
Commit 32d90b7

authored
Merge pull request ceph#59634 from rkachach/fix_issue_67934
mgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains Reviewed-by: Adam King <[email protected]>
2 parents b066013 + af84f6d commit 32d90b7


2 files changed

+7
-1
lines changed


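--- a/src/pybind/mgr/cephadm/services/oauth2_proxy.py
+++ b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -67,10 +67,12 @@ def generate_random_secret(self) -> str:
 def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
 assert self.TYPE == daemon_spec.daemon_type
 svc_spec = cast(OAuth2ProxySpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+whitelist_domains = svc_spec.whitelist_domains or []
+whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')
 context = {
 'spec': svc_spec,
 'cookie_secret': svc_spec.cookie_secret or self.generate_random_secret(),
-'whitelist_domains': self.get_service_ips_and_hosts('mgmt-gateway'),
+'whitelist_domains': whitelist_domains,
 'redirect_url': svc_spec.redirect_url or self.get_redirect_url()
 }
 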
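Review bot: `whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')` on new line 71 extends the list in place, and when `svc_spec.whitelist_domains` is non-empty the `or []` on line 70 returns that same list object, so every `generate_config` call appends the mgmt-gateway IPs and hosts to the spec held in `self.mgr.spec_store`. The redirect allowlist in the stored spec would then accumulate duplicates on each reconfiguration, and if the spec is saved again later (not visible in these lines) gateway addresses that are no longer valid could stay allowed. Build a fresh list instead: `whitelist_domains = list(svc_spec.whitelist_domains or []) + self.get_service_ips_and_hosts('mgmt-gateway')`. The body of `generate_config` continues past the end of the hunk.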

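--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1926,6 +1926,7 @@ def __init__(self,
 cookie_secret: Optional[str] = None,
 ssl_certificate: Optional[str] = None,
 ssl_certificate_key: Optional[str] = None,
+whitelist_domains: Optional[List[str]] = None,
 unmanaged: bool = False,
 extra_container_args: Optional[GeneralArgList] = None,
 extra_entrypoint_args: Optional[GeneralArgList] = None,
@@ -1961,6 +1962,9 @@ def __init__(self,
 self.ssl_certificate = ssl_certificate
 #: The multi-line SSL certificate private key for decrypting communications.
 self.ssl_certificate_key = ssl_certificate_key
+#: List of allowed domains for safe redirection after login or logout,
+# preventing unauthorized redirects.
+self.whitelist_domains = whitelist_domains
 self.unmanaged = unmanaged
 
 def get_port_start(self) -> List[int]: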
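Review bot: Nothing in these two hunks checks `whitelist_domains` before `self.whitelist_domains = whitelist_domains` stores it, so as far as the page shows an empty string, or a bare string given instead of a list, would flow into the oauth2-proxy redirect allowlist unchanged. If the spec's validation method (outside these hunks) does not already cover the field, it should reject anything that is not a list of non-empty strings. The doc comment is also likely not picked up in full by the docs build, because only its first line carries the `#:` marker that the neighbouring attribute comments use; the second line should read `#: preventing unauthorized redirects.`. oauth2-proxy treats an entry with a leading `.` as matching every subdomain, so the comment is a good place to say that entries should be as narrow as possible. `__init__` starts and ends outside both hunks.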
