more

0011ee8e · Adam Lewenberg · a17f18d3 · 0011ee8e · 0011ee8e · 0011ee8e
Commit 0011ee8e authored 8 years ago by Adam Lewenberg
--- a/manifests/config.pp
+++ b/manifests/config.pp
 class shibb_idp3::config {

+  # idp.properties file
+  include shibb_idp3::config::idp_properties

  # 1. web.xml: custom version contains TwoStepRemoteUser definition.
  file { '/opt/shibboleth-idp/webapp/WEB-INF/web.xml':
@@ -8,15 +10,6 @@ class shibb_idp3::config {
    mode    => '0644',
  }

-  # Add idp.properties configuration file. This file has a password in it(?)
-  file { '/etc/shibboleth-idp/conf/idp.properties':
-    ensure  => present,
-    content => template('shibb_idp3/etc/shibboleth-idp/conf/idp.properties.erb'),
-    owner   => 'tomcat8',
-    group   => 'tomcat8',
-    mode    => '0644',
-  }
-
  # 1. metadata-providers.xml: points to all our SP metadata.
  file { '/etc/shibboleth-idp/conf/metadata-providers.xml':
    ensure  => present,

--- a/manifests/config/idp_properties.pp
+++ b/manifests/config/idp_properties.pp
+class shibb_idp3::config::idp_properties {
+
+  ## idp.properties
+  # Add idp.properties configuration file. This file has a password in it
+  # so we (1) install a template file first, then (2) a small wallet file with the
+  # password in it, then (3) merge the two to get the final idp.properies file.
+
+  $datasealer_template_file = '/etc/shibboleth-idp/conf/idp.properties.template'
+  $idp_properties_file      = '/etc/shibboleth-idp/conf/idp.properties'
+  $datasealer_password_file = '/opt/shibboleth-idp/credentials/datasealer.password'
+
+  base::wallet { $data_sealer_name:
+    type   => 'file',
+    path   => $datasealer_password_file,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0640';
+  }
+
+  # (1)
+  file { $datasealer_template_file:
+    ensure  => present,
+    content => template('shibb_idp3/etc/shibboleth-idp/conf/idp.properties.template.erb'),
+    owner   => 'tomcat8',
+    group   => 'tomcat8',
+    mode    => '0644',
+  }
+
+
+  # (2)
+  case "${shibb_idp3::env}" {
+    'prod':  { $data_sealer_name = 'config/its-idg/idp/datasealer' }
+    'uat':   { $data_sealer_name = 'config/its-idg/idp-uat/datasealer' }
+    'dev':   { $data_sealer_name = 'config/its-idg/idp-dev/datasealer' }
+    default: { fail("unknown environment ${shibb_idp3::env}") }
+  }
+
+
+  # (3)
+  exec { "generate-conf $idp_properties_file":
+    command     => "generate-conf --template $datasealer_template_file --config $datasealer_password_file
+    --newfile $idp_properties_file",
+    refreshonly => true,
+    subscribe   => [
+                    File[$datasealer_template_file],
+                    Base::Wallet[$data_sealer_name],
+                    ]
+  }
+
+  # Set file permissions on $idp_properties_file file
+  file { $idp_properties_file:
+    owner   => 'root',
+    group   => 'tomcat8',
+    mode    => '0640',
+    require => Exec["generate-conf $idp_properties_file"],
+  }
+
+}
--- a/templates/etc/shibboleth-idp/conf/idp.properties.erb
+++ b/templates/etc/shibboleth-idp/conf/idp.properties.erb
@@ -31,8 +31,8 @@ idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
 #
 # adamhl: idp.sealer.storePassword and idp.sealer.keyPassword need to be
 # set to the SAME value (why?!?).
-idp.sealer.storePassword= EFP3ToaeVDN6iCSr
-idp.sealer.keyPassword= EFP3ToaeVDN6iCSr
+idp.sealer.storePassword= %%DATA_SEALER_PASSWORD%%
+idp.sealer.keyPassword= %%DATA_SEALER_PASSWORD%%

 # Settings for public/private signing and encryption key(s)
 # During decryption key rollover, point the ".2" properties at a second