Merge pull request #114 from CESNET/rel3431

zlamalp · web-flow · commit b41efce59ad2 · 2024-04-03T10:00:04.000+02:00
Update instanceConfig.json templates for NGUI v16.0.0+
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -246,6 +246,7 @@ perun_ngui_footer:
 
 perun_ngui_logo: "😀"
 perun_ngui_theme: {}
+perun_ngui_mfa: {}
 
 # shared password strength hints for new GUI
 perun_ngui_password_help:
@@ -287,7 +288,6 @@ perun_ngui_admin_supported_languages: ['en']
 perun_ngui_admin_member_profile_attributes_friendly_names: []
 perun_ngui_admin_login_namespace_attributes: []
 perun_ngui_admin_password_namespace_attributes: []
-perun_ngui_admin_pwd_reset_base_url: "https://{{ perun_rpc_hostname }}/fed/pwd-reset/"
 perun_ngui_admin_log_out_enabled: true
 perun_ngui_admin_brandings: "{ '{{ perun_ngui_admin_hostname}}': {} }" #Ansible cannot substitute variables in dictionary keys, this is a workaround
 perun_ngui_admin_apache_special_config1: ""
@@ -296,6 +296,9 @@ perun_ngui_admin_user_deletion_forced: false
 perun_ngui_admin_enforce_consents: false
 perun_ngui_admin_warning_message: ""
 perun_ngui_admin_password_help: '{{ perun_ngui_password_help }}'
+perun_ngui_admin_other_apps:
+  en:
+    profile: "Profile"
 
 #new GUI Profile
 perun_ngui_profile_enabled: no
@@ -321,7 +324,6 @@ perun_ngui_profile_password_namespace_attributes: []
 perun_ngui_profile_consolidator_url: "https://{{ perun_rpc_hostname }}/fed-ic/ic/"
 perun_ngui_profile_consolidator_url_cert: "https://{{ perun_rpc_hostname }}/cert-ic/ic/"
 perun_ngui_profile_registrar_base_url: "https://{{ perun_rpc_hostname }}/fed/registrar/"
-perun_ngui_profile_pwd_reset_base_url: "https://{{ perun_rpc_hostname }}/fed/pwd-reset/"
 perun_ngui_profile_page_attributes:
   - friendly_name: organization
     display_name_en: Organization
@@ -338,7 +340,6 @@ perun_ngui_profile_page_attributes:
     display_name_cs: Preferovaný mail
     tooltip_en: ''
     tooltip_cs: ''
-perun_ngui_profile_mfa: {}
 perun_ngui_profile_display_identity_certificates: true
 perun_ngui_profile_external_services: []
 perun_ngui_profile_displayed_tabs: ['profile', 'identities', 'groups', 'privacy', 'authentication', 'ssh_keys']
@@ -349,8 +350,11 @@ perun_ngui_profile_header_label_cs: "Profil uživatele"
 perun_ngui_profile_document_title:
   en: "{{ perun_ngui_profile_header_label_en }}"
   cs: "{{ perun_ngui_profile_header_label_cs }}"
-perun_ngui_profile_admin_gui_label_en: "IAM Administration"
-perun_ngui_profile_admin_gui_label_cs: "Správa IAM"
+perun_ngui_profile_other_apps:
+  en:
+    admin: "IAM Administration"
+  cs:
+    admin: "Správa IAM"
 perun_ngui_profile_link_to_admin_gui_by_roles: [
     "PERUNADMIN",
     "PERUNOBSERVER",
@@ -370,13 +374,13 @@ perun_ngui_profile_preferred_unix_group_names: []
 perun_ngui_profile_footer: '{{ perun_ngui_footer }}'
 perun_ngui_profile_theme: '{{ perun_ngui_theme }}'
 perun_ngui_profile_log_out_enabled: true
-perun_ngui_profile_logo_padding: ""
 perun_ngui_profile_logo: '{{ perun_ngui_logo }}'
 perun_ngui_profile_brandings: "{ '{{ perun_ngui_profile_hostname}}': {} }" #Ansible cannot substitute variables in dictionary keys, this is a workaround
 perun_ngui_profile_use_new_consolidator: false
 perun_ngui_profile_local_account_namespace: ""
 perun_ngui_profile_password_help: '{{ perun_ngui_password_help }}'
 perun_ngui_profile_password_help_cs: '{{ perun_ngui_password_help_cs }}'
+perun_ngui_profile_warning_message: '{{ perun_ngui_admin_warning_message }}'
 
