Refactor and cleanup OIDC, desktop, and web-app roles

- Improved OIDC variable definitions (12_oidc.yml) - Added account/security/profile URLs - Restructured web-app-desktop tasks and JS handling - Introduced oidc.js and iframe.js with runtime loader - Fixed nginx.conf, LDAP, and healthcheck templates spacing - Improved Lua injection for CSP and snippets - Fixed typos (WordPress, receive, etc.) - Added silent-check-sso nginx location Conversation: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3
2025-08-30 15:28:12 +02:00 · 2025-08-26 20:44:05 +02:00
parent ce033c370a
commit c182ecf516
33 changed files with 543 additions and 146 deletions
--- a/roles/sys-srv-web-inj-compose/filter_plugins/inj_snippets.py
+++ b/roles/sys-srv-web-inj-compose/filter_plugins/inj_snippets.py
@@ -1,4 +1,3 @@
-# roles/sys-srv-web-inj-compose/filter_plugins/inj_snippets.py
 """
 Jinja filter: `inj_features(kind)` filters a list of features to only those
 that actually provide the corresponding snippet template file.
--- a/roles/sys-srv-web-inj-compose/templates/location.lua.j2
+++ b/roles/sys-srv-web-inj-compose/templates/location.lua.j2
@@ -1,4 +1,4 @@
-{# roles/sys-srv-web-inj-compose/templates/location.lua.j2 #}
+{# Jinja macro: expands feature snippets into Lua array pushes at render time #}
 {% macro push_snippets(list_name, features) -%}
 {% set kind = list_name | regex_replace('_snippets$','') %}
 {% for f in features if inj_enabled.get(f) -%}
@@ -14,18 +14,20 @@ header_filter_by_lua_block {
    local ct = ngx.header.content_type or ""
    if ct:lower():find("^text/html") then
        ngx.ctx.is_html = true
+        -- IMPORTANT: body will be modified → drop Content-Length to avoid mismatches
+        ngx.header.content_length = nil
    else
        ngx.ctx.is_html = false
    end
 }

 body_filter_by_lua_block {
-    -- only apply further processing if this is an HTML response
+    -- Only process HTML responses
    if not ngx.ctx.is_html then
        return
    end

-    -- initialize or reuse the buffer
+    -- Buffer all chunks until EOF
    ngx.ctx.buf = ngx.ctx.buf or {}
    local chunk, eof = ngx.arg[1], ngx.arg[2]

@@ -34,39 +36,56 @@ body_filter_by_lua_block {
    end

    if not eof then
-        -- drop intermediate chunks; we’ll emit only on eof
+        -- Swallow intermediate chunks; emit once at EOF
        ngx.arg[1] = nil
        return
    end

-    -- on eof: concatenate all buffered chunks
+    -- Concatenate the full HTML
    local whole = table.concat(ngx.ctx.buf)
-    ngx.ctx.buf = nil  -- clear buffer
+    ngx.ctx.buf = nil

-    -- remove html CSP, due to management via Infinito.Nexus policies
-    whole = whole:gsub(
-        '<meta[^>]-http%-equiv=["\']Content%-Security%-Policy["\'][^>]->%s*',
-        ''
-    )
+    -- Remove inline CSP <meta http-equiv="Content-Security-Policy"> (case-insensitive)
+    local meta_re = [[<meta[^>]+http-equiv=["']Content-Security-Policy["'][^>]*>\s*]]
+    whole = ngx.re.gsub(whole, meta_re, "", "ijo")

-    -- build a list of head-injection snippets
+    -- Build head snippets (rendered by Jinja at template time)
    local head_snippets = {}
-
    {{ push_snippets('head_snippets', inj_head_features) }}
-
-    -- inject all collected snippets right before </head>
    local head_payload = table.concat(head_snippets, "\n") .. "</head>"
-    whole = ngx.re.gsub(whole, "</head>", head_payload, "ijo", nil, 1)

-    -- build a list of body-injection snippets
+    -- Inject before </head> (first occurrence)
+    local function repl_head(_) return head_payload end
+    local new, n, err = ngx.re.sub(whole, [[</head\s*>]], repl_head, "ijo")
+    if new then
+        whole = new
+    else
+        ngx.log(ngx.WARN, "No </head> found; trying <body> fallback: ", err or "nil")
+        -- Fallback: inject right AFTER the opening <body ...> tag
+        local body_open_re = [[<body\b[^>]*>]]
+        new, n, err = ngx.re.sub(whole, body_open_re, "$0\n" .. table.concat(head_snippets, "\n"), "ijo")
+        if new then
+            whole = new
+        else
+            ngx.log(ngx.ERR, "Head-fallback failed: ", err or "nil")
+        end
+    end
+
+    -- Build body snippets (rendered by Jinja at template time)
    local body_snippets = {}
-
    {{ push_snippets('body_snippets', inj_body_features) }}
-
-    -- inject all collected snippets right before </body>
    local body_payload = table.concat(body_snippets, "\n") .. "</body>"
-    whole = ngx.re.gsub(whole, "</body>", body_payload, "ijo", nil, 1)

-    -- finally send the modified HTML out
-    ngx.arg[1] = whole
+    -- Inject before </body> (first occurrence), or append if missing
+    local function repl_body(_) return body_payload end
+    new, n, err = ngx.re.sub(whole, [[</body\s*>]], repl_body, "ijo")
+    if new then
+        whole = new
+    else
+        ngx.log(ngx.WARN, "No </body> found; appending body snippets at end: ", err or "nil")
+        whole = whole .. table.concat(body_snippets, "\n")
+    end
+
+    -- Emit the modified HTML
+    ngx.arg[1] = whole or ""
 }