--- Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org].orig
+++ Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]
- attribute_delimiter => :
- enable_slo => True
- protected_uri => /
- environment => production
- vhost_settings => {'proxy_pass': 'http://localhost:8080'}
- debug => False
- validate_saml => False
- enable_monitor => True
- session_idle_timeout => 3600
- virtual_host => requestctl.wikimedia.org
- cookie_same_site => Lax
- vhost_content => profile/conftool/httpd-hiddenparma.conf.erb
- session_timeout => 7200
- cookie_scope => /
- require => ['Acme_chief::Cert[icinga]']
- authn_header => CAS-User
- required_groups => ['cn=ops,ou=groups,dc=wikimedia,dc=org', 'cn=wmf,ou=groups,dc=wikimedia,dc=org']
- attribute_prefix => X-CAS-
- priority => 50
- server_aliases => []
- document_root => /var/www
- proxied_as_https => False
- cookie_secure => On
File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]
- Parameters differences:
--- File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/].orig
+++ File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]
- ensure => directory
- owner => www-data
- path => /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org
- group => www-data
- Monitoring::Service[https-requestctl.wikimedia.org-expiry]
- Parameters differences:
--- Monitoring::Service[https-requestctl.wikimedia.org-expiry].orig
+++ Monitoring::Service[https-requestctl.wikimedia.org-expiry]
- check_command => check_https_expiry!requestctl.wikimedia.org!443
- ensure => present
- retry_interval => 1
- check_interval => 1
- passive => False
- freshness => 36000
- description => requestctl.wikimedia.org tls expiry
- host => alert1002
- migration_task => T367065
- retries => 3
- notes_url => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration
- config_dir => /etc/nagios
- notify => Service[icinga]
- critical => False
- Httpd::Site[requestctl.wikimedia.org]
- Parameters differences:
--- Httpd::Site[requestctl.wikimedia.org].orig
+++ Httpd::Site[requestctl.wikimedia.org]
+ require => ['Acme_chief::Cert[icinga]']
- File[/etc/default/hiddenparma]
- Content differences:
--- /etc/default/hiddenparma.orig
+++ /etc/default/hiddenparma
@@ -5,6 +5,12 @@
CSRF_SHARED_SECRET="snakeoil"
DATACENTERS="eqiad,codfw,esams,ulsfo,eqsin,drmrs,magru"
DBSTORE_DSN="mariadb+pymysql://lolo:placeholder@m2-master.eqiad.wmnet/requestctl?charset=utf8mb4"
+WEB_AUTH_BACKEND="native_cas"
API_AUTH_BACKEND="api_token_from_db"
API_ROOT_TOKEN="t00r"
API_TOKEN_ENCRYPTION_KEY="snakeoil"
+# Native CAS configuration
+CAS_SERVER_URL="'https://idp.wikimedia.org/login'"
+CAS_SERVICE_URL="https://requestctl.wikimedia.org/cas/callback"
+SESSION_SECRET_KEY="a secret"
+AUTHORIZED_GROUPS="cn=ops,ou=groups,dc=wikimedia,dc=org:cn=wmf,ou=groups,dc=wikimedia,dc=org"
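Review bot: `CAS_SERVER_URL="'https://idp.wikimedia.org/login'"` wraps the URL in a second pair of single quotes inside the double quotes, so whatever reads this file (a shell `source` or a systemd EnvironmentFile) will hand the application the literal string `'https://idp.wikimedia.org/login'`, quotes included; the neighbouring `CAS_SERVICE_URL` line shows the intended form. I'd expect `CAS_SERVER_URL="https://idp.wikimedia.org/login"`, and since the extra quoting presumably originates in the template or the hiera value, it should be fixed there rather than in the rendered output. `SESSION_SECRET_KEY="a secret"` reads like a placeholder; if that string is a default of `Profile::Conftool::Hiddenparma` rather than a value resolved from the private repo (as `CSRF_SHARED_SECRET="snakeoil"` above appears to be), the parameter should carry no default so that a missing secret fails catalog compilation instead of shipping a guessable session key.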
- Class[Profile::Conftool::Hiddenparma]
- Parameters differences:
--- Class[Profile::Conftool::Hiddenparma].orig
+++ Class[Profile::Conftool::Hiddenparma]
+ session_secret_key => a secret
- Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]
- Parameters differences:
--- Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized].orig
+++ Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]
- check_command => check_https_sso_redirect!requestctl.wikimedia.org!/
- ensure => present
- host_name => alert1002
- notification_interval => 0
- check_interval => 1
- passive_checks_enabled => 1
- active_checks_enabled => 1
- servicegroups => alerting_eqiad
- service_description => requestctl.wikimedia.org requires authentication
- notes_url => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration
- notification_period => 24x7
- max_check_attempts => 3
- check_period => 24x7
- retry_interval => 1
- is_volatile => 0
- notifications_enabled => 1
- contact_groups => admins
- notification_options => c,r,f
- check_freshness => 0
- Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]
- Parameters differences:
--- Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry].orig
+++ Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]
- check_command => check_https_expiry!requestctl.wikimedia.org!443
- ensure => present
- host_name => alert1002
- notification_interval => 0
- check_interval => 1
- passive_checks_enabled => 1
- active_checks_enabled => 1
- servicegroups => alerting_eqiad
- service_description => requestctl.wikimedia.org tls expiry
- notes_url => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration
- notification_period => 24x7
- max_check_attempts => 3
- check_period => 24x7
- retry_interval => 1
- is_volatile => 0
- notifications_enabled => 1
- contact_groups => admins
- notification_options => c,r,f
- check_freshness => 0
- Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]
- Parameters differences:
--- Monitoring::Service[https-requestctl.wikimedia.org-unauthorized].orig
+++ Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]
- check_command => check_https_sso_redirect!requestctl.wikimedia.org!/
- ensure => present
- retry_interval => 1
- check_interval => 1
- passive => False
- freshness => 36000
- description => requestctl.wikimedia.org requires authentication
- host => alert1002
- migration_task => T367065
- retries => 3
- notes_url => https://wikitech.wikimedia.org/wiki/CAS-SSO/Administration
- config_dir => /etc/nagios
- notify => Service[icinga]
- critical => False
- File[/etc/apache2/sites-available/50-requestctl-wikimedia-org.conf]
- Content differences:
--- /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf.orig
+++ /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf
@@ -22,54 +22,18 @@
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
Header always set Strict-Transport-Security "max-age=106384710; includeSubDomains; preload"
- CASLoginURL https://idp.wikimedia.org/login
- CASValidateURL https://idp.wikimedia.org/serviceValidate
- CASDebug Off
- CASVersion 2
- CASCertificatePath /etc/ssl/certs
- CASCookiePath /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/
- CASAttributePrefix X-CAS-
- CASAttributeDelimiter :
- CASValidateSAML Off
- CASSSOEnabled On
- CASCookieSameSite Lax
- CASCookieSecure On
- CASTimeout 7200
- CASIdleTimeout 3600
- <Directory />
- AllowOverride None
- Require all granted
- </Directory>
-
<Location />
- AuthType CAS
- CASAuthNHeader CAS-User
- CASScope /
- Require cas-attribute memberOf:cn=ops,ou=groups,dc=wikimedia,dc=org
- Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
<Location /health_check>
- Require all granted
Alias /var/www/health_check
ProxyPass !
</Location>
- <Location /api>
- Require all granted
- ProxyPass http://localhost:8080/api
- ProxyPassReverse http://localhost:8080/api
- </Location>
-
# Static files
Alias "/static" "/srv/deployment/hiddenparma/deploy/src/static"
- # Static assets are not protected by the CAS auth
- <Directory /srv/deployment/hiddenparma/deploy/src/static">
- AllowOverride None
- Require all granted
- </Directory>
CustomLog /var/log/apache2/requestctl.wikimedia.org-access.log wmf
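Review bot: The `<Directory /srv/deployment/hiddenparma/deploy/src/static>` block that granted access to the static files is removed while `Alias "/static" ...` stays, so requests for `/static` now fall back to the server-wide `<Directory />` policy, and the `<Directory />` grant that used to live in this file is removed in the same hunk; on Debian's stock apache2.conf that policy is `Require all denied`, which would turn `/static` into a 403 unless the profile overrides it elsewhere. If dropping the block was intentional because the application now serves static assets through the proxy, the Alias should go with it; otherwise a narrowly scoped Directory block should be restored (without the stray `"` the old line carried). With mod_auth_cas gone Apache also no longer owns the `CAS-User` header it used to set via `CASAuthNHeader`; if any code path in the backend still honours that header, unsetting it in `<Location />` keeps a client from supplying it, which is cheap defence in depth while the native CAS backend settles in.
```apache
<Location />
    # … unchanged: ProxyPass / ProxyPassReverse …
    RequestHeader unset CAS-User
</Location>
# … unchanged: /health_check location, Alias /static …
<Directory /srv/deployment/hiddenparma/deploy/src/static>
    AllowOverride None
    Require all granted
</Directory>
```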
Relevant files