Merge pull request #1459 from maykinmedia/issues/2830-admin-oidc-setu…

…p-in-docker-compose [#2830] Properly expose ADMIN_OIDC setup configuration to docker-compose
maykinmedia · Oct 28, 2024 · c7328ef · c7328ef
2 parents a6bb96b + d756d02
commit c7328ef
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 7 deletions.
diff --git a/django-setup-config.env b/django-setup-config.env
@@ -0,0 +1,11 @@
+# AdminOIDCConfigurationStep
+# Configure admin login via OpenID Connect
+ADMIN_OIDC_CONFIG_ENABLE=true
+ADMIN_OIDC_OIDC_RP_CLIENT_ID=str
+ADMIN_OIDC_OIDC_RP_CLIENT_SECRET=str
+ADMIN_OIDC_DEFAULT_GROUPS=str
+# NOTE: These URLs are stored in a Django URLField which expects a fully qualified domain name, so e.g.
+# http://localhost:8000 or http://keycloak will not validate properly
+ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT=http://keycloak.maykinmedia.nl/realms/test/protocol/openid-connect/auth
+ADMIN_OIDC_OIDC_OP_TOKEN_ENDPOINT=http://keycloak.maykinmedia.nl/realms/test/protocol/openid-connect/token
+ADMIN_OIDC_OIDC_OP_USER_ENDPOINT=http://keycloak.maykinmedia.nl/realms/test/protocol/openid-connect/userinfo
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -53,7 +53,7 @@ services:
     volumes:
       - private_media:/private-media
 
-  web:
+  web: &web-service
     build: &web_build
       context: .
       args:
@@ -101,6 +101,14 @@ services:
     networks:
       - openinwoner-dev
 
+  web-init:
+    <<: *web-service
+    container_name: open-inwoner-web-init
+    ports: []
+    env_file:
+      - django-setup-config.env
+    command: /setup_configuration.sh
+
   nginx:
     image: nginx
     volumes:

diff --git a/docs/configuration/admin_oidc.rst b/docs/configuration/admin_oidc.rst
@@ -23,6 +23,9 @@ Required:
 ::
 
     ADMIN_OIDC_DEFAULT_GROUPS
+    ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
+    ADMIN_OIDC_OIDC_OP_TOKEN_ENDPOINT
+    ADMIN_OIDC_OIDC_OP_USER_ENDPOINT
     ADMIN_OIDC_OIDC_RP_CLIENT_ID
     ADMIN_OIDC_OIDC_RP_CLIENT_SECRET
 

diff --git a/src/open_inwoner/conf/app/setup_configuration.py b/src/open_inwoner/conf/app/setup_configuration.py
@@ -212,7 +212,7 @@
 
 # Authentication configuration variables
 # NOTE variables are namespaced with `DIGID_OIDC`, but some model field names also have `oidc_...` in them
-DIGID_OIDC_CONFIG_ENABLE = config("DIGID_OIDC_CONFIG_ENABLE", True)
+DIGID_OIDC_CONFIG_ENABLE = config("DIGID_OIDC_CONFIG_ENABLE", False)
 DIGID_OIDC_BSN_CLAIM = config("DIGID_OIDC_BSN_CLAIM", None)
 DIGID_OIDC_OIDC_RP_CLIENT_ID = config("DIGID_OIDC_OIDC_RP_CLIENT_ID", None)
 DIGID_OIDC_OIDC_RP_CLIENT_SECRET = config("DIGID_OIDC_OIDC_RP_CLIENT_SECRET", None)
@@ -236,7 +236,7 @@
 DIGID_OIDC_OIDC_STATE_SIZE = config("DIGID_OIDC_OIDC_STATE_SIZE", None)
 
 # NOTE variables are namespaced with `EHERKENNING_OIDC`, but some model field names also have `oidc_...` in them
-EHERKENNING_OIDC_CONFIG_ENABLE = config("EHERKENNING_OIDC_CONFIG_ENABLE", True)
+EHERKENNING_OIDC_CONFIG_ENABLE = config("EHERKENNING_OIDC_CONFIG_ENABLE", False)
 EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM = config(
     "EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM", None
 )

diff --git a/src/open_inwoner/configurations/bootstrap/auth.py b/src/open_inwoner/configurations/bootstrap/auth.py
@@ -237,17 +237,17 @@ class AdminOIDCConfigurationStep(BaseConfigurationStep):
             "ADMIN_OIDC_OIDC_RP_CLIENT_ID",
             "ADMIN_OIDC_OIDC_RP_CLIENT_SECRET",
             "ADMIN_OIDC_DEFAULT_GROUPS",
+            "ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT",
+            "ADMIN_OIDC_OIDC_OP_TOKEN_ENDPOINT",
+            "ADMIN_OIDC_OIDC_OP_USER_ENDPOINT",
         ],
         optional_settings=[
             "ADMIN_OIDC_CLAIM_MAPPING",
             "ADMIN_OIDC_GROUPS_CLAIM",
             "ADMIN_OIDC_MAKE_USERS_STAFF",
             "ADMIN_OIDC_OIDC_NONCE_SIZE",
-            "ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT",
             "ADMIN_OIDC_OIDC_OP_DISCOVERY_ENDPOINT",
             "ADMIN_OIDC_OIDC_OP_JWKS_ENDPOINT",
-            "ADMIN_OIDC_OIDC_OP_TOKEN_ENDPOINT",
-            "ADMIN_OIDC_OIDC_OP_USER_ENDPOINT",
             "ADMIN_OIDC_OIDC_RP_IDP_SIGN_KEY",
             "ADMIN_OIDC_OIDC_RP_SCOPES_LIST",
             "ADMIN_OIDC_OIDC_RP_SIGN_ALGO",

diff --git a/src/open_inwoner/configurations/bootstrap/utils.py b/src/open_inwoner/configurations/bootstrap/utils.py
@@ -16,4 +16,4 @@ def log_form_errors(config_step, form):
         % f"\n\n{RED}There are problems with the settings for {config_step.verbose_name}:{NORMAL}"
     )
     for field, errors in form.errors.items():
-        logger.error("%s" % "; ".join(errors))
+        logger.error("%s : %s" % (field, "; ".join(errors)))