authnzerver.confvars module
Contains the configuration variables that define how the server operates.
The CONF dict in this file describes how to load these variables from the environment or command-line options.
You can change this file as needed. It will be copied over to the authnzerver's base directory when authnzrv --autosetup is run, and you can tell authnzerver to use it like so: authnzrv --confvars /path/to/basedir/confvars.py.
You MUST NOT store any actual secrets in this file; just define how to get to them.
For example, look at the secret dict entry below in CONF:

    'secret':{
        'env':'%s_SECRET' % ENVPREFIX,
        'cmdline':'secret',
        'type':str,
        'default':None,
        'help':('The shared secret key used to secure '
                'communications between authnzerver and any frontend servers.'),
        'readable_from_file':'string',
        'postprocess_value':None,
    }
This means the server will look at an environment variable called AUTHNZERVER_SECRET, falling back to the value provided in the --secret command line option (and to the 'default' entry if neither is set). The readable_from_file key tells the server how to handle the value it retrieved from either of these two sources.

To indicate that the retrieved value is to be used directly, set "readable_from_file" = False.
To indicate that the retrieved value can either be (i) used directly or (ii) a path to a file, in which case the actual value of the secret item is a string to be read from that file, set "readable_from_file" = "string".
To indicate that the retrieved value is a URL and the authnzerver must fetch the actual secret from this URL, set:

    "readable_from_file" = ("http",
                            {'method':'get',
                             'headers':{header dict},
                             'data':{param dict},
                             'timeout':5.0},
                            'string')
Finally, you can also tell the server to fetch a JSON document and pick out a key in it. See the docstring for authnzerver.confload.get_conf_item() for more details on the various ways to retrieve the actual item pointed to by the config variable key.
To make this example more concrete, if the authnzerver secret was stored as a GCP Secrets Manager item, you'd set some environment variables like so:

    GCP_SECMAN_URL=https://secretmanager.googleapis.com/v1/projects/abcproj/secrets/abc/versions/z:access
    GCP_AUTH_TOKEN=some-secret-token

Note that GCP_AUTH_TOKEN is itself a secret (the bearer token that authorizes access to the Secrets Manager API); it lives only in the process environment, and confvars.py refers to it by name, never by value.
Then change the secret dict item in the CONF dict below to:

    'secret':{
        'env':'GCP_SECMAN_URL',
        'cmdline':'secret',
        'type':str,
        'default':None,
        'help':('The shared secret key used to secure '
                'communications between authnzerver and any frontend servers.'),
        'readable_from_file':see below,
        'postprocess_value':'custom_decode.py::custom_b64decode',
    }
The readable_from_file key would be set to something like:

    "readable_from_file" = ("http",
                            {"method":"get",
                             "headers":{"Authorization":"Bearer [[GCP_AUTH_TOKEN]]",
                                        "Content-Type":"application/json",
                                        "x-goog-user-project": "abcproj"},
                             "data":None,
                             "timeout":5.0},
                            'json',
                            "payload.data")
This would then load the authnzerver secret directly from the Secrets Manager: the server fetches the JSON response from the URL, picks out the payload.data key, and hands that value to the post-processing step.

Notice that we used a path to a Python module and function for the postprocess_value key. This is because GCP's Secrets Manager returns the data you put into it base-64 encoded in payload.data, so we need to post-process the value we get back from the stored item's URL. This module looks like:
    import base64

    def custom_b64decode(input):
        return base64.b64decode(input.encode('utf-8')).decode('utf-8')

The function above will base-64 decode the value returned from the Secrets Manager and finally give us the secret value we need.
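As an added example (this is not authnzerver's own confload.get_conf_item(), which is what the server actually runs), the following Python re-implements the resolution rules described above for the False, "string" and ("http", ...) forms of readable_from_file and for postprocess_value, then runs the GCP walk-through end to end against a constructed stand-in for the Secrets Manager ":access" endpoint so that it works offline. Assumptions made here: [[NAME]] placeholders in the header dict are substituted from the environment, a 'module.py::function' postprocess path is taken relative to the current directory, and every secret value, token and response body is made up.

```python
"""Added example, not authnzerver's confload.get_conf_item(): a small resolver
for the CONF-item rules above, with HTTP injected so it runs offline."""
import base64
import importlib.util
import json
import os
import re
import tempfile

# Assumption: "[[NAME]]" in header/data strings means "substitute env var NAME".
PLACEHOLDER = re.compile(r"\[\[([A-Za-z_][A-Za-z0-9_]*)\]\]")

def _substitute(obj, environ):
    """Recursively replace [[NAME]] placeholders in strings and dicts."""
    if isinstance(obj, str):
        return PLACEHOLDER.sub(lambda m: environ[m.group(1)], obj)
    if isinstance(obj, dict):
        return {k: _substitute(v, environ) for k, v in obj.items()}
    return obj

def _load_postprocess(spec):
    """None, a callable, or 'module.py::function' (path taken relative to cwd)."""
    if spec is None or callable(spec):
        return spec
    path, func_name = spec.split("::", 1)
    mod_spec = importlib.util.spec_from_file_location("postprocess", path)
    module = importlib.util.module_from_spec(mod_spec)
    mod_spec.loader.exec_module(module)
    return getattr(module, func_name)

def resolve_conf_item(item, environ, cmdline, fetch=None):
    """Environment first, then the command-line option, then the default; then
    interpret readable_from_file. fetch(method, url, headers, data, timeout)
    -> body str is the HTTP hook, used only by the ("http", ...) form."""
    raw = environ.get(item["env"])
    if raw is None:
        raw = cmdline.get(item["cmdline"], item["default"])
    if raw is None:
        return None
    mode = item["readable_from_file"]
    if mode is False:
        value = raw                                        # use verbatim
    elif mode == "string":
        value = raw
        if os.path.isfile(raw):          # a path means: read the secret from it
            with open(raw) as fh:
                value = fh.read().strip()
    elif isinstance(mode, tuple) and mode[0] == "http":
        opts = _substitute(mode[1], environ)               # fill in [[VARS]]
        value = fetch(opts["method"], raw, opts.get("headers"),
                      opts.get("data"), opts.get("timeout", 5.0))
        if mode[2] == "json":                              # pick e.g. payload.data
            value = json.loads(value)
            for part in mode[3].split("."):
                value = value[part]
    else:
        raise ValueError("unsupported readable_from_file: %r" % (mode,))
    post = _load_postprocess(item.get("postprocess_value"))
    return item["type"](post(value) if post else value)

def custom_b64decode(encoded):
    """Same job as custom_decode.py::custom_b64decode in the text."""
    return base64.b64decode(encoded.encode("utf-8")).decode("utf-8")

# The 'secret' item from the GCP walk-through, with the postprocess callable
# passed directly instead of as a 'module.py::function' string.
GCP_SECRET_ITEM = {
    "env": "GCP_SECMAN_URL", "cmdline": "secret", "type": str, "default": None,
    "readable_from_file": ("http",
                           {"method": "get", "data": None, "timeout": 5.0,
                            "headers": {"Authorization": "Bearer [[GCP_AUTH_TOKEN]]",
                                        "Content-Type": "application/json",
                                        "x-goog-user-project": "abcproj"}},
                           "json", "payload.data"),
    "postprocess_value": custom_b64decode,
}

def fake_secret_manager(method, url, headers, data, timeout):
    """Constructed stand-in for the ':access' endpoint: checks the bearer
    token and returns the payload base-64 encoded, as Secrets Manager does."""
    if method != "get" or headers.get("Authorization") != "Bearer some-secret-token":
        raise PermissionError("401 Unauthorized")
    encoded = base64.b64encode(b"shared-key-for-frontends").decode("ascii")
    return json.dumps({"name": url.rsplit(":", 1)[0], "payload": {"data": encoded}})

def demo_gcp(token="some-secret-token"):
    environ = {"GCP_AUTH_TOKEN": token, "GCP_SECMAN_URL": "https://secretmanager."
               "googleapis.com/v1/projects/abcproj/secrets/abc/versions/z:access"}
    return resolve_conf_item(GCP_SECRET_ITEM, environ, {}, fake_secret_manager)

def demo_string_mode():
    """'string' mode: the same item accepts a literal value or a file path,
    here supplied via the environment and via the --secret option."""
    item = dict(GCP_SECRET_ITEM, env="AUTHNZERVER_SECRET",
                readable_from_file="string", postprocess_value=None)
    direct = resolve_conf_item(item, {"AUTHNZERVER_SECRET": "inline-value"}, {})
    with tempfile.NamedTemporaryFile("w", suffix=".secret", delete=False) as fh:
        fh.write("value-from-file\n")
    try:
        from_file = resolve_conf_item(item, {}, {"secret": fh.name})
    finally:
        os.unlink(fh.name)
    return direct, from_file
```

demo_gcp() returns the decoded shared key only when the bearer token in the environment is the one the (fake) endpoint expects; with any other token the fetch fails with a 401-style error before any value reaches postprocess_value, which is the behaviour you want from the real loader too: a missing or stale GCP_AUTH_TOKEN should abort startup rather than let the server come up with an empty or garbage secret.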