+72 -60

apps/sower/lib/sower/config.ex

reviewed

··· 13 13 14 14 @schema %Schema{ 15 15 type: :object, 16 16 - required: [:auth, :database], 16 16 + required: [:database], 17 17 properties: %{ 18 18 auth: %Schema{ 19 19 type: :object, ··· 94 94 public_url = json_config |> Keyword.fetch!(:public_url) 95 95 96 96 json_config = 97 97 - json_config 98 98 - |> Keyword.put( 99 99 - :auth, 97 97 + if Keyword.has_key?(json_config, :auth) do 100 98 json_config 101 101 - |> Keyword.fetch!(:auth) 102 102 - |> Keyword.put(:oidc_redirect_uri, ~s"#{public_url}/auth") 103 103 - ) 99 99 + |> Keyword.put( 100 100 + :auth, 101 101 + json_config 102 102 + |> Keyword.fetch!(:auth) 103 103 + |> Keyword.put(:oidc_redirect_uri, ~s"#{public_url}/auth") 104 104 + ) 105 105 + else 106 106 + json_config 107 107 + end 104 108 105 109 secret_key_base = 106 110 with {:ok, secret_key_base_file} <- json_config |> Keyword.fetch(:secret_key_base_file), ··· 153 157 154 158 # oidc client secret file 155 159 json_config = 156 156 - with {:ok, auth} <- json_config |> Keyword.fetch(:auth), 157 157 - {:ok, oidc_client_secret_file} <- auth |> Keyword.fetch(:oidc_client_secret_file), 158 158 - {:ok, oidc_client_secret} <- read_credential(oidc_client_secret_file) do 159 159 - json_config 160 160 - |> Keyword.put(:auth, auth |> Keyword.put(:oidc_client_secret, oidc_client_secret)) 161 161 - else 162 162 - {:error, err} -> 163 163 - Logger.warning( 164 164 - msg: "Failed to load oidc_client_secret from secret file", 165 165 - error: err 166 166 - ) 160 160 + if Keyword.has_key?(json_config, :auth) do 161 161 + with {:ok, auth} <- json_config |> Keyword.fetch(:auth), 162 162 + {:ok, oidc_client_secret_file} <- auth |> Keyword.fetch(:oidc_client_secret_file), 163 163 + {:ok, oidc_client_secret} <- read_credential(oidc_client_secret_file) do 164 164 + json_config 165 165 + |> Keyword.put(:auth, auth |> Keyword.put(:oidc_client_secret, oidc_client_secret)) 166 166 + else 167 167 + {:error, err} -> 168 168 + Logger.warning( 169 169 + msg: "Failed to load oidc_client_secret from secret file", 170 170 + error: err 171 171 + ) 167 172 168 168 - Kernel.exit(1) 173 173 + Kernel.exit(1) 169 174 170 170 - :error -> 171 171 - Logger.warning("Configuration is missing `auth.oidc_client_secret_file`.") 172 172 - Kernel.exit(1) 175 175 + :error -> 176 176 + Logger.warning("Configuration is missing `auth.oidc_client_secret_file`.") 177 177 + Kernel.exit(1) 178 178 + end 179 179 + else 180 180 + json_config 173 181 end 174 182 175 183 # s3 access key id ··· 233 241 persistent: true 234 242 ) 235 243 236 236 - config :sower, Sower.Accounts.UserAuthentication, 237 237 - issuer: "oidcc", 238 238 - secret_key: secret_key_base 239 239 - 240 240 - config :ueberauth_oidcc, :issuers, [ 241 241 - %{ 242 242 - name: :oidcc_issuer, 243 243 - issuer: json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_base_url) 244 244 - } 245 245 - ] 244 244 + if Keyword.has_key?(json_config, :auth) do 245 245 + config :sower, Sower.Accounts.UserAuthentication, 246 246 + issuer: "oidcc", 247 247 + secret_key: secret_key_base 246 248 247 247 - config :ueberauth, Ueberauth, 248 248 - providers: [ 249 249 - oidcc: { 250 250 - Ueberauth.Strategy.Oidcc, 251 251 - client_id: json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_client_id), 252 252 - client_secret: 253 253 - json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_client_secret), 254 254 - issuer: :oidcc_issuer, 255 255 - scopes: ["openid", "profile", "email"], 256 256 - require_pkce: true 249 249 + config :ueberauth_oidcc, :issuers, [ 250 250 + %{ 251 251 + name: :oidcc_issuer, 252 252 + issuer: json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_base_url) 257 253 } 258 254 ] 259 255 260 260 - config :ex_aws, 261 261 - region: get_in(json_config, [:s3, :region]), 262 262 - host: get_in(json_config, [:s3, :host]), 263 263 - access_key_id: [ 264 264 - get_in(json_config, [:s3, :access_key]), 265 265 - {:system, "SOWER_AWS_ACCESS_KEY"} 266 266 - ], 267 267 - secret_access_key: [ 268 268 - get_in(json_config, [:s3, :secret_key]), 269 269 - {:system, "SOWER_AWS_SECRET_KEY"} 270 270 - ] 256 256 + config :ueberauth, Ueberauth, 257 257 + providers: [ 258 258 + oidcc: { 259 259 + Ueberauth.Strategy.Oidcc, 260 260 + client_id: json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_client_id), 261 261 + client_secret: 262 262 + json_config |> Keyword.fetch!(:auth) |> Keyword.fetch!(:oidc_client_secret), 263 263 + issuer: :oidcc_issuer, 264 264 + scopes: ["openid", "profile", "email"], 265 265 + require_pkce: true 266 266 + } 267 267 + ] 268 268 + end 271 269 272 272 - %URI{scheme: scheme, host: host, port: port} = 273 273 - URI.parse(get_in(json_config, [:s3, :endpoint])) 270 270 + if Keyword.has_key?(json_config, :s3) do 271 271 + config :ex_aws, 272 272 + region: get_in(json_config, [:s3, :region]), 273 273 + host: get_in(json_config, [:s3, :host]), 274 274 + access_key_id: [ 275 275 + get_in(json_config, [:s3, :access_key]), 276 276 + {:system, "SOWER_AWS_ACCESS_KEY"} 277 277 + ], 278 278 + secret_access_key: [ 279 279 + get_in(json_config, [:s3, :secret_key]), 280 280 + {:system, "SOWER_AWS_SECRET_KEY"} 281 281 + ] 274 282 275 275 - config :ex_aws, :s3, 276 276 - scheme: scheme <> "://", 277 277 - host: host, 278 278 - port: port 283 283 + %URI{scheme: scheme, host: host, port: port} = 284 284 + URI.parse(get_in(json_config, [:s3, :endpoint])) 279 285 280 280 - config :sower, Sower.Storage, s3: [bucket: get_in(json_config, [:s3, :bucket])] 286 286 + config :ex_aws, :s3, 287 287 + scheme: scheme <> "://", 288 288 + host: host, 289 289 + port: port 290 290 + 291 291 + config :sower, Sower.Storage, s3: [bucket: get_in(json_config, [:s3, :bucket])] 292 292 + end 281 293 282 294 Logger.info("Finished loading configuration.") 283 295 end

