Configurable networkmanager

CHANGELOG

@@ -1,333 +0,0 @@
-* Make the default locale and the available locales for the stepup applications configurable using group_vars.
-  See the playbook variables "default_locale" and "enabled_locales" in group_vars/all.yml. These two variables
-  must be added to existing environments.
-* Add "lb_addresses" in group_vars/all.yml. When using a load balancer, set this variable to an array of IP addresses
-  of the loadbalancers. Used in nginx config and default ip(6)tables config.
-
-
-Release 13.2 (hotfix)
-- Hotfix for two SimpleSAMLphp vulnerabilities
-- Fix Tiqr authentication from Microsoft Office 365 applications
-
-* All Stepup components:
-- Update SimpleSAMLphp with fixes for 201802-01 and 201803-01
-
-* Stepup-tiqr
-- Fix a Script error when authenticating with Tiqr from Microsoft Office 365 applications
-
-Install:
-* Deploy components:
-  - Stepup-Gateway 2.7.5
-  - Stepup-SelfService 2.7.2
-  - Stepup-RA 2.7.3
-  - Stepup-tiqr 1.1.8
-
-
-Release 13.1 (hotfix)
-Hotfix for matching case-insensitive identifiers
-
-Install:
-* Deploy component
-  - Gateway 2.7.3
-
-
-Release 13
-Bugfix release solving two issues:
-- fix an issue with pushing institution config changes, which was broken in release 12
-- fix an issue with determining an institution-specific LoA for unknown users
-
-In addition, Kibana log retention is extended from 90 to 120 days.
-
-Install:
-* Deploy components:
-  - Gateway 2.7.2
-  - Middleware 2.6.4
-  - RA 2.7.1
-
-* run manage role (for manage_keep_logs_days)
-  ansible-playbook site.tyml -i <inventory> -t manage -l <host>
-
-
-Release 12
-Add support for the SFO extension for Microsoft ADFS (https://github.com/SURFnet/ADFS-MFA-SAML2.0-Extension) to the
-Setup-Gateway
-
-* Gateway
-- Add support for receiving SAML AuthnRequests using the the HTTP-POST binding
-- When the ADFS specific "AuthMethod" and "Context" are present the SFO endpoint will switch to "SFO extension for ADFS"
-  mode:
-  - It adds "AuthMethod" and "Context" HTTP POST variables from the request to the response
-  - It returns the SAMLResponse in a HTTP POST variable "_SAMLResponse" instead of "SAMLResponse"
-
-* Deploy
-- "app" role: Added "lb_addresses" variable to specify trusted IPs for the X-Forwarded-For header. Stopped using hosts
-  from lb group for this purpose as the lb role is going to be removed from the playbook. If you are using the lb role
-  you should set "lb_addresses" variable add redeploy the app role.
-
-Install:
-* Deploy components:
-  - Gateway 2.7.0
-
-* Rerun app role (for lb_addresses)
-  ansible-playbook site.yml -i <inventory> -t app -l <host>
-
-
-Release 11
-Fix for per institution LoA configuration, add GSSP though configuration, update Swiftmailer because of CVE-2016-10074,
-show error when missing EPTI attribute.
-
-* Gateway
-- Fix: Update swiftmailer because of CVE-2016-10074. Exploitation requires the attacker to control the email address.
-- Fix: Per IdP LoA configuration for an SP by institution ID. Institution ID's are now recognised in the loa definition of
-  an SP as described in https://github.com/OpenConext/Stepup-Middleware/blob/master/docs/MiddlewareConfiguration.md#service-providers
-- Fix: The gateway would generate a SAML Assertion without a Subject when the Assertion from the remote IdP did not
-  contain a eduPersonTargetedID attribute with a NameID. Now an error is shown on the gateway when this occurs.
-
-* Middleware, Gateway, SelfService and RA
-- A new GSSP can be though configuration. The Ansible environment must be updated:
-  - A new parameter "stepup_enabled_generic_second_factors" was introduced
-  - The "stepup_enabled_factors" parameter was updated
-  When using the existing GSSPs "tiqr" and "biometric", the changes are minimal. The requied changes are described in
-  docs/add-gssf-to-stepup.md
-
-Install:
-* Deploy components:
-  - Middleware 2.6.0
-  - Gateway 2.6.0
-  - RA 2.7.0
-  - SelfService 2.7.0
-
-
-Release 10
-Add option to test 2nd factor in SelfService, bugfixes
-
-* Upgrade Guzzle4 to Guzzle6
-
-* SelfService:
-  - The user now has the option to test authentication with their token in the self service interface.
-
-* Gateway:
-  - Fix: wrong entity added for saml:AuthenticatingAuthority
-
-* Middleware:
-  - Fix: bootstrapping an identity leads to unusable identity
-
-* Tiqr:
-  - Fix: no push notifications received when changing phones
-  - Fix: minor layout and translation issues
-  - Accounts are blocked after 5 authentication failures
-  - Improved support for browsers on mobile devices
-
-Install:
-* Deploy components:
-  - Middleware 2.5.0
-  - Gateway 2.5.0
-  - SelfService 2.6.2
-  - RA 2.6.1
-  - Tiqr 1.1.5
-
-
-Release 9
-Limit token types per institution, AuthnRequest signature validation error bug,
-Mixed case schacHomeOrganization bug
-
-* The repositories were moved from the GitHub SURFnet organization to the OpenConext organization
-
-* Middleware:
-  - Fix: Error when applying an institution configuration when to institution is using a mixed case
-    schacHomeOrganization
-  - The institution configuration now requires an "allowed_second_factors" option. This option can be used
-    limit the available token types
-
-* Gateway:
-  - Security: Use HTTPS instead of HTTP when validating a yubikey challenge at the Yubico validation service.
-    This makes validation more robust against attacks on the message signatures.
-  - Fix: Mishandeling of the URL encoding of SAML AuthnRequests causes valid signatures to be considered
-    invalid by the Gateway
-
-* SelfService interface:
-  - The available token types that a user can select can be limited on a per institution basis
-
-Install:
-* Deploy components:
-  - Middleware 2.4.0
-  - Gateway 2.4.2
-  - SelfService 2.5.0
-
-* Run database migrations
-  - Run "/root/01-middleware-db_migrate.sh" on an app server
-
-
-Release 8
-Revocation email, UI improvements
-
-* Middleware:
-  - Send an email when an active second factor is revoked. Added a "second_factor_revoked" mail template to
-    "template/middleware/middleware-config.json.j2"
-
-* RA interface:
-  - Fix: sorting the audit log fails for some fields
-  - Fix: no error message was shown when a user with an expired registration code was vetted
-  - Fix: RA's could vet users belonging to other institutions
-  - Added help text under the search box in the "Token Activation" screen
-  - Limited input in the document number field to 6 characters
-  - Remove text 'optional' in tokens screen
-  - The Manual link URL in the footer is now per language and must be set through "ra_manual_url" in
-    "stepup-ra.yml"
-  - Check the Issuer in the SAML Response. It must matches the saml_remote_idp_entity_id set in "paramters.yml"
-
-* Selfservice interface:
-  - Help link URL in the footer is now per language and must be set through "ss_support_url" in
-    "stepup-selfservice.yml"
-  - Check the Issuer in the SAML Response. It must matches the saml_remote_idp_entity_id set in "paramters.yml"
-
-Install:
-* Deploy components
-  - Middleware 2.3.1
-  - Selfservice 2.3.0
-  - RA 2.4.0
-
-
-Release 7
-RA Locations, Institution configuration, Server-side session expiry
-
-* Added per institution configuration through the middleware API of the way the RA location are shown to users in the
-  selfservice interface and email.
-  - The RAA contacts can be hidden, so only RA contacts are shown. Defaults to old behaviour (show both RA and RAA contacts)
