# @summary
# Installs and configures `mod_auth_cas`.
#
# @param cas_login_url
# Sets the URL to which the module redirects users when they attempt to access a
# CAS-protected resource and don't have an active session.
#
# @param cas_validate_url
# Sets the URL to use when validating a client-presented ticket in an HTTP query string.
# This should be an https:// URL: the validation response is what establishes the
# user's identity, so it must not be fetched over plaintext.
#
# @param cas_cookie_path
# Sets the location where information on the current session should be stored. Because
# it holds session state, this directory should be readable and writable by the web
# server only.
#
# @param cas_cookie_path_mode
# The mode of cas_cookie_path.
#
# @param cas_version
# The version of the CAS protocol to adhere to.
#
# @param cas_debug
# Whether to enable or disable debug mode.
#
# @param cas_validate_server
# Whether to validate the presented certificate. This has been deprecated and
# removed from Version 1.1-RC1 onward.
#
# @param cas_validate_depth
# The maximum depth for chained certificate validation.
#
# @param cas_certificate_path
# The path leading to the certificate
#
# @param cas_proxy_validate_url
# The URL to use when performing a proxy validation.
#
# @param cas_root_proxied_as
# Sets the URL end users see when access to this Apache server is proxied per vhost.
# This URL should not include a trailing slash.
#
# @param cas_cookie_entropy
# When creating a local session, this many random bytes are used to create a unique
# session identifier.
#
# @param cas_timeout
# The hard limit, in seconds, for a mod_auth_cas session.
#
# @param cas_idle_timeout
# The limit, in seconds, of how long a mod_auth_cas session can be idle.
#
# @param cas_cache_clean_interval
# The minimum amount of time that must pass between cache cleanings.
#
# @param cas_cookie_domain
# The value for the 'Domain=' parameter in the Set-Cookie header.
#
# @param cas_cookie_http_only
# Setting this flag prevents the mod_auth_cas cookies from being accessed by
# client-side JavaScript.
#
# @param cas_authoritative
# Determines whether an optional authorization directive is authoritative and thus binding.
#
# @param cas_validate_saml
# Parse response from CAS server for SAML.
#
# @param cas_sso_enabled
# Enables experimental support for single sign out (may mangle POST data).
#
# @param cas_attribute_prefix
# Adds a header with the value of this header being the attribute values when SAML
# validation is enabled.
#
# @param cas_attribute_delimiter
# Sets the delimiter between attribute values in the header created by `cas_attribute_prefix`.
#
# @param cas_scrub_request_headers
# Remove inbound request headers that may have special meaning within mod_auth_cas.
#
# @param suppress_warning
# Suppress warning about being on RedHat (mod_auth_cas package is now available in epel-testing repo).
#
# @note The auth_cas module isn't available on RH/CentOS without providing dependency packages provided by EPEL.
#
# @see https://github.com/apereo/mod_auth_cas for additional documentation.
#
class apache::mod::auth_cas (
  String $cas_login_url,
  String $cas_validate_url,
  String $cas_cookie_path = $apache::params::cas_cookie_path,
  Stdlib::Filemode $cas_cookie_path_mode = '0750',
  Integer $cas_version = 2,
  String $cas_debug = 'Off',
  Optional[String] $cas_validate_server = undef,
  Optional[String] $cas_validate_depth = undef,
  Optional[String] $cas_certificate_path = undef,
  Optional[String] $cas_proxy_validate_url = undef,
  Optional[String] $cas_root_proxied_as = undef,
  Optional[String] $cas_cookie_entropy = undef,
  Optional[Integer[0]] $cas_timeout = undef,
  Optional[Integer[0]] $cas_idle_timeout = undef,
  Optional[String] $cas_cache_clean_interval = undef,
  Optional[String] $cas_cookie_domain = undef,
  Optional[String] $cas_cookie_http_only = undef,
  Optional[String] $cas_authoritative = undef,
  Optional[String] $cas_validate_saml = undef,
  Optional[String] $cas_sso_enabled = undef,
  Optional[String] $cas_attribute_prefix = undef,
  Optional[String] $cas_attribute_delimiter = undef,
  Optional[String] $cas_scrub_request_headers = undef,
  Boolean $suppress_warning = false,
) inherits apache::params {
  # The stock RedHat-family repositories do not carry mod_auth_cas (see the
  # class note above); tell the operator unless they opted out of the warning.
  $on_redhat = $facts['os']['family'] == 'RedHat'
  if $on_redhat {
    unless $suppress_warning {
      warning('RedHat distributions do not have Apache mod_auth_cas in their default package repositories.')
    }
  }

  # apache must be evaluated before $apache::user, $apache::group,
  # $apache::mod_dir and $apache::file_mode are read further down.
  include apache
  include apache::mod::authn_core

  apache::mod { 'auth_cas': }

  # Directory holding mod_auth_cas session state. It is owned by the web
  # server account; the default mode also grants the web server group read
  # access, so pass a tighter $cas_cookie_path_mode (e.g. '0700') if that
  # group has members other than the web server itself.
  file { $cas_cookie_path:
    ensure => directory,
    owner  => $apache::user,
    group  => $apache::group,
    mode   => $cas_cookie_path_mode,
    before => File['auth_cas.conf'],
  }

  # Values handed to the EPP template, one key per cas_* parameter. Keys left
  # undef are presumably skipped by the template so that mod_auth_cas applies
  # its own built-in defaults (the template itself is not visible here).
  $parameters = {
    # CAS server endpoints and protocol options
    'cas_login_url'             => $cas_login_url,
    'cas_validate_url'          => $cas_validate_url,
    'cas_proxy_validate_url'    => $cas_proxy_validate_url,
    'cas_root_proxied_as'       => $cas_root_proxied_as,
    'cas_version'               => $cas_version,
    'cas_debug'                 => $cas_debug,
    # CAS server certificate validation
    'cas_certificate_path'      => $cas_certificate_path,
    'cas_validate_server'       => $cas_validate_server,
    'cas_validate_depth'        => $cas_validate_depth,
    # local session and cookie handling
    'cas_cookie_path'           => $cas_cookie_path,
    'cas_cookie_entropy'        => $cas_cookie_entropy,
    'cas_cookie_domain'         => $cas_cookie_domain,
    'cas_cookie_http_only'      => $cas_cookie_http_only,
    'cas_timeout'               => $cas_timeout,
    'cas_idle_timeout'          => $cas_idle_timeout,
    'cas_cache_clean_interval'  => $cas_cache_clean_interval,
    # authorization and attribute propagation
    'cas_authoritative'         => $cas_authoritative,
    'cas_sso_enabled'           => $cas_sso_enabled,
    'cas_validate_saml'         => $cas_validate_saml,
    'cas_attribute_prefix'      => $cas_attribute_prefix,
    'cas_attribute_delimiter'   => $cas_attribute_delimiter,
    'cas_scrub_request_headers' => $cas_scrub_request_headers,
  }

  $conf_path = "${apache::mod_dir}/auth_cas.conf"

  # Rendered module configuration. The mod_dir must exist before the file is
  # written, and the service is reloaded whenever the content changes.
  file { 'auth_cas.conf':
    ensure  => file,
    path    => $conf_path,
    mode    => $apache::file_mode,
    content => epp('apache/mod/auth_cas.conf.epp', $parameters),
    require => Exec["mkdir ${apache::mod_dir}"],
    before  => File[$apache::mod_dir],
    notify  => Class['Apache::Service'],
  }
}