Configuration file

The configuration file is a yaml file with four sections:

- openid_providers
- proxy
- services
- access_control
openid_providers

Here you specify each provider you want to support. Each provider is a key under openid_providers, and for each one you must give the configuration_url and either a configuration_token or both a registration_token and a registration_url. With a configuration_token the client registers itself as a new OpenID Connect Client; with a registration_token the client fetches its existing registration data from the OpenID Connect Registration Endpoint.
```yaml
openid_providers:
  example:
    configuration_token: ''
    configuration_url: ''
    do_token_introspection: true
    human_readable_name: ''
    redirect_paths: []
    registration_token: ''
    registration_url: ''
```
The meaning of each key is documented in the ProviderConfig class.
class arpoc.config.ProviderConfig(baseuri: dataclasses.InitVar, human_readable_name: str, configuration_url: str = '', configuration_token: str = '', registration_token: str = '', registration_url: str = '', method: str = 'auto', special_claim2scope: dataclasses.InitVar = None, redirect_paths: List[str] = <factory>, do_token_introspection: bool = True)

Configuration for a single OpenID Connect Provider.

Attributes:
- human_readable_name: A name which ARPOC uses when communicating with the user / operator
- configuration_url: The base URL of the OIDC provider, without the .well-known/ part
- configuration_token: The token ARPOC can use to register itself with the OIDC provider
- registration_token: The token issued by the OIDC provider for a specific client to obtain its configuration
- registration_url: The URL where ARPOC can obtain its configuration after registration
- method: Either 'auto', 'GET', or 'POST'. The HTTP method ARPOC will use if the OIDC / OAuth standard gives a choice
- special_claim2scope: A mapping from claim to the scopes that will deliver the claim

Mandatory arguments: configuration_url, and either configuration_token or both registration_token and registration_url.
proxy

OpenID Connect requires the use of TLS. Therefore you need a keyfile with the private key and a certificate file with the TLS certificate. Under contacts you must give a valid e-mail address, which is used during registration with the OpenID Connect Providers. The secrets file is used to store the client secrets of the OpenID Connect protocol.
```yaml
proxy:
  address: ''
  auth: /auth
  certfile: ''
  contacts:
  - ''
  domainname: ''
  groupname: www-data
  https_only: true
  keyfile: ''
  plain_port: 80
  plugin_dirs: []
  redirect:
  - /secure/redirect_uris
  secrets: /var/lib/arpoc/secrets.yml
  tls_port: 443
  tls_redirect: /TLSRedirect
  username: www-data
```
Each key is documented in the ProxyConfig class.
class arpoc.config.ProxyConfig(keyfile: str, certfile: str, domainname: str, contacts: List[str], address: str = '0.0.0.0', tls_port: int = 443, plain_port: int = 80, https_only: bool = True, username: str = 'www-data', groupname: str = 'www-data', secrets: str = '/var/lib/arpoc/secrets.yml', tls_redirect: str = '/TLSRedirect', auth: str = '/auth', redirect: List[str] = <factory>)

Configuration for the Proxy Setup.

Attributes:
- keyfile: The path to the private key file of the TLS keypair
- certfile: The path to the certificate chain file (full chain)
- domainname: The domain name where ARPOC will be available
- contacts: A list of e-mail contact addresses responsible for the ARPOC instance

Mandatory: keyfile, certfile, domainname, contacts
services

Each service (i.e. a URL that is accessible through a subfolder on the proxy) must be listed here. You can specify authentication settings, such as a client certificate that the proxy will use for every connection to the service, or a bearer token that the proxy will send in the ‘Authentication’ field. The AC key must name a valid policy set, which is evaluated on every access.
```yaml
services:
  example:
    AC: ''
    authentication: {}
    objectsetters: {}
    obligations: {}
    origin_URL: ''
    proxy_URL: ''
```
class arpoc.config.ServiceConfig(origin_URL: str, proxy_URL: str, AC: str, objectsetters: dict = <factory>, obligations: dict = <factory>, authentication: dict = <factory>)

Configuration for a single proxied Service.

Attributes:
- origin_URL: The URL that will be proxied, or the special page string; see Special Pages
- proxy_URL: The path under which origin_URL will be available
- AC: The policy set which is evaluated to decide the access request
- objectsetters: Configuration for the objectsetters
- obligations: Configuration for obligations
- authentication: Authentication information which will be used to request origin_URL

Mandatory arguments: origin_URL, proxy_URL, AC
access_control

Here you specify the list of directories from which the proxy loads the access control entities.
```yaml
access_control:
  json_dir:
  - /etc/arpoc/acl
```
class arpoc.config.ACConfig(json_dir: List[str] = <factory>)

Configuration for the access control.

Attributes:
- json_dir: The directories where the AC entities are stored. The files must end with ".json"
misc

Other config options that do not fit into the other sections.
```yaml
misc:
  access_log: /var/log/arpoc/access.log
  daemonize: true
  error_log: /var/log/arpoc/error.log
  log_level: INFO
  pid_file: /var/run/arpoc.pid
```
class arpoc.config.Misc(pid_file: str = '/var/run/arpoc.pid', daemonize: bool = True, log_level: str = 'INFO', access_log: str = '/var/log/arpoc/access.log', error_log: str = '/var/log/arpoc/error.log', plugin_dirs: List[str] = <factory>)

Misc Config Class.

Attributes:
- access_log: The location to store the access log (HTTP requests)
- error_log: The location to store the error log
- daemonize: Whether ARPOC should start daemonized
- log_level: ARPOC's log level (DEBUG/INFO/ERROR/WARN). Also affects the underlying libraries
- pid_file: Where ARPOC should store the process id file. Only used when daemonized
- plugin_dirs: Where ARPOC should load plugins from

No mandatory arguments.
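The mandatory-key rules stated in the sections above (configuration_url plus one of the two registration paths per provider; keyfile, certfile, domainname and contacts for the proxy; origin_URL, proxy_URL and AC per service) can be checked before ARPOC is started. The validator below is an added example, not ARPOC's own code; it works on the mapping that yaml.safe_load() would return, so a constructed config dict is embedded instead of a file, and the e-mail and https_only checks are my own additions rather than rules from the page.

```python
# Example validator added here; not part of ARPOC. It checks the mandatory-key
# rules documented above against the mapping yaml.safe_load() would return.
from typing import Dict, List


def _missing(section: Dict, keys: List[str]) -> List[str]:
    """Keys that are absent or empty (''/[]/None) in the section."""
    return [k for k in keys if not section.get(k)]


def validate_config(cfg: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the config passes."""
    problems: List[str] = []
    # openid_providers: configuration_url plus one of the two registration paths.
    for name, prov in (cfg.get("openid_providers") or {}).items():
        if not prov.get("configuration_url"):
            problems.append(f"provider {name}: configuration_url is mandatory")
        has_cfg_token = bool(prov.get("configuration_token"))
        has_reg = bool(prov.get("registration_token")) and bool(prov.get("registration_url"))
        if not (has_cfg_token or has_reg):
            problems.append(f"provider {name}: need configuration_token, "
                            "or registration_token and registration_url")

    # proxy: TLS key material, a domain and a contact address are mandatory.
    proxy = cfg.get("proxy") or {}
    for key in _missing(proxy, ["keyfile", "certfile", "domainname", "contacts"]):
        problems.append(f"proxy: {key} is mandatory")
    for addr in proxy.get("contacts") or []:
        if "@" not in str(addr):  # minimal sanity check (constructed rule, not ARPOC's)
            problems.append(f"proxy: contact {addr!r} is not an e-mail address")
    if proxy.get("https_only") is False:
        problems.append("proxy: https_only is disabled but OpenID Connect requires TLS")

    # services: every proxied service needs an origin, a mount path and a policy set.
    for name, svc in (cfg.get("services") or {}).items():
        for key in _missing(svc, ["origin_URL", "proxy_URL", "AC"]):
            problems.append(f"service {name}: {key} is mandatory")
    return problems


# Constructed sample with three defects: registration path without registration_url,
# TLS enforcement switched off, and a service with an empty policy set.
SAMPLE_CONFIG = {
    "openid_providers": {"example": {"configuration_url": "https://op.example.test",
                                     "registration_token": "tok", "registration_url": ""}},
    "proxy": {"keyfile": "/etc/arpoc/key.pem", "certfile": "/etc/arpoc/chain.pem",
              "domainname": "proxy.example.test", "contacts": ["admin@example.test"],
              "https_only": False},
    "services": {"wiki": {"origin_URL": "http://wiki.internal", "proxy_URL": "/wiki", "AC": ""}},
}
```

Running validate_config(SAMPLE_CONFIG) reports the three defects in section order; a config that passes returns an empty list.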