From 8bf6095e854de28d035786d90a673398fe279c53 Mon Sep 17 00:00:00 2001
From: Quentin BEY
Date: Tue, 4 Feb 2025 12:51:47 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=91=E2=80=8D=F0=9F=92=BB(tilt)=20allow?= =?UTF-8?q?=20use=20of=20people=20as=20an=20IdP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Few fixes to allow the keycloak dev stack to use people as an Identity Provider. This requires the update of the bitnami keycloak chart we use.
---
 src/backend/people/settings.py | 53 ++++++++++++-------
 .../dev-keycloak/values.desk.yaml.gotmpl | 4 +-
 src/helm/env.d/dev/values.desk.yaml.gotmpl | 1 +
 src/helm/helmfile.yaml | 5 +-
 4 files changed, 41 insertions(+), 22 deletions(-)
diff --git a/src/backend/people/settings.py b/src/backend/people/settings.py
index 47369faef..409fa74d0 100755
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -618,6 +618,24 @@ def post_setup(cls):
 # Ignore the logs added by the DockerflowMiddleware
 ignore_logger("request.summary")
+ @classmethod
+ def generate_temporary_rsa_key(cls):
+ """Generate a temporary RSA key for OIDC Provider."""
+
+ private_key = rsa.generate_private_key(
+ public_exponent=65537,
+ key_size=4096,
+ )
+
+ # - Serialize private key to PEM format
+ private_key_pem = private_key.private_bytes(
+ encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.TraditionalOpenSSL,
+ encryption_algorithm=serialization.NoEncryption(),
+ )
+
+ return private_key_pem.decode("utf-8")
+
 class Build(Base):
 """Settings used when the application is built.
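Review bot: `generate_temporary_rsa_key` never reads `cls`, so `@staticmethod` describes it better than `@classmethod`, and the docstring should say what "temporary" means: every call generates a fresh 4096-bit key and returns it as an unencrypted PEM string, so each process that calls it ends up with its own key. If the backend runs with several worker processes, each worker would then sign ID tokens with a different key, and a token minted by one worker may not verify against the key material another worker exposes — worth stating so the helper is not reused outside local development. Suggest replacing the one-line docstring with `Generate a fresh, unencrypted RSA private key (PEM string) for the OIDC provider. The key is ephemeral: each call, and therefore each process, gets a different key, so this is only suitable for local development.` The `# - Serialize private key to PEM format` comment is a leftover of the numbered list from the removed Development block and can drop the leading dash.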
@@ -698,30 +716,19 @@ class Development(Base):
 ORGANIZATION_PLUGINS = ["plugins.organizations.NameFromSiretOrganizationPlugin"]
- # OIDC Provider
- # - Generate RSA private key
- private_key = rsa.generate_private_key(
- public_exponent=65537,
- key_size=4096,
- )
-
- # - Serialize private key to PEM format
- private_key_pem = private_key.private_bytes(
- encoding=serialization.Encoding.PEM,
- format=serialization.PrivateFormat.TraditionalOpenSSL,
- encryption_algorithm=serialization.NoEncryption(),
- )
-
- # - Set the OIDC_RSA_PRIVATE_KEY
- OAUTH2_PROVIDER = Base.OAUTH2_PROVIDER | {
- "OIDC_RSA_PRIVATE_KEY": private_key_pem.decode("utf-8"),
- }
-
 def __init__(self):
 """In dev, force installs needed for Swagger API."""
 # pylint: disable=invalid-name
 self.INSTALLED_APPS += ["django_extensions", "drf_spectacular_sidecar"]
+ @property
+ def OAUTH2_PROVIDER(self):
+ """OAuth2 Provider settings."""
+ OAUTH2_PROVIDER = super().OAUTH2_PROVIDER
+ if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+ OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+ return OAUTH2_PROVIDER
+
 class Test(Base):
 """Test environment settings"""
@@ -887,6 +894,14 @@ class Local(Production):
 nota bene: it should inherit from the Production environment.
 """
+ @property
+ def OAUTH2_PROVIDER(self):
+ """OAuth2 Provider settings."""
+ OAUTH2_PROVIDER = super().OAUTH2_PROVIDER
+ if not OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]:
+ OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = Base.generate_temporary_rsa_key()
+ return OAUTH2_PROVIDER
+
 class Staging(Production):
 """
diff --git a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
index 413ca06d2..d52e9650d 100644
--- a/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev-keycloak/values.desk.yaml.gotmpl
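Review bot: The new `OAUTH2_PROVIDER` property mutates the dict returned by `super().OAUTH2_PROVIDER` in place, whereas the removed code built a new dict with `Base.OAUTH2_PROVIDER | {...}`; if the parent value is a class-level dict shared by the other configurations, the generated key is written into it for all of them. The subscript `OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"]` also raises KeyError when the parent dict has no such key, where the intent is to fall through to generation. Suggest `OAUTH2_PROVIDER = dict(super().OAUTH2_PROVIDER)` followed by `if not OAUTH2_PROVIDER.get("OIDC_RSA_PRIVATE_KEY"):`. The same eight lines are repeated verbatim in `Local` in the `@@ -887` hunk; a small mixin or a module-level helper would keep the two copies from drifting apart. Since `Local` inherits from `Production`, an empty `OIDC_RSA_PRIVATE_KEY` no longer fails loudly there — a warning log at the generation point would make the use of an ephemeral key visible.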
@@ -32,6 +32,8 @@ backend:
 OIDC_RP_SCOPES: "openid email siret"
 OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
 OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ OAUTH2_PROVIDER_OIDC_ENABLED: True
+ OAUTH2_PROVIDER_VALIDATOR_CLASS: "core.authentication.oauth2.validators.ProConnectValidator"
 ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
 ORGANIZATION_REGISTRATION_ID_VALIDATORS: '[{"NAME": "django.core.validators.RegexValidator", "OPTIONS": {"regex": "^[0-9]{14}$"}}]'
 LOGIN_REDIRECT_URL: https://desk.127.0.0.1.nip.io
@@ -70,7 +72,7 @@ backend:
 mountPath: /usr/local/lib/python3.12/site-packages/certifi/cacert.pem
 subPath: cacert.pem
- # Exra volumes to manage our local custom CA and avoid to set ssl_verify: false
+ # Extra volumes to manage our local custom CA and avoid to set ssl_verify: false
 extraVolumes:
 - name: certs
 configMap:
diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl
index 04a4dc12a..cac2871ed 100644
--- a/src/helm/env.d/dev/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl
@@ -50,6 +50,7 @@ backend:
 OIDC_RP_SCOPES: "openid email siret"
 OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
 OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
+ OAUTH2_PROVIDER_OIDC_ENABLED: True
 ORGANIZATION_PLUGINS: "plugins.organizations.NameFromSiretOrganizationPlugin"
 USER_OIDC_FIRST_NAME_FIELD: "given_name"
 USER_OIDC_LAST_NAME_FIELD: "usual_name"
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 18b22b407..5a3bcd8fa 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -17,7 +17,7 @@ releases:
 missingFileHandler: Warn
 namespace: {{ .Namespace }}
 chart: bitnami/keycloak
- version: 17.3.6
+ version: 24.4.8
 values:
 - postgresql:
 auth:
@@ -39,6 +39,7 @@ releases:
 - auth:
 adminUser: su
 adminPassword: su
+ - customCaExistingSecret: "certifi"
 - proxy: edge
 - ingress:
 enabled: true
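Review bot: `OAUTH2_PROVIDER_OIDC_ENABLED: True` is an unquoted YAML boolean while every neighbouring setting in this map is a string; if the chart renders this map into the container's `env` list, Kubernetes rejects a non-string `value`, and even where the renderer stringifies it the spelling (`true` versus `True`) is renderer-dependent. Quoting it, `OAUTH2_PROVIDER_OIDC_ENABLED: "True"`, makes the rendered value deterministic — check that the backend's settings loader parses that string as a boolean, which I cannot confirm from this diff. The same unquoted value is added to `src/helm/env.d/dev/values.desk.yaml.gotmpl` in the `@@ -50` hunk.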
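Review bot: `customCaExistingSecret: "certifi"` in the `@@ -39` hunk of `src/helm/helmfile.yaml` references a Secret by name only; nothing in this helmfile creates it, and the backend values in this same diff appear to mount the local CA from a ConfigMap named `certs`, so confirm that a Secret called `certifi` exists in the release namespace and uses the key names the 24.x chart expects for a custom CA bundle. A short comment above the line, `# Secret holding the local custom CA so Keycloak trusts the backend's TLS endpoint`, would record why the option is set, and the commit message's statement that the chart bump in the `@@ -17` hunk (17.3.6 to 24.4.8) is required for this would be clearer if restated there too.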
@@ -50,7 +51,7 @@ releases:
 name: desk-keycloak
 data:
 desk.json: |
-{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | indent 14 }}
+{{ readFile "../../docker/auth/realm.json" | replace "http://localhost:3200" "https://desk.127.0.0.1.nip.io" | replace "http://app-dev:8000" "https://desk.127.0.0.1.nip.io" | replace "http://localhost:8071" "https://desk.127.0.0.1.nip.io" | indent 14 }}
 - name: postgres
 installed: {{ regexMatch "^dev.*" .Environment.Name | toYaml }}
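Review bot: The three chained `replace` calls map three distinct local origins onto the same `https://desk.127.0.0.1.nip.io`; if `realm.json` lists those origins side by side in `redirectUris` or `webOrigins`, the rendered realm will contain duplicate entries, which is harmless only if Keycloak de-duplicates them on import — worth checking once. The line is also hard to review at this length; a comment such as `# rewrite the local-stack origins (localhost:3200, app-dev:8000, localhost:8071) to the ingress host` above it, or binding the target host to a template variable used by each `replace`, would make the intent and the single target explicit.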