[mailman3] Enable OIDC

Enable OIDC support for mailman3 staging deployment. Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2026-03-20 03:57:02 +08:00 · 2024-04-08 15:08:32 +02:00
parent cf48dec0eb
commit 9fbe2c3d7e
4 changed files with 31 additions and 1 deletions
--- a/playbooks/groups/mailman.yml
+++ b/playbooks/groups/mailman.yml
@@ -109,6 +109,8 @@
    mailman_hyperkitty_db_pass: "{{ mailman_hk_db_pass }}"
    mailman_hyperkitty_cookie_key: "{{ mailman_hk_cookie_key }}"
    mailman_hyperkitty_archiver_key: "{{ mailman_hk_stg_archiver_key }}"
+    mailman_openidc_server_url: https://id.stg.fedoraproject.org/openidc
+    mailman_openidc_secret: "{{ mailman_stg_oidc_pass }}"
    mailman_httpd_hostname: lists.stg.fedoraproject.org
    when: env == "staging"
  - {role: fedmsg/base,
--- a/roles/mailman3/defaults/main.yml
+++ b/roles/mailman3/defaults/main.yml
@@ -32,3 +32,12 @@ mailman_domains:
 - lists.example.com
 - lists.example.org
 mailman_social_login: []
+
+# OpenID-connect settings
+# Attention that you should ensure that callback/redirect_url set at the provider side will end with /
+# see https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html#openid-connect
+mailman_openidc_provider_id: fedora
+mailman_openidc_name: Fedora Account
+mailman_openidc_server_url: https://id.fedoraproject.org/openidc
+mailman_openidc_client_id: mailman3
+mailman_openidc_secret: boooooooooooooyoushouldnotreadthisasnotused
--- a/roles/mailman3/templates/mailmanweb.conf.j2
+++ b/roles/mailman3/templates/mailmanweb.conf.j2
@@ -1,5 +1,12 @@
 ServerName lists{{ env_suffix }}.fedoraproject.org

+Header always set Strict-Transport-Security "max-age=31536000"
+Header always set X-Frame-Options "SAMEORIGIN"
+Header always set X-Xss-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+Header always set Referrer-Policy "same-origin"
+RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+
 Alias /favicon.ico {{ mailman_webui_basedir }}/static/favicon.ico
 Alias /robots.txt  {{ mailman_webui_basedir }}/static/robots.txt
 Alias /static      {{ mailman_webui_basedir }}/static
--- a/roles/mailman3/templates/settings.py.j2
+++ b/roles/mailman3/templates/settings.py.j2
@@ -64,7 +64,6 @@ INSTALLED_APPS = (
    'django_extensions',
    'django_gravatar',
    'django_mailman3',
-    'django_mailman3.lib.auth.fedora',
    'django_q',
    'hyperkitty',
    'postorius',
@@ -228,6 +227,19 @@ ACCOUNT_ADAPTER = "django_fedora_nosignup.NoLocalSignUpAdapter"
 SOCIALACCOUNT_ADAPTER = "django_fedora_nosignup.SignUpEnabledSocialAdapter"

 SOCIALACCOUNT_PROVIDERS = {
+    'openid_connect': {
+        "SERVERS": [
+            {
+                "id": "{{ mailman3_openidc_provider_id }}",
+                "name": "{{ mailman3_openidc_name }}",
+                "server_url": "{{ mailman3_openidc_server_url }}",
+                "APP": {
+                    "client_id": "{{ mailman3_openidc_client_id }}",
+                    "secret": "{{ mailman3_openidc_secret }}",
+                },
+            },
+        ]
+    },
    'openid': {
        'SERVERS': [
            dict(id='yahoo',