puppetlabs / puppetlabs-apache

Puppet module for the Apache httpd server, maintained by Puppet, Inc.
https://forge.puppet.com/modules/puppetlabs/apache
Apache License 2.0

Using PrivateKeyFiles parameter in oidc_settings causes unrecognized key error #2567

Open uoe-pjackson opened 1 week ago

uoe-pjackson commented 1 week ago

Describe the Bug

When specifying the PrivateKeyFiles parameter for oidc_settings, Puppet fails with

Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Apache::Vhost[example.com]: parameter 'oidc_settings' unrecognized key 'PrivateKeyFiles'

It appears that PrivateKeyFiles is missing from the definition of Apache::OIDCSettings, so should be a case of just adding it.

Expected Behaviour

Successful application of the puppet catalog

Steps to Reproduce

Steps to reproduce the behaviour:

  1. Use the following vhost manifest

# $oidc_* and $siapp_url are set elsewhere in the manifest
apache::vhost { 'example.com':
  port          => 80,
  auth_oidc     => true,
  oidc_settings => {
    'ProviderMetadataURL'       => $oidc_provider_metadata_url,
    'Scope'                     => $oidc_scope,
    'RemoteUserClaim'           => $oidc_remote_user_claim,
    'ClientID'                  => $oidc_client_id,
    'CryptoPassphrase'          => $oidc_crypto_passphrase,
    'PrivateKeyFiles'           => "/etc/pki/tls/private/${siapp_url}-selfsigned.key",
    'PublicKeyFiles'            => "/etc/pki/tls/certs/${siapp_url}-selfsigned.crt",
    'ProviderTokenEndpointAuth' => 'private_key_jwt',
    'RedirectURI'               => '/oidc/redirect',
  },
}

Environment

uoe-pjackson commented 1 week ago

After further investigation there appears to be a number of other configuration parameters in the latest mod_auth_openidc that aren't defined in Apache::OIDCSettings.

The full list is:

CABundlePath CacheDir ClientTokenEndpointKeyPassword CookieDomain CookiePath DefaultLoggedOutURL DPoPMode FilterClaimsExpr LogoutRequestParams LogoutXFrameOptions MemCacheConnectionsHMax MemCacheConnectionsMin MemCacheConnectionsSMax MemCacheConnectionsTTL MetricsData MetricsPublish OAuthIntrospectionEndpoint OAuthIntrospectionEndpointKeyPassword OAuthTokenIntrospectionInterval PassAccessToken PKCEMethod PreservePostTemplates PrivateKeyFiles ProviderPushedAuthorizationRequestEndpoint ProviderSignedJwksUri ProviderVerifyCertFiles RedirectURLsAllowed RedisCacheConnectTimeout RedisCacheDatabase RedisCacheTimeout RedisCacheUsername StateCookiePrefix StateInputHeaders TraceParent UnAutzAction UserInfoClaimsExpr UserInfoSignedResponseAlg ValidateIssuer

I'm preparing a pull request to add these parameters.
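The check behind both comments above, as an added example that is neither puppetlabs-apache code nor the issue author's: the module emits each oidc_settings key as the corresponding mod_auth_openidc directive with the OIDC prefix prepended, so a key is "recognized" exactly when it appears in the Struct that defines Apache::OIDCSettings. The script below pulls the key names out of a Struct definition, pulls the directive names out of an auth_openidc.conf-style listing, reports the directives the Struct does not know (the ones that would fail catalog compilation with the error quoted in the issue), and appends them as Optional keys. The Struct, the conf excerpt and the settings hash are constructed samples shaped like the real ones, not the actual files, and the regexes assume keys are written as 'Key', Optional['Key'] or NotUndef['Key'].

```ruby
# Added example; not from puppetlabs-apache or the issue author.
# Inputs are constructed samples, not the real types/oidcsettings.pp
# or the real auth_openidc.conf.

# Constructed excerpt in the style of mod_auth_openidc's auth_openidc.conf
# (commented-out directive lines).
SAMPLE_AUTH_OPENIDC_CONF = <<~CONF
  #OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
  #OIDCClientID <client_id>
  #OIDCCryptoPassphrase <passphrase>
  #OIDCPrivateKeyFiles /path/to/private.pem
  #OIDCPublicKeyFiles /path/to/public.pem
  #OIDCProviderTokenEndpointAuth private_key_jwt
  #OIDCRedirectURI /oidc/redirect
  #OIDCScope "openid email profile"
  #OIDCRemoteUserClaim sub
  #OIDCPKCEMethod S256
CONF

# Constructed Puppet Struct in the style of Apache::OIDCSettings, deliberately
# lacking PrivateKeyFiles and PKCEMethod.
SAMPLE_STRUCT = <<~PP
  type Apache::OIDCSettings = Struct[{
    Optional['ProviderMetadataURL']       => Stdlib::HTTPUrl,
    Optional['Scope']                     => String,
    Optional['RemoteUserClaim']           => String,
    Optional['ClientID']                  => String,
    Optional['CryptoPassphrase']          => String,
    Optional['PublicKeyFiles']            => String,
    Optional['ProviderTokenEndpointAuth'] => Enum['client_secret_basic', 'private_key_jwt'],
    Optional['RedirectURI']               => String,
  }]
PP

# The oidc_settings hash from the issue's manifest with the interpolated
# values replaced by placeholders (constructed).
ISSUE_OIDC_SETTINGS = {
  'ProviderMetadataURL'       => 'https://idp.example.com/.well-known/openid-configuration',
  'Scope'                     => 'openid email profile',
  'RemoteUserClaim'           => 'sub',
  'ClientID'                  => 'app.example.com',
  'CryptoPassphrase'          => 'changeme',
  'PrivateKeyFiles'           => '/etc/pki/tls/private/app.example.com-selfsigned.key',
  'PublicKeyFiles'            => '/etc/pki/tls/certs/app.example.com-selfsigned.crt',
  'ProviderTokenEndpointAuth' => 'private_key_jwt',
  'RedirectURI'               => '/oidc/redirect',
}.freeze

# Directive names from an auth_openidc.conf-style listing, with the leading
# "OIDC" stripped so they line up with the module's oidc_settings keys.
def directive_names(conf_text)
  conf_text.scan(/^\s*#?\s*OIDC([A-Za-z0-9_]+)\b/).flatten.uniq
end

# Key names declared in a Puppet Struct body: 'Key', Optional['Key'] or
# NotUndef['Key'] followed by "=>". Quoted strings inside value types such as
# Enum['a', 'b'] are not followed by "=>" and are therefore ignored.
def struct_keys(struct_source)
  struct_source.scan(/(?:Optional|NotUndef)?\[?'([A-Za-z0-9_]+)'\]?\s*=>/).flatten.uniq
end

# Directives mod_auth_openidc accepts that the Struct would reject.
def missing_directives(struct_source, conf_text)
  directive_names(conf_text) - struct_keys(struct_source)
end

# Keys in a concrete oidc_settings hash that would trigger
# "parameter 'oidc_settings' unrecognized key '<Key>'" at compile time.
def unrecognized_keys(settings, struct_source)
  settings.keys - struct_keys(struct_source)
end

# Append the given keys as Optional entries of the given type, just before the
# closing "}]" of the Struct. String is a safe default for path-valued
# directives such as PrivateKeyFiles; tighten the type by hand where a stricter
# one (Enum, Stdlib::HTTPUrl, ...) applies.
def add_optional_keys(struct_source, keys, type = 'String')
  return struct_source if keys.empty?
  additions = keys.map { |k| "  Optional['#{k}'] => #{type}," }.join("\n")
  struct_source.sub(/^\}\]/, "#{additions}\n}]")
end

if __FILE__ == $PROGRAM_NAME
  missing = missing_directives(SAMPLE_STRUCT, SAMPLE_AUTH_OPENIDC_CONF)
  puts "unrecognized in issue manifest: #{unrecognized_keys(ISSUE_OIDC_SETTINGS, SAMPLE_STRUCT).inspect}"
  puts "directives missing from Struct: #{missing.inspect}"
  puts add_optional_keys(SAMPLE_STRUCT, missing)
end
```

Run against the real files by replacing the two sample constants with File.read of the module's types/oidcsettings.pp and of mod_auth_openidc's auth_openidc.conf; the directive list in the comment above is what such a comparison produces, modulo the version of mod_auth_openidc the conf file came from.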