Added support to SSO CNR

Reviewed-on: ePAS-ISTI/ansible-role-epas#18

.gitignore

@@ -1,3 +1,4 @@
 # ---> Ansible
 *.retry
 
+/.project

README.md

@@ -11,10 +11,8 @@ The most important variables are listed below:
 ``` yaml
 epas_docker_stack_name: 'epas_prod'
 epas_docker_service_server_name: 'epas'
-epas_docker_registry: 'docker-registry.services.iit.cnr.it'
-epas_docker_server_image: '{{ epas_docker_registry }}/epas/epas:stable'
-epas_docker_registry_user: 'epas.user'
-epas_docker_registry_pwd: 'use a vault file'
+epas_docker_registry: 'ghcr.io'
+epas_docker_server_image: '{{ epas_docker_registry }}/consiglionazionaledellericerche/epas:stable'
 epas_docker_network: 'epas_net'
 epas_attachments_node: 'localhost'
 epas_attachments_volume: 'epas_attachments_data'
@@ -43,8 +41,7 @@ psql_db_data: '{{ epas_psql_pg_data }}'
 # Environment
 epas_server_hostname: 'epas.example.com'
 # Teleworker
-epas_teleworker_server_active: True
-epas_teleworker_server_baseurl: 'http://epasteleworker.isti.cnr.it:8080'
+epas_teleworker_server_active: 'true'
 epas_teleworker_server_user: 'app.epas'
 #epas_teleworker_server_password: 'set in a vault file'
 ## SMTP
@@ -63,6 +60,10 @@ epas_ldap_timeout: 1000
 epas_ldap_base_dn: 'ou=People,dc=example,dc=org'
 epas_ldap_login_return_uri: '/.'
 epas_ldap_eppn_attribute_name: 'eduPersonPrincipalName'
+## Keycloak
+epas_keyclock_enabled: True
+epas_oauth_login: 'true'
+
 ```
 
 Dependencies

defaults/main.yml

@@ -1,10 +1,12 @@
 ---
 epas_docker_stack_name: 'epas_prod'
 epas_docker_service_server_name: 'epas'
-epas_docker_registry: 'docker-registry.services.iit.cnr.it'
-epas_docker_server_image: '{{ epas_docker_registry }}/epas/epas:stable'
-epas_docker_registry_user: 'epas.user'
-epas_docker_registry_pwd: 'use a vault file'
+#epas_docker_registry: 'docker-registry.services.iit.cnr.it'
+#epas_docker_server_image: '{{ epas_docker_registry }}/epas/epas:stable'
+#epas_docker_registry_user: 'epas.user'
+#epas_docker_registry_pwd: 'use a vault file'
+epas_docker_registry: 'ghcr.io'
+epas_docker_server_image: '{{ epas_docker_registry }}/consiglionazionaledellericerche/epas:stable'
 epas_docker_network: 'epas_net'
 epas_docker_attachments_node: 'localhost'
 epas_attachments_volume: 'epas_attachments_data'
@@ -35,7 +37,7 @@ epas_attestati_url: 'https://attestativ2.rm.cnr.it'
 epas_attestati_user: ''
 #epas_attestati_password: 'use a vault file'
 # Teleworker
-epas_teleworker_server_active: True
+epas_teleworker_server_active: 'true'
 epas_teleworker_server_baseurl: 'http://epasteleworker.isti.cnr.it:8080'
 epas_teleworker_server_user: 'app.epas'
 #epas_teleworker_server_password: 'use a vault file'
@@ -60,5 +62,13 @@ epas_ldap_authenticated_bind: False
 epas_ldap_bind_dn: 'cn=readuser,ou=People,o=example,c=org'
 #epas_ldap_bind_credentials: 'use a vault file'
 epas_ldap_authenticate_user_search_dn: 'o=example,c=org'
+## Keycloak
+epas_keyclock_enabled: True
+epas_oauth_login: 'true'
+epas_keycloak_config_uri: 'https://sso.cnr.it/auth/realms/CNR/.well-known/openid-configuration'
+#epas_keycloak_client_id: 'client id'
+#epas_keycloak_client_secret: 'use a vault file'
+epas_keycloak_jwt_field: 'email_cnr'
+## Logs
 epas_log_level: 'INFO'
 epas_log_appenders: 'stderr'

tasks/main.yml

@@ -35,8 +35,8 @@
     - name: Install the docker compose file
       template: src=epas-docker-compose.yml.j2 dest={{ epas_compose_dir }}/docker-epas-stack.yml owner=root group=root mode='0400'
 
-    - name: Login into the IIT registry
-      shell: docker login -u {{ epas_docker_registry_user }} -p {{ epas_docker_registry_pwd }} {{ epas_docker_registry }}
+    #- name: Login into the IIT registry
+    #  shell: docker login -u {{ epas_docker_registry_user }} -p {{ epas_docker_registry_pwd }} {{ epas_docker_registry }}
 
     - name: Start the ePAS stack 
       docker_stack:

templates/epas-docker-compose.yml.j2

@@ -77,6 +77,14 @@ services:
       - LDAP_BIND_CREDENTIALS={{ epas_ldap_bind_credentials }}
       - LDAP_AUTHENTICATE_USER_SEARCH_DN={{ epas_ldap_authenticate_user_search_dn }}
 {% endif %}
+{% if epas_keyclock_enabled %}
+      #### Autenticazione OAuth ####
+      - OAUTH_LOGIN={{ epas_oauth_login }}                       #Opzionale. default: false. Abilita l'autenticazione keycloak.
+      - KEYCLOAK_CONFIG_URI={{ epas_keycloak_config_uri }}
+      - KEYCLOAK_CLIENT_ID={{ epas_keycloak_client_id }}
+      - KEYCLOAK_CLIENT_SECRET={{ epas_keycloak_client_secret }}
+      - KEYCLOAK_JWT_FIELD={{ epas_keycloak_jwt_field }}         #Opzionale. default: email
+{% endif %}
 {% if epas_flows_enabled %}
       - FLOWS_ACTIVE=true                     # defalut: false --(true,false) -- se impostato a true abilita l'utilizzo dei flussi interni a ePAS
       - URL_ATTESTATI={{ epas_attestati_url }}                        # default: https://attestativ2.rm.cnr.it