diff --git a/roles/sys-svc-proxy/templates/vhost/basic.conf.j2 b/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
index fc4fa7d2..b1f1ed34 100644
--- a/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
+++ b/roles/sys-svc-proxy/templates/vhost/basic.conf.j2
@@ -17,7 +17,7 @@ server
 {% include 'roles/sys-svc-letsencrypt/templates/ssl_header.j2' %}
 {% if applications | get_app_conf(application_id, 'features.oauth2', False) %}
- {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', False, {}) %}
+ {% set acl = applications | get_app_conf(application_id, 'docker.services.oauth2_proxy.acl', False, {}) %}
 {% if acl.blacklist is defined %}
 {# 1. Expose everything by default, then protect blacklisted paths #}
diff --git a/roles/web-app-friendica/config/main.yml b/roles/web-app-friendica/config/main.yml
index 15297f92..6095d8ea 100644
--- a/roles/web-app-friendica/config/main.yml
+++ b/roles/web-app-friendica/config/main.yml
@@ -23,13 +23,14 @@ server: unsafe-eval: true style-src-attr: unsafe-inline: true -oauth2_proxy: - application: "application" - port: "80" addons: keycloakpassword: {} ldapauth: {} docker: services: database: - enabled: true + enabled: true + oauth2_proxy: + origin: + host: "application" + port: "80" \ No newline at end of file
diff --git a/roles/web-app-funkwhale/config/main.yml b/roles/web-app-funkwhale/config/main.yml
index eca8d414..8dbd4665 100644
--- a/roles/web-app-funkwhale/config/main.yml
+++ b/roles/web-app-funkwhale/config/main.yml
@@ -12,6 +12,13 @@ docker: enabled: true database: enabled: true + oauth2_proxy: + origin: + host: "front" + port: "80" + acl: + blacklist: + - "/login" features: matomo: true css: false
@@ -32,9 +39,3 @@ server: whitelist: font-src: - "data:" -oauth2_proxy: - application: "front" - port: "80" - acl: - blacklist: - - "/login"
diff --git a/roles/web-app-gitea/config/main.yml b/roles/web-app-gitea/config/main.yml
index 47f42d20..fbe27cae 100644
--- a/roles/web-app-gitea/config/main.yml 
+++ b/roles/web-app-gitea/config/main.yml
@@ -13,12 +13,7 @@ features: oauth2: true oidc: false # Deactivated because users aren't auto-created. logout: true -oauth2_proxy: - application: "application" - port: "<< defaults_applications[web-app-gitea].docker.services.gitea.port >>" - acl: - blacklist: - - "/user/login" + server: csp: flags:
@@ -59,5 +54,12 @@ docker: mem_reservation: 0.2g mem_limit: 0.3g pids_limit: 512 + oauth2_proxy: + origin: + host: "application" + port: "<< defaults_applications[web-app-gitea].docker.services.gitea.port >>" + acl: + blacklist: + - "/user/login" volumes: data: "gitea_data"
diff --git a/roles/web-app-lam/config/main.yml b/roles/web-app-lam/config/main.yml
index d51b8129..9f5a03c8 100644
--- a/roles/web-app-lam/config/main.yml
+++ b/roles/web-app-lam/config/main.yml
@@ -1,13 +1,14 @@ docker: services: lam: - image: ghcr.io/ldapaccountmanager/lam - version: latest -oauth2_proxy: - application: application - port: 80 - allowed_groups: - - "{{ [RBAC.GROUP.NAME, 'web-app-lam-administrator'] | path_join }}" + image: ghcr.io/ldapaccountmanager/lam + version: latest + oauth2_proxy: + origin: + host: application + port: 80 + allowed_groups: + - "{{ [RBAC.GROUP.NAME, 'web-app-lam-administrator'] | path_join }}" features: matomo: true css: true
diff --git a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
index f6f3868c..340fda20 100644
--- a/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2 
@@ -1,7 +1,7 @@
 http_address = "0.0.0.0:4180"
 cookie_secret = "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
-cookie_secure = "true" # True is necessary to force the cookie set via https
-upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
+cookie_secure = "true" # True is necessary to force the cookie set via https
+upstreams = "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.host') }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.port') }}"
 cookie_domains = ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('web-app-keycloak') }}"] # Required so cookie can be read on all subdomains.
 whitelist_domains = [".{{ PRIMARY_DOMAIN }}"] # Required to allow redirection back to original requested target.
@@ -13,11 +13,11 @@ oidc_issuer_url = "{{ OIDC.CLIENT.ISSUER_URL }}"
 provider = "oidc"
 provider_display_name = "{{ OIDC.BUTTON_TEXT }}"
-{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
+{% if applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups', False) %}
 {# role based restrictions #}
 scope = "openid email profile {{ RBAC.GROUP.CLAIM }}"
 oidc_groups_claim = "{{ RBAC.GROUP.CLAIM }}"
-allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) | to_json }}
+allowed_groups = {{ applications | get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.allowed_groups') | to_json }}
 email_domains = ["*"]
 {% else %}
 email_domains = "{{ PRIMARY_DOMAIN }}" 
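Review bot: The new `upstreams` line drops the trailing `True` that the replaced lookups passed (and that `cookie_secret` two lines above still passes), and the `allowed_groups` line in the second hunk drops it too; if that argument is the required flag and defaults to non-strict, a role without an `origin` block renders an `upstreams` of `http://:` (or with `None` in it) at deploy time instead of failing the play, leaving the auth proxy with no valid backend. That case exists in this very commit: the phpmyadmin, snipe-it and yourls config hunks move `oauth2_proxy` under `docker.services` but keep `application`/`port` rather than `origin.host`/`origin.port`, so they no longer match what this template reads. I would restore strictness here, `... get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.host', True) }}:{{ ... get_app_conf(oauth2_proxy_application_id, 'docker.services.oauth2_proxy.origin.port', True) }}"`, likewise on `allowed_groups`, and convert the three configs to the `origin:` shape used by friendica, funkwhale, gitea, lam, openproject, pgadmin and phpldapadmin. The `cookie_secure` change in this hunk is whitespace only.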
diff --git a/roles/web-app-openproject/config/main.yml b/roles/web-app-openproject/config/main.yml
index 05594490..187adf11 100644
--- a/roles/web-app-openproject/config/main.yml
+++ b/roles/web-app-openproject/config/main.yml
@@ -1,11 +1,3 @@ -oauth2_proxy: - application: "proxy" - port: "80" - acl: - whitelist: - - "/users/me" # Necessary for Nextcloud Plugin to work - - "/api/" # Necessary for Nextcloud Plugin to work - - "/oauth/token" # Necessary for Nextcloud Plugin to work ldap: filters: administrators: False # Set true to filter administrators
@@ -78,6 +70,14 @@ docker: mem_reservation: "512m" mem_limit: "512m" pids_limit: 256 - + oauth2_proxy: + origin: + host: "proxy" + port: "80" + acl: + whitelist: + - "/users/me" # Necessary for Nextcloud Plugin to work + - "/api/" # Necessary for Nextcloud Plugin to work + - "/oauth/token" # Necessary for Nextcloud Plugin to work volumes: data: "openproject_data"
diff --git a/roles/web-app-pgadmin/config/main.yml b/roles/web-app-pgadmin/config/main.yml
index 67ae29b7..ad9cc412 100644
--- a/roles/web-app-pgadmin/config/main.yml
+++ b/roles/web-app-pgadmin/config/main.yml
@@ -1,11 +1,6 @@ version: "latest" -server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk. -master_password_required: True # Master password is required. Recommended True. False is a security risk. -oauth2_proxy: - application: "application" - port: "80" - allowed_groups: - - "{{ [RBAC.GROUP.NAME, 'web-app-pgadmin-administrator'] | path_join }}" +server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk. +master_password_required: True # Master password is required. Recommended True. False is a security risk. features: matomo: true css: true 
@@ -31,3 +26,9 @@ docker: services: database: enabled: true + oauth2_proxy: + origin: + host: "application" + port: "80" + allowed_groups: + - "{{ [RBAC.GROUP.NAME, 'web-app-pgadmin-administrator'] | path_join }}" \ No newline at end of file
diff --git a/roles/web-app-phpldapadmin/config/main.yml b/roles/web-app-phpldapadmin/config/main.yml
index 19c68ca6..4ab9a5d9 100644
--- a/roles/web-app-phpldapadmin/config/main.yml
+++ b/roles/web-app-phpldapadmin/config/main.yml
@@ -1,18 +1,23 @@ -version: "2.0.0-dev" -oauth2_proxy: - application: application # Needs to be the same as webinterface - port: 8080 # application port - allowed_groups: - - "{{ [RBAC.GROUP.NAME, 'web-app-phpldapadmin-administrator'] | path_join }}" features: - matomo: true - css: true - desktop: true - ldap: true - oauth2: true + matomo: true + css: true + desktop: true + ldap: true + oauth2: true logout: true server: domains: canonical: - phpldapadmin.{{ PRIMARY_DOMAIN }} aliases: [] +docker: + services: + phpldapadmin: + image: leenooks/phpldapadmin + version: "2.0.0-dev" + oauth2_proxy: + origin: + host: application # Needs to be the same as webinterface + port: 8080 # application port + allowed_groups: + - "{{ [RBAC.GROUP.NAME, 'web-app-phpldapadmin-administrator'] | path_join }}" \ No newline at end of file
diff --git a/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2 b/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2
index eeedb73f..c2c029d7 100644
--- a/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2
+++ b/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2
@@ -2,7 +2,7 @@ application: container_name: {{ application_id }} - image: leenooks/phpldapadmin:{{ applications | get_app_conf(application_id, 'version', True)}} + image: {{ PHPLDAPADMIN_IMAGE }}:{{ PHPLDAPADMIN_VERSION }} ports: - 127.0.0.1:{{ ports.localhost.http[application_id] }}:8080 {% include 'roles/docker-container/templates/base.yml.j2' %} 
diff --git a/roles/web-app-phpldapadmin/vars/main.yml b/roles/web-app-phpldapadmin/vars/main.yml
index 07225395..4af32d70 100644
--- a/roles/web-app-phpldapadmin/vars/main.yml
+++ b/roles/web-app-phpldapadmin/vars/main.yml
@@ -1 +1,5 @@
-application_id: "web-app-phpldapadmin"
\ No newline at end of file
+application_id: "web-app-phpldapadmin"
+entity_name: "{{ application_id | get_entity_name }}"
+
+PHPLDAPADMIN_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ entity_name ~ '.image' )}}"
+PHPLDAPADMIN_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.' ~ entity_name ~ '.version' )}}"
\ No newline at end of file
diff --git a/roles/web-app-phpmyadmin/config/main.yml b/roles/web-app-phpmyadmin/config/main.yml
index 5fc475bc..122170ee 100644
--- a/roles/web-app-phpmyadmin/config/main.yml
+++ b/roles/web-app-phpmyadmin/config/main.yml
@@ -1,13 +1,8 @@ autologin: false # This is a high security risk. Just activate this option if you know what you're doing -oauth2_proxy: - port: "80" - application: "application" - allowed_groups: - - "{{ [RBAC.GROUP.NAME, 'web-app-phpmyadmin-administrator'] | path_join }}" features: matomo: true css: false - desktop: false # Opens itself in a new window, when it's loaded in an iframe. + desktop: false # Opens itself in a new window, when it's loaded in an iframe. # it's anyhow not so enduser relevant, so it can be kept like this central_database: true oauth2: true
@@ -30,4 +25,9 @@ docker: phpmyadmin: version: "latest" # Use the latest phpmyadmin version name: "phpmyadmin" - image: phpmyadmin/phpmyadmin + image: "phpmyadmin/phpmyadmin" + oauth2_proxy: + port: "80" + application: "application" + allowed_groups: + - "{{ [RBAC.GROUP.NAME, 'web-app-phpmyadmin-administrator'] | path_join }}" \ No newline at end of file
diff --git a/roles/web-app-snipe-it/config/main.yml b/roles/web-app-snipe-it/config/main.yml
index 05b1f23b..b741777e 100644
--- a/roles/web-app-snipe-it/config/main.yml 
+++ b/roles/web-app-snipe-it/config/main.yml
@@ -1,11 +1,11 @@ features: - matomo: true - css: false - desktop: true - central_database: true - ldap: true - oauth2: true - logout: true + matomo: true + css: false + desktop: true + central_database: true + ldap: true + oauth2: true + logout: true server: domains: canonical:
@@ -23,12 +23,6 @@ server: whitelist: font-src: - "data:" -oauth2_proxy: - application: "application" - port: "80" - acl: - blacklist: - - "/login" docker: services: redis:
@@ -39,6 +33,12 @@ docker: version: "latest" name: "snipe-it" image: "grokability/snipe-it" + oauth2_proxy: + application: "application" + port: "80" + acl: + blacklist: + - "/login" volumes: data: "snipe-it_data"
diff --git a/roles/web-app-yourls/config/main.yml b/roles/web-app-yourls/config/main.yml
index fbd0353b..e3d7c878 100644
--- a/roles/web-app-yourls/config/main.yml
+++ b/roles/web-app-yourls/config/main.yml
@@ -1,11 +1,3 @@ -oauth2_proxy: - application: "application" - port: "80" - allowed_groups: - - "{{ [RBAC.GROUP.NAME, 'web-app-yourls-administrator'] | path_join }}" - acl: - blacklist: - - "<< defaults_applications[web-app-yourls].server.locations.admin >>" # Protects the admin area features: matomo: true css: true
@@ -38,3 +30,11 @@ docker: version: "latest" name: "yourls" image: "yourls" + oauth2_proxy: + application: "application" + port: "80" + allowed_groups: + - "{{ [RBAC.GROUP.NAME, 'web-app-yourls-administrator'] | path_join }}" + acl: + blacklist: + - "<< defaults_applications[web-app-yourls].server.locations.admin >>" # Protects the admin area
diff --git a/tests/integration/test_oauth2_acl_mutual_exclusive.py b/tests/integration/test_oauth2_acl_mutual_exclusive.py
index 9e0dbfc1..9331711f 100644
--- a/tests/integration/test_oauth2_acl_mutual_exclusive.py
+++ b/tests/integration/test_oauth2_acl_mutual_exclusive.py 
@@ -22,7 +22,8 @@ class TestOauth2AclMutualExclusion(unittest.TestCase):
 failures.append(f"{role_path.name}: failed to parse YAML ({e})")
 continue
- oauth2 = data.get("oauth2_proxy", {})
+ services = data.get("services", {})
+ oauth2 = services.get("oauth2_proxy", {})
 acl = oauth2.get("acl", None)
 if acl is None:
 continue
@@ -37,7 +38,7 @@ class TestOauth2AclMutualExclusion(unittest.TestCase):
 if failures:
 self.fail(
- "The following roles define both whitelist and blacklist under oauth2_proxy.acl:\n"
+ "The following roles define both whitelist and blacklist under docker.services.oauth2_proxy.acl:\n"
 + "\n".join(failures)
 )
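Review bot: `services = data.get("services", {})` reads `services` at the top level of the parsed role config, but the new layout (and the failure message updated in the second hunk) puts it under `docker`, so `oauth2` is always `{}`, `acl` is always `None`, and the mutual-exclusion check now passes vacuously for every role. The lookup should follow the full path, `oauth2 = data.get("docker", {}).get("services", {}).get("oauth2_proxy", {})`, and since `data.get("docker")` can be an explicit `null` in YAML, guarding with `(data.get("docker") or {})` avoids an `AttributeError` that would read as a test crash rather than a finding. Once the path is fixed, a sibling assertion that every `oauth2_proxy` block defines `origin.host` and `origin.port` would have flagged the phpmyadmin, snipe-it and yourls configs in this commit. The enclosing test method starts and ends outside the hunk.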