Use LL::NG REST API for config and sessions

2024-01-02 21:23:18 +01:00 · 2024-01-02 21:23:18 +01:00 · d24ddc605d
parent ab87cfd7ea
commit d24ddc605d
4 changed files with 42 additions and 72 deletions
--- a/README.md
+++ b/README.md
@ -32,19 +32,24 @@ Note that while creating new or updating existing basicauth entry will be reload


 # Lemonldap::NG Handler
-The job support running a Lemonldap::NG handler, but in a very specific configuration only for now. You have to use a MySQL or MariaDB for the config and the sessions, and this DB must be reachable through the Consul service mesh.
-Then you need to enable support for the handler, in your variables.yml file
+The job support running a Lemonldap::NG handler, using the REST API to reach config and session databases
 ```
 lemonldap:
  enabled: True
-  db:
-    service_name: mariadb
+  config:
+    url: https://auth.example.org/index.psgi/config
    user: lemonldap
-    db: lemonldap
+    password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
+    realm: Lemonldap::NG API
+  sessions:
+    url: https://auth.example.org/index.psgi/sessions/global
+    user: lemonldap
+    password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
+    realm: Lemonldap::NG API
 ```

-And the password for the DB is stored in vault
+And the password for the API is stored in vault

 ```
-vault kv put kv/service/traefik llng_handler_db_pwd='ThisIsNotAVeryStrongPassword'
+vault kv put kv/service/traefik llng_api_pwd='ThisIsNotAVeryStrongPassword'
 ```
--- a/templates/lemonldap-ng.ini.tpl
+++ b/templates/lemonldap-ng.ini.tpl
@ -1,5 +1,5 @@
 [all]
-logLevel = debug
+logLevel = info
 logger = Lemonldap::NG::Common::Logger::Std
 userLogger = Lemonldap::NG::Common::Logger::Std
 localSessionStorage = Cache::FileCache
@ -7,71 +7,33 @@ localSessionStorageOptions = { \
  'namespace' => 'sessions', \
  'default_expires_in' => '10', \
  'directory_umask' => '007', \
-  'cache_root' => '/secrets/cache/', \
+  'cache_root' => '/tmp', \
  'cache_depth' => 3 \
 }
-globalStorage = Apache::Session::Browseable::MySQL
+globalStorage = Lemonldap::NG::Common::Apache::Session::REST
 globalStorageOptions = { \
-  'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
-  'UserName' => '[[ .lemonldap.db.user ]]', \
-  'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
-  'TableName' => 'sessions', \
-  'Index' => 'ipAddr _whatToTrace user _session_kind _utime _httpSessionType', \
-  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-persistentStorage = Apache::Session::Browseable::MySQL
-persistentStorageOptions = { \
-  'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
-  'UserName' => '[[ .lemonldap.db.user ]]', \
-  'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
-  'TableName' => 'psessions', \
-  'Index' => 'ipAddr _whatToTrace _session_kind _httpSessionType _session_uid', \
-  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-samlStorage = Apache::Session::Browseable::MySQL
-samlStorageOptions = { \
-  'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
-  'UserName' => '[[ .lemonldap.db.user ]]', \
-  'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
-  'TableName' => 'samlsessions', \
-  'Index' => '_session_kind _utime _saml_id', \
-  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-oidcStorage = Apache::Session::Browseable::MySQL
-oidcStorageOptions = { \
-  'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
-  'UserName' => '[[ .lemonldap.db.user ]]', \
-  'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
-  'TableName' => 'oidcsessions', \
-  'Index' => '_session_kind _utime', \
-  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-casStorage = Apache::Session::Browseable::MySQL
-casStorageOptions = { \
-  'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
-  'UserName' => '[[ .lemonldap.db.user ]]', \
-  'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
-  'TableName' => 'cassessions', \
-  'Index' => '_session_kind _utime _cas_id', \
-  'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
+  baseUrl => "[[ .lemonldap.sessions.url ]]", \
+[[- if and (has .lemonldap.sessions "user") (has .lemonldap.sessions "password") (has .lemonldap.sessions "realm") ]]
+  user => "[[ .lemonldap.sessions.user ]]", \
+  password => "[[ .lemonldap.sessions.password ]]", \
+  realm => "[[ .lemonldap.sessions.realm ]]", \
+[[- end ]]
 }

 [configuration]
-type = CDBI
-dbiChain = DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1
-dbiUser = [[ .lemonldap.db.user ]]
-dbiPassword = {{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}
+type = REST
+baseUrl = [[ .lemonldap.config.url ]]
+[[- if and (has .lemonldap.config "user") (has .lemonldap.config "password") (has .lemonldap.config "realm") ]]
+user = [[ .lemonldap.config.user ]]
+password = [[ .lemonldap.config.password ]]
+realm = [[ .lemonldap.config.realm ]]
+[[- end ]]
 localStorage = Cache::FileCache
 localStorageOptions = { \
  'namespace' => 'config', \
  'default_expires_in' => '5', \
  'directory_umask' => '007', \
-  'cache_root' => '/secrets/cache/', \
+  'cache_root' => '/tmp', \
  'cache_depth' => 0 \
 }

-[handler]
-https = 1
-status = 0
-hideSignature = 1
-
--- a/traefik.nomad.hcl
+++ b/traefik.nomad.hcl
@ -136,6 +136,8 @@ _EOF
          "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
          "local/Traefik.pm:/usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Server/Traefik.pm:ro"
        ]
+        # Add a tmpfs to store config and session cache
+[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
      }

      lifecycle {
@ -151,7 +153,7 @@ _EOF

      template {
        data        =<<_EOT
-  [[ template "traefik/lemonldap-ng.ini.tpl" . ]]
+[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
 _EOT
        destination = "secrets/lemonldap-ng.ini"
        perms       = "0400"
--- a/variables.yml
+++ b/variables.yml
@ -93,13 +93,14 @@ lemonldap:
    cpu: 200
    memory: 128

-  # DB the handler will use for config and session
-  # Only MySQL/MariaDB is supported for now
-  db:
-    host: 127.0.0.1
-    port: 3306
-    # DB user
-    user: lemonldapnghandler
-    # DB name
-    name: lemonldapng
+  config:
+    url: https://auth.example.org/index.psgi/config
+    # user: lemonldap
+    # password: secret
+    realm: Lemonldap::NG API

+  sessions:
+    url: https://auth.example.org/index.psgi/sessions/global
+    # user: lemonldap
+    # password: secret
+    realm: Lemonldap::NG API