Merge pull request #1987 from asieraguado/master

(MODULES-10432) Add mod_auth_openidc support

manifests/mod/auth_openidc.pp

@@ -0,0 +1,13 @@
+# @summary
+#   Installs and configures `mod_auth_openidc`.
+# 
+# @see https://github.com/zmartzone/mod_auth_openidc for additional documentation.
+#
+class apache::mod::auth_openidc (
+) inherits ::apache::params {
+
+  include ::apache
+  include ::apache::mod::authz_user
+  apache::mod { 'auth_openidc': }
+
+}

manifests/params.pp

@@ -206,6 +206,7 @@
       'auth_kerb'             => 'mod_auth_kerb',
       'auth_gssapi'           => 'mod_auth_gssapi',
       'auth_mellon'           => 'mod_auth_mellon',
+      'auth_openidc'          => 'mod_auth_openidc',
       'authnz_ldap'           => $::apache::version::distrelease ? {
         '7'     => 'mod_ldap',
         default => 'mod_authz_ldap',
@@ -344,6 +345,7 @@
       $mod_packages = {
         'auth_cas'              => 'libapache2-mod-auth-cas',
         'auth_kerb'             => 'libapache2-mod-auth-kerb',
+        'auth_openidc'          => 'libapache2-mod-auth-openidc',
         'auth_gssapi'           => 'libapache2-mod-auth-gssapi',
         'auth_mellon'           => 'libapache2-mod-auth-mellon',
         'authnz_pam'            => 'libapache2-mod-authnz-pam',
@@ -377,6 +379,7 @@
       $mod_packages = {
         'auth_cas'              => 'libapache2-mod-auth-cas',
         'auth_kerb'             => 'libapache2-mod-auth-kerb',
+        'auth_openidc'          => 'libapache2-mod-auth-openidc',
         'auth_gssapi'           => 'libapache2-mod-auth-gssapi',
         'auth_mellon'           => 'libapache2-mod-auth-mellon',
         'authnz_pam'            => 'libapache2-mod-authnz-pam',
@@ -404,6 +407,7 @@
       $mod_packages = {
         'auth_cas'              => 'libapache2-mod-auth-cas',
         'auth_kerb'             => 'libapache2-mod-auth-kerb',
+        'auth_openidc'          => 'libapache2-mod-auth-openidc',
         'auth_gssapi'           => 'libapache2-mod-auth-gssapi',
         'auth_mellon'           => 'libapache2-mod-auth-mellon',
         'authnz_pam'            => 'libapache2-mod-authnz-pam',
@@ -579,6 +583,7 @@
       # NOTE: not sure where the shibboleth should come from
       'auth_kerb'   => 'www/mod_auth_kerb2',
       'auth_gssapi' => 'www/mod_auth_gssapi',
+      'auth_openidc'=> 'www/mod_auth_openidc',
       'fcgid'       => 'www/mod_fcgid',
       'passenger'   => 'www/rubygem-passenger',
       'perl'        => 'www/mod_perl2',

manifests/vhost.pp

@@ -1626,6 +1626,12 @@
 #   this lets you define configuration variables inside a vhost using [`Define`](https://httpd.apache.org/docs/2.4/mod/core.html#define),
 #   these can then be used to replace configuration values. All Defines are Undefined at the end of the VirtualHost.
 #
+# @param auth_oidc
+#   Enable `mod_auth_openidc` parameters for OpenID Connect authentication.
+#
+# @param oidc_settings
+#   An Apache::OIDCSettings Struct containing (mod_auth_openidc settings)[https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf].
+#
 define apache::vhost(
   Variant[Boolean,String] $docroot,
   $manage_docroot                                                                   = true,
@@ -1855,6 +1861,8 @@
   Optional[Enum['On', 'on', 'Off', 'off', 'DNS', 'dns']] $use_canonical_name        = undef,
   Optional[Variant[String,Array[String]]] $comment                                  = undef,
   Hash $define                                                                      = {},
+  Boolean $auth_oidc                                                                = false,
+  Optional[Apache::OIDCSettings] $oidc_settings                                     = undef,
 ) {
 
   # The base class must be included first because it is used by parameter defaults
@@ -1901,6 +1909,10 @@
     include ::apache::mod::auth_kerb
   }
 
+  if $auth_oidc and $ensure == 'present' {
+    include ::apache::mod::auth_openidc
+  }
+
   if $virtual_docroot {
     include ::apache::mod::vhost_alias
   }
@@ -2716,6 +2728,17 @@
     }
   }
 
+  # Template uses:
+  # - $auth_oidc
+  # - $oidc_settings
+  if $auth_oidc {
+    concat::fragment { "${name}-auth_oidc":
+      target  => "${priority_real}${filename}.conf",
+      order   => 360,
+      content => template('apache/vhost/_auth_oidc.erb'),
+    }
+  }
+
   # Template uses:
   # - $shib_compat_valid_user
   if $shibboleth_enabled {

