authnzerver.confvars module

Contains the configuration variables that define how the server operates.

The CONF dict in this file describes how to load these variables from the environment or command-line options.

You can change this file as needed. It will be copied over to the authnzerver’s base directory when authnzrv --autosetup is run, and you can tell authnzerver to use it like so: authnzrv --confvars /path/to/basedir/confvars.py.

You MUST NOT store any actual secrets in this file; just define how to get to them.

For example, look at the secret dict entry below in CONF:

'secret': {
    'env': '%s_SECRET' % ENVPREFIX,
    'cmdline': 'secret',
    'type': str,
    'default': None,
    'help': ('The shared secret key used to secure '
            'communications between authnzerver and any frontend servers.'),
    'readable_from_file': 'string',
    'postprocess_value': None,
}

This means the server will look at an environment variable called AUTHNZERVER_SECRET, falling back to the value provided in the --secret command line option. The readable_from_file key tells the server how to handle the value it retrieved from either of these two sources.

To indicate that the retrieved value is to be used directly, set "readable_from_file" = False.

To indicate that the retrieved value can be either (i) used directly or (ii) a path to a file whose contents are the actual string value of the secret item, set "readable_from_file" = "string".

To indicate that the retrieved value is a URL and the authnzerver must fetch the actual secret from this URL, set:

"readable_from_file" = ("http",
                        {'method': 'get',
                         'headers': {header dict},
                         'data': {param dict},
                         'timeout': 5.0},
                        'string')

Finally, you can also tell the server to fetch a JSON document and pick out a key in it, by using 'json' instead of 'string' as the third tuple element and adding the dotted key path as a fourth element. See the docstring of authnzerver.confload.get_conf_item for more details on the various ways to retrieve the actual item pointed to by the config variable key.

To make this example more concrete, if the authnzerver secret was stored as a GCP Secrets Manager item, you’d set some environment variables like so:

GCP_SECMAN_URL=https://secretmanager.googleapis.com/v1/projects/abcproj/secrets/abc/versions/z:access
GCP_AUTH_TOKEN=some-secret-token

Then change the secret item in the CONF dict below to:

'secret': {
    'env': 'GCP_SECMAN_URL',
    'cmdline': 'secret',
    'type': str,
    'default': None,
    'help': ('The shared secret key used to secure '
            'communications between authnzerver and any frontend servers.'),
    'readable_from_file': see below,
    'postprocess_value': 'custom_decode.py::custom_b64decode',
}

The readable_from_file key would be set to something like:

"readable_from_file" = ("http",
                        {"method": "get",
                         "headers": {
                             "Authorization": "Bearer [[GCP_AUTH_TOKEN]]",
                             "Content-Type": "application/json",
                             "x-goog-user-project": "abcproj"
                         },
                         "data": None,
                         "timeout": 5.0},
                        'json',
                        "payload.data")

This would then load the authnzerver secret directly from the Secrets Manager.

Notice that we used a path to a Python module and function for the postprocess_value key. This is because GCP’s Secrets Manager returns the data you stored base-64 encoded in the payload.data field, so we need to post-process the value we get back from the stored item’s URL. This module looks like:

import base64

def custom_b64decode(input):
    # Secrets Manager hands back payload.data base-64 encoded; undo that and return text.
    return base64.b64decode(input.encode('utf-8')).decode('utf-8')

The function above will base-64 decode the value returned from the Secrets Manager and finally give us the secret value we need.
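The following is an added, stand-alone illustration of the resolution rules described above (environment variable, then the command-line option, then the readable_from_file forms False / "string" / ("http", ..., 'string') / ("http", ..., 'json', key path), then postprocess_value given as "file.py::function"). It is not authnzerver’s own confload code: the names resolve_conf_item, fill_placeholders, dig and load_postprocessor, the injected fetch callable, and the use of os.path.isfile to decide whether a "string" value is a file path are assumptions made for this example. The HTTP call is replaced by a constructed fake that answers in the shape of the Secrets Manager :access response, so it runs offline, and the [[NAME]] placeholder syntax is taken from the "Bearer [[GCP_AUTH_TOKEN]]" header above.

```python
import base64
import importlib.util
import json
import os
import re
import tempfile
from typing import Any, Callable, Mapping

# [[NAME]] inside the HTTP request dict is filled from the environment (assumed syntax).
_PLACEHOLDER = re.compile(r"\[\[([A-Za-z_][A-Za-z0-9_]*)\]\]")

def fill_placeholders(value: Any, environ: Mapping[str, str]) -> Any:
    """Recursively substitute [[NAME]] with environ[NAME] in strings and dicts."""
    if isinstance(value, str):
        return _PLACEHOLDER.sub(lambda m: environ[m.group(1)], value)
    if isinstance(value, dict):
        return {k: fill_placeholders(v, environ) for k, v in value.items()}
    return value

def dig(doc: Any, dotted_path: str) -> Any:
    """Walk a dotted key path such as 'payload.data' through a parsed JSON document."""
    for part in dotted_path.split("."):
        doc = doc[part]
    return doc

def load_postprocessor(spec: str) -> Callable[[str], str]:
    """Import 'path/to/module.py::function_name' from disk and return the function."""
    path, func_name = spec.split("::", 1)
    module_spec = importlib.util.spec_from_file_location("confvars_postprocess", path)
    module = importlib.util.module_from_spec(module_spec)
    module_spec.loader.exec_module(module)
    return getattr(module, func_name)

def resolve_conf_item(entry: dict, environ: Mapping[str, str],
                      cmdline: Mapping[str, str], fetch: Callable) -> Any:
    """Resolve one CONF entry; fetch(method, url, headers, data, timeout) -> (status, body)."""
    raw = environ.get(entry["env"])            # 1. environment variable
    if raw is None:
        raw = cmdline.get(entry["cmdline"])    # 2. --<cmdline> option
    if raw is None:
        raw = entry["default"]                 # 3. default
    if raw is None:
        raise ValueError(f"no value for {entry['env']} or --{entry['cmdline']}")
    rff = entry["readable_from_file"]
    if rff is False:
        value = raw
    elif rff == "string":
        # The value itself, or the path of a file whose contents are the value (assumed check).
        value = open(raw).read().strip() if os.path.isfile(raw) else raw
    elif isinstance(rff, tuple) and rff[0] == "http":
        request = fill_placeholders(rff[1], environ)
        status, body = fetch(request["method"], raw, request.get("headers"),
                             request.get("data"), request.get("timeout", 5.0))
        if status != 200:  # never let an error body become the secret
            raise RuntimeError(f"fetching {entry['env']} failed with HTTP {status}")
        # Third element says how to read the body; 'json' takes a key path as the fourth.
        value = body.strip() if rff[2] == "string" else dig(json.loads(body), rff[3])
    else:
        raise ValueError(f"unsupported readable_from_file: {rff!r}")
    if entry.get("postprocess_value"):
        value = load_postprocessor(entry["postprocess_value"])(value)
    return entry["type"](value)

def demo_gcp_secret() -> dict:
    """Constructed end-to-end run of the GCP Secrets Manager example, fully offline."""
    with tempfile.TemporaryDirectory() as tmpdir:
        decode_path = os.path.join(tmpdir, "custom_decode.py")
        with open(decode_path, "w") as fh:  # the custom_decode.py module from the text
            fh.write("import base64\n\ndef custom_b64decode(input):\n"
                     "    return base64.b64decode(input.encode('utf-8')).decode('utf-8')\n")
        environ = {  # constructed; mirrors the two environment variables above
            "GCP_SECMAN_URL": "https://secretmanager.googleapis.com/v1/projects/abcproj"
                              "/secrets/abc/versions/z:access",
            "GCP_AUTH_TOKEN": "some-secret-token",
        }
        entry = {
            "env": "GCP_SECMAN_URL", "cmdline": "secret", "type": str, "default": None,
            "readable_from_file": ("http", {"method": "get", "data": None, "timeout": 5.0,
                                            "headers": {"Authorization": "Bearer [[GCP_AUTH_TOKEN]]",
                                                        "Content-Type": "application/json",
                                                        "x-goog-user-project": "abcproj"}},
                                   "json", "payload.data"),
            "postprocess_value": f"{decode_path}::custom_b64decode",
        }
        seen = {}
        def fake_fetch(method, url, headers, data, timeout):
            # Stand-in for the :access endpoint: records the request, rejects a missing
            # token, otherwise answers with a constructed base-64 payload.data.
            seen.update(method=method, url=url, headers=headers)
            if headers.get("Authorization") != "Bearer some-secret-token":
                return 401, json.dumps({"error": {"status": "UNAUTHENTICATED"}})
            data_b64 = base64.b64encode(b"correct-horse-battery-staple").decode("ascii")
            return 200, json.dumps({"payload": {"data": data_b64}})
        secret = resolve_conf_item(entry, environ, cmdline={}, fetch=fake_fetch)
    return {"secret": secret, "request": seen}

if __name__ == "__main__":
    out = demo_gcp_secret()
    print(out["request"]["headers"]["Authorization"], "->", out["secret"])
```

Two points worth keeping when writing a resolver like this: the token never appears in the CONF entry itself, only as a [[GCP_AUTH_TOKEN]] placeholder that is filled from the environment at request time, which is what keeps the "no secrets in this file" rule intact; and anything other than an HTTP 200 is treated as a failure rather than parsed, so an error body from the secret store cannot silently end up as the shared secret.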