Create roles for apache and shibboleth that run the lms and

support registration and login via apache + mod_wsgi + mod_shib Note that we now thing that gunicorn and mod_wsgi should not live on the same machine if they are running the exact same codebase with the exact same edx logging directories. This seems to cause deadlock at random times

Create roles for apache and shibboleth that run the lms and
support registration and login via apache + mod_wsgi + mod_shib Note that we now thing that gunicorn and mod_wsgi should not live on the same machine if they are running the exact same codebase with the exact same edx logging directories. This seems to cause deadlock at random times
37e8d778 · Jason Bau · 074b4f02 · 37e8d778 · 37e8d778 · 37e8d778
Commit 37e8d778 authored May 30, 2013 by Jason Bau
16 changed files
--- a/playbooks/edx-west/ansible.cfg
+++ b/playbooks/edx-west/ansible.cfg
+../ansible.cfg
\ No newline at end of file
--- a/playbooks/edx-west/edxapp_prod_apache.yml
+++ b/playbooks/edx-west/edxapp_prod_apache.yml
- hosts: tag_Name_app4_prod
+- hosts: ~tag_Name_app(12|22)_prod
 #- hosts: security_group_edx-prod-EdxappServerSecurityGroup-NSKCQTMZIPQB
  sudo: True
  vars_files:
@@ -6,6 +6,12 @@
    - "{{ secure_dir }}/vars/users.yml"
    - "{{ secure_dir }}/vars/edxapp_prod_users.yml"
    - "{{ secure_dir }}/vars/shib_prod_vars.yml"
+  vars:
+    secure_dir: '../../../configuration-secure/ansible'
+    # this indicates the path to site-specific (with precedence)
+    # things like nginx template files
+    local_dir:  '../../../configuration-secure/ansible/local'
+
  roles:
    - nginx
    - edxapp

