confserver: record username & email from HTTP headers in commits

To use this feature with uwsgi (typical prod or docker-compose environment), add a reverse proxy that defines headers for username and/or e-mail address, and set the following environment variables to the name of these headers. For example: ``` CURIECONF_TRUSTED_USERNAME_HEADER=X-Forwarded-User CURIECONF_TRUSTED_EMAIL_HEADER=X-Forwarded-Email ``` Working oauth2-proxy configuration (container to be added to docker-compose.yml): ``` oauth2: container_name: oauth2 hostname: oauth2 image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 restart: always environment: - "OAUTH2_PROXY_PROVIDER=google" - "OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Test google.com provider" - "OAUTH2_PROXY_CLIENT_ID=(...use proper value....).apps.googleusercontent.com" - "OAUTH2_PROXY_CLIENT_SECRET=(...use proper value...)" - "OAUTH2_PROXY_REDIRECT_URL=https://accounts.google.com/o/oauth2/auth" - "OAUTH2_PROXY_REDIRECT_URL=http://localvm.com:4180/oauth2/callback" - "OAUTH2_PROXY_COOKIE_SECURE=false" - "OAUTH2_PROXY_COOKIE_SECRET=(...use proper value...)" - "OAUTH2_PROXY_EMAIL_DOMAINS=*" - "OAUTH2_PROXY_UPSTREAMS=http://uiserver:80" - "OAUTH2_PROXY_HTTP_ADDRESS=http://0.0.0.0:4180" networks: - confnet ports: - "4180:4180" ``` Signed-off-by: Xavier <[email protected]>
xavier-rbz · Jul 25, 2022 · 111df72 · 111df72
1 parent 7f6a754
commit 111df72
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 96 deletions.
diff --git a/curiefense/curieconf/server/app/main.py b/curiefense/curieconf/server/app/main.py
@@ -1,4 +1,14 @@
 from curieconf.confserver import app
 from curieconf.confserver.backend import Backends
+import os
 
 app.backend = Backends.get_backend(app, "git:///cf-persistent-config/confdb")
+options = {}
+val = os.environ.get("CURIECONF_TRUSTED_USERNAME_HEADER", None)
+if val:
+    options["trusted_username_header"] = val
+val = os.environ.get("CURIECONF_TRUSTED_EMAIL_HEADER", None)
+if val:
+    options["trusted_email_header"] = val
+
+app.options = options
diff --git a/curiefense/curieconf/server/curieconf/confserver/__init__.py b/curiefense/curieconf/server/curieconf/confserver/__init__.py
@@ -30,6 +30,7 @@ def drop_into_pdb(app, exception):
 
 
 def main(args=None):
+    # only called when running manually, not through uwsgi
     global mongo
     import argparse
 
@@ -43,6 +44,16 @@ def main(args=None):
     parser.add_argument(
         "-p", "--port", type=int, default=int(os.environ.get("CURIECONF_PORT", "5000"))
     )
+    parser.add_argument(
+        "--trusted-username-header",
+        type=str,
+        default=os.environ.get("CURIECONF_TRUSTED_USERNAME_HEADER", ""),
+    )
+    parser.add_argument(
+        "--trusted-email-header",
+        type=str,
+        default=os.environ.get("CURIECONF_TRUSTED_EMAIL_HEADER", ""),
+    )
 
     options = parser.parse_args(args)
 
@@ -52,7 +63,7 @@ def main(args=None):
     try:
         with app.app_context():
             current_app.backend = Backends.get_backend(app, options.dbpath)
-            current_app.options = options
+            current_app.options = options.__dict__
             app.run(debug=options.debug, host=options.host, port=options.port)
     finally:
         pass