diff --git a/tljh/configurer.py b/tljh/configurer.py
index e019ae8..2a68e88 100644
--- a/tljh/configurer.py
+++ b/tljh/configurer.py
@@ -10,8 +10,6 @@ FIXME: A strong feeling that JSON Schema should be involved somehow.
 import os
-from passlib.apache import HtpasswdFile
-
 from .config import CONFIG_FILE, STATE_DIR
 from .yaml import yaml
@@ -48,12 +46,11 @@ default = {
 'domains': [],
 },
 },
- 'auth_api': {
+ 'traefik_api': {
 'ip': "127.0.0.1",
 'port': 8099,
 'username': 'api_admin',
 'password': '',
- 'basic_auth': ''
 },
 'user_environment': {
 'default_app': 'classic',
@@ -86,7 +83,7 @@ def apply_config(config_overrides, c):
 update_limits(c, tljh_config)
 update_user_environment(c, tljh_config)
 update_user_account_config(c, tljh_config)
- update_auth_api(c, tljh_config)
+ update_traefik_api(c, tljh_config)
 def set_if_not_none(parent, key, value):
@@ -101,12 +98,7 @@ def generate_traefik_api_credentials():
 with open(proxy_secret_path,'r') as f:
 password = f.read()
- default['auth_api']['password'] = password
- ht = HtpasswdFile()
- # generate htpassword
- ht.set_password(default['auth_api']['username'], default['auth_api']['password'])
- traefik_api_hashed_password = str(ht.to_string()).split(":")[1][:-3]
- default['auth_api']['basic_auth'] = default['auth_api']['username'] + ":" + traefik_api_hashed_password
+ default['traefik_api']['password'] = password
 def update_auth(c, config):
@@ -172,12 +164,12 @@ def update_user_account_config(c, config):
 c.SystemdSpawner.username_template = 'jupyter-{USERNAME}'
-def update_auth_api(c, config):
+def update_traefik_api(c, config):
 """
 Set traefik api endpoint credentials
 """
- c.TraefikTomlProxy.traefik_api_username = config['auth_api']['username']
- c.TraefikTomlProxy.traefik_api_password = config['auth_api']['password']
+ c.TraefikTomlProxy.traefik_api_username = config['traefik_api']['username']
+ c.TraefikTomlProxy.traefik_api_password = config['traefik_api']['password']
 def _merge_dictionaries(a, b, path=None, update=True):
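Review bot: Renaming the `auth_api` key to `traefik_api` in `default` (hunk `@@ -48,12 +46,11 @@`) leaves no fallback for an existing config file that still sets `auth_api`, so an operator's overridden username or password would presumably stop applying and the defaults, including `'password': ''`, would be used instead. How an unknown key is merged is not visible in this diff, so this should be confirmed against `_merge_dictionaries`. I would either map the old key onto the new one in `apply_config` before the merge or fail loudly when `auth_api` is present. At minimum add a comment next to the key, such as `# renamed from 'auth_api'; overrides under the old name are not read`.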
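Review bot: In `generate_traefik_api_credentials` (hunk `@@ -101,12 +98,7 @@`) the file content is stored as the API password without checking that it is non-empty, so an empty or truncated secret file would leave `default['traefik_api']['password']` as `''`. The hash later rendered into traefik.toml would then presumably be that of an empty password. A guard right after the read would make this fail closed: `if not password: raise ValueError("traefik API secret file is empty")`. The value also keeps any trailing newline from the file; whether stripping it is safe depends on other readers of the same file, which are outside this hunk. The function begins above the hunk, so how `proxy_secret_path` is built and protected is not visible here.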
diff --git a/tljh/traefik.py b/tljh/traefik.py
index 5758d09..4581953 100644
--- a/tljh/traefik.py
+++ b/tljh/traefik.py
@@ -4,6 +4,7 @@ import os
 from urllib.request import urlretrieve
 from jinja2 import Template
+from passlib.apache import HtpasswdFile
 from tljh.configurer import load_config
@@ -55,9 +56,23 @@ def ensure_traefik_binary(prefix):
 raise IOError(f"Checksum failed {traefik_bin}: {checksum} != {checksums[plat]}")
+def compute_basic_auth(username, password):
+ """Generate hashed HTTP basic auth from traefik_api username+password"""
+ ht = HtpasswdFile()
+ # generate htpassword
+ ht.set_password(username, password)
+ hashed_password = str(ht.to_string()).split(":")[1][:-3]
+ return username + ":" + hashed_password
+
+
 def ensure_traefik_config(state_dir):
 """Render the traefik.toml config file"""
 config = load_config()
+ config['traefik_api']['basic_auth'] = compute_basic_auth(
+ config['traefik_api']['username'],
+ config['traefik_api']['password'],
+ )
+
 with open(os.path.join(os.path.dirname(__file__), "traefik.toml.tpl")) as f:
 template = Template(f.read())
 new_toml = template.render(config)
diff --git a/tljh/traefik.toml.tpl b/tljh/traefik.toml.tpl
index 20a3487..2b88b77 100644
--- a/tljh/traefik.toml.tpl
+++ b/tljh/traefik.toml.tpl
@@ -41,11 +41,11 @@ idleTimeout = "10m0s"
 {% endif %}
 {% endif %}
 [entryPoints.auth_api]
- address = "127.0.0.1:{{auth_api['port']}}"
+ address = "127.0.0.1:{{traefik_api['port']}}"
 [entryPoints.auth_api.whiteList]
- sourceRange = ['{{auth_api['ip']}}']
+ sourceRange = ['{{traefik_api['ip']}}']
 [entryPoints.auth_api.auth.basic]
- users = ['{{auth_api['basic_auth']}}']
+ users = ['{{ traefik_api['basic_auth'] }}']
 [wss]
 protocol = "http"
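Review bot: `compute_basic_auth` (hunk `@@ -55,9 +56,23 @@` of tljh/traefik.py) recovers the hash by slicing `str(ht.to_string())`, which appears to depend on the printed form of that value (the first `:` and the `[:-3]` tail) rather than on the htpasswd entry itself. passlib exposes the stored hash directly, so `hashed_password = ht.get_hash(username).decode("utf-8")` would be less brittle. The hash scheme is also left to passlib's default; naming it with `HtpasswdFile(default_scheme=...)` would make that choice explicit and reviewable. The docstring could add that the returned `user:hash` string is written into traefik.toml and that the password is expected to be non-empty.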
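Review bot: The `traefik_api` values in `[entryPoints.auth_api]` are rendered into single-quoted TOML strings with no escaping or validation, so a configured username or ip containing a `'` would produce a traefik.toml that is malformed or parsed differently from what was intended. Validating those fields before `template.render(config)`, for example rejecting quotes, colons and whitespace in the username, would keep the rendered file well-formed. The entry point is still named `auth_api` while the config key is now `traefik_api`; a template comment such as `# entry point name kept as auth_api; values come from the traefik_api config key` would avoid confusion. The `127.0.0.1` whitelist only limits the source address, so on a host with local user accounts the basic-auth credential remains the effective control.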