-  - Instead of RA(A) contacts RA locations can be shown. When enabled the RAA of an institution can edit the list of the
-    RA locations through the RA interface. Defaults to old behaviour (show RA(A) contacts)
-  - Added an institution configuration for enabling/disabling the above two options. Configuration though the template
-    in <inventory>/templates/middleware/middleware-institution.json
-    See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
-  - The email template for 'registration_code' in middleware-config.json.j2 is replaced by 'registration_code_with_ras'
-    and 'registration_code_with_ra_locations'.
-    See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
-* Added server side session timeouts based on absolute (since login) and relative (since last client interaction with the
-  server) through "app_session_max_duration" and "app_session_expiry_time" group_vars.
-* RA interface changes
-  - Show the document number in the tokens overview in the RA interface (requires event replay)
-  - The time in the audit log is now shown in the timezone configured in the webbrowser instead of in UTC
-* The Selfservice, RA and Gateway now set/update a HTTP cookie named "stepup_locale" with the current known preferred
-  locale of the user. The domain for which the cookie is set is configured through the "locale_cookie_domain" group_var.
-* Various minor UI layout fixes/improvements.
-* Fix: middleware:event:replay may fail with Middleware < 2.1.0.
-* tiqr fixes
-  - solves a problem with iOS10 devices
-  - small layout en translation improvements
-
-Install:
-* Deploy components
-  - Middleware 2.1.0
-  - Gateway 2.2.0
-  - Selfservice 2.2.0
-  - RA 2.2.0
-  - tiqr 1.1.4
-
-* Run database migrations
-  - Run "/root/01-middleware-db_migrate.sh" on an app server
-
-* Replay eventlog
-  - Prevent changes during the replay by taken middleware offline (or take the SS and RA offline)
-  - Change to middleware directory (e.g. /opt/www/middleware.example.org)
-  - Run "php app/console middleware:event:replay --env=prod_event_replay" on an app server
-    The replay runs in a single database transaction. It replays all events en recreates the projections. This may take
-    some time depending on the number of events in the events table.
-
-
-Release 6
-Ansible 2, Second factor only (SFO) authentication, biometric authentication type
-
-* Deploy now requires Ansible 2
-* Set "serial: 1" in site.yml playbook, to deploy one host at a time, even when more than one host is targeted
-* Add second factory only (SFO) authentication to the GW, disabled by default
-* Add support for a "biometric" authentication type using GSSP
-* Added vars for SFO: gateway_second_factor_only, stepup_uri_sfo_loa2, stepup_uri_sfo_loa3
-* Added var for stepup cookie domain: locale_cookie_domain
-* Service providers in the middleware configuration require two new configuration keys. To keep the current
-  behaviour add:
-    "second_factor_only": false,
-    "second_factor_only_nameid_patterns": [],
-* Add translations for tiqr error messages, fix regression error in tiqr userId
-
-Install:
-* Run the app role from the site.yml playbook
-* Deploy components
-  - Middleware 1.6.0
-  - Gateway 2.0.0
-  - SelfService 1.4.0
-  - RA 1.4.0
-  - tiqr 1.1.3
-
-
-Release 5.2
-Infrastucture changes: Read-only accounts for external access to middleware and gateway databases,
-SMTP smarthost and disable IPv6
-
-Security: Block HTTP Proxy header in haproxy and nginx (CVE-2016-5385)
-
-* Optionally use SMTP smarthost on servers with app role. Configuration through sendmail_smarthost in group_vars/app.yml
-* Optionally create gateway_ro and middleware_ro accounts for read only access to the gateway and middleware databases
