ITP-2120 add options for setting public key and add code for validati…#3
ITP-2120 add options for setting public key and add code for validati…#3 — perekatypola wants to merge 6 commits into master from
gnomeby
left a comment
Add OAUTH2.md help file
rq_dashboard/cli.py
| disable_delete, | ||
| verbose, | ||
| json, | ||
| oidc_public_key |
oauth2_token_verification_key
rq_dashboard/cli.py
| logging.warning(encoded_jwt) | ||
| if encoded_jwt: | ||
| base64_key_clean = os.environ.get('OIDC_PUBLIC_KEY').replace('\n', '').replace('\r', '').replace(' ', '') | ||
| key_formatted = textwrap.fill(base64_key_clean, 64) |
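Review bot: `logging.warning(encoded_jwt)` on the first line of the hunk writes the forwarded bearer access token into the application log, where it is retained and readable by anyone with log access; the decoded claims logged right after `jwt.decode` in the next hunk have the same problem. Drop both calls, or log a fixed message only, e.g. `logging.debug("access token header present: %s", bool(encoded_jwt))`. `os.environ.get('OIDC_PUBLIC_KEY')` returns None when the variable is unset, so the chained `.replace` raises AttributeError inside the request handler instead of a clear configuration error; read and normalise the key once at startup and fail there. The enclosing function starts and ends outside this hunk.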
rq_dashboard/cli.py
| '-----END PUBLIC KEY-----' | ||
| ) | ||
| payload = jwt.decode(encoded_jwt, key) | ||
| logging.warning(payload) |
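Review bot: `jwt.decode(encoded_jwt, key)` does not pin the signature algorithm, so which verification is performed is driven by whatever the token header declares; with JOSE libraries that accept `key` as either a public key or an HMAC secret (the `errors.JoseError` handler further down suggests authlib's jose module), the accepted algorithm should be fixed to the provider's asymmetric one, e.g. build `jwt = JsonWebToken(['RS256'])` once at startup and use that instance for `jwt.decode(...)`. Whether the library in use restricts algorithms by default is not visible in the hunk, so confirm against its documentation. The enclosing function continues outside the hunk.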
rq_dashboard/cli.py
| return "<h1>403 Not authorized (oauth2_proxy)</h1>", 403 | ||
| except errors.JoseError as ex: | ||
| logging.warning(ex) | ||
| return "<h1>403 Not authorized (oauth2_proxy)</h1>", 403 |
rq_dashboard/cli.py
| payload.validate() | ||
| return None | ||
| else: | ||
| return "<h1>403 Not authorized (oauth2_proxy)</h1>", 403 |
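Review bot: `payload.validate()` with no arguments checks only the claims the JOSE library validates by default (typically the time-based ones), so a correctly signed token issued by the same provider for a different client or audience is accepted; the expected issuer and audience should be enforced too, for example by passing `claims_options={'iss': {'essential': True, 'value': EXPECTED_ISSUER}, 'aud': {'essential': True, 'value': EXPECTED_AUDIENCE}}` to the decode call (placeholder names) if the library supports it, or by comparing those claims explicitly before returning None. Which claims `validate()` covers depends on the library, which the hunk does not show, so confirm against its documentation. The enclosing function starts outside the hunk.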
rq_dashboard/cli.py
| @blueprint.before_request | ||
| def basic_http_auth(): | ||
| try: | ||
| encoded_jwt = request.headers.get('X-Forwarded-Access-Token') |
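Review bot: the hook is named `basic_http_auth` but validates a forwarded OAuth2 access token, which will mislead anyone searching for HTTP Basic handling; rename it, e.g. `def oauth2_token_auth():`. The `try:` also opens before the header read, so the handlers below cover more than the decode/validate calls that can actually raise; consider keeping the `try` body to those calls so unrelated failures are not mistaken for token errors. The function body continues outside the hunk.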
Должен быть настраиваемый заголовок
setup.py
| platforms='any', | ||
| install_requires=['rq>=1.0', 'Flask', 'redis', 'arrow', 'redis-sentinel-url'], | ||
| extras_require={ | ||
| 'oauth2_proxy': [ |
| else: | ||
| add_oauth2_token_validation() | ||
| else: | ||
| if WITH_OAUTH: |
rq_dashboard/cli.py
| "-j", "--json", is_flag=True, default=False, help="Enable JSONSerializer" | ||
| ) | ||
| @click.option( | ||
| "--oidc-public-key", default=None, help="Public key for OIDC provider (needed if ouath2_proxy is used)" |
Verification key for oauth2 access_token verification (when oauth2 provider is used as middleware or reverse proxy. For example: oauth2_proxy+KeyCloak)
gnomeby
left a comment
Добавить заметку в README.md о том, что есть опция валидировать oauth2 token
rq_dashboard/cli.py
| "-j", "--json", is_flag=True, default=False, help="Enable JSONSerializer" | ||
| ) | ||
| @click.option( | ||
| "--oauth2-token-verification-key", default=None, help="Verification key for oauth2 access_token verification (when oauth2 provider is used as middleware or reverse proxy. For example: oauth2_proxy+KeyCloak)" |
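Review bot: the verification key is a multi-line PEM, and passing it as a command-line value is awkward and shows up in process listings; an earlier revision of cli.py in this thread read it from an environment variable instead, so declaring that on the option, `envvar="OAUTH2_TOKEN_VERIFICATION_KEY"`, or accepting a file path via `type=click.Path(exists=True, dir_okay=False)`, would make the two sources consistent and documented. The help text should also state which format is accepted (PEM with or without the BEGIN/END armor), since the handler strips whitespace and re-wraps the base64 body itself. The decorated function starts outside the hunk.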
oauth2 extension is required
rq_dashboard/cli.py
| app.config['OAUTH2_TOKEN_VERIFICATION_HEADER'] = oauth2_token_verification_header | ||
|
|
||
| if app.config['OAUTH2_TOKEN_VERIFICATION_KEY'] and app.config['OAUTH2_TOKEN_VERIFICATION_HEADER']: | ||
| if not WITH_OAUTH: |
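Review bot: the `and` on the `if` line means that setting only one of `OAUTH2_TOKEN_VERIFICATION_KEY` / `OAUTH2_TOKEN_VERIFICATION_HEADER` silently skips the whole block, so a half-configured deployment runs with token verification off and no warning; a misconfiguration should fail at startup instead. Before the `if`, add `if bool(app.config['OAUTH2_TOKEN_VERIFICATION_KEY']) != bool(app.config['OAUTH2_TOKEN_VERIFICATION_HEADER']): raise click.UsageError("the oauth2 token verification key and header options must be set together")`. The surrounding function starts outside the hunk.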
Нужно инвертировать условие. Надо стараться делать условия позитивными
| @@ -0,0 +1,19 @@ | |||
| ## Installation of oauth2 extension: | |||
|
|
||
| restart: always | ||
|
|
||
| oauth2-proxy: |
Рассмотреть возможность добавить сюда KeyCloak, который при старте настраивает нужного клиента, — с тем чтобы было достаточно просто запустить docker compose и всё сразу работало.
Dockerfile-oauth2
| && rm -rf /var/lib/apt/lists/* | ||
|
|
||
| ADD . / | ||
| RUN pip3 install '.[oauth2]' |
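Review bot: `ADD . /` copies the entire build context into the image root; use `COPY` (ADD additionally unpacks archives and fetches URLs), add a `.dockerignore`, and copy into a dedicated directory rather than `/`, e.g. `COPY . /app` followed by `RUN pip3 install '/app[oauth2]'`. `pip3 install '.[oauth2]'` also has to match the extra declared in setup.py, and the setup.py hunk in this thread names it `oauth2_proxy`; if that name was not changed in a later commit the extra resolves to nothing and the JOSE dependency is never installed. Both hunks are marked outdated, so confirm against the final revision.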
Просто поменять основной Dockerfile
…ng oauth2_proxy token
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Fixes # (issue)
Type of change
Please delete options that are not relevant.
Checklist: