Remove pre-configured Okta & Google OAuth providers (#793)

* Remove pre-configured Okta & Google OAuth providers, update docs

* Upgrade docs clarifications & remove unused auth code for pre-configured providers (google/okta)

* Fix docs url for upgrade note
This commit is contained in:
Andrew
2022-07-11 21:11:17 -05:00
committed by Jamil
parent 48d8ea75a9
commit 69a4412d75
17 changed files with 58 additions and 161 deletions


@@ -8,8 +8,6 @@ defmodule FzHttpWeb.RootController do
conn
|> render(
"auth.html",
okta_enabled: conf(:okta_auth_enabled),
google_enabled: conf(:google_auth_enabled),
local_enabled: conf(:local_auth_enabled),
openid_connect_providers: conf(:openid_connect_providers)
)


@@ -25,22 +25,4 @@
class: "button") %>
</p>
<% end %>
<%= if @okta_enabled do %>
<p>
<%= link(
"Sign in with Okta",
to: Routes.auth_path(@conn, :request, "okta"),
class: "button") %>
</p>
<% end %>
<%= if @google_enabled do %>
<p>
<%= link(
"Sign in with Google",
to: Routes.auth_path(@conn, :request, "google"),
class: "button") %>
</p>
<% end %>
</div>


@@ -17,14 +17,6 @@ defmodule FzHttpWeb.UserFromAuth do
Users.get_by_email(email) |> Authentication.authenticate(password)
end
def find_or_create(%Auth{provider: provider, info: %Auth.Info{email: email}} = _auth)
when provider in [:google, :okta] do
case Users.get_by_email(email) do
nil -> maybe_create_user(email)
user -> {:ok, user}
end
end
def find_or_create(_provider, %{"email" => email, "sub" => _sub}) do
case Users.get_by_email(email) do
nil -> maybe_create_user(email)


@@ -39,7 +39,6 @@ defmodule FzHttp.MixProject do
extra_applications: [
:logger,
:runtime_tools,
:ueberauth_okta,
:ueberauth_identity
],
registered: [:fz_http_server]
@@ -67,8 +66,6 @@ defmodule FzHttp.MixProject do
{:guardian_db, "~> 2.0"},
{:openid_connect, "~> 0.2.2"},
{:ueberauth, "~> 0.7"},
{:ueberauth_google, "~> 0.10"},
{:ueberauth_okta, "~> 0.2"},
{:ueberauth_identity, "~> 0.4"},
{:httpoison, "~> 1.8"},
{:argon2_elixir, "~> 2.0"},


@@ -13,9 +13,7 @@ defmodule FzHttpWeb.AuthControllerTest do
# Assert that we email, OIDC and Oauth2 buttons provided
for expected <- [
"Sign in with email",
"Sign in with OIDC Google",
"Sign in with Google",
"Sign in with Okta"
"Sign in with OIDC Google"
] do
assert html_response(test_conn, 200) =~ expected
end
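Review bot: The test only asserts that the surviving buttons render; nothing checks that the removed Okta and Google buttons are gone, so a stale template could keep offering a sign-in link whose `:okta`/`:google` strategy no longer exists. Add `refute html_response(test_conn, 200) =~ "Sign in with Okta"` and the same for `"Sign in with Google"` after the loop (the OIDC label `"Sign in with OIDC Google"` does not contain that substring, so the refute stays precise). The comment `# Assert that we email, OIDC and Oauth2 buttons provided` is also stale now that no plain OAuth2 buttons exist; `# Assert that the email and OIDC sign-in buttons are rendered` matches the new list. The enclosing test starts before the hunk.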


@@ -53,8 +53,6 @@ config :fz_vpn,
# Auth
local_auth_enabled = System.get_env("LOCAL_AUTH_ENABLED") == "true"
okta_auth_enabled = System.get_env("OKTA_AUTH_ENABLED") == "true"
google_auth_enabled = System.get_env("GOOGLE_AUTH_ENABLED") == "true"
# Configure strategies
identity_strategy =
@@ -65,34 +63,15 @@ identity_strategy =
uid_field: :email
]}}
okta_strategy = {:okta, {Ueberauth.Strategy.Okta, []}}
google_strategy = {:google, {Ueberauth.Strategy.Google, []}}
providers =
[
{local_auth_enabled, identity_strategy},
{google_auth_enabled, google_strategy},
{okta_auth_enabled, okta_strategy}
{local_auth_enabled, identity_strategy}
]
|> Enum.filter(fn {key, _val} -> key end)
|> Enum.map(fn {_key, val} -> val end)
config :ueberauth, Ueberauth, providers: providers
if okta_auth_enabled do
config :ueberauth, Ueberauth.Strategy.Okta.OAuth,
client_id: System.get_env("OKTA_CLIENT_ID"),
client_secret: System.get_env("OKTA_CLIENT_SECRET"),
site: System.get_env("OKTA_SITE")
end
if google_auth_enabled do
config :ueberauth, Ueberauth.Strategy.Google.OAuth,
client_id: System.get_env("GOOGLE_CLIENT_ID"),
client_secret: System.get_env("GOOGLE_CLIENT_SECRET"),
redirect_uri: System.get_env("GOOGLE_REDIRECT_URI")
end
# ## SSL Support
#
# In order to use HTTPS in development, a self-signed
@@ -145,8 +124,6 @@ config :phoenix, :plug_init_mode, :runtime
config :fz_http,
cookie_secure: false,
telemetry_module: FzCommon.MockTelemetry,
local_auth_enabled: local_auth_enabled,
okta_auth_enabled: google_auth_enabled,
google_auth_enabled: okta_auth_enabled
local_auth_enabled: local_auth_enabled
config :fz_http, FzHttp.Mailer, adapter: Swoosh.Adapters.Local, from_email: "dev@firez.one"
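Review bot: With a single candidate left in the second hunk, the `providers` list built through `Enum.filter`/`Enum.map` on one `{flag, strategy}` tuple is more machinery than the data warrants. `providers = if local_auth_enabled, do: [identity_strategy], else: []` reads directly and produces the same value. The same shape survives in the prod runtime config and could be collapsed there too.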


@@ -45,8 +45,6 @@ config :logger, level: :info
config :fz_http,
sandbox: false,
local_auth_enabled: true,
google_auth_enabled: true,
okta_auth_enabled: true,
connectivity_checks_url: "https://ping.firez.one/"
config :ueberauth, Ueberauth,
@@ -56,9 +54,7 @@ config :ueberauth, Ueberauth,
[
callback_methods: ["POST"],
uid_field: :email
]}},
{:okta, {Ueberauth.Strategy.Okta, []}},
{:google, {Ueberauth.Strategy.Google, []}}
]}}
]
config :swoosh, local: false


@@ -76,18 +76,6 @@ if config_env() == :prod do
# Local auth
local_auth_enabled = FzString.to_boolean(System.fetch_env!("LOCAL_AUTH_ENABLED"))
# Okta auth
okta_auth_enabled = FzString.to_boolean(System.fetch_env!("OKTA_AUTH_ENABLED"))
okta_client_id = System.get_env("OKTA_CLIENT_ID")
okta_client_secret = System.get_env("OKTA_CLIENT_SECRET")
okta_site = System.get_env("OKTA_SITE")
# Google auth
google_auth_enabled = FzString.to_boolean(System.fetch_env!("GOOGLE_AUTH_ENABLED"))
google_client_id = System.get_env("GOOGLE_CLIENT_ID")
google_client_secret = System.get_env("GOOGLE_CLIENT_SECRET")
google_redirect_uri = System.get_env("GOOGLE_REDIRECT_URI")
max_devices_per_user =
System.fetch_env!("MAX_DEVICES_PER_USER")
|> String.to_integer()
@@ -197,8 +185,6 @@ if config_env() == :prod do
allow_unprivileged_device_management: allow_unprivileged_device_management,
max_devices_per_user: max_devices_per_user,
local_auth_enabled: local_auth_enabled,
okta_auth_enabled: okta_auth_enabled,
google_auth_enabled: google_auth_enabled,
wireguard_dns: wireguard_dns,
wireguard_allowed_ips: wireguard_allowed_ips,
wireguard_persistent_keepalive: wireguard_persistent_keepalive,
@@ -227,34 +213,14 @@ if config_env() == :prod do
uid_field: :email
]}}
okta_strategy = {:okta, {Ueberauth.Strategy.Okta, []}}
google_strategy = {:google, {Ueberauth.Strategy.Google, []}}
providers =
[
{local_auth_enabled, identity_strategy},
{google_auth_enabled, google_strategy},
{okta_auth_enabled, okta_strategy}
{local_auth_enabled, identity_strategy}
]
|> Enum.filter(fn {key, _val} -> key end)
|> Enum.map(fn {_key, val} -> val end)
config :ueberauth, Ueberauth, providers: providers
# Configure OAuth portion of enabled strategies
if okta_auth_enabled do
config :ueberauth, Ueberauth.Strategy.Okta.OAuth,
client_id: okta_client_id,
client_secret: okta_client_secret,
site: okta_site
end
if google_auth_enabled do
config :ueberauth, Ueberauth.Strategy.Google.OAuth,
client_id: google_client_id,
client_secret: google_client_secret,
redirect_uri: google_redirect_uri
end
end
# OIDC Auth
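Review bot: The first hunk drops the reads of `OKTA_AUTH_ENABLED`/`GOOGLE_AUTH_ENABLED` and their client secrets, so a deployment that still exports them now boots with those providers silently absent instead of failing loudly; the new `configCheck` in the install script only covers configs written through the omnibus cookbook, so any deployment that sets these variables directly (containers, for instance — if that path exists) gets no signal. Consider failing at boot inside the prod branch, matching the installer's `exit 1`: `if System.get_env("OKTA_AUTH_ENABLED") || System.get_env("GOOGLE_AUTH_ENABLED"), do: raise "Pre-configured Okta/Google OAuth2 providers were removed in 0.5; migrate to an OIDC provider (see the upgrade guide)"`. If the `# Configure OAuth portion of enabled strategies` comment in the third hunk survives, it now describes nothing and should go. The `if config_env() == :prod do` block these hunks sit in starts before the first hunk.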


@@ -40,8 +40,6 @@ config :fz_http, FzHttpWeb.Endpoint,
config :fz_http,
mock_events_module_errors: false,
local_auth_enabled: true,
google_auth_enabled: true,
okta_auth_enabled: true,
telemetry_module: FzCommon.MockTelemetry,
supervision_tree_mode: :test,
connectivity_checks_interval: 86_400,
@@ -54,9 +52,7 @@ config :logger, level: :warn
config :ueberauth, Ueberauth,
providers: [
{:identity, {Ueberauth.Strategy.Identity, [callback_methods: ["POST"], uid_field: :email]}},
{:okta, {Ueberauth.Strategy.Okta, []}},
{:google, {Ueberauth.Strategy.Google, []}}
{:identity, {Ueberauth.Strategy.Identity, [callback_methods: ["POST"], uid_field: :email]}}
]
# OIDC auth for testing


@@ -19,6 +19,41 @@ To upgrade Firezone, follow these steps:
Occasionally problems arise. If you hit any, please let us know by [filing an
issue](https://github.com/firezone/firezone/issues/new/choose).
## Upgrading from < 0.5.0 to >= 0.5.0
Firezone has removed support for pre-configured Okta and Google OAuth2 providers.
Follow the instructions below based on your current setup to migrate to OIDC providers:
### I have an existing Google OAuth configuration
Remove these lines containing the old Google OAuth configs from your configuration
file located at `/etc/firezone/firezone.rb`
```rb
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
```
Then, follow the instructions [here](../authenticate/google) to configure Google
as an OIDC provider.
### I have an existing Okta OAuth configuration
Remove these lines containing the old Okta OAuth configs from your configuration
file located at `/etc/firezone/firezone.rb`
```rb
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
```
Then, follow the instructions [here](../authenticate/okta) to configure Okta as
an OIDC provider.
## Upgrading from 0.3.x to >= 0.3.16
Follow the instructions below based on your current version and setup:


@@ -22,17 +22,6 @@ to provide Firezone with the user's email in the returned claims.
![Firezone Google SSO Login](https://user-images.githubusercontent.com/52545545/156853456-1ab3f041-1002-4c79-a266-82acb5802890.gif)
Note: Previously, Firezone used pre-configured Oauth2 providers. We've moved to
OIDC based authentication, which allows for any OpenID Connect provider
(Google, Okta, Dex) to be used for authentication.
We strongly recommend transitioning your existing Google or Okta-based SSO
configuration to the generic OIDC-based configuration format described here.
We'll be removing the Google-specific and Okta-specific SSO functionality
in a future release.
To set up SSO, follow the steps below:
## Obtain Config Settings
### Step 1 - OAuth Config Screen


@@ -22,17 +22,6 @@ to provide Firezone with the user's email in the returned claims.
![Firezone Okta SSO Login](https://user-images.githubusercontent.com/52545545/156855886-5a4a0da7-065c-4ec1-af33-583dff4dbb72.gif)
**Note:** Previously, Firezone used pre-configured Oauth2 providers. We've moved
to OIDC based authentication, which allows for any OpenID Connect provider
(Google, Okta, Dex) to be integrated.
We strongly recommend transitioning your existing Google or Okta-based SSO
configuration to the generic OIDC-based configuration format described here.
We'll be removing the Google-specific and Okta-specific SSO functionality
in a future release.
To set up SSO, follow the steps below:
## Step 1 - Create Okta App Integration
_This section of the guide is based on


@@ -34,14 +34,6 @@ Shown below is a complete listing of the configuration options available in
| `default['firezone']['authentication']['auto_create_oidc_users']` | Automatically create users signing in from OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | `true` |
| `default['firezone']['authentication']['disable_vpn_on_oidc_error']` | Disable a user's VPN if an error is detected trying to refresh their OIDC token. | `false` |
| `default['firezone']['authentication']['oidc']` | OpenID Connect config, in the format of `{"provider" => [config...]}` - See [OpenIDConnect documentation](https://hexdocs.pm/openid_connect/readme.html) for config examples. | `{}` |
| `default['firezone']['authentication']['okta']['enabled']` | Enable or disable Okta SSO authentication. | `false` |
| `default['firezone']['authentication']['okta']['client_id']` | OAuth Client ID for Okta SSO authentication. | `nil` |
| `default['firezone']['authentication']['okta']['client_secret']` | OAuth Client Secret for Okta SSO authentication. | `nil` |
| `default['firezone']['authentication']['okta']['site']` | Okta site to redirect to after successful authentication. | `'https://your-domain.okta.com'` |
| `default['firezone']['authentication']['google']['enabled']` | Enable or disable Google SSO authentication. | `false` |
| `default['firezone']['authentication']['google']['client_id']` | OAuth Client ID for Google SSO authentication. | `nil` |
| `default['firezone']['authentication']['google']['client_secret']` | OAuth Client Secret for Google SSO authentication. | `nil` |
| `default['firezone']['authentication']['google']['redirect_uri']` | Google redirect URI for Google SSO authentication. | `nil` |
| `default['firezone']['nginx']['enabled']` | Enable or disable the bundled nginx server. | `true` |
| `default['firezone']['nginx']['non_ssl_port']` | HTTP listen port. | `80` |
| `default['firezone']['nginx']['ssl_port']` | HTTPS listen port. | `443` |


@@ -135,23 +135,6 @@ default['firezone']['authentication']['oidc'] = {}
# }
# }
# DEPRECATED
# Previously, Firezone used preconfigured Oauth2 providers. We've moved to OIDC authentication
# which allows for any OpenID Connect provider (Google, Okta, Dex) to be used for authetication.
# See the above OIDC Authentication section
#
# DEPRECATED: Okta example config
default['firezone']['authentication']['okta']['enabled'] = false
default['firezone']['authentication']['okta']['client_id'] = nil
default['firezone']['authentication']['okta']['client_secret'] = nil
default['firezone']['authentication']['okta']['site'] = 'https://your-domain.okta.com'
# DEPRECATED: Google example config
default['firezone']['authentication']['google']['enabled'] = false
default['firezone']['authentication']['google']['client_id'] = nil
default['firezone']['authentication']['google']['client_secret'] = nil
default['firezone']['authentication']['google']['redirect_uri'] = nil
# ## Nginx
# These attributes control Firezone-specific portions of the Nginx


@@ -262,14 +262,6 @@ class Firezone
# Auth
'LOCAL_AUTH_ENABLED' => attributes['authentication']['local']['enabled'].to_s,
'OKTA_AUTH_ENABLED' => attributes['authentication']['okta']['enabled'].to_s,
'OKTA_CLIENT_ID' => attributes['authentication']['okta']['client_id'],
'OKTA_CLIENT_SECRET' => attributes['authentication']['okta']['client_secret'],
'OKTA_SITE' => attributes['authentication']['okta']['site'],
'GOOGLE_AUTH_ENABLED' => attributes['authentication']['google']['enabled'].to_s,
'GOOGLE_CLIENT_ID' => attributes['authentication']['google']['client_id'],
'GOOGLE_CLIENT_SECRET' => attributes['authentication']['google']['client_secret'],
'GOOGLE_REDIRECT_URI' => attributes['authentication']['google']['redirect_uri'],
'DISABLE_VPN_ON_OIDC_ERROR' => attributes['authentication']['disable_vpn_on_oidc_error'].to_s,
'AUTO_CREATE_OIDC_USERS' => attributes['authentication']['auto_create_oidc_users'].to_s,


@@ -28,4 +28,6 @@ fi
# Symlink ctl commands
DEST_DIR=/opt/firezone
${DEST_DIR}/embedded/bin/symlink_ctl_cmds
if [ -e ${DEST_DIR}/embedded/bin/symlink_ctl_cmds ]; then
${DEST_DIR}/embedded/bin/symlink_ctl_cmds
fi
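Review bot: `-e` only tests that the path exists, while the next line executes it, so a file that is present but not executable still fails in exactly the way the guard was added to avoid. `if [ -x "${DEST_DIR}/embedded/bin/symlink_ctl_cmds" ]; then` checks executability and quotes the expansion on both lines. This change is unrelated to the provider removal in the commit message and would be easier to audit in its own commit.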


@@ -17,6 +17,18 @@ kernelCheck() {
fi
}
configCheck() {
config_file='/etc/firezone/firezone.rb'
error_color='\033[0;31m'
reset_color='\033[0m'
if grep -q "^\s*default\['firezone'\]\['authentication'\]\['\(google\|okta\)'\]\['enabled'\]\s*=\s*true" $config_file ; then
echo "${error_color}ERROR: Firezone 0.5+ disables support for pre-configured Okta and Google OAuth2 providers!${reset_color}"
echo "Please see our transition guide to move to a generic OIDC config: https://docs.firezone.dev/administer/upgrade#upgrading-from--050-to--050"
exit 1
fi
}
capture () {
if type curl > /dev/null; then
if [ -e /var/opt/firezone/cache/telemetry_id ]; then
@@ -40,5 +52,6 @@ if [ ! -e /var/opt/firezone/.disable_telemetry ]; then
capture || true
fi
echo "You're about to install firezone!"
kernelCheck
configCheck
echo "You're about to install firezone!"
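Review bot: On a fresh install `/etc/firezone/firezone.rb` does not exist yet, and `grep -q` on a missing file writes an error to stderr and returns 2, so `configCheck` passes the new-install case only by accident and with noise; `grep -qs "…" "$config_file"` (or a leading `[ -f "$config_file" ] &&`) makes that case explicit. The pattern matches only single-quoted keys, so a `default["firezone"]["authentication"]["okta"]["enabled"] = true` line would slip past the check and the operator would lose that provider silently at boot — consider accepting either quote style around each key. The `\033` colour escapes are only interpreted if the interpreter's `echo` expands them (bash's builtin does not without `-e`); `printf '%b\n'` is portable, though the shebang is outside the hunk so this may already be handled.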