Merge pull request #29 from EGI-Foundation/login_flow

Login flow

.travis.yml

@@ -1,21 +1,23 @@
+---
 language: python
 python:
-- '2.7'
+  - '2.7'
 before_install:
-- sudo apt-get install python-dev
-- sudo apt-get install ruby ruby-dev
+  - sudo apt-get install python-dev
+  - sudo apt-get install ruby ruby-dev
+  - gem update --system
 install:
-- pip install ansible
-- pip install yamllint
-- bundle
-before_script: 
+  # - pip install ansible
+  - pip install yamllint
+  - bundle
+before_script:
 script:
-- find . -name "*.yml" -exec yamllint {} \;
-- cd tests/content
-- inspec exec categories
-after_success: 
-after_failure: 
-after_script: 
+  - find . -name "*.yml" -exec yamllint {} \;
+  - cd tests/content
+  - inspec exec categories
+after_success:
+after_failure:
+after_script:
 notifications:
   slack:
     secure: QVsFzD+yZnQvqXEazoCr04N+z1dFLxagP8rJ3EMpq//YyA52xwPDPrEXaKBmiFYGYaOBWsLV4O01Ds4x0eJRkkYFZT24+gY4Mb3fcLrEKvTvzLqCWj8N5PyZ8sgqiyUJ6E8YTnnarmKhZheoO0j6xBuDfbxPDtYe6z/9g+IOHuw0f/GgfDVUDfniFVNnAs0kbpInr9gERwx6/OVI9ugtZP3ZIb7pNKWwTZKMgiDaGO/Vifcxuy55TH3BBePwp0T1PorV42MqBH1LIsCpqb/zHB9ce0KqlMcWT0iQMVl11pQe9N20PoHUtj5mBKyU8+nq5OI7qW51+CVDPnlopv1ST/jlfuTTXViICpfe+EfCjE8JScxvT1v96KwMx9/gw0eSSB8njA3gBz9rULSfJu5fskuX/SmDSj7mRGWYCEzGzidp8GqPSsvXBTRknQgmfOwx28H0ab3u6Adag/JktiOrk+4dcLKVtAe9GPvRdcZtUOCXd/wBIUjj8W0Wo63m217IVGXLIGIRjjfO6NB6GzdM67H4kAz2Um21F1OhBGP/TgHXJz4yV4o85sbcenaE6JcRbMv13gKoK+W6h5C1rvDAqIlyyzOcctbYH0KRBDWa7KPwjEzZOOmrNz4uf6l7lPfkLuFsbU/nC+UbVALoWfD6511NHf1rvkpq7nvzAiURc5s=

.yamllint

@@ -0,0 +1,7 @@
+extends: default
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 80
+    level: warning

Gemfile

@@ -5,8 +5,9 @@ gem 'inspec'
 gem 'json'
 
 group :test do
+  gem 'cucumber', '~> 3.1.0'
   gem 'rspec'
   gem 'rubocop'
-  gem 'cucumber', '~> 3.1.0'
+  gem 'selenium-webdriver', '~> 3.14'
   gem 'watir'
 end

Gemfile.lock

@@ -5,17 +5,17 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     ast (2.4.0)
     awesome_print (1.8.0)
-    aws-sdk (2.11.144)
-      aws-sdk-resources (= 2.11.144)
-    aws-sdk-core (2.11.144)
+    aws-sdk (2.11.145)
+      aws-sdk-resources (= 2.11.145)
+    aws-sdk-core (2.11.145)
       aws-sigv4 (~> 1.0)
       jmespath (~> 1.0)
-    aws-sdk-resources (2.11.144)
-      aws-sdk-core (= 2.11.144)
+    aws-sdk-resources (2.11.145)
+      aws-sdk-core (= 2.11.145)
     aws-sigv4 (1.0.3)
     azure_graph_rbac (0.17.0)
       ms_rest_azure (~> 0.11.0)
-    azure_mgmt_resources (0.17.1)
+    azure_mgmt_resources (0.17.2)
       ms_rest_azure (~> 0.11.0)
     backports (3.11.4)
     builder (3.2.3)
@@ -247,6 +247,7 @@ DEPENDENCIES
   json
   rspec
   rubocop
+  selenium-webdriver (~> 3.14)
   watir
 
 BUNDLED WITH

README.md

@@ -34,4 +34,8 @@ If all that is ok, run the playbook, or get your favourite CI tool to do it :
 ## Testing
 
 The [tests](tests/README.md) directory contains the tests that we expect the service, server and machine to pass.
-They contain tests for the ssh connection, nginx server configuration and some content.
+They contain tests for the ssh connection, nginx server configuration and some content.
+
+## Authors
+
+See [the authors file](authors.yml)

