mgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains

rkachach · rkachach · commit af84f6d512a2 · 2024-09-06T12:44:45.000+02:00
this field is needed in order to configure which domains are allowed for redirection during login and/or logout Fixes: https://tracker.ceph.com/issues/67934 Signed-off-by: Redouane Kachach <rkachach@redhat.com>
diff --git a/src/pybind/mgr/cephadm/services/oauth2_proxy.py b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -67,10 +67,12 @@ def generate_random_secret(self) -> str:
     def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
         assert self.TYPE == daemon_spec.daemon_type
         svc_spec = cast(OAuth2ProxySpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+        whitelist_domains = svc_spec.whitelist_domains or []
+        whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')
         context = {
             'spec': svc_spec,
             'cookie_secret': svc_spec.cookie_secret or self.generate_random_secret(),
-            'whitelist_domains': self.get_service_ips_and_hosts('mgmt-gateway'),
+            'whitelist_domains': whitelist_domains,
             'redirect_url': svc_spec.redirect_url or self.get_redirect_url()
         }
 
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
@@ -1920,6 +1920,7 @@ def __init__(self,
                  cookie_secret: Optional[str] = None,
                  ssl_certificate: Optional[str] = None,
                  ssl_certificate_key: Optional[str] = None,
+                 whitelist_domains: Optional[List[str]] = None,
                  unmanaged: bool = False,
                  extra_container_args: Optional[GeneralArgList] = None,
                  extra_entrypoint_args: Optional[GeneralArgList] = None,
@@ -1955,6 +1956,9 @@ def __init__(self,
         self.ssl_certificate = ssl_certificate
         #: The multi-line SSL certificate private key for decrypting communications.
         self.ssl_certificate_key = ssl_certificate_key
+        #: List of allowed domains for safe redirection after login or logout,
+        # preventing unauthorized redirects.
+        self.whitelist_domains = whitelist_domains
         self.unmanaged = unmanaged
 
     def get_port_start(self) -> List[int]:
