chore(auth): further generalize authn
So that it's possible to plug another OAuth2 instance. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
parent
164ba3b014
commit
1c841ebe2e
|
@ -19,9 +19,47 @@ in
|
|||
type = lib.types.path;
|
||||
description = "File containing a list of nix workers";
|
||||
};
|
||||
oauth2SecretFile = lib.mkOption {
|
||||
|
||||
oauth2 = {
|
||||
name = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Name of the OAuth2 login method";
|
||||
};
|
||||
|
||||
icon = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "FontAwesome string for the icon associated to the OAuth2 login";
|
||||
default = "fa-login";
|
||||
example = "fa-login";
|
||||
};
|
||||
|
||||
clientId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Client ID for the OAuth2 authentication";
|
||||
};
|
||||
|
||||
clientSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing an OAuth 2 client secret";
|
||||
description = "Path to a file containing an OAuth 2 client secret";
|
||||
};
|
||||
|
||||
resourceEndpoint = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "URL to the OAuth 2 resource";
|
||||
example = "https://identity.lix.systems";
|
||||
};
|
||||
|
||||
authUri = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Authentication URI";
|
||||
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
|
||||
};
|
||||
|
||||
tokenUri = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Token URI";
|
||||
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
|
||||
};
|
||||
};
|
||||
buildSystems = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
|
@ -159,12 +197,12 @@ in
|
|||
''
|
||||
# TODO(raito): make me configurable from the NixOS module.
|
||||
# how?
|
||||
LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
|
||||
name='Lix',
|
||||
faIcon='fa-login',
|
||||
resourceEndpoint='https://identity.lix.systems',
|
||||
authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
|
||||
tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
|
||||
CustomOAuth2 = make_oauth2_method(OAuth2Config(
|
||||
name=${builtins.toJSON cfg.oauth2.name},
|
||||
faIcon=${builtins.toJSON cfg.oauth2.icon},
|
||||
resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
|
||||
authUri=${builtins.toJSON cfg.oauth2.authUri},
|
||||
tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
|
||||
)
|
||||
|
||||
GerritNixConfigurator(
|
||||
|
@ -184,7 +222,7 @@ in
|
|||
inherit (cfg.binaryCache) bucket region endpoint;
|
||||
profile = "default";
|
||||
}},
|
||||
auth_method=LixSystemsOAuth2('buildbot',
|
||||
auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
|
||||
read_secret_file('buildbot-oauth2-secret'),
|
||||
autologin=True
|
||||
)
|
||||
|
@ -230,7 +268,7 @@ in
|
|||
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
|
||||
LoadCredential = [
|
||||
"buildbot-nix-workers:${cfg.workersFile}"
|
||||
"buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
|
||||
"buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue