🧑‍💻(tilt) allow use of people as an IdP

Few fixes to allow the keycloak dev stack to use people as an Identity Provider. This requires the update of the bitnami keycloak chart we use.
suitenumerique · Feb 6, 2025 · 8bf6095 · 8bf6095
1 parent 9fb9f36
commit 8bf6095
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 22 deletions.
diff --git a/src/backend/people/settings.py b/src/backend/people/settings.py
@@ -618,6 +618,24 @@ def post_setup(cls):
             # Ignore the logs added by the DockerflowMiddleware
             ignore_logger("request.summary")
 
+    @classmethod
+    def generate_temporary_rsa_key(cls):
+        """Generate a temporary RSA key for OIDC Provider."""
+
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+        )
+
+        # - Serialize private key to PEM format
+        private_key_pem = private_key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        return private_key_pem.decode("utf-8")
+
 
 class Build(Base):
     """Settings used when the application is built.
@@ -698,30 +716,19 @@ class Development(Base):
 
     ORGANIZATION_PLUGINS = ["plugins.organizations.NameFromSiretOrganizationPlugin"]
 
-    # OIDC Provider
-    # - Generate RSA private key
-    private_key = rsa.generate_private_key(
-        public_exponent=65537,
-        key_size=4096,
-    )
-
-    # - Serialize private key to PEM format
-    private_key_pem = private_key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.TraditionalOpenSSL,
-        encryption_algorithm=serialization.NoEncryption(),
-    )
-
-    # - Set the OIDC_RSA_PRIVATE_KEY
-    OAUTH2_PROVIDER = Base.OAUTH2_PROVIDER | {
-        "OIDC_RSA_PRIVATE_KEY": private_key_pem.decode("utf-8"),
-    }
-
     def __init__(self):
         """In dev, force installs needed for Swagger API."""
         # pylint: disable=invalid-name
         self.INSTALLED_APPS += ["django_extensions", "drf_spectacular_sidecar"]
 
+    @property
+    def OAUTH2_PROVIDER(self):
+        """OAuth2 Provider settings."""
+        OAUTH2_PROVIDER = super().OAUTH2_PROVIDER
+        if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+            OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+        return OAUTH2_PROVIDER
+
 
 class Test(Base):
     """Test environment settings"""
@@ -887,6 +894,14 @@ class Local(Production):
     nota bene: it should inherit from the Production environment.
     """
 
+    @property
+    def OAUTH2_PROVIDER(self):
+        """OAuth2 Provider settings."""
+        OAUTH2_PROVIDER = super().OAUTH2_PROVIDER
+        if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+            OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+        return OAUTH2_PROVIDER
+
 
 class Staging(Production):
     """

diff --git a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
@@ -32,6 +32,8 @@ backend:
     OIDC_RP_SCOPES: "openid email siret"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
     OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+    OAUTH2_PROVIDER_OIDC_ENABLED: True
+    OAUTH2_PROVIDER_VALIDATOR_CLASS: "core.authentication.oauth2.validators.ProConnectValidator"
     ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
     ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
     LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
@@ -70,7 +72,7 @@ backend:
       mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem
       subPath: cacert.pem
 
-  # Exra volumes to manage our local custom CA and avoid to set ssl_verify: false
+  # Extra volumes to manage our local custom CA and avoid to set ssl_verify: false
   extraVolumes:
     - name: certs
       configMap:

diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl
@@ -50,6 +50,7 @@ backend:
     OIDC_RP_SCOPES: "openid email siret"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
     OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+    OAUTH2_PROVIDER_OIDC_ENABLED: True
     ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
     USER_OIDC_FIRST_NAME_FIELD: "given_name"
     USER_OIDC_LAST_NAME_FIELD: "usual_name"

diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
@@ -17,7 +17,7 @@ releases:
     missingFileHandler: Warn
     namespace: {{ .Namespace }}
     chart: bitnami/keycloak
-    version: 17.3.6
+    version: 24.4.8
     values:
       - postgresql:
           auth:
@@ -39,6 +39,7 @@ releases:
       - auth:
           adminUser: su
           adminPassword: su
+      - customCaExistingSecret: "certifi"
       - proxy: edge
       - ingress:
           enabled: true
@@ -50,7 +51,7 @@ releases:
             name: desk-keycloak
           data:
             desk.json: |
-{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }}
+{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | replace "http://app-dev:8000" "https://desk.127.0.0.1.nip.io" | replace "http://localhost:8071" "https://desk.127.0.0.1.nip.io" | indent 14 }}
 
   - name: postgres
     installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}