Merge branch 'feature/oauth2' into 'master'

feat(oauth2): configure the OAuth2 plugin See merge request la-crise/discourse-formula!3

Merge branch 'feature/oauth2' into 'master'
feat(oauth2): configure the OAuth2 plugin See merge request la-crise/discourse-formula!3
d0841a2a · Daniel Dehennin · 93efc81a · c663f7d1 · d0841a2a · d0841a2a
Commit d0841a2a authored Mar 30, 2020 by Daniel Dehennin
6 changed files
--- a/README.rst
+++ b/README.rst
@@ -28,9 +28,78 @@ Then, we make the formula available to minions by linking it's directory in the

    ln -s ~/.salt/srv/formula/discourse-formula/discourse ~/.salt/srv/salt/discourse

+Create the pillar ``~/.salt/srv/pillar/discourse.sls`` to configure discourse:
+
+.. code-block:: yaml
+
+    # -*- coding: utf-8 -*-
+    # vim: ft=yaml
+    ---
+    discourse:
+      hostname: 'forum.example.net'
+      developer_emails: 'me@example.net'
+      smtp:
+        address: 'smtp.example.net'
+        port: '25'
+        user_name: 'me@example.net'
+        start_tls: true
+        # the following must be set in pillar
+        # smtp_password: ~
+      letsencrypt:
+        enabled: true
+        account_email: 'me@example.net'
+      settings:
+        default_locale: fr
+        title: This is a sample Discourse
+        site_description: This is a web forum based on Discourse
+        short_site_description: Web forum
+        contact_email: william.shakespears@example.net
+        contact_url: https://shakespears.example.net
+        enable_signup_cta: 'false'
+        default_trust_level: '1'
+        # Disable local logins for OAuth2
+        enable_local_logins: 'false'
+      oauth2:
+        enabled: true
+        # set settings without the `oauth2_` prefix
+        # https://github.com/discourse/discourse-oauth2-basic/blob/master/config/settings.yml
+        client_id: sso
+        client_secret: ThisIsVerySecret
+        authorize_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/auth
+        token_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/token/
+        callback_user_info_paths: ~
+        user_json_url: https://auth.example.net/auth/realms/apps/protocol/openid-connect/userinfo
+        json_user_id_path: sub
+        json_username_path: preferred_username
+        json_name_path: name
+        json_email_path: email
+        json_email_verified_path: email_verified
+        debug_auth: 'true'
+        button_title: OAuth Example
+        full_screen_login: 'true'
+      users:
+        william:
+          # Password reset mail is sent by default
+          email: 'william.shakespears@example.net'
+          enabled: true
+          admin: true
+    ...
+
+
+Now, associate this pillar to the minion by creating or updating ``~/.salt/pillar/top.sls``:
+
+.. code-block:: yaml
+
+    base:
+      'forum':
+        - discourse
+
+
+Now, it's possible to deploy and configure the `discourse`_ application container:
+
 .. code-block:: bash

-    salt-ssh forum.example.net state.apply discourse
+    salt-ssh forum state.apply discourse


 You can can execute ``laucher`` command directly with `salt-ssh`_ or apply ``states`` one by one, for more information on which ``states`` are available you should read the `formula documentation`_.
@@ -125,8 +194,8 @@ This file is associate several parameters to a host:

    # -*- yaml -*-
    
-        minion1:
-          host: minion1.example.net
+        forum:
+          host: forum.example.net
          user: debian
          sudo: True


--- a/discourse/config/files/default/app.yml.jinja
+++ b/discourse/config/files/default/app.yml.jinja
@@ -96,6 +96,9 @@ hooks:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
+{%- if discourse | traverse('oauth2:enabled', False) | to_bool %}
+          - git clone {{ discourse | traverse('oauth2:git-url') }}
+{%- endif %}

