Add GitHub oauth

README.rst

@@ -2,4 +2,28 @@
 ltd-proxy
 #########
 
-LTD Proxy is a secure front-end proxy for LTD projects.
+LTD Proxy is a secure front-end proxy for LTD projects that are hosted on Amazon AWS.
+It uses GitHub OAuth to authenticate visitors and GitHub organization and/or team memberships to authorize access to pages at specific URL path prefixes.
+
+Kubernetes deployment
+=====================
+
+Secret resource
+---------------
+
+Besides the ConfigMaps, your kustomized deployment needs to include a secret resource that is referenced as environment variables from the deployment's ``app`` container.
+This secret could be generated from a Vault secret or an AWS Secret, or could be a plain Kubernetes Secret, such as:
+
+.. code-block:: yaml
+
+   apiVersion: v1
+   kind: Secret
+   type: Opaque
+   metadata:
+     name: ltdproxy
+   data:
+     LTDPROXY_AWS_ACCESS_KEY_ID: ...
+     LTDPROXY_AWS_SECRET_ACCESS_KEY: ...
+     LTDPROXY_GITHUB_OAUTH_ID: ...
+     LTDPROXY_GITHUB_OAUTH_SECRET: ...
+     LTDPROXY_SESSION_KEY: ...

manifests/base/auth-configmap.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "ltdproxy-auth"
+  labels:
+    app.kubernetes.io/name: "ltd-proxy"
+data:
+  authrules.yaml: |
+    default:
+      - org: "jsickcodes"
+    paths: []
+     - pattern: "\/a\/"
+        authorized:
+          - org: "jsickcodes"
+            team: "Red Team"
+

manifests/base/configmap.yaml

@@ -11,5 +11,9 @@ data:
   SAFIR_LOGGER: "ltdproxy"
   SAFIR_LOG_LEVEL: "INFO"
   SAFIR_PROFILE: "production"
+  LTDPROXY_AUTH_CONFIG: "/opt/ltdproxy/auth/authrules.yaml"
+  LTDPROXY_PATH_PREFIX: "/"
   LTDPROXY_S3_BUCKET: ""
   LTDPROXY_S3_PREFIX: ""
+  LTDPROXY_AWS_REGION: ""
+  LTDPROXY_GITHUB_CALLBACK_URL: ""

manifests/base/deployment.yaml

@@ -19,7 +19,7 @@ spec:
         - name: app
           imagePullPolicy: "IfNotPresent"
           # Use images field in a Kustomization to set/update image tag
-          image: "lsstsqre/ltdproxy"
+          image: "ghcr.io/jsickcodes/ltd-proxy"
           ports:
             - containerPort: 8080
               name: "app"
@@ -32,6 +32,14 @@ spec:
               drop:
                 - "all"
             readOnlyRootFilesystem: true
+          volumeMounts:
+             - name: "auth-config"
+               mountPath: "/opt/ltdproxy/auth/"
+               readOnly: true
+      volumes:
+        - name: "auth-config"
+          configMap:
+            name: "ltdproxy-auth"
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000

manifests/base/kustomization.yaml

@@ -7,5 +7,6 @@ images:
 
 resources:
   - configmap.yaml
+  - auth-configmap.yaml
   - deployment.yaml
   - service.yaml

requirements/dev.in

@@ -16,3 +16,4 @@ pytest
 pytest-asyncio
 pytest-cov
 uvicorn
+types-PyYAML

requirements/main.in

@@ -10,9 +10,13 @@ fastapi
 gunicorn
 starlette
 uvicorn[standard]
+PyYAML
 
 # Other dependencies.
 safir
 httpx
 aws-request-signer
 python-dotenv
+Authlib
+itsdangerous
+gidgethub

src/ltdproxy/appsetup.py

@@ -0,0 +1,33 @@
+"""Configuration for the app."""
+
+from __future__ import annotations
+
+from importlib.metadata import metadata
+from typing import TYPE_CHECKING
+
+from .handlers.external import external_router
+from .handlers.healthcheck import health_router
+from .handlers.internal import internal_router
+
+if TYPE_CHECKING:
+    from fastapi import FastAPI
+
+    from ltdproxy.config import Configuration
+
+
+def add_handlers(*, config: Configuration, app: FastAPI) -> None:
+    if config.path_prefix == "/":
+        app.include_router(health_router)
+        app.include_router(external_router)
+    else:
+        external_app = FastAPI(
+            title="ltd-proxy",
+            description=metadata("ltd-proxy").get("Summary", ""),
+            version=metadata("ltd-proxy").get("Version", "0.0.0"),
+            openapi_url=None,
+        )
+        external_app.include_router(external_router)
+
+        app.include_router(internal_router)
+        app.include_router(health_router)
+        app.mount(f"{config.path_prefix}", external_app)

src/ltdproxy/config.py

@@ -5,7 +5,7 @@
 import os
 from enum import Enum
 
-from pydantic import BaseSettings, Field, SecretStr
+from pydantic import BaseSettings, Field, FilePath, HttpUrl, SecretStr
 
 __all__ = ["Configuration", "config", "Profile", "LogLevel"]
 
@@ -43,7 +43,7 @@ class Configuration(BaseSettings):
 
     s3_bucket: str = Field("test", env="LTDPROXY_S3_BUCKET")
 
-    s3_bucket_prefix: str = Field("", env="LTD_PROXY_S3_PREFIX")
+    s3_bucket_prefix: str = Field("", env="LTDPROXY_S3_PREFIX")
 
     aws_region: str = Field("us-central-1", env="LTDPROXY_AWS_REGION")
 
@@ -53,6 +53,22 @@ class Configuration(BaseSettings):
         ..., env="LTDPROXY_AWS_SECRET_ACCESS_KEY"
     )
 
+    github_oauth_client_id: str = Field(env="LTDPROXY_GITHUB_OAUTH_ID")
+
+    github_oauth_client_secret: SecretStr = Field(
+        env="LTDPROXY_GITHUB_OAUTH_SECRET"
+    )
+
+    github_oauth_callback_url: HttpUrl = Field(
+        env="LTDPROXY_GITHUB_CALLBACK_URL"
+    )
+
+    session_key: SecretStr = Field(env="LTDPROXY_SESSION_KEY")
+
+    github_auth_config_path: FilePath = Field(env="LTDPROXY_AUTH_CONFIG")
+
+    path_prefix: str = Field("/", env="LTDPROXY_PATH_PREFIX")
+
 
 config = Configuration(_env_file=os.getenv("LTD_PROXY_ENV"))
 """Configuration for ltd-proxy."""