Renamed injection services

roles/sys-srv-web-inj-logout/README.md

@@ -0,0 +1,29 @@
+# sys-srv-web-inj-logout
+
+This role injects a catcher that intercepts all logout elements in HTML pages served by Nginx and redirects them to a centralized logout endpoint via JavaScript.
+
+## Description
+
+The `sys-srv-web-inj-logout` Ansible role automatically embeds a lightweight JavaScript snippet into your web application's HTML responses. This script identifies logout links, buttons, forms, and other elements, overrides their target URLs, and ensures users are redirected to a central OIDC logout endpoint, providing a consistent single sign‑out experience.
+
+## Overview
+
+- **Detection**: Scans the DOM for anchors (`<a>`), buttons, inputs, forms, `use` elements and any attributes indicating logout functionality.  
+- **Override**: Rewrites logout URLs to point at your OIDC provider’s logout endpoint, including a redirect back to the application.  
+- **Dynamic content support**: Uses a `MutationObserver` to handle AJAX‑loaded or dynamically injected logout elements.  
+- **CSP integration**: Automatically appends the required script hash into your CSP policy via the role’s CSP helper.
+
+## Features
+
+- Seamless injection via Nginx `sub_filter` on `</head>`.  
+- Automatic detection of various logout mechanisms (links, buttons, forms).  
+- Centralized logout redirection for a unified user experience.  
+- No changes required in application code.  
+- Compatible with SPAs and dynamically generated content.  
+- CSP‑friendly: manages script hash for you.
+
+## Further Resources
+
+- [OpenID Connect RP-Initiated Logout](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout)  
+- [Nginx `sub_filter` Module](http://nginx.org/en/docs/http/ngx_http_sub_module.html)  
+- [Ansible Role Directory Structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_roles.html#role-directory-structure)

roles/sys-srv-web-inj-logout/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen‑Birkenbach"
+  role_name: "sys-srv-web-inj-logout"
+  description: >
+    Injects a JavaScript snippet via Nginx sub_filter that intercepts all logout actions
+    (links, buttons, forms) and redirects users to a centralized OIDC logout endpoint.
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Any
+    versions: ["all"]
+  galaxy_tags:
+  - nginx
+  - logout
+  - oidc
+  - javascript
+  - csp
+  - sub_filter
+  company: >
+    Kevin Veen‑Birkenbach   Consulting & Coaching Solutions   https://www.veen.world
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://s.infinito.nexus/code/tree/main/roles/sys-srv-web-inj-logout"

roles/sys-srv-web-inj-logout/tasks/01_core.yml

@@ -0,0 +1,8 @@
+- name: Include dependency 'srv-web-7-4-core'
+  include_role:
+    name: srv-web-7-4-core
+  when: 
+    - run_once_srv_web_7_4_core is not defined
+  
+- name: "deploy the logout.js"
+  include_tasks: "02_deploy.yml"

roles/sys-srv-web-inj-logout/tasks/02_deploy.yml

@@ -0,0 +1,16 @@
+- name: Deploy logout.js
+  template:
+    src: logout.js.j2
+    dest: "{{ INJ_LOGOUT_JS_DESTINATION }}"
+    owner: "{{ NGINX.USER }}"
+    group: "{{ NGINX.USER }}"
+    mode: '0644'
+
+- name: Get stat for logout.js
+  stat:
+    path: "{{ INJ_LOGOUT_JS_DESTINATION }}"
+  register: INJ_LOGOUT_JS_STAT
+
+- name: Set INJ_LOGOUT_JS_VERSION
+  set_fact:
+    INJ_LOGOUT_JS_VERSION: "{{ INJ_LOGOUT_JS_STAT.stat.mtime }}"

roles/sys-srv-web-inj-logout/tasks/main.yml

@@ -0,0 +1,19 @@
+- block:
+  - include_tasks: 01_core.yml
+  - set_fact:
+      run_once_sys_srv_web_inj_logout: true
+  when: run_once_sys_srv_web_inj_logout is not defined
+
+- name: "Load logout code for '{{ application_id }}'"
+  set_fact:
+    logout_code: "{{ lookup('template', 'logout_one_liner.js.j2') }}"
+
+- name: "Collapse logout code into one-liner for '{{ application_id }}'"
+  set_fact:
+    logout_code_one_liner: "{{ logout_code | to_one_liner }}"
+
+- name: "Append logout CSP hash for '{{ application_id }}'"
+  set_fact:
+    applications: "{{ applications | append_csp_hash(application_id, logout_code_one_liner) }}"
+  changed_when: false
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

roles/sys-srv-web-inj-logout/templates/body_sub.j2

@@ -0,0 +1 @@
+<script>{{ logout_code_one_liner }}</script>

roles/sys-srv-web-inj-logout/templates/head_sub.j2

@@ -0,0 +1 @@
+<script src="{{ domains | get_url('web-svc-cdn', WEB_PROTOCOL) }}/{{ INJ_LOGOUT_JS_FILE_NAME }}?{{ INJ_LOGOUT_JS_VERSION }}"></script>

