From d4493ace3def79bd792e95172fba7b1771275be8 Mon Sep 17 00:00:00 2001
From: David Pordomingo
Date: Thu, 7 Nov 2019 21:40:46 +0100
Subject: [PATCH] Configure google and github OAuth providers

Google and GiHub OAuth providers can be used independently or simultaneously when authenticating in sourced-ui. The order of the providers to use will be defined by 'OAUTH_ENABLED_PROVIDERS'

Signed-off-by: David Pordomingo
---
 README.md | 8 ++-
 superset/contrib/docker/superset_config.py | 78 +++++++++++++++-------
 2 files changed, 60 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index 6ad4fd1..25696a6 100644
--- a/README.md
+++ b/README.md
@@ -51,10 +51,12 @@ You can configure the Docker image using the following environment variables:
 | `METADATA_USER` | Username for metadata DB (when `SYNC_MODE` is set to `true`) |
 | `METADATA_PASSWORD` | Password for metadata DB (when `SYNC_MODE` is set to `true`) |
 | `METADATA_DB` | Database name for metadata (when `SYNC_MODE` is set to `true`) |
-| `OAUTH_PROVIDER` | Use OAuth provider for authorization. Currently only `google` |
-| `OAUTH_CONSUMER_KEY` | OAuth provider consumer key (aka client_id) |
-| `OAUTH_CONSUMER_SECRET` | OAuth provider consumer secret (aka client_secret) |
+| `OAUTH_ENABLED_PROVIDERS` | Comma separated list of available OAuth providers (eg: `github,google`) |
 | `OAUTH_REGISTRATION_ROLE` | The role for newly registered users using OAuth `Admin`/`Alpha`/`Gamma` |
+| `OAUTH_GITHUB_CONSUMER_KEY` | GitHub OAuth provider consumer key (aka client_id) |
+| `OAUTH_GITHUB_CONSUMER_SECRET` | GitHub OAuth provider consumer secret (aka client_secret) |
+| `OAUTH_GOOGLE_CONSUMER_KEY` | Google OAuth provider consumer key (aka client_id) |
+| `OAUTH_GOOGLE_CONSUMER_SECRET` | Google OAuth provider consumer secret (aka client_secret) |
 To see the differences between roles in `OAUTH_REGISTRATION_ROLE` variable consult [official superset documentation](https://superset.incubator.apache.org/security.html#provided-roles).
diff --git a/superset/contrib/docker/superset_config.py b/superset/contrib/docker/superset_config.py
index 7283734..ebf6efa 100644
--- a/superset/contrib/docker/superset_config.py
+++ b/superset/contrib/docker/superset_config.py
@@ -154,31 +154,63 @@ def mutator(f):
 SUPERSET_WEBSERVER_TIMEOUT = 300
 # Authorization configuration
-
-OAUTH_PROVIDER = get_env_variable('OAUTH_PROVIDER', False)
-if OAUTH_PROVIDER:
- OAUTH_PROVIDERS = [
- {
- 'name': 'google',
- 'icon': 'fa-google',
- 'token_key': 'access_token',
- 'remote_app': {
- 'consumer_key': get_env_variable('OAUTH_CONSUMER_KEY'),
- 'consumer_secret': get_env_variable('OAUTH_CONSUMER_SECRET'),
- 'base_url': 'https://www.googleapis.com/oauth2/v2/',
- 'request_token_params': {
- 'scope': 'email profile'
- },
- 'request_token_url': None,
- 'access_token_url': 'https://accounts.google.com/o/oauth2/token',
- 'authorize_url': 'https://accounts.google.com/o/oauth2/auth'
 }
+OAUTH_ENABLED_PROVIDERS = get_env_variable('OAUTH_ENABLED_PROVIDERS', False)
+OAUTH_GOOGLE_CONSUMER_KEY = get_env_variable('OAUTH_GOOGLE_CONSUMER_KEY', False)
+OAUTH_GOOGLE_CONSUMER_SECRET = get_env_variable('OAUTH_GOOGLE_CONSUMER_SECRET', False)
+OAUTH_GITHUB_CONSUMER_KEY = get_env_variable('OAUTH_GITHUB_CONSUMER_KEY', False)
+OAUTH_GITHUB_CONSUMER_SECRET = get_env_variable('OAUTH_GITHUB_CONSUMER_SECRET', False)
+
+OAUTH_AVAILABLE_CONFIGS = {
+ 'google': {
+ 'name': 'google',
+ 'icon': 'fa-google',
+ 'token_key': 'access_token',
+ 'remote_app': {
+ 'consumer_key': OAUTH_GOOGLE_CONSUMER_KEY,
+ 'consumer_secret': OAUTH_GOOGLE_CONSUMER_SECRET,
+ 'base_url': 'https://www.googleapis.com/oauth2/v2/',
+ 'request_token_params': {
+ 'scope': 'email profile'
+ },
+ 'request_token_url': None,
+ 'access_token_url': 'https://accounts.google.com/o/oauth2/token',
+ 'authorize_url': 'https://accounts.google.com/o/oauth2/auth'
+ }
+ },
+ 'github': {
+ 'name': 'github',
+ 'icon': 'fa-github',
+ 'token_key': 'access_token',
+ 'remote_app': {
+ 'consumer_key': OAUTH_GITHUB_CONSUMER_KEY,
+ 'consumer_secret': OAUTH_GITHUB_CONSUMER_SECRET,
+ 'base_url': 'https://api.github.com/',
+ 'request_token_params': {
+ 'scope': 'user' # read:user
+ },
+ 'request_token_url': None,
+ 'access_token_method': 'POST',
+ 'access_token_url': 'https://github.com/login/oauth/access_token',
+ 'authorize_url': 'https://github.com/login/oauth/authorize'
 }
- ]
+ }
+}
+
+if OAUTH_ENABLED_PROVIDERS:
+ providers = []
+ provider_names = OAUTH_ENABLED_PROVIDERS.split(',')
+ for provider in provider_names:
+ if provider in OAUTH_AVAILABLE_CONFIGS:
+ if not OAUTH_AVAILABLE_CONFIGS[provider]['remote_app']['consumer_key']:
+ raise EnvironmentError('Not valid OAuth consumer_key provided for {}'.format(provider))
+ if not OAUTH_AVAILABLE_CONFIGS[provider]['remote_app']['consumer_secret']:
+ raise EnvironmentError('Not valid OAuth consumer_secret provided for {}'.format(provider))
+ else:
+ raise EnvironmentError('Unknown OAuth provider {}'.format(provider))
+
+ providers.append(OAUTH_AVAILABLE_CONFIGS[provider])
- if OAUTH_PROVIDER not in [p['name'] for p in OAUTH_PROVIDERS]:
- raise EnvironmentError(
- 'Unknown OAuth provider {}'.format(OAUTH_PROVIDER))
+ OAUTH_PROVIDERS = providers
 from flask_appbuilder.security.manager import AUTH_OAUTH
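Review bot: The GitHub entry in OAUTH_AVAILABLE_CONFIGS requests `'scope': 'user'` while its own trailing comment says `read:user`; per GitHub's OAuth scope documentation `user` grants read/write access to the profile (and implies `user:email` and `user:follow`), which is more than a login flow that only reads the profile needs. Unless something outside this hunk depends on the extra permissions, change the line to `'scope': 'read:user'  # least privilege: 'user' would also grant profile write access`. Separately, `provider_names = OAUTH_ENABLED_PROVIDERS.split(',')` passes surrounding whitespace and empty items straight to the dict lookup, so `github, google` or a trailing comma fails with a confusing `Unknown OAuth provider` error; `provider_names = [p.strip() for p in OAUTH_ENABLED_PROVIDERS.split(',') if p.strip()]` keeps the documented `github,google` format while tolerating those variants (a duplicate name would still be appended twice, which may be worth rejecting as well). The `if OAUTH_ENABLED_PROVIDERS:` block is complete within the hunk; the `from flask_appbuilder` context line that follows continues past it.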