stacks/node-red/config/settings.js

// Node-RED config — Keycloak OIDC editor auth.
// Only the editor (/red, /flow) is gated; runtime HTTP-in / dashboard routes
// stay open by default. Lock those down separately with httpNodeAuth.

// Admins listed here get permissions "*". Everyone else (any authenticated
// Keycloak user) gets ["read"] — they can view flows but cannot deploy.
const NODERED_ADMINS = (process.env.NODERED_ADMIN_USERS || "")
    .split(",")
    .map(s => s.trim().toLowerCase())
    .filter(Boolean);

function permissionsFor(username) {
    return NODERED_ADMINS.includes((username || "").toLowerCase()) ? "*" : ["read"];
}

// In-memory state store for the OIDC handshake. Node-RED's adminAuth gives us
// req.session, but for safety (and because we don't actually need anything
// beyond CSRF on the state param), we keep state in a process-local Map keyed
// by a random handle (sent as the `state` query param).
const _crypto = require("crypto");
const _stateStore = new Map();
const _STATE_TTL_MS = 10 * 60 * 1000;
setInterval(function() {
    const now = Date.now();
    for (const [k, v] of _stateStore) {
        if (v.expires < now) _stateStore.delete(k);
    }
}, 60 * 1000).unref();

module.exports = {
    uiPort: process.env.PORT || 1880,

    adminAuth: {
        type: "strategy",
        strategy: {
            name: "openidconnect",
            label: "Sign in with Keycloak",
            icon: "fa-sign-in",
            strategy: require("passport-openidconnect").Strategy,
            options: {
                issuer:           "https://auth.wbd-rd.nl/realms/wbd",
                authorizationURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/auth",
                tokenURL:         "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/token",
                userInfoURL:      "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/userinfo",
                clientID:     process.env.NODERED_OAUTH_CLIENT_ID || "node-red",
                clientSecret: process.env.NODERED_OAUTH_CLIENT_SECRET,
                callbackURL:  "https://flow.wbd-rd.nl/auth/strategy/callback/",
                scope:        ["openid", "email", "profile"],
                proxy: true,
                store: {
                    store: function(req, ctx, appState, meta, cb) {
                        const handle = _crypto.randomBytes(18).toString("hex");
                        _stateStore.set(handle, {
                            ctx: ctx || {},
                            appState: appState,
                            expires: Date.now() + _STATE_TTL_MS,
                        });
                        cb(null, handle);
                    },
                    verify: function(req, handle, cb) {
                        const entry = _stateStore.get(handle);
                        if (!entry) return cb(null, false, { message: "Unknown auth state" });
                        _stateStore.delete(handle);
                        if (entry.expires < Date.now()) {
                            return cb(null, false, { message: "Expired auth state" });
                        }
                        cb(null, entry.ctx, entry.appState);
                    },
                },
                // Standard 3-arg verify; pass the username forward so users(username) can build the user.
                verify: function(issuer, profile, done) {
                    const json = (profile && profile._json) || {};
                    const username = (
                        (profile && profile.username)
                        || json.preferred_username
                        || (profile && profile.emails && profile.emails[0] && profile.emails[0].value)
                        || json.email
                        || (profile && profile.id)
                        || "unknown"
                    ).toString().toLowerCase();
                    done(null, { username: username });
                },
            },
        },
        // Resolve a username (as produced by verify above) into a full Node-RED user.
        // Anyone the realm vouches for is allowed in; admins from NODERED_ADMIN_USERS get "*",
        // everyone else gets read-only.
        users: function(username) {
            return Promise.resolve({
                username: (username || "").toLowerCase(),
                permissions: permissionsFor(username),
            });
        },
    },

    editorTheme: {
        projects: { enabled: false },
        page: { title: "WBD Node-RED" },
    },

    functionGlobalContext: {},

    logging: {
        console: {
            level: "info",
            metrics: false,
            audit: false,
        },
    },
};
feat(sso): wire Keycloak SSO end-to-end across all apps New stack: - stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq) that gate vhosts via nginx auth_request against Keycloak's wbd realm. Native OIDC wired into: - grafana (generic_oauth, role-attribute-path → Admin/Editor/Viewer) - jupyterhub (oauthenticator.GenericOAuthenticator) - node-red (passport-openidconnect; in-memory state store + users() resolver because adminAuth doesn't expose req.session) - jenkins (oic-auth plugin via JCasC; matrix-auth for authz; setup wizard suppressed; custom image with plugins.txt) Infra fixes uncovered while bringing the above online: - nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks don't 502 on the JWT-bearing Set-Cookie header. - nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names re-resolve after sidecar recreates (was cross-wiring oauth2-proxy upstreams after restart). - jupyterhub: pass --allow-root to the singleuser spawner (hub runs as root inside its container; jupyter-server refused root without flag). - jupyterhub Dockerfile: install jupyterlab + notebook so SimpleLocalProcessSpawner has something to launch. - node-red Dockerfile: install passport-openidconnect into the image so settings.js can require() it. - portainer: pre-seed local admin via --admin-password=<bcrypt-hash> so the 5-minute "no admin → lockout" timer can never trigger. - deploy.sh: restore executable bit (was 644 in repo). Admin/viewer policy: - Created realm role `app-admin` in keycloak wbd realm. - Grafana maps app-admin → Admin (default Viewer). - Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated users get Overall/Read + Job/Read + View/Read. - Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others ["read"]. (TODO: switch to app-admin realm role.) - JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.) - Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email. Docs: - README, cloud/README, stacks/oauth2-proxy/README, and per-stack READMEs updated to reflect the new state and remove resolved TODOs. - cloud/.env.example gains all the new OIDC client + cookie-secret keys. - cloud/README documents the full kcadm realm bootstrap, including the hardcoded-audience mapper and post-logout redirect URIs that are non-obvious gotchas. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 18:34:37 +00:00			`// Node-RED config — Keycloak OIDC editor auth.`
			`// Only the editor (/red, /flow) is gated; runtime HTTP-in / dashboard routes`
			`// stay open by default. Lock those down separately with httpNodeAuth.`

