chore(auth): further generalize authn

So that it's possible to plug another OAuth2 instance.

Signed-off-by: Raito Bezarius <raito@lix.systems>
This commit is contained in:
raito 2024-07-19 19:24:33 +02:00 committed by Jade Lovelace
parent bd8c11ed1e
commit 965cd014b3

View file

@ -19,9 +19,52 @@ in
type = lib.types.path;
description = "File containing a list of nix workers";
};
oauth2SecretFile = lib.mkOption {
type = lib.types.path;
description = "File containing an OAuth 2 client secret";
oauth2 = {
name = lib.mkOption {
type = lib.types.str;
description = "Name of the OAuth2 login method";
};
icon = lib.mkOption {
type = lib.types.str;
description = "FontAwesome string for the icon associated to the OAuth2 login";
default = "fa-login";
example = "fa-login";
};
clientId = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OAuth2 authentication";
};
clientSecretFile = lib.mkOption {
type = lib.types.path;
description = "Path to a file containing an OAuth 2 client secret";
};
resourceEndpoint = lib.mkOption {
type = lib.types.str;
description = "URL to the OAuth 2 resource";
example = "https://identity.lix.systems";
};
authUri = lib.mkOption {
type = lib.types.str;
description = "Authentication URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
};
tokenUri = lib.mkOption {
type = lib.types.str;
description = "Token URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
userinfoUri = lib.mkOption {
type = lib.types.str;
description = "User info URI";
example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
};
};
buildSystems = lib.mkOption {
type = lib.types.listOf lib.types.str;
@ -164,24 +207,24 @@ in
home = "/var/lib/buildbot";
extraImports = ''
from datetime import timedelta
from buildbot_nix import GerritNixConfigurator, read_secret_file
from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config
# TODO(raito): make me configurable from the NixOS module.
# how?
CustomOAuth2 = make_oauth2_method(OAuth2Config(
name=${builtins.toJSON cfg.oauth2.name},
faIcon=${builtins.toJSON cfg.oauth2.icon},
resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
authUri=${builtins.toJSON cfg.oauth2.authUri},
tokenUri=${builtins.toJSON cfg.oauth2.tokenUri},
userinfoUri=${builtins.toJSON cfg.oauth2.userinfoUri}
))
'';
configurators = [
''
util.JanitorConfigurator(logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6)
''
''
# TODO(raito): make me configurable from the NixOS module.
# how?
LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
name='Lix',
faIcon='fa-login',
resourceEndpoint='https://identity.lix.systems',
authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token',
userinfoUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/userinfo'
)
GerritNixConfigurator(
"${cfg.gerrit.domain}",
"${cfg.gerrit.username}",
@ -202,7 +245,7 @@ in
inherit (cfg.binaryCache) bucket region endpoint;
profile = "default";
}},
auth_method=LixSystemsOAuth2('buildbot',
auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
read_secret_file('buildbot-oauth2-secret'),
autologin=True
)
@ -249,7 +292,7 @@ in
# in master.py we read secrets from $CREDENTIALS_DIRECTORY
LoadCredential = [
"buildbot-nix-workers:${cfg.workersFile}"
"buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
"buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
];
};
};