-  Configuration in group_vars/dbcluser.yml though database_(gateway|middleware)_readonly_(user|password)
-* Disable IPv6
-
-Install:
-* Run the dbcluster, lb and app roles from the site.yml playbook
-* Deploy component
-  - none
-
-
-Release 5.1 (hotfix)
-Hotfixes for loadbalancer configuration (fixes issues with tiqr registration)
-
-* Updated sysctl-local.conf to allow nonlocal binds
-* Updated nginx.yml tasks and nginx.vhost.conf.j2 template to have nginx listen on dedicated IP addresses
-
-Install:
-* Run the lb role from the site.yml playbook
-* Deploy component
-  - none
-
-
-Release 5
-Allow scripted / automated middleware configuration updates from remote
-
-* Moved the 02-middleware-config.sh and 04-middleware-whitelist.sh scripts from root to /opt/scripts and made these scripts
-  executable by the stepup-deploy user. The scripts in /root/ are replaced by symlinks
-  The configuration (middleware-config.json and middleware-whitelist.json) is now stored in /opt/scripts
-* Added app group_vars: app_deploy_user_ssh_key and app_deploy_user_ssh_from
-* Updated push-mw-config.yml and push-mw-whitelist.yml playbooks to use the stepup-deploy user
-* Added scrips/push-config.sh script
-
-Install:
-* Run the app role from the site.yml playbook
-* Deploy component
-  - Middleware 1.4.0
-    Note: Do redeploy if 1.4.0 is already installed because of updates in the stepup-middleware that update the middleware
-          configuration scrips
-
-
-Release 4
-* Moved the PHP session dir from /var/lib/php/session/ to /var/lib/stepup/session/. The contents of the old directory can be removed
-* Tighten PHP session configuration in php.ini. Use /dev/urandom for entropy, set session.cookie_secure = session.cookie_httponly = session.hash_function = 1;
-* Added app_session_expiry_time and (currently unused app_session_max_duration group_vars
-* Set session.cookie_domain and session.cookie_(gc_max)lifetime in fpm.ini
-* Added stepup_enabled_factors group_var to control which 2nd factors are enabled
-* A database schema for u2f was added. Added database_u2f_(name|user|password) group_vars
-* Added /root/01-gateway-db_migrate.sh script
-* A added a /etc/cron.d/curator job on manage node that runs "curator" to delete old logstash indexes. The manage_keep_logs_days group_var configures how many days of logs to keep
-* Added stepup_enabled_factors group_var to control which 2nf factors are enabled in SS, RA and GW
-* Update scripts from https://github.com/pmeulen/ansible-tools
-* A deploy user for the gateway component was added with corresponding database_gateway_deploy_(user|password)
-
-Install:
-* Run site.yml playbook on all hosts
-* Deploy components:
-  - Middleware 1.4.0
-  - Gateway 1.3.3
-  - SelfService 1.3.1
-  - RA 1.3.1
-  - Tiqr 1.1.0
-  - oath-service-php 1.0.1
-* Run DB migrations
-  - /root/01-middleware-db_migrate.sh
-  - /root/01-gateway-db_migrate.sh

environments/template/group_vars/all.yml

@@ -26,6 +26,8 @@ server_admin_email: [email protected]
 noreply_email: [email protected]
 noreply_email_name: Step-up Example
 
+# Keep using NetworkManager (default will be disabled)
+# networkmanager: yes
 # FQDN for vhosts
 # These are the hostnames for the stepup web applications.
 #

roles/common/tasks/main.yml

@@ -33,11 +33,18 @@
   service: name={{item}} enabled=no state=stopped
   with_items:
   - firewalld # Because we want to use iptables-services below
-  - NetworkManager
   - atd.service
   - smartd.service
   ignore_errors: yes
 
+- name: "Disable NetworkManager"
+  service:
+    name: NetworkManager
+    enabled: no
+    state: stopped
+  when: networkmanager is undefined
+  ignore_errors: yes
+
 - name: Install ntp, iptables, ip6tables, rsyslog
   yum: name={{item}} state=present
   with_items: