From: Redouane Kachach
Date: Fri, 6 Sep 2024 10:44:45 +0000 (+0200)
Subject: mgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains
X-Git-Tag: v20.0.0~1073^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F59634%2Fhead;p=ceph.git
mgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains
this field is needed in order to configure which domains are allowed for redirection during login and/or logout
Fixes: https://tracker.ceph.com/issues/67934
Signed-off-by: Redouane Kachach
---
diff --git a/src/pybind/mgr/cephadm/services/oauth2_proxy.py b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
index a84f44817ee0..c19005c95f3c 100644
--- a/src/pybind/mgr/cephadm/services/oauth2_proxy.py
+++ b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -67,10 +67,12 @@ class OAuth2ProxyService(CephadmService):
 def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
 assert self.TYPE == daemon_spec.daemon_type
 svc_spec = cast(OAuth2ProxySpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+ whitelist_domains = svc_spec.whitelist_domains or []
+ whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')
 context = {
 'spec': svc_spec,
 'cookie_secret': svc_spec.cookie_secret or self.generate_random_secret(),
- 'whitelist_domains': self.get_service_ips_and_hosts('mgmt-gateway'),
+ 'whitelist_domains': whitelist_domains,
 'redirect_url': svc_spec.redirect_url or self.get_redirect_url()
 }
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 0efd10545c6b..2b1afc141d8d 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
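Review bot: The new `whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')` mutates the spec object in place whenever `svc_spec.whitelist_domains` is a non-empty list, because `svc_spec.whitelist_domains or []` returns that very list rather than a copy, and the spec comes out of `self.mgr.spec_store`. Each call to generate_config (every redeploy or reconfig) therefore appends the mgmt-gateway addresses into the stored spec again, so the list grows with duplicates and the stored spec no longer reflects what the operator declared; only the empty/None case gets a fresh list. Copy before extending, `whitelist_domains = list(svc_spec.whitelist_domains or [])`, and keep the `+=` line as is. Since these entries are operator-supplied strings that become oauth2-proxy's redirect allow-list, it also seems worth checking (here or in the spec's validation) that each entry is a non-empty, whitespace-free hostname, so a typo cannot silently widen the allow-list this field exists to restrict. generate_config's body continues outside the hunk.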
@@ -1920,6 +1920,7 @@ class OAuth2ProxySpec(ServiceSpec):
 cookie_secret: Optional[str] = None,
 ssl_certificate: Optional[str] = None,
 ssl_certificate_key: Optional[str] = None,
+ whitelist_domains: Optional[List[str]] = None,
 unmanaged: bool = False,
 extra_container_args: Optional[GeneralArgList] = None,
 extra_entrypoint_args: Optional[GeneralArgList] = None,
@@ -1955,6 +1956,9 @@ class OAuth2ProxySpec(ServiceSpec):
 self.ssl_certificate = ssl_certificate
 #: The multi-line SSL certificate private key for decrypting communications.
 self.ssl_certificate_key = ssl_certificate_key
+ #: List of allowed domains for safe redirection after login or logout,
+ # preventing unauthorized redirects.
+ self.whitelist_domains = whitelist_domains
 self.unmanaged = unmanaged
 def get_port_start(self) -> List[int]:
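Review bot: The second line of the new attribute comment in the `@@ -1955` hunk starts with a plain `#` while the first starts with `#:`, so under the Sphinx attribute-doc convention the surrounding fields use (see the `#: The multi-line SSL certificate private key ...` context line) the continuation is likely dropped from the generated docs; make both lines `#: List of allowed domains for safe redirection after login or logout,` and `#: preventing unauthorized redirects.`. The same `@@ -1955` hunk stores `whitelist_domains` without any validation, and the `@@ -1920` hunk types it as `Optional[List[str]]` while the spec is normally populated from operator-supplied YAML/JSON; since the values feed the oauth2-proxy redirect allow-list, a check that every entry is a non-empty `str` without whitespace (in the class's `validate()` override, if it has one, otherwise a new one calling `super().validate()`) would reject malformed entries before they weaken the allow-list. Both hunks sit inside `OAuth2ProxySpec.__init__`, whose start and end are outside the shown lines.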