 #new GUI Consolidator
 
@@ -385,6 +389,9 @@ perun_ngui_consolidator_hostname: "perun.aai.example.org"
 perun_ngui_consolidator_hostname_aliases: []
 perun_ngui_consolidator_tls_cert_same_as_host: yes
 perun_ngui_consolidator_document_title: "Consolidator"
+perun_ngui_consolidator_other_apps:
+  en:
+    profile: "Profile"
 perun_ngui_consolidator_client_id: "xxx-xxxx-xxxx-xxx-xx-xxx"
 perun_ngui_consolidator_oauth_authority: '{{ perun_ngui_oauth_authority }}'
 perun_ngui_consolidator_oauth_csp_url: '{{ perun_ngui_consolidator_oauth_authority }}'
@@ -447,10 +454,10 @@ perun_ngui_pwdreset_oauth_scopes: "openid profile perun_api offline_access"
 perun_ngui_pwdreset_oauth_response_type: "code"
 perun_ngui_pwdreset_oauth_offline_access_consent_prompt: '{{ perun_ngui_oauth_offline_access_consent_prompt }}'
 perun_ngui_pwdreset_oauth_filters: '{{ perun_ngui_admin_oauth_filters }}'
-perun_ngui_pwdreset_mfa: {}
 perun_ngui_pwdreset_password_help: '{{ perun_ngui_password_help }}'
 perun_ngui_pwdreset_password_help_cs: '{{ perun_ngui_password_help_cs }}'
 perun_ngui_pwdreset_brandings: "{ '{{ perun_ngui_pwdreset_hostname }}': {} }"
+perun_ngui_pwdreset_default_namespace: ""
 
 #new GUI Publications
 perun_ngui_publications_enabled: no
@@ -481,7 +488,25 @@ perun_ngui_publications_header_label_cs: "Publikace"
 perun_ngui_publications_document_title:
   en: "{{ perun_ngui_publications_header_label_en }}"
   cs: "{{ perun_ngui_publications_header_label_cs }}"
-
+perun_ngui_publications_other_apps:
+  en:
+    admin: "IAM Administration"
+    profile: "Profile"
+perun_ngui_publications_link_to_admin_gui_by_roles: [
+  "PERUNADMIN",
+  "PERUNOBSERVER",
+  "VOADMIN",
+  "VOOBSERVER",
+  "GROUPADMIN",
+  "GROUPOBSERVER",
+  "RESOURCEADMIN",
+  "RESOURCEOBSERVER",
+  "FACILITYADMIN",
+  "FACILITYOBSERVER",
+  "TRUSTEDFACILITYADMIN",
+  "SPONSOR",
+  "TOPGROUPCREATOR"
+]
 
