comma-separated list.
• Rework vars/main.yml: compute LOGOUT_DOMAINS, derive LOGOUT_ORIGINS with WEB_PROTOCOL, read connect-src via the get_app_conf filter, and merge/dedupe (unique).
Rationale: ensure CSP allows cross-domain logout requests for all configured services.
Conversation: https://chatgpt.com/share/68b5b07d-b208-800f-b6b2-f26934607c8a
---
 roles/web-svc-logout/tasks/01_core.yml | 31 ++++++++++++++++++++++++++
 roles/web-svc-logout/tasks/main.yml | 12 +---------
 roles/web-svc-logout/templates/env.j2 | 2 +-
 roles/web-svc-logout/vars/main.yml | 8 +++----
 4 files changed, 37 insertions(+), 16 deletions(-)
 create mode 100644 roles/web-svc-logout/tasks/01_core.yml
diff --git a/roles/web-svc-logout/tasks/01_core.yml b/roles/web-svc-logout/tasks/01_core.yml
new file mode 100644
index 00000000..9a4111e1
--- /dev/null
+++ b/roles/web-svc-logout/tasks/01_core.yml
@@ -0,0 +1,31 @@
+- name: "Add logout domains to CSP connect-src"
+ set_fact:
+ applications: >-
+ {{
+ applications | combine(
+ {
+ application_id: {
+ 'server': {
+ 'csp': {
+ 'whitelist': {
+ 'connect-src': LOGOUT_CONNECT_SRC_NEW
+ }
+ }
+ }
+ }
+ },
+ recursive=True
+ )
+ }}
+
+- name: "load docker, proxy for '{{ application_id }}'"
+ include_role:
+ name: sys-stk-full-stateless
+
+- name: Create symbolic link from .env file to repository
+ file:
+ src: "{{ docker_compose.files.env }}"
+ dest: "{{ [ docker_repository_path, '.env' ] | path_join }}"
+ state: link
+
+- include_tasks: utils/run_once.yml
\ No newline at end of file
diff --git a/roles/web-svc-logout/tasks/main.yml b/roles/web-svc-logout/tasks/main.yml
index 2fdf8c33..bff786dd 100644
--- a/roles/web-svc-logout/tasks/main.yml
+++ b/roles/web-svc-logout/tasks/main.yml
@@ -1,14 +1,4 @@
 ---
 - block:
- - name: "load docker, proxy for '{{ application_id }}'"
- include_role:
- name: sys-stk-full-stateless
-
- - name: Create symbolic link from .env file to repository
- file:
- src: "{{ docker_compose.files.env }}"
- dest: "{{ [ docker_repository_path, '.env' ] | path_join }}"
- state: link
-
- - include_tasks: utils/run_once.yml
+ - include_tasks: 01_core.yml
 when: run_once_web_svc_logout is not defined
\ No newline at end of file
diff --git a/roles/web-svc-logout/templates/env.j2 b/roles/web-svc-logout/templates/env.j2
index 51813496..c869d44d 100644
--- a/roles/web-svc-logout/templates/env.j2
+++ b/roles/web-svc-logout/templates/env.j2
@@ -1,5 +1,5 @@
 # Comma‑separated list of all subdomains to log out (no spaces)
-LOGOUT_DOMAINS={{ logout_domains }}
+LOGOUT_DOMAINS={{ LOGOUT_DOMAINS | join(',') }}
 # Port the logout service will listen on inside the container
 LOGOUT_PORT={{ container_port }}
diff --git a/roles/web-svc-logout/vars/main.yml b/roles/web-svc-logout/vars/main.yml
index f17da19a..0b693e70 100644
--- a/roles/web-svc-logout/vars/main.yml
+++ b/roles/web-svc-logout/vars/main.yml
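Review bot: The `set_fact` at the top of 01_core.yml replaces `connect-src` rather than appending to it — `combine` does not merge lists even with `recursive=True` — so the task is only correct because LOGOUT_CONNECT_SRC_NEW is built in vars/main.yml to already contain the previous entries, and nothing in this file says so. Ordering matters as well: the widened `applications` has to be in place before `sys-stk-full-stateless` is included, which presumably is where the CSP ends up being rendered. A comment above the first task would capture both, e.g. `# Widen this app's CSP connect-src with every logout origin (LOGOUT_CONNECT_SRC_NEW = existing connect-src + LOGOUT_ORIGINS, see vars/main.yml); must run before sys-stk-full-stateless so the merged list is what gets rendered.` The new file, like main.yml and vars/main.yml in this commit, is also written without a trailing newline.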
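Review bot: After this change the `block` in main.yml wraps a single `include_tasks`, so it adds a nesting level for nothing; the guard can sit on the include itself: `- include_tasks: 01_core.yml` / `  when: run_once_web_svc_logout is not defined`. This is purely a style point, behaviour is the same either way.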
@@ -6,7 +6,7 @@ container_port: 8000
 # The following line leads to that services which arent listed directly in the inventory,
 # but are called over other roles, aren't listed here
 # @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names)
-logout_domains: >-
- {{
- (applications | logout_domains(group_names)) | unique | join(',')
- }}
+LOGOUT_DOMAINS: "{{ (applications | logout_domains(group_names)) | unique }}"
+LOGOUT_ORIGINS: "{{ LOGOUT_DOMAINS | map('regex_replace', '^(.*)$', WEB_PROTOCOL ~ '://\\1') | list }}"
+LOGOUT_CONNECT_SRC_OLD: "{{ applications | get_app_conf(application_id,'server.csp.whitelist.connect-src') }}"
+LOGOUT_CONNECT_SRC_NEW: "{{ (LOGOUT_CONNECT_SRC_OLD + LOGOUT_ORIGINS) | unique }}"
\ No newline at end of file
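Review bot: The backreference in LOGOUT_ORIGINS is fragile: the YAML double-quoted scalar turns `\\1` into `\1` before Jinja sees it, and Jinja's own string-literal unescaping may then read `\1` as an octal escape rather than the regex group, which would drop the domain from every generated origin — worth checking the rendered value before relying on the widened connect-src. The prefix can be added without any backreference at all: `LOGOUT_ORIGINS: "{{ LOGOUT_DOMAINS | map('regex_replace', '^', WEB_PROTOCOL ~ '://') | list }}"`. LOGOUT_CONNECT_SRC_NEW also assumes `get_app_conf` returns a list when connect-src is absent or empty; if it can yield a string or null, `LOGOUT_CONNECT_SRC_OLD + LOGOUT_ORIGINS` fails at templating time, so either a `| default([], true)` on the OLD value or a comment stating the list guarantee would help. Since this list becomes the CSP allow-list for outbound requests, a one-line comment that every logout domain is deliberately admitted into connect-src would document the security intent for later readers.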