kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-09 03:37:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

web-svc-logout: merge logout domains into CSP connect-src and refactor task flow

Browse Source 
• Add tasks/01_core.yml to set applications[application_id].server.csp.whitelist['connect-src'] = LOGOUT_CONNECT_SRC_NEW.

• Switch tasks/main.yml to include 01_core.yml (run-once guard preserved).

• Update templates/env.j2 to emit LOGOUT_DOMAINS as a comma-separated list.

• Rework vars/main.yml: compute LOGOUT_DOMAINS, derive LOGOUT_ORIGINS with WEB_PROTOCOL, read connect-src via the get_app_conf filter, and merge/dedupe (unique).

Rationale: ensure CSP allows cross-domain logout requests for all configured services.

Conversation: https://chatgpt.com/share/68b5b07d-b208-800f-b6b2-f26934607c8a
This commit is contained in:
Kevin Veen-Birkenbach
2025-09-01 16:41:33 +02:00
parent b834f0c95c
commit 4ae3cee36c
4 changed files with 37 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
roles/web-svc-logout/tasks/01_core.yml Normal file
View File

@@ -0,0 +1,31 @@
- name: "Add logout domains to CSP connect-src"
set_fact:
applications: >-
{{
applications | combine(
{
application_id: {
'server': {
'csp': {
'whitelist': {
'connect-src': LOGOUT_CONNECT_SRC_NEW
}
}
}
}
},
recursive=True
)
}}
- name: "load docker, proxy for '{{ application_id }}'"
include_role:
name: sys-stk-full-stateless
- name: Create symbolic link from .env file to repository
file:
src: "{{ docker_compose.files.env }}"
dest: "{{ [ docker_repository_path, '.env' ] | path_join }}"
state: link
- include_tasks: utils/run_once.yml

12
roles/web-svc-logout/tasks/main.yml
View File

@@ -1,14 +1,4 @@
--- ---
- block: - block:
- name: "load docker, proxy for '{{ application_id }}'" - include_tasks: 01_core.yml
include_role:
name: sys-stk-full-stateless
- name: Create symbolic link from .env file to repository
file:
src: "{{ docker_compose.files.env }}"
dest: "{{ [ docker_repository_path, '.env' ] | path_join }}"
state: link
- include_tasks: utils/run_once.yml
when: run_once_web_svc_logout is not defined when: run_once_web_svc_logout is not defined

2
roles/web-svc-logout/templates/env.j2
View File

@@ -1,5 +1,5 @@
# Commaseparated list of all subdomains to log out (no spaces) # Commaseparated list of all subdomains to log out (no spaces)
LOGOUT_DOMAINS={{ logout_domains }} LOGOUT_DOMAINS={{ LOGOUT_DOMAINS | join(',') }}
# Port the logout service will listen on inside the container # Port the logout service will listen on inside the container
LOGOUT_PORT={{ container_port }} LOGOUT_PORT={{ container_port }}

8
roles/web-svc-logout/vars/main.yml
View File

@@ -6,7 +6,7 @@ container_port: 8000
# The following line leads to that services which arent listed directly in the inventory, # The following line leads to that services which arent listed directly in the inventory,
# but are called over other roles, aren't listed here # but are called over other roles, aren't listed here
# @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names) # @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names)
logout_domains: >- LOGOUT_DOMAINS: "{{ (applications | logout_domains(group_names)) | unique }}"
{{ LOGOUT_ORIGINS: "{{ LOGOUT_DOMAINS | map('regex_replace', '^(.*)$', WEB_PROTOCOL ~ '://\\1') | list }}"
(applications | logout_domains(group_names)) | unique | join(',') LOGOUT_CONNECT_SRC_OLD: "{{ applications | get_app_conf(application_id,'server.csp.whitelist.connect-src') }}"
}} LOGOUT_CONNECT_SRC_NEW: "{{ (LOGOUT_CONNECT_SRC_OLD + LOGOUT_ORIGINS) | unique }}"