Refactor and cleanup OIDC, desktop, and web-app roles

- Improved OIDC variable definitions (12_oidc.yml)
- Added account/security/profile URLs
- Restructured web-app-desktop tasks and JS handling
- Introduced oidc.js and iframe.js with runtime loader
- Fixed nginx.conf, LDAP, and healthcheck templates spacing
- Improved Lua injection for CSP and snippets
- Fixed typos (WordPress, receive, etc.)
- Added silent-check-sso nginx location

Conversation: https://chatgpt.com/share/68ae0060-4fac-800f-9f02-22592a4087d3
This commit is contained in:
2025-08-26 20:44:05 +02:00
parent ce033c370a
commit c182ecf516
33 changed files with 543 additions and 146 deletions

View File

@@ -1,4 +1,3 @@
# roles/sys-srv-web-inj-compose/filter_plugins/inj_snippets.py
"""
Jinja filter: `inj_features(kind)` filters a list of features to only those
that actually provide the corresponding snippet template file.

View File

@@ -1,4 +1,4 @@
{# roles/sys-srv-web-inj-compose/templates/location.lua.j2 #}
{# Jinja macro: expands feature snippets into Lua array pushes at render time #}
{% macro push_snippets(list_name, features) -%}
{% set kind = list_name | regex_replace('_snippets$','') %}
{% for f in features if inj_enabled.get(f) -%}
@@ -14,18 +14,20 @@ header_filter_by_lua_block {
local ct = ngx.header.content_type or ""
if ct:lower():find("^text/html") then
ngx.ctx.is_html = true
-- IMPORTANT: body will be modified → drop Content-Length to avoid mismatches
ngx.header.content_length = nil
else
ngx.ctx.is_html = false
end
}
body_filter_by_lua_block {
-- only apply further processing if this is an HTML response
-- Only process HTML responses
if not ngx.ctx.is_html then
return
end
-- initialize or reuse the buffer
-- Buffer all chunks until EOF
ngx.ctx.buf = ngx.ctx.buf or {}
local chunk, eof = ngx.arg[1], ngx.arg[2]
@@ -34,39 +36,56 @@ body_filter_by_lua_block {
end
if not eof then
-- drop intermediate chunks; well emit only on eof
-- Swallow intermediate chunks; emit once at EOF
ngx.arg[1] = nil
return
end
-- on eof: concatenate all buffered chunks
-- Concatenate the full HTML
local whole = table.concat(ngx.ctx.buf)
ngx.ctx.buf = nil -- clear buffer
ngx.ctx.buf = nil
-- remove html CSP, due to management via Infinito.Nexus policies
whole = whole:gsub(
'<meta[^>]-http%-equiv=["\']Content%-Security%-Policy["\'][^>]->%s*',
''
)
-- Remove inline CSP <meta http-equiv="Content-Security-Policy"> (case-insensitive)
local meta_re = [[<meta[^>]+http-equiv=["']Content-Security-Policy["'][^>]*>\s*]]
whole = ngx.re.gsub(whole, meta_re, "", "ijo")
-- build a list of head-injection snippets
-- Build head snippets (rendered by Jinja at template time)
local head_snippets = {}
{{ push_snippets('head_snippets', inj_head_features) }}
-- inject all collected snippets right before </head>
local head_payload = table.concat(head_snippets, "\n") .. "</head>"
whole = ngx.re.gsub(whole, "</head>", head_payload, "ijo", nil, 1)
-- build a list of body-injection snippets
-- Inject before </head> (first occurrence)
local function repl_head(_) return head_payload end
local new, n, err = ngx.re.sub(whole, [[</head\s*>]], repl_head, "ijo")
if new then
whole = new
else
ngx.log(ngx.WARN, "No </head> found; trying <body> fallback: ", err or "nil")
-- Fallback: inject right AFTER the opening <body ...> tag
local body_open_re = [[<body\b[^>]*>]]
new, n, err = ngx.re.sub(whole, body_open_re, "$0\n" .. table.concat(head_snippets, "\n"), "ijo")
if new then
whole = new
else
ngx.log(ngx.ERR, "Head-fallback failed: ", err or "nil")
end
end
-- Build body snippets (rendered by Jinja at template time)
local body_snippets = {}
{{ push_snippets('body_snippets', inj_body_features) }}
-- inject all collected snippets right before </body>
local body_payload = table.concat(body_snippets, "\n") .. "</body>"
whole = ngx.re.gsub(whole, "</body>", body_payload, "ijo", nil, 1)
-- finally send the modified HTML out
ngx.arg[1] = whole
-- Inject before </body> (first occurrence), or append if missing
local function repl_body(_) return body_payload end
new, n, err = ngx.re.sub(whole, [[</body\s*>]], repl_body, "ijo")
if new then
whole = new
else
ngx.log(ngx.WARN, "No </body> found; appending body snippets at end: ", err or "nil")
whole = whole .. table.concat(body_snippets, "\n")
end
-- Emit the modified HTML
ngx.arg[1] = whole or ""
}