Merge lp:~roadmr/canonical-identity-provider/ssl-utilities into lp:canonical-identity-provider/release

Proposed by Daniel Manrique
Status: Merged
Approved by: Daniel Manrique
Approved revision: no longer in the source branch.
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~roadmr/canonical-identity-provider/ssl-utilities
Merge into: lp:canonical-identity-provider/release
Diff against target: 54 lines (+31/-1)
2 files modified
Makefile (+8/-1)
README (+23/-0)
To merge this branch: bzr merge lp:~roadmr/canonical-identity-provider/ssl-utilities
Reviewer: Guillermo Gonzalez
Review status: Approve
Review via email: mp+372079@code.launchpad.net

Commit message

Add run-ssl makefile target and README instructions

Description of the change

This is preliminary to U2F-enablement work as U2F only works over a secure connection - this makes dev/testing on non-localhost easier/possible.

Guillermo Gonzalez (verterok) wrote :

LGTM

review: Approve

Preview Diff

=== modified file 'Makefile'
--- Makefile 2019-04-30 19:14:58 +0000
+++ Makefile 2019-08-30 16:20:39 +0000
@@ -186,8 +186,15 @@
186 $(DJANGO_MANAGE) $(ARGS)186 $(DJANGO_MANAGE) $(ARGS)
187187
188run: ARGS=0.0.0.0:8000188run: ARGS=0.0.0.0:8000
189run: PID_ID=gunicorn
189run: collectstatic django-check ## Start development server190run: collectstatic django-check ## Start development server
190 $(ENV)/bin/gunicorn django_project.wsgi:application --workers=2 --reload --pid=logs/gunicorn.pid --bind=$(ARGS) --timeout=99999 --error-logfile=- --access-logfile=-191 $(ENV)/bin/gunicorn django_project.wsgi:application --workers=2 --reload --pid=logs/$(PID_ID).pid --bind=$(ARGS) --timeout=99999 --error-logfile=- --access-logfile=- $(SSL_CONFIG)
192
193run-ssl: dev-sso.crt
194 $(MAKE) run SSL_CONFIG="--certfile=dev-sso.crt --keyfile=dev-sso.key --ssl-version 2" ARGS=0.0.0.0:8443 SSO_ROOT_URL=https://sso-xenial:8443 PID_ID=gunicorn-ssl
195
196dev-sso.crt:
197 openssl req -x509 -nodes -newkey rsa:4096 -keyout dev-sso.key -out dev-sso.crt -days 365 -subj '/CN=sso-xenial'
191198
192start: bootstrap start-db199start: bootstrap start-db
193200
194201
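Review bot: run-ssl depends only on dev-sso.crt, yet its recipe passes both --certfile=dev-sso.crt and --keyfile=dev-sso.key, so when dev-sso.key is missing but the certificate is present make will not regenerate the pair and gunicorn is started with a key file that does not exist. Consider listing the key as a prerequisite too, or generating both files from a rule that checks for both. The openssl req call uses -nodes, so dev-sso.key is an unencrypted private key written to the project root; nothing in this diff adds it to the ignore list, which is worth doing so it cannot be committed by accident. The certificate is issued with only -subj '/CN=sso-xenial' and no subjectAltName, which current browsers do not accept for hostname matching, and the same hostname is hardcoded again in SSO_ROOT_URL; a single variable would keep the two in step. Finally, --ssl-version 2 is a bare number that deserves a comment saying which protocol setting it selects.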
=== modified file 'README'
--- README 2019-03-13 20:49:20 +0000
+++ README 2019-08-30 16:20:39 +0000
@@ -242,6 +242,29 @@
242242
243 Add the output config (LP_API_URL etc.) to "../local_config/settings.py"243 Add the output config (LP_API_URL etc.) to "../local_config/settings.py"
244244
24514. (Optional) Use SSL for the development service
246
247 Testing some features on a development instance might require this: an
248 example is SAML because SAML only works over a secure connection.
249
250 There's a run-ssl target just for this. It will start the service on port
251 8443 with a self-signed certificate (which is created if it didn't exist).
252
253 Importantly, a non-ssl process must also be running ("make run") because
254 internal API communication goes over http.
255
256 $ # On one terminal/tmux window
257 $ make run
258 $ # On another terminal/tmux window
259 $ make run-ssl
260 $ # Test that SSL works
261 $ curl -k --head https://sso-xenial:8443
262 HTTP/1.1 200 OK
263
264 If the self-signed certificates are not enough for your purposes, you can
265 place any certificate in dev-sso.crt and its key in dev-sso.key in the
266 project's root and run-ssl will use those.
267
245268
246BAZAAR269BAZAAR
247------270------
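Review bot: The verification step uses curl -k, which skips certificate validation, so the HTTP/1.1 200 OK shown only proves that something answers over TLS on port 8443, not that dev-sso.crt is the certificate being served or that it matches sso-xenial. Suggest curl --cacert dev-sso.crt --head https://sso-xenial:8443 so the check fails when the wrong certificate is in use. The step also names SAML as the feature that needs a secure connection, while the merge description motivates the change with U2F; the two should be aligned. It would help to state that sso-xenial must resolve to the development host, that dev-sso.key is an unencrypted private key that should stay out of version control, and that a replacement certificate still has to be valid for sso-xenial because run-ssl sets SSO_ROOT_URL=https://sso-xenial:8443.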