From 987c5811edba9fc438f65f80a06cf18c3fcd6c3c Mon Sep 17 00:00:00 2001
From: Dominik George <dominik.george@teckids.org>
Date: Tue, 4 Jan 2022 01:05:08 +0100
Subject: [PATCH] Enable OpenID Connect by default, without RSA support

This was done to ease testing without having to generate and configure
an RSA key. OpenID Connect is fully functional even without an RSA
key, although operating without RSA is not recommended.

Along the way, support for passing keys directly in the configuration,
e.g. when configuring AlekSIS from a K8s secret, was added.
---
 CHANGELOG.rst            |  7 +++++++
 aleksis/core/settings.py | 33 +++++++++++++++++++++------------
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 936b6ddc1..ef46295e4 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,11 @@ Added
 
 * Add preference for configuring the default phone number country code.
 
+Added
+~~~~~
+
+* OpenID Connect RSA keys can now be passed as string in config files
+
 Fixed
 ~~~~~
 
@@ -30,6 +35,8 @@ Changed
   * Name collisions are resolved by prefixing with the app label
   * Apps can extend SHELL_PLUS_APP_PREFIXES and SHELL_PLUS_DONT_LOAD
 
+* OpenID Connect is enabled by default now, without RSA support
+
 `2.5`_ – 2022-01-02
 -------------------
 
diff --git a/aleksis/core/settings.py b/aleksis/core/settings.py
index 089bf17d6..05a460d13 100644
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -1,4 +1,5 @@
 import os
+import warnings
 from glob import glob
 from socket import getfqdn
 
@@ -368,25 +369,33 @@ INVITATIONS_GONE_ON_ACCEPT_ERROR = False
 INVITATIONS_ACCEPT_INVITE_AFTER_SIGNUP = True
 
 # Configuration for OAuth2 provider
-OAUTH2_PROVIDER = {"SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes"}
+OAUTH2_PROVIDER = {
+    "SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes",
+    "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
+    "OIDC_ENABLED": True,
+}
 OAUTH2_PROVIDER_APPLICATION_MODEL = "core.OAuthApplication"
 OAUTH2_PROVIDER_GRANT_MODEL = "core.OAuthGrant"
 OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = "core.OAuthAccessToken"  # noqa: S105
 OAUTH2_PROVIDER_ID_TOKEN_MODEL = "core.OAuthIDToken"  # noqa: S105
 OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = "core.OAuthRefreshToken"  # noqa: S105
 
-if _settings.get("oauth2.oidc.enabled", False):
-    with open(_settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem"), "r") as f:
-        oid_rsa_key = f.read()
-
-    OAUTH2_PROVIDER.update(
-        {
-            "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
-            "OIDC_ENABLED": True,
-            "OIDC_RSA_PRIVATE_KEY": oid_rsa_key,
-            #        "OIDC_ISS_ENDPOINT": _settings.get("oauth2.oidc.issuer_name", "example.com"),
-        }
+_OIDC_RSA_KEY_DEFAULT = "/etc/aleksis/oidc.pem"
+_OIDC_RSA_KEY = _settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem")
+if "BEGIN RSA PRIVATE KEY" in _OIDC_RSA_KEY:
+    OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = _OIDC_RSA_KEY
+elif _OIDC_RSA_KEY == _OIDC_RSA_KEY_DEFAULT and not os.path.exists(_OIDC_RSA_KEY):
+    warnings.warn(
+        (
+            f"The default OIDC RSA key in {_OIDC_RSA_KEY} does not exist. "
+            f"RSA will be disabled for now, but creating and configuring a "
+            f"key is recommended. To silence this warning, set oauth2.oidc.rsa_key "
+            f"to the empty string in a configuration file."
+        )
     )
+elif _OIDC_RSA_KEY:
+    with open(_OIDC_RSA_KEY, "r") as f:
+        OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = f.read()
 
 # Configuration for REST framework
 REST_FRAMEWORK = {
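Review bot: The inline-key detection at `if "BEGIN RSA PRIVATE KEY" in _OIDC_RSA_KEY:` only recognises the PKCS#1 PEM header, so a key pasted in PKCS#8 form (`-----BEGIN PRIVATE KEY-----`) falls through to `elif _OIDC_RSA_KEY:` and is passed to `open()` as a path; the resulting FileNotFoundError then carries the whole private key in its message and traceback, which ends up in logs and error reports. A header-agnostic test such as `if "-----BEGIN" in _OIDC_RSA_KEY and "PRIVATE KEY-----" in _OIDC_RSA_KEY:` covers both encodings and keeps key material out of the file-open branch. Separately, `_OIDC_RSA_KEY_DEFAULT` is introduced but the `_settings.get(...)` call on the next line still repeats the literal `"/etc/aleksis/oidc.pem"`, so the equality check against the constant only works while the two stay in sync; use `_settings.get("oauth2.oidc.rsa_key", _OIDC_RSA_KEY_DEFAULT)` instead.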
-- 
GitLab