--- a/playbooks/roles/apache/handlers/main.yml
+++ b/playbooks/roles/apache/handlers/main.yml
+---
+- name: restart apache
+  service: name=apache2 state=restarted
--- a/playbooks/roles/apache/tasks/apache_site.yml
+++ b/playbooks/roles/apache/tasks/apache_site.yml
+# Requires nginx package
+---
+- name: Copying apache config {{ site_name }}
+  template: src={{ item }} dest=/etc/apache2/sites-available/{{ site_name }}
+  first_available_file:
+    - "{{ local_dir }}/apache/templates/{{ site_name }}.j2"
+    # seems like paths in first_available_file must be relative to the playbooks dir
+    - "roles/apache/templates/{{ site_name }}.j2"
+  notify: restart apache
+  when_set: $apache_role_run
+  tags:
+    - apache
+    - update
+
+- name: Creating apache2 config link {{ site_name }}
+  file: src=/etc/apache2/sites-available/{{ site_name }} dest=/etc/apache2/sites-enabled/{{ site_name }} state={{ state }} owner=root group=root
+  notify: restart apache
+  when_set: $apache_role_run
+  tags:
+    - apache
+    - update
--- a/playbooks/roles/apache/tasks/main.yml
+++ b/playbooks/roles/apache/tasks/main.yml
+#Installs apache and runs the lms wsgi
+---
+
+- name: Installs apache and mod_wsgi from apt
+  apt: pkg={{item}} install_recommends=no state=present update_cache=yes
+  with_items:
+    - apache2
+    - libapache2-mod-wsgi
+  notify: restart apache
+  tags:
+    - apache
+    - install
+    
+- name: disables default site
+  command: a2dissite 000-default
+  notify: restart apache
+  tags:
+    - apache
+    - install
+    
+- name: rewrite apache ports conf
+  template: dest=/etc/apache2/ports.conf src=ports.conf.j2 owner=root group=root
+  notify: restart apache
+  tags:
+    - apache
+    - install
+  
+- name: Register the fact that apache role has run
+  command: echo True
+  register: apache_role_run
+  tags:
+    - apache
+    - install
+
+
+- include: apache_site.yml state=link site_name=lms
--- a/playbooks/roles/apache/templates/lms.j2
+++ b/playbooks/roles/apache/templates/lms.j2
+WSGIPythonHome {{venv_dir}}
+WSGIRestrictEmbedded On
+
+<VirtualHost *:{{apache_port}}>
+    ServerName https://{{ lms_env_config.SITE_NAME }}
+    ServerAlias *.{{ lms_env_config.SITE_NAME }}
+    UseCanonicalName On
+ 
+    Alias /static/ /opt/wwc/staticfiles/
+    
+    <Directory /opt/wwc/staticfiles>
+        Order deny,allow
+        Allow from all
+    </Directory>
+
+    SetEnv SERVICE_VARIANT lms
+    
+    WSGIScriptAlias / {{platform_code_dir}}/lms/wsgi_apache_lms.py
+
+    <Directory {{platform_code_dir}}/lms>
+    <Files wsgi_apache_lms.py>
+        Order deny,allow
+        Allow from all
+    </Files>
+    </Directory>
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+        Satisfy Any
+        Allow from all
+        AuthType None
+        Require all granted
+        ShibRequestSetting applicationId class
+    </Location>
+    <Location '/shib-login'>
+        ShibRequestSetting applicationId class
+        AuthType shibboleth
+        ShibRequestSetting requireSession 1
+        require valid-user
+    </Location>
+
+    WSGIDaemonProcess lms user=www-data group=adm processes=1 python-path={{platform_code_dir}}:{{venv_dir}}/lib/python2.7/site-packages display-name=%{GROUP}
+    WSGIProcessGroup lms
+    WSGIApplicationGroup %{GLOBAL}
+    
+    ErrorLog ${APACHE_LOG_DIR}/apache-edx-error.log
+
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" apache-edx
+    CustomLog ${APACHE_LOG_DIR}/apache-edx-access.log apache-edx
+
+</VirtualHost>
\ No newline at end of file
--- a/playbooks/roles/apache/templates/ports.conf.j2
+++ b/playbooks/roles/apache/templates/ports.conf.j2
+NameVirtualHost *:{{apache_port}}
+Listen {{apache_port}}
--- a/playbooks/roles/apache/vars/main.yml
+++ b/playbooks/roles/apache/vars/main.yml
+---
+apache_port: 80
\ No newline at end of file
--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -35,12 +35,6 @@
  - nginx
  - update

- name: Ensuring that nginx is running
-  service: name=nginx state=started
-  tags:
-  - nginx
-  - update
-
 # Note that nginx logs to /var/log until it reads its configuration, so /etc/logrotate.d/nginx is still good

