From d85995b51da89054185c5a150ba352c55e4d1958 Mon Sep 17 00:00:00 2001
From: osenchenko
Date: Sun, 27 Oct 2024 19:31:04 +0300
Subject: [PATCH] Allow to use self-signed certificates for OIDC IDP. Correct callback url creation when working behind a proxy
---
 .../authentication/provider/oauth/oidc.py | 52 ++++++++++++++++++-
 1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/apiserver/plane/authentication/provider/oauth/oidc.py b/apiserver/plane/authentication/provider/oauth/oidc.py
index 104c62d5d03..ba2f58ce556 100644
--- a/apiserver/plane/authentication/provider/oauth/oidc.py
+++ b/apiserver/plane/authentication/provider/oauth/oidc.py
@@ -6,6 +6,7 @@
 import pytz
 import requests
+import logging
 # Module imports
 from plane.authentication.adapter.oauth import OauthAdapter
@@ -48,6 +49,17 @@ def __init__(self, request, code=None, state=None, callback=None):
 ]
 )
+ WEB_URL = get_configuration_value([{
+ "key": "WEB_URL",
+ "default": os.environ.get("WEB_URL"),
+ }])
+
+ OIDC_IDP_CA_CERT = get_configuration_value([{
+ "key": "OIDC_IDP_CA_CERT",
+ "default": os.environ.get("OIDC_IDP_CA_CERT"),
+ }])
+
+ self.idp_ca_cert = OIDC_IDP_CA_CERT[0]
 self.token_url = OIDC_URL_TOKEN
 self.userinfo_url = OIDC_URL_USERINFO
@@ -59,8 +71,8 @@ def __init__(self, request, code=None, state=None, callback=None):
 client_id = OIDC_CLIENT_ID
 client_secret = OIDC_CLIENT_SECRET
-
- redirect_uri = f"""{"https" if request.is_secure() else "http"}://{request.get_host()}/auth/oidc/callback/"""
+ is_secure = WEB_URL[0].startswith("https")
+ redirect_uri = f"""{"https" if is_secure else "http"}://{request.get_host()}/auth/oidc/callback/"""
 url_params = {
 "client_id": client_id,
 "redirect_uri": redirect_uri,
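Review bot: `self.idp_ca_cert = OIDC_IDP_CA_CERT[0]` stores the configured value unchecked, and the new `get_user_token`/`get_user_response` methods in the last hunk hand it straight to `verify=`; `requests` accepts a bool or a CA-bundle path there and disables certificate checking for any falsy value, so an empty string saved in the instance configuration would silently turn off TLS verification toward the IdP, while an unset value (`None`) falls through to the library default of verifying. Normalize the value once here, `self.idp_ca_cert = OIDC_IDP_CA_CERT[0] or True`, so "not configured" can only ever mean "use the default trust store". A comment on the assignment should also say what the value is expected to be, e.g. `# Filesystem path to a PEM CA bundle the API server can read; a falsy value must not reach requests' verify= argument` — presumably the admin enters a path, not certificate text, but that is not visible here. `__init__` continues outside this hunk.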
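Review bot: `is_secure = WEB_URL[0].startswith("https")` raises `AttributeError` whenever WEB_URL is neither stored in the configuration nor present in the environment, because the default `os.environ.get("WEB_URL")` is then `None`; the replaced `request.is_secure()` path never failed, so this turns every OIDC login on such a deployment into a 500. The scheme now comes from WEB_URL while the host still comes from `request.get_host()`, so behind a proxy the two halves of the callback URL can still disagree, which is the case the commit title says it fixes. A safer minimal form is `web_url = WEB_URL[0] or ""` followed by `is_secure = web_url.lower().startswith("https") or request.is_secure()`, which keeps the old behaviour as a fallback and tolerates an upper-case scheme. If the deployment terminates TLS at a reverse proxy, configuring Django's `SECURE_PROXY_SSL_HEADER` makes `request.is_secure()` correct without a second source of truth. `__init__` continues outside this hunk.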
@@ -124,6 +136,42 @@ def set_token_data(self):
 }
 )
+ def get_user_token(self, data, headers=None):
+ try:
+ headers = headers or {}
+ response = requests.post(
+ self.get_token_url(), data=data, headers=headers, verify=self.idp_ca_cert
+ )
+ response.raise_for_status()
+ return response.json()
+ except requests.RequestException as ex:
+ logger = logging.getLogger("plane")
+ logger.error("Error getting token from oidc auth provider: {}".format(ex))
+ code = self.authentication_error_code()
+ raise AuthenticationException(
+ error_code=AUTHENTICATION_ERROR_CODES[code],
+ error_message=str(code),
+ )
+
+
+ def get_user_response(self):
+ try:
+ headers = {
+ "Authorization": f"Bearer {self.token_data.get('access_token')}"
+ }
+ response = requests.get(self.get_user_info_url(), headers=headers, verify=self.idp_ca_cert)
+ response.raise_for_status()
+ return response.json()
+ except requests.RequestException as ex:
+ logger = logging.getLogger("plane")
+ logger.error("Error getting user info from oidc auth provider: {}".format(ex))
+ code = self.authentication_error_code()
+ raise AuthenticationException(
+ error_code=AUTHENTICATION_ERROR_CODES[code],
+ error_message=str(code),
+ )
+
+
+ def set_user_data(self):
 user_info_response = self.get_user_response()
 email = user_info_response.get("email")
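Review bot: Neither `requests.post(...)` in `get_user_token` nor `requests.get(...)` in `get_user_response` sets a `timeout`, so a stalled or slow IdP holds the API worker for as long as the socket stays open during login; add `timeout=10` (value illustrative) to both calls alongside `verify=self.idp_ca_cert`. Both `except` blocks are copies of each other and format the exception eagerly; `logger.exception("Error getting token from oidc auth provider")` (and the user-info equivalent) keeps the traceback, formats lazily, and the shared error-to-`AuthenticationException` tail could live in one private helper. `response.json()` on a non-JSON body raises `requests.exceptions.JSONDecodeError` only on requests 2.27 and later; on older versions it is a plain `ValueError` that escapes this handler, so `except (requests.RequestException, ValueError) as ex:` covers both. These methods presumably override the adapter base class, so their signatures (`data, headers=None`) should be checked against the base definitions, which are not visible here.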