Support openid authentication

Whether to thwart spam or to make more private pads add support for very simple auth mechanism using mod_auth_openid. Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
2016-11-14 17:51:05 -08:00 · 2016-11-14 17:51:05 -08:00 · 9816851524
commit 9816851524
parent cbe2ba8724
2 changed files with 48 additions and 0 deletions
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@ -10,6 +10,21 @@ class etherpad_lite::apache (
  $ssl_key_file            = '',
  $ssl_key_file_contents   = '', # If left empty puppet will not create file.
  $vhost_name              = $::fqdn,
+  # Table containing openid auth details. If undef not enabled
+  # Example dict:
+  # {
+  #   banner         => "Welcome",
+  #   singleIdp      => "https://openstackid.org",
+  #   trusted        => '^https://openstackid.org/.*$',
+  #   any_valid_user => false,
+  #   users          => ['https://openstackid.org/foo',
+  #                      'https://openstackid.org/bar'],
+  # }
+  # Note that if you care which users get access set any_valid_user to false
+  # and then provide an explicit list of openids in the users list. Otherwise
+  # set any_valid_user to true and any successfully authenticated user will
+  # get access.
+  $auth_openid             = undef,
 ) {

  package { 'ssl-cert':
@ -40,6 +55,19 @@ class etherpad_lite::apache (
      ensure => present,
    }
  }
+  if ($auth_openid != undef) {
+    if !defined(Package['libapache2-mod-auth-openid']) {
+      package { 'libapache2-mod-auth-openid':
+        ensure => present,
+      }
+    }
+    if !defined(Mod['auth_openid']) {
+      httpd::mod { 'auth_openid':
+        ensure  => present,
+        require => Package['libapache2-mod-auth-openid'],
+      }
+    }
+  }

  file { '/etc/apache2':
    ensure => directory,
--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
@ -38,6 +38,26 @@
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

+  <% if @auth_openid != nil %>
+  <Location /p/>
+      AuthType OpenID
+      AuthName "<%= @auth_openid['banner'] %>"
+      AuthOpenIDSecureCookie On
+      AuthOpenIDCookieLifespan 3600
+      AuthOpenIDTrustRoot <%= @vhost_name %>
+      AuthOpenIDServerName <%= @vhost_name %>
+      AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
+      AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
+      <% if @auth_openid['any_valid_user'] %>
+      Require valid-user
+      <% elsif !@auth_openid['users'].empty? %>
+      <% @auth_openid['users'].each do |user| -%>
+      Require user <%= user %>
+      <% end -%>
+      <% end %>
+  </Location>
+  <% end %>
+
  <IfModule mod_proxy.c>
      # The following redirects "nice" urls such as https://etherpad.example.org/padname
      # to https://etherpad.example.org/p/padname. It was problematic directly