Add Biscuit data to identd

Signed-off-by: Till Wegmueller <[email protected]>
OpenFlowLabs · Oct 30, 2023 · 73dc420 · 73dc420
1 parent cd8c4ff
commit 73dc420
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 22 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/identd/Cargo.toml b/crates/identd/Cargo.toml
@@ -43,6 +43,7 @@ sha2 = "0.10.7"
 base64 = "0.21.2"
 deadpool-lapin = { version = "0.10.0", features = ["serde"] }
 futures.workspace = true
+biscuit-auth.workspace = true
 
 [dev-dependencies]
 testdir = {version="0.7.3"}
diff --git a/crates/identd/src/lib.rs b/crates/identd/src/lib.rs
@@ -249,12 +249,14 @@ pub struct ConfigRealm {
     pub name: String,
     pub domain: Option<String>,
     pub clients: Vec<Client>,
+    pub scopes: Vec<String>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Client {
     id: String,
     secret: Option<String>,
+    biscuit_private_key: String,
     redirect_uri: String,
 }
 
@@ -263,6 +265,7 @@ impl Client {
         Self {
             id: id.into(),
             secret: secret.map(|s| s.into()),
+            biscuit_private_key: String::new(),
             redirect_uri: redirect_uri.into(),
         }
     }
@@ -314,6 +317,7 @@ impl ServerState {
                     &cfg_realm.name,
                     &domain_or_default,
                     helper_get_scheme_from_config(config.use_ssl),
+                    cfg_realm.scopes.as_slice(),
                     cfg_realm.clients.clone(),
                     &config.realm_keys_base_path,
                 )
@@ -335,6 +339,7 @@ impl ServerState {
         name: &str,
         domain: &str,
         scheme: &str,
+        scopes: &[String],
         clients: Vec<Client>,
         realm_keys_base_path: P,
     ) -> Result<()> {
@@ -352,6 +357,11 @@ impl ServerState {
 
         let base_url = format!("{}://{}", scheme, domain);
 
+        let scopes = scopes
+            .iter()
+            .map(|s| openidconnect::Scope::new(s.clone()))
+            .collect::<Vec<openidconnect::Scope>>();
+
         let metadata = CoreProviderMetadata::new(
             // Parameters required by the OpenID Connect Discovery spec.
             IssuerUrl::new(base_url.clone())?,
@@ -385,11 +395,7 @@ impl ServerState {
         // Recommended: support the UserInfo endpoint.
         .set_userinfo_endpoint(Some(UserInfoUrl::new(format!("{}/userinfo", &base_url))?))
         // Recommended: specify the supported scopes.
-        .set_scopes_supported(Some(vec![
-            openidconnect::Scope::new("openid".to_string()),
-            openidconnect::Scope::new("email".to_string()),
-            openidconnect::Scope::new("profile".to_string()),
-        ]))
+        .set_scopes_supported(Some(scopes))
         // Recommended: specify the supported ID token claims.
         .set_claims_supported(Some(vec![
             // Providers may also define an enum instead of using CoreClaimName.

diff --git a/crates/identd/src/realm/realm.rs b/crates/identd/src/realm/realm.rs
@@ -9,6 +9,8 @@ pub struct Model {
     pub name: String,
     pub domain: Option<String>,
     pub provider_metadata: String,
+    pub biscuit_private_key: String,
+    pub biscuit_public_key: String,
     pub jwks: String,
     pub issuer_url: String,
 }

diff --git a/crates/identd/src/realm_migration.rs b/crates/identd/src/realm_migration.rs
@@ -1,3 +1,4 @@
+use sea_orm::sea_query::ColumnDef;
 use sea_orm_migration::prelude::*;
 
 pub struct RealmMigrator;
@@ -26,6 +27,8 @@ impl MigrationTrait for DBInitializer {
                             .primary_key(),
                     )
                     .col(ColumnDef::new(Realm::Domain).string().null())
+                    .col(ColumnDef::new(Realm::BiscuitPrivateKey).string().not_null())
+                    .col(ColumnDef::new(Realm::BiscuitPublicKey).string().not_null())
                     .col(ColumnDef::new(Realm::ProviderMetadata).json().not_null())
                     .col(ColumnDef::new(Realm::Jwks).json().not_null())
                     .col(ColumnDef::new(Realm::IssuerUrl).string().not_null())
@@ -115,6 +118,8 @@ enum Realm {
     Table,
     Name,
     Domain,
+    BiscuitPrivateKey,
+    BiscuitPublicKey,
     IssuerUrl,
     ProviderMetadata,
     Jwks,

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,26 +13,17 @@ services:
       - 8090:15672
       - 5672:5672
 
-  minio:
-    image: quay.io/minio/minio
-    volumes:
-      - minio:/data
-    ports:
-      - 9002:9000
-      - 9003:9001
-    command: ["server", "/data", "--console-address", ":9001"]
-
-  couchdb:
-    image: "couchdb"
-    volumes:
-      - couchdb:/opt/couchdb/data
+  couchserver:
+    image: couchdb
+    restart: always
     ports:
-      - 5984:5984
+      - "5984:5984"
     environment:
-      COUCHDB_USER: dev
-      COUCHDB_PASSWORD: dev
+      - COUCHDB_USER=dev
+      - COUCHDB_PASSWORD=dev
+    volumes:
+        - couchdb:/opt/couchdb/data
 
 volumes:
   rabbitmq:
-  minio:
   couchdb: