Configuration file

The configuration file is a yaml file with four sections:

  1. openid_providers

  2. proxy

  3. services

  4. access_control

openid_providers

Here you can specify each provider you want to support. Each provider is a key under openid_providers, and you must submit the configuration_url and either registration_token and registration_url or a configuration_token. With a configuration_token the client registers itself as a new OpenID Connect Client; with a registration_token the client accesses the registration data from the OpenID Connect Registration Endpoint.

openid_providers:
  example:
    configuration_token: ''
    configuration_url: ''
    do_token_introspection: true
    human_readable_name: ''
    redirect_paths: []
    registration_token: ''
    registration_url: ''

The meaning of each key is documented in the ProviderConfig class.

class arpoc.config.ProviderConfig(baseuri: dataclasses.InitVar, human_readable_name: str, configuration_url: str = '', configuration_token: str = '', registration_token: str = '', registration_url: str = '', method: str = 'auto', special_claim2scope: dataclasses.InitVar = None, redirect_paths: List[str] = <factory>, do_token_introspection: bool = True)[source]

Configuration for a single Open ID Connect Provider

Attributes:
  • human_readable_name: A name which arpoc uses when communicating with the user / operator

  • configuration_url: The base url of the OIDC provider. Without the .well-known/ part

  • configuration_token: The token ARPOC can use to register itself with the OIDC provider

  • registration_token: The token issued from the OIDC provider for a specific client to obtain its configuration

  • registration_url: The url where arpoc can obtain its configuration after registration.

  • method: Either ‘auto’, ‘GET’, or ‘POST’. The HTTP method ARPOC will use if the OIDC / OAuth standard gives a choice.

  • special_claim2scope: A mapping from claim to scopes that will deliver the claims.

Mandatory arguments:
  • configuration_url

And either:
  • configuration_token

Or:
  • registration_token

  • registration_url

proxy

OpenID Connect requires the use of TLS. Therefore you need a keyfile with the private key and a certificate file with the TLS certificate. Under contacts you must submit a valid e-mail address that will be used during the registration with the OpenID Connect Providers. The secrets file is used to store the client secrets of the OpenID Connect protocol.

proxy:
  address: ''
  auth: /auth
  certfile: ''
  contacts:
  - ''
  domainname: ''
  groupname: www-data
  https_only: true
  keyfile: ''
  plain_port: 80
  plugin_dirs: []
  redirect:
  - /secure/redirect_uris
  secrets: /var/lib/arpoc/secrets.yml
  tls_port: 443
  tls_redirect: /TLSRedirect
  username: www-data

Each key is documented in the ProxyConfig class.

class arpoc.config.ProxyConfig(keyfile: str, certfile: str, domainname: str, contacts: List[str], address: str = '0.0.0.0', tls_port: int = 443, plain_port: int = 80, https_only: bool = True, username: str = 'www-data', groupname: str = 'www-data', secrets: str = '/var/lib/arpoc/secrets.yml', tls_redirect: str = '/TLSRedirect', auth: str = '/auth', redirect: List[str] = <factory>)[source]

Configuration for the Proxy Setup

Attributes:
  • keyfile: The path to the private key file of the TLS keypair

  • certfile: The path to the certificate chain file (full chain)

  • domainname: The domain name where ARPOC will be available

  • contacts: A list of mail contact addresses responsible for the ARPOC instance

Mandatory: keyfile, certfile, domainname, contacts

services

Each service (i.e. a URL that is accessible through a subfolder on the proxy) must be listed here. You can specify authentication settings such as a client certificate that the proxy will use for every connection to the service, or a bearer token that the proxy will send in the ‘Authentication’ field. The AC key must specify a valid policy set that will be evaluated on every access.

services:
  example:
    AC: ''
    authentication: {}
    objectsetters: {}
    obligations: {}
    origin_URL: ''
    proxy_URL: ''

class arpoc.config.ServiceConfig(origin_URL: str, proxy_URL: str, AC: str, objectsetters: dict = <factory>, obligations: dict = <factory>, authentication: dict = <factory>)[source]

Configuration for a single proxied Service

Attributes:
  • origin_URL: The URL that will be proxied, or the special page string; see Special Pages

  • proxy_URL: The path under which origin_URL will be available.

  • AC: The policy set which is evaluated to decide the access request

  • objectsetters: Configuration for the objectsetters

  • obligations: Configuration for obligations

  • authentication: Authentication information which will be used to request origin_URL

Mandatory Arguments:
  • origin_URL

  • proxy_URL

  • AC
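The mandatory-argument rules of the openid_providers, proxy and services sections above can be checked before the file is handed to the proxy. The validator below is an added example, not arpoc's own code; it works on the dict form of the yaml (as returned by a yaml loader) and the sample config it embeds is constructed, with deliberately empty registration_token and AC values so the checks have something to report.

```python
# Added example (not part of arpoc): check a parsed arpoc configuration
# against the mandatory-argument rules documented for each section.
from typing import Any, Dict, List

# Constructed sample: dict form of the yaml fragments shown in this page.
SAMPLE_CONFIG: Dict[str, Any] = {
    "openid_providers": {
        "example": {
            "configuration_url": "https://op.example.invalid",
            "registration_token": "",   # empty: fails the either/or rule
            "registration_url": "",
            "human_readable_name": "Example OP",
        },
    },
    "proxy": {
        "keyfile": "/etc/arpoc/key.pem",
        "certfile": "/etc/arpoc/fullchain.pem",
        "domainname": "proxy.example.invalid",
        "contacts": ["admin@example.invalid"],
    },
    "services": {
        "example": {"origin_URL": "http://app.internal:8080",
                    "proxy_URL": "/app", "AC": ""},   # empty AC: reported
    },
}


def _present(section: Dict[str, Any], key: str) -> bool:
    """True when the key exists and is not empty ('' and [] count as missing)."""
    return section.get(key) not in (None, "", [])


def validate_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the rules are satisfied."""
    problems: List[str] = []
    for name, op in cfg.get("openid_providers", {}).items():
        if not _present(op, "configuration_url"):
            problems.append(f"openid_providers.{name}: configuration_url is mandatory")
        # Either configuration_token, or both registration_token and registration_url.
        by_config_token = _present(op, "configuration_token")
        by_registration = _present(op, "registration_token") and _present(op, "registration_url")
        if not (by_config_token or by_registration):
            problems.append(f"openid_providers.{name}: need configuration_token or registration_token+registration_url")
    for key in ("keyfile", "certfile", "domainname", "contacts"):
        if not _present(cfg.get("proxy", {}), key):
            problems.append(f"proxy.{key} is mandatory")
    for name, svc in cfg.get("services", {}).items():
        for key in ("origin_URL", "proxy_URL", "AC"):
            if not _present(svc, key):
                problems.append(f"services.{name}.{key} is mandatory")
    return problems
```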

access_control

Here you can specify the list of directories where the proxy will load access control entities.

access_control:
  json_dir:
  - /etc/arpoc/acl

class arpoc.config.ACConfig(json_dir: List[str] = <factory>)[source]

Configuration for the access control

Attributes:
  • json_dir: The directory where the AC Entities are stored. The files must end with “.json”

misc

Other config options that did not fit into the other sections.

misc:
  access_log: /var/log/arpoc/access.log
  daemonize: true
  error_log: /var/log/arpoc/error.log
  log_level: INFO
  pid_file: /var/run/arpoc.pid

class arpoc.config.Misc(pid_file: str = '/var/run/arpoc.pid', daemonize: bool = True, log_level: str = 'INFO', access_log: str = '/var/log/arpoc/access.log', error_log: str = '/var/log/arpoc/error.log', plugin_dirs: List[str] = <factory>)[source]

Misc Config Class

Attributes:
  • access_log: The location to store the access log (HTTP requests)

  • error_log: The location to store the error_log

  • daemonize: If arpoc should start daemonized.

  • log_level: ARPOC’s log level. (DEBUG/INFO/ERROR/WARN). Affects also underlying libraries

  • pid_file: Where ARPOC should store the process id file. Only used when daemonized.

  • plugin_dirs: Where ARPOC should load plugins

No mandatory arguments.