diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
index e94fe4c2..31353377 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml
@@ -116,4 +116,13 @@ artifactory_binarystore: |-
 artifactory_systemyaml_override: false
 # Allow artifactory user to create crontab rules
-artifactory_allow_crontab: false
\ No newline at end of file
+artifactory_allow_crontab: false
+
+mtls:
+  enabled: false
+  header_name: X-JFrog-Client-Cert # name of the HTTP header that contains the client certificate
+  cache_expiry_secs: 100 # period (seconds) during which a successful mTLS authentication should be considered valid
+  extraction_regex: (.*) # regular expression used to extract the username from the certificate's subject CN
+  no_auto_create_users: false # avoid automatic creation of users in the system if they do not exist
+  allow_user_to_access_profile: false # allow created users (based on the flag above) access their profile page in the UI
+  sync_ldap_groups: false # automatically associate the authenticated user with groups returned from LDAP
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/shared/mtls_configuration.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/shared/mtls_configuration.yml
new file mode 100644
index 00000000..74a182be
--- /dev/null
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/shared/mtls_configuration.yml
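Review bot: The new `mtls` defaults do not record the precondition that makes header-based client-certificate authentication safe: the value named by `header_name` is only trustworthy when the TLS-terminating reverse proxy sets it from the verified client certificate and drops any copy supplied by the client, and Artifactory is reachable only through that proxy — otherwise it is an ordinary, unauthenticated request header. Suggest a comment above `mtls:` such as `# mTLS here is header-based: the reverse proxy that terminates TLS must set header_name from the verified client certificate and strip any client-supplied value; do not expose Artifactory directly when this is enabled.` The inline comments on the sub-keys use a single space before `#`, where yamllint's `comments` rule expects two, and `extraction_regex: (.*)` would be safer quoted (`extraction_regex: '(.*)'`) since user overrides of a regex may contain ` #` or `: `, which change how a plain scalar is parsed.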
@@ -0,0 +1,50 @@
+
+- name: Read access.config.latest.yml file
+  ansible.builtin.include_vars:
+    file: "{{ artifactory_home }}/var/etc/access/access.config.latest.yml"
+    name: access_config_latest
+
+- name: Checking the current mtl status
+  set_fact:
+    is_mtls_enabled: "{{ access_config_latest.security.authentication.mtls.enabled | default(false) }}"
+
+- block:
+    - name: Create the access.config.patch.yml file
+      template:
+        src: mtls-access-path.yml.j2
+        dest: "{{ artifactory_home }}/var/etc/access/access.config.patch.yml"
+        owner: "{{ artifactory_user }}"
+        group: "{{ artifactory_group }}"
+      notify: Restart artifactory
+
+    - name: Restart artifactory
+      ansible.builtin.meta: flush_handlers
+      when:
+        - artifactory_start_service | bool
+
+    - name: Make sure artifactory is up and running
+      ansible.builtin.uri:
+        url: http://127.0.0.1:8082/router/api/v1/system/health
+        timeout: 130
+        status_code: 200
+      register: result
+      until: result is succeeded
+      retries: 25
+      delay: 5
+      when:
+        - not ansible_check_mode
+        - artifactory_start_service | bool
+
+  when: >
+    (mtls.enabled == false and is_mtls_enabled == true) or
+    (mtls.enabled == true and is_mtls_enabled == false) or
+    ( (mtls.enabled == true and is_mtls_enabled == true) and
+      (
+        mtls.header_name != access_config_latest.security.authentication.mtls['header-name'] or
+        mtls.cache_expiry_secs != access_config_latest.security.authentication.mtls['cache-expiry-secs'] or
+        mtls.extraction_regex != access_config_latest.security.authentication.mtls['extraction-regex'] or
+        mtls.no_auto_create_users != access_config_latest.security.authentication.mtls['no-auto-create-users'] or
+        mtls.allow_user_to_access_profile != access_config_latest.security.authentication.mtls['allow-user-to-access-profile'] or
+        mtls.sync_ldap_groups != access_config_latest.security.authentication.mtls['sync-ldap-groups']
+      )
+    )
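Review bot: `ansible.builtin.include_vars` in the first task loads files from the control node, but `{{ artifactory_home }}/var/etc/access/access.config.latest.yml` is a path on the managed host (the rest of this file owns files as `artifactory_user` and probes `127.0.0.1:8082` there), so unless the play runs with a local connection the task fails or reads the wrong file; reading it with `ansible.builtin.slurp` and parsing with `from_yaml` keeps the later `access_config_latest.security...` lookups unchanged. Two smaller points in the same file: the `template` task that writes `access.config.patch.yml` sets `owner`/`group` but no `mode`, so the resulting permissions depend on the remote umask (the sibling `bootstrap.creds` task in install.yml sets `mode: 0600`; an explicit `mode: "0640"` would be consistent), and `set_fact`/`template` are the only modules here without the `ansible.builtin.` prefix that `include_vars`, `meta` and `uri` use. The `== true`/`== false` comparisons in the block's `when: >` would be more robust written as `mtls.enabled | bool != is_mtls_enabled | bool`, because `is_mtls_enabled` is produced by a string-templated `set_fact` and may not be a native boolean on every Ansible version (inferred — confirm against the versions the collection supports).
```yaml
- name: Read access.config.latest.yml file
  ansible.builtin.slurp:
    src: "{{ artifactory_home }}/var/etc/access/access.config.latest.yml"
  register: access_config_latest_raw

- name: Parse access.config.latest.yml
  ansible.builtin.set_fact:
    access_config_latest: "{{ access_config_latest_raw.content | b64decode | from_yaml }}"

# … unchanged: mtls status fact, patch-file block and its when: condition …
```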
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml
index c3d54258..8ebebc0b 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml
@@ -168,7 +168,7 @@
     - artifactory_licenses | length > 0
   notify: Restart artifactory
-- name: Set up Artifactory admin account
+- name: Set up Artifactory admin account
   become: true
   ansible.builtin.template:
     src: bootstrap.creds.j2
@@ -176,7 +176,7 @@
     owner: "{{ artifactory_user }}"
     group: "{{ artifactory_group }}"
     mode: 0600
-  when:
+  when:
     - artifactory_admin_username is defined
     - artifactory_admin_password is defined
   notify: Restart artifactory
@@ -235,4 +235,8 @@
   delay: 5
   when:
     - not ansible_check_mode
-    - artifactory_start_service | bool
\ No newline at end of file
+    - artifactory_start_service | bool
+
+- name: mTLS configuration
+  ansible.builtin.include_tasks: shared/mtls_configuration.yml
+  when: artifactory_version is version('7.77', '>=')
\ No newline at end of file
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
index e16881e0..3bac5d14 100644
--- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
@@ -179,4 +179,8 @@
   delay: 5
   when:
     - not ansible_check_mode
-    - artifactory_start_service | bool
\ No newline at end of file
+    - artifactory_start_service | bool
+
+- name: mTLS configuration
+  ansible.builtin.include_tasks: shared/mtls_configuration.yml
+  when: artifactory_version is version('7.77', '>=')
\ No newline at end of file
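Review bot: The new `mTLS configuration` include at the end of install.yml is gated only on `artifactory_version`, yet the included file's first task reads `access.config.latest.yml` under the service's `var/etc/access` directory, a file that appears to be generated by the running Access service (inferred from its name and location — confirm), so on a host where `artifactory_start_service` is false the include is likely to fail before the service has ever run; the same hunk is added to upgrade.yml. Extending the condition to a list, `when: - artifactory_version is version('7.77', '>=') - artifactory_start_service | bool`, would match the health-check task directly above it, or the included file could guard on an `ansible.builtin.stat` of that path. The `'7.77'` threshold is now duplicated verbatim in install.yml and upgrade.yml; a single role default (e.g. a variable such as `artifactory_mtls_min_version`) would keep the two in step.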
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/mtls-access-path.yml.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/mtls-access-path.yml.j2
new file mode 100644
index 00000000..42d41ee6
--- /dev/null
+++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/mtls-access-path.yml.j2
@@ -0,0 +1,10 @@
+security:
+  authentication:
+    mtls:
+      enabled: {{ mtls.enabled| lower }}
+      header-name: {{ mtls.header_name }}
+      cache-expiry-secs: {{ mtls.cache_expiry_secs }}
+      extraction-regex: {{ mtls.extraction_regex }}
+      no-auto-create-users: {{ mtls.no_auto_create_users | lower }}
+      allow-user-to-access-profile: {{ mtls.allow_user_to_access_profile | lower }}
+      sync-ldap-groups: {{ mtls.sync_ldap_groups | lower }}
\ No newline at end of file
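Review bot: `header-name: {{ mtls.header_name }}` and `extraction-regex: {{ mtls.extraction_regex }}` are rendered as plain YAML scalars, so an override containing ` #`, `: `, a leading `*`, `[` or `{`, or a value that looks like a boolean or number changes the parsed type or breaks the patch file outright — and `extraction_regex` is exactly the value users will customise. Rendering both through `to_json` (`header-name: {{ mtls.header_name | to_json }}` and `extraction-regex: {{ mtls.extraction_regex | to_json }}`) produces a double-quoted YAML string with escaping handled by the filter, which is also what stops a templated value from reaching the parser unquoted. `enabled: {{ mtls.enabled| lower }}` is missing the space before `|` that every other line in the template has.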