From 8b51fa296cdeb4585eefa92895c1b38099be39c3 Mon Sep 17 00:00:00 2001
From: Mathias Petermann
Date: Wed, 18 Dec 2024 11:30:12 +0100
Subject: [PATCH 1/2] Improve auth sso_pipeline_roles script, to read from django settings
---
docs/auth.md | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/docs/auth.md b/docs/auth.md
index 5d720606..69668e3f 100644
--- a/docs/auth.md
+++ b/docs/auth.md
@@ -48,7 +48,7 @@ extraVolumeMounts: readOnly: true ``` -Additional resources are necessary (please note that the client ID is necessary in the custom pipeline script): +Additional resources are necessary: ```yaml apiVersion: v1
@@ -65,6 +65,8 @@ data: SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth" SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token" SOCIAL_AUTH_JSONFIELD_ENABLED: true + SOCIAL_AUTH_STAFF_ROLE: staff + SOCIAL_AUTH_SUPERUSER_ROLE: superuser --- apiVersion: v1
@@ -74,17 +76,21 @@ metadata: namespace: netbox data: sso_pipeline_roles.py: | + from django.conf import settings from netbox.authentication import Group def set_role(response, user, backend, *args, **kwargs): - client_id = '' + client_id = getattr(settings, 'SOCIAL_AUTH_KEYCLOAK_KEY', None) + staff_role = getattr(settings, 'SOCIAL_AUTH_STAFF_ROLE', 'staff') + superuser_role = getattr(settings, 'SOCIAL_AUTH_SUPERUSER_ROLE', 'superuser') + roles = [] try: roles = response['resource_access'][client_id]['roles'] except KeyError: pass - user.is_staff = ('admin' in roles) - user.is_superuser = ('superuser' in roles) + user.is_staff = (staff_role in roles) + user.is_superuser = (superuser_role in roles) user.save() groups = Group.objects.all() for group in groups: 
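Review bot: When `SOCIAL_AUTH_KEYCLOAK_KEY` is absent from Django settings, the new `client_id = getattr(settings, 'SOCIAL_AUTH_KEYCLOAK_KEY', None)` makes `response['resource_access'][None]` miss, and the unchanged `except KeyError: pass` turns that into `roles = []`, so every login silently clears `is_staff`/`is_superuser` with no diagnostic that the deployment is misconfigured. Failing closed is the right default, but the condition should be visible to the operator: log it before the lookup, e.g. `if client_id is None: logging.getLogger(__name__).warning('SOCIAL_AUTH_KEYCLOAK_KEY is not set; no Keycloak roles will be mapped')`, and log in the `except KeyError` branch as well instead of `pass`. The new `staff_role in roles` checks assume `roles` is a list; if the claim were ever a string the test would degrade to a substring match, so an `isinstance(roles, (list, tuple))` guard (falling back to `[]`) is worth one line. Whether the chart surfaces `SOCIAL_AUTH_STAFF_ROLE` and `SOCIAL_AUTH_SUPERUSER_ROLE` to `django.conf.settings` is not shown in this hunk, so the doc should state which config section those keys must be placed in for `getattr(settings, ...)` to see them. `set_role` continues past the end of the hunk.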
@@ -161,6 +167,8 @@ stringData: SOCIAL_AUTH_GITLAB_KEY: SOCIAL_AUTH_GITLAB_SECRET: SOCIAL_AUTH_GITLAB_SCOPE: ['read_user', 'openid'] + SOCIAL_AUTH_STAFF_ROLE: staff + SOCIAL_AUTH_SUPERUSER_ROLE: superuser --- apiVersion: v1
@@ -170,26 +178,31 @@ metadata: namespace: netbox data: sso_pipeline_roles.py: | + from django.conf import settings from netbox.authentication import Group import jwt from jwt import PyJWKClient def set_role(response, user, backend, *args, **kwargs): + client_id = getattr(settings, 'SOCIAL_AUTH_GITLAB_KEY', None) + staff_role = getattr(settings, 'SOCIAL_AUTH_STAFF_ROLE', 'staff') + superuser_role = getattr(settings, 'SOCIAL_AUTH_SUPERUSER_ROLE', 'superuser') + jwks_client = PyJWKClient("https://git.example.com/oauth/discovery/keys") signing_key = jwks_client.get_signing_key_from_jwt(response['id_token']) decoded = jwt.decode( response['id_token'], signing_key.key, algorithms=["RS256"], - audience="", + audience=client_id, ) roles = [] try: roles = decoded.get('groups_direct') except KeyError: pass - user.is_staff = ('network' in roles) - user.is_superuser = ('network' in roles) + user.is_staff = (staff_role in roles) + user.is_superuser = (superuser_role in roles) user.save() groups = Group.objects.all() for group in groups:
From b5ddc3486cf7d1247f0fde3bbe8b42b5465cf6fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Wed, 18 Dec 2024 16:51:51 +0100
Subject: [PATCH 2/2] Update Chart.yaml
---
charts/netbox/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml
index 297d8180..178a2a4e 100644
--- a/charts/netbox/Chart.yaml
+++ b/charts/netbox/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: netbox
-version: 5.0.0-beta.172
+version: 5.0.0-beta.173
 appVersion: "v4.1.8"
 type: application
 kubeVersion: ^1.25.0-0
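Review bot: In the GitLab pipeline hunk (`@@ -170,26 +178,31 @@`), the new `user.is_staff = (staff_role in roles)` raises `TypeError` whenever the ID token carries no `groups_direct` claim, because the preceding `roles = decoded.get('groups_direct')` returns `None` rather than the `KeyError` the surrounding `try`/`except` is written for, so a user without group claims becomes a pipeline crash instead of a non-staff login. Change that line to `roles = decoded.get('groups_direct') or []`; the `try`/`except KeyError` around it then guards nothing and can be dropped. With `audience=client_id` now read from `SOCIAL_AUTH_GITLAB_KEY`, an unset key hands `audience=None` to `jwt.decode`, which in current PyJWT refuses a token that carries an `aud` claim — the login fails closed rather than silently, and a one-line comment saying that the key must equal the token audience would spare operators a confusing `InvalidAudienceError`. The defaults `staff`/`superuser` are compared against the values GitLab puts in `groups_direct`, which (as far as this hunk shows, the previous template compared against `network`) look like group paths rather than bare role names, so the doc should say the two settings must hold the exact group value present in the token. `set_role` continues past the end of the hunk.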