chore(07): integrate LDAP config into YAML and remove JSON files
This commit is contained in:
@@ -9,15 +9,17 @@ from fastapi import Depends, HTTPException, status
|
||||
from fastapi.security import HTTPBearer
|
||||
from jose import JWTError, jwt
|
||||
from pydantic import BaseModel
|
||||
from .config_loader import get_config
|
||||
|
||||
# Configuration
|
||||
SECRET_KEY = os.environ.get("JWT_SECRET_KEY")
|
||||
if not SECRET_KEY:
|
||||
config = get_config()
|
||||
SECRET_KEY = config.get("auth", {}).get("jwt_secret_key")
|
||||
if not SECRET_KEY or SECRET_KEY == "change_me_in_production":
|
||||
# Generate fallback key for dev (NOT FOR PRODUCTION)
|
||||
import secrets
|
||||
SECRET_KEY = secrets.token_urlsafe(32)
|
||||
import sys
|
||||
print(f"[WARNING] JWT_SECRET_KEY not set. Generated ephemeral key: {SECRET_KEY[:20]}...", file=sys.stderr)
|
||||
print(f"[WARNING] JWT_SECRET_KEY not set or default used. Generated ephemeral key: {SECRET_KEY[:20]}...", file=sys.stderr)
|
||||
|
||||
ALGORITHM = "HS256"
|
||||
ACCESS_TOKEN_EXPIRE_MINUTES = 480 # 8 hours
|
||||
|
||||
@@ -59,8 +59,20 @@ def _apply_env_overrides(config):
|
||||
"CLAUDE_API_KEY": (("ai", "claude_api_key"), str),
|
||||
"BACKEND_AUTH_JWT_SECRET_KEY": (("auth", "jwt_secret_key"), str),
|
||||
"JWT_SECRET_KEY": (("auth", "jwt_secret_key"), str),
|
||||
"BACKEND_AUTH_LDAP_ENABLED": (("auth", "ldap_enabled"), _to_bool),
|
||||
"LDAP_ENABLED": (("auth", "ldap_enabled"), _to_bool),
|
||||
"BACKEND_AUTH_LDAP_SERVER": (("auth", "ldap_server"), str),
|
||||
"LDAP_SERVER": (("auth", "ldap_server"), str),
|
||||
"BACKEND_AUTH_LDAP_BASE_DN": (("auth", "ldap_base_dn"), str),
|
||||
"LDAP_BASE_DN": (("auth", "ldap_base_dn"), str),
|
||||
"BACKEND_AUTH_LDAP_USER_TEMPLATE": (("auth", "ldap_user_template"), str),
|
||||
"LDAP_USER_TEMPLATE": (("auth", "ldap_user_template"), str),
|
||||
"BACKEND_AUTH_LDAP_GROUPS_DN": (("auth", "ldap_groups_dn"), str),
|
||||
"LDAP_GROUPS_DN": (("auth", "ldap_groups_dn"), str),
|
||||
"BACKEND_AUTH_LDAP_USE_TLS": (("auth", "ldap_use_tls"), _to_bool),
|
||||
"LDAP_USE_TLS": (("auth", "ldap_use_tls"), _to_bool),
|
||||
"BACKEND_AUTH_LDAP_IGNORE_CERT": (("auth", "ldap_ignore_cert"), _to_bool),
|
||||
"LDAP_IGNORE_CERT": (("auth", "ldap_ignore_cert"), _to_bool),
|
||||
"BACKEND_AUTH_PASSWORD_CACHE_PATH": (("auth", "password_cache_path"), str),
|
||||
"BACKEND_LOGGING_LOG_LEVEL": (("logging", "log_level"), str),
|
||||
"LOG_LEVEL": (("logging", "log_level"), str),
|
||||
@@ -130,8 +142,17 @@ def load_config() -> dict:
|
||||
},
|
||||
"auth": {
|
||||
"jwt_secret_key": "change_me_in_production",
|
||||
"ldap_enabled": False,
|
||||
"ldap_server": "",
|
||||
"ldap_base_dn": "",
|
||||
"ldap_user_template": "uid={username},ou=people,dc=ldap,dc=lan",
|
||||
"ldap_groups_dn": "ou=groups",
|
||||
"ldap_use_tls": True,
|
||||
"ldap_ignore_cert": False,
|
||||
"ldap_role_mappings": [
|
||||
{"group": "inventory_admins", "role": "admin"},
|
||||
{"group": "inventory_users", "role": "user"}
|
||||
],
|
||||
"password_cache_path": "data/.passwords"
|
||||
},
|
||||
"logging": {
|
||||
|
||||
@@ -14,6 +14,7 @@ import os
|
||||
import socket
|
||||
import subprocess
|
||||
from .. import models, schemas, database, auth
|
||||
from ..config_loader import get_config
|
||||
from ..logger import log
|
||||
|
||||
router = APIRouter(prefix="/users", tags=["auth"])
|
||||
@@ -22,20 +23,18 @@ pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
|
||||
|
||||
|
||||
def get_ldap_config():
|
||||
# Priority 1: Check in DATA_DIR (for Docker production)
|
||||
config_path = os.path.join(database.DATA_DIR, "config", "ldap_config.json")
|
||||
if os.path.exists(config_path):
|
||||
with open(config_path, "r") as f:
|
||||
return json.load(f)
|
||||
|
||||
# Priority 2: Fallback to source-relative config (for local dev)
|
||||
root_dir = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
|
||||
source_config_path = os.path.join(root_dir, "config", "ldap_config.json")
|
||||
if os.path.exists(source_config_path):
|
||||
with open(source_config_path, "r") as f:
|
||||
return json.load(f)
|
||||
|
||||
return {"ldap_enabled": False}
|
||||
config = get_config()
|
||||
auth_config = config.get("auth", {})
|
||||
return {
|
||||
"ldap_enabled": auth_config.get("ldap_enabled", False),
|
||||
"server_uri": auth_config.get("ldap_server"),
|
||||
"base_dn": auth_config.get("ldap_base_dn"),
|
||||
"user_template": auth_config.get("ldap_user_template"),
|
||||
"groups_dn": auth_config.get("ldap_groups_dn"),
|
||||
"use_tls": auth_config.get("ldap_use_tls", True),
|
||||
"ignore_cert": auth_config.get("ldap_ignore_cert", False),
|
||||
"role_mappings": auth_config.get("ldap_role_mappings", [])
|
||||
}
|
||||
|
||||
|
||||
def authenticate_ldap(username, password):
|
||||
|
||||
Reference in New Issue
Block a user