			`// Admins listed here get permissions "*". Everyone else (any authenticated`
			`// Keycloak user) gets ["read"] — they can view flows but cannot deploy.`
			`const NODERED_ADMINS = (process.env.NODERED_ADMIN_USERS \|\| "")`
			`.split(",")`
			`.map(s => s.trim().toLowerCase())`
			`.filter(Boolean);`

			`function permissionsFor(username) {`
			`return NODERED_ADMINS.includes((username \|\| "").toLowerCase()) ? "*" : ["read"];`
			`}`

			`// In-memory state store for the OIDC handshake. Node-RED's adminAuth gives us`
			`// req.session, but for safety (and because we don't actually need anything`
			`// beyond CSRF on the state param), we keep state in a process-local Map keyed`
			// by a random handle (sent as the `state` query param).
			`const _crypto = require("crypto");`
			`const _stateStore = new Map();`
			`const _STATE_TTL_MS = 10 * 60 * 1000;`
			`setInterval(function() {`
			`const now = Date.now();`
			`for (const [k, v] of _stateStore) {`
			`if (v.expires < now) _stateStore.delete(k);`
			`}`
			`}, 60 * 1000).unref();`

			`module.exports = {`
			`uiPort: process.env.PORT \|\| 1880,`

			`adminAuth: {`
			`type: "strategy",`
			`strategy: {`
			`name: "openidconnect",`
			`label: "Sign in with Keycloak",`
			`icon: "fa-sign-in",`
			`strategy: require("passport-openidconnect").Strategy,`
			`options: {`
			`issuer: "https://auth.wbd-rd.nl/realms/wbd",`
			`authorizationURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/auth",`
			`tokenURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/token",`
			`userInfoURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/userinfo",`
			`clientID: process.env.NODERED_OAUTH_CLIENT_ID \|\| "node-red",`
			`clientSecret: process.env.NODERED_OAUTH_CLIENT_SECRET,`
			`callbackURL: "https://flow.wbd-rd.nl/auth/strategy/callback/",`
			`scope: ["openid", "email", "profile"],`
			`proxy: true,`
			`store: {`
			`store: function(req, ctx, appState, meta, cb) {`
			`const handle = _crypto.randomBytes(18).toString("hex");`
			`_stateStore.set(handle, {`
			`ctx: ctx \|\| {},`
			`appState: appState,`
			`expires: Date.now() + _STATE_TTL_MS,`
			`});`
			`cb(null, handle);`
			`},`
			`verify: function(req, handle, cb) {`
			`const entry = _stateStore.get(handle);`
			`if (!entry) return cb(null, false, { message: "Unknown auth state" });`
			`_stateStore.delete(handle);`
			`if (entry.expires < Date.now()) {`
			`return cb(null, false, { message: "Expired auth state" });`
			`}`
			`cb(null, entry.ctx, entry.appState);`
			`},`
			`},`
			`// Standard 3-arg verify; pass the username forward so users(username) can build the user.`
			`verify: function(issuer, profile, done) {`
			`const json = (profile && profile._json) \|\| {};`
			`const username = (`
			`(profile && profile.username)`
			`\|\| json.preferred_username`
			`\|\| (profile && profile.emails && profile.emails[0] && profile.emails[0].value)`
			`\|\| json.email`
			`\|\| (profile && profile.id)`
			`\|\| "unknown"`
			`).toString().toLowerCase();`
			`done(null, { username: username });`
			`},`
			`},`
			`},`
			`// Resolve a username (as produced by verify above) into a full Node-RED user.`
			`// Anyone the realm vouches for is allowed in; admins from NODERED_ADMIN_USERS get "*",`
			`// everyone else gets read-only.`
			`users: function(username) {`
			`return Promise.resolve({`
			`username: (username \|\| "").toLowerCase(),`
			`permissions: permissionsFor(username),`
			`});`
			`},`
			`},`

			`editorTheme: {`
			`projects: { enabled: false },`
			`page: { title: "WBD Node-RED" },`
			`},`

			`functionGlobalContext: {},`

			`logging: {`
			`console: {`
			`level: "info",`
			`metrics: false,`
			`audit: false,`
			`},`
			`},`
			`};`