diff --git a/templates/configmap.yaml b/templates/configmap.yaml
index b2a80a0..051e796 100644
--- a/templates/configmap.yaml
+++ b/templates/configmap.yaml
@@ -172,11 +172,11 @@ data:
 {{- with .Values.system.components.auth_service.token_public_keys_PEM }}
 token_public_keys_PEM: {{- . | toYaml | nindent 8 }}
 {{- end }}
- {{- with .Values.system.components.auth_service.user_info_url }}
+ {{- with .Values.system.components.auth_service.identity_provider.user_info_url }}
 user_info_url: '{{ . }}'
 {{- end }}
 user_info_cache_seconds: {{ .Values.system.components.auth_service.user_info_cache_seconds | default 10 }}
- {{- with .Values.system.components.auth_service.token_introspection_url }}
+ {{- with .Values.system.components.auth_service.identity_provider.token_introspection_url }}
 token_introspection_url: '{{ . }}'
 {{- end }}
 {{- with .Values.system.components.auth_service.allowed_audience_in_tokens }}
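Review bot: Moving the two URLs under `identity_provider` silently disables the userinfo and token-introspection checks for anyone whose values file still sets the old `auth_service.user_info_url` / `auth_service.token_introspection_url`, because the `with` blocks render nothing when the new path is unset, and the values-example comments describe exactly that as unsafe for production. Unless the `auth_service` object in values.schema.json carries `additionalProperties: false` (not visible in this diff), nothing rejects the stale keys on upgrade. A one-line guard turns the silent downgrade into a render failure: `{{- if .Values.system.components.auth_service.user_info_url }}{{ fail "auth_service.user_info_url has moved to auth_service.identity_provider.user_info_url" }}{{- end }}`, with the same for token_introspection_url.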
@@ -193,89 +193,83 @@ data: insecure_cookies: {{ .Values.development.security.insecure_cookies }} disable_http_only_cookies: {{ .Values.development.security.disable_http_only_cookies }} logging: - severity: INFO - # TODO: ***continue work from here*** + severity: {{ .Values.system.logging.severity }} identity_provider: - authorization_endpoint: https://my.identity.provider.example.com/auth - token_endpoint: https://my.identity.provider.example.com/token - end_session_endpoint: https://my.identity.provider.example.com/logout - token_request_timeout: 5s - auth_request_timeout: 600s + authorization_endpoint: '{{ .Values.system.components.auth_service.identity_provider.authorization_endpoint }}' + token_endpoint: '{{ .Values.system.components.auth_service.identity_provider.token_endpoint }}' + end_session_endpoint: '{{ .Values.system.components.auth_service.identity_provider.end_session_endpoint }}' + token_request_timeout: {{ .Values.system.components.auth_service.identity_provider.token_request_timeout }} + auth_request_timeout: {{ .Values.system.components.auth_service.identity_provider.auth_request_timeout }} application_configs: - example-service: - display_name: Example Service - scope: 'example openid email groups profile' - client_id: IAmNotSoSecret. - client_secret: IAmVerySecret! - default_dropoff_url: https://example.com/app/ - dropoff_url_pattern: https://example.com/app/(\?(foo=[a-z]+|bar=[0-9]{3,8}|&)+)? 
- # note that the userinfo endpoint only works for those applications where this matches security.oidc.id_token_cookie_name - # we do support multiple application configs, but for now, you only get userinfo for one of them - cookie_name: JWT - cookie_domain: example.com - cookie_path: /app - cookie_expiry: 6h + registration-system: + display_name: Registration System + scope: '{{ .Values.system.components.auth_service.scope }} openid email groups profile' + # client_id: '$REG_SECRET_OIDC_CLIENT_ID' + # client_secret: '$REG_SECRET_OIDC_CLIENT_SECRET' + default_dropoff_url: '{{ .Values.system.components.auth_service.default_dropoff_url }}' + dropoff_url_pattern: '{{ .Values.system.components.auth_service.dropoff_url_pattern }}' + cookie_name: '{{ .Values.system.components.auth_service.id_token_cookie_name }}' + cookie_domain: '{{ .Values.system.components.auth_service.cookie_domain }}' + cookie_path: '/{{ .Values.system.public_base_context | default "" }}' + cookie_expiry: '{{ .Values.system.components.auth_service.cookie_expiry }}' mail-service-config: | # configuration file for mail-service server: - port: 9093 + port: 8080 mail: - log_only: false # Only log the E-Mail (Requires logging to be set to DEBUG). No sending. - dev_mode: false # Override the recipient (To) to the list below, ignore Bcc/Cc. - dev_mails: - - 'developer@example.com' - - 'another.dev@example.com' - # optional debug option that adds this mail address to Bcc on every email sent - # add_auto_bcc: 'debug@example.com' - from: 'Example Sender ' # Sender E-Mail Address (Can be either just "email@example.com" OR "Example " - from_password: 'email-account-password' # Sender E-Mail Password - smtp_host: 'mail.example.com' # Mail-server Host - smtp_port: '587' # Mail-server Port + log_only: {{ .Values.system.components.mail_service.log_only }} + dev_mode: {{ .Values.system.components.mail_service.dev_mode }} + {{- with .Values.system.components.mail_service.dev_mails }} + dev_mails: {{ . 
| toYaml | nindent 8 }} + {{- end }} + {{- with .Values.system.components.mail_service.add_auto_bcc }} + add_auto_bcc: '{{ . }}' + {{- end }} + from: '{{ .Values.system.components.mail_service.from }}' + # from_password: '$REG_SECRET_SMTP_PASSWORD' # or blank for no password + smtp_host: '{{ .Values.system.components.mail_service.smtp_host }}' + smtp_port: '{{ .Values.system.components.mail_service.smtp_port }}' database: - use: 'inmemory' # [inmemory, mysql] - username: 'db-user-username' - password: 'db-user-password' - database: 'tcp(localhost:3306)/db-name' + use: '{{ .Values.system.database.use }}' + {{- if eq .Values.system.database.use "mysql" }} + username: '{{ .Values.system.database.username }}' + # password: '$REG_SECRET_DB_PASSWORD' + database: '{{ .Values.system.database.database }}' + {{- with .Values.system.database.parameters }} parameters: - - 'charset=utf8mb4' - - 'collation=utf8mb4_general_ci' - - 'parseTime=True' - - 'timeout=30s' # connection timeout + {{- range . }} + - '{{ . 
}}' + {{- end }} + {{- end }} + {{- end }} security: - fixed_token: - api: 'put_secure_random_string_here_for_api_token' + fixed_token: {} + # api: '$REG_SECRET_API_TOKEN' oidc: - # set this nonempty to read the jwt token from a cookie - id_token_cookie_name: 'JWT' - access_token_cookie_name: 'AUTH' - # a list of public RSA keys in PEM format, see https://github.com/Jumpy-Squirrel/jwks2pem for obtaining PEM from openid keyset endpoint - token_public_keys_PEM: - - | - -----BEGIN PUBLIC KEY----- - MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv - vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc - aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy - tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0 - e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb - V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9 - MwIDAQAB - -----END PUBLIC KEY----- - admin_group: 'admin' - # if you leave this blank, userinfo checks will be skipped - auth_service: 'http://localhost:4712' # no trailing slash - # optional, but will be checked if set (should set to reject tokens created for other clients than regsys) - audience: 'only-allowed-audience-in-tokens' - # optional, but will be checked if set - issuer: 'only-allowed-issuer-in-tokens' + id_token_cookie_name: '{{ .Values.system.components.auth_service.id_token_cookie_name }}' + access_token_cookie_name: '{{ .Values.system.components.auth_service.access_token_cookie_name }}' + {{- with .Values.system.components.auth_service.token_public_keys_PEM }} + token_public_keys_PEM: {{- . | toYaml | nindent 8 }} + {{- end }} + admin_group: '{{ .Values.system.components.auth_service.admin_group_id }}' + {{- if .Values.system.components.auth_service.enable }} + auth_service: '{{ .Values.system.components.auth_service.local_base_url }}' + {{- end }} + {{- with .Values.system.components.auth_service.allowed_audience_in_tokens }} + audience: '{{ . 
}}' + {{- end }} + {{- with .Values.system.components.auth_service.allowed_issuer_in_tokens }} + issuer: '{{ . }}' + {{- end }} cors: - # set this to true to send disable cors headers - not for production - local/test instances only - will log lots of warnings - disable: false - # if setting disable_cors, you should also specify this, as a comma separated list of allowed origins - allow_origin: 'http://localhost:8000' + disable: {{ .Values.development.cors.disable }} + {{- with .Values.development.cors.allow_origin }} + allow_origin: '{{ . }}' + {{- end }} logging: - severity: INFO - style: plain # or ecs (elastic common schema), the default + severity: {{ .Values.system.logging.severity }} + style: {{ .Values.system.logging.style }} payment-cncrd-adapter-config: | # configuration file for payment-cncrd-adapter diff --git a/tests/configmap_test.yaml b/tests/configmap_test.yaml index db8d17d..02c5212 100644 --- a/tests/configmap_test.yaml +++ b/tests/configmap_test.yaml 
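Review bot: `severity: {{ .Values.system.logging.severity }}` and `style: {{ .Values.system.logging.style }}` replace the literal `INFO` / `plain` with unguarded lookups, so a values file without a `system.logging` block renders `severity:` and `style:` as empty (YAML null) instead of the previous defaults; the values.yaml hunk in this diff adds no such block, though one may exist outside the shown lines. The same applies to `token_request_timeout` and `auth_request_timeout`, which previously read `5s` / `600s` and are now rendered unquoted with no fallback. Keep the old behaviour with `| default`, e.g. `severity: {{ .Values.system.logging.severity | default "INFO" }}` and `style: {{ .Values.system.logging.style | default "plain" }}`, or mark those keys required in values.schema.json. Separately, the `$REG_SECRET_*` lines are commented out, so the rendered configs contain no `from_password`, `fixed_token.api` or database `password` at all; if the services take these from the environment, a short template comment saying so would spare the next maintainer the search.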
@@ -37,8 +37,26 @@ tests:
 -----END PUBLIC KEY-----
 allowed_audience_in_tokens: 'aud-1234'
 allowed_issuer_in_tokens: 'https://identity.example.com'
- user_info_url: https://my.identity.provider.example.com/user-info
- token_introspection_url: https://my.identity.provider.example.com/token-introspection
+ identity_provider:
+ user_info_url: https://my.identity.provider.example.com/user-info
+ token_introspection_url: https://my.identity.provider.example.com/token-introspection
+ authorization_endpoint: https://my.identity.provider.example.com/auth
+ token_endpoint: https://my.identity.provider.example.com/token
+ end_session_endpoint: https://my.identity.provider.example.com/logout
+ token_request_timeout: 5s
+ auth_request_timeout: 600s
+ scope: some.scope
+ default_dropoff_url: https://example.com/app/
+ dropoff_url_pattern: https://example.com/app/(\?(foo=[a-z]+|bar=[0-9]{3,8}|&)+)?
+ cookie_domain: example.com
+ mail_service:
+ dev_mails:
+ - developer@example.com
+ - another.dev@example.com
+ add_auto_bcc: 'debug@example.com'
+ from: 'Example Sender '
+ smtp_host: 'mail.example.com'
+ smtp_port: 587
 database:
 use: mysql
 choices:
@@ -284,89 +302,71 @@ tests: disable_http_only_cookies: false logging: severity: INFO - # TODO: ***continue work from here*** identity_provider: - authorization_endpoint: https://my.identity.provider.example.com/auth - token_endpoint: https://my.identity.provider.example.com/token - end_session_endpoint: https://my.identity.provider.example.com/logout + authorization_endpoint: 'https://my.identity.provider.example.com/auth' + token_endpoint: 'https://my.identity.provider.example.com/token' + end_session_endpoint: 'https://my.identity.provider.example.com/logout' token_request_timeout: 5s auth_request_timeout: 600s application_configs: - example-service: - display_name: Example Service - scope: 'example openid email groups profile' - client_id: IAmNotSoSecret. - client_secret: IAmVerySecret! - default_dropoff_url: https://example.com/app/ - dropoff_url_pattern: https://example.com/app/(\?(foo=[a-z]+|bar=[0-9]{3,8}|&)+)? - # note that the userinfo endpoint only works for those applications where this matches security.oidc.id_token_cookie_name - # we do support multiple application configs, but for now, you only get userinfo for one of them - cookie_name: JWT - cookie_domain: example.com - cookie_path: /app - cookie_expiry: 6h + registration-system: + display_name: Registration System + scope: 'some.scope openid email groups profile' + # client_id: '$REG_SECRET_OIDC_CLIENT_ID' + # client_secret: '$REG_SECRET_OIDC_CLIENT_SECRET' + default_dropoff_url: 'https://example.com/app/' + dropoff_url_pattern: 'https://example.com/app/(\?(foo=[a-z]+|bar=[0-9]{3,8}|&)+)?' + cookie_name: 'JWT' + cookie_domain: 'example.com' + cookie_path: '/hello/you' + cookie_expiry: '6h' - equal: path: data.mail-service-config value: | # configuration file for mail-service server: - port: 9093 + port: 8080 mail: - log_only: false # Only log the E-Mail (Requires logging to be set to DEBUG). No sending. - dev_mode: false # Override the recipient (To) to the list below, ignore Bcc/Cc. 
+ log_only: false + dev_mode: false dev_mails: - - 'developer@example.com' - - 'another.dev@example.com' - # optional debug option that adds this mail address to Bcc on every email sent - # add_auto_bcc: 'debug@example.com' - from: 'Example Sender ' # Sender E-Mail Address (Can be either just "email@example.com" OR "Example " - from_password: 'email-account-password' # Sender E-Mail Password - smtp_host: 'mail.example.com' # Mail-server Host - smtp_port: '587' # Mail-server Port + - developer@example.com + - another.dev@example.com + add_auto_bcc: 'debug@example.com' + from: 'Example Sender ' + # from_password: '$REG_SECRET_SMTP_PASSWORD' # or blank for no password + smtp_host: 'mail.example.com' + smtp_port: '587' database: - use: 'inmemory' # [inmemory, mysql] - username: 'db-user-username' - password: 'db-user-password' - database: 'tcp(localhost:3306)/db-name' + use: 'mysql' + username: 'demouser' + # password: '$REG_SECRET_DB_PASSWORD' + database: 'tcp(localhost:3306)/dbname' parameters: - 'charset=utf8mb4' - 'collation=utf8mb4_general_ci' - 'parseTime=True' - - 'timeout=30s' # connection timeout + - 'timeout=30s' security: - fixed_token: - api: 'put_secure_random_string_here_for_api_token' + fixed_token: {} + # api: '$REG_SECRET_API_TOKEN' oidc: - # set this nonempty to read the jwt token from a cookie id_token_cookie_name: 'JWT' access_token_cookie_name: 'AUTH' - # a list of public RSA keys in PEM format, see https://github.com/Jumpy-Squirrel/jwks2pem for obtaining PEM from openid keyset endpoint token_public_keys_PEM: - - | - -----BEGIN PUBLIC KEY----- - MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv - vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc - aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy - tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0 - e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb - V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9 - MwIDAQAB 
- -----END PUBLIC KEY----- - admin_group: 'admin' - # if you leave this blank, userinfo checks will be skipped - auth_service: 'http://localhost:4712' # no trailing slash - # optional, but will be checked if set (should set to reject tokens created for other clients than regsys) - audience: 'only-allowed-audience-in-tokens' - # optional, but will be checked if set - issuer: 'only-allowed-issuer-in-tokens' + - | + -----BEGIN PUBLIC KEY----- + ABC + -----END PUBLIC KEY----- + admin_group: 'D1DQADM' + auth_service: 'http://auth-service:8080' + audience: 'aud-1234' + issuer: 'https://identity.example.com' cors: - # set this to true to send disable cors headers - not for production - local/test instances only - will log lots of warnings disable: false - # if setting disable_cors, you should also specify this, as a comma separated list of allowed origins - allow_origin: 'http://localhost:8000' logging: severity: INFO - style: plain # or ecs (elastic common schema), the default + style: ecs - equal: path: data.payment-cncrd-adapter-config @@ -503,6 +503,10 @@ tests: latest_due_date: '2023-09-23' birthday: latest: '2004-08-24' + auth_service: + identity_provider: + user_info_url: https://my.identity.provider.example.com/user-info + token_introspection_url: https://my.identity.provider.example.com/token-introspection choices: packages: attendance: @@ -540,6 +544,10 @@ tests: latest_due_date: '2023-09-23' birthday: latest: '2004-08-24' + auth_service: + identity_provider: + user_info_url: https://my.identity.provider.example.com/user-info + token_introspection_url: https://my.identity.provider.example.com/token-introspection choices: packages: attendance: diff --git a/values-example.yaml b/values-example.yaml index 7c8259c..bd2de14 100644 --- a/values-example.yaml +++ b/values-example.yaml 
@@ -68,15 +68,34 @@ system: allowed_audience_in_tokens: 'aud-1234' # optional, but will be checked if set allowed_issuer_in_tokens: 'https://example.com' - - # optional, if not configured, local validation is used if the key is provided. Not safe for production if omitted. - user_info_url: https://my.identity.provider.example.com/user-info - # optional, if not configured, audience check is potentially skipped. Not recommended for production to omit this. - token_introspection_url: https://my.identity.provider.example.com/token-introspection + identity_provider: + # optional, if not configured, local validation is used if the key is provided. Not safe for production if omitted. + user_info_url: https://my.identity.provider.example.com/user-info + # optional, if not configured, audience check is potentially skipped. Not recommended for production to omit this. + token_introspection_url: https://my.identity.provider.example.com/token-introspection + authorization_endpoint: https://my.identity.provider.example.com/auth + token_endpoint: https://my.identity.provider.example.com/token + end_session_endpoint: https://my.identity.provider.example.com/logout + token_request_timeout: 5s + auth_request_timeout: 600s + scope: some.scope + default_dropoff_url: https://example.com/app/ + dropoff_url_pattern: https://example.com/app/(\?(foo=[a-z]+|bar=[0-9]{3,8}|&)+)? + cookie_domain: example.com + cookie_expiry: 6h mail_service: enable: true local_base_url: http://mail-service:8080 + log_only: false + dev_mode: false + dev_mails: + - 'developer@example.com' + - 'another.dev@example.com' + add_auto_bcc: 'debug@example.com' + from: 'Example Sender ' + smtp_host: 'mail.example.com' + smtp_port: 587 payment_cncrd_adapter: enable: false diff --git a/values.schema.json b/values.schema.json index 6f59750..9484239 100644 --- a/values.schema.json +++ b/values.schema.json 
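Review bot: The template reads `scope`, `default_dropoff_url`, `dropoff_url_pattern`, `cookie_domain` and `cookie_expiry` from `.Values.system.components.auth_service.*` (second configmap.yaml hunk) and values.schema.json declares them as siblings of `identity_provider`, which itself has `additionalProperties: false`; the indentation of this example file is not recoverable in this rendering, so confirm those five keys sit at the `auth_service` level and not under `identity_provider`, otherwise the example fails schema validation (or, without validation, renders an empty `scope`). The `from: 'Example Sender '` value also appears to have lost its address part in this rendering; if the file really holds only the display name, the example is not a usable sender and should read as `'Example Sender <address>'` with a placeholder address.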
@@ -234,19 +234,69 @@ "type": "string", "description": "optional, but will be checked if set" }, - "user_info_url": { - "type": "string", - "description": "OpenID Connect user info URL. optional, if not configured, local validation is used if the key is provided. Not safe for production if omitted." - }, "user_info_cache_seconds": { "type": "integer", "minValue": 0, "default": 10, "description": "seconds to cache user info and token introspection results (can drastically reduce load on the identity provider). Important downside: revoked tokens will still grant access up to this long, so don't set it to large values. 10 seconds should be an acceptable compromise." }, - "token_introspection_url": { + "identity_provider": { + "type": "object", + "additionalProperties": false, + "description": "identity provider configuration", + "properties": { + "user_info_url": { + "type": "string", + "description": "OpenID Connect user info URL. optional, if not configured, local validation is used if the key is provided. Not safe for production if omitted." + }, + "token_introspection_url": { + "type": "string", + "description": "OpenID Connect token info URL. optional, if not configured, audience check is potentially skipped. Not recommended for production to omit this." + }, + "authorization_endpoint": { + "type": "string", + "description": "OpenID Connect auth endpoint URL" + }, + "token_endpoint": { + "type": "string", + "description": "OpenID Connect token endpoint URL" + }, + "end_session_endpoint": { + "type": "string", + "description": "OpenID Connect end session endpoint URL (aka. logout)" + }, + "token_request_timeout": { + "type": "string", + "pattern": "^[1-9][0-9]*(ms|s|m)$" + }, + "auth_request_timeout": { + "type": "string", + "pattern": "^[1-9][0-9]*(ms|s|m)$" + } + } + }, + "scope": { + "type": "string", + "description": "primary scope to request. openid email groups profile are added automatically. 
Your OIDC app must have all these scopes enabled for the system to function." + }, + "default_dropoff_url": { "type": "string", - "description": "OpenID Connect token info URL. optional, if not configured, audience check is potentially skipped. Not recommended for production to omit this." + "description": "default dropoff url, the redirect target after authentication success" + }, + "dropoff_url_pattern": { + "type": "string", + "description": "OIDC dropoff url pattern, must include the default_dropoff_url. redirect targets that do not match this are rejected for security reasons. Regular expression." + }, + "cookie_domain": { + "type": "string", + "description": "domain to limit cookie to", + "example": "example.com" + }, + "cookie_expiry": { + "type": "string", + "description": "Time until the cookie expires (unless the JWT token expires before that). s = seconds, m = minutes, h = hours", + "pattern": "^[1-9][0-9]*[smh]$", + "example": "2h" } } }, 
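Review bot: `"minValue": 0` on user_info_cache_seconds, carried as context in this hunk, is not a JSON Schema keyword, so validators ignore it and a negative cache value passes; the keyword is `"minimum": 0`. The new `"example"` entries on cookie_domain and cookie_expiry are likewise non-standard (the draft-06+ keyword is `"examples": [...]`) and are silently ignored rather than rejected. The timeout patterns `^[1-9][0-9]*(ms|s|m)$` exclude forms such as `1h` or `1m30s`; that is fine if the auth service's duration parser accepts only these forms, but since this schema is the only gate on the value, confirm it matches the consumer (the same question applies to `^[1-9][0-9]*[smh]$` on cookie_expiry).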
@@ -263,6 +313,38 @@ "local_base_url": { "type": "string", "description": "the local url used to access this service, including protocol and port, with no trailing /" + }, + "log_only": { + "type": "boolean", + "description": "Only log the E-Mail (Requires logging to be set to DEBUG). Disables sending mail completely." + }, + "dev_mode": { + "type": "boolean", + "description": "Override the recipient (To) to the list under dev_mails, ignore Bcc/Cc." + }, + "dev_mails": { + "type": "array", + "description": "List of email addresses to force sending to if dev_mode is enabled. Use for debugging / test systems. Actual recipients do not get mail, but are instead listed in the mail body.", + "items": { + "type": "string" + } + }, + "add_auto_bcc": { + "type": "string", + "description": "optional debug option that adds this mail address to Bcc on every email sent" + }, + "from": { + "type": "string", + "description": "Sender E-Mail Address (Can be either just email@example.com OR Example ", + "example": "Example Sender " + }, + "smtp_host": { + "type": "string", + "description": "Mail-server Host" + }, + "smtp_port": { + "type": "integer", + "description": "Mail-server Port" } } }, diff --git a/values.yaml b/values.yaml index 1412b10..2d0b898 100644 --- a/values.yaml +++ b/values.yaml @@ -35,10 +35,13 @@ system: id_token_cookie_name: 'JWT' access_token_cookie_name: 'AUTH' user_info_cache_seconds: 10 + cookie_expiry: 6h mail_service: enable: true local_base_url: http://mail-service:8080 + log_only: false + dev_mode: false payment_cncrd_adapter: enable: false
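Review bot: The new mail_service properties `from`, `smtp_host` and `smtp_port` are optional in the schema, yet configmap.yaml renders them unconditionally as `from: '{{ ... }}'`, `smtp_host: '{{ ... }}'`, `smtp_port: '{{ ... }}'`, and the values.yaml hunk in this diff adds defaults only for `log_only` and `dev_mode`; a chart user who omits them gets empty strings that fail only when the first mail is sent. If the mail_service object declares no `required` list (only its closing brace is visible here), add `"required": ["from", "smtp_host", "smtp_port"]`, or make them conditional on `log_only` being false. The `from` description (`Can be either just email@example.com OR Example`) looks truncated, presumably an angle-bracket address lost in rendering; if so, escape it in the JSON so the schema documents the expected `Name <address>` form.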