From 6d5113b6ea96b6eb70d027d443a32e00cbf5f083 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 24 Feb 2025 21:00:22 +0100
Subject: [PATCH] Updated security for OAuth2 and optimized CSS
---
group_vars/all/07_applications.yml | 13 +++++++-----
.../templates/oauth2-proxy-keycloak.cfg.j2 | 8 +++----
roles/docker-openproject/vars/main.yml | 2 +-
.../templates/global.css.j2 | 21 +++++++++++++++----
4 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 1974c96b..ff0742e9 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -126,6 +126,7 @@ defaults_applications:
 enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface
 application: lam # Needs to be the same as webinterface
 port: 80 # If you use phpldapadmin set it to 8080
+# cookie_secret: None # Set via openssl rand -hex 16
 database:
 central_storage: false # LDAP doesn't use an database in the current configuration. Propably a good idea to implement one later.
 # administrator_password: # CHANGE for security reasons in inventory file
@@ -164,6 +165,7 @@ defaults_applications:
 version: "latest"
 oauth2_proxy:
 enabled: false # Deactivated atm. @todo implement
+# cookie_secret: None # Set via openssl rand -hex 16
 # database_password: Null # Needs to be set in inventory file
 # auth_token: Null # Needs to be set in inventory file
 css:
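Review bot: The placeholder `# cookie_secret: None # Set via openssl rand -hex 16` becomes the literal string `None` rather than a null if an operator uncomments it unchanged, because YAML has no `None` keyword; oauth2-proxy would then be handed a four-byte secret. The comment also names a command instead of the requirement: oauth2-proxy accepts only a 16-, 24- or 32-byte key for signing/encrypting its session cookie, and `openssl rand -hex 16` happens to produce a 32-character value that fits, so anyone who changes the `16` can break startup without knowing why. Since this file is committed, say where the real value belongs as well. Suggested line: `# cookie_secret: # Required when oauth2_proxy is enabled: a 16/24/32-byte cookie key (e.g. openssl rand -hex 16), set in an ansible-vault encrypted inventory, never in group_vars`.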
@@ -237,15 +239,13 @@ defaults_applications: # database_password: Null # Needs to be set in inventory file administrator_username: "{{administrator_username}}" administrator_initial_password: "{{administrator_initial_password}}" - - + ## OAuth2 Proxy oauth2_proxy: configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it version: "latest" # Docker Image version redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups - cookie_secret: "{{ applications.oauth2_proxy.cookie_secret if applications.oauth2_proxy is defined else '' }}" # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16 ## Open Project openproject: @@ -254,6 +254,7 @@ defaults_applications: enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed application: "proxy" port: "80" +# cookie_secret: None # Set via openssl rand -hex 16 ldap_enabled: True # Enables LDAP by default database: central_storage: True @@ -275,10 +276,11 @@ defaults_applications: enabled: true port: "80" application: "application" +# cookie_secret: None # Set via openssl rand -hex 16 database: central_storage: True css: - enabled: True # The css needs more optimation for PHPMyAdmin + enabled: False # The css needs more optimation for PHPMyAdmin ## Pixelfed pixelfed: @@ -316,7 +318,8 @@ defaults_applications: enabled: true application: "application" port: "80" - location: "/admin/" # Protects the admin area + location: "/admin/" # Protects the admin area +# cookie_secret: None # Set via openssl rand -hex 16 database: central_storage: True 
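Review bot: With the shared `cookie_secret` removed, `allowed_roles: admin` is the last per-proxy security setting left in the global `oauth2_proxy` block, and its comment still tells operators to widen the role per application in `vars/main.yml`; the template changed in this same commit reads `applications.oauth2_proxy.allowed_roles`, so such an override is never picked up and every instance keeps `admin`. That fails closed, but the comment promises something that does not happen, so I would change it to `allowed_roles: admin # Global for every proxy instance; per-application overrides are not yet read by oauth2-proxy-keycloak.cfg.j2 (@todo)`. Separately, the unchanged `redirect_url` default points at Keycloak's `/protocol/openid-connect/auth` endpoint, whereas oauth2-proxy's `redirect_url` is the proxy's own callback (typically `https://<app domain>/oauth2/callback`) that has to be registered on the Keycloak client; if the template actually consumes this value (its lines 8-14 are outside the diff), the comment `It should match the redirect URL configured in Keycloak` describes the wrong URL and should be corrected.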
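Review bot: `location: "/admin/"` protects exactly that path prefix and nothing else; if the nginx role (not in this diff) turns it into a plain `location /admin/` block, `/admin` without the trailing slash and any admin-only API the application serves under another prefix reach the upstream without passing through oauth2-proxy. Which application this entry belongs to is not visible in the hunk, so I cannot say whether such endpoints exist, but the comment should not read as whole-application protection. Suggested: `location: "/admin/" # Only this prefix is behind oauth2-proxy; other privileged routes of the app remain reachable without it`.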
diff --git a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index e9678410..403a3e3c 100644
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@@ -1,7 +1,7 @@
 http_address = "0.0.0.0:4180"
-cookie_secret = "{{applications.oauth2_proxy.cookie_secret}}"
+cookie_secret = "{{applications[application_id].oauth2_proxy.cookie_secret}}"
 email_domains = "{{primary_domain}}"
-cookie_secure = "false"
+cookie_secure = "true" # True is necessary to force the cookie set via https
 upstreams = "http://{{applications[application_id].oauth2_proxy.application}}:{{applications[application_id].oauth2_proxy.port}}"
 cookie_domains = ["{{domain}}", "{{domains.keycloak}}"] # Required so cookie can be read on all subdomains.
 whitelist_domains = [".{{primary_domain}}"] # Required to allow redirection back to original requested target.
@@ -15,5 +15,5 @@ provider = "oidc"
 provider_display_name = "Keycloak"
 
 # role restrictions
-#cookie_roles = "realm_access.roles"
-allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}"
\ No newline at end of file
+#cookie_roles = "realm_access.roles"
+allowed_roles = "{{applications.oauth2_proxy.allowed_roles}}" # This is not correct here. needs to be placed in applications @todo move there when implementing
\ No newline at end of file
diff --git a/roles/docker-openproject/vars/main.yml b/roles/docker-openproject/vars/main.yml
index 45840bc0..2c27281c 100644
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
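Review bot: `cookie_secret = "{{applications[application_id].oauth2_proxy.cookie_secret}}"` now requires a per-application value that this commit only provides as a commented-out placeholder in group_vars, so a deployment that enables the proxy without setting it fails with an undefined-variable error at best and, where undefined variables are tolerated, renders an empty secret. Make the requirement explicit where the value is consumed: `cookie_secret = "{{ applications[application_id].oauth2_proxy.cookie_secret | mandatory('oauth2_proxy.cookie_secret is not set for ' ~ application_id) }}"`. The `cookie_secure` flip is the right call, but this is TOML and `"true"` is a string; oauth2-proxy presumably coerced the old `"false"` the same way, yet the unquoted `cookie_secure = true` does not depend on that. While here, add `cookie_samesite = "lax"` unless it is already set in lines 8-14, which the hunk does not show, and reconsider listing `{{domains.keycloak}}` in `cookie_domains`: the OIDC flow does not need the proxy's session cookie to be sent to the Keycloak host, so scoping it to `{{domain}}` alone shrinks where the cookie travels.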
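Review bot: The hunk header shows `provider = "oidc"`, and as far as I know oauth2-proxy only enforces `allowed_roles` with the `keycloak-oidc` provider; with the generic `oidc` provider the option is ignored, which would mean the role restriction this file is trying to express does nothing and any realm user whose e-mail matches `email_domains` gets through. Please verify this against the oauth2-proxy image pinned as `latest` here and, if confirmed, switch to `provider = "keycloak-oidc"`, which reads realm roles from the token's `realm_access.roles` claim - the claim the commented `#cookie_roles` line seems to refer to. The added comment on `allowed_roles` correctly notes the value still comes from the global `applications.oauth2_proxy`; stating the consequence in the @todo, `# read from the global block, so per-application role settings are not honored yet`, would save the next reader the cross-check.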
@@ -1,6 +1,6 @@
 application_id: "openproject"
 docker_repository_address: "https://github.com/opf/openproject-deploy"
-database_password: "{{openproject_database_password}}"
+database_password: "{{applications[application_id].credentials.database_password}}"
 database_type: "postgres"
 openproject_plugins_service: "{{docker_compose.directories.services}}plugins/"
 
diff --git a/roles/nginx-modifier-css/templates/global.css.j2 b/roles/nginx-modifier-css/templates/global.css.j2
index 1b5be685..67b7603a 100644
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
@@ -847,6 +847,7 @@ html[native-dark-active] .btn, .btn {
 /* New Gradient based on original background (90 -5, 90, 90 +1, 90 +5) */
 background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-85), var(--color-90), var(--color-91), var(--color-95));
 border-color: var(--color-85);
+color: var(--color-12);
 }
 
 .card-body {
@@ -877,7 +878,7 @@ html[native-dark-active] .btn, .btn {
 color: var(--color-40);
 }
 
-/* Keycloak Header */
+/* Keycloak */
 div#app header, div#app header *{
 background-color: var(--color-60);
 /* New Gradient based on original background (60 -5, 60, 60 +1, 60 +5) */
@@ -998,7 +999,6 @@ div#mastodon .dropdown-button{
 div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, div#mastodon .button:hover{
 background-color: var(--color-71);
-/* New Gradient based on original background (71 -5, 71, 71 +1, 71 +5) */
 background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-66), var(--color-71), var(--color-72), var(--color-76));
 }
 
 
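Review bot: `database_password` now resolves `applications[application_id].credentials.database_password`, but the group_vars defaults touched in this same commit keep database passwords as `# database_password: Null` directly under each application with no `credentials` level, so unless the openproject entry (not part of this diff) already uses a `credentials` sub-key the role will fail on an undefined variable. Worth confirming before merge, and if `credentials` is the intended layout, the other placeholders should be moved to match. Since the value is a secret, the tasks that consume it should run with `no_log: true` so it does not surface in playbook output. The rest of this vars file is outside the hunk.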
@@ -1009,16 +1009,29 @@ div#mastodon .button, div#mastodon .button:active, div#mastodon .button:focus, d
 /** OpenProject **/
 header.op-app-header{
 background-color: var(--color-40);
-/* New Gradient based on original background (40 -5, 40, 40 +1, 40 +5) */
 background: linear-gradient({{ range(0, 361) | random }}deg, var(--color-35), var(--color-40), var(--color-41), var(--color-45));
 color: var(--color-40);
 }
-/** Open Project **/
 div#wrapper button, div#wrapper input, button.top-menu-search-button, div.menu-sidebar a{
 background-color: transparent;
 }
 
+/* OAuth2 Proxy */
+{# The variables look like they are bootstrap variables. @todo Verify and generalize if possible #}
+.box {
+background-color: var(--color-92);
+color: var(--color-10);
+}
+
+.subtitle {
+color: inherit;
+}
+
+.has-background-light {
+background-color: var(--color-96) !important;
+}
+
 /* Pixelfed */
 div.page-wrapper{
 background: none;