add generic OIDC auth backend #528
Conversation
I wonder if adding new admins alongside the normal

@MagicRB are we able to test this in numtide infra? For my own buildbot the issue might be that I have people that want to login when having access to a nix-community repo.
You can test the python-side of this with a mock server as well:

diff --git a/packages/master.cfg.py b/packages/master.cfg.py
index 8cf3db1..2d91c50 100644
--- a/packages/master.cfg.py
+++ b/packages/master.cfg.py
@@ -3,13 +3,18 @@ from buildbot_nix import (
NixConfigurator,
BuildbotNixConfig,
)
-from buildbot_nix.models import PullBasedConfig, PullBasedRepository
+from buildbot_nix.models import (
+ PullBasedConfig,
+ PullBasedRepository,
+ OIDCConfig,
+ AuthBackendConfig,
+ OIDCMappingConfig,
+)
import getpass
import os
import platform
import subprocess
import multiprocessing
-from buildbot.plugins import util
from buildbot.process.factory import BuildFactory
from dataclasses import dataclass
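Review bot: removing `from buildbot.plugins import util` is consistent with the third hunk dropping `util.UserPasswordAuth`, the only `util.` use visible in this diff, but the rest of packages/master.cfg.py is not shown; confirm no other `util.` reference remains, otherwise the config fails at load time with a NameError. The widened `buildbot_nix.models` import (`OIDCConfig`, `AuthBackendConfig`, `OIDCMappingConfig`) is fine as is.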
@@ -211,6 +216,17 @@ buildbot_nix_config = BuildbotNixConfig(
url=url,
gcroots_user=getpass.getuser(),
admins=["admin"],
+ auth_backend=AuthBackendConfig.oidc,
+ oidc=OIDCConfig(
+ name="Mock",
+ discovery_url="http://localhost:9400/.well-known/openid-configuration",
+ client_id="123",
+ client_secret_file="/tmp/client_secret",
+ scope=["openid", "email", "profile"],
+ mapping=OIDCMappingConfig(
+ email="email", username="preferred_username", full_name="name", groups=None
+ ),
+ ),
)
c = BuildmasterConfig = dict(
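Review bot: `client_secret_file="/tmp/client_secret"` reads the secret from a world-writable directory and `discovery_url` is plain http; both are only acceptable because this targets a local mock server on localhost:9400. Since this mock config is what people will copy, add a short comment on those two lines marking them mock-only and pointing at the LoadCredential / $CREDENTIALS_DIRECTORY mechanism used elsewhere in this PR for real deployments. `groups=None` correctly disables group sync here, matching the scope list that requests no groups claim.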
@@ -221,5 +237,5 @@ c = BuildmasterConfig = dict(
NixConfigurator(buildbot_nix_config),
],
protocols={"pb": {"port": "tcp:9989:interface=\\:\\:1"}},
- www=dict(port=PORT, plugins=dict(), auth=util.UserPasswordAuth({"admin": "admin"})),
+ www=dict(port=PORT, plugins=dict()),
)
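Review bot: with `auth=util.UserPasswordAuth(...)` removed from `www`, nothing in this file configures the web UI's authentication any more, so the change is only correct if `NixConfigurator` installs the OIDC auth into the www config from `auth_backend`/`oidc`. A one-line comment on the `www=dict(port=PORT, plugins=dict())` line saying that auth is now supplied by NixConfigurator would stop the next reader from assuming the UI is left unauthenticated.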
I also run this PR on https://buildbot.althaea.zone/ but you wouldn't be able to login
Aligns OIDCMappingConfig/OIDCConfig with other Pydantic models in the file that reject unknown fields. This catches typos and accidental config keys early rather than silently ignoring them.
The "or 'groups'" fallback contradicted the preceding None check. If self.mapping.groups is not None, use it directly. The dict.get() default handles missing keys in the user response.
The code directly indexed token["access_token"] which raises KeyError for malformed responses. Now validates the token first and raises BuildbotNixError with context if the field is missing.
The OIDC client secret was referenced by full path but not exposed to systemd via LoadCredential. Now uses a relative credential name and adds the corresponding LoadCredential entry so the secret is available in $CREDENTIALS_DIRECTORY at runtime.
@mrshmllow can you please check? I added documentation and tested the code you gave me locally.
d6fbbb2 to 17a32ab
…to separate files Move detailed GitHub, Gitea, and OIDC authentication documentation from README.md into dedicated files under docs/. This makes the README more concise while keeping comprehensive setup instructions easily accessible.
17a32ab to a186505


closes #195
This is a very simple wrapper around the Buildbot OAuth2Auth class that you can configure with new options. Additionally, you can set your own scope and map the claims, if your OIDC provider changes them in some way. It supports syncing groups although you need to include that scope and mapping yourself.
So far I've tested this successfully with PocketID.
As a note: I decided to identify users by the provider's preferred_username because it works well with the admins option
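The claim mapping described in the PR description, together with the three fixes noted in the review (strict models that reject unknown keys, the groups fallback, and validating access_token before indexing), as an added stand-alone example that is not code from this PR or from buildbot-nix; it uses plain dataclasses instead of the project's Pydantic models, and the BuildbotNixError name and the sample userinfo reply are assumptions:

```python
from dataclasses import dataclass, fields
from typing import Optional

class BuildbotNixError(Exception):
    """Stand-in for the project's error type (assumed name)."""

@dataclass(frozen=True)
class OIDCMappingConfig:
    # Claim names to read from the provider's userinfo reply.
    email: str = "email"
    username: str = "preferred_username"
    full_name: str = "name"
    groups: Optional[str] = None  # None disables group syncing

    @classmethod
    def from_dict(cls, raw: dict) -> "OIDCMappingConfig":
        # Reject unknown keys so a typo fails at load time instead of being
        # silently ignored (same intent as the PR's strict Pydantic models).
        unknown = set(raw) - {f.name for f in fields(cls)}
        if unknown:
            raise BuildbotNixError(f"unknown OIDC mapping keys: {sorted(unknown)}")
        return cls(**raw)

def access_token_from_response(token: dict) -> str:
    # Validate before indexing so a malformed token reply gives a clear error
    # rather than a bare KeyError.
    value = token.get("access_token")
    if not isinstance(value, str) or not value:
        raise BuildbotNixError(f"no usable access_token in token reply: {sorted(token)}")
    return value

def map_user_info(mapping: OIDCMappingConfig, info: dict) -> dict:
    # Translate provider claims into the fields buildbot uses for the user.
    user = {
        "email": info.get(mapping.email),
        "username": info.get(mapping.username),
        "full_name": info.get(mapping.full_name),
    }
    # groups=None means no group sync; otherwise read the mapped claim and
    # tolerate its absence via dict.get instead of falling back to 'groups'.
    user["groups"] = [] if mapping.groups is None else list(info.get(mapping.groups, []))
    return user

# Constructed sample userinfo reply, not captured from a real provider.
SAMPLE_USERINFO = {
    "email": "alice@example.org",
    "preferred_username": "alice",
    "name": "Alice Example",
    "roles": ["admins", "developers"],
}
```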