kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-08 10:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:feature/xwiki-auth-oidc
Branches Tags
kevinveenbirkenbach:master kevinveenbirkenbach:features/web-app-suitecrm kevinveenbirkenbach:feature/shopware kevinveenbirkenbach:feature/drupal kevinveenbirkenbach:feature/xwiki-auth-oidc kevinveenbirkenbach:feature/keycloak-service-account-client
..
compare: kevinveenbirkenbach:37b213f96adf3751bc695c0417f5d7d9b2bcec78
Branches Tags
kevinveenbirkenbach:master kevinveenbirkenbach:features/web-app-suitecrm kevinveenbirkenbach:feature/shopware kevinveenbirkenbach:feature/drupal kevinveenbirkenbach:feature/xwiki-auth-oidc kevinveenbirkenbach:feature/keycloak-service-account-client

2 Commits
feature/xw ... 37b213f96a

Author SHA1 Message Date
Kevin Veen-Birkenbach
37b213f96a Refactor XWiki OIDC activation to use REST-based authenticationService update (reliable alternative to Groovy) — see ChatGPT discussion: https://chatgpt.com/share/69005d88-6bf8-800f-af41-73b0e5dc9c13 2025-10-29 11:12:19 +01:00
Kevin Veen-Birkenbach
5ef525eac9 Optimized CSP for Gitlab 2025-10-28 08:26:53 +01:00
5 changed files with 8 additions and 148 deletions
Expand all files Collapse all files

4
roles/web-app-gitlab/config/main.yml
View File

@@ -27,3 +27,7 @@ server:
domains: domains:
canonical: canonical:
- lab.git.{{ PRIMARY_DOMAIN }} - lab.git.{{ PRIMARY_DOMAIN }}
csp:
flags:
script-src-elem:
unsafe-inline: true

6
roles/web-app-xwiki/tasks/01_core.yml
View File

@@ -36,12 +36,6 @@
- name: Load setup procedures for extensions - name: Load setup procedures for extensions
include_tasks: 04_extensions.yml include_tasks: 04_extensions.yml
- name: "Set authentication service according to feature toggles"
include_tasks: 05_set_authservice.yml
- name: "Run AuthDiag (temporary)"
include_tasks: _auth_diag.yml
- block: - block:
- name: "Create Final Docker Compose File" - name: "Create Final Docker Compose File"
template: template:

73
roles/web-app-xwiki/tasks/05_set_authservice.yml
View File

@@ -1,73 +0,0 @@
---
# Sets XWikiPreferences.authenticationService to modern component hint (standard, oidc, ldap)
- name: "XWIKI | Compute target authservice hint"
set_fact:
_target_authservice: >-
{{
'oidc' if (XWIKI_OIDC_ENABLED | bool)
else ('ldap' if (XWIKI_LDAP_ENABLED | bool)
else 'standard')
}}
- name: "XWIKI | PUT Groovy page SetAuthService"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
method: PUT
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200,201,202,204]
headers:
Content-Type: "application/xml"
Accept: "application/xml"
body: |
<page xmlns="http://www.xwiki.org">
<title>SetAuthService</title>
<content><![CDATA[
{% raw %}{{groovy}}{% endraw %}
try {
def doc = xwiki.getDocument('XWiki.XWikiPreferences')
def obj = doc.getObject('XWiki.XWikiPreferences', true)
obj.set('authenticationService', '{{ _target_authservice }}')
def engine = xcontext.context.getWiki()
engine.saveDocument(doc.getDocument(), "Set authentication service to {{ _target_authservice }}", true, xcontext.context)
print "OK::{{ _target_authservice }}"
} catch (Throwable t) {
print "ERROR::" + (t?.message ?: t?.toString())
}
{% raw %}{{/groovy}}{% endraw %}
]]></content>
<syntax>xwiki/2.1</syntax>
</page>
register: _put_auth_page
- name: "XWIKI | Execute SetAuthService"
uri:
url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/SetAuthService?xpage=plain"
method: GET
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200]
return_content: yes
register: _exec_auth_page
retries: 10
delay: 3
until: _exec_auth_page is succeeded
- name: "ASSERT | Auth service set"
assert:
that:
- _exec_auth_page.content is search("OK::")
fail_msg: "Failed to set XWikiPreferences.authenticationService: {{ _exec_auth_page.content | default('no content') }}"
- name: "XWIKI | Delete SetAuthService page"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
method: DELETE
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [204,200,202,404]
changed_when: false

68
roles/web-app-xwiki/tasks/_auth_diag.yml
View File

@@ -1,68 +0,0 @@
# roles/web-app-xwiki/tasks/_auth_diag.yml
- name: "XWIKI | PUT page XWiki.AuthDiag (Groovy)"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
method: PUT
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200,201,202,204]
headers:
Content-Type: "application/xml"
Accept: "application/xml"
body: |
<page xmlns="http://www.xwiki.org">
<title>AuthDiag</title>
<content><![CDATA[
{% raw %}{{groovy}}{% endraw %}
import org.xwiki.security.authservice.AuthService
try {
def cm = services.component.componentManager
def hints = cm.getComponentDescriptorList(AuthService).collect{ it.roleHint }.sort()
def doc = xwiki.getDocument('XWiki.XWikiPreferences')
def obj = doc.getObject('XWiki.XWikiPreferences', true)
def pref = (obj.get('authenticationService') ?: 'unset')
println "HINTS::" + hints
println "PREF::" + pref
def chosenHint = (pref ?: 'standard')
def hasChosen = hints.contains(chosenHint)
println "HAS_CHOSEN::" + hasChosen + "::" + chosenHint
} catch (Throwable t) {
println "ERROR::" + (t?.message ?: t?.toString())
}
{% raw %}{{/groovy}}{% endraw %}
]]></content>
<syntax>xwiki/2.1</syntax>
</page>
register: _put_authdiag
changed_when: false
- name: "XWIKI | Run AuthDiag"
uri:
url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/AuthDiag?xpage=plain"
method: GET
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200]
return_content: yes
register: _authdiag_run
changed_when: false
- name: "DEBUG | AuthDiag output"
debug:
msg: "{{ _authdiag_run.content | regex_replace('<[^>]+>', '') | trim }}"
# Optional sauber machen:
- name: "XWIKI | DELETE AuthDiag page"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
method: DELETE
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [204,200,202,404]
changed_when: false

5
roles/web-app-xwiki/templates/docker-compose.yml.j2
View File

@@ -8,9 +8,11 @@
- "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}" - "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}"
environment: environment:
JAVA_OPTS: >- JAVA_OPTS: >-
{% if xwiki_oidc_enabled_switch | bool %} {% if xwiki_oidc_enabled_switch| bool %}
-Dxwiki.authentication.authservice=oidc -Dxwiki.authentication.authservice=oidc
-Dxwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
{% elif xwiki_ldap_enabled_switch | bool %} {% elif xwiki_ldap_enabled_switch | bool %}
-Dxwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
-Dxwiki.authentication.authservice=ldap -Dxwiki.authentication.authservice=ldap
-Dxwiki.authentication.ldap=1 -Dxwiki.authentication.ldap=1
-Dxwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }} -Dxwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
@@ -25,6 +27,7 @@
-Dxwiki.authentication.ldap.update_user=1 -Dxwiki.authentication.ldap.update_user=1
{% else %} {% else %}
-Dxwiki.authentication.authservice=standard -Dxwiki.authentication.authservice=standard
-Dxwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
{% endif %} {% endif %}
volumes: volumes:
- "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties" - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"