From 8b8cc7b23e6a6b7349a71aef47ac62ed2001493a Mon Sep 17 00:00:00 2001
From: juarez
Date: Wed, 13 Dec 2023 22:57:37 +0100
Subject: [PATCH] Only users of group DataSHIELD can use R-Studio
---
ccp/docker-compose.yml | 38 ------------------------------
ccp/modules/datashield-compose.yml | 37 +++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 38 deletions(-)
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index be2d358..c4610b6 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -59,44 +59,6 @@ services:
- "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
- oauth2_proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy
- container_name: bridgehead_oauth2_proxy
- command: >-
- --allowed-group=/${KEYCLOAK_USER_GROUP}
- --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
- --auth-logging=true
- --whitelist-domain=${HOST}
- --http-address="0.0.0.0:4180"
- --reverse-proxy=true
- --upstream="static://202"
- --email-domain="*"
- --cookie-name="_BRIDGEHEAD_oauth2"
- --cookie-secret="${OAUTH2_PROXY_SECRET}"
- --cookie-expire="12h"
- --cookie-secure="true"
- --cookie-httponly="true"
- #OIDC settings
- --provider="keycloak-oidc"
- --provider-display-name="VerbIS Login"
- --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
- --client-secret="${OIDC_CLIENT_SECRET}"
- --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
- --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
- --scope="openid email profile"
- --code-challenge-method="S256"
- --skip-provider-button=true
- #X-Forwarded-Header settings - true/false depending on your needs
- --pass-basic-auth=true
- --pass-user-headers=false
- --pass-access-token=false
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
- - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- - "traefik.http.routers.oauth2_proxy.tls=true"
-
volumes:
blaze-data:
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index 55bda13..780d049 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -110,6 +110,43 @@ services:
APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
+ oauth2_proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy
+ container_name: bridgehead_oauth2_proxy
+ command: >-
+ --allowed-group=/DataSHIELD
+ --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
+ --auth-logging=true
+ --whitelist-domain=${HOST}
+ --http-address="0.0.0.0:4180"
+ --reverse-proxy=true
+ --upstream="static://202"
+ --email-domain="*"
+ --cookie-name="_BRIDGEHEAD_oauth2"
+ --cookie-secret="${OAUTH2_PROXY_SECRET}"
+ --cookie-expire="12h"
+ --cookie-secure="true"
+ --cookie-httponly="true"
+ #OIDC settings
+ --provider="keycloak-oidc"
+ --provider-display-name="VerbIS Login"
+ --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
+ --client-secret="${OIDC_CLIENT_SECRET}"
+ --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
+ --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
+ --scope="openid email profile"
+ --code-challenge-method="S256"
+ --skip-provider-button=true
+ #X-Forwarded-Header settings - true/false depending on your needs
+ --pass-basic-auth=true
+ --pass-user-headers=false
+ --pass-access-token=false
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
+ - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
+ - "traefik.http.routers.oauth2_proxy.tls=true"
+
secrets:
opal-cert.pem:
file: /tmp/bridgehead/opal-cert.pem
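Review bot: The `#OIDC settings` and `#X-Forwarded-Header settings - true/false depending on your needs` lines sit inside the `command: >-` block scalar, so they are not YAML comments but part of the folded command string handed to oauth2-proxy, where they turn into stray positional words (`#OIDC`, `settings`, `-`, `true/false`, …) that the flag parser appears to tolerate today but that will break as soon as the string is split or validated differently; move them above the `command:` key as real comments (`# OIDC settings` / `# X-Forwarded-Header settings`) or drop them. The hard-coded `--allowed-group=/DataSHIELD` with its leading slash only matches if the claim named by `${KEYCLOAK_GROUP_CLAIM}` emits Keycloak full group paths — a mapper without "full path" yields `DataSHIELD` and every login is denied — so a one-line comment next to it such as `# must equal the full Keycloak group path carried in ${KEYCLOAK_GROUP_CLAIM}` would save the next operator a debugging session. Because the service now exists only when the DataSHIELD module is loaded while the `oidcAuth` forwardAuth middleware stays in ccp/docker-compose.yml (first hunk), any router that attaches `oidcAuth` without this module points at a container that is not running, if the middleware's address targets oauth2_proxy (not visible here). `--cookie-secret` and `--client-secret` on the command line are readable through `docker inspect` and the process list; oauth2-proxy accepts the same values from `OAUTH2_PROXY_COOKIE_SECRET` and `OAUTH2_PROXY_CLIENT_SECRET`, which would keep them in `environment:` or a secrets file instead.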