chore(auth): further generalize authn

So that it's possible to plug in another OAuth2 instance.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
raito 2024-07-17 16:24:49 +02:00
parent 164ba3b014
commit 1c841ebe2e


@ -19,9 +19,47 @@ in
type = lib.types.path;
description = "File containing a list of nix workers";
};
oauth2SecretFile = lib.mkOption {
oauth2 = {
name = lib.mkOption {
type = lib.types.str;
description = "Name of the OAuth2 login method";
};
icon = lib.mkOption {
type = lib.types.str;
description = "FontAwesome string for the icon associated to the OAuth2 login";
default = "fa-login";
example = "fa-login";
};
clientId = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OAuth2 authentication";
};
clientSecretFile = lib.mkOption {
type = lib.types.path;
description = "File containing an OAuth 2 client secret";
description = "Path to a file containing an OAuth 2 client secret";
};
resourceEndpoint = lib.mkOption {
type = lib.types.str;
description = "URL to the OAuth 2 resource";
example = "https://identity.lix.systems";
};
authUri = lib.mkOption {
type = lib.types.str;
description = "Authentication URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
};
tokenUri = lib.mkOption {
type = lib.types.str;
description = "Token URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
};
buildSystems = lib.mkOption {
type = lib.types.listOf lib.types.str;
@ -159,12 +197,12 @@ in
''
# TODO(raito): make me configurable from the NixOS module.
# how?
LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
name='Lix',
faIcon='fa-login',
resourceEndpoint='https://identity.lix.systems',
authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
CustomOAuth2 = make_oauth2_method(OAuth2Config(
name=${builtins.toJSON cfg.oauth2.name},
faIcon=${builtins.toJSON cfg.oauth2.icon},
resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
authUri=${builtins.toJSON cfg.oauth2.authUri},
tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
)
GerritNixConfigurator(
@ -184,7 +222,7 @@ in
inherit (cfg.binaryCache) bucket region endpoint;
profile = "default";
}},
auth_method=LixSystemsOAuth2('buildbot',
auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
read_secret_file('buildbot-oauth2-secret'),
autologin=True
)
@ -230,7 +268,7 @@ in
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
LoadCredential = [
"buildbot-nix-workers:${cfg.workersFile}"
"buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
"buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
];
};
};
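Review bot: `clientSecretFile` in the first hunk keeps `lib.types.path`, so a user who passes a path literal such as `./oauth2-secret` has the secret copied into the world-readable Nix store at evaluation time, before `LoadCredential` in the last hunk ever reads it; only a string value stays out of the store. The description should make that explicit, e.g. `description = "Path to a file containing an OAuth 2 client secret. Must not be a Nix path literal, or the secret is copied into the world-readable Nix store.";`, or the type could be narrowed to `lib.types.str` so path literals are rejected at evaluation time. Separately, the `# TODO(raito): make me configurable from the NixOS module.` comment and its `# how?` line at the top of the second hunk are resolved by this commit and can be dropped. The attribute set enclosing the new `oauth2` options starts before the first hunk.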