R de Ren
33a794e35d
New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
that gate vhosts via nginx auth_request against Keycloak's wbd realm.
Native OIDC wired into:
- grafana (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub (oauthenticator.GenericOAuthenticator)
- node-red (passport-openidconnect; in-memory state store + users()
resolver because adminAuth doesn't expose req.session)
- jenkins (oic-auth plugin via JCasC; matrix-auth for authz; setup
wizard suppressed; custom image with plugins.txt)
Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).
Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.
Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
hardcoded-audience mapper and post-logout redirect URIs that are
non-obvious gotchas.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
111 lines
4.6 KiB
JavaScript
111 lines
4.6 KiB
JavaScript
// Node-RED config — Keycloak OIDC editor auth.
|
|
// Only the editor (/red, /flow) is gated; runtime HTTP-in / dashboard routes
|
|
// stay open by default. Lock those down separately with httpNodeAuth.
|
|
|
|
// Admins listed here get permissions "*". Everyone else (any authenticated
|
|
// Keycloak user) gets ["read"] — they can view flows but cannot deploy.
|
|
const NODERED_ADMINS = (process.env.NODERED_ADMIN_USERS || "")
|
|
.split(",")
|
|
.map(s => s.trim().toLowerCase())
|
|
.filter(Boolean);
|
|
|
|
function permissionsFor(username) {
|
|
return NODERED_ADMINS.includes((username || "").toLowerCase()) ? "*" : ["read"];
|
|
}
|
|
|
|
// In-memory state store for the OIDC handshake. Node-RED's adminAuth gives us
|
|
// req.session, but for safety (and because we don't actually need anything
|
|
// beyond CSRF on the state param), we keep state in a process-local Map keyed
|
|
// by a random handle (sent as the `state` query param).
|
|
const _crypto = require("crypto");
|
|
const _stateStore = new Map();
|
|
const _STATE_TTL_MS = 10 * 60 * 1000;
|
|
setInterval(function() {
|
|
const now = Date.now();
|
|
for (const [k, v] of _stateStore) {
|
|
if (v.expires < now) _stateStore.delete(k);
|
|
}
|
|
}, 60 * 1000).unref();
|
|
|
|
module.exports = {
|
|
uiPort: process.env.PORT || 1880,
|
|
|
|
adminAuth: {
|
|
type: "strategy",
|
|
strategy: {
|
|
name: "openidconnect",
|
|
label: "Sign in with Keycloak",
|
|
icon: "fa-sign-in",
|
|
strategy: require("passport-openidconnect").Strategy,
|
|
options: {
|
|
issuer: "https://auth.wbd-rd.nl/realms/wbd",
|
|
authorizationURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/auth",
|
|
tokenURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/token",
|
|
userInfoURL: "https://auth.wbd-rd.nl/realms/wbd/protocol/openid-connect/userinfo",
|
|
clientID: process.env.NODERED_OAUTH_CLIENT_ID || "node-red",
|
|
clientSecret: process.env.NODERED_OAUTH_CLIENT_SECRET,
|
|
callbackURL: "https://flow.wbd-rd.nl/auth/strategy/callback/",
|
|
scope: ["openid", "email", "profile"],
|
|
proxy: true,
|
|
store: {
|
|
store: function(req, ctx, appState, meta, cb) {
|
|
const handle = _crypto.randomBytes(18).toString("hex");
|
|
_stateStore.set(handle, {
|
|
ctx: ctx || {},
|
|
appState: appState,
|
|
expires: Date.now() + _STATE_TTL_MS,
|
|
});
|
|
cb(null, handle);
|
|
},
|
|
verify: function(req, handle, cb) {
|
|
const entry = _stateStore.get(handle);
|
|
if (!entry) return cb(null, false, { message: "Unknown auth state" });
|
|
_stateStore.delete(handle);
|
|
if (entry.expires < Date.now()) {
|
|
return cb(null, false, { message: "Expired auth state" });
|
|
}
|
|
cb(null, entry.ctx, entry.appState);
|
|
},
|
|
},
|
|
// Standard 3-arg verify; pass the username forward so users(username) can build the user.
|
|
verify: function(issuer, profile, done) {
|
|
const json = (profile && profile._json) || {};
|
|
const username = (
|
|
(profile && profile.username)
|
|
|| json.preferred_username
|
|
|| (profile && profile.emails && profile.emails[0] && profile.emails[0].value)
|
|
|| json.email
|
|
|| (profile && profile.id)
|
|
|| "unknown"
|
|
).toString().toLowerCase();
|
|
done(null, { username: username });
|
|
},
|
|
},
|
|
},
|
|
// Resolve a username (as produced by verify above) into a full Node-RED user.
|
|
// Anyone the realm vouches for is allowed in; admins from NODERED_ADMIN_USERS get "*",
|
|
// everyone else gets read-only.
|
|
users: function(username) {
|
|
return Promise.resolve({
|
|
username: (username || "").toLowerCase(),
|
|
permissions: permissionsFor(username),
|
|
});
|
|
},
|
|
},
|
|
|
|
editorTheme: {
|
|
projects: { enabled: false },
|
|
page: { title: "WBD Node-RED" },
|
|
},
|
|
|
|
functionGlobalContext: {},
|
|
|
|
logging: {
|
|
console: {
|
|
level: "info",
|
|
metrics: false,
|
|
audit: false,
|
|
},
|
|
},
|
|
};
|