0b269e7ea7
A partner or tenant admin could complete the dezky-operator OIDC flow and
land on the operator portal. The platform-api OperatorGuard already 403s
their data, but the login/UI layer had no authorization check at all — the
only gate was a manual Authentik UI setting with nothing in git enforcing it.
Close it with defense-in-depth across three independent layers:
1. IdP — operator-application.yaml blueprint binds an
ak_is_group_member("dezky-platform-admins") policy to the dezky-operator
app, so Authentik denies the OIDC flow for non-admins. The blueprint also
provisions the provider + application (state: created, so a fresh env is
built from code while an existing hand-made provider is left untouched).
Wire OPERATOR_OIDC_* into both authentik containers and mount the
blueprints dir on the worker (it applies blueprints, and previously lacked
the mount).
2. Operator app — require-platform-admin.global.ts requires platformAdmin and
routes a non-admin to not-authorized.vue, which triggers a full sign-out
(local + Authentik IdP) for shared-workstation safety. Fails open on a
transient /api/me error by design, to avoid mass-signout on platform-api
restarts; layers 1 and 3 contain the exposure.
3. platform-api — OperatorGuard (unchanged) requires dezky-operator audience
plus platformAdmin resolved from the DB on every request.
Also harden the partner surface: it shares the dezky-portal client with tenant
users so it has no IdP gate, and its /partner/* route middleware now fails
CLOSED when identity can't be confirmed.
Docs (AUTHENTIK-SETUP.md) and .env.example updated; the operator client secret
must be set before first boot since the blueprint now consumes it.
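The three layers the commit message describes, written out as plain decision functions so the fail-open choice in the operator UI and the fail-closed choice on the partner surface sit side by side. This is an added illustration, not code from the dezky repository; the type and function names (MeResult, operatorRouteDecision, partnerRouteDecision, operatorApiGuard, idpPolicyAllowsOperatorLogin) and the sample admin table are assumptions chosen for the example.

```typescript
// Added illustration, not code from the dezky repository: the access
// decisions the commit describes at its three layers, written so the
// fail-open (operator UI) versus fail-closed (partner UI) choice is explicit.
// Type and function names here are assumptions chosen for this example.

// Layer 1, IdP: the blueprint binds ak_is_group_member("dezky-platform-admins")
// to the dezky-operator application, so Authentik denies the OIDC flow to
// anyone outside that group. Modelled as a pure check over the user's groups.
function idpPolicyAllowsOperatorLogin(groups: string[]): boolean {
  return groups.indexOf("dezky-platform-admins") >= 0;
}

// What the UI layer learns from /api/me. "transient" is a 5xx or network
// failure: the identity is unknown, not absent.
type MeResult =
  | { kind: "ok"; platformAdmin: boolean; partner: boolean }
  | { kind: "unauthenticated" }
  | { kind: "transient"; status: number };

type Decision = "allow" | "signout" | "redirect-login";

// Layer 2, operator app (require-platform-admin.global.ts in the commit):
// a confirmed non-admin is routed to not-authorized and signed out of both
// the local session and the IdP; a transient /api/me failure is let through
// so a platform-api restart does not mass-signout operators. Failing open
// here is tolerable only because layers 1 and 3 still deny non-admins.
function operatorRouteDecision(me: MeResult): Decision {
  if (me.kind === "ok") return me.platformAdmin ? "allow" : "signout";
  if (me.kind === "unauthenticated") return "redirect-login";
  return "allow"; // transient: fail open by design
}

// Partner surface: shares the dezky-portal client with tenant users, so
// there is no IdP gate behind it. Anything short of a confirmed partner
// identity, including a transient error, is denied (fail closed).
function partnerRouteDecision(me: MeResult): Decision {
  if (me.kind === "ok" && me.partner) return "allow";
  return "redirect-login";
}

// Layer 3, platform-api (OperatorGuard): the bearer token must carry the
// dezky-operator audience AND the subject must be a platform admin per the
// database on every request, so an admin revoked in the DB loses access
// immediately rather than at token expiry. isPlatformAdmin stands in for
// the DB query.
interface TokenClaims {
  aud: string | string[];
  sub: string;
}

function operatorApiGuard(
  claims: TokenClaims,
  isPlatformAdmin: (sub: string) => boolean,
): boolean {
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (audiences.indexOf("dezky-operator") < 0) return false;
  return isPlatformAdmin(claims.sub);
}

// Constructed sample admin table (stands in for the DB): only "u-admin"
// is a platform admin.
const sampleAdmins: { [sub: string]: boolean } = { "u-admin": true, "u-tenant": false };
const sampleLookup = (sub: string): boolean => sampleAdmins[sub] === true;

// Each line shows one layer rejecting a case the others would let through,
// e.g. a portal-audience token held by a real admin is still refused at
// layer 3 because audience and admin status are independent checks.
function demo(): string[] {
  return [
    `idp, tenant-only groups: ${idpPolicyAllowsOperatorLogin(["tenant-users"])}`,
    `operator ui, /api/me 503: ${operatorRouteDecision({ kind: "transient", status: 503 })}`,
    `partner ui, /api/me 503: ${partnerRouteDecision({ kind: "transient", status: 503 })}`,
    `api, portal audience + admin: ${operatorApiGuard({ aud: "dezky-portal", sub: "u-admin" }, sampleLookup)}`,
  ];
}

console.log(demo().join("\n"));
```

The point of keeping the three checks as separate functions is that each one can be reasoned about on its own: the operator UI's fail-open branch is safe only while the IdP policy and the API guard remain in place, which is exactly the dependency the commit message calls out.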
60 lines
3.8 KiB
Bash
# ─────────────────────────────────────────────────────────────────
# Dezky Local Development — Environment Variables
# ─────────────────────────────────────────────────────────────────
#
# Copy this file to .env and fill in the values.
# Generate secure random values with: openssl rand -hex 32
#
# DO NOT commit .env to git.
# ─────────────────────────────────────────────────────────────────

# ────────────────────────────────────────
# Database root passwords
# ────────────────────────────────────────
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
REDIS_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Per-service DB passwords
# ────────────────────────────────────────
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
OCIS_DB_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Authentik
# ────────────────────────────────────────
# AUTHENTIK_SECRET_KEY must be 50+ chars
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32

# ────────────────────────────────────────
# Operator OIDC (dezky-operator)
# ────────────────────────────────────────
# The operator app differs from the portal: its OAuth provider is provisioned
# declaratively by the operator-application blueprint, which CONSUMES the secret
# below (rather than Authentik generating one for you to copy out). You must set
# a value BEFORE first boot — on a fresh environment the blueprint creates the
# provider with exactly this secret, and the operator container authenticates
# with the same value, so the two only agree if it's set here first.
# Generate with: openssl rand -hex 64
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64

# ────────────────────────────────────────
# Stalwart Mail
# ────────────────────────────────────────
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# OCIS
# ────────────────────────────────────────
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Collabora
# ────────────────────────────────────────
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand
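A pre-boot check for a .env produced from the file above, since the file's own comments make two constraints explicit (AUTHENTIK_SECRET_KEY must be 50+ chars; OPERATOR_OIDC_CLIENT_SECRET must hold a value before first boot because the blueprint consumes it) and every placeholder value left in place is a deployment with a known default. This is an added example, not part of the dezky repository; the function names (parseDotenv, checkEnv, problemKeys) and the constructed sample .env are assumptions for the example.

```typescript
// Added example, not part of the dezky repository: a pre-boot check for the
// .env derived from .env.example. It parses KEY=VALUE lines, flags values
// still holding the "changeme"/"change_this" placeholders, and enforces the
// two constraints the file's comments state: AUTHENTIK_SECRET_KEY must be
// 50+ chars, and OPERATOR_OIDC_CLIENT_SECRET (like every other key) must be
// set before first boot. Function names are assumptions for this example.

interface EnvProblem {
  key: string;
  reason: string;
}

// The keys .env.example declares; each must be present and non-empty.
const REQUIRED_KEYS: string[] = [
  "POSTGRES_ROOT_PASSWORD", "MONGO_ROOT_PASSWORD", "REDIS_PASSWORD",
  "AUTHENTIK_DB_PASSWORD", "OCIS_DB_PASSWORD",
  "AUTHENTIK_SECRET_KEY", "AUTHENTIK_BOOTSTRAP_PASSWORD", "AUTHENTIK_BOOTSTRAP_TOKEN",
  "OPERATOR_OIDC_CLIENT_ID", "OPERATOR_OIDC_CLIENT_SECRET",
  "STALWART_ADMIN_PASSWORD", "OCIS_ADMIN_PASSWORD", "COLLABORA_ADMIN_PASSWORD",
];

// Minimal dotenv parser: skips blank lines and comments, splits on the first
// "=" only, so a secret that itself contains "=" survives intact.
function parseDotenv(text: string): { [key: string]: string } {
  const vars: { [key: string]: string } = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return vars;
}

function checkEnv(vars: { [key: string]: string }): EnvProblem[] {
  const problems: EnvProblem[] = [];
  for (const key of REQUIRED_KEYS) {
    const value = vars[key];
    if (value === undefined || value === "") {
      problems.push({ key, reason: "missing or empty; must be set before first boot" });
      continue;
    }
    if (/changeme|change_this/i.test(value)) {
      problems.push({ key, reason: "still holds the .env.example placeholder" });
    }
  }
  // Length rule from the file's own comment; a placeholder is reported above,
  // so only a real-looking but short value is flagged here.
  const secretKey = vars["AUTHENTIK_SECRET_KEY"] || "";
  if (secretKey.length > 0 && secretKey.length < 50 && !/changeme/i.test(secretKey)) {
    problems.push({ key: "AUTHENTIK_SECRET_KEY", reason: `must be 50+ chars, got ${secretKey.length}` });
  }
  return problems;
}

// Sorted, de-duplicated list of offending keys, handy for a one-line summary.
function problemKeys(problems: EnvProblem[]): string[] {
  return problems
    .map((p) => p.key)
    .filter((k, i, arr) => arr.indexOf(k) === i)
    .sort();
}

// Constructed sample .env (not a real deployment) with four planted defects:
// a root-password placeholder, a 40-char secret key, the bootstrap-password
// placeholder, and an empty operator client secret.
const sampleEnv = `
# constructed sample, not a real deployment
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=sample-mongo-root-pw
REDIS_PASSWORD=sample-redis-pw
AUTHENTIK_DB_PASSWORD=sample-authentik-db-pw
OCIS_DB_PASSWORD=sample-ocis-db-pw
AUTHENTIK_SECRET_KEY=0123456789abcdef0123456789abcdef01234567
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
AUTHENTIK_BOOTSTRAP_TOKEN=sample-bootstrap-token
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=
STALWART_ADMIN_PASSWORD=sample-stalwart-pw
OCIS_ADMIN_PASSWORD=sample-ocis-admin-pw
COLLABORA_ADMIN_PASSWORD=sample-collabora-pw
`;

function sampleReport(): EnvProblem[] {
  return checkEnv(parseDotenv(sampleEnv));
}

for (const p of sampleReport()) console.log(`${p.key}: ${p.reason}`);
```

Run it before the first `docker compose up`; an empty report is the precondition the .env.example comment is asking for, and the empty-secret case is the one that otherwise surfaces only as an OIDC client-auth failure after the blueprint has already created the provider.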