Access rules for profile and photo sharing (#10)

3d99e590 · Clément OUDOT · c70d9d06 · 3d99e590 · 3d99e590 · 3d99e590
Commit 3d99e590 authored Jul 08, 2021 by Clément OUDOT
--- a/README.md
+++ b/README.md
@@ -71,6 +71,8 @@ Configuration parameters are set as environment variables.
 | LEMONLDAP2_OIDCPUB                | Path to OIDC public key                       |
 | LEMONLDAP2_SAMLPRIV               | Path to SAML private key                      |
 | LEMONLDAP2_SAMLPUB                | Path to SAML public key or certificate        |
+| LEMONLDAP2_UNPROTECT_PHOTO_URL    | Allow unauthenticated access to user photo    |
+| LEMONLDAP2_UNPROTECT_PROFILE_URL  | Allow unauthenticated access to user profile  |
 | LSC_LDAP_PASSWORD                 | Password of LSC service account               |
 | LSC_LDAP_USERNAME                 | Identifier of LSC service account             |
 | POSTGRES_HOST                     | Host of database server                       |

--- a/build/centos8/lemonldap-ng/ansible/deploy.yaml
+++ b/build/centos8/lemonldap-ng/ansible/deploy.yaml
@@ -48,6 +48,9 @@
      lemonldap2_fusiondirectory_host: "{{ lookup('env', 'FUSIONDIRECTORY_HOST') }}"
      lemonldap2_fusiondirectory_port: "{{ lookup('env', 'FUSIONDIRECTORY_PORT') }}"

+      lemonldap2_unprotect_profile_url: "{{ lookup('env', 'LEMONLDAP2_UNPROTECT_PROFILE_URL') | default(0, true) }}"
+      lemonldap2_unprotect_photo_url: "{{ lookup('env', 'LEMONLDAP2_UNPROTECT_PHOTO_URL') | default(0, true) }}"
+
  tasks:
  - name: LemonLDAP main configuration file
    template:

--- a/build/centos8/lemonldap-ng/ansible/llng_config_base.yml
+++ b/build/centos8/lemonldap-ng/ansible/llng_config_base.yml
@@ -88,6 +88,20 @@
      - name: "locationRules/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/default"
        value: "inGroup('access-fusiondirectory')"

+- name: Unprotect profile URL
+  lemonldap_config:
+      name: "locationRules:{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}:^/index\\.php\\?page=display&dn="
+      value: "unprotect"
+      sep: ":"
+  when: lemonldap2_unprotect_profile_url|bool
+
+- name: Unprotect photo URL
+  lemonldap_config:
+      name: "locationRules:{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}:^/photo\\.php\\?dn="
+      value: "unprotect"
+      sep: ":"
+  when: lemonldap2_unprotect_photo_url|bool
+
 - name: Set Portal configuration
  lemonldap_config:
      name: "{{ item.name }}"

--- a/run/ENVVAR.example
+++ b/run/ENVVAR.example
@@ -17,6 +17,8 @@ LEMONLDAP2_OIDCPRIV=/etc/lemonldap-ng-keys/oidc.key
 LEMONLDAP2_OIDCPUB=/etc/lemonldap-ng-keys/oidc_pub.key
 LEMONLDAP2_SAMLPRIV=/etc/lemonldap-ng-keys/saml.key
 LEMONLDAP2_SAMLPUB=/etc/lemonldap-ng-keys/saml.pem
+LEMONLDAP2_UNPROTECT_PHOTO_URL=1
+LEMONLDAP2_UNPROTECT_PROFILE_URL=0
 POSTGRES_HOST=10.0.2.2
 POSTGRES_PASSWORD=secret
 POSTGRES_PORT=33432