From b05723a37e27cd361f1ffeb69f710db4e194fafe Mon Sep 17 00:00:00 2001
From: Sanne Raymaekers
Date: Wed, 23 Feb 2022 14:19:45 +0100
Subject: [PATCH] templates/composer: Verify against mass sso and rh sso
---
 cmd/osbuild-composer/composer.go | 6 ------
 cmd/osbuild-composer/config.go | 2 --
 cmd/osbuild-composer/config_test.go | 2 +-
 cmd/osbuild-composer/testdata/test.toml | 2 +-
 templates/composer.yml | 12 +++++++++---
 test/cases/api.sh | 4 ++--
 6 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/cmd/osbuild-composer/composer.go b/cmd/osbuild-composer/composer.go
index 0aa17f7d6..21568c3a0 100644
--- a/cmd/osbuild-composer/composer.go
+++ b/cmd/osbuild-composer/composer.go
@@ -221,9 +221,6 @@ func (c *Composer) Start() error {
 var err error
 if c.config.Worker.EnableJWT {
 keysURLs := c.config.Worker.JWTKeysURLs
- if c.config.Worker.JWTKeysURL != "" {
- keysURLs = append(keysURLs, c.config.Worker.JWTKeysURL)
- }
 handler, err = auth.BuildJWTAuthHandler(
 keysURLs,
 c.config.Worker.JWTKeysCA,
@@ -270,9 +267,6 @@ func (c *Composer) Start() error {
 var err error
 if c.config.Koji.EnableJWT {
 keysURLs := c.config.Koji.JWTKeysURLs
- if c.config.Koji.JWTKeysURL != "" {
- keysURLs = append(keysURLs, c.config.Koji.JWTKeysURL)
- }
 handler, err = auth.BuildJWTAuthHandler(
 keysURLs,
 c.config.Koji.JWTKeysCA,
diff --git a/cmd/osbuild-composer/config.go b/cmd/osbuild-composer/config.go
index 4aa28a18c..08e208d82 100644
--- a/cmd/osbuild-composer/config.go
+++ b/cmd/osbuild-composer/config.go
@@ -24,7 +24,6 @@ type KojiAPIConfig struct {
 EnableTLS bool `toml:"enable_tls"`
 EnableMTLS bool `toml:"enable_mtls"`
 EnableJWT bool `toml:"enable_jwt"`
- JWTKeysURL string `toml:"jwt_keys_url"`
 JWTKeysURLs []string `toml:"jwt_keys_urls"`
 JWTKeysCA string `toml:"jwt_ca_file"`
 JWTACLFile string `toml:"jwt_acl_file"`
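Review bot: With the `JWTKeysURL` fallback removed, `keysURLs` in the worker branch (and the identical Koji branch at @@ -270) is taken straight from `c.config.Worker.JWTKeysURLs` with no check that the list is non-empty, so a deployment that still sets the old `jwt_keys_url` key in its TOML and whose decoder ignores unknown keys (not visible here) would start with `enable_jwt = true` and no key source at all. Whether `auth.BuildJWTAuthHandler` rejects an empty list is not shown in the hunk; if it does not, I would fail fast before the call: `if len(keysURLs) == 0 { return fmt.Errorf("worker API: enable_jwt is set but jwt_keys_urls is empty") }`, with a matching message in the Koji branch. The surviving `keysURLs := ...` alias is now a single-use local and could be passed inline. `Start` begins and ends outside the hunk.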
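Review bot: `JWTKeysURLs` in `KojiAPIConfig` (and in `WorkerAPIConfig` at @@ -51) has no doc comment, and after this hunk it is the only source of JWKS endpoints, so a reader of the struct gets no hint that the former `jwt_keys_url` key is no longer read. I would add above the field: `// JWTKeysURLs lists the JWKS endpoints whose keys are accepted for JWT verification; the former jwt_keys_url key is no longer read.` Both struct definitions start outside the hunk.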
@@ -51,7 +50,6 @@ type WorkerAPIConfig struct {
 EnableTLS bool `toml:"enable_tls"`
 EnableMTLS bool `toml:"enable_mtls"`
 EnableJWT bool `toml:"enable_jwt"`
- JWTKeysURL string `toml:"jwt_keys_url"`
 JWTKeysURLs []string `toml:"jwt_keys_urls"`
 JWTKeysCA string `toml:"jwt_ca_file"`
 JWTACLFile string `toml:"jwt_acl_file"`
diff --git a/cmd/osbuild-composer/config_test.go b/cmd/osbuild-composer/config_test.go
index 3ccf57dc9..c32bd659d 100644
--- a/cmd/osbuild-composer/config_test.go
+++ b/cmd/osbuild-composer/config_test.go
@@ -86,7 +86,7 @@ func TestConfig(t *testing.T) {
 require.Equal(t, "composer-db", config.Worker.PGDatabase)
 require.False(t, config.Koji.EnableJWT)
- require.Equal(t, "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs", config.Koji.JWTKeysURL)
+ require.Equal(t, []string{"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"}, config.Koji.JWTKeysURLs)
 require.Equal(t, "", config.Koji.JWTKeysCA)
 require.Equal(t, "/var/lib/osbuild-composer/acl", config.Koji.JWTACLFile)
 }
diff --git a/cmd/osbuild-composer/testdata/test.toml b/cmd/osbuild-composer/testdata/test.toml
index 218d98671..d47cd026b 100644
--- a/cmd/osbuild-composer/testdata/test.toml
+++ b/cmd/osbuild-composer/testdata/test.toml
@@ -2,7 +2,7 @@ allowed_domains = [ "osbuild.org" ]
 ca = "/etc/osbuild-composer/ca-crt.pem"
 enable_jwt = false
-jwt_keys_url = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"
+jwt_keys_urls = ["https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"]
 jwt_acl_file = "/var/lib/osbuild-composer/acl"
 [worker]
diff --git a/templates/composer.yml b/templates/composer.yml
index ae27b8502..4c1c0a25e 100644
--- a/templates/composer.yml
+++ b/templates/composer.yml
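Review bot: The updated assertion only checks that a one-element `jwt_keys_urls` decodes, while the point of the commit is accepting keys from two issuers, so the multi-URL path that templates/composer.yml now relies on is never exercised by `TestConfig`. I would add a second URL to the `jwt_keys_urls` entry in testdata/test.toml and assert a two-element slice here, e.g. `require.Equal(t, []string{"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs", "<SECOND_JWKS_URL>"}, config.Koji.JWTKeysURLs)` with the placeholder replaced by the test fixture's second URL. A case for a config that still uses the removed `jwt_keys_url` key would also pin the intended behaviour (decode error or empty list) instead of leaving it implicit. `TestConfig` starts outside the hunk.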
@@ -201,13 +201,15 @@ objects:
 acl.yml: |
 - claim: user_id
 pattern: ^(54629121|54629180|54597799|54676085)$
+ - claim: rh-org-id
+ pattern: ^(13826359)$
 osbuild-composer.toml: |
 log_level = "info"
 [koji]
 enable_tls = false
 enable_mtls = false
 enable_jwt = true
- jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
+ jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
 jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
 [koji.aws_config]
 bucket = "imagebuilder.service.staging"
@@ -218,7 +220,7 @@ objects:
 enable_tls = false
 enable_mtls = false
 enable_jwt = true
- jwt_keys_url = "${SSO_BASE_URL}/protocol/openid-connect/certs"
+ jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
 jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
 - apiVersion: batch/v1
@@ -328,9 +330,13 @@ parameters:
 name: PGMAXCONNS
 value: "20"
 - description: base sso url
- name: SSO_BASE_URL
+ name: RH_SSO_BASE_URL
 required: true
 value: "https://sso.redhat.com/auth/realms/redhat-external"
+ - description: base sso url
+ name: MAS_SSO_BASE_URL
+ required: true
+ value: "https://identity.api.openshift.com/auth/realms/rhoas"
 - description: base sso url
 name: COMPOSER_CONFIG_DIR
 required: true
diff --git a/test/cases/api.sh b/test/cases/api.sh
index c4e9c2768..4ce5d5838 100755
--- a/test/cases/api.sh
+++ b/test/cases/api.sh
@@ -1262,7 +1262,7 @@ cat <
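Review bot: The new `rh-org-id` entry in acl.yml lands in the same hunk that makes both the `${RH_SSO_BASE_URL}` and `${MAS_SSO_BASE_URL}` JWKS endpoints acceptable signers, yet nothing in the ACL ties a claim to the issuer expected to assert it; if the ACL handler grants access when any listed claim matches (its semantics are not visible here), a token signed by either SSO that carries that org id is accepted. It is worth recording the intent in acl.yml, e.g. `# user_id entries are expected from RH SSO, rh-org-id entries from MAS SSO` above the list, and confirming that `BuildJWTAuthHandler` validates issuer and audience for each token rather than only the signature. The same `jwt_keys_urls` change is repeated for the worker section at @@ -218.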
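Review bot: The new `MAS_SSO_BASE_URL` parameter copies the description `base sso url` verbatim from `RH_SSO_BASE_URL`, so the two parameters are indistinguishable in the template's parameter listing. I would make each description name its issuer, e.g. `description: base url of the Red Hat SSO realm` and `description: base url of the MAS SSO (rhoas) realm`. The pre-existing `COMPOSER_CONFIG_DIR` entry just below also carries `base sso url`, which looks like the same copy-paste and could be fixed in passing.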