Merge pull request #11 from torbenraab/feat/oidc-auth-with-godmode-pr…

…eview-merge Merge OIDC Authentication into Preview
torbenraab · Jan 28, 2024 · 3d9f32f · 3d9f32f
2 parents 532da80 + 72b0226
commit 3d9f32f
Show file tree

Hide file tree

Showing 22 changed files with 4,923 additions and 3,334 deletions.
diff --git a/.github/workflows/build-branch.yml b/.github/workflows/build-branch.yml
@@ -32,14 +32,14 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [branch_build_setup]
     env:
-      FRONTEND_TAG: ${{ secrets.DOCKERHUB_USERNAME }}/plane-frontend:${{ needs.branch_build_setup.outputs.gh_branch_name }}
+      FRONTEND_TAG: ${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-frontend:${{ needs.branch_build_setup.outputs.gh_branch_name }}
     steps:
       - name: Set Frontend Docker Tag
         run: |
           if [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ] && [ "${{ github.event_name }}" == "release" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-frontend:latest,${{ secrets.DOCKERHUB_USERNAME }}/plane-frontend:${{ github.event.release.tag_name }}
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-frontend:latest,${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-frontend:${{ github.event.release.tag_name }}
           elif [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-frontend:stable
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-frontend:stable
           else
             TAG=${{ env.FRONTEND_TAG }}
           fi
@@ -56,6 +56,7 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/[email protected]
         with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
@@ -79,14 +80,14 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [branch_build_setup]
     env:
-      SPACE_TAG: ${{ secrets.DOCKERHUB_USERNAME }}/plane-space:${{ needs.branch_build_setup.outputs.gh_branch_name }}
+      SPACE_TAG: ${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-space:${{ needs.branch_build_setup.outputs.gh_branch_name }}
     steps:
       - name: Set Space Docker Tag
         run: |
           if [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ] && [ "${{ github.event_name }}" == "release" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-space:latest,${{ secrets.DOCKERHUB_USERNAME }}/plane-space:${{ github.event.release.tag_name }}
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-space:latest,${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-space:${{ github.event.release.tag_name }}
           elif [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-space:stable
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-space:stable
           else
             TAG=${{ env.SPACE_TAG }}
           fi
@@ -104,6 +105,7 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/[email protected]
         with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
@@ -127,14 +129,14 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [branch_build_setup]
     env:
-      BACKEND_TAG: ${{ secrets.DOCKERHUB_USERNAME }}/plane-backend:${{ needs.branch_build_setup.outputs.gh_branch_name }}
+      BACKEND_TAG: ${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-backend:${{ needs.branch_build_setup.outputs.gh_branch_name }}
     steps:
       - name: Set Backend Docker Tag
         run: |
           if [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ] && [ "${{ github.event_name }}" == "release" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-backend:latest,${{ secrets.DOCKERHUB_USERNAME }}/plane-backend:${{ github.event.release.tag_name }}
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-backend:latest,${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-backend:${{ github.event.release.tag_name }}
           elif [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-backend:stable
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-backend:stable
           else
             TAG=${{ env.BACKEND_TAG }}
           fi
@@ -152,6 +154,7 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/[email protected]
         with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
@@ -175,14 +178,14 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [branch_build_setup]
     env:
-      PROXY_TAG: ${{ secrets.DOCKERHUB_USERNAME }}/plane-proxy:${{ needs.branch_build_setup.outputs.gh_branch_name }}
+      PROXY_TAG: ${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-proxy:${{ needs.branch_build_setup.outputs.gh_branch_name }}
     steps:
       - name: Set Proxy Docker Tag
         run: |
           if [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ] && [ "${{ github.event_name }}" == "release" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-proxy:latest,${{ secrets.DOCKERHUB_USERNAME }}/plane-proxy:${{ github.event.release.tag_name }}
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-proxy:latest,${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-proxy:${{ github.event.release.tag_name }}
           elif [ "${{ needs.branch_build_setup.outputs.gh_branch_name }}" == "master" ]; then
-            TAG=${{ secrets.DOCKERHUB_USERNAME }}/plane-proxy:stable
+            TAG=${{ secrets.DOCKER_REGISTRY }}/${{ secrets.DOCKER_REPO }}/plane-proxy:stable
           else
             TAG=${{ env.PROXY_TAG }}
           fi
@@ -200,6 +203,7 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/[email protected]
         with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 

diff --git a/apiserver/.env.example b/apiserver/.env.example
@@ -58,6 +58,17 @@ ENABLE_EMAIL_PASSWORD="1"
 # Enable Magic link Login
 ENABLE_MAGIC_LINK_LOGIN="0"
 
