authorAdam King <47704447+adk3798@users.noreply.github.com>2024-09-12 14:50:21 +0200
committerGitHub <noreply@github.com>2024-09-12 14:50:21 +0200
commit32d90b71fdbdf1b91cbf34819918b0b390fbbf81 (patch)
treeca00dffb022b9c86e1448f7008afa8de3c54e05d /src
parentMerge pull request #59456 from xxhdx1985126/wip-67731 (diff)
parentmgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains (diff)
Merge pull request #59634 from rkachach/fix_issue_67934
mgr/cephadm: adding spec fields for oauth2-proxy whitelist_domains Reviewed-by: Adam King <adking@redhat.com>
Diffstat (limited to '')
-rw-r--r--src/pybind/mgr/cephadm/services/oauth2_proxy.py4
-rw-r--r--src/python-common/ceph/deployment/service_spec.py4
2 files changed, 7 insertions, 1 deletions
diff --git a/src/pybind/mgr/cephadm/services/oauth2_proxy.py b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
index a84f44817ee..c19005c95f3 100644
--- a/src/pybind/mgr/cephadm/services/oauth2_proxy.py
+++ b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -67,10 +67,12 @@ class OAuth2ProxyService(CephadmService):
def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
assert self.TYPE == daemon_spec.daemon_type
svc_spec = cast(OAuth2ProxySpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+ whitelist_domains = svc_spec.whitelist_domains or []
+ whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')
context = {
'spec': svc_spec,
'cookie_secret': svc_spec.cookie_secret or self.generate_random_secret(),
- 'whitelist_domains': self.get_service_ips_and_hosts('mgmt-gateway'),
+ 'whitelist_domains': whitelist_domains,
'redirect_url': svc_spec.redirect_url or self.get_redirect_url()
}
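Review bot: `whitelist_domains += self.get_service_ips_and_hosts('mgmt-gateway')` extends the list held by the stored spec whenever `svc_spec.whitelist_domains` is non-empty, because `x or []` hands back the same list object rather than a copy. Each call to generate_config would then append the mgmt-gateway addresses again to the spec reachable through `self.mgr.spec_store`, so the redirect allowlist accumulates duplicates. If that spec is saved afterwards, addresses of a gateway that has since moved may stay allowed. Building a fresh list avoids the aliasing: `whitelist_domains = list(svc_spec.whitelist_domains or []) + self.get_service_ips_and_hosts('mgmt-gateway')`. The body of generate_config continues outside the hunk.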
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 75b1ac75573..2238cd01c37 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1926,6 +1926,7 @@ class OAuth2ProxySpec(ServiceSpec):
cookie_secret: Optional[str] = None,
ssl_certificate: Optional[str] = None,
ssl_certificate_key: Optional[str] = None,
+ whitelist_domains: Optional[List[str]] = None,
unmanaged: bool = False,
extra_container_args: Optional[GeneralArgList] = None,
extra_entrypoint_args: Optional[GeneralArgList] = None,
@@ -1961,6 +1962,9 @@ class OAuth2ProxySpec(ServiceSpec):
self.ssl_certificate = ssl_certificate
#: The multi-line SSL certificate private key for decrypting communications.
self.ssl_certificate_key = ssl_certificate_key
+ #: List of allowed domains for safe redirection after login or logout,
+ # preventing unauthorized redirects.
+ self.whitelist_domains = whitelist_domains
self.unmanaged = unmanaged
def get_port_start(self) -> List[int]:
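Review bot: `self.whitelist_domains = whitelist_domains` stores the value as given, and nothing in this hunk checks that it is a list of non-empty strings. A scalar such as `whitelist_domains: example.com` in a spec would only fail later, when generate_config in oauth2_proxy.py applies `+=` with a list. These entries decide where oauth2-proxy may redirect after login or logout, so rejecting a non-list or empty entries in the spec's validation (outside this hunk, if the class has one) would surface mistakes at apply time. The second line of the doc comment starts with `#` rather than `#:`, which Sphinx is likely not to treat as part of the attribute doc; `#: preventing unauthorized redirects.` keeps the comment block intact. The comment could also state that oauth2-proxy treats an entry with a leading `.` as matching every subdomain, so operators keep entries as narrow as they can.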