openqa/server: allow OAuth2 authentication, enable on lab

OpenID support in FAS is going away. openQA has OAuth2 support. I've tested this config to work with manual edits on lab, now ansiblizing it (for lab only to start with). Signed-off-by: Adam Williamson <awilliam@redhat.com>
2025-03-28 13:38:20 -07:00 · 2025-03-28 13:38:20 -07:00 · 5da2faac67
commit 5da2faac67
parent 721ffe0df4
5 changed files with 36 additions and 3 deletions
--- a/inventory/group_vars/openqa
+++ b/inventory/group_vars/openqa
@ -9,6 +9,11 @@ openqa_amqp_this_keyfile: "{{ openqa_amqp_prod_keyfile }}"
 openqa_amqp_this_url: "{{ openqa_amqp_prod_url }}"
 openqa_amqp_this_username: "{{ openqa_amqp_prod_username }}"
 openqa_amqp_scheduler_queue: "{{ openqa_amqp_prod_username }}_scheduler"
+
+# auth stuff
+openqa_auth_method: OpenID
+openqa_oauth2_secret: "{{ openqa_prod_oidc_secret }}"
+
 openqa_compose_arches: x86_64,aarch64
 openqa_dbname: openqa
 openqa_dbpassword: "{{ prod_openqa_dbpassword }}"
--- a/inventory/group_vars/openqa_lab
+++ b/inventory/group_vars/openqa_lab
@ -24,6 +24,10 @@ openqa_amqp_this_url: "{{ openqa_amqp_stg_url }}"
 openqa_amqp_this_username: "{{ openqa_amqp_stg_username }}"
 openqa_amqp_scheduler_queue: "{{ openqa_amqp_prod_username }}_scheduler_stg"

+# auth stuff
+openqa_auth_method: OAuth2
+openqa_oauth2_secret: "{{ openqa_stg_oidc_secret }}"
+
 openqa_assetsize_updates_aarch64: 50
 openqa_assetsize_ppc: 300
 openqa_assetsize_updates_ppc: 100
--- a/roles/openqa/server/defaults/main.yml
+++ b/roles/openqa/server/defaults/main.yml
@ -3,3 +3,4 @@ openqa_amqp_publisher_prefix:
 openqa_amqp_publisher_url: amqp://test:@localhost/%2Fpubsub
 openqa_amqp_publisher_exchange: amq.topic
 openqa_repo: updates
+openqa_auth_method: Fake
--- a/roles/openqa/server/tasks/main.yml
+++ b/roles/openqa/server/tasks/main.yml
@ -77,6 +77,12 @@
 ##               the share (they need write access to be able to decompress
 ##               compressed disk images on the fly). If not defined, the
 ##               factory dir will not be shared via NFS at all.
+# - openqa_auth_method
+##      string - authentication method to use (Fake, OpenID, OAuth2)
+##      default - Fake
+# - openqa_oauth2_secret
+##      string - the secret to use for OAuth2 authentcation. Required if
+##               openqa_auth_method is OAuth2

 # If openqa_dbhost is set, the other openqa_db* variables must be too,
 # and the server will be configured to use a pgsql database accordingly.
@ -225,7 +231,7 @@
  - config

 - name: OpenQA config
-  ansible.builtin.template: src=openqa.ini.j2 dest=/etc/openqa/openqa.ini owner=geekotest group=root mode=0644
+  ansible.builtin.template: src=openqa.ini.j2 dest=/etc/openqa/openqa.ini owner=geekotest group=root mode=0640
  tags:
  - config

--- a/roles/openqa/server/templates/openqa.ini.j2
+++ b/roles/openqa/server/templates/openqa.ini.j2
@ -33,14 +33,31 @@ needle = 7
 other = 7

 [auth]
-method=OpenID
+method = {{ openqa_auth_method }}

 [logging]
-level=info
+level = info

 [misc_limits]
 asset_cleanup_max_free_percentage = 20

+{% if openqa_auth_method == 'OpenID' %}
 [openid]
 provider = https://id.fedoraproject.org/
 httpsonly = 1
+{% endif %}
+
+{% if openqa_auth_method == 'OAuth2' %}
+[oauth2]
+provider = custom
+authorize_url = https://id{{openqa_env_suffix}}.fedoraproject.org/openidc/Authorization?response_type=code
+token_url = https://id{{openqa_env_suffix}}.fedoraproject.org/openidc/Token
+user_url = https://id{{openqa_env_suffix}}.fedoraproject.org/openidc/UserInfo
+token_scope = openid profile email
+token_label = Bearer
+id_from = preferred_username
+nickname_from = nickname
+unique_name = FAS
+key = openqa
+secret = {{ openqa_oauth2_secret }}
+{% endif %}