From 605d406b502b3f4eb0d2270ba2450c8359ae9a9f Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <6413499+elberfeld@users.noreply.github.com>
Date: Sat, 1 Jun 2024 23:22:15 +0200
Subject: [PATCH] tandoor oauth anbindung

---
 testserver/docker_grafana/Documentation.md    |  2 +-
 testserver/docker_tandoor/Documentation.md    | 32 +++++++++++++++++--
 testserver/docker_tandoor/tasks/main.yml      |  1 +
 .../templates/docker-compose.yml              |  4 +++
 4 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/testserver/docker_grafana/Documentation.md b/testserver/docker_grafana/Documentation.md
index 771c3e47..139bda49 100644
--- a/testserver/docker_grafana/Documentation.md
+++ b/testserver/docker_grafana/Documentation.md
@@ -27,7 +27,7 @@ Create Groups:
 
 Create a Service / OAuth Client: 
 
-Only Users with goup grafana_access can access Wordpress 
+Only Users with goup grafana_access can access Grafana 
 
 Client-ID: grafana
 Client-Secret: from file oauth_client_secret on the server
diff --git a/testserver/docker_tandoor/Documentation.md b/testserver/docker_tandoor/Documentation.md
index 074a7865..87af86d0 100644
--- a/testserver/docker_tandoor/Documentation.md
+++ b/testserver/docker_tandoor/Documentation.md
@@ -1,4 +1,32 @@
 
-After initial Setup, the initial superuser 'tandooradmin' must be created in the unser interface. 
-The Password is stored on the Server in the file ```secrets/tandooradmin_user_pass``` within the data directory. 
+# Overview 
+
+* Authentication to Tandoor is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'tandoor_access' can access the Application 
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in Tandoor
+
+All setup is done in the docker-compose.yml
+References: 
+* https://docs.tandoor.dev/features/authentication/
+
+## Setup in uffd
+
+Create Groups:
+
+- tandoor_access: General Access to Tandoor
+
+Create a Service / OAuth Client: 
+
+Only Users with goup grafana_access can access Tandoor 
+
+Client-ID: tandoor
+Client-Secret: from file openid_client_secret on the server
+Redirect-URIs: 
+* https://tandoor.test-warpzone.de/accounts/oidc/uffd/login/callback/
 
diff --git a/testserver/docker_tandoor/tasks/main.yml b/testserver/docker_tandoor/tasks/main.yml
index 28fc83e7..6c0629fa 100644
--- a/testserver/docker_tandoor/tasks/main.yml
+++ b/testserver/docker_tandoor/tasks/main.yml
@@ -5,6 +5,7 @@
     - { path: "{{ basedir }}/secrets/secret_key",  length: 32 }
     - { path: "{{ basedir }}/secrets/postgres_user_pass",  length: 24 }
     - { path: "{{ basedir }}/secrets/tandooradmin_user_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/openid_client_secret",  length: 32 }
 
 
 - name: "create folder struct for {{ servicename }}"
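Review bot: The new `openid_client_secret` entry is later interpolated verbatim into the JSON string held by `SOCIALACCOUNT_PROVIDERS` in templates/docker-compose.yml, which is itself a single-quoted YAML scalar, so the generated value must never contain `"`, `\` or `'` or it will corrupt the JSON (or terminate the YAML string) and break the OIDC provider config silently. The task that consumes this list and generates the files starts before this hunk, so I cannot see the charset it uses; if it is not restricted to alphanumerics, add e.g. `chars: ["ascii_letters", "digits"]` (or an equivalent constraint) to the generator, or escape the value at the template side. A short comment on the added line would also help the next reader: `# must stay alphanumeric: embedded raw inside JSON in docker-compose.yml`.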
diff --git a/testserver/docker_tandoor/templates/docker-compose.yml b/testserver/docker_tandoor/templates/docker-compose.yml
index 68a281de..0f9d348b 100644
--- a/testserver/docker_tandoor/templates/docker-compose.yml
+++ b/testserver/docker_tandoor/templates/docker-compose.yml
@@ -34,6 +34,10 @@ services:
       POSTGRES_PORT: 5432
       POSTGRES_USER: tandoor
       POSTGRES_PASSWORD: "{{ postgres_user_pass }}"
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      SOCIALACCOUNT_PROVIDERS: '{"openid_connect":{"APPS":[{"provider_id":"uffd","name":"uffd","client_id":"tandoor","secret":"{{ openid_client_secret }}","settings":{"server_url":"{{ oidc_global.provider_url }}/.well-known/openid-configuration"}}]}}'
+      SOCIAL_DEFAULT_GROUP: "warpzone"
+      ENABLE_SIGNUP: "False"
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
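Review bot: `ENABLE_SIGNUP: "False"` does not match the form Tandoor documents for this setting (`ENABLE_SIGNUP=0` / `1`); as far as I recall the container parses it with `int()`, in which case the string `False` would fail at startup rather than disable signup — please verify against the image in use and switch to `ENABLE_SIGNUP: "0"` if so. `SOCIAL_DEFAULT_GROUP: "warpzone"` names a Tandoor permission group assigned to users created through social login, and Tandoor ships only `guest`, `user` and `admin`, so unless a `warpzone` group has been created in Tandoor this should presumably be `"user"`; a comment stating the intended Tandoor-side permission level would document the choice either way. Note also that group gating (`tandoor_access`) is enforced only on the uffd side here, nothing in this compose config restricts who may log in once the IdP issues a token, which is fine but worth a comment such as `# access restricted to group tandoor_access by the uffd OAuth client, not by Tandoor`. The `services:` mapping this hunk sits in starts before and ends after the hunk.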
-- 
GitLab