Vagrantfile

@@ -0,0 +1,6 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure('2') do |config|
+  config.vm.box = 'geerlingguy/centos7'
+end

authors.yml

@@ -0,0 +1,8 @@
+---
+Authors:
+  - name: "@brucellino"
+    affiliation: EGI Foundation
+
+contributors:
+  - name: "@NicolasLiampotis"
+    afflilation: GRNET

community.egi.eu.yml

@@ -2,11 +2,13 @@
 # Ansible playbook to deploy and maintain the EGI community forum
 - hosts: forum
   name: harden ssh
+  become: true
   roles:
     - {role: dev-sec.ssh-hardening, tags: ssh}
 
 - hosts: forum
   name: Provide certs
+  become: true
   tags:
     - ssl
   tasks:
@@ -36,7 +38,8 @@
 
 - hosts: forum
   name: Deploy !
+  become: true
   tags:
     - discourse
   roles:
-    - {role: AAROC.discourse-sso, launch: 'False'}
+    - { role: AAROC.discourse-sso, launch: 'False'}

group_vars/forum.yml

@@ -8,21 +8,21 @@ ssh_server_enabled: true               # sshd
 ssh_use_dns: false                      # sshd
 # true or value if compression is needed
 ssh_compression: false                  # sshd
-# For which components (client and server) to generate the configuration for. 
+# For which components (client and server) to generate the configuration for.
 # Can be useful when running against a client without an SSH server.
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
-# true if CBC for ciphers is required. 
-# This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. 
-# CBC is a weak alternative. 
+# true if CBC for ciphers is required.
+# This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled.
+# CBC is a weak alternative.
 # Anything weaker should be avoided and is thus not available.
 ssh_client_cbc_required: false          # ssh
 ssh_server_cbc_required: false          # sshd
-# true if weaker HMAC mechanisms are required. 
+# true if weaker HMAC mechanisms are required.
 # This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
 ssh_client_weak_hmac: false             # ssh
 ssh_server_weak_hmac: false             # sshd
-# true if weaker Key-Exchange (KEX) mechanisms are required. 
+# true if weaker Key-Exchange (KEX) mechanisms are required.
 # This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
 ssh_client_weak_kex: false              # ssh
 ssh_server_weak_kex: false              # sshd
@@ -33,12 +33,12 @@ ssh_server_password_login: false          # sshd
 ssh_server_ports: ['22']      # sshd
 # port to which ssh-client should connect
 ssh_client_port: '22'         # ssh
-# one or more ip addresses, to which ssh-server should listen to. 
+# one or more ip addresses, to which ssh-server should listen to.
 # Default is empty, but should be configured for security reasons!
 ssh_listen_to: ['0.0.0.0']    # sshd
 # Host keys to look for when starting sshd.
 ssh_host_key_files: []  # sshd
-# Specifies  the  maximum  number  of authentication attempts permitted per connection.  
+# Specifies  the  maximum  number  of authentication attempts permitted per connection.
 # Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2
 ssh_client_alive_interval: 600          # sshd
@@ -147,30 +147,30 @@ ssh_server_revoked_keys: []
 cert_location: /etc/ssl/certs/
 nginx_sites:
   http:
-    -  listen      80 default
+    - listen      80 default
     - server_name community.egi.eu
 ## redirect http to https ##
     - return      301 https://$server_name$request_uri
   https:
-     - listen 443 
-     - listen [::]:443
-     - ssl on
-     - ssl_certificate    /etc/ssl/certs/server.crt
-     - ssl_certificate_key    /etc/ssl/certs/server.key
-     - ssl_session_timeout 1d
-     - ssl_protocols TLSv1.2
-     - ssl_ciphers  'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
-     - ssl_prefer_server_ciphers on
-     - ssl_session_cache shared:SSL:10m
-     - add_header Strict-Transport-Security max-age=15768000
-     - server_name community.egi.eu
-     - | 
-            location / { 
-                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:; 
-                proxy_set_header Host $http_host; proxy_http_version 1.1; 
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
-                proxy_set_header X-Forwarded-Proto $scheme; 
-                }
+    - listen 443
+    - listen [::]:443
+    - ssl on
+    - ssl_certificate    /etc/ssl/certs/server.crt
+    - ssl_certificate_key    /etc/ssl/certs/server.key
+    - ssl_session_timeout 1d
+    - ssl_protocols TLSv1.2
+    - ssl_ciphers  'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+    - ssl_prefer_server_ciphers on
+    - ssl_session_cache shared:SSL:10m
+    - add_header Strict-Transport-Security max-age=15768000
+    - server_name community.egi.eu
+    - |
+          location / {
+              proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
+              proxy_set_header Host $http_host; proxy_http_version 1.1;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              }
 # Discourse stuff
 #discourse_hostname:
 developer_emails: 'brucellino@gmail.com'