+5 -6

nix/tests/e2e.nix

reviewed

··· 83 83 encryption_key_file = "${pkgs.writeText "database-encryption-key" "b2s="}"; # ok in b64 84 84 }; 85 85 86 86 - auth = { 87 87 - oidc_client_id = "sower"; 88 88 - oidc_base_url = "http://localhost:9000"; 89 89 - oidc_client_secret_file = "${pkgs.writeText "oidc-secret" "ok"}"; 90 90 - }; 91 91 - 92 86 log_level = "debug"; 93 87 94 88 clients."${pkgs.stdenv.hostPlatform.system}".path = ··· 148 142 server.succeed("test -S /run/sower-activator/activator.sock") 149 143 server.succeed("test \"$(stat -c '%a' /run/sower-activator/activator.sock)\" = 660") 150 144 server.succeed("test \"$(stat -c '%G' /run/sower-activator/activator.sock)\" = sower-activator") 145 145 + 146 146 + with subtest("get client token"): 147 147 + token = server.succeed("cat /run/sower/test_token") 148 148 + server.succeed("mkdir -p /run/sower") 149 149 + server.succeed(f"echo -n {token} > /run/sower/test_token") 151 150 152 151 # with subtest("basic submission"): 153 152 # server_profile = server.succeed("readlink -f /run/booted-system").strip()