mirror of https://github.com/samply/bridgehead.git
Better redirect url handeling
This commit is contained in:
parent
91903fae24
commit
a3c7a002fd
|
@ -25,5 +25,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
|
||||||
}]' >/tmp/bridgehead/opal-map/local.json
|
}]' >/tmp/bridgehead/opal-map/local.json
|
||||||
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
|
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
|
||||||
chown -R bridgehead:docker /tmp/bridgehead/
|
chown -R bridgehead:docker /tmp/bridgehead/
|
||||||
generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')"
|
add_private_oidc_redirect_url "/opal/*"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -3,5 +3,5 @@
|
||||||
if [ "$ENABLE_TEILER" == true ];then
|
if [ "$ENABLE_TEILER" == true ];then
|
||||||
log INFO "Teiler setup detected -- will start Teiler services."
|
log INFO "Teiler setup detected -- will start Teiler services."
|
||||||
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
|
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
|
||||||
generate_public_oidc_client "OIDC_PUBLIC" "$(generate_redirect_urls '/ccp-teiler/*')"
|
add_public_oidc_redirect_url "/ccp-teiler/*"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -240,33 +240,41 @@ add_basic_auth_user() {
|
||||||
sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
|
sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
|
||||||
}
|
}
|
||||||
|
|
||||||
SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
|
OIDC_PUBLIC_REDIRECT_URLS=${OIDC_PUBLIC_REDIRECT_URLS:-""}
|
||||||
# First argument is the variable name that will be generated it will not have a value.
|
OIDC_PRIVATE_REDIRECT_URLS=${OIDC_PRIVATE_REDIRECT_URLS:-""}
|
||||||
# Second argument is a comma separated list of allowed redirect urls for the oidc client.
|
|
||||||
# The resulting client id will be $SITE_ID-public
|
# Add a redirect url to the public oidc client of the bridgehead
|
||||||
function generate_public_oidc_client() {
|
function add_public_oidc_redirect_url() {
|
||||||
local delimiter=$'\x1E'
|
if [[ $OIDC_PUBLIC_REDIRECT_URLS == "" ]]; then
|
||||||
if [[ $SECRET_SYNC_ARGS == "" ]]; then
|
OIDC_PUBLIC_REDIRECT_URLS+="$(generate_redirect_urls $1)"
|
||||||
SECRET_SYNC_ARGS+="OIDC:$1:public;$2"
|
|
||||||
else
|
else
|
||||||
SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:public;$2"
|
OIDC_PUBLIC_REDIRECT_URLS+=",$(generate_redirect_urls $1)"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# First argument is the variable name that the client secret will be available at.
|
# Add a redirect url to the private oidc client of the bridgehead
|
||||||
# Second argument is a comma separated list of allowed redirect urls for the oidc client.
|
function add_private_oidc_redirect_url() {
|
||||||
# The resulting client id will be $SITE_ID-private
|
if [[ $OIDC_PRIVATE_REDIRECT_URLS == "" ]]; then
|
||||||
function generate_private_oidc_client() {
|
OIDC_PRIVATE_REDIRECT_URLS+="$(generate_redirect_urls $1)"
|
||||||
local delimiter=$'\x1E'
|
|
||||||
if [[ $SECRET_SYNC_ARGS == "" ]]; then
|
|
||||||
SECRET_SYNC_ARGS+="OIDC:$1:private;$2"
|
|
||||||
else
|
else
|
||||||
SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:private;$2"
|
OIDC_PRIVATE_REDIRECT_URLS+=",$(generate_redirect_urls $1)"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function sync_secrets() {
|
function sync_secrets() {
|
||||||
if [[ $SECRET_SYNC_ARGS == "" ]]; then
|
local delimiter=$'\x1E'
|
||||||
|
local secret_sync_args=""
|
||||||
|
if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
|
||||||
|
secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
|
||||||
|
fi
|
||||||
|
if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
|
||||||
|
if [[ $secret_sync_args == "" ]]; then
|
||||||
|
secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
|
||||||
|
else
|
||||||
|
secret_sync_args+="${delimiter}OIDC:$1:public;$OIDC_PUBLIC_REDIRECT_URLS"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [[ $secret_sync_args == "" ]]; then
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
mkdir -p /var/cache/bridgehead/secrets/
|
mkdir -p /var/cache/bridgehead/secrets/
|
||||||
|
@ -282,7 +290,7 @@ function sync_secrets() {
|
||||||
-e PROXY_ID=$PROXY_ID \
|
-e PROXY_ID=$PROXY_ID \
|
||||||
-e BROKER_URL=$BROKER_URL \
|
-e BROKER_URL=$BROKER_URL \
|
||||||
-e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
|
-e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
|
||||||
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
|
-e SECRET_DEFINITIONS=$secret_sync_args \
|
||||||
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
||||||
set -a # Export variables as environment variables
|
set -a # Export variables as environment variables
|
||||||
source /var/cache/bridgehead/secrets/*
|
source /var/cache/bridgehead/secrets/*
|
||||||
|
@ -298,7 +306,7 @@ capitalize_first_letter() {
|
||||||
# Generate a string of ',' separated string of redirect urls relative to $HOST.
|
# Generate a string of ',' separated string of redirect urls relative to $HOST.
|
||||||
# $1 will be appended to the url
|
# $1 will be appended to the url
|
||||||
# If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities
|
# If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities
|
||||||
generate_redirect_urls(){
|
function generate_redirect_urls(){
|
||||||
local redirect_urls="https://${HOST}$1"
|
local redirect_urls="https://${HOST}$1"
|
||||||
local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)"
|
local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)"
|
||||||
# Only append second url if its different and the host is not an ip address
|
# Only append second url if its different and the host is not an ip address
|
||||||
|
|
Loading…
Reference in New Issue