package dex
import (
"fmt"
"sigs.k8s.io/yaml"
"github.com/argoproj/argo-cd/v2/common"
"github.com/argoproj/argo-cd/v2/util/settings"
)
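// GenerateDexConfigYAML renders the configuration handed to the Dex instance
// that Argo CD runs. The operator-supplied dex.config YAML held in
// argocdSettings is parsed and then overlaid with the fields Argo CD owns:
// issuer, in-memory storage, the web/grpc/telemetry listeners, the oauth2
// approval-screen default, the two Argo CD static clients and the
// redirectURI of every connector that needs one. Secret references in the
// resulting map are resolved with settings.ReplaceMapSecrets before it is
// marshalled back to YAML.
//
// It returns (nil, nil) when Dex is not configured. disableTls selects a
// plain-HTTP web listener instead of HTTPS with the fixed certificate paths.
//
// An error is returned when the redirect URLs cannot be inferred from the
// settings, when dex.config is not valid YAML, or when the connectors section
// (or a connector's "type"/"config" field) does not have the expected shape.
func GenerateDexConfigYAML(argocdSettings *settings.ArgoCDSettings, disableTls bool) ([]byte, error) {
	if !argocdSettings.IsDexConfigured() {
		return nil, nil
	}
	redirectURL, err := argocdSettings.RedirectURL()
	if err != nil {
		return nil, fmt.Errorf("failed to infer redirect url from config: %w", err)
	}

	var dexCfg map[string]interface{}
	if err := yaml.Unmarshal([]byte(argocdSettings.DexConfig), &dexCfg); err != nil {
		return nil, fmt.Errorf("failed to unmarshal dex.config from configmap: %w", err)
	}
	// An empty or null document leaves dexCfg nil, and writing to a nil map
	// panics. Start from an empty map instead; the connectors check below then
	// reports the missing content as a malformed configuration.
	if dexCfg == nil {
		dexCfg = map[string]interface{}{}
	}

	dexCfg["issuer"] = argocdSettings.IssuerURL()
	dexCfg["storage"] = map[string]interface{}{"type": "memory"}
	if disableTls {
		dexCfg["web"] = map[string]interface{}{"http": "0.0.0.0:5556"}
	} else {
		// The TLS material is expected at these fixed paths; whatever
		// provisions the files lives outside this file.
		dexCfg["web"] = map[string]interface{}{
			"https":   "0.0.0.0:5556",
			"tlsCert": "/tmp/tls.crt",
			"tlsKey":  "/tmp/tls.key",
		}
	}
	dexCfg["grpc"] = map[string]interface{}{"addr": "0.0.0.0:5557"}
	dexCfg["telemetry"] = map[string]interface{}{"http": "0.0.0.0:5558"}

	// Default skipApprovalScreen to true, but keep an explicit boolean the
	// operator set in dex.config.
	if oauth2Cfg, found := dexCfg["oauth2"].(map[string]interface{}); found {
		if _, set := oauth2Cfg["skipApprovalScreen"].(bool); !set {
			oauth2Cfg["skipApprovalScreen"] = true
		}
	} else {
		dexCfg["oauth2"] = map[string]interface{}{"skipApprovalScreen": true}
	}

	dexCfg["staticClients"] = prependArgoCDStaticClients(dexCfg["staticClients"], argocdSettings, redirectURL)

	dexRedirectURL, err := argocdSettings.DexRedirectURL()
	if err != nil {
		return nil, err
	}
	if err := setConnectorRedirectURIs(dexCfg, dexRedirectURL); err != nil {
		return nil, err
	}

	dexCfg = settings.ReplaceMapSecrets(dexCfg, argocdSettings.Secrets)
	return yaml.Marshal(dexCfg)
}

// prependArgoCDStaticClients returns the staticClients list with the Argo CD
// web client and the public CLI client placed in front of any operator-defined
// clients. existing is the raw "staticClients" value from dex.config; a value
// that is absent or not a []interface{} is treated as an empty list.
func prependArgoCDStaticClients(existing interface{}, argocdSettings *settings.ArgoCDSettings, redirectURL string) []interface{} {
	argoCDStaticClient := map[string]interface{}{
		"id":           common.ArgoCDClientAppID,
		"name":         common.ArgoCDClientAppName,
		"secret":       argocdSettings.DexOAuth2ClientSecret(),
		"redirectURIs": []string{redirectURL},
	}
	// The CLI client is a public client (no secret); its callbacks are limited
	// to the loopback URIs listed here.
	argoCDCLIStaticClient := map[string]interface{}{
		"id":     common.ArgoCDCLIClientAppID,
		"name":   common.ArgoCDCLIClientAppName,
		"public": true,
		"redirectURIs": []string{
			"http://localhost",
			"http://localhost:8085/auth/callback",
		},
	}
	operatorClients, _ := existing.([]interface{})
	clients := make([]interface{}, 0, 2+len(operatorClients))
	clients = append(clients, argoCDStaticClient, argoCDCLIStaticClient)
	return append(clients, operatorClients...)
}

// setConnectorRedirectURIs sets the "config.redirectURI" of every connector
// whose type needsRedirectURI reports as needing one to redirectURI.
// dexCfg["connectors"] must be a list of connector maps whose "type" is a
// string and, for those connectors, whose "config" is a map; any other shape
// is reported as a malformed configuration rather than panicking.
func setConnectorRedirectURIs(dexCfg map[string]interface{}, redirectURI string) error {
	connectors, ok := dexCfg["connectors"].([]interface{})
	if !ok {
		return fmt.Errorf("malformed Dex configuration found")
	}
	for _, connectorIf := range connectors {
		connector, ok := connectorIf.(map[string]interface{})
		if !ok {
			return fmt.Errorf("malformed Dex configuration found")
		}
		// Checked assertion: a missing or non-string "type" used to panic here
		// instead of surfacing as an error.
		connectorType, ok := connector["type"].(string)
		if !ok {
			return fmt.Errorf("malformed Dex configuration found")
		}
		if !needsRedirectURI(connectorType) {
			continue
		}
		connectorCfg, ok := connector["config"].(map[string]interface{})
		if !ok {
			return fmt.Errorf("malformed Dex configuration found")
		}
		// connector and connectorCfg are maps, so this write is already
		// visible through dexCfg; no slice element needs reassigning.
		connectorCfg["redirectURI"] = redirectURI
	}
	return nil
}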
// needsRedirectURI reports whether a Dex connector of the given type takes a
// redirectURI in its config and therefore must be pointed at Argo CD's Dex
// callback. Extend the case list when new connectors are adopted; see
// https://dexidp.io/docs/connectors/ for the available types.
func needsRedirectURI(connectorType string) bool {
	switch connectorType {
	case "oidc", "saml", "microsoft", "linkedin",
		"gitlab", "github", "bitbucket-cloud",
		"openshift", "gitea", "google", "oauth":
		return true
	default:
		return false
	}
}