samply
/
bridgehead
mirror of https://github.com/samply/bridgehead.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Better redirect url handeling

This commit is contained in:
janskiba 2023-11-30 13:46:08 +00:00 committed by juarez
parent e6b9db248e
commit 6533dd8727
3 changed files with 30 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ccp/modules/datashield-setup.sh
View File

@ -25,5 +25,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
}]' >/tmp/bridgehead/opal-map/local.json }]' >/tmp/bridgehead/opal-map/local.json
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
chown -R bridgehead:docker /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/
generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')" add_private_oidc_redirect_url "/opal/*"
fi fi

2
ccp/modules/teiler-setup.sh
View File

@ -3,5 +3,5 @@
if [ "$ENABLE_TEILER" == true ];then if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services." log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
generate_public_oidc_client "OIDC_PUBLIC" "$(generate_redirect_urls '/ccp-teiler/*')" add_public_oidc_redirect_url "/ccp-teiler/*"
fi fi

48
lib/functions.sh
View File

@ -240,33 +240,41 @@ add_basic_auth_user() {
sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
} }
SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""} OIDC_PUBLIC_REDIRECT_URLS=${OIDC_PUBLIC_REDIRECT_URLS:-""}
# First argument is the variable name that will be generated it will not have a value. OIDC_PRIVATE_REDIRECT_URLS=${OIDC_PRIVATE_REDIRECT_URLS:-""}
# Second argument is a comma separated list of allowed redirect urls for the oidc client.
# The resulting client id will be $SITE_ID-public # Add a redirect url to the public oidc client of the bridgehead
function generate_public_oidc_client() { function add_public_oidc_redirect_url() {
local delimiter=$'\x1E' if [[ $OIDC_PUBLIC_REDIRECT_URLS == "" ]]; then
if [[ $SECRET_SYNC_ARGS == "" ]]; then OIDC_PUBLIC_REDIRECT_URLS+="$(generate_redirect_urls $1)"
SECRET_SYNC_ARGS+="OIDC:$1:public;$2"
else else
SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:public;$2" OIDC_PUBLIC_REDIRECT_URLS+=",$(generate_redirect_urls $1)"
fi fi
} }
# First argument is the variable name that the client secret will be available at. # Add a redirect url to the private oidc client of the bridgehead
# Second argument is a comma separated list of allowed redirect urls for the oidc client. function add_private_oidc_redirect_url() {
# The resulting client id will be $SITE_ID-private if [[ $OIDC_PRIVATE_REDIRECT_URLS == "" ]]; then
function generate_private_oidc_client() { OIDC_PRIVATE_REDIRECT_URLS+="$(generate_redirect_urls $1)"
local delimiter=$'\x1E'
if [[ $SECRET_SYNC_ARGS == "" ]]; then
SECRET_SYNC_ARGS+="OIDC:$1:private;$2"
else else
SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:private;$2" OIDC_PRIVATE_REDIRECT_URLS+=",$(generate_redirect_urls $1)"
fi fi
} }
function sync_secrets() { function sync_secrets() {
if [[ $SECRET_SYNC_ARGS == "" ]]; then local delimiter=$'\x1E'
local secret_sync_args=""
if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
fi
if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
if [[ $secret_sync_args == "" ]]; then
secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
else
secret_sync_args+="${delimiter}OIDC:$1:public;$OIDC_PUBLIC_REDIRECT_URLS"
fi
fi
if [[ $secret_sync_args == "" ]]; then
return return
fi fi
mkdir -p /var/cache/bridgehead/secrets/ mkdir -p /var/cache/bridgehead/secrets/
@ -282,7 +290,7 @@ function sync_secrets() {
-e PROXY_ID=$PROXY_ID \ -e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \ -e BROKER_URL=$BROKER_URL \
-e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \ -e SECRET_DEFINITIONS=$secret_sync_args \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
set -a # Export variables as environment variables set -a # Export variables as environment variables
source /var/cache/bridgehead/secrets/* source /var/cache/bridgehead/secrets/*
@ -298,7 +306,7 @@ capitalize_first_letter() {
# Generate a string of ',' separated string of redirect urls relative to $HOST. # Generate a string of ',' separated string of redirect urls relative to $HOST.
# $1 will be appended to the url # $1 will be appended to the url
# If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities # If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities
generate_redirect_urls(){ function generate_redirect_urls(){
local redirect_urls="https://${HOST}$1" local redirect_urls="https://${HOST}$1"
local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)" local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)"
# Only append second url if its different and the host is not an ip address # Only append second url if its different and the host is not an ip address