From cf4b435c6389973ae6654ce4e90e4a5373614ced Mon Sep 17 00:00:00 2001
From: Quentin BEY
Date: Tue, 4 Feb 2025 12:51:47 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=91=E2=80=8D=F0=9F=92=BB(tilt)=20allow?=
 =?UTF-8?q?=20use=20of=20people=20as=20an=20IdP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Few fixes to allow the keycloak dev stack to use people as an Identity Provider. This requires the update of the bitnami keycloak chart we use.
---
 src/backend/people/settings.py | 34 +++++++++++++++++++
 .../dev-keycloak/values.desk.yaml.gotmpl | 4 ++-
 src/helm/env.d/dev/values.desk.yaml.gotmpl | 1 +
 src/helm/helmfile.yaml | 5 +--
 4 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/src/backend/people/settings.py b/src/backend/people/settings.py
index 634cb10..c7c9a7a 100755
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -686,6 +686,24 @@ class Base(Configuration):
 # Ignore the logs added by the DockerflowMiddleware
 ignore_logger("request.summary")
+ @classmethod
+ def generate_temporary_rsa_key(cls):
+ """Generate a temporary RSA key for OIDC Provider."""
+
+ private_key = rsa.generate_private_key(
+ public_exponent=65537,
+ key_size=4096,
+ )
+
+ # - Serialize private key to PEM format
+ private_key_pem = private_key.private_bytes(
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.TraditionalOpenSSL,
+ encryption_algorithm=serialization.NoEncryption(),
+ )
+
+ return private_key_pem.decode("utf-8")
+
 class Build(Base):
 """Settings used when the application is built.
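Review bot: `generate_temporary_rsa_key` uses `rsa` and `serialization` but the hunk adds no import for them; unless settings.py already imports `cryptography.hazmat.primitives.asymmetric.rsa` and `cryptography.hazmat.primitives.serialization` further up, the first evaluation of the dev/local `OAUTH2_PROVIDER` property raises NameError. The docstring should also state the key's lifetime: every call mints a new unencrypted PKCS#1 (TraditionalOpenSSL) PEM key, so the OIDC signing key differs per process and per restart, which is fine for a dev stack but means issued tokens do not survive a restart and multiple workers would disagree on the JWKS. Suggested docstring: `"""Generate an ephemeral, unencrypted RSA private key (PEM) for the OIDC provider; each call returns a new key, so it is only suitable for dev/local settings where tokens need not survive a restart."""`. A 4096-bit key also costs noticeable time at settings load; 2048 bits is enough for a throwaway dev key and would speed up startup.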
@@ -732,6 +750,14 @@ class Development(Base):
 # pylint: disable=invalid-name
 self.INSTALLED_APPS += ["django_extensions"]
+ @property
+ def OAUTH2_PROVIDER(self):
+ """OAuth2 Provider settings."""
+ OAUTH2_PROVIDER = super().OAUTH2_PROVIDER # pylint: disable=invalid-name
+ if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+ OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+ return OAUTH2_PROVIDER
+
 class Test(Base):
 """Test environment settings"""
@@ -895,6 +921,14 @@ class Local(Production):
 nota bene: it should inherit from the Production environment.
 """
+ @property
+ def OAUTH2_PROVIDER(self):
+ """OAuth2 Provider settings."""
+ OAUTH2_PROVIDER = super().OAUTH2_PROVIDER # pylint: disable=invalid-name
+ if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+ OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+ return OAUTH2_PROVIDER
+
 class Staging(Production):
 """
diff --git a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
index afc4783..941dbc0 100644
--- a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
@@ -32,6 +32,8 @@ backend:
 OIDC_RP_SCOPES: "openid email siret"
 OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
 OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ OAUTH2_PROVIDER_OIDC_ENABLED: True
+ OAUTH2_PROVIDER_VALIDATOR_CLASS: "mailbox_oauth2.validators.ProConnectValidator"
 ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
 LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
 LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io
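Review bot: The `OAUTH2_PROVIDER` override added here for `Development` is repeated verbatim for `Local` in the next hunk, and both read the key with `OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]`, which raises KeyError instead of falling back when the base dict does not carry that key. If `super().OAUTH2_PROVIDER` builds a fresh dict on each access (not visible here), every evaluation also mints a new RSA key, so a token signed after one read would fail verification against a later JWKS read; django-configurations normally evaluates properties once at setup, but that assumption deserves a comment on the property. A single mixin with a `.get()` lookup used by both classes (`class Development(EphemeralOIDCKeyMixin, Base):`, `class Local(EphemeralOIDCKeyMixin, Production):`) removes the duplication, and a `logger.warning` when the fallback fires would make it visible that no configured key was found. The enclosing classes start outside the hunk.
```python
class EphemeralOIDCKeyMixin:
    """Fall back to a generated RSA key when OIDC_RSA_PRIVATE_KEY is unset.

    Dev/local only: the key is ephemeral, so the property must be read
    once per process (django-configurations evaluates it at setup).
    """

    @property
    def OAUTH2_PROVIDER(self):  # pylint: disable=invalid-name
        """OAuth2 Provider settings, with an ephemeral signing key if none is configured."""
        provider = super().OAUTH2_PROVIDER
        if not provider.get("OIDC_RSA_PRIVATE_KEY"):
            provider["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
        return provider
```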
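Review bot: `OAUTH2_PROVIDER_OIDC_ENABLED: True` is a bare YAML boolean while every neighbouring value in this env block is a string; if the chart passes these entries through as container env values, Kubernetes rejects a non-string `value`, so quoting it (`OAUTH2_PROVIDER_OIDC_ENABLED: "True"`) is the safer form — the same applies to the identical line added to src/helm/env.d/dev/values.desk.yaml.gotmpl. Neither file sets `OIDC_RSA_PRIVATE_KEY`, so the provider will run on the ephemeral key generated in settings.py; a one-line comment next to the new keys would save the next reader a search, e.g. `# No OIDC_RSA_PRIVATE_KEY here on purpose: dev settings generate an ephemeral signing key`.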
@@ -69,7 +71,7 @@ backend:
 mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem
 subPath: cacert.pem
- # Exra volumes to manage our local custom CA and avoid to set ssl_verify: false
+ # Extra volumes to manage our local custom CA and avoid to set ssl_verify: false
 extraVolumes:
 - name: certs
 configMap:
diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl
index 1e57e72..a757247 100644
--- a/src/helm/env.d/dev/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl
@@ -51,6 +51,7 @@ backend:
 USER_OIDC_FIELDS_TO_NAME: "given_name,usual_name"
 OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
 OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ OAUTH2_PROVIDER_OIDC_ENABLED: True
 ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
 LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
 LOGIN_REDIRECT_URL_FAILURE: https://desk.127.0.0.1.nip.io
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index ba52186..25eeae1 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -17,7 +17,7 @@ releases:
 missingFileHandler: Warn
 namespace: {{ .Namespace }}
 chart: bitnami/keycloak
- version: 17.3.6
+ version: 24.4.8
 values:
 - postgresql:
 auth:
@@ -39,6 +39,7 @@ releases:
 - auth:
 adminUser: su
 adminPassword: su
+ - customCaExistingSecret: "certifi"
 - proxy: edge
 - ingress:
 enabled: true
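Review bot: `customCaExistingSecret: "certifi"` makes the keycloak release depend on a Secret named `certifi` existing in the namespace, but nothing in this patch creates it, and the backend side of the dev-keycloak values mounts its CA from a ConfigMap named `certs`, so the two halves of the custom-CA setup are wired through different objects. A short comment naming where the secret comes from and what it holds, e.g. `# Secret holding the local custom CA bundle; must exist before keycloak starts (see the dev-keycloak CA setup)`, would prevent a silent TLS failure when someone brings the stack up without it. Whether the secret's key names match what the bitnami chart expects is not visible from the diff.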
@@ -50,7 +51,7 @@ releases:
 name: desk-keycloak
 data:
 desk.json: |
-{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }}
+{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | replace "http://app-dev:8000" "https://desk.127.0.0.1.nip.io" | replace "http://localhost:8071" "https://desk.127.0.0.1.nip.io" | indent 14 }}
 - name: postgres
 installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
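Review bot: The chained `replace` calls repeat the literal `https://desk.127.0.0.1.nip.io` three times and rewrite the realm JSON by blind substring substitution, so any other occurrence of `http://localhost:8071` or `http://app-dev:8000` in realm.json, not only redirect URIs, is rewritten too. Binding the target once (`{{ $host := "https://desk.127.0.0.1.nip.io" }}`) and using `replace "http://localhost:3200" $host` for each origin keeps the three rewrites in sync, and a comment listing which realm entries these three hostnames correspond to would explain why they all collapse onto one origin. The realm data is a trusted local file, so this is a maintainability point rather than an injection concern.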