better oauth secret management

This commit is contained in:
tuxcoder 2023-12-23 02:41:26 +01:00
parent 85d04478d1
commit 632158b566
4 changed files with 14 additions and 10 deletions

View file

@ -63,7 +63,6 @@
public_domain = "public-hydra.local";
extra_args = ["--dev"];
settings = {
dev = true;
urls.self = {
issuer = "http://127.0.0.1:8082";
public = "http://127.0.0.1:8082";

View file

@ -23,6 +23,7 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:8082'
SUBJECT_PREFIX = 'something random'
OAUTH_ID = 'identiy_provider'
OAUTH_SECRET = 'thisIsNotSecure'
[LENTICULAR_CLOUD_SERVICES.jabber]

View file

@ -23,7 +23,7 @@ class HydraService:
self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))
client_name = app.config['OAUTH_ID']
client_secret = token_hex(16)
client_secret = app.config['OAUTH_SECRET']
clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
if clients is None:
@ -48,12 +48,12 @@ class HydraService:
)
ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
if ret is None:
raise RuntimeError("could not crate account")
raise RuntimeError("could not create account")
else:
client.client_secret = client_secret
ret = set_o_auth_2_client.sync(id=client.client_id,json_body=client, _client=self.hydra_client)
ret = set_o_auth_2_client.sync(id=client.client_id, json_body=client, _client=self.hydra_client)
if ret is None:
raise RuntimeError("could not crate account")
raise RuntimeError("could not update account")
if type(client.client_id) is not str:
raise RuntimeError("could not parse client_id from ory-hydra")
self.client_id = client.client_id

View file

@ -4,6 +4,7 @@ let
python = pkgs.python3;
format = pkgs.formats.json {};
types = lib.types;
config_oauth_secret = "${cfg.settings.DATA_FOLDER}/lenticular_oauth_secret.toml";
in
{
options = with lib.options; {
@ -130,16 +131,19 @@ in
environment = let
python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ];
config_file = format.generate "lenticular-cloud.json" cfg.settings;
in {
# CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
CONFIG_FILE = format.generate "lenticular-cloud.json" cfg.settings;
CONFIG_FILE = "${config_file}:${config_oauth_secret}";
PYTHONPATH = "${python_path}";
# PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
};
preStart = ''
#cat > ${cfg.settings.DATA_FOLDER}/foobar.conf <<EOF
#SECRET_KEY=""
#EOF
if [[ ! -e "${config_oauth_secret}" ]]; then
SECRET_KEY=`${pkgs.openssl}/bin/openssl rand --hex 16`
echo 'OAUTH_SECRET="$${SECRET_KEY}"' > ${config_oauth_secret}
echo "oauth secreted generated"
fi
${pkgs.lenticular-cloud}/bin/lenticular_cloud-cli db_upgrade
'';
@ -148,7 +152,7 @@ in
WorkingDirectory = cfg.settings.DATA_FOLDER;
User = cfg.username;
ExecStart = ''${python.pkgs.gunicorn}/bin/gunicorn lenticular_cloud.wsgi --name lenticular_cloud \
--workers 1 --log-level=info \
--workers 2 --log-level=info \
--bind=unix:/run/${cfg.username}/web.sock \
-k gevent'';
Restart = "on-failure";