Merge pull request #23 from CanDIG/daisieh/secrets

Handle OPA secrets via docker-secrets
CanDIG · Aug 3, 2022 · cc16c3d · cc16c3d
2 parents 4421a94 + 832948c
commit cc16c3d
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 19 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,12 +18,5 @@ COPY ./ /app/
 
 RUN pip install --no-cache-dir -r app/tests/requirements.txt
 
-ARG client_id
-ENV CLIENT_ID=${client_id}
-RUN sed -i s/CLIENT_ID/$CLIENT_ID/ app/permissions_engine/idp.rego && sed -i s/CLIENT_ID/$CLIENT_ID/ app/permissions_engine/authz.rego
-
-ARG opa_site_admin_key
-ENV OPA_SITE_ADMIN_KEY=${opa_site_admin_key}
-RUN sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/idp.rego && sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/authz.rego
-
-ENTRYPOINT ["top", "-b"]
+RUN touch initial_setup
+ENTRYPOINT ["bash", "/app/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -Euo pipefail
+
+if [[ -f "initial_setup" ]]; then
+    sed -i s/CLIENT_ID/$IDP_CLIENT_ID/ app/permissions_engine/idp.rego && sed -i s/CLIENT_ID/$IDP_CLIENT_ID/ app/permissions_engine/authz.rego
+    sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/idp.rego && sed -i s/OPA_SITE_ADMIN_KEY/$OPA_SITE_ADMIN_KEY/ app/permissions_engine/authz.rego
+
+    OPA_SERVICE_TOKEN=$(cat /run/secrets/opa-service-token)
+    sed -i s/OPA_SERVICE_TOKEN/$OPA_SERVICE_TOKEN/ app/permissions_engine/authz.rego
+
+    OPA_ROOT_TOKEN=$(cat /run/secrets/opa-root-token)
+    sed -i s/OPA_ROOT_TOKEN/$OPA_ROOT_TOKEN/ app/permissions_engine/authz.rego
+
+    python3 app/permissions_engine/fetch_keys.py
+    rm initial_setup
+fi
+
+while [ 0 -eq 0 ]
+do
+  sleep 60
+done
diff --git a/permissions_engine/authz.rego b/permissions_engine/authz.rego
@@ -15,11 +15,8 @@ rights = {
     }
 }
 
-# Tokens provided as env variables
-
-env := opa.runtime().env
-root_token := object.get(env, "CLIENT_SECRET_ROOT", "no_root_token")
-service_token := object.get(env, "CLIENT_SECRET_SERVICE", "no_service_token")
+root_token := "OPA_ROOT_TOKEN"
+service_token := "OPA_SERVICE_TOKEN"
 
 tokens = {
     root_token : {
@@ -44,8 +41,10 @@ allow {                             # Allow request if...
     right.path == input.path        # Right.path matches input.path.
 }
 
+x_opa := input.headers["X-Opa"][_]
+
 identity_rights[right] {             # Right is in the identity_rights set if...
-    token := tokens[input.identity]  # Token exists for identity, and...
+    token := tokens[x_opa]  # Token exists for identity, and...
     role := token.roles[_]           # Token has a role, and...
     right := rights[role]            # Role has rights defined.
 }

diff --git a/tests/capture_token.py b/tests/capture_token.py
@@ -10,10 +10,8 @@
 
 client_id = os.getenv("IDP_CLIENT_ID")
 
-client_secret = os.getenv("IDP_CLIENT_SECRET")
-if client_secret is None:
-    with open("/run/secrets/idp_client_secret", "r") as f:
-        client_secret = f.read().strip()
+with open("/run/secrets/idp_client_secret", "r") as f:
+    client_secret = f.read().strip()
 
 def helper_get_user_token(username, password, oidc_name="oidc"):
     oidc = idp_map[oidc_name]