Commit b427cc03 authored by William Tucker's avatar William Tucker

Added remaining pieces of the access control config for Ansible

parent b1608adf
+52 −0
@@ -34,3 +34,55 @@

### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl


## OPTIONAL: Enabling access control components

#auth_enabled: true/false

## Configuration for the auth service container
#auth_settings:
#  MIDDLEWARE:
#    - authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware
#    - authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware
#    - authorize.opa.middleware.OPAAuthorizationMiddleware
#  OPA_SERVER:
#    package_path: esgf
#    rule_name: allow
#  # Group info keys for authorization
#  OAUTH2_GROUPS_KEY: group_membership
#  OIDC_GROUPS_KEY: group_membership
#  # OAuth Bearer Token auth settings
#  OAUTH_CLIENT_ID:
#  OAUTH_CLIENT_SECRET:
#  OAUTH_TOKEN_URL:
#  OAUTH_TOKEN_INTROSPECT_URL:
#  # OIDC auth settings
#  OIDC_BACKEND_CLIENT_NAME: esgf
#  AUTHLIB_OAUTH_CLIENTS:
#    esgf:
#      client_id:
#      client_secret:
#      authorize_url:
#      userinfo_endpoint:
#      client_kwargs:
#        scope: openid profile email

## Default rego template (override this to use your own).
#opa_policy_template: policy.rego.j2

## Paths to apply the authorisation policy to and the access group that a user will need.
#opa_policy_restricted_paths:
#  - name: threddsdata
#    path: /thredds/fileServer/restricted/.*
#    group: admins
#  - name: example
#    path: /some/restricted/path/.*
#    group: admins

## Your server's name. The default policy will deny requests from other hostnames.
#opa_policy_server_host: example.com

## The logging level of the OPA container. Set this to debug for troubleshooting.
#opa_log_level: info

### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-access-control
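Review bot: The example puts `OAUTH_CLIENT_SECRET` and `AUTHLIB_OAUTH_CLIENTS.esgf.client_secret` straight into the vars file that operators copy and usually commit, with no hint that these are secrets; the comment block should point them at an encrypted value, e.g. `# Keep client secrets in an ansible-vault encrypted vars file, never in plain text here.` above `#  OAUTH_CLIENT_SECRET: "{{ vault_oauth_client_secret }}"`. The `opa_policy_restricted_paths` patterns (`/thredds/fileServer/restricted/.*`) are written as unanchored regexes; whether the rego template anchors them is not visible in this commit, so the comment should say whether a leading `^` is required and that they are matched against the URL the proxy forwards to the auth service, since that is the whole access-control boundary for the data paths.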
+14 −0
@@ -21,6 +21,20 @@ image_pull: true
# Indicates if the auth service should be deployed or not
auth_enabled: false

auth_settings_base:
  MIDDLEWARE:
    - django.middleware.security.SecurityMiddleware
    - django.contrib.sessions.middleware.SessionMiddleware
    - django.middleware.common.CommonMiddleware
    - django.middleware.csrf.CsrfViewMiddleware
    - django.contrib.messages.middleware.MessageMiddleware
    - django.middleware.clickjacking.XFrameOptionsMiddleware
  OPA_SERVER:
    host: opa
    port: 8181
  RESOURCE_URI_QUERY_KEY: rd
  RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL

# Default rego template (override this to use your own)
opa_policy_template: policy.rego.j2
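Review bot: `RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL` and `RESOURCE_URI_QUERY_KEY: rd` do not match what the nginx templates in this same commit send: the `/verify` location sets `X-Origin-URI` (which Django's META exposes as `HTTP_X_ORIGIN_URI`) and passes the original URL as `?next=`, not `rd`. If the auth service resolves the protected resource from these two keys, neither is populated by the proxy and authorization would be evaluated against an empty resource; the auth container is not visible here, so this needs confirming against its code. Either change the templates to `proxy_set_header X-Original-URL ...;` or set the defaults to `RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGIN_URI` and `RESOURCE_URI_QUERY_KEY: next`, and add a comment such as `# Must match the header/query name the nginx templates send to /verify.` so the two stay in sync.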

+3 −35
MIDDLEWARE:
  - django.middleware.security.SecurityMiddleware
  - django.contrib.sessions.middleware.SessionMiddleware
  - django.middleware.common.CommonMiddleware
  - django.middleware.csrf.CsrfViewMiddleware
  - django.contrib.messages.middleware.MessageMiddleware
  - django.middleware.clickjacking.XFrameOptionsMiddleware
  - authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware
  - authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware
  - authorize.opa.middleware.OPAAuthorizationMiddleware
OPA_SERVER:
  host: opa
  port: 8181
  package_path: esgf
  rule_name: allow
RESOURCE_URI_QUERY_KEY: rd
RESOURCE_URI_HEADER_KEY: HTTP_X_ORIGINAL_URL
# Group info keys for authorization
OAUTH2_GROUPS_KEY: group_membership
OIDC_GROUPS_KEY: group_membership
# OAuth Bearer Token auth settings
OAUTH_CLIENT_ID:
OAUTH_CLIENT_SECRET:
OAUTH_TOKEN_URL:
OAUTH_TOKEN_INTROSPECT_URL:
# OIDC auth settings
OIDC_BACKEND_CLIENT_NAME: esgf
AUTHLIB_OAUTH_CLIENTS:
  esgf:
    client_id:
    client_secret:
    authorize_url:
    userinfo_endpoint:
    client_kwargs:
      scope: openid profile email
# Generated by Ansible

{{ auth_settings_base | combine(auth_settings, recursive=true, list_merge='append_rp') | to_yaml(indent=2) }}
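Review bot: The template renders `auth_settings_base | combine(auth_settings, ...)`, but nothing in this commit defines a default for `auth_settings` (the defaults file only adds `auth_settings_base` and the example vars file keeps `auth_settings` commented out), so enabling auth without setting it fails at render time with an undefined-variable error rather than a clear configuration message; `combine(auth_settings | default({}), recursive=true, list_merge='append_rp')` or an explicit `auth_settings: {}` default would make the failure mode explicit. The rendered YAML contains `OAUTH_CLIENT_SECRET` and `client_secret` in clear text, so the task writing it should set a restrictive mode (e.g. `mode: "0600"`); that task is not in this commit, so I could not check it, and a line like `# Contains OAuth client secrets - keep file permissions restrictive.` under the "Generated by Ansible" header would document the expectation. Note also that `list_merge='append_rp'` needs Ansible 2.10+ and removes a base entry if the user repeats it in `auth_settings.MIDDLEWARE`, which silently changes middleware order.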
+15 −7
{% macro auth_check() -%}
        error_page 401 = @error401;
        auth_request /verify;
        auth_request_set $username $upstream_http_x_username;
        auth_request_set $sid $upstream_http_x_session;
{%- endmacro %}

# HTTP and HTTPS server blocks that proxy to the other containers running on this host

server {
@@ -41,7 +48,7 @@ server {
    }

    location @error401 {
        return 302 /login;
        return 302 https://$host/login;
    }
    {% endif %}

@@ -51,12 +58,7 @@ server {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://thredds:8080;

        {% if auth_enabled %}
        error_page 401 = @error401;
        auth_request /auth/verify;
        auth_request_set $username $upstream_http_x_username;
        auth_request_set $sid $upstream_http_x_session;
        {% endif %}
        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}

@@ -64,6 +66,8 @@ server {
    location /thredds/fileServer {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://fileserver:8080;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}
    {% endif %}
@@ -74,6 +78,8 @@ server {
    location ~ ^/solr/[a-z]+/replication {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://solr-slave:8983;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}

@@ -81,6 +87,8 @@ server {
    location /esg-search {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://search:8080;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}
    {% endif %}
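Review bot: `auth_check()` is now attached to `/esg-search` and `/solr/.../replication`, which are consumed by non-browser clients (the settings in this commit enable `BearerTokenAuthenticationMiddleware` for exactly that), yet `error_page 401 = @error401` turns every 401 into a `302` to `https://$host/login`, so an API client with a missing or expired bearer token receives an HTML login redirect instead of a 401 it can act on. I would make the redirect conditional in `@error401`, e.g. `if ($http_authorization) { return 401; }` before `return 302 https://$host/login;`, or only map `error_page 401` in the browser-facing THREDDS locations. `$host` in that redirect comes from the client's `Host` header unless `server_name` is strict (not visible here); using the configured hostname that `opa_policy_server_host` already holds avoids host-header-driven redirects. The `@error401` location and the `server` block it sits in begin outside the shown hunks.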
+48 −0
{% macro auth_check() -%}
        error_page 401 = @error401;
        auth_request /verify;
        auth_request_set $username $upstream_http_x_username;
        auth_request_set $sid $upstream_http_x_session;
{%- endmacro %}

# HTTP and HTTPS server blocks that proxy to the other containers running on this host
server {
    listen 8080 default_server;
@@ -25,11 +32,46 @@ server {
        return 404;
    }

    {% if auth_enabled %}
    location /verify {
        set $query '';
        if ($request_uri ~* "[^\?]+\?(.*)$") {
            set $query $1;
        }

        proxy_pass http://auth:8080/verify/?next=$scheme://$http_host$http_port$request_uri;
        proxy_pass_request_body off;

        proxy_set_header Content-Length '0';
        proxy_set_header Host $host;
        proxy_set_header X-Origin-URI $request_uri;
        proxy_set_header X-Origin-Query $query;
        proxy_set_header X-Forwarded-Host $host;
    }

    location /login {
        proxy_pass http://auth:8080/login;
        proxy_pass_request_body off;

        proxy_set_header Content-Length '0';
        proxy_set_header Host $host;
        proxy_set_header X-Origin-URI $request_uri;
        proxy_set_header X-Origin-Query $query;
        proxy_set_header X-Forwarded-Host $host;
    }

    location @error401 {
        return 302 https://$host/login;
    }
    {% endif %}

    {% if 'data' in group_names %}
    {% if thredds_enabled %}
    location /thredds {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://thredds:8080;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}

@@ -37,6 +79,8 @@ server {
    location /thredds/fileServer {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://fileserver:8080;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}
    {% endif %}
@@ -47,6 +91,8 @@ server {
    location ~ ^/solr/[a-z]+/replication {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://solr-slave:8983;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}

@@ -54,6 +100,8 @@ server {
    location /esg-search {
        include /etc/nginx/includes/proxy_params.conf;
        proxy_pass http://search:8080;

        {% if auth_enabled %}{{ auth_check() }}{% endif %}
    }
    {% endif %}
    {% endif %}
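Review bot: In `location /verify` the resource URL given to the auth service is built as `next=$scheme://$http_host$http_port$request_uri`, and `$http_port` is the client's `Port:` request header (nginx exposes any request header as `$http_<name>`), so a caller can splice arbitrary text into the URL the policy is evaluated against; `$request_uri` is also the raw, percent-encoded, un-normalized path inserted into a query string without escaping, so an `&` in the original query splits `next`, and requests like `/thredds/fileServer/public/../restricted/x` or `.../%72estricted/x` will not match the `opa_policy_restricted_paths` regexes while `proxy_pass http://fileserver:8080;` still forwards them verbatim for the backend to resolve. Unless the auth service canonicalizes the URL (not visible here), that is an authorization bypass. I would drop `$http_port`, capture the normalized path in the protected location with `set $orig_uri $uri;` inside `auth_check()`, and hand it over in the header the defaults already name: `proxy_set_header X-Original-URL $scheme://$host$orig_uri$is_args$args;` (`$uri` inside `/verify` itself is the subrequest's URI, so it must be captured before the subrequest). Separately, `$query` is only assigned inside `/verify`, so `/login` always forwards an empty `X-Origin-Query`.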