mirror of
https://github.com/ClusterCockpit/cc-backend
synced 2026-06-17 17:07:29 +02:00
Jan Eitzinger
83d04dff17
Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login keys) are now configured directly in config.json under the auth section where they are used. Each secret can still be supplied via its existing environment variable, which takes precedence over the config value. The godotenv dependency, the .env file, configs/env-template.txt and the loadEnvironment() bootstrap step are removed. -init now writes the demo JWT keys into config.json instead of a .env file. Closes #283 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 3a7cb814c53f
140 lines
5.4 KiB
Go
140 lines
5.4 KiB
Go
// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
|
|
// All rights reserved. This file is part of cc-backend.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package auth
|
|
|
|
var configSchema = `
|
|
{
|
|
"jwts": {
|
|
"description": "For JWT token authentication.",
|
|
"type": "object",
|
|
"properties": {
|
|
"max-age": {
|
|
"description": "Configure how long a token is valid. As string parsable by time.ParseDuration()",
|
|
"type": "string"
|
|
},
|
|
"cookie-name": {
|
|
"description": "Cookie that should be checked for a JWT token.",
|
|
"type": "string"
|
|
},
|
|
"validate-user": {
|
|
"description": "Deny login for users not in database (but defined in JWT). Overwrite roles in JWT with database roles.",
|
|
"type": "boolean"
|
|
},
|
|
"trusted-issuer": {
|
|
"description": "Issuer that should be accepted when validating external JWTs ",
|
|
"type": "string"
|
|
},
|
|
"sync-user-on-login": {
|
|
"description": "Add non-existent user to DB at login attempt with values provided in JWT.",
|
|
"type": "boolean"
|
|
},
|
|
"update-user-on-login": {
|
|
"description": "Should an existent user attributes in the DB be updated at login attempt with values provided in JWT.",
|
|
"type": "boolean"
|
|
},
|
|
"public-key": {
|
|
"description": "Base64 encoded Ed25519 public key used to validate JWTs. Overridden by the JWT_PUBLIC_KEY environment variable when set.",
|
|
"type": "string"
|
|
},
|
|
"private-key": {
|
|
"description": "Base64 encoded Ed25519 private key used to sign JWTs. Overridden by the JWT_PRIVATE_KEY environment variable when set.",
|
|
"type": "string"
|
|
},
|
|
"cross-login-public-key": {
|
|
"description": "Base64 encoded Ed25519 public key for accepting externally generated JWTs. Overridden by the CROSS_LOGIN_JWT_PUBLIC_KEY environment variable when set.",
|
|
"type": "string"
|
|
},
|
|
"cross-login-hs512-key": {
|
|
"description": "Base64 encoded HMAC (HS256/HS512) key for accepting externally generated session login tokens. Overridden by the CROSS_LOGIN_JWT_HS512_KEY environment variable when set.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["max-age"]
|
|
},
|
|
"oidc": {
|
|
"type": "object",
|
|
"properties": {
|
|
"provider": {
|
|
"description": "OpenID Connect provider URL.",
|
|
"type": "string"
|
|
},
|
|
"sync-user-on-login": {
|
|
"description": "Add non-existent user to DB at login attempt with values provided.",
|
|
"type": "boolean"
|
|
},
|
|
"update-user-on-login": {
|
|
"description": "Should an existent user attributes in the DB be updated at login attempt with values provided.",
|
|
"type": "boolean"
|
|
},
|
|
"client-id": {
|
|
"description": "OAuth2 client ID for the OIDC provider. Overridden by the OID_CLIENT_ID environment variable when set.",
|
|
"type": "string"
|
|
},
|
|
"client-secret": {
|
|
"description": "OAuth2 client secret for the OIDC provider. Overridden by the OID_CLIENT_SECRET environment variable when set.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["provider"]
|
|
},
|
|
"ldap": {
|
|
"description": "For LDAP Authentication and user synchronisation.",
|
|
"type": "object",
|
|
"properties": {
|
|
"url": {
|
|
"description": "URL of LDAP directory server.",
|
|
"type": "string"
|
|
},
|
|
"user-base": {
|
|
"description": "Base DN of user tree root.",
|
|
"type": "string"
|
|
},
|
|
"search-dn": {
|
|
"description": "DN for authenticating LDAP admin account with general read rights.",
|
|
"type": "string"
|
|
},
|
|
"user-bind": {
|
|
"description": "Expression used to authenticate users via LDAP bind. Must contain uid={username}.",
|
|
"type": "string"
|
|
},
|
|
"user-filter": {
|
|
"description": "Filter to extract users for syncing.",
|
|
"type": "string"
|
|
},
|
|
"username-attr": {
|
|
"description": "Attribute with full username. Default: gecos",
|
|
"type": "string"
|
|
},
|
|
"sync-interval": {
|
|
"description": "Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.",
|
|
"type": "string"
|
|
},
|
|
"sync-del-old-users": {
|
|
"description": "Delete obsolete users in database.",
|
|
"type": "boolean"
|
|
},
|
|
"uid-attr": {
|
|
"description": "LDAP attribute used as login username. Default: uid",
|
|
"type": "string"
|
|
},
|
|
"sync-user-on-login": {
|
|
"description": "Add non-existent user to DB at login attempt if user exists in Ldap directory",
|
|
"type": "boolean"
|
|
},
|
|
"update-user-on-login": {
|
|
"description": "Should an existent user attributes in the DB be updated at login attempt with values from LDAP.",
|
|
"type": "boolean"
|
|
},
|
|
"sync-password": {
|
|
"description": "Password for the LDAP admin account used for syncing. Overridden by the LDAP_ADMIN_PASSWORD environment variable when set.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["url", "user-base", "search-dn", "user-bind", "user-filter"]
|
|
},
|
|
"required": ["jwts"]
|
|
}`
|