From aaab2132ffc066bed6b184b591ae4b30597ea508 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 14:52:09 -0500 Subject: [PATCH 01/27] Configure okta --- charts/opserver/templates/deployment.yaml | 37 +++++++++++++++++++ .../opserver/templates/opserver-secret.yaml | 18 +++++++++ charts/opserver/values.yaml | 14 +++++++ cnab/app/variables.GCP.json | 7 +++- 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 charts/opserver/templates/opserver-secret.yaml diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 3ea6d5a5..60e46c53 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -110,6 +110,43 @@ spec:
 secretKeyRef:
 name: {{ .Values.sqlExternalSecret.targetName }}
 key: exceptionalPassword
+ - name: Security__Provider
+ value: {{ .Values.security.provider }}
+
+{{- if eq .Values.security.provider "OIDC" }}
+ - name: Security__Name
+ value: "Okta"
+ - name: Security__ViewEverythingGroups
+ value: {{ .Values.security.viewGroups | quote }}
+ - name: Security__AdminEverythingGroups
+ value: {{ .Values.security.adminGroups | quote }}
+ - name: Security__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.opserverSecret.targetName }}
+ key: oktaClientId
+ - name: Security__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.opserverSecret.targetName }}
+ key: oktaClientSecret
+ - name: Security__AuthorizationUrl
+ value: "https://stackoverflow.okta.com/oauth2/v1/authorize"
+ - name: Security__AccessTokenUrl
+ value: "https://stackoverflow.okta.com/oauth2/v1/token"
+ - name: Security__UserInfoUrl
+ value: "https://stackoverflow.okta.com/oauth2/v1/userinfo"
+ - name: Security__NameClaim
+ value: "preferred_username"
+ - name: Security__GroupsClaim
+ value: "groups"
+ - name: Security__Scopes__0
+ value: "email"
+ - name: Security__Scopes__1
+ value: "groups"
+ - name: Security__Scopes__2
+ value: "profile"
+{{- end }}

 {{- if hasKey .Values.opserverSettings "sql" }}
 - name: Modules__Sql__defaultConnectionString
diff --git a/charts/opserver/templates/opserver-secret.yaml b/charts/opserver/templates/opserver-secret.yaml
new file mode 100644
index 00000000..d48934a7
--- /dev/null
+++ b/charts/opserver/templates/opserver-secret.yaml
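Review bot: `Security__Provider` is the one scalar in this block emitted unquoted (`value: {{ .Values.security.provider }}`) while every neighbour goes through `| quote` or a literal string; an empty or YAML-typed value renders as something other than a string and the Deployment fails validation, so use `value: {{ .Values.security.provider | quote }}`. The three Okta endpoints are hard-coded to a single tenant (`stackoverflow.okta.com`) inside the template, which means the chart cannot be pointed at a staging or test issuer without editing it; they belong in values (an issuer base URL with the `/authorize`, `/token`, `/userinfo` paths appended) with a comment such as `# OIDC issuer for the Okta org this release authenticates against`. The scope list is `email`, `groups`, `profile` and omits `openid`; Okta's userinfo endpoint expects a token minted with the `openid` scope, so unless the application prepends `openid` itself (`OIDCSecuritySettings.DefaultScopes` is not visible here) the userinfo call that feeds the name and group claims will be refused — worth confirming before this ships.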
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ .Values.opserverSecret.name }} +spec: + refreshInterval: {{ .Values.opserverSecret.refreshInterval }} + secretStoreRef: + name: {{ .Values.opserverSecret.storeRefName }} + kind: ClusterSecretStore + target: + name: {{ .Values.opserverSecret.targetName }} + data: + - secretKey: oktaClientId + remoteRef: + key: {{ .Values.opserverSecret.remoteRefs.oktaClientId }} + - secretKey: oktaClientSecret + remoteRef: + key: {{ .Values.opserverSecret.remoteRefs.oktaClientSecret }} diff --git a/charts/opserver/values.yaml b/charts/opserver/values.yaml index d0d9c0ba..88644899 100644 --- a/charts/opserver/values.yaml +++ b/charts/opserver/values.yaml @@ -5,6 +5,11 @@ tier: "Local" product: "public" # used for datadog metrics and logs aspnetcoreEnvironment: "Local" +security: + provider: "EveryonesAnAdmin" + viewGroups: "" + adminGroups: "" + requests: cpu: "1m" memory: "1M" @@ -53,6 +58,15 @@ ingress: db: ExceptionalDbName: Local.Exceptions +opserverSecret: + name: opserver-secret + refreshInterval: 5m + storeRefName: fakeopserversecretstore + targetName: opserver-secret + remoteRefs: + oktaClientId: opserver-okta-client-id + oktaClientSecret: opserver-okta-client-secret + sqlExternalSecret: name: opserver-sqldb-external-secret refreshInterval: 5m diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 22164e5c..0fa7c59a 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -38,7 +38,12 @@ ], "exceptions": [ { "serverName": "host.docker.internal" } - ] + ], + "security": { + "adminGroups": ["OpserverDev-Admin"], + "viewGroups": ["OpserverDev-View"], + "provider": "OIDC" + } } } } \ No newline at end of file From 52fba3431b2f523c294eaf0370a76207aae33844 Mon Sep 17 00:00:00 2001 
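Review bot: The new `ExternalSecret` is rendered unconditionally, while the Deployment only references its `oktaClientId`/`oktaClientSecret` keys inside the `{{- if eq .Values.security.provider "OIDC" }}` block; every non-OIDC install therefore still demands a working `ClusterSecretStore` and two remote keys, and with the shipped default `storeRefName: fakeopserversecretstore` that object can never sync and sits in error. Wrap the whole template in the same guard — `{{- if eq .Values.security.provider "OIDC" }}` as the first line and `{{- end }}` as the last — so the secret plumbing exists exactly when the provider needs it. A header comment stating the coupling would help the next person: `# Only needed for the OIDC provider; supplies the Okta client id/secret consumed by deployment.yaml.`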
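Review bot: The chart default `security.provider: "EveryonesAnAdmin"` fails open: any release installed with stock values, or any CNAB run that forgets to pass `security`, comes up treating every request as a global admin of the monitoring console. Defaults in a chart should fail closed — default to a read-only or no-access provider if the application offers one (if I recall the provider list correctly Opserver has shipped an `EveryonesReadOnly` provider), or make the key mandatory in the template with `{{ required "security.provider must be set" .Values.security.provider }}` so a forgotten override aborts the render rather than deploying open. Either way the key deserves a comment: `# Fail-closed default; set to "OIDC" together with viewGroups/adminGroups for real deployments.`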
From: Stephen Vakil Date: Thu, 18 Jul 2024 15:19:54 -0500 Subject: [PATCH 02/27] Fixes for charts relating to the new secrets --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 4 ++-- charts/opserver/templates/opserver-secret.yaml | 12 ++++++------ charts/opserver/values.yaml | 2 +- cnab/app/run.ps1 | 11 +++++++++++ cnab/app/variables.GCP.json | 5 +++-- 6 files changed, 24 insertions(+), 12 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 6bee433f..6b40b2dc 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.1 +version: 1.0.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 60e46c53..68a16e05 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -123,12 +123,12 @@ spec: - name: Security__ClientId valueFrom: secretKeyRef: - name: {{ .Values.opserverSecret.targetName }} + name: {{ .Values.opserverExternalSecret.targetName }} key: oktaClientId - name: Security__ClientSecret valueFrom: secretKeyRef: - name: {{ .Values.opserverSecret.targetName }} + name: {{ .Values.opserverExternalSecret.targetName }} key: oktaClientSecret - name: Security__AuthorizationUrl value: "https://stackoverflow.okta.com/oauth2/v1/authorize" diff --git a/charts/opserver/templates/opserver-secret.yaml b/charts/opserver/templates/opserver-secret.yaml index d48934a7..6df7eef7 100644 --- a/charts/opserver/templates/opserver-secret.yaml 
+++ b/charts/opserver/templates/opserver-secret.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: {{ .Values.opserverSecret.name }} + name: {{ .Values.opserverExternalSecret.name }} spec: - refreshInterval: {{ .Values.opserverSecret.refreshInterval }} + refreshInterval: {{ .Values.opserverExternalSecret.refreshInterval }} secretStoreRef: - name: {{ .Values.opserverSecret.storeRefName }} + name: {{ .Values.opserverExternalSecret.storeRefName }} kind: ClusterSecretStore target: - name: {{ .Values.opserverSecret.targetName }} + name: {{ .Values.opserverExternalSecret.targetName }} data: - secretKey: oktaClientId remoteRef: - key: {{ .Values.opserverSecret.remoteRefs.oktaClientId }} + key: {{ .Values.opserverExternalSecret.remoteRefs.oktaClientId }} - secretKey: oktaClientSecret remoteRef: - key: {{ .Values.opserverSecret.remoteRefs.oktaClientSecret }} + key: {{ .Values.opserverExternalSecret.remoteRefs.oktaClientSecret }} diff --git a/charts/opserver/values.yaml b/charts/opserver/values.yaml index 88644899..143b34b5 100644 --- a/charts/opserver/values.yaml +++ b/charts/opserver/values.yaml @@ -58,7 +58,7 @@ ingress: db: ExceptionalDbName: Local.Exceptions -opserverSecret: +opserverExternalSecret: name: opserver-secret refreshInterval: 5m storeRefName: fakeopserversecretstore diff --git a/cnab/app/run.ps1 b/cnab/app/run.ps1 index 36af260e..0b8a528b 100644 --- a/cnab/app/run.ps1 +++ b/cnab/app/run.ps1 @@ -174,6 +174,17 @@ switch ($action) { } } + opserverExternalSecret = @{ + name = "opserver-external-secret" + refreshInterval = "5m" + storeRefName = $vars.vars.secretStore + targetName = "opserver-secret" + remoteRefs = @{ + oktaClientId = "opserver-okta-client-id" + oktaClientSecret = "opserver-okta-client-secret" + } + } + opserverSettings = $vars.vars.opserverSettings adminRolebindingGroupId = $vars.vars.adminRolebindingGroupId 
diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 0fa7c59a..097b93d2 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -4,11 +4,11 @@ "product": "pubplat", "project": "opserver", "tenant": "sandbox", - "releaseTag": "pr-250" + "releaseTag": "pr-5" }, "runtime": { "cd": false, - "local": true, + "local": false, "name": "GCP" }, "tenant_metadata": { @@ -33,6 +33,7 @@ "isHADRPrimary": "true", "podDisruptionBudgetMinAvailable": "1", "opserverSettings": { + "hostUrl": "opserver.sandbox.int.gcp.stackoverflow.net", "sql": [ { "name": "host.docker.internal" } ], From fcc2d5c73688c1ff9ceee9554ebea88291913926 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 15:38:52 -0500 Subject: [PATCH 03/27] Refactor security provider chart settings --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 6 +++--- charts/opserver/values.yaml | 5 ----- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 6b40b2dc..f9caa75d 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.2 +version: 1.0.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 68a16e05..f16a69c0 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -113,13 +113,13 @@ spec: - name: Security__Provider value: {{ .Values.security.provider }} -{{- if eq .Values.security.provider "OIDC" }} +{{- if eq .Values.opserverSettings.security.provider "OIDC" }} - name: Security__Name value: "Okta" - name: Security__ViewEverythingGroups - value: {{ .Values.security.viewGroups | quote }} + value: {{ .Values.opserverSettings.security.viewGroups | quote }} - name: Security__AdminEverythingGroups - value: {{ .Values.security.adminGroups | quote }} + value: {{ .Values.opserverSettings.security.adminGroups | quote }} - name: Security__ClientId valueFrom: secretKeyRef: diff --git a/charts/opserver/values.yaml b/charts/opserver/values.yaml index 143b34b5..06a319c2 100644 --- a/charts/opserver/values.yaml +++ b/charts/opserver/values.yaml @@ -5,11 +5,6 @@ tier: "Local" product: "public" # used for datadog metrics and logs aspnetcoreEnvironment: "Local" -security: - provider: "EveryonesAnAdmin" - viewGroups: "" - adminGroups: "" - requests: cpu: "1m" memory: "1M" From b364fb0c2aa22ca83f9f55c3ea68eb5a811f4c20 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 15:45:30 -0500 Subject: [PATCH 04/27] Check for null in opserverSettings.security before evaluating --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index f9caa75d..60bd4f67 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.3 +version: 1.0.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index f16a69c0..3b04ff2c 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -113,7 +113,7 @@ spec: - name: Security__Provider value: {{ .Values.security.provider }} -{{- if eq .Values.opserverSettings.security.provider "OIDC" }} +{{- if and (.Values.opserverSettings.security) (eq .Values.opserverSettings.security.provider "OIDC") }} - name: Security__Name value: "Okta" - name: Security__ViewEverythingGroups From 37b2015a69e4824a2533195a4bebdf29d85b7d34 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 15:52:35 -0500 Subject: [PATCH 05/27] revert previous change; fix values property name --- charts/opserver/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 3b04ff2c..6874e25a 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -111,9 +111,9 @@ spec: name: {{ .Values.sqlExternalSecret.targetName }} key: exceptionalPassword - name: Security__Provider - value: {{ .Values.security.provider }} + value: {{ .Values.opserverSettings.security.provider }} -{{- if and (.Values.opserverSettings.security) (eq .Values.opserverSettings.security.provider "OIDC") }} +{{- if eq .Values.opserverSettings.security.provider "OIDC" }} - name: Security__Name value: "Okta" - name: Security__ViewEverythingGroups From 17abb2fc5f6ae537cc9731750587b2d89c715998 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 16:06:09 -0500 Subject: [PATCH 06/27] Add flag to always use https in oidc referral --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 2 ++ src/Opserver.Web/Controllers/AuthController.OIDC.cs | 3 ++- src/Opserver.Web/Security/OIDCSecuritySettings.cs | 5 +++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 60bd4f67..e20f2c55 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.4 +version: 1.0.7 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 6874e25a..4dc45b7c 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -114,6 +114,8 @@ spec:
 value: {{ .Values.opserverSettings.security.provider }}

 {{- if eq .Values.opserverSettings.security.provider "OIDC" }}
+ - name: Security__UseHttpsForRedirects
+ value: "true"
 - name: Security__Name
 value: "Okta"
 - name: Security__ViewEverythingGroups
diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
index e9087d48..ea656ffe 100644
--- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs
+++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
@@ -216,11 +216,12 @@ private IActionResult RedirectToProvider(string returnUrl)

 });
 var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings;
+ var scheme = (oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);
 var redirectUri = Url.Action(
 nameof(OAuthCallback),
 ControllerContext.ActionDescriptor.ControllerName,
 null,
- Request.Scheme,
+ scheme,
 Request.Host.Value,
 null
 );
diff --git a/src/Opserver.Web/Security/OIDCSecuritySettings.cs b/src/Opserver.Web/Security/OIDCSecuritySettings.cs
index ae4ee5ca..e1840898 100644
--- a/src/Opserver.Web/Security/OIDCSecuritySettings.cs
+++ b/src/Opserver.Web/Security/OIDCSecuritySettings.cs
@@ -46,5 +46,10 @@ public class OIDCSecuritySettings : SecuritySettings
 /// Gets or sets the name of the "name" claim.
 ///
 public string GroupsClaim { get; set; } = "groups";
+
+ ///
+ /// When redirecting to an OIDC provider, whether to always use https for the redirect/referral.
+ ///
+ public bool UseHttpsForRedirects { get; set; } = false;
 }
 }
From 6f70eaaacae2eba46a104918f57c0d3edfce9762 Mon Sep 17 00:00:00 2001
From: Stephen Vakil
Date: Thu, 18 Jul 2024 16:13:54 -0500
Subject: [PATCH 07/27] Always use https for scheme
---
 charts/opserver/Chart.yaml | 2 +-
 src/Opserver.Web/Controllers/AuthController.OIDC.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml
index e20f2c55..1c282226 100644
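Review bot: `UseHttpsForRedirects` treats the symptom — behind a TLS-terminating ingress `Request.Scheme` comes back as `http` — which suggests forwarded headers are not being applied, and that same gap leaves `Request.Host.Value`, which the lines right below place into `redirect_uri`, taken verbatim from whatever Host header reaches the pod. The durable fix is `UseForwardedHeaders` with `XForwardedProto | XForwardedHost` and `KnownProxies`/`KnownNetworks` restricted to the ingress, or building the callback from configured host (a `hostUrl` already appears in `variables.GCP.json`) instead of from the request; the provider's registered-redirect-URI allowlist bounds the damage, but the application should not rely on it. If the flag is kept, its doc comment in `OIDCSecuritySettings` should state its real scope: `/// Forces "https" as the scheme of the OAuth redirect_uri (the host still comes from the request); set when TLS terminates upstream of the app.` RedirectToProvider starts and ends outside the hunk.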
--- a/charts/opserver/Chart.yaml
+++ b/charts/opserver/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.7
+version: 1.0.8

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
index ea656ffe..d9e008fb 100644
--- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs
+++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
@@ -216,7 +216,7 @@ private IActionResult RedirectToProvider(string returnUrl)

 });
 var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings;
- var scheme = (oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);
+ var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);
 var redirectUri = Url.Action(
 nameof(OAuthCallback),
 ControllerContext.ActionDescriptor.ControllerName,
From 9633c1ae261e5408d554030f33ca9b1da8adabf6 Mon Sep 17 00:00:00 2001
From: Stephen Vakil
Date: Thu, 18 Jul 2024 18:42:28 -0500
Subject: [PATCH 08/27] Add logging statements (to remove later)
---
 src/Opserver.Web/Controllers/AuthController.OIDC.cs | 1 +
 src/Opserver.Web/Controllers/HomeController.cs | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
index d9e008fb..f2a14344 100644
--- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs
+++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
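Review bot: Hard-coding `var scheme = "https";` with the real expression parked in a trailing comment turns `UseHttpsForRedirects` into a dead setting — the chart still sets `Security__UseHttpsForRedirects=true` and the settings class still documents it — and it also breaks any plain-http run such as local development without TLS, because the `redirect_uri` sent to the provider no longer matches the callback actually being served and the code exchange will be rejected. Either restore `var scheme = oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme;` and drive the flag from the chart, or delete the property and its env var; commented-out code should not land in either case. RedirectToProvider's body continues outside the hunk.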
@@ -241,6 +241,7 @@ private IActionResult RedirectToProvider(string returnUrl) .Add("nonce", Guid.NewGuid().ToString("N")); authorizationUrl.Query = queryString.ToUriComponent(); + Console.WriteLine($"Redirecting to {authorizationUrl}"); return Redirect(authorizationUrl.ToString()); } diff --git a/src/Opserver.Web/Controllers/HomeController.cs b/src/Opserver.Web/Controllers/HomeController.cs index c456aacd..d10a2041 100644 --- a/src/Opserver.Web/Controllers/HomeController.cs +++ b/src/Opserver.Web/Controllers/HomeController.cs @@ -54,6 +54,7 @@ HAProxyModule haproxy [DefaultRoute("")] public ActionResult Home() { + Console.WriteLine("Home Page loaded"); // TODO: Order foreach (var m in Modules) { From d3979184d8bc9f13e7e8581d41ff47b4f93700b2 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 18:52:32 -0500 Subject: [PATCH 09/27] Refactor redirecturi to a method used in both places --- .../Controllers/AuthController.OIDC.cs | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index f2a14344..130a1a2a 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs 
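Review bot: `Console.WriteLine($"Redirecting to {authorizationUrl}")` writes the complete authorization URL — including the `nonce` the preceding `.Add("nonce", ...)` just attached, the `state`, and presumably the client_id — to stdout on every login attempt; those parameters are the replay and CSRF protection for an in-flight login, and if stdout feeds the Datadog log pipeline the values file alludes to, whoever reads logs holds them while they are still usable. Even as throw-away debugging, go through the controller's `ILogger` at Debug and log only `authorizationUrl.Host` and `authorizationUrl.Path`, never the query string. The `Home Page loaded` line in HomeController is harmless but is likewise a per-request stdout write that should not outlive the troubleshooting session. RedirectToProvider starts outside the hunk.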
@@ -27,6 +27,22 @@ partial class AuthController
 private const string OidcIdentifierKey = "id";
 private const string OidcReturnUrlKey = "returnUrl";

+ private async Task GetRedirectUri()
+ {
+ var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings;
+ var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);
+ var redirectUri = Url.Action(
+ nameof(OAuthCallback),
+ ControllerContext.ActionDescriptor.ControllerName,
+ null,
+ scheme,
+ Request.Host.Value,
+ null
+ );
+ Console.WriteLine($"Redirect Uri = {redirectUri}");
+ return redirectUri;
+ }
+
 [AllowAnonymous]
 [HttpGet("login/oauth/callback")]
 public async Task OAuthCallback(string code, string state, string error = null)
@@ -74,14 +90,7 @@ public async Task OAuthCallback(string code, string state, string
 // hooray! we're all set, let's go fetch our access token
 var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings;
 var scopes = oidcSettings.Scopes ?? OIDCSecuritySettings.DefaultScopes;
- var redirectUri = Url.Action(
- nameof(OAuthCallback),
- ControllerContext.ActionDescriptor.ControllerName,
- null,
- Request.Scheme,
- Request.Host.Value,
- null
- );
+ var redirectUri = await GetRedirectUri();

 var form = new NameValueCollection
 {
@@ -217,14 +226,7 @@ private IActionResult RedirectToProvider(string returnUrl)
 });
 var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings;
 var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);
- var redirectUri = Url.Action(
- nameof(OAuthCallback),
- ControllerContext.ActionDescriptor.ControllerName,
- null,
- Request.Scheme,
- Request.Host.Value,
- null
- );
+ var redirectUri = await GetRedirectUri();

 // construct the URL to the authorization endpoint
 var authorizationUrl = new UriBuilder(oidcSettings.AuthorizationUrl);
From 0a3719d9a4ac0d842c31e376d0f92ab5fd4ca5aa Mon Sep 17 00:00:00 2001
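Review bot: In the new `GetRedirectUri` the `oidcSettings` local is dead — its only mention is inside the trailing comment on the following line — so the settings cast runs for nothing and the compiler will warn; either use it, `var scheme = oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme;`, or drop the line. Since this helper is now the single place the callback URL is built for both the authorize request and the code exchange, it should carry a doc comment stating its contract, e.g. `/// Builds the absolute redirect_uri for OAuthCallback; the host is taken from the incoming request, so forwarded-header handling must be configured when the app sits behind a proxy.` OAuthCallback and RedirectToProvider both extend beyond the hunks shown.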
From: Stephen Vakil Date: Thu, 18 Jul 2024 18:56:28 -0500 Subject: [PATCH 10/27] Change redirect uri method to be sync --- src/Opserver.Web/Controllers/AuthController.OIDC.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index 130a1a2a..f30df69c 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -27,7 +27,7 @@ partial class AuthController private const string OidcIdentifierKey = "id"; private const string OidcReturnUrlKey = "returnUrl"; - private async Task GetRedirectUri() + private string GetRedirectUri() { var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings; var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme); @@ -90,7 +90,7 @@ public async Task OAuthCallback(string code, string state, string // hooray! we're all set, let's go fetch our access token var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings; var scopes = oidcSettings.Scopes ?? OIDCSecuritySettings.DefaultScopes; - var redirectUri = await GetRedirectUri(); + var redirectUri = GetRedirectUri(); var form = new NameValueCollection { @@ -226,7 +226,7 @@ private IActionResult RedirectToProvider(string returnUrl) var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings; var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme); - var redirectUri = await GetRedirectUri(); + var redirectUri = GetRedirectUri(); // construct the URL to the authorization endpoint var authorizationUrl = new UriBuilder(oidcSettings.AuthorizationUrl); From aa2a65e7d87325458f8937c49578c09ee6591fdf Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 19:01:44 -0500 Subject: [PATCH 11/27] Remove unused variable --- src/Opserver.Web/Controllers/AuthController.OIDC.cs | 1 - 1 file changed, 1 deletion(-) 
diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index f30df69c..5c512e83 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -225,7 +225,6 @@ private IActionResult RedirectToProvider(string returnUrl) }); var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings; - var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme); var redirectUri = GetRedirectUri(); // construct the URL to the authorization endpoint From 7d947d5e52d03c93bf97650b23d06ff5c7609b04 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 19:10:55 -0500 Subject: [PATCH 12/27] Add redirect URI to callback error --- src/Opserver.Web/Controllers/AuthController.OIDC.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index 5c512e83..30b5ca3b 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -111,7 +111,7 @@ public async Task OAuthCallback(string code, string state, string if (!response.Success) { return Error( - $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data}" + $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data} - uri {rediectUri}" ); } From 5317cd9ea1ee99700138bbe7c0a07b93e21eab3d Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 19:12:50 -0500 Subject: [PATCH 13/27] Fix typo in variable name --- src/Opserver.Web/Controllers/AuthController.OIDC.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index 30b5ca3b..0cbd839d 100644 
--- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -111,7 +111,7 @@ public async Task OAuthCallback(string code, string state, string if (!response.Success) { return Error( - $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data} - uri {rediectUri}" + $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data} - uri {redirectUri}" ); } From d5e22349c59577d56260921ae4db627953b399b2 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 19:31:32 -0500 Subject: [PATCH 14/27] Add logging of user details in NoConfig view --- cnab/app/run.ps1 | 1 + cnab/app/variables.GCP.json | 4 ++-- src/Opserver.Web/Views/Shared/NoConfiguration.cshtml | 9 +++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/cnab/app/run.ps1 b/cnab/app/run.ps1 index 0b8a528b..11b8175c 100644 --- a/cnab/app/run.ps1 +++ b/cnab/app/run.ps1 @@ -150,6 +150,7 @@ switch ($action) { } image = @{ + pullPolicy = "Always" pullSecretName = $pullSecretName } diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 097b93d2..9b6270b0 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -35,10 +35,10 @@ "opserverSettings": { "hostUrl": "opserver.sandbox.int.gcp.stackoverflow.net", "sql": [ - { "name": "host.docker.internal" } + { "name": "db.db" } ], "exceptions": [ - { "serverName": "host.docker.internal" } + { "serverName": "db.db" } ], "security": { "adminGroups": ["OpserverDev-Admin"], diff --git a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml index c04b5eab..f28696fe 100644 --- a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml +++ b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml @@ -24,6 +24,15 @@

You can browse to /about to see how you have been authenticated and what monitors have been enabled.

+

+ Your access: +

    +
  • Account: @Current.Security.AccountName
  • +
  • Is Anonymous: @Current.Security.IsAnonymous
  • +
  • Is Global Admin: @Current.Security.IsGlobalAdmin
  • +
  • Roles: @string.Join(", ", Current.Security.Roles)
  • +
+

} From f23510c2c02f80fda6d8512877302032c09c396c Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Thu, 18 Jul 2024 19:34:07 -0500 Subject: [PATCH 15/27] Use correct class name in razor --- src/Opserver.Web/Views/Shared/NoConfiguration.cshtml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml index f28696fe..919b0a1c 100644 --- a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml +++ b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml @@ -27,10 +27,10 @@

Your access:

    -
  • Account: @Current.Security.AccountName
  • -
  • Is Anonymous: @Current.Security.IsAnonymous
  • -
  • Is Global Admin: @Current.Security.IsGlobalAdmin
  • -
  • Roles: @string.Join(", ", Current.Security.Roles)
  • +
  • Account: @Current.User.AccountName
  • +
  • Is Anonymous: @Current.User.IsAnonymous
  • +
  • Is Global Admin: @Current.User.IsGlobalAdmin
  • +
  • Roles: @string.Join(", ", Current.User.Roles)

}
From 34d18bea04fed32bc61125c0e0ede8366aa51485 Mon Sep 17 00:00:00 2001
From: Stephen Vakil
Date: Fri, 19 Jul 2024 10:36:04 -0500
Subject: [PATCH 16/27] Add logging in a few places to troubleshoot
---
 src/Opserver.Web/Controllers/AdminController.cs | 6 ++++++
 src/Opserver.Web/Controllers/AuthController.OIDC.cs | 3 +--
 src/Opserver.Web/Controllers/HomeController.cs | 7 +++++--
 src/Opserver.Web/Security/OIDCProvider.cs | 2 ++
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/Opserver.Web/Controllers/AdminController.cs b/src/Opserver.Web/Controllers/AdminController.cs
index 8b570d0a..e587d815 100644
--- a/src/Opserver.Web/Controllers/AdminController.cs
+++ b/src/Opserver.Web/Controllers/AdminController.cs
@@ -24,5 +24,11 @@ public ActionResult Dashboard()
 ///
 [Route("admin/errors/{resource?}/{subResource?}"), AlsoAllow(Roles.LocalRequest)]
 public Task InvokeErrorHandler() => ExceptionalMiddleware.HandleRequestAsync(HttpContext);
+
+ [Route("admin/throw"), AlsoAllow(Roles.LocalRequest)]
+ public ActionResult Throw()
+ {
+ throw new System.Exception("This is a test exception");
+ }
 }
 }
diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
index 0cbd839d..f1cdb596 100644
--- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs
+++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs
@@ -39,7 +39,6 @@ private string GetRedirectUri()
 Request.Host.Value,
 null
 );
- Console.WriteLine($"Redirect Uri = {redirectUri}");
 return redirectUri;
 }

@@ -111,7 +110,7 @@ public async Task OAuthCallback(string code, string state, string
 if (!response.Success)
 {
 return Error(
- $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data} - uri {redirectUri}"
+ $"failed to exchange authorization code for access token. {response.StatusCode} - {response.Data}"
 );
 }

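Review bot: `admin/throw` is a debugging endpoint that raises on purpose, and the hunk adds it to `AdminController` with no build-time or environment guard: it is exposed to admins and, through `AlsoAllow(Roles.LocalRequest)`, presumably to any caller that looks local to the pod (a port-forward, a sidecar, an SSRF that lands on loopback), which makes it a trivial way to flood the Exceptional store and whatever alerting hangs off it. Remove it before merge, or compile it only under `#if DEBUG` and document it: `/// Debug-only: throws a test exception to verify the Exceptional error pipeline; not for production builds.`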
diff --git a/src/Opserver.Web/Controllers/HomeController.cs b/src/Opserver.Web/Controllers/HomeController.cs
index d10a2041..b5b32fa3 100644
--- a/src/Opserver.Web/Controllers/HomeController.cs
+++ b/src/Opserver.Web/Controllers/HomeController.cs
@@ -54,15 +54,18 @@ HAProxyModule haproxy
 [DefaultRoute("")]
 public ActionResult Home()
 {
- Console.WriteLine("Home Page loaded");
 // TODO: Order
 foreach (var m in Modules)
 {
 //if (m.Enabled && m.SecuritySettings)
 // return RedirectToAction()...
+ Console.WriteLine(m)
 }

- static bool AllowMeMaybe(StatusModule m) => m.Enabled && Current.User.HasAccess(m);
+ static bool AllowMeMaybe(StatusModule m) {
+ Console.WriteLine($"Module: {m.Name}, Enabled: {m.Enabled}, HasAccess: {Current.User.HasAccess(m)");
+ return m.Enabled && Current.User.HasAccess(m);
+ }

 if (AllowMeMaybe(Dashboard))
 return RedirectToAction(nameof(DashboardController.Dashboard), "Dashboard");
diff --git a/src/Opserver.Web/Security/OIDCProvider.cs b/src/Opserver.Web/Security/OIDCProvider.cs
index a1caa243..d07b89bc 100644
--- a/src/Opserver.Web/Security/OIDCProvider.cs
+++ b/src/Opserver.Web/Security/OIDCProvider.cs
@@ -40,11 +40,13 @@ protected override bool TryValidateToken(OIDCToken token, out ClaimsPrincipal cl

 protected override bool InGroupsCore(User user, string[] groupNames)
 {
+ Console.WriteLine("Checking if user is in groups {0}", string.Join(", ", groupNames));
 var groupClaims = user.Principal.FindAll(x => x.Type == GroupsClaimType);
 foreach (var groupClaim in groupClaims)
 {
 if (groupNames.Any(x => string.Equals(groupClaim.Value, x, StringComparison.OrdinalIgnoreCase)))
 {
+ Console.WriteLine("User is in group {0}", groupClaim.Value);
 return true;
 }
 }
From 20e83e8e7d71249b4bc21b572055ea65ede99fff Mon Sep 17 00:00:00 2001
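Review bot: The rewritten `AllowMeMaybe` evaluates `Current.User.HasAccess(m)` twice per module — once inside the interpolated log string and once in the return — so every home-page hit now runs each module's group check twice, and the log line reports the raw access result rather than the decision actually taken. Compute the answer once and log that: `var allowed = m.Enabled && Current.User.HasAccess(m); Console.WriteLine($"Module: {m.Name}, Enabled: {m.Enabled}, Allowed: {allowed}"); return allowed;` — which also keeps the original short-circuit, so disabled modules never reach the access check. The `Console.WriteLine(m)` dropped into the foreach body prints a type name and adds nothing; it should go. Home()'s body continues past the hunk.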
From: Stephen Vakil Date: Fri, 19 Jul 2024 10:40:03 -0500 Subject: [PATCH 17/27] Various fixes caused by me refusing to compile before comitting --- src/Opserver.Web/Controllers/HomeController.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Opserver.Web/Controllers/HomeController.cs b/src/Opserver.Web/Controllers/HomeController.cs index b5b32fa3..c71e7c09 100644 --- a/src/Opserver.Web/Controllers/HomeController.cs +++ b/src/Opserver.Web/Controllers/HomeController.cs @@ -59,11 +59,10 @@ public ActionResult Home() { //if (m.Enabled && m.SecuritySettings) // return RedirectToAction()... - Console.WriteLine(m) } static bool AllowMeMaybe(StatusModule m) { - Console.WriteLine($"Module: {m.Name}, Enabled: {m.Enabled}, HasAccess: {Current.User.HasAccess(m)"); + Console.WriteLine($"Module: {m.Name}, Enabled: {m.Enabled}, HasAccess: {Current.User.HasAccess(m)}"); return m.Enabled && Current.User.HasAccess(m); } From 91d7ad385c3bfc6c94c20ac15ff0f849a71ad9e0 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 11:31:26 -0500 Subject: [PATCH 18/27] Log all user groups each time we check membership --- src/Opserver.Web/Security/OIDCProvider.cs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/Opserver.Web/Security/OIDCProvider.cs b/src/Opserver.Web/Security/OIDCProvider.cs index d07b89bc..1ec6b2ad 100644 --- a/src/Opserver.Web/Security/OIDCProvider.cs +++ b/src/Opserver.Web/Security/OIDCProvider.cs 
@@ -40,13 +40,16 @@ protected override bool TryValidateToken(OIDCToken token, out ClaimsPrincipal cl protected override bool InGroupsCore(User user, string[] groupNames) { - Console.WriteLine("Checking if user is in groups {0}", string.Join(", ", groupNames)); var groupClaims = user.Principal.FindAll(x => x.Type == GroupsClaimType); - foreach (var groupClaim in groupClaims) + var groupClaimValues = groupClaims.Select(x => x.Value).ToArray(); + Console.WriteLine("Checking if user is in groups {0}. User is in these groups: [{1}]", + string.Join(", ", groupNames), + string.Join(", ", groupClaimValues)); + foreach (var groupClaim in groupClaimValues) { - if (groupNames.Any(x => string.Equals(groupClaim.Value, x, StringComparison.OrdinalIgnoreCase))) + if (groupNames.Any(x => string.Equals(groupClaim, x, StringComparison.OrdinalIgnoreCase))) { - Console.WriteLine("User is in group {0}", groupClaim.Value); + Console.WriteLine("User is in group {0}", groupClaim); return true; } } From 5c1bcbbe8df7783188e2b4519047b3d18bf6bef6 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 11:58:06 -0500 Subject: [PATCH 19/27] More debugging logs in group checks --- src/Opserver.Web/Controllers/AuthController.OIDC.cs | 1 + src/Opserver.Web/Security/OIDCProvider.cs | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index f1cdb596..8370a533 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -50,6 +50,7 @@ public async Task OAuthCallback(string code, string state, string if (!Current.Security.IsConfigured) { + Console.WriteLine("No Security is configured!"); return View("NoConfiguration"); } diff --git a/src/Opserver.Web/Security/OIDCProvider.cs b/src/Opserver.Web/Security/OIDCProvider.cs index 1ec6b2ad..e81c2f13 100644 --- a/src/Opserver.Web/Security/OIDCProvider.cs 
+++ b/src/Opserver.Web/Security/OIDCProvider.cs @@ -42,9 +42,11 @@ protected override bool InGroupsCore(User user, string[] groupNames) { var groupClaims = user.Principal.FindAll(x => x.Type == GroupsClaimType); var groupClaimValues = groupClaims.Select(x => x.Value).ToArray(); - Console.WriteLine("Checking if user is in groups {0}. User is in these groups: [{1}]", + var intersection = groupClaimValues.Intersect(groupNames, StringComparer.OrdinalIgnoreCase); + Console.WriteLine("Checking if user is in groups [{0}]. User is in these groups: [{1}]. Intersect: [{2}]", string.Join(", ", groupNames), - string.Join(", ", groupClaimValues)); + string.Join(", ", groupClaimValues), + string.Join(", " , intersection)); foreach (var groupClaim in groupClaimValues) { if (groupNames.Any(x => string.Equals(groupClaim, x, StringComparison.OrdinalIgnoreCase))) From 81db36e081b81564cb49f130b05d72533e4426c0 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 12:09:02 -0500 Subject: [PATCH 20/27] Fix handling of array for groups in chart --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 1c282226..4c5a0913 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.8 +version: 1.0.9 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 4dc45b7c..151924b6 100644 
--- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -118,10 +118,14 @@ spec: value: "true" - name: Security__Name value: "Okta" - - name: Security__ViewEverythingGroups - value: {{ .Values.opserverSettings.security.viewGroups | quote }} - - name: Security__AdminEverythingGroups - value: {{ .Values.opserverSettings.security.adminGroups | quote }} + {{- range $i, $groupName := .Values.security.viewGroups }} + - name: Security__ViewEverythingGroups__{{ $i }} + value: {{ $groupName | quote }} + {{- end }} + {{- range $i, $groupName := .Values.security.adminGroups }} + - name: Security__AdminEverythingGroups__{{ $i }} + value: {{ $groupName | quote }} + {{- end }} - name: Security__ClientId valueFrom: secretKeyRef: From 5a6337a1363e143169b0dfec7b13095c62261ac5 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 12:26:08 -0500 Subject: [PATCH 21/27] Fix chart variable reference --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 4c5a0913..8b56528d 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.9 +version: 1.0.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 151924b6..4b5b4601 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -118,11 +118,11 @@ spec: value: "true" - name: Security__Name value: "Okta" - {{- range $i, $groupName := .Values.security.viewGroups }} + {{- range $i, $groupName := .Values.opserverSettings.security.viewGroups }} - name: Security__ViewEverythingGroups__{{ $i }} value: {{ $groupName | quote }} {{- end }} - {{- range $i, $groupName := .Values.security.adminGroups }} + {{- range $i, $groupName := .Values.opserverSettings.security.adminGroups }} - name: Security__AdminEverythingGroups__{{ $i }} value: {{ $groupName | quote }} {{- end }} From 0329c8def927ca6f7dbdb26c72b7b20fea49622e Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 12:38:13 -0500 Subject: [PATCH 22/27] Revert array stuff because it's semicolon-separated single string value --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 12 ++++-------- cnab/app/variables.GCP.json | 4 ++-- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 8b56528d..7c5dacaa 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.10 +version: 1.0.11 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 4b5b4601..4dc45b7c 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -118,14 +118,10 @@ spec: value: "true" - name: Security__Name value: "Okta" - {{- range $i, $groupName := .Values.opserverSettings.security.viewGroups }} - - name: Security__ViewEverythingGroups__{{ $i }} - value: {{ $groupName | quote }} - {{- end }} - {{- range $i, $groupName := .Values.opserverSettings.security.adminGroups }} - - name: Security__AdminEverythingGroups__{{ $i }} - value: {{ $groupName | quote }} - {{- end }} + - name: Security__ViewEverythingGroups + value: {{ .Values.opserverSettings.security.viewGroups | quote }} + - name: Security__AdminEverythingGroups + value: {{ .Values.opserverSettings.security.adminGroups | quote }} - name: Security__ClientId valueFrom: secretKeyRef: diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 9b6270b0..95730423 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -41,8 +41,8 @@ { "serverName": "db.db" } ], "security": { - "adminGroups": ["OpserverDev-Admin"], - "viewGroups": ["OpserverDev-View"], + "adminGroups": "OpserverDev-Admin", + "viewGroups": "OpserverDev-View", "provider": "OIDC" } } From f3db0ee5326d8e5b8356a245b1a62d13731b8cea Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 12:51:05 -0500 Subject: [PATCH 23/27] Set default db to master cuz nothing else makes sense --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 7c5dacaa..44239ec4 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml 
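Review bot: The restored `{{ .Values.opserverSettings.security.viewGroups | quote }}` (and the `adminGroups` line below it) silently depends on the value being a scalar: if someone sets a YAML list, as the previous revision of `variables.GCP.json` did, `quote` renders it as `"[OpserverDev-View]"` and no group ever matches, which fails closed but gives no error at deploy time. A template comment such as `# viewGroups/adminGroups: one semicolon-separated string, not a list` and a guard like `{{- if kindIs "slice" .Values.opserverSettings.security.adminGroups }}{{ fail "security.adminGroups must be a semicolon-separated string" }}{{- end }}` for both keys would turn that into a deploy-time failure. The enclosing `env` list and the provider conditional around it start outside the hunk.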
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.11 +version: 1.0.12 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 4dc45b7c..5456fd92 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -151,9 +151,11 @@ spec: {{- end }} {{- if hasKey .Values.opserverSettings "sql" }} - - name: Modules__Sql__defaultConnectionString - value: "Server=$(SQL_EXCEPTIONAL_SERVERNAME);Database=Local.Exceptions;User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);" {{- range $i, $instance := .Values.opserverSettings.sql }} + {{ - if eq $i 0 }} + - name: Modules__Sql__defaultConnectionString + value: "Server=$(SQL_EXCEPTIONAL_SERVERNAME);Database=master;User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);" + {{- end }} - name: Modules__Sql__instances__{{ $i }}__name value: "{{ $instance.name }}" {{- end }} From c24d367b1a396686eba71369d4c5ad861cccac87 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 12:57:07 -0500 Subject: [PATCH 24/27] fix whitespace issue in chart --- charts/opserver/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 5456fd92..187d4044 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml 
@@ -152,10 +152,10 @@ spec: {{- if hasKey .Values.opserverSettings "sql" }} {{- range $i, $instance := .Values.opserverSettings.sql }} - {{ - if eq $i 0 }} + {{- if eq $i 0 }} - name: Modules__Sql__defaultConnectionString value: "Server=$(SQL_EXCEPTIONAL_SERVERNAME);Database=master;User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);" - {{- end }} + {{- end }} - name: Modules__Sql__instances__{{ $i }}__name value: "{{ $instance.name }}" {{- end }} From cd7fd99302fc3777c2a6a61427ab1f7d90763ec9 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 13:09:36 -0500 Subject: [PATCH 25/27] Clean up all the logging --- cnab/app/run.ps1 | 1 - cnab/app/variables.GCP.json | 2 +- src/Opserver.Web/Controllers/AdminController.cs | 6 ------ src/Opserver.Web/Controllers/AuthController.OIDC.cs | 4 +--- src/Opserver.Web/Controllers/HomeController.cs | 5 +---- src/Opserver.Web/Security/OIDCProvider.cs | 11 ++--------- src/Opserver.Web/Views/Shared/NoConfiguration.cshtml | 9 --------- 7 files changed, 5 insertions(+), 33 deletions(-) diff --git a/cnab/app/run.ps1 b/cnab/app/run.ps1 index 11b8175c..0b8a528b 100644 --- a/cnab/app/run.ps1 +++ b/cnab/app/run.ps1 @@ -150,7 +150,6 @@ switch ($action) { } image = @{ - pullPolicy = "Always" pullSecretName = $pullSecretName } diff --git a/cnab/app/variables.GCP.json b/cnab/app/variables.GCP.json index 95730423..ca5036e0 100644 --- a/cnab/app/variables.GCP.json +++ b/cnab/app/variables.GCP.json @@ -38,7 +38,7 @@ { "name": "db.db" } ], "exceptions": [ - { "serverName": "db.db" } + { "serverName": "db.db", "database": "Dev.Exceptions" } ], "security": { "adminGroups": "OpserverDev-Admin", diff --git a/src/Opserver.Web/Controllers/AdminController.cs b/src/Opserver.Web/Controllers/AdminController.cs index e587d815..8b570d0a 100644 --- a/src/Opserver.Web/Controllers/AdminController.cs +++ b/src/Opserver.Web/Controllers/AdminController.cs 
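Review bot: Dropping `pullPolicy = "Always"` from the `image` block in `run.ps1` is unrelated to this commit's stated purpose of cleaning up logging and deserves its own commit or at least a line in the message. If the chart's default pull policy is not `Always` (values.yaml is not visible here), a node that already has the tag cached will keep running the previous image after a redeploy, which is easy to mistake for the new code not working. The `switch ($action)` block containing this hunk starts and ends outside it.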
@@ -24,11 +24,5 @@ public ActionResult Dashboard() /// [Route("admin/errors/{resource?}/{subResource?}"), AlsoAllow(Roles.LocalRequest)] public Task InvokeErrorHandler() => ExceptionalMiddleware.HandleRequestAsync(HttpContext); - - [Route("admin/throw"), AlsoAllow(Roles.LocalRequest)] - public ActionResult Throw() - { - throw new System.Exception("This is a test exception"); - } } } diff --git a/src/Opserver.Web/Controllers/AuthController.OIDC.cs b/src/Opserver.Web/Controllers/AuthController.OIDC.cs index 8370a533..0e0b2b81 100644 --- a/src/Opserver.Web/Controllers/AuthController.OIDC.cs +++ b/src/Opserver.Web/Controllers/AuthController.OIDC.cs @@ -30,7 +30,7 @@ partial class AuthController private string GetRedirectUri() { var oidcSettings = (OIDCSecuritySettings) Current.Security.Settings; - var scheme = "https"; //(oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme); + var scheme = (oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme); var redirectUri = Url.Action( nameof(OAuthCallback), ControllerContext.ActionDescriptor.ControllerName, @@ -50,7 +50,6 @@ public async Task OAuthCallback(string code, string state, string if (!Current.Security.IsConfigured) { - Console.WriteLine("No Security is configured!"); return View("NoConfiguration"); } @@ -242,7 +241,6 @@ private IActionResult RedirectToProvider(string returnUrl) .Add("nonce", Guid.NewGuid().ToString("N")); authorizationUrl.Query = queryString.ToUriComponent(); - Console.WriteLine($"Redirecting to {authorizationUrl}"); return Redirect(authorizationUrl.ToString()); } diff --git a/src/Opserver.Web/Controllers/HomeController.cs b/src/Opserver.Web/Controllers/HomeController.cs index c71e7c09..c456aacd 100644 --- a/src/Opserver.Web/Controllers/HomeController.cs +++ b/src/Opserver.Web/Controllers/HomeController.cs 
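Review bot: Restoring `var scheme = (oidcSettings.UseHttpsForRedirects ? "https" : Request.Scheme);` in `GetRedirectUri` makes the OAuth `redirect_uri` depend on what Kestrel sees as the request scheme, which behind a TLS-terminating ingress is `http` unless forwarded-headers middleware is configured; the hard-coded `"https"` it replaces looks like a workaround for exactly that. Providers are expected to match the redirect URI exactly, so a mismatch fails the login outright rather than silently, but an `http` redirect that did match would carry the authorization code in clear text. Either set `UseHttpsForRedirects` in the deployed configuration (presumably `Security__UseHttpsForRedirects`, following the `Security__*` naming the chart uses) or enable `UseForwardedHeaders` so `Request.Scheme` is trustworthy, and say which in a comment on this line. `GetRedirectUri` continues outside the hunk.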
@@ -61,10 +61,7 @@ public ActionResult Home() // return RedirectToAction()... } - static bool AllowMeMaybe(StatusModule m) { - Console.WriteLine($"Module: {m.Name}, Enabled: {m.Enabled}, HasAccess: {Current.User.HasAccess(m)}"); - return m.Enabled && Current.User.HasAccess(m); - } + static bool AllowMeMaybe(StatusModule m) => m.Enabled && Current.User.HasAccess(m); if (AllowMeMaybe(Dashboard)) return RedirectToAction(nameof(DashboardController.Dashboard), "Dashboard"); diff --git a/src/Opserver.Web/Security/OIDCProvider.cs b/src/Opserver.Web/Security/OIDCProvider.cs index e81c2f13..a1caa243 100644 --- a/src/Opserver.Web/Security/OIDCProvider.cs +++ b/src/Opserver.Web/Security/OIDCProvider.cs @@ -41,17 +41,10 @@ protected override bool TryValidateToken(OIDCToken token, out ClaimsPrincipal cl protected override bool InGroupsCore(User user, string[] groupNames) { var groupClaims = user.Principal.FindAll(x => x.Type == GroupsClaimType); - var groupClaimValues = groupClaims.Select(x => x.Value).ToArray(); - var intersection = groupClaimValues.Intersect(groupNames, StringComparer.OrdinalIgnoreCase); - Console.WriteLine("Checking if user is in groups [{0}]. User is in these groups: [{1}]. Intersect: [{2}]", - string.Join(", ", groupNames), - string.Join(", ", groupClaimValues), - string.Join(", " , intersection)); - foreach (var groupClaim in groupClaimValues) + foreach (var groupClaim in groupClaims) { - if (groupNames.Any(x => string.Equals(groupClaim, x, StringComparison.OrdinalIgnoreCase))) + if (groupNames.Any(x => string.Equals(groupClaim.Value, x, StringComparison.OrdinalIgnoreCase))) { - Console.WriteLine("User is in group {0}", groupClaim); return true; } } diff --git a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml index 919b0a1c..c04b5eab 100644 --- a/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml +++ b/src/Opserver.Web/Views/Shared/NoConfiguration.cshtml @@ -24,15 +24,6 @@

You can browse to /about to see how you have been authenticated and what monitors have been enabled.

-

- Your access: -

    -
  • Account: @Current.User.AccountName
  • -
  • Is Anonymous: @Current.User.IsAnonymous
  • -
  • Is Global Admin: @Current.User.IsGlobalAdmin
  • -
  • Roles: @string.Join(", ", Current.User.Roles)
  • -
-

} From a7df2be4e8bcb9fd1a93599fe905da63df7a96ab Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Fri, 19 Jul 2024 13:11:09 -0500 Subject: [PATCH 26/27] Move default connection string outside range --- charts/opserver/Chart.yaml | 2 +- charts/opserver/templates/deployment.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/opserver/Chart.yaml b/charts/opserver/Chart.yaml index 44239ec4..b47a82ad 100644 --- a/charts/opserver/Chart.yaml +++ b/charts/opserver/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.12 +version: 1.0.13 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opserver/templates/deployment.yaml b/charts/opserver/templates/deployment.yaml index 187d4044..7c6e74d8 100644 --- a/charts/opserver/templates/deployment.yaml +++ b/charts/opserver/templates/deployment.yaml @@ -151,11 +151,9 @@ spec: {{- end }} {{- if hasKey .Values.opserverSettings "sql" }} - {{- range $i, $instance := .Values.opserverSettings.sql }} - {{- if eq $i 0 }} - name: Modules__Sql__defaultConnectionString value: "Server=$(SQL_EXCEPTIONAL_SERVERNAME);Database=master;User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);" - {{- end }} + {{- range $i, $instance := .Values.opserverSettings.sql }} - name: Modules__Sql__instances__{{ $i }}__name value: "{{ $instance.name }}" {{- end }} From 5738c4b85084641630025823aff4ac219f58b925 Mon Sep 17 00:00:00 2001 From: Stephen Vakil Date: Mon, 22 Jul 2024 08:43:34 -0500 Subject: [PATCH 27/27] Remove redundant values that mirror values.yaml --- cnab/app/run.ps1 | 15 --------------- 1 file changed, 15 deletions(-) 
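Review bot: `Modules__Sql__defaultConnectionString` now points the SQL monitoring module at `Database=master` on `$(SQL_EXCEPTIONAL_SERVERNAME)` using the same `$(SQL_USERNAME)`/`$(SQL_PASSWORD)` pair, which by its naming is the login that writes the Exceptional error store; if so, the monitoring connection runs with write rights it does not need, and a separate read-only login holding only `VIEW SERVER STATE` would be the least-privilege choice. The database name is also hard-coded; a values entry defaulting to `master` would let environments override it without editing the template. The `hasKey` conditional and the `env` list around this hunk start outside it.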
diff --git a/cnab/app/run.ps1 b/cnab/app/run.ps1 index 0b8a528b..fd99312c 100644 --- a/cnab/app/run.ps1 +++ b/cnab/app/run.ps1 @@ -163,26 +163,11 @@ switch ($action) { } sqlExternalSecret = @{ - name = "opserver-sqldb-external-secret" - refreshInterval = "5m" storeRefName = $vars.vars.secretStore - targetName = "sql-secret" - remoteRefs = @{ - exceptionalServerName = "ExceptionsSqlServerName" - exceptionalUsername = "db-opserver-User" - exceptionalPassword = "db-opserver-Password" - } } opserverExternalSecret = @{ - name = "opserver-external-secret" - refreshInterval = "5m" storeRefName = $vars.vars.secretStore - targetName = "opserver-secret" - remoteRefs = @{ - oktaClientId = "opserver-okta-client-id" - oktaClientSecret = "opserver-okta-client-secret" - } } opserverSettings = $vars.vars.opserverSettings