 - name: Set up nginx access log rotation

--- a/playbooks/roles/shibboleth/handlers/main.yml
+++ b/playbooks/roles/shibboleth/handlers/main.yml
+---
+- name: restart shibd
+  service: name=shibd state=restarted
--- a/playbooks/roles/shibboleth/tasks/main.yml
+++ b/playbooks/roles/shibboleth/tasks/main.yml
+#Install shibboleth
+
+---
+- name: Installs shib and dependencies from apt
+  apt: pkg={{item}} install_recommends=no state=present update_cache=yes
+  with_items:
+    - shibboleth-sp2-schemas
+    - libshibsp-dev
+    - libshibsp-doc
+    - libapache2-mod-shib2
+    - opensaml2-tools
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: Creates /etc/shibboleth/metadata directory
+  file: path=/etc/shibboleth/metadata state=directory mode=2774 group=_shibd owner=_shibd
+  tags:
+    - shib
+    - install
+
+- name: Downloads metadata into metadata directory as backup
+  get_url: url=https://idp.stanford.edu/Stanford-metadata.xml dest=/etc/shibboleth/metadata/idp-metadata.xml mode=0640 group=_shibd owner=_shibd
+  tags:
+    - shib
+    - install
+
+- name: writes out key and pem file
+  template: src=sp.{{item}}.j2 dest=/etc/shibboleth/sp.{{item}}  group=_shibd owner=_shibd mode=0600
+  with_items:
+    - key
+    - pem
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: writes out configuration files
+  template: src={{item}}.j2 dest=/etc/shibboleth/{{item}}  group=_shibd owner=_shibd mode=0644
+  with_items:
+    - attribute-map.xml
+    - shibboleth2.xml
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+
+- name: enables shib
+  command: a2enmod shib2
+  notify: restart shibd
+  tags:
+    - shib
+    - install
+    
--- a/playbooks/roles/shibboleth/templates/attribute-map.xml.j2
+++ b/playbooks/roles/shibboleth/templates/attribute-map.xml.j2
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="eduPersonEntitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
+    
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+    
+    <!-- First, the deprecated version: -->
+<!-- Using SAML2 so comment out SAML1 definition.
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+-->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+
+    <!-- Second, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!-- Third, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name"/>
+    </Attribute>
+
+    <!--Examples of LDAP-based attributes, uncomment to use these... -->
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid-alt"/>
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:suDisplayNameLF" id="suDisplayNameLF"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalAddress" id="postalAddress"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:suUnivID" id="suUnivID"/>
+
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:2.5.4.3" id="cn"/>
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
+    <Attribute name="urn:oid:2.5.4.12" id="title"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:2.5.4.9" id="street"/>
+    <Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
+    <Attribute name="urn:oid:2.5.4.11" id="ou"/>
+
+</Attributes>
--- a/playbooks/roles/shibboleth/templates/shibboleth2.xml.j2
+++ b/playbooks/roles/shibboleth/templates/shibboleth2.xml.j2
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+
+
+
+    <!-- READ ME!
+ 
+      This configuration file is based on Shibboleth SP v2.4.3. Stanford
+      runs both a production and development IdP (identity provider)
+      system, each with a pair of load balanced servers. This file is
+      pre-configured against the production IdP. If you ever want to
+      authenticate against dev instead, replace 'idp.stanford.edu' with
+      'idp-dev.stanford.edu' in the two locations below (SSO link and
+      metadata download).
+
+      More information:
+
+      * https://itservices.stanford.edu/service/shibboleth/sp
+      * http://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
+ -->
+
+
+
+
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="{{shib.sp_entity_id}}" REMOTE_USER="eppn persistent-id targeted-id">
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
+        in that case. Note that while we default checkAddress to "false", this has a negative
+        impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="{{shib.idp_entity_id}}">
+              SAML2 SAML1
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed" cacheToDisk="false" />
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="{{shib.support_email}}"
+            logoLocation="/shibboleth-sp/logo.jpg"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <!--
+        <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+            <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
+            <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
+        </MetadataProvider>
+        -->
+        <!-- Automatically download and refresh the IDP's metadata. -->
+        <MetadataProvider type="XML" uri="{{shib.idp_metadata_url}}"
+             backingFilePath="/etc/shibboleth/metadata/idp-metadata.xml"
+             reloadInterval="7200" >
+        </MetadataProvider>
+
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp.key" certificate="sp.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+        <ApplicationOverride id="class" entityID="{{shib.sp_entity_id}}"/>
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
+
--- a/playbooks/roles/shibboleth/templates/sp.key.j2
+++ b/playbooks/roles/shibboleth/templates/sp.key.j2
+{{ shib.sp_key }}
\ No newline at end of file
--- a/playbooks/roles/shibboleth/templates/sp.pem.j2
+++ b/playbooks/roles/shibboleth/templates/sp.pem.j2
+{{ shib.sp_pem }}
\ No newline at end of file
--- a/playbooks/roles/shibboleth/vars/main.yml
+++ b/playbooks/roles/shibboleth/vars/main.yml
+shib:
+  sp_entity_id: 'https://class.stanford.edu/shibboleth'
+  idp_entity_id: 'https://idp.stanford.edu/'
+  idp_metadata_url: 'https://idp.stanford.edu/Stanford-metadata.xml'
+  support_email: 'bugs@class.stanford.edu'
+  sp_key: |
+    YOU NEED TO GENERATE A REAL KEY HERE USING OPENSSL
+  sp_pem: |
+    THE CORRESPONDING CERTIFICATE PEM GOES HERE