From 19572932e0ffa50b26560626a0c1194201225993 Mon Sep 17 00:00:00 2001
From: Antoine Pultier <45740+fungiboletus@users.noreply.github.com>
Date: Fri, 27 Oct 2023 08:43:38 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=20Throw=20an=20error=20if=20th?=
 =?UTF-8?q?e=20user=20is=20trying=20to=20use=20a=20token=20It=20might=20be?=
 =?UTF-8?q?=20a=20dangerous=20mistake?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 controller/src/server/auth-jwt-middleware.ts | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/controller/src/server/auth-jwt-middleware.ts b/controller/src/server/auth-jwt-middleware.ts
index 78469b8d..e7333c38 100644
--- a/controller/src/server/auth-jwt-middleware.ts
+++ b/controller/src/server/auth-jwt-middleware.ts
@@ -62,17 +62,24 @@ const fixedLocalAuth: Auth = {
 async function hybridAuthJwtMiddlewareAsync( request: Request, response: Response, next: NextFunction, ): Promise {
+ // Load the Authorisation header
+ // and that the header is a Bearer token
+ const authHeader = request.headers.authorization;
+
 // If we are in development mode, we allow a fixed local user
 if (oauth2IssuerEndpoint === undefined) {
+ // Throw an error if the user is trying to use a bearer token
+ // It might be a dangerous mistake
+ if (authHeader) {
+ response.sendStatus(400);
+ return;
+ }
+
 (request as unknown as { auth: Auth }).auth = fixedLocalAuth;
 next();
 return;
 }
 
- // Load the Authorisation header
- // and that the header is a Bearer token
- const authHeader = request.headers.authorization;
-
 // We allow anonymous access to the API
 if (!authHeader) {
 next();
From c22c37e5d419898f39e51b7d975e34917a94a95d Mon Sep 17 00:00:00 2001
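Review bot: The new `if (authHeader)` block in the development branch answers with a bare `response.sendStatus(400)` and records nothing server-side, so an operator who deployed without `OAUTH2_ISSUER_ENDPOINT` only learns of it from an unexplained client 400; since the comment itself calls this "a dangerous mistake", log it before returning, e.g. `console.warn('Authorization header received while OAuth2 is not configured; rejecting request');` (or the project's logger if one is in scope outside the hunk). The guard only fires when a client presents an Authorization header; requests without one still receive `fixedLocalAuth`, so a production deployment that forgot the issuer endpoint stays open to anonymous callers, and the comment should say so to keep the check from being read as a production safeguard, e.g. `// Fail closed on any Authorization header: credentials sent to an instance without OAuth2 configured usually mean the issuer endpoint is missing. Anonymous requests still get the fixed local user.` The moved comment `// Load the Authorisation header / // and that the header is a Bearer token` is not a complete sentence; `// Read the Authorization header; whether it carries a Bearer token is checked further down` describes what the lines do. The body of hybridAuthJwtMiddlewareAsync continues outside the hunk.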
From: Antoine Pultier <45740+fungiboletus@users.noreply.github.com>
Date: Fri, 27 Oct 2023 08:44:35 +0200
Subject: [PATCH 2/2] =?UTF-8?q?=E2=9C=A8=20Support=20oauth2=20in=20the=20h?=
 =?UTF-8?q?elm=20chart?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 charts/simpipe/templates/deployment-controller.yaml | 4 +++-
 charts/simpipe/values.yaml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/charts/simpipe/templates/deployment-controller.yaml b/charts/simpipe/templates/deployment-controller.yaml
index 945bd353..59d82bcf 100644
--- a/charts/simpipe/templates/deployment-controller.yaml
+++ b/charts/simpipe/templates/deployment-controller.yaml
@@ -59,7 +59,9 @@ spec:
 - name: PROMETHEUS_SERVER_URL
 value: {{ .Values.controller.prometheus.serverUrl | quote }}
 - name: NODE_ENV
- value: development
+ value: {{ .Values.controller.nodeEnv | quote }}
+ - name: OAUTH2_ISSUER_ENDPOINT
+ value: {{ .Values.controller.oauth2.issuerEndpoint | quote }}
 ports:
 - name: http
 containerPort: {{ .Values.controller.service.port }}
diff --git a/charts/simpipe/values.yaml b/charts/simpipe/values.yaml
index db02ac71..190d6c67 100644
--- a/charts/simpipe/values.yaml
+++ b/charts/simpipe/values.yaml
@@ -31,6 +31,9 @@ controller:
 endpoint: http://simpipe-argo-workflows-server:2746/
 prometheus:
 serverUrl: http://prometheus-operated:9090
+ nodeEnv: development
+ oauth2:
+ issuerEndpoint: ""
 
 serviceAccount:
 # Annotations to add to the service account
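Review bot: `OAUTH2_ISSUER_ENDPOINT` is rendered unconditionally with `| quote`, so the chart default `issuerEndpoint: ""` (values.yaml hunk in this patch) sets the variable to an empty string instead of leaving it unset; the middleware in patch 1 selects development mode with `oauth2IssuerEndpoint === undefined`, and whether an empty environment value is normalised to `undefined` is decided outside these hunks, so a default install may end up in neither a working OAuth2 mode nor the fixed-local-user mode. Either omit the entry when the value is empty, wrapping the two lines in `{{- with .Values.controller.oauth2.issuerEndpoint }}` … `{{- end }}` with `value: {{ . | quote }}`, or confirm the controller treats `""` as unset and say so next to the default in values.yaml.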
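Review bot: The new `oauth2.issuerEndpoint: ""` default in values.yaml carries no explanation although it is the switch between OAuth2-verified identities and the fixed local user the controller otherwise assigns; a comment above it stating the consequence keeps a default install from being mistaken for an authenticated one, e.g. `# Issuer endpoint of the OAuth2 provider. When empty the controller runs without OAuth2 and assigns every request a fixed local user; set this for any non-development install.` `nodeEnv: development` likewise deserves a one-line note that it is the value exported as `NODE_ENV` and should be overridden for production.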