🎨(tooling) generate default SATOSA secrets for developemnt

`make bootstrap` will now generate well-formed secrets in
env.d/development/satosa. This also serves to document one way
of generating such secrets.
This commit is contained in:
Jonathan Perret
2024-04-17 17:00:06 +02:00
parent 3b2e63e2b5
commit a6d3483ad9
5 changed files with 27 additions and 57 deletions
+10 -1
View File
@@ -137,7 +137,16 @@ env.d/development/common:
cp -n env.d/development/common.dist env.d/development/common
env.d/development/satosa:
cp -n env.d/development/satosa.dist env.d/development/satosa
openssl req -quiet -batch -x509 -nodes -days 3650 -newkey rsa:2048 \
-subj "/CN=satosa.traefik.me" -out - -keyout - \
| awk '/BEGIN PRIVATE/,/END PRIVATE/{privkey=privkey $$0 "\n"} \
/BEGIN CERTIFICATE/,/END CERTIFICATE/{cert=cert $$0 "\n"} \
END { \
printf "SAML2_BACKEND_KEY=\"%s\"\n", privkey; \
printf "SAML2_BACKEND_CERT=\"%s\"\n", cert; \
}' > $@
echo "OIDC_FRONTEND_KEY=\"$$(openssl genrsa 2048)\"" >> $@
echo "STATE_ENCRYPTION_KEY=$$(openssl rand -hex 32)" >> $@
# -- Misc
clean: ## restore repository state as it was freshly cloned
+4 -4
View File
@@ -28,10 +28,10 @@ The easiest way to start working on the project is to use GNU Make:
$ make bootstrap
```
This command builds the `app` container, installs dependencies, performs
database migrations and compile translations. It's a good idea to use this
command each time you are pulling code from the project repository to avoid
dependency-related or migration-related issues.
This command builds the `app-dev` container, installs dependencies, and sets up
the development services. It's a good idea to use this command each time
you are pulling code from the project repository to avoid dependency-related or
migration-related issues.
Your Docker services should now be up and running 🎉
+13 -12
View File
@@ -10,24 +10,25 @@ services:
environment:
PYLINTHOME: /app/.pylint.d
BASE_URL: https://satosa.traefik.me
CLIENT_DB_JSON: |
{
"oidc-test-client": {
"response_types": [
"id_token",
"code"
],
"redirect_uris": [
"https://oidc-test-client.traefik.me/auth/callback"
],
"client_secret": "oidc-test-secret"
}
}
env_file:
- env.d/development/common
- env.d/development/satosa
volumes:
- ./src/satosa:/app
app:
build:
context: .
target: production
args:
DOCKER_USER: ${DOCKER_USER:-1000}
user: ${DOCKER_USER:-1000}
image: oidc2fer:production
env_file:
- env.d/development/common
- env.d/development/satosa
oidc-test-client:
image: ghcr.io/beryju/oidc-test-client
depends_on:
@@ -1,19 +1,6 @@
resolver 127.0.0.11;
charset utf-8;
server {
listen 8081;
server_name localhost;
location / {
set $backend "http://app:8000";
proxy_pass $backend; # using a variable to force late name resolution
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
server_name satosa.traefik.me;
listen 443 ssl;
-27
View File
@@ -1,27 +0,0 @@
STATE_ENCRYPTION_KEY=
SAML2_BACKEND_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"
SAML2_BACKEND_KEY="-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"
OIDC_FRONTEND_KEY="-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"
CLIENT_DB_JSON="
{
\"oidc-test-client\": {
\"response_types\": [
\"id_token\",
\"code\"
],
\"redirect_uris\": [
\"https://oidc-test-client.traefik.me/auth/callback\"
],
\"client_secret\": \"oidc-test-secret\"
}
}
"