-
Notifications
You must be signed in to change notification settings - Fork 3k
Merging oidc branch with develop #1388
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
jc21
wants to merge
13
commits into
develop
Choose a base branch
from
openidc
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
8e10b7d
Add UI tab for specifying OpenID Connect options for proxy hosts.
Subv 53792a5
Add database columns to store OpenID Connect information for Proxy Ho…
Subv 5811345
Use OpenResty instead of plain nginx to support OpenID Connect author…
Subv cdf702e
Add a field to specify a list of allowed emails when using OpenID Con…
Subv daf3991
Allow limiting OpenID Connect auth to a list of users.
Subv 9f2d3a1
Manually set the default values for the OpenID Connect columns.
Subv 87d9bab
Fix conditionals in the liquid template for OpenID Connect conf.
Subv 8539930
Updated the docs to add a section about OpenID Connect
Subv 076d89b
Use localized strings for the OpenID Connect texts.
Subv e7f7be2
OpenIDC: Trigger the change event of the "restrict users" toggle when…
Subv a91dcb1
Use model for db defaults as sqlite doesn't support them
jc21 694d8a0
Merge branch 'develop' into openidc
Trozz fdb22e4
Merge pull request #3952 from Trozz/openidc
jc21 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| const migrate_name = 'openid_connect'; | ||
| const logger = require('../logger').migrate; | ||
|
|
||
| /** | ||
| * Migrate | ||
| * | ||
| * @see http://knexjs.org/#Schema | ||
| * | ||
| * @param {Object} knex | ||
| * @param {Promise} Promise | ||
| * @returns {Promise} | ||
| */ | ||
| exports.up = function (knex/*, Promise*/) { | ||
| logger.info('[' + migrate_name + '] Migrating Up...'); | ||
|
|
||
| return knex.schema.table('proxy_host', function (proxy_host) { | ||
| proxy_host.integer('openidc_enabled').notNull().unsigned().defaultTo(0); | ||
| proxy_host.text('openidc_redirect_uri').notNull().defaultTo(''); | ||
| proxy_host.text('openidc_discovery').notNull().defaultTo(''); | ||
| proxy_host.text('openidc_auth_method').notNull().defaultTo(''); | ||
| proxy_host.text('openidc_client_id').notNull().defaultTo(''); | ||
| proxy_host.text('openidc_client_secret').notNull().defaultTo(''); | ||
| }) | ||
| .then(() => { | ||
| logger.info('[' + migrate_name + '] proxy_host Table altered'); | ||
| }); | ||
| }; | ||
|
|
||
| /** | ||
| * Undo Migrate | ||
| * | ||
| * @param {Object} knex | ||
| * @param {Promise} Promise | ||
| * @returns {Promise} | ||
| */ | ||
| exports.down = function (knex/*, Promise*/) { | ||
| return knex.schema.table('proxy_host', function (proxy_host) { | ||
| proxy_host.dropColumn('openidc_enabled'); | ||
| proxy_host.dropColumn('openidc_redirect_uri'); | ||
| proxy_host.dropColumn('openidc_discovery'); | ||
| proxy_host.dropColumn('openidc_auth_method'); | ||
| proxy_host.dropColumn('openidc_client_id'); | ||
| proxy_host.dropColumn('openidc_client_secret'); | ||
| }) | ||
| .then(() => { | ||
| logger.info('[' + migrate_name + '] proxy_host Table altered'); | ||
| }); | ||
| }; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| const migrate_name = 'openid_allowed_users'; | ||
| const logger = require('../logger').migrate; | ||
|
|
||
| /** | ||
| * Migrate | ||
| * | ||
| * @see http://knexjs.org/#Schema | ||
| * | ||
| * @param {Object} knex | ||
| * @param {Promise} Promise | ||
| * @returns {Promise} | ||
| */ | ||
| exports.up = function (knex/*, Promise*/) { | ||
| logger.info('[' + migrate_name + '] Migrating Up...'); | ||
|
|
||
| return knex.schema.table('proxy_host', function (proxy_host) { | ||
| proxy_host.integer('openidc_restrict_users_enabled').notNull().unsigned().defaultTo(0); | ||
| proxy_host.json('openidc_allowed_users').notNull().defaultTo([]); | ||
| }) | ||
| .then(() => { | ||
| logger.info('[' + migrate_name + '] proxy_host Table altered'); | ||
| }); | ||
| }; | ||