 ## Any custom commands to run after building
 run:

--- a/discourse/parameters/defaults.yaml
+++ b/discourse/parameters/defaults.yaml
@@ -27,6 +27,25 @@ values:
    contact_email: ~
    contact_url: ~
  # users: {}
+  oauth2:
+    git-url: 'https://github.com/discourse/discourse-oauth2-basic.git'
+    # set settings without the `oauth2_` prefix
+    # https://github.com/discourse/discourse-oauth2-basic/blob/master/config/settings.yml
+    enabled: false
+    client_id: sso
+    client_secret: ThisIsVerySecret
+    authorize_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/auth
+    token_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/token/
+    callback_user_info_paths: ~
+    user_json_url: https://auth.example.net/auth/realms/apps/protocol/openid-connect/userinfo
+    json_user_id_path: sub
+    json_username_path: preferred_username
+    json_name_path: name
+    json_email_path: email
+    json_email_verified_path: email_verified
+    debug_auth: 'true'
+    button_title: OAuth Example
+    full_screen_login: 'true'
  launcher:
    rebuild_cmd: './launcher rebuild app'
    bootstrap_cmd: './launcher bootstrap app'

--- a/discourse/setup/settings/init.sls
+++ b/discourse/setup/settings/init.sls
@@ -3,3 +3,4 @@

 include:
  - .global
+  - .oauth2
--- a/discourse/setup/settings/oauth2.sls
+++ b/discourse/setup/settings/oauth2.sls
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot | path_join("map.jinja") import discourse with context %}
+{%- from tplroot | path_join("libtofs.jinja") import files_switch with context %}
+
+{#- Do nothing if OAuth2 is not enabled #}
+{% if discourse | traverse('oauth2:enabled', False) | to_bool %}
+include:
+  - {{ sls_service_running }}
+
+{%- set settings_filename = 'oauth2.yaml' %}
+{%- set settings_contairer_path = '/shared' | path_join('settings',
+                                                        settings_filename)
+  %}
+{%- set settings_path = discourse.directory | path_join('shared',
+                                                        'standalone',
+                                                        'settings',
+                                                        settings_filename)
+  %}
+{%- set import_cmd = 'cd /var/www/discourse/ '
+                     ~ '&& rake site_settings:import '
+                     ~ '< ' ~ settings_contairer_path
+  %}
+
+{#- the configuration mix settings with formula parameters #}
+{% set skip_settings = {'git-url': true} %}
+{#- all oauth2 values are prefixed with `oauth2_` #}
+{%- set settings = {} %}
+{%- for key, value in discourse.get('oauth2', {}).items() %}
+  {%- if key not in skip_settings %}
+    {%- do settings.update({'oauth2_' ~ key: value}) %}
+  {%- endif %}
+{%- endfor %}
+
+discourse-setup-settings-oauth2-file-managed:
+  file.managed:
+    - name: {{ settings_path }}
+    - source: {{ files_switch(['settings.yaml.jinja'],
+                              lookup='discourse-setup-settings-oauth2-file-managed',
+                              use_subpath=True
+                 )
+              }}
+    - mode: 644
+    - user: root
+    - group: root
+    - makedirs: True
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - sls: {{ sls_service_running }}
+
+discourse-setup-settings-oauth2-import-cmd-run:
+  cmd.run:
+    - name: {{ discourse | traverse('launcher:run_cmd')
+               ~ " '"
+               ~ import_cmd
+               ~ "'"
+             }}
+    - cwd: {{ discourse.directory }}
+    - require:
+      - sls: {{ sls_service_running }}
+{%- endif %}
--- a/pillar.example
+++ b/pillar.example
@@ -22,6 +22,26 @@ discourse:
    contact_email: william.shakespears@example.net
    contact_url: https://shakespears.example.net
    default_trust_level: '1'
+    # Disable local logins for OAuth2
+    enable_local_logins: 'false'
+  oauth2:
+    # set settings without the `oauth2_` prefix
+    # https://github.com/discourse/discourse-oauth2-basic/blob/master/config/settings.yml
+    enabled: true
+    client_id: sso
+    client_secret: ThisIsVerySecret
+    authorize_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/auth
+    token_url: https://auth.example.net/auth/realms/example/protocol/openid-connect/token/
+    callback_user_info_paths: ~
+    user_json_url: https://auth.example.net/auth/realms/apps/protocol/openid-connect/userinfo
+    json_user_id_path: sub
+    json_username_path: preferred_username
+    json_name_path: name
+    json_email_path: email
+    json_email_verified_path: email_verified
+    debug_auth: 'true'
+    button_title: OAuth Example
+    full_screen_login: 'true'
  users:
    william:
      # Password reset mail is sent by default