 # virtual host for API
 perun_api_enabled: no
diff --git a/templates/instance_configs/consolidatorInstanceConfig.json.j2 b/templates/instance_configs/consolidatorInstanceConfig.json.j2
@@ -19,11 +19,14 @@
     },
   "proxy_logout": {{ perun_ngui_consolidator_proxy_logout|bool|to_json }},
   "document_title": "{{ perun_ngui_consolidator_document_title }}",
+  "other_apps": {{ perun_ngui_consolidator_other_apps|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
+  "link_to_admin_gui_by_roles": {{ perun_ngui_publications_link_to_admin_gui_by_roles|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "instance_favicon": {{ perun_ngui_consolidator_instance_favicon|to_json }},
   "path_to_idp_provider_userinfo": {{ perun_ngui_consolidator_path_to_idp_provider_userinfo|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "path_to_idp_logo_userinfo": {{ perun_ngui_consolidator_path_to_idp_logo_userinfo|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "path_to_idp_logo_width_userinfo": {{ perun_ngui_consolidator_path_to_idp_logo_width_userinfo|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "path_to_idp_logo_height_userinfo": {{ perun_ngui_consolidator_path_to_idp_logo_height_userinfo|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "support_mail": "{{ perun_email }}",
   "footer": {{ perun_ngui_footer|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "logo": {{ perun_ngui_logo|to_json }},
diff --git a/templates/instance_configs/instanceConfig.json.j2 b/templates/instance_configs/instanceConfig.json.j2
@@ -33,10 +33,10 @@
     "oauth_offline_access_consent_prompt": {{ perun_ngui_oauth_offline_access_consent_prompt|bool|to_json }},
     "filters": {{ perun_ngui_admin_oauth_filters|to_nice_json(indent=2,ensure_ascii=False)|indent(4) }}
   },
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "proxy_logout": {{ perun_ngui_admin_proxy_logout|bool|to_json }},
   "login_namespace_attributes": {{ perun_ngui_admin_login_namespace_attributes|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "password_namespace_attributes": {{ perun_ngui_admin_password_namespace_attributes|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
-  "pwd_reset_base_url": "{{ perun_ngui_admin_pwd_reset_base_url }}",
   "password_help": {{ perun_ngui_admin_password_help|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
 {% if perun_rpc_group_nameSecondaryRegex is defined %}
   "group_name_secondary_regex": {{ perun_rpc_group_nameSecondaryRegex|to_json }},
@@ -48,6 +48,7 @@
   "member_profile_attributes_friendly_names": {{ perun_ngui_admin_member_profile_attributes_friendly_names|to_json }},
   "footer": {{ perun_ngui_footer|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "log_out_enabled": {{ perun_ngui_admin_log_out_enabled|bool|to_json }},
+  "other_apps": {{ perun_ngui_admin_other_apps|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "logo": {{ perun_ngui_logo|to_json }},
   "theme": {{ perun_ngui_theme|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "brandings": {{ perun_ngui_admin_brandings|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
diff --git a/templates/instance_configs/linkerInstanceConfig.json.j2 b/templates/instance_configs/linkerInstanceConfig.json.j2
@@ -17,6 +17,7 @@
       "oauth_offline_access_consent_prompt": {{ perun_ngui_linker_oauth_offline_access_consent_prompt|bool|to_json }},
       "user_info_endpoint_url": "{{ perun_ngui_linker_user_info_endpoint_url }}"
     },
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "document_title": "{{ perun_ngui_linker_document_title }}",
   "instance_favicon": {{ perun_ngui_linker_instance_favicon|to_json }},
   "support_mail": "{{ perun_email }}"
diff --git a/templates/instance_configs/profileInstanceConfig.json.j2 b/templates/instance_configs/profileInstanceConfig.json.j2
@@ -28,9 +28,8 @@
   "consolidator_url": "{{ perun_ngui_profile_consolidator_url }}",
   "consolidator_url_cert": "{{ perun_ngui_profile_consolidator_url_cert }}",
   "registrar_base_url": "{{ perun_ngui_profile_registrar_base_url }}",
-  "pwd_reset_base_url": "{{ perun_ngui_profile_pwd_reset_base_url }}",
   "profile_page_attributes": {{ perun_ngui_profile_page_attributes|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
-  "mfa": {{ perun_ngui_profile_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "password_help": {{ perun_ngui_profile_password_help|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "password_help_cs": {{ perun_ngui_profile_password_help_cs|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "display_identity_certificates": {{ perun_ngui_profile_display_identity_certificates|to_json }},
@@ -39,14 +38,16 @@
   "custom_labels": {{ perun_ngui_profile_custom_labels|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "header_label_en": "{{ perun_ngui_profile_header_label_en }}",
   "header_label_cs": "{{ perun_ngui_profile_header_label_cs }}",
-  "admin_gui_label_en": "{{ perun_ngui_profile_admin_gui_label_en }}",
-  "admin_gui_label_cs": "{{ perun_ngui_profile_admin_gui_label_cs }}",