|
|
||
| /** | ||
| * Undo Migrate | ||
| * | ||
| * @param {Object} knex | ||
| * @param {Promise} Promise | ||
| * @returns {Promise} | ||
| */ | ||
| exports.down = function (knex/*, Promise*/) { | ||
| return knex.schema.table('proxy_host', function (proxy_host) { | ||
| proxy_host.dropColumn('openidc_restrict_users_enabled'); | ||
| proxy_host.dropColumn('openidc_allowed_users'); | ||
| }) | ||
| .then(() => { | ||
| logger.info('[' + migrate_name + '] proxy_host Table altered'); | ||
| }); | ||
| }; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -235,6 +235,43 @@ | |
| "description": "Should we cache assets", | ||
| "example": true, | ||
| "type": "boolean" | ||
| }, | ||
| "openidc_enabled": { | ||
| "description": "Is OpenID Connect authentication enabled", | ||
| "example": true, | ||
| "type": "boolean" | ||
| }, | ||
| "openidc_redirect_uri": { | ||
| "type": "string" | ||
| }, | ||
| "openidc_discovery": { | ||
| "type": "string" | ||
| }, | ||
| "openidc_auth_method": { | ||
| "type": "string", | ||
| "pattern": "^(client_secret_basic|client_secret_post)$" | ||
| }, | ||
| "openidc_client_id": { | ||
| "type": "string" | ||
| }, | ||
| "openidc_client_secret": { | ||
| "type": "string" | ||
| }, | ||
| "openidc_restrict_users_enabled": { | ||
| "description": "Only allow a specific set of OpenID Connect emails to access the resource", | ||
| "example": true, | ||
| "type": "boolean" | ||
| }, | ||
| "openidc_allowed_users": { | ||
| "type": "array", | ||
| "minItems": 0, | ||
| "items": { | ||
| "type": "string", | ||
| "description": "Email Address", | ||
| "example": "[email protected]", | ||
| "format": "email", | ||
| "minLength": 1 | ||
| } | ||
| } | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| {% if openidc_enabled == 1 or openidc_enabled == true -%} | ||
| access_by_lua_block { | ||
| local openidc = require("resty.openidc") | ||
| local opts = { | ||
| redirect_uri = "{{- openidc_redirect_uri -}}", | ||
| discovery = "{{- openidc_discovery -}}", | ||
| token_endpoint_auth_method = "{{- openidc_auth_method -}}", | ||
| client_id = "{{- openidc_client_id -}}", | ||
| client_secret = "{{- openidc_client_secret -}}", | ||
| scope = "openid email profile" | ||
| } | ||
|
|
||
| local res, err = openidc.authenticate(opts) | ||
|
|
||
| if err then | ||
| ngx.status = 500 | ||
| ngx.say(err) | ||
| ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) | ||
| end | ||
|
|
||
| {% if openidc_restrict_users_enabled == 1 or openidc_restrict_users_enabled == true -%} | ||
| local function contains(table, val) | ||
| for i=1,#table do | ||
| if table[i] == val then | ||
| return true | ||
| end | ||
| end | ||
| return false | ||
| end | ||
|
|
||
| local allowed_users = { | ||
| {% for user in openidc_allowed_users %} | ||
| "{{ user }}", | ||
| {% endfor %} | ||
| } | ||
|
|
||
| if not contains(allowed_users, res.id_token.email) then | ||
| ngx.exit(ngx.HTTP_FORBIDDEN) | ||
| end | ||
| {% endif -%} | ||
|
|
||
|
|
||
| ngx.req.set_header("X-OIDC-SUB", res.id_token.sub) | ||
| ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email) | ||
| ngx.req.set_header("X-OIDC-NAME", res.id_token.name) | ||
| } | ||
| {% endif %} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently additional locations are not protected behind oidc. Would adding this line to
/backend/templates/_location.confbe sufficient?Maybe this should be behind a toggle so that opt-in or opt-out is possible per location?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A workaround for anyone else that need this is to copy the generated oidc config into the advanced section of the locations.
In my case I copied it to a file in the custom folder and imported that in the locations that need it. This also make it easier to share the same oidc setup for multiple proxy hosts, but that isn't as big of a deal for me.