Enable OpenID Connect by default, without RSA support

This was done to ease testing without having to generate and configure an RSA key. OpenID Connect is fully functional even without an RSA key, although operating without RSA is not recommended. On the go, support for directly passing keys in the configuration, e.g. when configuring AlekSIS from a K8s secret, was added.

Enable OpenID Connect by default, without RSA support
987c5811 · Nik | Klampfradler · eb015334 · 987c5811 · 987c5811
Verified Commit 987c5811 authored 3 years ago by Nik | Klampfradler
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,11 @@ Added

 * Add preference for configuring the default phone number country code.

+Added
+~~~~~
+
+* OpenID Connect RSA keys can now be passed as string in config files
+
 Fixed
 ~~~~~

@@ -30,6 +35,8 @@ Changed
  * Name collisions are resolved by prefixing with the app label
  * Apps can extend SHELL_PLUS_APP_PREFIXES and SHELL_PLUS_DONT_LOAD

+* OpenID Connect is enabled by default now, without RSA support
+
 `2.5`_ – 2022-01-02
 -------------------


--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
 import os
+import warnings
 from glob import glob
 from socket import getfqdn

@@ -368,25 +369,33 @@ INVITATIONS_GONE_ON_ACCEPT_ERROR = False
 INVITATIONS_ACCEPT_INVITE_AFTER_SIGNUP = True

 # Configuration for OAuth2 provider
-OAUTH2_PROVIDER = {"SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes"}
+OAUTH2_PROVIDER = {
+    "SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes",
+    "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
+    "OIDC_ENABLED": True,
+}
 OAUTH2_PROVIDER_APPLICATION_MODEL = "core.OAuthApplication"
 OAUTH2_PROVIDER_GRANT_MODEL = "core.OAuthGrant"
 OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = "core.OAuthAccessToken"  # noqa: S105
 OAUTH2_PROVIDER_ID_TOKEN_MODEL = "core.OAuthIDToken"  # noqa: S105
 OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = "core.OAuthRefreshToken"  # noqa: S105

-if _settings.get("oauth2.oidc.enabled", False):
-    with open(_settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem"), "r") as f:
-        oid_rsa_key = f.read()
-
-    OAUTH2_PROVIDER.update(
-        {
-            "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
-            "OIDC_ENABLED": True,
-            "OIDC_RSA_PRIVATE_KEY": oid_rsa_key,
-            #        "OIDC_ISS_ENDPOINT": _settings.get("oauth2.oidc.issuer_name", "example.com"),
-        }
+_OIDC_RSA_KEY_DEFAULT = "/etc/aleksis/oidc.pem"
+_OIDC_RSA_KEY = _settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem")
+if "BEGIN RSA PRIVATE KEY" in _OIDC_RSA_KEY:
+    OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = _OIDC_RSA_KEY
+elif _OIDC_RSA_KEY == _OIDC_RSA_KEY_DEFAULT and not os.path.exists(_OIDC_RSA_KEY):
+    warnings.warn(
+        (
+            f"The default OIDC RSA key in {_OIDC_RSA_KEY} does not exist. "
+            f"RSA will be disabled for now, but creating and configuring a "
+            f"key is recommended. To silence this warning, set oauth2.oidc.rsa_key "
+            f"to the empty string in a configuration file."
+        )
    )
+elif _OIDC_RSA_KEY:
+    with open(_OIDC_RSA_KEY, "r") as f:
+        OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = f.read()

 # Configuration for REST framework
 REST_FRAMEWORK = {