🧑‍💻(tilt) allow use of people as an IdP

Few fixes to allow the keycloak dev stack to use people as an Identity Provider. This requires the update of the bitnami keycloak chart we use.
2025-02-04 12:51:47 +01:00
parent fd8e0e08c3
commit cf4b435c63
4 changed files with 41 additions and 3 deletions
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -686,6 +686,24 @@ class Base(Configuration):
            # Ignore the logs added by the DockerflowMiddleware
            ignore_logger("request.summary")

+    @classmethod
+    def generate_temporary_rsa_key(cls):
+        """Generate a temporary RSA key for OIDC Provider."""
+
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+        )
+
+        # - Serialize private key to PEM format
+        private_key_pem = private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        return private_key_pem.decode("utf-8")
+

 class Build(Base):
    """Settings used when the application is built.
@@ -732,6 +750,14 @@ class Development(Base):
        # pylint: disable=invalid-name
        self.INSTALLED_APPS += ["django_extensions"]

+    @property
+    def OAUTH2_PROVIDER(self):
+        """OAuth2 Provider settings."""
+        OAUTH2_PROVIDER = super().OAUTH2_PROVIDER  # pylint: disable=invalid-name
+        if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+            OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+        return OAUTH2_PROVIDER
+

 class Test(Base):
    """Test environment settings"""
@@ -895,6 +921,14 @@ class Local(Production):
    nota bene: it should inherit from the Production environment.
    """

+    @property
+    def OAUTH2_PROVIDER(self):
+        """OAuth2 Provider settings."""
+        OAUTH2_PROVIDER = super().OAUTH2_PROVIDER  # pylint: disable=invalid-name
+        if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+            OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+        return OAUTH2_PROVIDER
+

 class Staging(Production):
    """
--- a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
@@ -32,6 +32,8 @@ backend:
    OIDC_RP_SCOPES: "openid email siret"
    OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+    OAUTH2_PROVIDER_OIDC_ENABLED: True
+    OAUTH2_PROVIDER_VALIDATOR_CLASS: "mailbox_oauth2.validators.ProConnectValidator"
    ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
    LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
    LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io
@@ -69,7 +71,7 @@ backend:
      mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem
      subPath: cacert.pem

-  # Exra volumes to manage our local custom CA and avoid to set ssl_verify: false
+  # Extra volumes to manage our local custom CA and avoid to set ssl_verify: false
  extraVolumes:
    - name: certs
      configMap:
--- a/src/helm/env.d/dev/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl
@@ -51,6 +51,7 @@ backend:
    USER_OIDC_FIELDS_TO_NAME: "given_name,usual_name"
    OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+    OAUTH2_PROVIDER_OIDC_ENABLED: True
    ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
    LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
    LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -17,7 +17,7 @@ releases:
    missingFileHandler: Warn
    namespace: {{ .Namespace }}
    chart: bitnami/keycloak
-    version: 17.3.6
+    version: 24.4.8
    values:
      - postgresql:
          auth:
@@ -39,6 +39,7 @@ releases:
      - auth:
          adminUser: su
          adminPassword: su
+      - customCaExistingSecret: "certifi"
      - proxy: edge
      - ingress:
          enabled: true
@@ -50,7 +51,7 @@ releases:
            name: desk-keycloak
          data:
            desk.json: |
-{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }}
+{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | replace "http://app-dev:8000" "https://desk.127.0.0.1.nip.io" | replace "http://localhost:8071" "https://desk.127.0.0.1.nip.io" | indent 14 }}

  - name: postgres
    installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}