From 06c89e7fb7c98ac73b4eda7d11dc2f5082a5856e Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 30 Sep 2020 00:00:07 +0200
Subject: [PATCH] Update to 2020-09-30 00:00
---
 roles/jitsi/defaults/main.yml | 3 +-
 roles/mayan_edms/defaults/main.yml | 61 +++++++++++++++++++++++++++++
 roles/mayan_edms/meta/main.yml | 1 +
 roles/mayan_edms/tasks/directories.yml | 3 +-
 roles/mayan_edms/tasks/install.yml | 19 ++++++++-
 roles/mayan_edms/templates/auth.py.j2 | 70 ++++++++++++++++++++++++++++++++++
 roles/mayan_edms/templates/env.j2 | 7 +++-
 7 files changed, 159 insertions(+), 5 deletions(-)
 create mode 100644 roles/mayan_edms/templates/auth.py.j2
diff --git a/roles/jitsi/defaults/main.yml b/roles/jitsi/defaults/main.yml
index a67091a..d99b4bf 100644
--- a/roles/jitsi/defaults/main.yml
+++ b/roles/jitsi/defaults/main.yml
@@ -133,11 +133,11 @@ jitsi_meet_interface_conf_base:
 - camera
 - closedcaptions
 - desktop
+ - embedmeeting
 - fullscreen
 - fodeviceselection
 - hangup
 - profile
- - info
 - chat
 #- recording
 #- livestreaming
@@ -156,6 +156,7 @@ jitsi_meet_interface_conf_base:
 - download
 - help
 - mute-everyone
+ - security
 #- localrecording
 SETTINGS_SECTIONS:
 - devices
diff --git a/roles/mayan_edms/defaults/main.yml b/roles/mayan_edms/defaults/main.yml
index 8c82f61..a73d0e3 100644
--- a/roles/mayan_edms/defaults/main.yml
+++ b/roles/mayan_edms/defaults/main.yml
@@ -32,3 +32,64 @@ mayan_from_mail: mayan-edsm@{{ ansible_domain }}
 # Main language for document
 mayan_doc_lang: fra
+
+# LDAP Auth
+# Most of these settings will try to detect system auth config
+# and use them. But you can override if you want
+#
+# This is to turn on of off LDAP auth
+mayan_ldap_auth: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary(True,False) }}"
+# URI of your LDAP server, eg ldap://ldap.example.org:389
+mayan_ldap_uri: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower,ldap_uri) }}"
+# SHould Start TLS be used ?
+mayan_ldap_start_tls: True
+# Base of your LDAP tree. Eg DC=example,DC=org
+mayan_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), ldap_base) }}"
+# If your directory only allow authenticated searches, you can define it here
+# mayan_ldap_bind_dn:
+# mayan_ldap_bind_pass:
+#
+# If set, will restrict user search in these OU. Default is to search from the base
+# Eg
+# mayan_ldap_user_ou:
+# - OU=People,DC=example,DC=org
+# - OU=Presta,DC=example,DC=org
+mayan_ldap_user_ou: []
+# Filter to search for users
+mayan_ldap_user_filter: "{{ ad_auth | default(False) | ternary('(sAMAccountName=%(user)s)','(uid=%(user)s)') }}"
+# Mapping of LDAP attributes into Django attributes
+mayan_ldap_user_attr_map:
+ username: "{{ ad_auth | default(False) | ternary('sAMAccountName','uid') }}"
+ first_name: givenName
+ last_name: sn
+ email: mail
+
+# Same for groups
+mayan_ldap_group_ou: []
+# How are group represented in your directory.
+# See https://django-auth-ldap.readthedocs.io/en/latest/groups.html for a list of valid values
+mayan_ldap_group_type: "{{ ad_auth | default(False) | ternary('NestedActiveDirectoryGroupType','PosixGroupType') }}"
+# LDAP filter to search for groups
+mayan_ldap_group_filter: "{{ ad_auth | default(False) | ternary('(objectClass=group)','(objectClass=posixGroup)') }}"
+
+# If defined, will either require user to be part of one of those groups,
+# or forbid access to membres of those groups
+# mayan_ldap_require_group:
+# - CN=Admins,OU=Groups,DC=example,DC=org
+# - CN=Board,OU=Groups,DC=example,DC=org
+#
+# mayan_ldap_deny_group:
+# - CN=Guests,OU=Groups,DC=example,DC=org
+
+# Useful to debug LDAP related issues
+mayan_ldap_debug: False
+
+# Custom settings to set in the auth.py module
+# Eg
+# mayan_auth_custom_conf: |
+# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+# 'is_active': 'CN=Role_EDMS,OU=Roles,DC=example,DC=org',
+# 'is_staff': 'CN=Role_Staff,OU=Roles,DC=example,DC=org',
+# 'is_superuser': 'CN=Role_Infra_Admin,OU=Roles,DC=example,DC=org',
+# }
+
diff --git a/roles/mayan_edms/meta/main.yml b/roles/mayan_edms/meta/main.yml
index 9e11fd7..0ba72dd 100644
--- a/roles/mayan_edms/meta/main.yml
+++ b/roles/mayan_edms/meta/main.yml
@@ -2,6 +2,7 @@ dependencies:
 - role: mkdir
+ - role: repo_remi_safe # for gnupg1
 - role: mysql_server
 when: mayan_db_server == '127.0.0.1' or mayan_db_server == 'localhost'
 - role: redis_server
diff --git a/roles/mayan_edms/tasks/directories.yml b/roles/mayan_edms/tasks/directories.yml
index b3024e2..df269df 100644
--- a/roles/mayan_edms/tasks/directories.yml
+++ b/roles/mayan_edms/tasks/directories.yml
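Review bot: `mayan_ldap_start_tls: True` and `mayan_ldap_debug: False` use capitalised booleans, which yamllint's truthy rule rejects; the canonical spelling is `mayan_ldap_start_tls: true` / `mayan_ldap_debug: false`. `mayan_ldap_auth` ends in `ternary(True,False)`, which renders the text "True"/"False" rather than a boolean — Ansible usually converts that back, but `"{{ (ad_auth | default(False) or ldap_auth | default(False)) | bool }}"` says the same thing without relying on it. The commented `mayan_ldap_bind_pass` deserves a line such as `# Rendered verbatim into data/mayan_settings/auth.py: keep this in a vaulted vars file`, since the template writes the value in clear text into that file. The comments also carry typos (`SHould`, `on of off`, `membres`).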
@@ -7,13 +7,12 @@
 group: "{{ item.group | default(omit) }}"
 mode: "{{ item.mode | default(omit) }}"
 loop:
- - path: "{{ mayan_root_dir }}/venv"
 - path: "{{ mayan_root_dir }}/meta"
 mode: 700
 - path: "{{ mayan_root_dir }}/tmp"
 mode: 700
 owner: "{{ mayan_user }}"
- - path: "{{ mayan_root_dir }}/data"
+ - path: "{{ mayan_root_dir }}/data/mayan_settings/"
 mode: 700
 owner: "{{ mayan_user }}"
 - path: "{{ mayan_root_dir }}/archive"
diff --git a/roles/mayan_edms/tasks/install.yml b/roles/mayan_edms/tasks/install.yml
index 23ebce9..3956de3 100644
--- a/roles/mayan_edms/tasks/install.yml
+++ b/roles/mayan_edms/tasks/install.yml
@@ -13,7 +13,7 @@
 - mysql-devel
 - libexif
 - ghostscript
- - gnupg
+ - gnupg1
 - graphviz
 - fuse-libs
 - file-libs
@@ -28,6 +28,14 @@
 - python-setuptools
 tags: mayan
+# WHen using upstream MariaDB repo, we have to install MariaDB-shared
+- name: Install MariaDB shared libs
+ yum:
+ name:
+ - MariaDB-shared
+ when: mysql_mariadb_version is defined and mysql_mariadb_version != 'default'
+ tags: mayan
+
 - name: Wipe the venv on upgrades
 file: path={{ mayan_root_dir }}/venv state=absent
 when: mayan_install_mode=='upgrade'
@@ -43,6 +51,8 @@
 - pip
 - redis
 - mysql
+ - python-ldap
+ - django_auth_ldap
 state: "{{ (mayan_install_mode == 'none') | ternary('present', 'latest') }}"
 virtualenv: "{{ mayan_root_dir }}/venv"
 virtualenv_command: /usr/bin/virtualenv-3
@@ -90,6 +100,7 @@
 - mayan-edms-worker-slow.service
 - mayan-edms-beat.service
 register: mayan_systemd_units
+ notify: restart mayan-edms
 tags: mayan
 - name: Reload systemd
@@ -103,3 +114,9 @@
 - pre
 - post
 tags: mayan
+
+- name: Deploy auth configuration
+ template: src=auth.py.j2 dest={{ mayan_root_dir }}/data/mayan_settings/auth.py group={{ mayan_user }} mode=640
+ when: mayan_ldap_auth
+ notify: restart mayan-edms
+ tags: mayan
diff --git a/roles/mayan_edms/templates/auth.py.j2 b/roles/mayan_edms/templates/auth.py.j2
new file mode 100644
index 0000000..a61cd53
--- /dev/null
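Review bot: Replacing the `{{ mayan_root_dir }}/data` entry with `data/mayan_settings/` means the `data` directory itself (the `MAYAN_MEDIA_ROOT` in env.j2) is no longer created with `mode: 700` and `owner: "{{ mayan_user }}"`; if the task ahead of this hunk is `file: state=directory`, the parent is created implicitly with the default umask and owner, which on a fresh host can leave the document store readable by other local users. Keeping a separate `- path: "{{ mayan_root_dir }}/data"` entry with the same mode/owner before the new one avoids that. Also, Ansible documents that an unquoted, no-leading-zero `mode: 700` reaches the file module as decimal 700 (octal 1274) rather than 0700 — the context lines already had this, but the new entry inherits it, so `mode: "0700"` is worth applying to all three. The task header is outside the hunk.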
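Review bot: `python-ldap` and `django_auth_ldap` are added without a version constraint and, on upgrade runs, under `state: latest`, so the authentication backend floats to whatever the index serves that day. The existing entries follow the same pattern, but for an auth component a pin such as `django_auth_ldap==<pinned-version>` (or a constraints file) is worth the extra maintenance. The pip task's header is outside the hunk.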
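Review bot: The `Deploy auth configuration` task only runs when `mayan_ldap_auth` is true, so once LDAP is switched off a previously rendered `auth.py` — which holds `AUTH_LDAP_BIND_PASSWORD` in clear text — stays on disk even though env.j2 no longer points at it. A companion task `file: path={{ mayan_root_dir }}/data/mayan_settings/auth.py state=absent` with `when: not mayan_ldap_auth` and the same `notify` would remove it. `owner` is not set on the template call, so the file belongs to the connecting user and `mayan_user` only reads it through the group; that looks intentional, and a short comment saying so, `# root-owned on purpose: the service account must read but never rewrite its auth settings`, would save the next reader the question.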
+++ b/roles/mayan_edms/templates/auth.py.j2
@@ -0,0 +1,70 @@
+import ldap
+
+from django_auth_ldap.config import (
+ LDAPSearch, LDAPSearchUnion, {{ mayan_ldap_group_type }}
+)
+
+from mayan.settings.production import *
+
+ldap.set_option(ldap.OPT_DEBUG_LEVEL, {{ mayan_ldap_debug | ternary('1','0') }})
+
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+LDAP_USER_AUTO_CREATION = True
+
+AUTH_LDAP_START_TLS = {{ mayan_ldap_start_tls | ternary('True','False') }}
+
+{% if mayan_ldap_bind_dn is defined and mayan_ldap_bind_pass is defined %}
+AUTH_LDAP_BIND_DN = '{{ mayan_ldap_bind_dn }}'
+AUTH_LDAP_BIND_PASSWORD = '{{ mayan_ldap_bind_pass }}'
+{% endif %}
+LDAP_BASE_DN = '{{ mayan_ldap_base }}'
+AUTH_LDAP_SERVER_URI = '{{ mayan_ldap_uri }}'
+
+{% if mayan_ldap_user_ou | length > 0 %}
+AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
+{% for ou in mayan_ldap_user_ou %}
+ LDAPSearch(
+ '{{ ou }}', ldap.SCOPE_SUBTREE,
+ '{{ mayan_ldap_user_filter }}'
+ ),
+{% endfor %}
+)
+{% else %}
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+ '{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
+ '{{ mayan_ldap_user_filter }}'
+)
+{% endif %}
+
+AUTH_LDAP_USER_ATTR_MAP = {
+{% for attr in mayan_ldap_user_attr_map.keys() %}
+ '{{ attr }}': '{{ mayan_ldap_user_attr_map[attr] }}',
+{% endfor %}
+}
+
+{% if mayan_ldap_group_ou | length > 0 %}
+AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
+{% for ou in mayan_ldap_group_ou %}
+ LDAPSearch(
+ '{{ ou }}', ldap.SCOPE_SUBTREE,
+ '{{ mayan_ldap_group_filter }}'
+ ),
+{% endfor %}
+)
+{% else %}
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ '{{ mayan_ldap_base }}', ldap.SCOPE_SUBTREE,
+ '{{ mayan_ldap_group_filter }}'
+)
+{% endif %}
+
+AUTH_LDAP_GROUP_TYPE = {{ mayan_ldap_group_type }}()
+
+AUTHENTICATION_BACKENDS = (
+ 'django_auth_ldap.backend.LDAPBackend',
+ 'django.contrib.auth.backends.ModelBackend'
+)
+
+{% if mayan_auth_custom_conf is defined %}
+{{ mayan_auth_custom_conf }}
+{% endif %}
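Review bot: `AUTH_LDAP_BIND_DN = '{{ mayan_ldap_bind_dn }}'`, `AUTH_LDAP_BIND_PASSWORD = '{{ mayan_ldap_bind_pass }}'` and `LDAP_BASE_DN = '{{ mayan_ldap_base }}'` interpolate the variables into single-quoted Python literals with no escaping, so a bind password containing `'` or `\` either breaks the settings module at import (Mayan then fails to start) or silently changes the value. Rendering them as `AUTH_LDAP_BIND_PASSWORD = {{ mayan_ldap_bind_pass | to_json }}` produces a double-quoted, escaped literal that Python reads back unchanged; the `ou` and filter values inside the `LDAPSearch(...)` blocks should get the same treatment. Separately, the template renders `AUTH_LDAP_START_TLS = False` against a plain `ldap://` URI without comment, in which case the bind credentials and every user password cross the network unencrypted; a comment above that line, `# With start_tls off and an ldap:// URI, credentials are sent in clear: use ldaps:// or keep start_tls on`, makes the trade-off visible to whoever flips the default.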
diff --git a/roles/mayan_edms/templates/env.j2 b/roles/mayan_edms/templates/env.j2
index c4a424e..67635d3 100644
--- a/roles/mayan_edms/templates/env.j2
+++ b/roles/mayan_edms/templates/env.j2
@@ -1,10 +1,15 @@
 MAYAN_ALLOWED_HOSTS="['*']"
 PYTHONPATH="{{ mayan_root_dir }}/data/mayan_settings"
-DJANGO_SETTINGS_MODULE=mayan.settings.production
+DJANGO_SETTINGS_MODULE={{ mayan_ldap_auth | ternary('auth','mayan.settings.production') }}
 MAYAN_MEDIA_ROOT="{{ mayan_root_dir }}/data"
 MAYAN_CELERY_RESULT_BACKEND="{{ mayan_redis_url }}/{{ mayan_redis_db.result_backend }}"
 MAYAN_CELERY_BROKER_URL="{{ mayan_redis_url }}/{{ mayan_redis_db.broker }}"
 MAYAN_DATABASES="{default: {ENGINE: django.db.backends.mysql, HOST: '{{ mayan_db_server }}', NAME: '{{ mayan_db_user }}', PASSWORD: '{{ mayan_db_pass }}', USER: '{{ mayan_db_user }}'}}"
+MAYAN_DATABASE_ENGINE="django.db.backends.mysql"
+MAYAN_DATABASE_NAME={{ mayan_db_name | quote }}
+MAYAN_DATABASE_PASSWORD={{ mayan_db_pass | quote }}
+MAYAN_DATABASE_USER={{ mayan_db_user | quote }}
+MAYAN_DATABASE_HOST={{ mayan_db_server | quote }}
 MAYAN_DEFAULT_FROM_EMAIL={{ mayan_from_mail | quote }}
 MAYAN_DOCUMENTS_LANGUAGE={{ mayan_doc_lang }}
 MAYAN_SECURE_PROXY_SSL_HEADER="('HTTP_X_FORWARDED_PROTO', 'https')"
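Review bot: The new `MAYAN_DATABASE_NAME={{ mayan_db_name | quote }}` sits next to the untouched `MAYAN_DATABASES=...` line, which still sets `NAME: '{{ mayan_db_user }}'`; whenever `mayan_db_name` differs from `mayan_db_user` the two settings describe different databases, and which one Mayan honours is not visible here. Either drop `MAYAN_DATABASES` now that the per-field variables exist, or change its `NAME` to `'{{ mayan_db_name }}'` so both agree. Note also that `quote` is shell quoting: if this file is consumed as a systemd `EnvironmentFile` (the unit names in install.yml suggest it is), a password containing a single quote is rendered as `'…'"'"'…'`, which systemd's parser may not read the way a shell would — a double-quoted value with `"` and `\` escaped is the safer form there.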