better oauth secret management
This commit is contained in:
parent
85d04478d1
commit
632158b566
|
@ -63,7 +63,6 @@
|
|||
public_domain = "public-hydra.local";
|
||||
extra_args = ["--dev"];
|
||||
settings = {
|
||||
dev = true;
|
||||
urls.self = {
|
||||
issuer = "http://127.0.0.1:8082";
|
||||
public = "http://127.0.0.1:8082";
|
||||
|
|
|
@ -23,6 +23,7 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:8082'
|
|||
SUBJECT_PREFIX = 'something random'
|
||||
|
||||
OAUTH_ID = 'identiy_provider'
|
||||
OAUTH_SECRET = 'thisIsNotSecure'
|
||||
|
||||
|
||||
[LENTICULAR_CLOUD_SERVICES.jabber]
|
||||
|
|
|
@ -23,7 +23,7 @@ class HydraService:
|
|||
self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))
|
||||
|
||||
client_name = app.config['OAUTH_ID']
|
||||
client_secret = token_hex(16)
|
||||
client_secret = app.config['OAUTH_SECRET']
|
||||
|
||||
clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
|
||||
if clients is None:
|
||||
|
@ -48,12 +48,12 @@ class HydraService:
|
|||
)
|
||||
ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
|
||||
if ret is None:
|
||||
raise RuntimeError("could not crate account")
|
||||
raise RuntimeError("could not create account")
|
||||
else:
|
||||
client.client_secret = client_secret
|
||||
ret = set_o_auth_2_client.sync(id=client.client_id,json_body=client, _client=self.hydra_client)
|
||||
ret = set_o_auth_2_client.sync(id=client.client_id, json_body=client, _client=self.hydra_client)
|
||||
if ret is None:
|
||||
raise RuntimeError("could not crate account")
|
||||
raise RuntimeError("could not update account")
|
||||
if type(client.client_id) is not str:
|
||||
raise RuntimeError("could not parse client_id from ory-hydra")
|
||||
self.client_id = client.client_id
|
||||
|
|
14
module.nix
14
module.nix
|
@ -4,6 +4,7 @@ let
|
|||
python = pkgs.python3;
|
||||
format = pkgs.formats.json {};
|
||||
types = lib.types;
|
||||
config_oauth_secret = "${cfg.settings.DATA_FOLDER}/lenticular_oauth_secret.toml";
|
||||
in
|
||||
{
|
||||
options = with lib.options; {
|
||||
|
@ -130,16 +131,19 @@ in
|
|||
|
||||
environment = let
|
||||
python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ];
|
||||
config_file = format.generate "lenticular-cloud.json" cfg.settings;
|
||||
in {
|
||||
# CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
|
||||
CONFIG_FILE = format.generate "lenticular-cloud.json" cfg.settings;
|
||||
CONFIG_FILE = "${config_file}:${config_oauth_secret}";
|
||||
PYTHONPATH = "${python_path}";
|
||||
# PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
|
||||
};
|
||||
preStart = ''
|
||||
#cat > ${cfg.settings.DATA_FOLDER}/foobar.conf <<EOF
|
||||
#SECRET_KEY=""
|
||||
#EOF
|
||||
if [[ ! -e "${config_oauth_secret}" ]]; then
|
||||
SECRET_KEY=`${pkgs.openssl}/bin/openssl rand --hex 16`
|
||||
echo 'OAUTH_SECRET="$${SECRET_KEY}"' > ${config_oauth_secret}
|
||||
echo "oauth secreted generated"
|
||||
fi
|
||||
${pkgs.lenticular-cloud}/bin/lenticular_cloud-cli db_upgrade
|
||||
'';
|
||||
|
||||
|
@ -148,7 +152,7 @@ in
|
|||
WorkingDirectory = cfg.settings.DATA_FOLDER;
|
||||
User = cfg.username;
|
||||
ExecStart = ''${python.pkgs.gunicorn}/bin/gunicorn lenticular_cloud.wsgi --name lenticular_cloud \
|
||||
--workers 1 --log-level=info \
|
||||
--workers 2 --log-level=info \
|
||||
--bind=unix:/run/${cfg.username}/web.sock \
|
||||
-k gevent'';
|
||||
Restart = "on-failure";
|
||||
|
|
Loading…
Reference in a new issue