   "link_to_admin_gui_by_roles": {{ perun_ngui_profile_link_to_admin_gui_by_roles|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "preferred_unix_group_names": {{ perun_ngui_profile_preferred_unix_group_names|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "footer": {{ perun_ngui_profile_footer|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "theme": {{ perun_ngui_profile_theme|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "log_out_enabled": {{ perun_ngui_profile_log_out_enabled|to_json }},
-  "logo_padding": {{ perun_ngui_profile_logo_padding|to_json }},
+{% if perun_ngui_profile_warning_message %}
+  "display_warning": true,
+  "warning_message": "{{ perun_ngui_profile_warning_message }}",
+{% endif %}
+  "other_apps": {{ perun_ngui_profile_other_apps|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "logo": {{ perun_ngui_profile_logo|to_json }},
   "brandings": {{ perun_ngui_profile_brandings|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "use_new_consolidator": {{ perun_ngui_profile_use_new_consolidator|to_json }},
diff --git a/templates/instance_configs/publicationsInstanceConfig.json.j2 b/templates/instance_configs/publicationsInstanceConfig.json.j2
@@ -22,6 +22,7 @@
     "oauth_offline_access_consent_prompt": {{ perun_ngui_publications_oauth_offline_access_consent_prompt|to_json }},
     "filters": {{ perun_ngui_publications_oauth_filters|to_nice_json(indent=2,ensure_ascii=False)|indent(4) }}
   },
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
 {% if perun_ngui_publications_warning_message %}
   "display_warning": true,
   "warning_message": "{{ perun_ngui_publications_warning_message }}",
@@ -32,6 +33,7 @@
   "logo": {{ perun_ngui_publications_logo|to_json }},
   "header_label_en": "{{ perun_ngui_publications_header_label_en }}",
   "header_label_cs": "{{ perun_ngui_publications_header_label_cs }}",
+  "other_apps": {{ perun_ngui_publications_other_apps|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "footer": {{ perun_ngui_publications_footer|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "theme": {{ perun_ngui_publications_theme|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "brandings": {{ perun_ngui_publications_brandings|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }}
diff --git a/templates/instance_configs/pwdresetInstanceConfig.json.j2 b/templates/instance_configs/pwdresetInstanceConfig.json.j2
@@ -22,7 +22,7 @@
     "oauth_offline_access_consent_prompt": {{ perun_ngui_pwdreset_oauth_offline_access_consent_prompt|to_json }},
     "filters": {{ perun_ngui_pwdreset_oauth_filters|to_nice_json(indent=2,ensure_ascii=False)|indent(4) }}
   },
-  "mfa": {{ perun_ngui_pwdreset_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
+  "mfa": {{ perun_ngui_mfa|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
 {% if perun_ngui_pwdreset_warning_message %}
   "display_warning": true,
   "warning_message": "{{ perun_ngui_pwdreset_warning_message }}",
@@ -33,6 +33,7 @@
   "footer": {{ perun_ngui_pwdreset_footer|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "theme": {{ perun_ngui_pwdreset_theme|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "brandings": {{ perun_ngui_pwdreset_brandings|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
+  "default_namespace": "{{ perun_ngui_pwdreset_default_namespace }}",
   "password_help": {{ perun_ngui_pwdreset_password_help|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }},
   "password_help_cs": {{ perun_ngui_pwdreset_password_help_cs|to_nice_json(indent=2,ensure_ascii=False)|indent(2) }}
 }
diff --git a/templates/sites-enabled/perun-profile.conf.j2 b/templates/sites-enabled/perun-profile.conf.j2
@@ -83,7 +83,7 @@
   # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
   Header always set X-XSS-Protection "1; mode=block"
   # https://scotthelme.co.uk/content-security-policy-an-introduction/
-  Header always set Content-Security-Policy "default-src 'self' ; connect-src 'self' {{ perun_ngui_profile_oauth_csp_url }} https://{{ perun_ngui_profile_api_hostname if perun_ngui_profile_api_hostname is defined else perun_api_hostname }} {{ perun_ngui_profile_mfa.api_url if perun_ngui_profile_mfa.api_url is defined else '' }} ; img-src 'self' data: ; font-src https://fonts.gstatic.com https://fonts.googleapis.com ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
+  Header always set Content-Security-Policy "default-src 'self' ; connect-src 'self' {{ perun_ngui_profile_oauth_csp_url }} https://{{ perun_ngui_profile_api_hostname if perun_ngui_profile_api_hostname is defined else perun_api_hostname }} {{ perun_ngui_mfa.api_url if perun_ngui_mfa.api_url is defined else '' }} ; img-src 'self' data: ; font-src https://fonts.gstatic.com https://fonts.googleapis.com ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
   # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
   Header always set Referrer-Policy "no-referrer-when-downgrade"
   # https://scotthelme.co.uk/a-new-security-header-feature-policy/