roles/sys-srv-web-inj-logout/templates/logout.js.j2

@@ -0,0 +1,127 @@
+/* logoutPatch.js */
+(function(global) {
+  /**
+   * Initialize the logout patch script.
+   * @param {string} logoutUrlBase - Base logout URL (e.g., from your OIDC client).
+   * @param {string} webProtocol - Protocol to use (e.g., "https").
+   * @param {string} primaryDomain - Primary domain (e.g., "example.com").
+   */
+  function initLogoutPatch(logoutUrlBase, webProtocol, primaryDomain) {
+    const redirectUri = encodeURIComponent(webProtocol + '://' + primaryDomain);
+    const logoutUrl = logoutUrlBase + '?redirect_uri=' + redirectUri;
+
+    function matchesLogout(str) {
+      return str && /(?:^|\W)log\s*out(?:\W|$)|logout/i.test(str);
+    }
+
+    /**
+    * Returns true if any attribute name or value on the given element
+    * contains the substring "logout" (case-insensitive).
+    *
+    * @param {Element} element – The DOM element to inspect.
+    * @returns {boolean} – True if "logout" appears in any attribute name or value.
+    */
+    function containsLogoutAttribute(element) {
+      for (const attribute of element.attributes) {
+        if (/logout/i.test(attribute.name) || /logout/i.test(attribute.value)) {
+          return true;
+        }
+      }
+      return false;
+    }
+
+    function matchesTechnicalIndicators(el) {
+      const title = el.getAttribute('title');
+      const ariaLabel = el.getAttribute('aria-label');
+      const onclick = el.getAttribute('onclick');
+
+      if (matchesLogout(title) || matchesLogout(ariaLabel) || matchesLogout(onclick)) return true;
+
+      for (const attr of el.attributes) {
+        if (attr.name.startsWith('data-') && matchesLogout(attr.name + attr.value)) return true;
+      }
+
+      if (typeof el.onclick === 'function' && matchesLogout(el.onclick.toString())) return true;
+
+      if (el.tagName.toLowerCase() === 'use') {
+        const href = el.getAttribute('xlink:href') || el.getAttribute('href');
+        if (matchesLogout(href)) return true;
+      }
+      return false;
+    }
+
+    /**
+    * Apply logout redirect behavior to a matching element:
+    * – Installs a capturing click‐handler to force navigation to logoutUrl
+    * – Always sets href/formaction/action to logoutUrl
+    * – Marks the element as patched to avoid double‐binding
+    *
+    * @param {Element} el – The element to override (e.g. <a>, <button>, <form>, <input>)
+    * @param {string} logoutUrl – The full logout URL including redirect params
+    */
+    function overrideLogout(el, logoutUrl) {
+      // avoid patching the same element twice
+      if (el.dataset._logoutHandled) return;
+      el.dataset._logoutHandled = "true";
+
+      // show pointer cursor
+      el.style.cursor = 'pointer';
+
+      // capture‐phase listener so it fires before any framework handlers
+      el.addEventListener('click', function(e) {
+        e.preventDefault();
+        window.location.href = logoutUrl;
+      }, { capture: true });
+
+      const tag = el.tagName.toLowerCase();
+
+      // always set the link target on <a>
+      if (tag === 'a') {
+        el.setAttribute('href', logoutUrl);
+      }
+      // always set the formaction on <button> or <input>
+      else if ((tag === 'button' || tag === 'input') && el.hasAttribute('formaction')) {
+        el.setAttribute('formaction', logoutUrl);
+      }
+      // always set the form action on <form>
+      else if (tag === 'form') {
+        el.setAttribute('action', logoutUrl);
+      }
+    }
+
+    function scanAndPatch(elements) {
+      elements.forEach(el => {
+        const tagName = el.tagName.toLowerCase();
+        const isPotential = ['a','button','input','form','use'].includes(tagName);
+        if (!isPotential) return;
+        if (
+          matchesLogout(el.getAttribute('name')) ||
+          matchesLogout(el.id) ||
+          matchesLogout(el.className) ||
+          matchesLogout(el.innerText) ||
+          containsLogoutAttribute(el) ||
+          matchesTechnicalIndicators(el)
+        ) {
+          overrideLogout(el, logoutUrl);
+        }
+      });
+    }
+
+    // Initial scan
+    scanAndPatch(Array.from(document.querySelectorAll('*')));
+
+    // Watch for dynamic content
+    const observer = new MutationObserver(mutations => {
+      mutations.forEach(mutation => {
+        mutation.addedNodes.forEach(node => {
+          if (!(node instanceof Element)) return;
+          scanAndPatch([node, ...node.querySelectorAll('*')]);
+        });
+      });
+    });
+    observer.observe(document.body, { childList: true, subtree: true });
+  }
+
+  // Expose to global scope
+  global.initLogoutPatch = initLogoutPatch;
+})(window);

roles/sys-srv-web-inj-logout/templates/logout_one_liner.js.j2

@@ -0,0 +1,7 @@
+document.addEventListener('DOMContentLoaded', function() {
+    initLogoutPatch(
+        '{{ oidc.client.logout_url }}',
+        '{{ WEB_PROTOCOL }}',
+        '{{ PRIMARY_DOMAIN }}'
+    );
+});

roles/sys-srv-web-inj-logout/vars/main.yml

@@ -0,0 +1,2 @@
+INJ_LOGOUT_JS_FILE_NAME:    "logout.js"
+INJ_LOGOUT_JS_DESTINATION:  "{{ [ NGINX.DIRECTORIES.DATA.CDN, INJ_LOGOUT_JS_FILE_NAME ] | path_join }}"