From 1c841ebe2e47a54a819885cdb68ea29ee17669af Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 17 Jul 2024 16:24:49 +0200
Subject: [PATCH] chore(auth): further generalize authn

So that it's possible to plug another OAuth2 instance.

Signed-off-by: Raito Bezarius
---
 nix/coordinator.nix | 60 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 49 insertions(+), 11 deletions(-)

diff --git a/nix/coordinator.nix b/nix/coordinator.nix
index 4d3bb9b..1b3e07a 100644
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@@ -19,9 +19,47 @@ in
 type = lib.types.path;
 description = "File containing a list of nix workers";
 };
- oauth2SecretFile = lib.mkOption {
- type = lib.types.path;
- description = "File containing an OAuth 2 client secret";
+
+ oauth2 = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ description = "Name of the OAuth2 login method";
+ };
+
+ icon = lib.mkOption {
+ type = lib.types.str;
+ description = "FontAwesome string for the icon associated to the OAuth2 login";
+ default = "fa-login";
+ example = "fa-login";
+ };
+
+ clientId = lib.mkOption {
+ type = lib.types.str;
+ description = "Client ID for the OAuth2 authentication";
+ };
+
+ clientSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to a file containing an OAuth 2 client secret";
+ };
+
+ resourceEndpoint = lib.mkOption {
+ type = lib.types.str;
+ description = "URL to the OAuth 2 resource";
+ example = "https://identity.lix.systems";
+ };
+
+ authUri = lib.mkOption {
+ type = lib.types.str;
+ description = "Authentication URI";
+ example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+ };
+
+ tokenUri = lib.mkOption {
+ type = lib.types.str;
+ description = "Token URI";
+ example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+ };
 };
 buildSystems = lib.mkOption {
 type = lib.types.listOf lib.types.str;
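Review bot: `clientSecretFile` is typed `lib.types.path`, so a Nix path literal (for example `./oauth2-secret`, a constructed example) would be accepted and then copied into the world-readable Nix store when it is interpolated into `LoadCredential` in the last hunk; the description should state the constraint, e.g. `description = "Path to a file containing an OAuth 2 client secret. Must be a string pointing outside the Nix store (not a path literal); it is handed to the service via systemd LoadCredential.";`. The removed `oauth2SecretFile` had the same weakness, but the new option is where it should be documented. `authUri` and `tokenUri` are plain `lib.types.str` even though the client secret is sent to `tokenUri`; consider `lib.types.strMatching "https://.*"` or at least noting in their descriptions that plain-http endpoints must not be used. The enclosing options attribute set begins outside the hunk.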
@@ -159,12 +197,12 @@ in
 ''
 # TODO(raito): make me configurable from the NixOS module.
 # how?
- LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
- name='Lix',
- faIcon='fa-login',
- resourceEndpoint='https://identity.lix.systems',
- authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
- tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
+ CustomOAuth2 = make_oauth2_method(OAuth2Config(
+ name=${builtins.toJSON cfg.oauth2.name},
+ faIcon=${builtins.toJSON cfg.oauth2.icon},
+ resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
+ authUri=${builtins.toJSON cfg.oauth2.authUri},
+ tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
 )
 GerritNixConfigurator(
@@ -184,7 +222,7 @@ in
 inherit (cfg.binaryCache) bucket region endpoint;
 profile = "default";
 }},
- auth_method=LixSystemsOAuth2('buildbot',
+ auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
 read_secret_file('buildbot-oauth2-secret'),
 autologin=True
 )
@@ -230,7 +268,7 @@ in
 # in master.py we read secrets from $CREDENTIALS_DIRECTORY
 LoadCredential = [
 "buildbot-nix-workers:${cfg.workersFile}"
- "buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
+ "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
 ];
 };
 };
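Review bot: The context lines `# TODO(raito): make me configurable from the NixOS module.` and `# how?` directly above the new `CustomOAuth2 = make_oauth2_method(OAuth2Config(` block are now stale, because every field on the added lines is read from `cfg.oauth2`; this commit resolves that TODO and should delete it, or replace it with `# OAuth2 provider settings come from the module's oauth2.* options`. Emitting the values with `builtins.toJSON` yields double-quoted string literals that Python reads as intended, so no further quoting is needed there. The multi-line Nix string holding this Python code opens before the hunk and closes after it.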
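Review bot: `autologin=True` on the continuation of the new `auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},` line remains hard-coded while every other provider parameter has just become an option; if the aim is a pluggable provider, an `oauth2.autologin` option of type `lib.types.bool` defaulting to `true` would complete the generalization, rendered as `autologin=${if cfg.oauth2.autologin then "True" else "False"}` since `builtins.toJSON` would produce lowercase `true`, which Python does not accept. The `GerritNixConfigurator(` call this argument belongs to begins in the previous hunk.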