Add GitHub oauth#3
Merged
Conversation
This is needed for persistent sessions in the oauth flow.
This clarifies what is the dependency, and what is the class providing the singleton.
We're using authlib via their starlette integration to implement a GitHub OAuth client.
- GitHubOAuth configures/registers the client, and github_oauth_dependency provides an instance of that GitHub client as a path operation dependency.
- The GitHub access token is stored in the Cookie session.
Note that the endpoints for logging in and logging out are just stubs; we'll develop those further so they're configured more naturally and redirect to the right place.
After login, we cache the relevant org and team memberships in the cookie (JSON serialized). This will allow endpoints to quickly determine if the user is in the correct endpoints for a given path authorization rule.
Also add types-PyYAML dependency for mypy
The purpose of this class is to parse the github auth configuration file, and then judge if a user's cookie has the appropriate memberships to allow a user to access a given URL path.
We'll make these internal handlers optional to make it possible to serve from the application root (and hence the internal handlers won't exist). We'll re-add these types of tests once the health check endpoints are added again.
This configuration lets us break from the "Safir" app pattern and now serve from the application root path with only the "external" routes, or serve both internal and external routes if a non-trivial prefix path is set.
Needed since the app can now be served from both a prefix path or the root.
Now / is sent to the proxy endpoint. Since there isn't an explicit homepage that's publicly available:
- Make logout redirect to a special logout page that is publicly available.
- Make the default redirect from the oauth callback just redirect to "/" if a ref page isn't set.
Make */ URLs get the */index.html object from the S3 bucket.
Eventually we should implement templated error pages, but this works for now.
These aren't needed for this application.
This endpoint is always at the /__healthz path, regardless of whether the app is serving from a path prefix or not.
This includes stub for the auth rules YAML file config map, which is mounted onto the pod's filesystem.
This PR implements GitHub-based authentication with organization/team-based authorization rules.
LTD Proxy is registered as a GitHub OAuth app and authenticates users through the "OAuth dance" to get an OAuth token that has permissions to see a user's organization and team memberships.
LTD Proxy can be configured with an auth rules YAML file that is loaded via a Kubernetes config map. That file supports setting a "default" authorization based on GitHub organization and/or team memberships. The file can also add more specific authorization rules for specific paths (matching a regular expression rule for a path membership).
In the proxy endpoint, the user's memberships, set in the session cookie, are compared to the authorization rules and the content is either proxied, redirected to log in, or given a 403 response.
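An added illustration of the rule evaluation described in the "auth rules" commit and in the PR description above (example code, not LTD Proxy's own implementation): a default rule plus regex-matched path rules are checked against the org/team memberships cached in the session cookie, and the proxy endpoint's three outcomes (proxy, redirect to login, 403) are returned as strings. The YAML schema (`default`, `paths`, `pattern`, `orgs`, `teams`, `public`) is an assumption, and the configuration is embedded as the dict `yaml.safe_load()` would return so the block runs without PyYAML; since memberships are a snapshot taken at login, a user removed from a team keeps access until the session cookie expires or they log out.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed rules in the shape yaml.safe_load() would return; the key names are an assumed schema.
AUTH_RULES: Dict = {
    "default": {"orgs": ["example-org"]},
    "paths": [
        {"pattern": r"^/admin/", "teams": ["example-org/admins"]},
        {"pattern": r"^/public/", "public": True},
    ],
}

@dataclass(frozen=True)
class Memberships:
    orgs: FrozenSet[str]   # org login names cached in the session cookie at login
    teams: FrozenSet[str]  # "org/team-slug" strings cached alongside them

@dataclass(frozen=True)
class Rule:
    pattern: Optional[re.Pattern]  # None for the default rule
    orgs: FrozenSet[str]
    teams: FrozenSet[str]
    public: bool = False

    @classmethod
    def from_config(cls, entry: Dict) -> "Rule":
        pattern = re.compile(entry["pattern"]) if "pattern" in entry else None
        return cls(pattern, frozenset(entry.get("orgs", [])),
                   frozenset(entry.get("teams", [])), bool(entry.get("public", False)))

    def permits(self, m: Memberships) -> bool:
        # Membership in any one org or team named by the rule is sufficient.
        return self.public or bool(self.orgs & m.orgs) or bool(self.teams & m.teams)

class PathAuthorizer:
    def __init__(self, config: Dict) -> None:
        self.default = Rule.from_config(config.get("default", {}))
        self.rules: List[Rule] = [Rule.from_config(e) for e in config.get("paths", [])]

    def rule_for(self, path: str) -> Rule:
        """First path rule whose regex matches at the start of the (normalized) path replaces the default."""
        return next((r for r in self.rules if r.pattern and r.pattern.match(path)), self.default)

    def decide(self, path: str, m: Optional[Memberships]) -> str:
        """Mirror the proxy endpoint: 'proxy', 'login' (no session cookie) or 'forbidden' (403)."""
        rule = self.rule_for(path)
        if rule.public:
            return "proxy"
        if m is None:
            return "login"
        return "proxy" if rule.permits(m) else "forbidden"
```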