Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass OIDC config from .env to Backend and Frontend #458

Merged
merged 10 commits into from
Sep 1, 2023
Merged

Pass OIDC config from .env to Backend and Frontend #458

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
5ac8716
Pass OIDC config from .env to Backend and Frontend
matthew-white Aug 9, 2023
f666acc
Prefix $OIDC_ENABLED with VUE_APP_ for Vue CLI
matthew-white Aug 9, 2023
cb643b7
Remove OIDC_ENABLED config
matthew-white Aug 10, 2023
735cbe7
Can we echo OIDC_DISCOVERY_URL if we pass it via environment?
matthew-white Aug 11, 2023
8171f6c
Can we echo OIDC_DISCOVERY_URL if we pass it via build.args?
matthew-white Aug 11, 2023
e287887
Revert echo experiments
matthew-white Aug 11, 2023
f59a7a5
Only pass OIDC_DISCOVERY_URL to nginx.dockerfile
matthew-white Aug 16, 2023
6b3b295
Move ARG to immediately before use
matthew-white Aug 21, 2023
44c7353
Add back OIDC_ENABLED variable
matthew-white Aug 21, 2023
7fcfeaf
Rename OIDC_DISCOVERY_URL to OIDC_ISSUER_URL
matthew-white Aug 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .env.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,11 @@ HTTPS_PORT=443
# EMAIL_USER=
# EMAIL_PASSWORD=

# Optional: configure Single Sign-on with OpenID Connect
# OIDC_DISCOVERY_URL=
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=

# Optional: configure error reporting
# SENTRY_ORG_SUBDOMAIN=
# SENTRY_KEY=
Expand Down
7 changes: 7 additions & 0 deletions docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,9 @@ services:
- EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
- EMAIL_USER=${EMAIL_USER:-''}
- EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
- OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
- OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
- SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
- SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
- SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
Expand All @@ -74,6 +77,10 @@ services:
nginx:
build:
context: .
args:
- OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
- OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
dockerfile: nginx.dockerfile
depends_on:
- service
Expand Down
3 changes: 3 additions & 0 deletions files/prebuild/build-frontend.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
#!/bin/bash -eu
cd client
npm clean-install --no-audit --fund=false --update-notifier=false
if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
export VUE_APP_OIDC_ENABLED=true
fi
npm run build
5 changes: 5 additions & 0 deletions files/service/config.json.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,11 @@
"domain": "${BASE_URL}",
"sysadminAccount": "${SYSADMIN_EMAIL}"
},
"oidc": {
"discoveryUrl": "${OIDC_DISCOVERY_URL}",
"clientId": "${OIDC_CLIENT_ID}",
"clientSecret": "${OIDC_CLIENT_SECRET}"
matthew-white marked this conversation as resolved.
Show resolved Hide resolved
},
"external": {
"sentry": {
"orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}",
Expand Down
2 changes: 1 addition & 1 deletion files/service/scripts/start-odk.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ echo "generating local service configuration.."

ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
< /usr/share/odk/config.json.template \
> /usr/odk/config/local.json

Expand Down
6 changes: 5 additions & 1 deletion nginx.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
FROM node:18.17 as intermediate
ARG OIDC_DISCOVERY_URL
Copy link
Member Author

@matthew-white matthew-white Aug 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to note this warning I'm seeing about ARG:

It is not recommended to use build-time variables for passing secrets like GitHub keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

I don't think this is a particular problem for us, because anyone who could run docker history on the machine would also be able to read the .env file. Passing this information via build.args doesn't seem riskier than passing it via environment. However, I wanted to mention the warning in case I'm misunderstanding something about it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now, build-frontend.sh derives VUE_APP_OIDC_ENABLED from the other three OIDC_* variables. It'd be nice if we could derive that value somewhere prior to the Dockerfile, then pass only that value to the Dockerfile as an ARG. However, I don't know of an easy way to do that with our current setup. And again, my understanding is that this approach isn't a particular risk for us.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alxndrsn and I discussed this earlier today. Instead all three OIDC_* variables being passed to nginx.dockerfile, now only OIDC_DISCOVERY_URL will be passed. Unlike OIDC_CLIENT_SECRET, OIDC_DISCOVERY_URL isn't sensitive, so there shouldn't be an issue that it is passed via ARG. build-frontend.sh will derive VUE_APP_OIDC_ENABLED based only on the presence of OIDC_DISCOVERY_URL.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if derived from OIDC_DISCOVERY_URL, I think it would still be helpful to call this OIDC_ENABLED or similar in the frontend image, as that is what it's used for. I think seeing OIDC_DISCOVERY_URL in the frontend would raise questions about why it's being passed there.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OIDC_DISCOVERY_URL won't be visible in the JS that's built, just VUE_APP_OIDC_ENABLED. Is there somewhere other than the JS that you're thinking about? I think we can assume that anyone examining the source will be able to determine why the variable is passed to nginx.dockerfile.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alex and I chatted about this earlier today. We decided to reintroduce a separate OIDC_ENABLED variable so that we don't need to pass the discovery/issuer URL to the Frontend build. The user will specify the OIDC_ENABLED variable: it's not derived from the other variables. I've made this change in a commit I just pushed.

ARG OIDC_CLIENT_ID
ARG OIDC_CLIENT_SECRET

COPY ./ ./
RUN files/prebuild/write-version.sh
RUN files/prebuild/build-frontend.sh
RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
files/prebuild/build-frontend.sh

# when upgrading, look for upstream changes to redirector.conf
# also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
Expand Down