From 39305e766c5e664f38412bf50de8c4dd3362fbb4 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 21 Jul 2023 14:20:53 +0200
Subject: [PATCH] SAML e additional plugins.
---
 defaults/main.yml | 30 ++++++++++++++++++++++++-
 tasks/redmine-plugins.yml | 46 ++++++++++++++++++++++++++++++++++++++-
 templates/saml.rb.j2 | 46 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 templates/saml.rb.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index af18bf5..8733a09 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 redmine_major_version: 4
 redmine_minor_version: 2
-redmine_patch_version: 0
+redmine_patch_version: 10
 redmine_load_balanced: False
 redmine_load_balanced_main_instance: True
 redmine_version: '{{ redmine_major_version }}.{{ redmine_minor_version }}.{{ redmine_patch_version }}'
@@ -162,6 +162,34 @@ rm_openid_connect_plugin_url: https://github.com/devopskube/redmine_openid_conne
 rm_openid_connect_plugin: False
 rm_dashboard_plugin_url: https://github.com/akpaevj/dashboard.git
 rm_dashboard_plugin: False
+rm_additionals_plugin: false
+rm_additionals_plugin_url: "https://github.com/AlphaNodes/additionals.git"
+rm_additionals_plugin_branch: stable
+rm_saml_plugin: false
+rm_saml_plugin_url: "https://github.com/alphanodes/redmine_saml.git"
+rm_saml_branch: stable
+rm_saml_entity_id: 'redmine_saml'
+rm_saml_assertion_consumer_service_url: "http://redmine.local/auth/saml/callback"
+rm_saml_issuer: "https://redmine.local/auth/saml/metadata"
+rm_saml_single_logout_service_url: "https://redmine.local/auth/saml/sls"
+rm_saml_idp_sso_target_url: "https://idp.local/auth/realms/realm/protocol/saml"
+rm_saml_idp_cert: "cert string without begin and end sections"
+# Use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" for the email
+rm_saml_name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+rm_saml_signout_url: "https://idp.local/auth/realms/realm/protocol/saml"
+rm_saml_idp_slo_target_url: "https://idp.local/auth/realms/realm/protocol/saml"
+rm_saml_attribute_mapping:
+  - name: login
+    value: "extra|raw_info|username"
+  - name: mail
+    value: "extra|raw_info|email"
+  - name: firstname
+    value: "extra|raw_info|first_name"
+  - name: lastname
+    value: "extra|raw_info|last_name"
+  - name: admin
+    value: "extra|raw_info|admin"
+
 # Used by unicorn
 unicorn_listen_port: 4000
 unicorn_listen_address: 127.0.0.1
diff --git a/tasks/redmine-plugins.yml b/tasks/redmine-plugins.yml
index 6103897..2e95883 100644
--- a/tasks/redmine-plugins.yml
+++ b/tasks/redmine-plugins.yml
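Review bot: `rm_saml_assertion_consumer_service_url` defaults to `http://redmine.local/auth/saml/callback` while every other SAML endpoint in this block defaults to `https://`; the ACS URL is where the IdP posts the assertion, so an operator who edits only the hostname inherits a plain-http callback. Suggest `rm_saml_assertion_consumer_service_url: "https://redmine.local/auth/saml/callback"`. `rm_saml_idp_cert` defaults to a placeholder sentence that the new template renders verbatim into the initializer; since this is presumably the certificate the plugin verifies assertion signatures against, a comment stating that it is mandatory when `rm_saml_plugin` is true (or an assert task failing on the placeholder) would avoid a broken or misconfigured SSO setup. The `admin` entry in `rm_saml_attribute_mapping` presumably lets the IdP attribute drive the Redmine administrator flag, which deserves a one-line comment so that it is not enabled by accident.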
@@ -37,7 +37,7 @@
 tags: [ 'redmine', 'redmine_plugins', 'rm_ldap_sync' ]
 
 - name: Redmine login audit plugin
-  ansible.builtin.ansible.builtin.git:
+  ansible.builtin.git:
 repo: '{{ rm_login_audit_url }}'
 dest: '{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/plugins/redmine_login_audit'
 update: false
@@ -300,6 +300,17 @@
 when: rm_omniauth_plugin
 tags: [ 'redmine', 'redmine_plugins', 'rm_oauth', 'rm_omniauth' ]
 
+- name: Remove the omniauth Oauth plugin
+  ansible.builtin.file:
+    dest: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/plugins/redmine_omniauth_client"
+    - "{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/public/plugin_assets/redmine_omniauth_client"
+  notify: Reload unicorn
+  when: not rm_omniauth_plugin
+  tags: ['redmine', 'redmine_plugins', 'rm_oauth', 'rm_omniauth']
+
 - name: Install the OpenId connect plugin
 ansible.builtin.git:
 repo: '{{ rm_openid_connect_plugin_url }}'
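Review bot: The `Remove the omniauth Oauth plugin` task deletes the plugin directory and its assets but only notifies `Reload unicorn`, whereas the plugin install tasks in this file notify `Bundle install and reconfigure redmine`; deleting the checkout without re-running bundle install leaves the plugin's gems in the lockfile and, if the plugin shipped migrations, its schema in the database. Redmine's documented uninstall order is to roll the plugin's migrations back first (`rake redmine:plugins:migrate NAME=<plugin> VERSION=0` in the instance directory, as the application user) and remove the directory afterwards, so a command task before this one plus `notify: Bundle install and reconfigure redmine` would make the removal consistent with the install path. Because the guard is `when: not rm_omniauth_plugin`, the task also runs on hosts that never had the plugin; `state: absent` keeps that idempotent, but the migration rollback would need a `creates`/stat guard to stay so.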
@@ -310,6 +321,39 @@
 when: rm_openid_connect_plugin
 tags: [ 'redmine', 'redmine_plugins', 'rm_oidc', 'rm_openid_connect' ]
 
+- name: Install the additionals plugin
+  ansible.builtin.git:
+    repo: '{{ rm_additionals_plugin_url }}'
+    dest: '{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/plugins/additionals'
+    version: "{{ rm_additionals_plugin_branch }}"
+    update: false
+  notify:
+    - Bundle install and reconfigure redmine
+  when: rm_additionals_plugin or rm_saml_plugin
+  tags: ['redmine', 'redmine_plugins', 'rm_saml', 'rm_additionals']
+
+- name: Install the SAML auth plugin
+  ansible.builtin.git:
+    repo: '{{ rm_saml_plugin_url }}'
+    dest: '{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/plugins/additionals'
+    version: "{{ rm_saml_branch }}"
+    update: false
+  notify:
+    - Bundle install and reconfigure redmine
+  when: rm_saml_plugin
+  tags: ['redmine', 'redmine_plugins', 'rm_saml']
+
+- name: Configure the SAML plugin
+  ansible.builtin.template:
+    src: saml.rb.j2
+    dest: "{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/config/initializers/saml.rb"
+    owner: root
+    group: redmine
+    mode: 0440
+  notify: Reload unicorn
+  when: rm_saml_plugin
+  tags: ['redmine', 'redmine_plugins', 'rm_saml']
+
 - name: Install the dashboard plugin
 ansible.builtin.git:
 repo: '{{ rm_dashboard_plugin_url }}'
diff --git a/templates/saml.rb.j2 b/templates/saml.rb.j2
new file mode 100644
index 0000000..c46deb3
--- /dev/null
+++ b/templates/saml.rb.j2
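Review bot: `Install the SAML auth plugin` clones `rm_saml_plugin_url` into `plugins/additionals`, the same `dest` the preceding additionals task uses, so with `update: false` the second task meets an existing checkout of a different repository and the SAML plugin most likely never lands where the new template expects it (`plugins/redmine_saml/lib/redmine_saml`). The line should read `dest: '{{ redmine_glob_root_dir }}/{{ redmine_inst_dir }}/plugins/redmine_saml'`. In `Configure the SAML plugin`, `mode: 0440` is an unquoted octal literal; Ansible's own guidance is to quote file modes (`mode: '0440'`) so the value is not reinterpreted as a decimal, and since the initializer is root-owned and group-readable only, a comment noting that unicorn must run under the `redmine` group would explain why the app can read it at all.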
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require Rails.root.join('plugins/redmine_saml/lib/redmine_saml')
+require Rails.root.join('plugins/redmine_saml/lib/redmine_saml/base')
+
+RedmineSaml::Base.configure do |config|
+  config.saml = {
+    sp_entity_id: '{{ rm_saml_entity_id }}',
+    # Redmine callback URL
+    assertion_consumer_service_url: '{{ rm_saml_assertion_consumer_service_url }}',
+    # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
+    issuer: '{{ rm_saml_issuer }}',
+    # The SLS (logout) callback URL
+    single_logout_service_url: '{{ rm_saml_single_logout_service_url }}',
+    # SSO login endpoint
+    idp_sso_target_url: '{{ rm_saml_idp_sso_target_url }}',
+    idp_cert: '{{ rm_saml_idp_cert }}',
+    # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+    name_identifier_format: '{{ rm_saml_name_identifier_format }}',
+    # Optional signout URL, not supported by all identity providers
+    signout_url: '{{ rm_saml_signout_url }}',
+    idp_slo_target_url: '{{ rm_saml_idp_slo_target_url }}',
+    # Which redmine field is used as name_identifier_value for SAML logout
+    name_identifier_value: 'mail',
+    # overwrite mapping seperator, if required
+    # attribute_mapping_sep: '|',
+    attribute_mapping: {
+      # How will we map attributes from SSO to redmine attributes
+      # using either urn:oid:identifier, or friendly names, e.g.
+      # mail: 'extra|raw_info|urn:oid:0.9.2342.19200300.100.1.3'
+      # or
+      # mail: 'extra|raw_info|email'
+      #
+      # Edit defaults below to match your attributes
+{% for map in rm_saml_attribute_mapping %}
+      {{ map.name}}: '{{ map.value}}'{% if not loop.last %},{% endif %}
+
+{% endfor %}
+
+    }
+  }
+
+  config.on_login do |omniauth_hash, user|
+    # Implement any hook you want here
+  end
+end
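Review bot: Every `rm_saml_*` value and each `map.value` is interpolated into a single-quoted Ruby string literal with no escaping, and the rendered file is a Rails initializer evaluated at boot, so a value containing `'` or `\` breaks the application start and, because the text is interpreted as Ruby, the inventory variables effectively carry code. Inventory is trusted, but a header comment such as `# NOTE: values below come unescaped from Ansible vars; they must not contain single quotes or backslashes, and map.name must be a valid symbol` documents the constraint; `{{ map.name}}` is emitted as a bare hash key, so the same applies to it. The `# Edit defaults below to match your attributes` comment is stale now that the mapping is generated from `rm_saml_attribute_mapping`, and the loop emits an extra blank line per entry. Stylistically, the empty `config.on_login` hook should either be dropped or mark its parameters unused, `config.on_login do |_omniauth_hash, _user|`.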