authorRalph Bean <rbean@redhat.com>2017-02-15 15:52:03 +0000
committerRalph Bean <rbean@redhat.com>2017-02-15 15:52:09 +0000
commit9f6dafbe935122c80341d1cacd62f4d41f02ba09 (patch)
tree73e9cab7d1e40171f4c0578d62c519114ff47554
parentc1b28e4568f7b67922d9fd2f8afd6ed9d2340517 (diff)
downloadansible-9f6dafbe935122c80341d1cacd62f4d41f02ba09.tar.gz
ansible-9f6dafbe935122c80341d1cacd62f4d41f02ba09.tar.xz
ansible-9f6dafbe935122c80341d1cacd62f4d41f02ba09.zip
Set OIDC secrets in place for MBS service provider.
-rw-r--r--roles/mbs/common/tasks/main.yml5
-rw-r--r--roles/mbs/common/templates/client_secrets.json.production11
-rw-r--r--roles/mbs/common/templates/client_secrets.json.staging11
3 files changed, 13 insertions, 14 deletions
diff --git a/roles/mbs/common/tasks/main.yml b/roles/mbs/common/tasks/main.yml
index 5a1126d3b..a2518479c 100644
--- a/roles/mbs/common/tasks/main.yml
+++ b/roles/mbs/common/tasks/main.yml
@@ -26,10 +26,11 @@
- mbs
- mbs/common
-- name: copy client secrets that aren't really secret.
+- name: copy client secrets
template: >
src=client_secrets.json.{{env}} dest=/etc/module-build-service/client_secrets.json
- owner=root group=root mode=0644
+ owner=root group=apache mode=0640
+ when: inventory_hostname.startswith('mbs-web')
notify:
- restart apache
tags:
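Review bot: The task now renders a real client secret, yet nothing in the visible lines keeps the rendered file out of Ansible's output; a run with `--diff` would print the template content, `client_secret` included. Adding `no_log: true` to the task would prevent that. The `when: inventory_hostname.startswith('mbs-web')` condition also ties secret distribution to a hostname prefix; a group-membership test would be less fragile if a matching group exists in the inventory. The task continues past the end of the hunk.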
diff --git a/roles/mbs/common/templates/client_secrets.json.production b/roles/mbs/common/templates/client_secrets.json.production
index e25c1b49a..9b12f4cc7 100644
--- a/roles/mbs/common/templates/client_secrets.json.production
+++ b/roles/mbs/common/templates/client_secrets.json.production
@@ -1,12 +1,11 @@
{
"web": {
"auth_uri": "https://id.fedoraproject.org/openidc/Authorization",
- "client_id": "mbs-authorizer",
- "client_secret": "notsecret",
- "redirect_uris": [
- "http://localhost:13747/"
- ],
+ "client_id": "mbs-prod",
+ "client_secret": "{{ mbs_prod_oidc_client_secret }}",
+ "redirect_uris": [],
"token_uri": "https://id.fedoraproject.org/openidc/Token",
- "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo"
+ "token_introspection_uri": "https://id.fedoraproject.org/openidc/TokenInfo",
+ "userinfo_uri": "https://id.fedoraproject.org/openidc/UserInfo"
}
}
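Review bot: The secret is interpolated raw between JSON quotes on the `client_secret` line, so a value containing `"` or `\` would yield an invalid or silently altered client_secrets.json. Letting the filter do the quoting avoids that: `"client_secret": {{ mbs_prod_oidc_client_secret | to_json }},`. The same applies to `mbs_stg_oidc_client_secret` in client_secrets.json.staging. The variable's definition is not part of this commit; presumably it lives in a private vars store, which is worth confirming so the value never lands in this repository.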
diff --git a/roles/mbs/common/templates/client_secrets.json.staging b/roles/mbs/common/templates/client_secrets.json.staging
index 7fd5069da..f78371caf 100644
--- a/roles/mbs/common/templates/client_secrets.json.staging
+++ b/roles/mbs/common/templates/client_secrets.json.staging
@@ -1,12 +1,11 @@
{
"web": {
"auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
- "client_id": "mbs-authorizer",
- "client_secret": "notsecret",
- "redirect_uris": [
- "http://localhost:13747/"
- ],
+ "client_id": "mbs-stg",
+ "client_secret": "{{ mbs_stg_oidc_client_secret }}",
+ "redirect_uris": [],
"token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
- "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+ "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo",
+ "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo"
}
}