+# Enable OpenID Connect Login - You can set the discovery url to get the Enpoints (URLs) automatically or set them manually
+# If you set the Endpoints manually the discovery url should be empty to avoid overriding the endpoints
+OIDC_AUTO="0"
+OIDC_CLIENT_ID=""
+OIDC_CLIENT_SECRET=""
+OIDC_DISCOVERY=""
+OIDC_URL_AUTHORIZATION=""
+OIDC_URL_TOKEN=""
+OIDC_URL_USERINFO=""
+OIDC_URL_ENDSESSION=""
+
 # Email redirections and minio domain settings
 WEB_URL="http://localhost"
 

diff --git a/apiserver/plane/app/urls/authentication.py b/apiserver/plane/app/urls/authentication.py
@@ -10,6 +10,7 @@
     MagicGenerateEndpoint,
     MagicSignInEndpoint,
     OauthEndpoint,
+    OIDCEndpoint,
     EmailCheckEndpoint,
     ## End Authentication
     # Auth Extended
@@ -27,6 +28,7 @@
     #  Social Auth
     path("email-check/", EmailCheckEndpoint.as_view(), name="email"),
     path("social-auth/", OauthEndpoint.as_view(), name="oauth"),
+    path("oidc-auth/", OIDCEndpoint.as_view(), name="oidc"),
     # Auth
     path("sign-in/", SignInEndpoint.as_view(), name="sign-in"),
     path("sign-out/", SignOutEndpoint.as_view(), name="sign-out"),

diff --git a/apiserver/plane/app/views/__init__.py b/apiserver/plane/app/views/__init__.py
@@ -22,6 +22,8 @@
 
 from .oauth import OauthEndpoint
 
+from .oidc import OIDCEndpoint
+
 from .base import BaseAPIView, BaseViewSet, WebhookMixin
 
 from .workspace import (

diff --git a/apiserver/plane/app/views/config.py b/apiserver/plane/app/views/config.py
@@ -25,6 +25,13 @@ def get(self, request):
             GOOGLE_CLIENT_ID,
             GITHUB_CLIENT_ID,
             GITHUB_APP_NAME,
+            OIDC_AUTO,
+            OIDC_CLIENT_ID,
+            OIDC_CLIENT_SECRET,
+            OIDC_URL_AUTHORIZATION,
+            OIDC_URL_TOKEN,
+            OIDC_URL_USERINFO,
+            OIDC_URL_ENDSESSION,
             EMAIL_HOST_USER,
             EMAIL_HOST_PASSWORD,
             ENABLE_MAGIC_LINK_LOGIN,
@@ -48,6 +55,34 @@ def get(self, request):
                     "key": "GITHUB_APP_NAME",
                     "default": os.environ.get("GITHUB_APP_NAME", None),
                 },
+                {
+                    "key": "OIDC_AUTO",
+                    "default": os.environ.get("OIDC_AUTO", None),
+                },
+                {
+                    "key": "OIDC_CLIENT_ID",
+                    "default": os.environ.get("OIDC_CLIENT_ID", None),
+                },
+                {
+                    "key": "OIDC_CLIENT_SECRET",
+                    "default": os.environ.get("OIDC_CLIENT_SECRET", None),
+                },
+                {
+                    "key": "OIDC_URL_AUTHORIZATION",
+                    "default": os.environ.get("OIDC_URL_AUTHORIZATION", None),
+                },
+                {
+                    "key": "OIDC_URL_TOKEN",
+                    "default": os.environ.get("OIDC_URL_TOKEN", None),
+                },
+                {
+                    "key": "OIDC_URL_USERINFO",
+                    "default": os.environ.get("OIDC_URL_USERINFO", None),
+                },
+                {
+                    "key": "OIDC_URL_ENDSESSION",
+                    "default": os.environ.get("OIDC_URL_ENDSESSION", None),
+                },
                 {
                     "key": "EMAIL_HOST_USER",
                     "default": os.environ.get("EMAIL_HOST_USER", None),
@@ -100,6 +135,18 @@ def get(self, request):
             else None
         )
         data["github_app_name"] = GITHUB_APP_NAME
+        data["oidc_auto"] = (
+            bool(OIDC_CLIENT_ID) and 
+            bool(OIDC_CLIENT_SECRET) and 
+            bool(OIDC_URL_AUTHORIZATION) and 
+            bool(OIDC_URL_TOKEN) and 
+            bool(OIDC_URL_USERINFO)
+        ) and OIDC_AUTO == "1"
+        data["oidc_client_id"] = (
+            OIDC_CLIENT_ID if OIDC_CLIENT_ID and OIDC_CLIENT_ID != '""' else None
+        )
+        data["oidc_url_authorize"] = OIDC_URL_AUTHORIZATION
+        data["oidc_url_endsession"] = OIDC_URL_ENDSESSION
         data["magic_login"] = (
             bool(EMAIL_HOST_USER) and bool(EMAIL_HOST_PASSWORD)
         ) and ENABLE_MAGIC_LINK_LOGIN == "1"