chore(07): integrate LDAP config into YAML and remove JSON files

This commit is contained in:
2026-04-23 12:58:15 +03:00
parent 7d492764d2
commit 88e5d66f36
11 changed files with 91 additions and 115 deletions

View File

@@ -9,15 +9,17 @@ from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer
from jose import JWTError, jwt
from pydantic import BaseModel
from .config_loader import get_config
# Configuration
SECRET_KEY = os.environ.get("JWT_SECRET_KEY")
if not SECRET_KEY:
config = get_config()
SECRET_KEY = config.get("auth", {}).get("jwt_secret_key")
if not SECRET_KEY or SECRET_KEY == "change_me_in_production":
# Generate fallback key for dev (NOT FOR PRODUCTION)
import secrets
SECRET_KEY = secrets.token_urlsafe(32)
import sys
print(f"[WARNING] JWT_SECRET_KEY not set. Generated ephemeral key: {SECRET_KEY[:20]}...", file=sys.stderr)
print(f"[WARNING] JWT_SECRET_KEY not set or default used. Generated ephemeral key: {SECRET_KEY[:20]}...", file=sys.stderr)
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 480 # 8 hours

View File

@@ -59,8 +59,20 @@ def _apply_env_overrides(config):
"CLAUDE_API_KEY": (("ai", "claude_api_key"), str),
"BACKEND_AUTH_JWT_SECRET_KEY": (("auth", "jwt_secret_key"), str),
"JWT_SECRET_KEY": (("auth", "jwt_secret_key"), str),
"BACKEND_AUTH_LDAP_ENABLED": (("auth", "ldap_enabled"), _to_bool),
"LDAP_ENABLED": (("auth", "ldap_enabled"), _to_bool),
"BACKEND_AUTH_LDAP_SERVER": (("auth", "ldap_server"), str),
"LDAP_SERVER": (("auth", "ldap_server"), str),
"BACKEND_AUTH_LDAP_BASE_DN": (("auth", "ldap_base_dn"), str),
"LDAP_BASE_DN": (("auth", "ldap_base_dn"), str),
"BACKEND_AUTH_LDAP_USER_TEMPLATE": (("auth", "ldap_user_template"), str),
"LDAP_USER_TEMPLATE": (("auth", "ldap_user_template"), str),
"BACKEND_AUTH_LDAP_GROUPS_DN": (("auth", "ldap_groups_dn"), str),
"LDAP_GROUPS_DN": (("auth", "ldap_groups_dn"), str),
"BACKEND_AUTH_LDAP_USE_TLS": (("auth", "ldap_use_tls"), _to_bool),
"LDAP_USE_TLS": (("auth", "ldap_use_tls"), _to_bool),
"BACKEND_AUTH_LDAP_IGNORE_CERT": (("auth", "ldap_ignore_cert"), _to_bool),
"LDAP_IGNORE_CERT": (("auth", "ldap_ignore_cert"), _to_bool),
"BACKEND_AUTH_PASSWORD_CACHE_PATH": (("auth", "password_cache_path"), str),
"BACKEND_LOGGING_LOG_LEVEL": (("logging", "log_level"), str),
"LOG_LEVEL": (("logging", "log_level"), str),
@@ -130,8 +142,17 @@ def load_config() -> dict:
},
"auth": {
"jwt_secret_key": "change_me_in_production",
"ldap_enabled": False,
"ldap_server": "",
"ldap_base_dn": "",
"ldap_user_template": "uid={username},ou=people,dc=ldap,dc=lan",
"ldap_groups_dn": "ou=groups",
"ldap_use_tls": True,
"ldap_ignore_cert": False,
"ldap_role_mappings": [
{"group": "inventory_admins", "role": "admin"},
{"group": "inventory_users", "role": "user"}
],
"password_cache_path": "data/.passwords"
},
"logging": {

View File

@@ -14,6 +14,7 @@ import os
import socket
import subprocess
from .. import models, schemas, database, auth
from ..config_loader import get_config
from ..logger import log
router = APIRouter(prefix="/users", tags=["auth"])
@@ -22,20 +23,18 @@ pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
def get_ldap_config():
# Priority 1: Check in DATA_DIR (for Docker production)
config_path = os.path.join(database.DATA_DIR, "config", "ldap_config.json")
if os.path.exists(config_path):
with open(config_path, "r") as f:
return json.load(f)
# Priority 2: Fallback to source-relative config (for local dev)
root_dir = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
source_config_path = os.path.join(root_dir, "config", "ldap_config.json")
if os.path.exists(source_config_path):
with open(source_config_path, "r") as f:
return json.load(f)
return {"ldap_enabled": False}
config = get_config()
auth_config = config.get("auth", {})
return {
"ldap_enabled": auth_config.get("ldap_enabled", False),
"server_uri": auth_config.get("ldap_server"),
"base_dn": auth_config.get("ldap_base_dn"),
"user_template": auth_config.get("ldap_user_template"),
"groups_dn": auth_config.get("ldap_groups_dn"),
"use_tls": auth_config.get("ldap_use_tls", True),
"ignore_cert": auth_config.get("ldap_ignore_cert", False),
"role_mappings": auth_config.get("ldap_role_mappings", [])
}
def authenticate_ldap(username, password):