Skip to content

Commit ba76791

Browse files
zlamalpzlamalp
committed
Fixed perun.properties template
- Reordered MFA/StepUp/UserInfoEndpoint entries. - Convert enforceMfa and requestUserInfoEndpoint to boolean variables. - Change default of perun_rpc_introspectionEndpoint_mfaAcrValue variable to "https://refeds.org/profile/mfa" - Fixed missing newline when printing perun_rpc_app_allowed_roles into perun.properties
1 parent b590255 commit ba76791

2 files changed

Lines changed: 10 additions & 9 deletions

File tree

defaults/main.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,6 @@ perun_rpc_extsources_multiple_identifiers: ""
7878
perun_rpc_lookup_user_by_identifiers_and_extSourceLogin: 'false'
7979
perun_rpc_user_deletion_forced: 'false'
8080
perun_rpc_force_consents: 'false'
81-
perun_rpc_requestUserInfoEndpoint: 'false'
8281
perun_rpc_defaultLoa_idp: "2"
8382
perun_rpc_recaptcha_privatekey: '6Lf0eUYUAAAAAIBxpRrA7UNrT7czQ28IoH9yiDBE'
8483
perun_rpc_mailchange_secretKey: "test"
@@ -116,13 +115,14 @@ perun_rpc_group_maxConcurentGroupsToSynchronize: 10
116115
perun_rpc_group_structure_maxConcurrentGroupsStructuresToSynchronize: 10
117116
perun_rpc_powerusers: "perun"
118117
perun_rpc_db_initializator_enabled: yes
118+
perun_rpc_requestUserInfoEndpoint: no
119119
perun_rpc_userInfoEndpoint_extSourceLogin: ""
120120
perun_rpc_userInfoEndpoint_extSourceName: ""
121121
perun_rpc_userInfoEndpoint_extSourceFriendlyName: ""
122122
perun_rpc_introspectionEndpoint_mfaAuthTimeout: 1440
123123
perun_rpc_introspectionEndpoint_mfaAuthTimeoutPercentageForceLogIn: 75
124-
perun_rpc_introspectionEndpoint_mfaAcrValue: ""
125-
perun_rpc_enforceMfa: 'false'
124+
perun_rpc_introspectionEndpoint_mfaAcrValue: "https://refeds.org/profile/mfa"
125+
perun_rpc_enforceMfa: no
126126
perun_rpc_mounts_additional: []
127127
perun_rpc_idpLoginValidity: 24
128128
perun_rpc_idpLoginValidityExceptions: []

templates/perun.properties.j2

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -166,9 +166,6 @@ perun.user.deletion.forced={{ perun_rpc_user_deletion_forced }}
166166
# Require consents throughout Perun
167167
perun.force.consents={{ perun_rpc_force_consents }}
168168

169-
# If the call to user info endpoint should be made (on OIDC) when creating PerunPrincipal
170-
perun.requestUserInfoEndpoint={{ perun_rpc_requestUserInfoEndpoint }}
171-
172169
perun.defaultLoa.idp={{ perun_rpc_defaultLoa_idp }}
173170

174171
{% if perun_rpc_group_nameSecondaryRegex is defined %}
@@ -195,6 +192,9 @@ perun.sendIdentityAlerts={{ perun_rpc_sendIdentityAlerts }}
195192
# Therefore, account linking will not be offered to users even when they already have registered some similar accounts.
196193
perun.findSimilarUsersDisabled={{ perun_rpc_registrar_findSimilarUsers_disabled }}
197194

195+
# If the call to user info endpoint should be made (on OIDC) when creating PerunPrincipal
196+
perun.requestUserInfoEndpoint={{ perun_rpc_requestUserInfoEndpoint|bool|to_json }}
197+
198198
# names of the property in userInfo that could contain extSourceLogin
199199
perun.userInfoEndpoint.extSourceLogin={{ perun_rpc_userInfoEndpoint_extSourceLogin }}
200200

@@ -204,6 +204,9 @@ perun.userInfoEndpoint.extSourceName={{ perun_rpc_userInfoEndpoint_extSourceName
204204
# properties that are path in the userInfo to the extSourceFriendlyName
205205
perun.userInfoEndpoint.extSourceFriendlyName={{ perun_rpc_userInfoEndpoint_extSourceFriendlyName }}
206206

207+
# when set to true, MFA is required for critical operations and attribute actions
208+
perun.enforceMfa={{ perun_rpc_enforceMfa|bool|to_json }}
209+
207210
# timeout limit (minutes) for the MFA to be valid (timestamp cannot be older than the limit)
208211
perun.introspectionEndpoint.mfaAuthTimeout={{ perun_rpc_introspectionEndpoint_mfaAuthTimeout }}
209212

@@ -215,9 +218,6 @@ perun.introspectionEndpoint.mfaAuthTimeoutPercentageForceLogIn={{ perun_rpc_intr
215218
# expected acr value to be returned from introspection endpoint if MFA was performed
216219
perun.introspectionEndpoint.mfaAcrValue={{ perun_rpc_introspectionEndpoint_mfaAcrValue }}
217220

218-
# when set to true, MFA is required for critical operations and attribute actions
219-
perun.enforceMfa={{ perun_rpc_enforceMfa }}
220-
221221
# how many months is lastAccess of user IdP extSource valid for attributes retrieval
222222
perun.idpLoginValidity={{ perun_rpc_idpLoginValidity }}
223223

@@ -229,6 +229,7 @@ perun.forceHtmlSanitization={{ perun_rpc_force_html_sanitization|bool|to_json }}
229229

230230
# Limit roles in session for the old GUI apps. This is necessary to support step-up MFA globally.
231231
perun.appAllowedRoles.apps={% for app in perun_rpc_app_allowed_roles %}{{ app.name }}{% if not loop.last %},{% endif %}{% endfor %}
232+
232233
{% for app in perun_rpc_app_allowed_roles %}
233234
perun.appAllowedRoles.{{ app.name }}.reg={{ app.reg }}
234235
perun.appAllowedRoles.{{ app.name }}.roles={{ app.roles|join(',') }}

0 commit comments

Comments
 (0)