spec/acceptance/vhost_spec.rb

@@ -1197,4 +1197,37 @@ class { 'apache::mod::shib': }
       it { is_expected.to contain 'ShibCompatValidUser On' }
     end
   end
+
+  describe 'auth_oidc', unless: (os[:family] == 'ubuntu' && os[:release].to_f == 14.04) do
+    pp = <<-MANIFEST
+        class { 'apache': }
+        apache::vhost { 'test.server':
+          port    => '80',
+          docroot => '/var/www/html',
+          auth_oidc     => true,
+          oidc_settings => {
+            'ProviderMetadataURL'       => 'https://login.example.com/.well-known/openid-configuration',
+            'ClientID'                  => 'test',
+            'RedirectURI'               => 'https://login.example.com/redirect_uri',
+            'ProviderTokenEndpointAuth' => 'client_secret_basic',
+            'RemoteUserClaim'           => 'sub',
+            'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+            'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd'
+          }
+        }
+    MANIFEST
+    it 'applys cleanly' do
+      apply_manifest(pp, catch_failures: true)
+    end
+    describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do
+      it { is_expected.to be_file }
+      it { is_expected.to contain 'OIDCProviderMetadataURL https://login.example.com/.well-known/openid-configuration' }
+      it { is_expected.to contain 'OIDCClientID test' }
+      it { is_expected.to contain 'OIDCRedirectURI https://login.example.com/redirect_uri' }
+      it { is_expected.to contain 'OIDCProviderTokenEndpointAuth client_secret_basic' }
+      it { is_expected.to contain 'OIDCRemoteUserClaim sub' }
+      it { is_expected.to contain 'OIDCClientSecret aae053a9-4abf-4824-8956-e94b2af335c8' }
+      it { is_expected.to contain 'OIDCCryptoPassphrase 4ad1bb46-9979-450e-ae58-c696967df3cd' }
+    end
+  end
 end

spec/classes/mod/auth_openidc_spec.rb

@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe 'apache::mod::auth_openidc', type: :class do
+  it_behaves_like 'a mod class, without including apache'
+
+  context 'default configuration with parameters' do
+    context 'on a Debian OS', :compile do
+      let :facts do
+        {
+          id: 'root',
+          kernel: 'Linux',
+          lsbdistcodename: 'jessie',
+          osfamily: 'Debian',
+          operatingsystem: 'Debian',
+          operatingsystemrelease: '8',
+          path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          is_pe: false,
+        }
+      end
+
+      it { is_expected.to contain_class('apache::params') }
+      it { is_expected.to contain_apache__mod('auth_openidc') }
+      it { is_expected.to contain_package('libapache2-mod-auth-openidc') }
+    end
+    context 'on a RedHat OS', :compile do
+      let :facts do
+        {
+          id: 'root',
+          kernel: 'Linux',
+          osfamily: 'RedHat',
+          operatingsystem: 'RedHat',
+          operatingsystemrelease: '6',
+          path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          is_pe: false,
+        }
+      end
+
+      it { is_expected.to contain_class('apache::params') }
+      it { is_expected.to contain_apache__mod('auth_openidc') }
+      it { is_expected.to contain_package('mod_auth_openidc') }
+    end
+    context 'on a FreeBSD OS', :compile do
+      let :facts do
+        {
+          id: 'root',
+          kernel: 'FreeBSD',
+          osfamily: 'FreeBSD',
+          operatingsystem: 'FreeBSD',
+          operatingsystemrelease: '9',
+          path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          is_pe: false,
+        }
+      end
+
+      it { is_expected.to contain_class('apache::params') }
+      it { is_expected.to contain_apache__mod('auth_openidc') }
+      it { is_expected.to contain_package('www/mod_auth_openidc') }
+    end
+  end
+  context 'overriding mod_packages' do
+    context 'on a RedHat OS', :compile do
+      let :facts do
+        {
+          id: 'root',
+          kernel: 'Linux',
+          osfamily: 'RedHat',
+          operatingsystem: 'RedHat',
+          operatingsystemrelease: '6',
+          path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+          is_pe: false,
+        }
+      end
+      let :pre_condition do
+        <<-MANIFEST
+        include apache::params
+        class { 'apache':
+          mod_packages => merge($::apache::params::mod_packages, {
+            'auth_openidc' => 'httpd24-mod_auth_openidc',
+          })
+        }
+        MANIFEST
+      end
+
+      it { is_expected.to contain_apache__mod('auth_openidc') }
+      it { is_expected.to contain_package('httpd24-mod_auth_openidc') }
+      it { is_expected.not_to contain_package('mod_auth_openidc') }
+    end
+  end
+end

spec/defines/vhost_spec.rb

@@ -458,6 +458,14 @@
               'max_keepalive_requests'      => '1000',
               'protocols'                   => ['h2', 'http/1.1'],
               'protocols_honor_order'       => true,
+              'auth_oidc'                   => true,
+              'oidc_settings'               => { 'ProviderMetadataURL'       => 'https://login.example.com/.well-known/openid-configuration',
+                                                 'ClientID'                  => 'test',
+                                                 'RedirectURI'               => 'https://login.example.com/redirect_uri',
+                                                 'ProviderTokenEndpointAuth' => 'client_secret_basic',
+                                                 'RemoteUserClaim'           => 'sub',
+                                                 'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+                                                 'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
             }
           end
 
@@ -1378,6 +1386,41 @@
               content: %r{^\s+PassengerLveMinUid\s500$},
             )
           }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCProviderMetadataURL\shttps:\/\/login.example.com\/\.well-known\/openid-configuration$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCClientID\stest$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCRedirectURI\shttps:\/\/login\.example.com\/redirect_uri$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCProviderTokenEndpointAuth\sclient_secret_basic$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCRemoteUserClaim\ssub$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCClientSecret\saae053a9-4abf-4824-8956-e94b2af335c8$},
+            )
+          }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+              content: %r{^\s+OIDCCryptoPassphrase\s4ad1bb46-9979-450e-ae58-c696967df3cd$},
+            )
+          }
         end
         context 'vhost with multiple ip addresses' do
           let :params do

templates/vhost/_auth_oidc.erb

@@ -0,0 +1,5 @@
+<% if @auth_oidc -%>
+<% @oidc_settings.each do |key, value| %>
+  OIDC<%= key %> <%= value -%>
+<% end %>
+<% end -%>