Merge pull request #532 from maykinmedia/feature/521-oidc-through-django-config

SilviaAmAm · web-flow · commit 8f561216e848 · 2024-12-09T10:40:21.000+01:00
[#521] OIDC through django config
diff --git a/backend/bin/setup_configuration.sh b/backend/bin/setup_configuration.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
 
 # Waiting for database to be up
+export PGHOST=${DB_HOST:-db}
+export PGPORT=${DB_PORT:-5432}
+
 until pg_isready; do
   >&2 echo "Waiting for database connection..."
   sleep 1
diff --git a/backend/docker-services/keycloak/docker-compose.yaml b/backend/docker-services/keycloak/docker-compose.yaml
@@ -16,10 +16,9 @@ services:
     networks:
       - keycloak-dev
 
-  keycloak:
+  keycloak.local:
     depends_on:
       - keycloak-db
-    container_name: keycloak_dev
     command: start-dev --import-realm
     environment:
       KEYCLOAK_ADMIN: admin
@@ -39,4 +38,5 @@ services:
       - keycloak-dev
 
 networks:
-  keycloak-dev:
+  keycloak-dev:
+    name: keycloak-dev
diff --git a/backend/docker-services/openzaak/docker-compose.yaml b/backend/docker-services/openzaak/docker-compose.yaml
@@ -12,7 +12,7 @@ services:
     image: redis:7
     command: ["redis-server", "--appendonly", "yes"]
     networks:
-      - oab-dev
+      - openzaak-dev
 
   openzaak-db:
     image: postgis/postgis:${PG_VERSION:-14-master}
@@ -22,7 +22,7 @@ services:
       - ./docker-init-open-zaak-db/:/docker-entrypoint-initdb.d
       - open-zaak-db:/var/lib/postgresql/data
     networks:
-      - oab-dev
+      - openzaak-dev
 
   openzaak-web.local:
     image: openzaak/open-zaak:${OPENZAAK_VERSION:-1.13.0}
@@ -57,7 +57,7 @@ services:
       - openzaak-db
       - openzaak-redis
     networks:
-      - oab-dev
+      - openzaak-dev
 
   celery:
     image: openzaak/open-zaak:${OPENZAAK_VERSION:-1.13.0}
@@ -68,13 +68,13 @@ services:
       - openzaak-db
       - openzaak-redis
     networks:
-      - oab-dev
+      - openzaak-dev
 
 volumes:
   open-zaak-db:
   media:
   private-media:
 
 networks:
-  oab-dev:
-    name: oab-dev
+  openzaak-dev:
+    name: openzaak-dev
diff --git a/backend/docker-services/setup-configuration/data.yaml b/backend/docker-services/setup-configuration/data.yaml
diff --git a/backend/requirements/base.in b/backend/requirements/base.in
@@ -14,7 +14,7 @@ django-rosetta
 maykin-2fa
 django-timeline-logger
 django-solo
-mozilla-django-oidc-db
+mozilla-django-oidc-db[setup-configuration]
 django-privates
 django-setup-configuration
 
