feat: add auth providers #320
Conversation
g-linville
requested review from
drpebcak,
thedadams,
njhale,
StrongMonkey and
iwilltry42
There was a problem hiding this comment.
In addition to these comments, can we do a little more consolidation? Now that we are adding more Go-based model providers, there is an effort to combine as much of the common logic as is reasonable. Can we do the same thing here? Perhaps a common package at the top level?
github-auth-provider/main.go
Outdated
| mux.HandleFunc("/", oauthProxy.ServeHTTP) | ||
|
|
||
| fmt.Printf("listening on 127.0.0.1:%s\n", port) | ||
| if err := http.ListenAndServe("127.0.0.1:"+port, mux); err != nil { |
There was a problem hiding this comment.
ListenAndServe always returns an error. I think we should catch the "server closed" error and not exit 1 in that case.
github-auth-provider/main.go
Outdated
| for k, v := range sr.Header { | ||
| reqObj.Header[k] = v | ||
| } |
There was a problem hiding this comment.
Does something like this work? Maybe a cast is needed?
| for k, v := range sr.Header { | |
| reqObj.Header[k] = v | |
| } | |
| reqObj.Header = sr.Header |
github-auth-provider/main.go
Outdated
| return | ||
| } | ||
|
|
||
| w.WriteHeader(http.StatusOK) |
There was a problem hiding this comment.
This is written the first time we write to w.
github-auth-provider/tool.gpt
Outdated
| Description: Auth provider for GitHub | ||
| Metadata: envVars: OBOT_GITHUB_AUTH_PROVIDER_CLIENT_ID,OBOT_GITHUB_AUTH_PROVIDER_CLIENT_SECRET,OBOT_AUTH_PROVIDER_COOKIE_SECRET,OBOT_AUTH_PROVIDER_EMAIL_DOMAINS | ||
| Metadata: optionalEnvVars: OBOT_GITHUB_AUTH_PROVIDER_TEAMS,OBOT_GITHUB_AUTH_PROVIDER_ORG,OBOT_GITHUB_AUTH_PROVIDER_REPO,OBOT_GITHUB_AUTH_PROVIDER_TOKEN,OBOT_GITHUB_AUTH_PROVIDER_ALLOW_USERS | ||
| Credential: ../model-provider-credential as github-auth-provider |
There was a problem hiding this comment.
Should we consider renaming this credential to something more descriptive?
There was a problem hiding this comment.
I renamed this to placeholder-credential
google-auth-provider/pkg/env/env.go
Outdated
| "strings" | ||
| ) | ||
|
|
||
| func LoadEnvForStruct[T any](s *T) error { |
There was a problem hiding this comment.
Can we have only one of these?
There was a problem hiding this comment.
I moved this into a common package
google-auth-provider/main.go
Outdated
| return | ||
| } | ||
|
|
||
| w.WriteHeader(http.StatusOK) |
There was a problem hiding this comment.
Same comment about this already being written when we write w.
google-auth-provider/main.go
Outdated
| mux.HandleFunc("/", oauthProxy.ServeHTTP) | ||
|
|
||
| fmt.Printf("listening on 127.0.0.1:%s\n", port) | ||
| if err := http.ListenAndServe("127.0.0.1:"+port, mux); err != nil { |
There was a problem hiding this comment.
Catch "server closed" error.
|
@thedadams I created a common package to hold code that would be used by all auth providers. For now, it only includes the env for struct stuff. |
g-linville
force-pushed
the
auth-providers
branch
from
efbb3c7 to
78621cc
Compare
|
Sorry for the force push. Needed to rebase to fix a conflict. |
| Metadata: envVars: OBOT_GITHUB_AUTH_PROVIDER_CLIENT_ID,OBOT_GITHUB_AUTH_PROVIDER_CLIENT_SECRET,OBOT_AUTH_PROVIDER_COOKIE_SECRET,OBOT_AUTH_PROVIDER_EMAIL_DOMAINS | ||
| Metadata: optionalEnvVars: OBOT_GITHUB_AUTH_PROVIDER_TEAMS,OBOT_GITHUB_AUTH_PROVIDER_ORG,OBOT_GITHUB_AUTH_PROVIDER_REPO,OBOT_GITHUB_AUTH_PROVIDER_TOKEN,OBOT_GITHUB_AUTH_PROVIDER_ALLOW_USERS | ||
| Credential: ../placeholder-credential as github-auth-provider | ||
|
|
There was a problem hiding this comment.
| Metadata: noUserAuth: github-auth-provider | |
| Description: Auth provider for Google | ||
| Metadata: envVars: OBOT_GOOGLE_AUTH_PROVIDER_CLIENT_ID,OBOT_GOOGLE_AUTH_PROVIDER_CLIENT_SECRET,OBOT_AUTH_PROVIDER_COOKIE_SECRET,OBOT_AUTH_PROVIDER_EMAIL_DOMAINS | ||
| Credential: ../placeholder-credential as google-auth-provider | ||
|
|
There was a problem hiding this comment.
| Metadata: noUserAuth: google-auth-provider | |
Signed-off-by: Grant Linville <[email protected]>
g-linville
force-pushed
the
auth-providers
branch
from
51ac9d5 to
c521325
Compare
|
Force pushed to rebase on main and fix conflicts. |
|
@g-linville Did you mean to close this? |
|
Nope, lol. Not sure how I managed to close it. |
google-auth-provider/main.go
Outdated
| Email string `json:"email"` | ||
| } | ||
|
|
||
| func obotGetState(p *oauth2proxy.OAuthProxy) http.HandlerFunc { |
There was a problem hiding this comment.
It would be great if this function could be imported from a shared package for all auth providers. This is very likely to be exactly the same for all auth providers.
I would be OK with this change being made when we add the next auth provider.
| } | ||
| } | ||
|
|
||
| func obotGetIconURL(w http.ResponseWriter, r *http.Request) { |
There was a problem hiding this comment.
Same comment here about importing this from a shared package.
There was a problem hiding this comment.
Doesn't look like this was done.
There was a problem hiding this comment.
Oh I didn't pay close enough attention to this one lol. Sorry. I would like to keep this out of the common package, since the function is a bit different for our current two providers.
Signed-off-by: Grant Linville <[email protected]>
Signed-off-by: Grant Linville <[email protected]>
Signed-off-by: Grant Linville <[email protected]>
This PR adds auth provider tools for Google and GitHub. This is to replace the built-in auth providers that are currently in the Obot gateway code, but will soon be refactored to use these instead.
Once refactored, Obot will reverse proxy traffic to these daemon tools, which will then either respond on their own (for the
/obot*paths) or handle it with the oauth2proxy.The
/obot-get-statepath is used to get information about the logged in user. Obot will send over a serialized request, which gets reconstructed into anhttp.Requesthere in the auth provider, so that we can extract the state from the cookie using the oauth2proxy library.