chore(auth): further generalize authn

So that it is possible to plug in another OAuth2 instance.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
raito 2024-07-17 16:24:49 +02:00
parent 164ba3b014
commit 1c841ebe2e


@ -19,9 +19,47 @@ in
type = lib.types.path; type = lib.types.path;
description = "File containing a list of nix workers"; description = "File containing a list of nix workers";
}; };
oauth2SecretFile = lib.mkOption {
type = lib.types.path; oauth2 = {
description = "File containing an OAuth 2 client secret"; name = lib.mkOption {
type = lib.types.str;
description = "Name of the OAuth2 login method";
};
icon = lib.mkOption {
type = lib.types.str;
description = "FontAwesome string for the icon associated to the OAuth2 login";
default = "fa-login";
example = "fa-login";
};
clientId = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OAuth2 authentication";
};
clientSecretFile = lib.mkOption {
type = lib.types.path;
description = "Path to a file containing an OAuth 2 client secret";
};
resourceEndpoint = lib.mkOption {
type = lib.types.str;
description = "URL to the OAuth 2 resource";
example = "https://identity.lix.systems";
};
authUri = lib.mkOption {
type = lib.types.str;
description = "Authentication URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
};
tokenUri = lib.mkOption {
type = lib.types.str;
description = "Token URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
}; };
buildSystems = lib.mkOption { buildSystems = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@ -159,12 +197,12 @@ in
'' ''
# TODO(raito): make me configurable from the NixOS module. # TODO(raito): make me configurable from the NixOS module.
# how? # how?
LixSystemsOAuth2 = make_oauth2_method(OAuth2Config( CustomOAuth2 = make_oauth2_method(OAuth2Config(
name='Lix', name=${builtins.toJSON cfg.oauth2.name},
faIcon='fa-login', faIcon=${builtins.toJSON cfg.oauth2.icon},
resourceEndpoint='https://identity.lix.systems', resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth', authUri=${builtins.toJSON cfg.oauth2.authUri},
tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token' tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
) )
GerritNixConfigurator( GerritNixConfigurator(
@ -184,7 +222,7 @@ in
inherit (cfg.binaryCache) bucket region endpoint; inherit (cfg.binaryCache) bucket region endpoint;
profile = "default"; profile = "default";
}}, }},
auth_method=LixSystemsOAuth2('buildbot', auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
read_secret_file('buildbot-oauth2-secret'), read_secret_file('buildbot-oauth2-secret'),
autologin=True autologin=True
) )
@ -230,7 +268,7 @@ in
# in master.py we read secrets from $CREDENTIALS_DIRECTORY # in master.py we read secrets from $CREDENTIALS_DIRECTORY
LoadCredential = [ LoadCredential = [
"buildbot-nix-workers:${cfg.workersFile}" "buildbot-nix-workers:${cfg.workersFile}"
"buildbot-oauth2-secret:${cfg.oauth2SecretFile}" "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
]; ];
}; };
}; };
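Review bot: `clientSecretFile` is declared as `lib.types.path` in the first hunk and its value is interpolated into a string in the `LoadCredential` entry of the last hunk, so if a user supplies a Nix path literal (e.g. `./oauth2-secret`) instead of a string, Nix copies that file into the world-readable store and the client secret ends up under `/nix/store`. The option should say so, e.g. `description = "Path, given as a string such as \"/run/secrets/buildbot-oauth2-secret\" rather than a Nix path literal (which would copy the secret into the world-readable Nix store), to a file containing an OAuth 2 client secret";`, or its type could become `lib.types.str` so a path literal is rejected at evaluation time. Separately, the `# TODO(raito): make me configurable from the NixOS module. # how?` context lines just above `CustomOAuth2` in the second hunk are now stale, since this commit makes exactly that configurable; they should be dropped. The credential name `buildbot-oauth2-secret` passed to `read_secret_file` stays hard-coded, which is fine as long as it remains paired with the `LoadCredential` entry as it is here.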