From 9fe65366759573702c94d4dfd805bdcd79a1f4fa Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Fri, 19 Jul 2024 19:24:33 +0200
Subject: [PATCH] chore(auth): further generalize authn

So that it's possible to plug another OAuth2 instance.

Signed-off-by: Raito Bezarius
---
 nix/coordinator.nix | 70 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 16 deletions(-)

diff --git a/nix/coordinator.nix b/nix/coordinator.nix
index 4d3bb9b..06cd0c2 100644
--- a/nix/coordinator.nix
+++ b/nix/coordinator.nix
@@ -19,9 +19,47 @@ in
 type = lib.types.path;
 description = "File containing a list of nix workers";
 };
- oauth2SecretFile = lib.mkOption {
- type = lib.types.path;
- description = "File containing an OAuth 2 client secret";
+
+ oauth2 = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ description = "Name of the OAuth2 login method";
+ };
+
+ icon = lib.mkOption {
+ type = lib.types.str;
+ description = "FontAwesome string for the icon associated to the OAuth2 login";
+ default = "fa-login";
+ example = "fa-login";
+ };
+
+ clientId = lib.mkOption {
+ type = lib.types.str;
+ description = "Client ID for the OAuth2 authentication";
+ };
+
+ clientSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to a file containing an OAuth 2 client secret";
+ };
+
+ resourceEndpoint = lib.mkOption {
+ type = lib.types.str;
+ description = "URL to the OAuth 2 resource";
+ example = "https://identity.lix.systems";
+ };
+
+ authUri = lib.mkOption {
+ type = lib.types.str;
+ description = "Authentication URI";
+ example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
+ };
+
+ tokenUri = lib.mkOption {
+ type = lib.types.str;
+ description = "Token URI";
+ example = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
+ };
 };
 buildSystems = lib.mkOption {
 type = lib.types.listOf lib.types.str;
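Review bot: `clientSecretFile` keeps the `lib.types.path` type of the option it replaces, and its description does not say that the file must live outside the Nix store; a path literal assigned here is interpolated into `"buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"` in the LoadCredential hunk and would be copied into the world-readable store. I would make the contract explicit in the option: `description = "Absolute path, on the target host and outside the Nix store, to a file containing the OAuth 2 client secret; it is loaded at runtime through systemd LoadCredential.";`. The rename from `oauth2SecretFile` also comes without a `lib.mkRenamedOptionModule` entry, so existing configurations presumably fail evaluation on an unknown option rather than getting a migration hint. Minor: `icon` declares the same value as both `default` and `example`, and the descriptions "Authentication URI" / "Token URI" could say which OAuth2 endpoints they are (the authorization and token endpoints of the provider).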
@@ -150,23 +188,23 @@ in
 home = "/var/lib/buildbot";
 extraImports = ''
 from datetime import timedelta
- from buildbot_nix import GerritNixConfigurator, read_secret_file
+ from buildbot_nix import GerritNixConfigurator, read_secret_file, make_oauth2_method, OAuth2Config
+
+ # TODO(raito): make me configurable from the NixOS module.
+ # how?
+ CustomOAuth2 = make_oauth2_method(OAuth2Config(
+ name=${builtins.toJSON cfg.oauth2.name},
+ faIcon=${builtins.toJSON cfg.oauth2.icon},
+ resourceEndpoint=${builtins.toJSON cfg.oauth2.resourceEndpoint},
+ authUri=${builtins.toJSON cfg.oauth2.authUri},
+ tokenUri=${builtins.toJSON cfg.oauth2.tokenUri}
+ ))
 '';
 configurators = [
 ''
 util.JanitorConfigurator(logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6)
 ''
 ''
- # TODO(raito): make me configurable from the NixOS module.
- # how?
- LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
- name='Lix',
- faIcon='fa-login',
- resourceEndpoint='https://identity.lix.systems',
- authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
- tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
- )
-
 GerritNixConfigurator(
 "${cfg.gerrit.domain}",
 "${cfg.gerrit.username}",
@@ -184,7 +222,7 @@ in
 inherit (cfg.binaryCache) bucket region endpoint;
 profile = "default";
 }},
- auth_method=LixSystemsOAuth2('buildbot',
+ auth_method=CustomOAuth2(${builtins.toJSON cfg.oauth2.clientId},
 read_secret_file('buildbot-oauth2-secret'),
 autologin=True
 )
@@ -230,7 +268,7 @@ in
 # in master.py we read secrets from $CREDENTIALS_DIRECTORY
 LoadCredential = [
 "buildbot-nix-workers:${cfg.workersFile}"
- "buildbot-oauth2-secret:${cfg.oauth2SecretFile}"
+ "buildbot-oauth2-secret:${cfg.oauth2.clientSecretFile}"
 ];
 };
 };
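Review bot: The `# TODO(raito): make me configurable from the NixOS module.` / `# how?` comment carried into `extraImports` is now stale, because this very hunk makes every field of the login method come from `cfg.oauth2`; it should be dropped or replaced with a comment that explains the generated code, e.g. `# Login method built from the module's oauth2 options; values are passed through builtins.toJSON so they are quoted as Python string literals.`. Using `builtins.toJSON` for the quoting is the right move over the previous bare `'...'` literals, and a short comment saying so would stop a future edit from reverting to raw interpolation for "simple" values such as `clientId` in the `auth_method=` hunk. The name `CustomOAuth2` says nothing about where the class comes from; a name tied to the module (e.g. `ModuleOAuth2`) would make the `auth_method=CustomOAuth2(...)` site easier to read.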