Add OIDC config primitives #49
Conversation
app/lib/clients/vault/oidc.rb
Outdated
|
|
||
| def oidc_provider | ||
| ::Vault::Client.new( | ||
| address: "http://oidc_provider:8300", |
There was a problem hiding this comment.
Is this static string what you want here?
There was a problem hiding this comment.
changed to config param in astral.yml
README.md
Outdated
| his username/password. | ||
|
|
||
| On success, the provider returns an OIDC token, which includes the | ||
| user's email addr. |
There was a problem hiding this comment.
maybe don't abbreviate "addr" in the doc?
README.md
Outdated
| You should do this on your host machine, not in docker. This will | ||
| allow a browser window to open on your host. When it does, select | ||
| "username" option with user test/test. (That is the username/pw | ||
| configured by the rails tests.) |
app/lib/utils/oidc_provider.rb
Outdated
| private | ||
| WEBAPP_NAME = "identity/oidc/client/astral" | ||
|
|
||
| def oidc_provider |
There was a problem hiding this comment.
i think naming this vault_client might make downstream usage a little clearer? since the class is OidcProvider (abstraction) but rubber is meeting road here (vault specifically is the provider).
| oidc_provider_addr: http://oidc_provider:8300 | ||
| initial_user_name: test | ||
| initial_user_password: test | ||
| initial_user_email: [email protected] |
There was a problem hiding this comment.
you could eliminate one repetition of this config by putting these dev/test values in shared and the blank overrides in production
config/environments/development.rb
Outdated
| @@ -72,4 +73,8 @@ | |||
|
|
|||
| # Apply autocorrection by RuboCop to files generated by `bin/rails generate`. | |||
| # config.generators.apply_rubocop_autocorrect_after_generate! | |||
|
|
|||
| def get_oidc_config | |||
There was a problem hiding this comment.
similar, if this is the default impl and noop is the production case, you reduce one repetition
|
@suprjinx I've addressed all your comments. |
parameters to the oidc vault client creation.
|
@suprjinx It is ready to review again. I had to modify the cert gen rake task to include the "Subject Alternative Name", because I was getting this error when configuring the provider: |
README.md
Outdated
| OidcProvider.new.configure creates an OIDC provider | ||
| and user on a separate dedicated Vault instance. The user created has | ||
| a username/password/email address, that can be accessed with OIDC auth | ||
| from in the principal Vault instance. |
| @@ -3,15 +3,21 @@ require "rake" | |||
| # Rake tasks for making a vault cert | |||
| namespace :configure do | |||
| desc "Make the server cert for vault" | |||
| task :ssl do | |||
| task :ssl, [ :cert_name ] do |t, args| | |||
There was a problem hiding this comment.
I like your approach :-). I'll have adopt this in #53
Add OIDC config primitives:
configure_oidc_provider, configure_oidc_client, configure_oidc_user