packages/powerdns-admin: patch to support new authlib, use server_metadata_url instead of manual configuration

Max Headroom 2023-01-01 14:36:02 +01:00
parent 709bc69890
commit 930c533782
4 changed files with 112 additions and 5 deletions


@ -22,7 +22,6 @@ let
configList = lib.mapAttrsToList (n: v: "${n}=${quote v}") cfg; configList = lib.mapAttrsToList (n: v: "${n}=${quote v}") cfg;
in lib.concatStringsSep "\n" configList; in lib.concatStringsSep "\n" configList;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
in { in {
age.secrets = { age.secrets = {
pdns-admin-oidc-secrets = { pdns-admin-oidc-secrets = {
@ -83,10 +82,7 @@ in {
OIDC_OAUTH_SECRET.env = "OIDC_OAUTH_SECRET"; OIDC_OAUTH_SECRET.env = "OIDC_OAUTH_SECRET";
OIDC_OAUTH_SCOPE = "openid profile email roles"; OIDC_OAUTH_SCOPE = "openid profile email roles";
OIDC_OAUTH_API_URL = login ""; OIDC_OAUTH_SERVER_METADATA_URL = "https://login.${domain}/auth/realms/master/.well-known/openid-configuration";
OIDC_OAUTH_TOKEN_URL = login "token";
OIDC_OAUTH_AUTHORIZE_URL = login "auth";
OIDC_OAUTH_LOGOUT_URL = login "logout";
}; };
}; };


@ -6,6 +6,7 @@
in { in {
inherit (patched) inherit (patched)
powerdns-admin
prometheus-jitsi-exporter prometheus-jitsi-exporter
sssd sssd
tempo tempo


@ -59,6 +59,8 @@ super: rec {
jre = jre17_standard; jre = jre17_standard;
}; };
powerdns-admin = patch super.powerdns-admin "patches/base/powerdns-admin";
prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter"; prometheus-jitsi-exporter = patch super.prometheus-jitsi-exporter "patches/base/prometheus-jitsi-exporter";
tempo = (super.tempo.override { buildGoModule = super.buildGo118Module; }).overrideAttrs (_: { tempo = (super.tempo.override { buildGoModule = super.buildGo118Module; }).overrideAttrs (_: {


@ -0,0 +1,108 @@
diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index 51e78e5..a66b7d3 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -100,10 +100,7 @@ class Setting(db.Model):
'oidc_oauth_key': '',
'oidc_oauth_secret': '',
'oidc_oauth_scope': 'email',
- 'oidc_oauth_api_url': '',
- 'oidc_oauth_token_url': '',
- 'oidc_oauth_authorize_url': '',
- 'oidc_oauth_logout_url': '',
+ 'oidc_oauth_server_metadata_url': '',
'oidc_oauth_username': 'preferred_username',
'oidc_oauth_firstname': 'given_name',
'oidc_oauth_last_name': 'family_name',
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 3a6f55c..417e05f 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -366,7 +366,7 @@ def login():
return authenticate_user(user, 'Azure OAuth')
if 'oidc_token' in session:
- me = json.loads(oidc.get('userinfo').text)
+ me = oidc.userinfo()
oidc_username = me[Setting().get('oidc_oauth_username')]
oidc_givenname = me[Setting().get('oidc_oauth_firstname')]
oidc_familyname = me[Setting().get('oidc_oauth_last_name')]
diff --git a/powerdnsadmin/services/oidc.py b/powerdnsadmin/services/oidc.py
index 7e8172b..dfaaf54 100644
--- a/powerdnsadmin/services/oidc.py
+++ b/powerdnsadmin/services/oidc.py
@@ -19,10 +19,8 @@ def oidc_oauth():
'oidc',
client_id=Setting().get('oidc_oauth_key'),
client_secret=Setting().get('oidc_oauth_secret'),
- api_base_url=Setting().get('oidc_oauth_api_url'),
request_token_url=None,
- access_token_url=Setting().get('oidc_oauth_token_url'),
- authorize_url=Setting().get('oidc_oauth_authorize_url'),
+ server_metadata_url=Setting().get('oidc_oauth_server_metadata_url'),
client_kwargs={'scope': Setting().get('oidc_oauth_scope')},
fetch_token=fetch_oidc_token,
update_token=update_token)
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index ba82c2e..ccd1743 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -610,23 +610,8 @@
<span class="help-block with-errors"></span>
</div>
<div class="form-group">
- <label for="oidc_oauth_api_url">API URL</label>
- <input type="text" class="form-control" name="oidc_oauth_api_url" id="oidc_oauth_api_url" placeholder="e.g. https://api.oidc.com/user" data-error="Please input API URL" value="{{ SETTING.get('oidc_oauth_api_url') }}">
- <span class="help-block with-errors"></span>
- </div>
- <div class="form-group">
- <label for="oidc_oauth_token_url">Token URL</label>
- <input type="text" class="form-control" name="oidc_oauth_token_url" id="oidc_oauth_token_url" placeholder="e.g. https://oidc.com/login/oauth/access_token" data-error="Please input Token URL" value="{{ SETTING.get('oidc_oauth_token_url') }}">
- <span class="help-block with-errors"></span>
- </div>
- <div class="form-group">
- <label for="oidc_oauth_authorize_url">Authorize URL</label>
- <input type="text" class="form-control" name="oidc_oauth_authorize_url" id="oidc_oauth_authorize_url" placeholder="e.g. https://oidc.com/login/oauth/authorize" data-error="Plesae input Authorize URL" value="{{ SETTING.get('oidc_oauth_authorize_url') }}">
- <span class="help-block with-errors"></span>
- </div>
- <div class="form-group">
- <label for="oidc_oauth_logout_url">Logout URL</label>
- <input type="text" class="form-control" name="oidc_oauth_logout_url" id="oidc_oauth_logout_url" placeholder="e.g. https://oidc.com/login/oauth/logout" data-error="Please input Logout URL" value="{{ SETTING.get('oidc_oauth_logout_url') }}">
+ <label for="oidc_oauth_server_metadata_url">Metadata URL</label>
+ <input type="text" class="form-control" name="oidc_oauth_server_metadata_url" id="oidc_oauth_server_metadata_url" placeholder="e.g. https://oidc.com/login/.well-known/configuration" data-error="Plesae input Metadata URL" value="{{ SETTING.get('oidc_oauth_server_metadata_url') }}">
<span class="help-block with-errors"></span>
</div>
</fieldset>
@@ -1015,9 +1000,7 @@
$('#oidc_oauth_key').prop('required', true);
$('#oidc_oauth_secret').prop('required', true);
$('#oidc_oauth_scope').prop('required', true);
- $('#oidc_oauth_api_url').prop('required', true);
- $('#oidc_oauth_token_url').prop('required', true);
- $('#oidc_oauth_authorize_url').prop('required', true);
+ $('#oidc_oauth_server_metadata_url').prop('required', true);
$('#oidc_oauth_username').prop('required', true);
$('#oidc_oauth_firstname').prop('required', true);
$('#oidc_oauth_last_name').prop('required', true);
@@ -1026,9 +1009,7 @@
$('#oidc_oauth_key').prop('required', false);
$('#oidc_oauth_secret').prop('required', false);
$('#oidc_oauth_scope').prop('required', false);
- $('#oidc_oauth_api_url').prop('required', false);
- $('#oidc_oauth_token_url').prop('required', false);
- $('#oidc_oauth_authorize_url').prop('required', false);
+ $('#oidc_oauth_server_metadata_url').prop('required', false);
$('#oidc_oauth_username').prop('required', false);
$('#oidc_oauth_firstname').prop('required', false);
$('#oidc_oauth_last_name').prop('required', false);
@@ -1040,9 +1021,7 @@
$('#oidc_oauth_key').prop('required', true);
$('#oidc_oauth_secret').prop('required', true);
$('#oidc_oauth_scope').prop('required', true);
- $('#oidc_oauth_api_url').prop('required', true);
- $('#oidc_oauth_token_url').prop('required', true);
- $('#oidc_oauth_authorize_url').prop('required', true);
+ $('#oidc_oauth_server_metadata_url').prop('required', true);
$('#oidc_oauth_username').prop('required', true);
$('#oidc_oauth_firstname').prop('required', true);
$('#oidc_oauth_last_name').prop('required', true);
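Review bot: The new metadata input in the admin_setting_authentication.html hunk shows `placeholder="e.g. https://oidc.com/login/.well-known/configuration"`, which is not where OIDC discovery documents live; the standard path, and the one the Nix module in this same commit configures, is `/.well-known/openid-configuration`, so the example should read `placeholder="e.g. https://oidc.com/login/.well-known/openid-configuration"`, and `data-error="Plesae input Metadata URL"` carries a typo over from the removed line, `Please`. In the services/oidc.py hunk, `server_metadata_url=Setting().get('oidc_oauth_server_metadata_url')` means the discovery document chosen by this admin setting now supplies the authorize, token and userinfo endpoints (and, presumably, the JWKS) the client trusts, so a short comment there would help operators: `# the discovery document decides every endpoint this client trusts; point it only at the real IdP, over https`. The setting.py hunk also drops the `oidc_oauth_logout_url` default; if code outside these hunks still reads that key it will need the same treatment, which cannot be confirmed from this page.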