diff --git a/backend/requirements/base.txt b/backend/requirements/base.txt
@@ -122,6 +122,7 @@ django-sendfile2==0.7.1
 django-setup-configuration==0.4.0
     # via
     #   -r requirements/base.in
+    #   mozilla-django-oidc-db
     #   zgw-consumers
 django-simple-certmanager==2.0.0
     # via zgw-consumers
@@ -176,7 +177,7 @@ maykin-2fa==1.0.0
     # via -r requirements/base.in
 mozilla-django-oidc==4.0.1
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db==0.19.0
+mozilla-django-oidc-db==0.20.0
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl
diff --git a/backend/requirements/ci.txt b/backend/requirements/ci.txt
@@ -373,7 +373,7 @@ mozilla-django-oidc==4.0.1
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.19.0
+mozilla-django-oidc-db==0.20.0
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
diff --git a/backend/requirements/dev.txt b/backend/requirements/dev.txt
@@ -457,7 +457,7 @@ mozilla-django-oidc==4.0.1
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   mozilla-django-oidc-db
-mozilla-django-oidc-db==0.19.0
+mozilla-django-oidc-db==0.20.0
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
diff --git a/backend/src/openarchiefbeheer/conf/base.py b/backend/src/openarchiefbeheer/conf/base.py
@@ -659,4 +659,5 @@
 SETUP_CONFIGURATION_STEPS = [
     "zgw_consumers.contrib.setup_configuration.steps.ServiceConfigurationStep",
     "openarchiefbeheer.config.setup_configuration.steps.APIConfigConfigurationStep",
+    "mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep",
 ]
diff --git a/backend/src/openarchiefbeheer/config/setup_configuration/fixtures/data.yaml b/backend/src/openarchiefbeheer/config/setup_configuration/fixtures/data.yaml
@@ -0,0 +1,65 @@
+zgw_consumers_config_enable: true
+zgw_consumers:
+  services:
+  - identifier: zaken-test
+    label: Open Zaak - Zaken API
+    api_root: http://localhost:8003/zaken/api/v1/
+    api_type: zrc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: documenten-test
+    label: Open Zaak - Documenten API
+    api_root: http://localhost:8003/documenten/api/v1/
+    api_type: drc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: catalogi-test
+    label: Open Zaak - Catalogi API
+    api_root: http://localhost:8003/catalogi/api/v1/
+    api_type: ztc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: besluiten-test
+    label: Open Zaak - Besluiten API
+    api_root: http://localhost:8003/besluiten/api/v1/
+    api_type: brc
+    auth_type: zgw
+    client_id: test-vcr
+    secret: test-vcr
+  - identifier: selectielijst
+    label: Open Zaak (public) - Selectielijst API
+    api_root: https://selectielijst.openzaak.nl/api/v1/
+    api_type: orc
+    auth_type: no_auth
+
+api_configuration_enabled: true
+api_configuration:
+  selectielijst_service_identifier: selectielijst
+
+
+oidc_db_config_enable: true
+oidc_db_config_admin_auth:
+  enabled: true
+  oidc_rp_client_id: "openarchiefbeheer-dev"
+  oidc_rp_client_secret: "very-secret-bla"
+  oidc_rp_sign_algo: "RS256"
+  oidc_token_use_basic_auth: false
+  username_claim: 
+    - preferred_username   
+  groups_claim:
+    - resource_access
+    - openarchiefbeheer-dev
+    - roles
+  superuser_group_names:
+    - Superuser
+  userinfo_claims_source: userinfo_endpoint
+  oidc_op_jwks_endpoint: "http://localhost:28080/realms/openarchiefbeheer-dev/protocol/openid-connect/certs"
+  oidc_op_logout_endpoint: "http://localhost:28080/realms/openarchiefbeheer-dev/protocol/openid-connect/logout"
+  oidc_rp_idp_sign_key: ""
+  endpoint_config:
+    oidc_op_authorization_endpoint: "http://localhost:28080/realms/openarchiefbeheer-dev/protocol/openid-connect/auth"
+    oidc_op_token_endpoint: "http://localhost:28080/realms/openarchiefbeheer-dev/protocol/openid-connect/token"
+    oidc_op_user_endpoint: "http://localhost:28080/realms/openarchiefbeheer-dev/protocol/openid-connect/userinfo"
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -58,12 +58,15 @@ services:
     networks:
       - open-archiefbeheer-dev
 
+  # TODO: the configuration does not result in properly working OIDC
+  # The backchannel needs a hostname resolvable in the docker network but the 
+  # frontchannel needs a hostname resolvable on the host.
   web-init:
     build: .
     environment: *web_env
     command: /setup_configuration.sh
     volumes:
-      - ./backend/docker-services/setup-configuration:/app/setup_configuration
+      - ./backend/src/openarchiefbeheer/config/setup-configuration/fixtures:/app/setup_configuration
     depends_on:
       - db
       - redis

Original file line number	Diff line number	Diff line change
`@@ -659,4 +659,5 @@`
`659`	`659`	`SETUP_CONFIGURATION_STEPS = [`
`660`	`660`	`"zgw_consumers.contrib.setup_configuration.steps.ServiceConfigurationStep",`
`661`	`661`	`"openarchiefbeheer.config.setup_configuration.steps.APIConfigConfigurationStep",`
	`662`	`+ "mozilla_django_oidc_db.setup_configuration.steps.AdminOIDCConfigurationStep",`
`662`	`663`	`]`