Add fido metadata service files to webauthn

OpenConext · Apr 9, 2024 · 458274d · 458274d
1 parent f43c01f
commit 458274d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 11 deletions.
diff --git a/roles/stepupwebauthn/tasks/docker.yml b/roles/stepupwebauthn/tasks/docker.yml
@@ -36,14 +36,35 @@
     name: stepupapp
     tasks_from: copygsspidpcerts
 
-- name: Create the trusted certificate dir
+# - name: Create the trusted certificate dir
+#   ansible.builtin.file:
+#     state: directory
+#     dest: "{{ item }}"
+#     owner: root
+#     mode: "0755"
+#   with_items:
+#     - "{{ current_release_config_file_dir_name }}/trusted_certificates"
+
+- name: Create the metadata service dir
   ansible.builtin.file:
     state: directory
     dest: "{{ item }}"
     owner: root
     mode: "0755"
   with_items:
-    - "{{ current_release_config_file_dir_name }}/trusted_certificates"
+    - "{{ current_release_config_file_dir_name }}/mds"
+
+- name: Download metadata service blob
+  ansible.builtin.get_url:
+    url: https://mds3.fidoalliance.org/
+    dest: "{{ current_release_config_file_dir_name }}/mds/blob.jwt"
+    mode: '0440'
+
+- name: Download metadata service signing certificate
+  ansible.builtin.get_url:
+    url: http://secure.globalsign.com/cacert/root-r3.crt
+    dest: "{{ current_release_config_file_dir_name }}/mds/fido2-mds.cer"
+    mode: '0440'
 
 - name: Place parameters.yml
   ansible.builtin.template:
@@ -54,13 +75,13 @@
     group: "{{ appname }}"
   notify: restart webauthn
 
-- name: Copy trusted certificates
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/"
-    mode: "444"
-  with_fileglob:
-    - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*"
+# - name: Copy trusted certificates
+#   ansible.builtin.copy:
+#     src: "{{ item }}"
+#     dest: "{{ current_release_config_file_dir_name }}/trusted_certificates/"
+#     mode: "444"
+#   with_fileglob:
+#     - "{{ inventory_dir }}/files/stepup-webauthn/trusted_certificates/*"
 
 - name: Put webauthn configuration script in /root/
   ansible.builtin.template:

diff --git a/roles/stepupwebauthn/templates/parameters.yml.j2 b/roles/stepupwebauthn/templates/parameters.yml.j2
@@ -1,9 +1,9 @@
 parameters:
 {% if 'docker' in group_names %}
     app_env: prod
-    app_debug: false 
+    app_debug: false
     app_secret: {{ webauthn_secret }}
-    database_url=mysql://{{ database_webauthn_user }}:{{ mysql_passwords.webauthn }}@{{ webauthn_db_host }}:3306/{{ database_webauthn_name }}
+    database_url: mysql://{{ database_webauthn_user }}:{{ mysql_passwords.webauthn }}@{{ webauthn_db_host }}:3306/{{ database_webauthn_name }}
 {% endif %}
     # All locales supported by the application
     locales: [{{ enabled_locales | join(",") }}]
@@ -31,3 +31,5 @@ parameters:
     webauthn_logo: 'https://{{ webauthn_vhost_name }}/images/header-logo.png'
 
     trusted_certificates_directory: '{{ current_release_config_file_dir_name_in_config }}/trusted_certificates'
+    fido2_jwt_mds_blob_file_name: '{{ current_release_config_file_dir_name_in_config }}/mds/blob.jwt'
+    fido2_jwt_mds_root_certificate_file_name: '{{ current_release_config_file_dir_name_in_config }}/mds/fido2-mds.cer'