Merge pull request #454 from peschmae/develop
Improve auth `sso_pipeline_roles` script with Django settings
RangerRick authored Dec 18, 2024
2 parents 0e45525 + b5ddc34 commit 31aca1c
Showing 2 changed files with 21 additions and 8 deletions.
2 changes: 1 addition & 1 deletion charts/netbox/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: netbox
version: 5.0.0-beta.172
version: 5.0.0-beta.173
appVersion: "v4.1.8"
type: application
kubeVersion: ^1.25.0-0
27 changes: 20 additions & 7 deletions docs/auth.md
Expand Up @@ -48,7 +48,7 @@ extraVolumeMounts:
readOnly: true
```
Additional resources are necessary (please note that the client ID is necessary in the custom pipeline script):
Additional resources are necessary:
```yaml
apiVersion: v1
Expand All @@ -65,6 +65,8 @@ data:
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth"
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token"
SOCIAL_AUTH_JSONFIELD_ENABLED: true
SOCIAL_AUTH_STAFF_ROLE: staff
SOCIAL_AUTH_SUPERUSER_ROLE: superuser
---
apiVersion: v1
Expand All @@ -74,17 +76,21 @@ metadata:
namespace: netbox
data:
sso_pipeline_roles.py: |
from django.conf import settings
from netbox.authentication import Group
def set_role(response, user, backend, *args, **kwargs):
client_id = '<OAUTH_CLIENT_ID>'
client_id = getattr(settings, 'SOCIAL_AUTH_KEYCLOAK_KEY', None)
staff_role = getattr(settings, 'SOCIAL_AUTH_STAFF_ROLE', 'staff')
superuser_role = getattr(settings, 'SOCIAL_AUTH_SUPERUSER_ROLE', 'superuser')
roles = []
try:
roles = response['resource_access'][client_id]['roles']
except KeyError:
pass
user.is_staff = ('admin' in roles)
user.is_superuser = ('superuser' in roles)
user.is_staff = (staff_role in roles)
user.is_superuser = (superuser_role in roles)
user.save()
groups = Group.objects.all()
for group in groups:
Expand Down Expand Up @@ -161,6 +167,8 @@ stringData:
SOCIAL_AUTH_GITLAB_KEY: <OAUTH_CLIENT_ID>
SOCIAL_AUTH_GITLAB_SECRET: <OAUTH_CLIENT_SECRET>
SOCIAL_AUTH_GITLAB_SCOPE: ['read_user', 'openid']
SOCIAL_AUTH_STAFF_ROLE: staff
SOCIAL_AUTH_SUPERUSER_ROLE: superuser
---
apiVersion: v1
Expand All @@ -170,26 +178,31 @@ metadata:
namespace: netbox
data:
sso_pipeline_roles.py: |
from django.conf import settings
from netbox.authentication import Group
import jwt
from jwt import PyJWKClient
def set_role(response, user, backend, *args, **kwargs):
client_id = getattr(settings, 'SOCIAL_AUTH_GITLAB_KEY', None)
staff_role = getattr(settings, 'SOCIAL_AUTH_STAFF_ROLE', 'staff')
superuser_role = getattr(settings, 'SOCIAL_AUTH_SUPERUSER_ROLE', 'superuser')
jwks_client = PyJWKClient("https://git.example.com/oauth/discovery/keys")
signing_key = jwks_client.get_signing_key_from_jwt(response['id_token'])
decoded = jwt.decode(
response['id_token'],
signing_key.key,
algorithms=["RS256"],
audience="<OAUTH_CLIENT_ID>",
audience=client_id,
)
roles = []
try:
roles = decoded.get('groups_direct')
except KeyError:
pass
user.is_staff = ('network' in roles)
user.is_superuser = ('network' in roles)
user.is_staff = (staff_role in roles)
user.is_superuser = (superuser_role in roles)
user.save()
groups = Group.objects.all()
for group in groups:
