mirror of
				https://git.lapiole.org/dani/ansible-roles.git
				synced 2025-10-30 18:31:28 +01:00 
			
		
		
		
	Update to 2022-03-04 11:00
		| @@ -72,3 +72,7 @@ pma_sso_groups: [] | |||||||
| #   - group: DB_Admins | #   - group: DB_Admins | ||||||
| #     sql_login: admin | #     sql_login: admin | ||||||
| #     sql_password: s3cr3t. | #     sql_password: s3cr3t. | ||||||
|  |  | ||||||
|  | # Instead of storing SQL credentials in clear text in sso.php, you can define an encryption key here | ||||||
|  | # This encryption key should be passed to phpMyAdmin in the X-Encryption-Token HTTP header so phpMyAdmin can decrypt the passwords | ||||||
|  | # pma_sso_encryption_token: myrandompassword | ||||||
|   | |||||||
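Review bot: The example value `myrandompassword` reads like a human-chosen passphrase, but the tasks in this commit hand `pma_sso_encryption_token` to `openssl_encrypt()` as the raw `aes-128-cbc` key, with no key derivation. PHP pads a short key with NUL bytes and silently truncates a long one, so the effective strength is whatever the first 16 bytes hold. I would extend the comment with something like `# Use a randomly generated value of 16 characters or more; it is used as-is as the AES-128 key (anything longer is truncated)`. It should also say which component is expected to add the `X-Encryption-Token` header.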
| @@ -35,3 +35,20 @@ | |||||||
|         - pass_file: "{{pma_root_dir }}/meta/ansible_dbpass" |         - pass_file: "{{pma_root_dir }}/meta/ansible_dbpass" | ||||||
|     - set_fact: pma_db_pass={{ rand_pass }} |     - set_fact: pma_db_pass={{ rand_pass }} | ||||||
|   tags: pma |   tags: pma | ||||||
|  |  | ||||||
|  | - name: Encrypt SQL user passwords | ||||||
|  |   command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.user }}'),0,16));" | ||||||
|  |   register: pma_sso_users_encrypted | ||||||
|  |   changed_when: False | ||||||
|  |   loop: "{{ pma_sso_users | default([]) }}" | ||||||
|  |   when: pma_sso_encryption_token is defined | ||||||
|  |   tags: pma | ||||||
|  |  | ||||||
|  | - name: Encrypt SQL group passwords | ||||||
|  |   command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.group }}'),0,16));" | ||||||
|  |   register: pma_sso_groups_encrypted | ||||||
|  |   changed_when: False | ||||||
|  |   loop: "{{ pma_sso_groups | default([]) }}" | ||||||
|  |   when: pma_sso_encryption_token is defined | ||||||
|  |   tags: pma | ||||||
|  |  | ||||||
|   | |||||||
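Review bot: Both added `command` tasks put `item.sql_password` and `pma_sso_encryption_token` on the php command line and set no `no_log`, so the clear-text values are visible in the process list while the task runs and appear in Ansible output and in the registered results. The values are also pasted into single-quoted PHP literals without the `regex_replace('\'', '\\\'')` escaping that the sso.php template applies, so a password containing a quote breaks the one-liner. Passing the three values through `environment:` and reading them with `getenv()` addresses both, with `no_log: True` on top; the group task needs the same change with `item.group`. Separately, the IV is derived from the user or group name and is therefore fixed per entry, which deserves a comment.

```yaml
- name: Encrypt SQL user passwords
  command: php{{ pma_php_version }} -r "echo openssl_encrypt(getenv('PMA_SQL_PASS'),'aes-128-cbc',getenv('PMA_SSO_KEY'),0,substr(hash('sha256',getenv('PMA_SSO_ID')),0,16));"
  environment:
    PMA_SQL_PASS: "{{ item.sql_password }}"
    PMA_SSO_KEY: "{{ pma_sso_encryption_token }}"
    PMA_SSO_ID: "{{ item.user }}"
  no_log: True
  # … unchanged: register, changed_when, loop, when, tags …
```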
| @@ -52,3 +52,12 @@ | |||||||
|   when: db_created.changed |   when: db_created.changed | ||||||
|   tags: pma |   tags: pma | ||||||
|  |  | ||||||
|  | - name: Setup a cron job to cleanup expired sessions | ||||||
|  |   cron: | ||||||
|  |     name: phpmyadmin_{{ pma_id }}_session_cleanup | ||||||
|  |     cron_file: phpmyadmin | ||||||
|  |     user: "{{ pma_php_user }}" | ||||||
|  |     job: "find {{ pma_root_dir }}/sessions -type f -mmin +480 -exec rm -f \"{}\" \\;" | ||||||
|  |     special_time: hourly | ||||||
|  |   tags: pma | ||||||
|  |  | ||||||
|   | |||||||
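Review bot: The hard-coded `-mmin +480` in `job:` is undocumented, and it matters more than a plain cache cleanup would. Judging from the sso.php template in this same commit, the session files hold `PMA_single_signon_password` in decrypted form, so this window is roughly how long a usable SQL password stays on disk after the last write. I would add a comment above `job:` such as `# Session files contain the SQL password in clear text: keep this window no longer than the PHP session lifetime` and make the 480 a role variable. As a style point, `-delete` does the same as `-exec rm -f "{}" \;` without starting rm for every file.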
| @@ -1,20 +1,13 @@ | |||||||
| <?php | <?php | ||||||
|  |  | ||||||
| $login['admin'] = 'sqladmin'; |  | ||||||
| $password['admin'] = '{{ mysql_admin_pass | regex_replace('\'', '\\\'')}}'; |  | ||||||
| {% for user in pma_sso_users | default([]) %} | {% for user in pma_sso_users | default([]) %} | ||||||
| $login['{{ user.user }}'] = '{{ user.sql_login }}'; | $login['{{ user.user }}'] = '{{ user.sql_login }}'; | ||||||
| $password['{{ user.user }}'] = '{{ user.sql_password | regex_replace('\'', '\\\'') }}'; | $password['{{ user.user }}'] = '{{ (pma_sso_encryption_token is defined) | ternary(pma_sso_users_encrypted.results | selectattr('item.user', 'equalto', user.user) | map(attribute='stdout') | first, user.sql_password | regex_replace('\'', '\\\'')) }}'; | ||||||
| {% endfor %} | {% endfor %} | ||||||
|  |  | ||||||
| {% for group in pma_sso_groups | default([]) %} | {% for group in pma_sso_groups | default([]) %} | ||||||
| $g_login['{{ group.group }}'] = '{{ group.sql_login }}'; | $g_login['{{ group.group }}'] = '{{ group.sql_login }}'; | ||||||
| $g_password['{{ group.group }}'] = '{{ group.sql_password | regex_replace('\'', '\\\'') }}'; | $g_password['{{ group.group }}'] = '{{ (pma_sso_encryption_token is defined) | ternary(pma_sso_groups_encrypted.results | selectattr('item.group', 'equalto', group.group) | map(attribute='stdout') | first, group.sql_password | regex_replace('\'', '\\\'')) }}'; | ||||||
| {% endfor %} |  | ||||||
|  |  | ||||||
| {% for client in wh_clients | default([]) %} |  | ||||||
| $g_login['Client_{{ client.name }}'] = '{{ client.name | regex_replace('\'', '\\\'') }}'; |  | ||||||
| $g_password['Client_{{ client.name }}'] = '{{ client.db_pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=client.name) | string))[9:27]) | regex_replace('\'', '\\\'') }}'; |  | ||||||
| {% endfor %} | {% endfor %} | ||||||
|  |  | ||||||
| {% for field in pma_sso_user_fields %} | {% for field in pma_sso_user_fields %} | ||||||
| @@ -33,7 +26,7 @@ if(isSet($ssologin) && isSet($login[$ssologin]) && isSet($password[$ssologin])) | |||||||
|     session_name('PmaSignonSession'); |     session_name('PmaSignonSession'); | ||||||
|     session_start(); |     session_start(); | ||||||
|     $_SESSION['PMA_single_signon_user'] = $login[$ssologin]; |     $_SESSION['PMA_single_signon_user'] = $login[$ssologin]; | ||||||
|     $_SESSION['PMA_single_signon_password'] = $password[$ssologin]; |     $_SESSION['PMA_single_signon_password'] = {{ (pma_sso_encryption_token is defined) | ternary("openssl_decrypt($password[$ssologin],'aes-128-cbc',$_SERVER['HTTP_X_ENCRYPTION_TOKEN'],0,substr(hash('sha256',$ssologin),0,16))",'$password[$ssologin]') }}; | ||||||
|     session_write_close(); |     session_write_close(); | ||||||
|     header('Location: /index.php'); |     header('Location: /index.php'); | ||||||
|     exit(0); |     exit(0); | ||||||
| @@ -44,7 +37,7 @@ if(isSet($ssologin) && isSet($login[$ssologin]) && isSet($password[$ssologin])) | |||||||
|             session_name('PmaSignonSession'); |             session_name('PmaSignonSession'); | ||||||
|             session_start(); |             session_start(); | ||||||
|             $_SESSION['PMA_single_signon_user'] = $g_login[$group]; |             $_SESSION['PMA_single_signon_user'] = $g_login[$group]; | ||||||
|             $_SESSION['PMA_single_signon_password'] = $g_password[$group]; |             $_SESSION['PMA_single_signon_password'] = {{ (pma_sso_encryption_token is defined) | ternary("openssl_decrypt($g_password[$group],'aes-128-cbc',$_SERVER['HTTP_X_ENCRYPTION_TOKEN'],0,substr(hash('sha256',$group),0,16))",'$g_password[$group]') }}; | ||||||
|             session_write_close(); |             session_write_close(); | ||||||
|             header('Location: /index.php'); |             header('Location: /index.php'); | ||||||
|             exit(0); |             exit(0); | ||||||
|   | |||||||
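Review bot: The return value of `openssl_decrypt()` is assigned straight to `$_SESSION['PMA_single_signon_password']` without a check, in both the user branch and the group branch. It returns `false` when decryption fails, for example when the `X-Encryption-Token` header is absent, and the script then still writes the session and redirects to /index.php. Decrypting into a variable first and stopping on failure, e.g. `if ($pw === false) { http_response_code(500); exit(1); }`, turns a misconfigured front end into a visible error instead of a silent login failure. The header should also be set only by the trusted front end, with any client-supplied copy dropped; that is presumably the case but is not visible here. The enclosing `if` blocks start and end outside these hunks.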
	 Daniel Berteaud
					Daniel Berteaud