Commit 960171cd authored by ale's avatar ale

Parameterize SSO ACL rules

parent 6d6d5320
Pipeline #3328 passed with stage
in 4 minutes and 25 seconds
......@@ -7,3 +7,33 @@ enable_keystore: false
# Allows deploying the SSO service on a subpath.
sso_server_url_path_prefix: "/"
# Additional allowed services (on top of those defined as
# public_endpoints).The values are regular expressions and must be
# escaped if necessary.
sso_extra_allowed_services:
- "^(imap|accountserver).{{ domain | regex_escape }}/$"
- "[^.]+\\.webmail\\.{{ domain_public[0] | regex_escape }}/$"
# Allowed exchanges (source and destination services).
sso_allowed_exchanges:
- src_regexp: "^[^.]+\\.webmail\\.({{ domain_public | regex_escape | join('|') }})/$"
dst_regexp: "^imap\\.{{ domain | regex_escape }}/$"
- src_regexp: "^accounts\\.({{ domain_public | regex_escape | join('|') }})/$"
dst_regexp: "^accountserver.{{ domain | regex_escape }}/$"
- src_regexp: "^accountadmin\\.({{ domain_public | regex_escape | join('|') }})/$"
dst_regexp: "^accountserver.{{ domain | regex_escape }}/$"
# TTLs for SSO tickets for various services. Remember to always
# include the catch-all default entry.
sso_service_ttls:
- regexp: "^[^.]+\\.webmail\\.({{ domain_public | regex_escape | join('|') }}) }}/$"
ttl: 43200
- regexp: "^imap\\.{{ domain | regex_escape }}/$"
ttl: 43200
- regexp: "^accounts\\.({{ domain_public | regex_escape | join('|') }})/$"
ttl: 3600
- regexp: "^accountserver\\.{{ domain | regex_escape }}/$"
ttl: 3600
- regexp: ".*"
ttl: 300
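Review bot: The webmail entry in `sso_service_ttls` on L28 carries a stray ` }}` after the closing parenthesis, so the rendered regex ends in a literal ` }}/$` and never matches a webmail host; presumably those requests then fall through to the `.*` 300-second TTL instead of getting 43200. The line should read `- regexp: "^[^.]+\\.webmail\\.({{ domain_public | regex_escape | join('|') }})/$"`, as in the `sso_allowed_exchanges` entry on L19. The `(imap|accountserver)` pattern on L15 drops the escaped dot the removed template line had, and the two `accountserver.{{ domain ... }}` dst_regexp values on L22 and L24 use a bare dot as well; in an allow-list `.` matches any character, so `\\.` keeps the match as tight as intended. I am not sure `regex_escape` accepts a list: if it only escapes a single string, `domain_public | regex_escape | join('|')` needs `map('regex_escape')` instead. The comment on L11–L13 could also state that entries must stay anchored (`^…$`), since every existing entry is anchored and an unanchored one would likely match more than intended.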
......@@ -3,14 +3,10 @@
{%- for d in domain_public -%}
{%- if not loop.first %}|{% endif -%}
{# We are inside a quoted YAML string so we must escape backslashes twice #}
({{ d | regex_escape() | regex_replace('\\\\', '\\\\\\\\') }})
{{ d | regex_escape() | regex_replace('\\\\', '\\\\\\\\') }}
{%- endfor -%}
{%- endmacro %}
{%- macro domain_regex() %}
{{ domain | regex_escape() | regex_replace('\\\\', '\\\\\\\\') }}
{%- endmacro %}
{%- macro public_endpoints_regex() %}
{%- for s in services.values() %}
{%- for p in s.get('public_endpoints', []) %}
......@@ -24,27 +20,13 @@ public_key_file: "/etc/sso/public.key"
domain: "{{ domain_public[0] }}"
allowed_services:
{# Automatically allow all services with public_endpoints #}
- "^({{ public_endpoints_regex() }})\\.{{ domain_public_regex() }}/$"
- "^[^.]+\\.webmail\\.{{ domain_public_regex() }}/$"
- "^(imap|accountserver)\\.{{ domain_regex() }}/$"
allowed_exchanges:
- src_regexp: "^[^.]+\\.webmail\\.{{ domain_public_regex() }}/$"
dst_regexp: "^imap\\.{{ domain_regex() }}/$"
- src_regexp: "^accounts\\.{{ domain_public_regex() }}/$"
dst_regexp: "^accountserver.{{ domain_regex() }}/$"
- src_regexp: "^accountadmin\\.{{ domain_public_regex() }}/$"
dst_regexp: "^accountserver.{{ domain_regex() }}/$"
service_ttls:
- regexp: "^[^.]+\\.webmail\\.{{ domain_public_regex() }}/$"
ttl: 43200
- regexp: "^imap\\.{{ domain_regex() }}/$"
ttl: 43200
- regexp: "^accounts\\.{{ domain_public_regex() }}/$"
ttl: 3600
- regexp: "^accountserver\\.{{ domain_regex() }}/$"
ttl: 3600
- regexp: ".*"
ttl: 300
- "^({{ public_endpoints_regex() }})\\.({{ domain_public_regex() }})/$"
{# Additional services (public and internal) #}
{% for s in sso_extra_allowed_services %}
- {{ s | to_json }}
{% endfor %}
allowed_exchanges: {{ sso_allowed_exchanges | to_json }}
service_ttls: {{ sso_service_ttls | to_json }}
auth_session_lifetime: 43200
session_secrets:
- "{{ sso_session_auth_secret }}"
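Review bot: The allowed-services line on L77 still relies on the macros doubling every backslash for the quoted YAML scalar (the L41 comment), while the entries emitted on L80, L82 and L83 get their escaping from `to_json`; the two conventions now coexist without a hint, so a comment above L77 such as `{# Macro output is pre-escaped for this quoted scalar; the lists below are emitted with to_json, which escapes for us #}` would stop the next editor from double-escaping one of them. The catch-all `.*` TTL that the defaults ask for is now only a convention, since L83 emits whatever `sso_service_ttls` an inventory provides; what the server does for a service with no matching TTL is not visible here, so either a short assertion in the template or a comment at L83 pointing to that requirement seems worth adding.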