secret-sync/central/src/config.rs at 3599850e101b974b1d7eb117b540e5c26bbe4038 · samply/secret-sync · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
use std::{convert::Infallible, path::PathBuf};

use beam_lib::{reqwest::Url, AppId};
use clap::Parser;
use shared::{OIDCConfig, RequestType, SecretResult};

use crate::auth::{
    authentik::{self, AuthentikConfig},
    keycloak::{self, KeyCloakConfig},
};

/// Central secret sync
#[derive(Debug, Parser)]
pub struct Config {
    /// Url of the local beam proxy which is required to have sockets enabled
    #[clap(env, long, default_value = "http://beam-proxy:8081")]
    pub beam_url: Url,

    /// Beam api key
    #[clap(env, long)]
    pub beam_secret: String,

    /// The app id of this application
    #[clap(long, env, value_parser=|id: &str| Ok::<_, Infallible>(AppId::new_unchecked(id)))]
    pub beam_id: AppId,

    /// Path of the icinga config file
    #[clap(env, long, default_value = "/run/secrets/icinga.toml")]
    pub icinga_config_path: PathBuf,
}

#[derive(Clone, Debug)]
pub enum OIDCProvider {
    Keycloak(KeyCloakConfig),
    Authentik(AuthentikConfig),
}

impl OIDCProvider {
    pub fn try_init() -> Option<Self> {
        match (KeyCloakConfig::try_parse(), AuthentikConfig::try_parse()) {
            (Ok(key), _) => Some(OIDCProvider::Keycloak(key)),
            (_, Ok(auth)) => Some(OIDCProvider::Authentik(auth)),
            (Err(e), _) => {
                eprintln!("{e:#?}");
                None
            }
        }
    }

    pub async fn handle_secret_request(
        &self,
        request_type: RequestType,
        oidc_client_config: &OIDCConfig,
        from: &AppId,
    ) -> Result<SecretResult, String> {
        let name = from.as_ref().split('.').nth(1).unwrap();
        match request_type {
            RequestType::ValidateOrCreate(current) if self.validate_client(
                name,
                &current,
                oidc_client_config,
            ).await? =>
                Ok(SecretResult::AlreadyValid),
            _ => self.create_client(name, oidc_client_config).await,
        }
    }

    pub async fn create_client(
        &self,
        name: &str,
        oidc_client_config: &OIDCConfig,
    ) -> Result<SecretResult, String> {
        match self {
            OIDCProvider::Keycloak(conf) => {
                keycloak::create_client(name, oidc_client_config, conf).await
            }
            OIDCProvider::Authentik(conf) => {
                authentik::create_app_provider(name, oidc_client_config, conf).await
            }
        }
        .map_err(|e| {
            println!("Failed to create client: {e}");
            "Error creating OIDC client".into()
        })
    }

    pub async fn validate_client(
        &self,
        name: &str,
        secret: &str,
        oidc_client_config: &OIDCConfig,
    ) -> Result<bool, String> {
        match self {
            OIDCProvider::Keycloak(conf) => {
                keycloak::validate_client(name, oidc_client_config, secret, conf)
                    .await
                    .map_err(|e| {
                        eprintln!("Failed to validate client {name}: {e}");
                        "Failed to validate client. See upstrean logs.".into()
                    })
            }
            OIDCProvider::Authentik(conf) => {
                authentik::validate_application(name, oidc_client_config, secret, conf)
                    .await
                    .map_err(|e| {
                        eprintln!("Failed to validate client {name}: {e}");
                        "Failed to validate client. See upstrean logs.".into()
                    })
            }
        }
    }
}