From c3a8ca9d868c21a911d0bb6d3d1d2cb432828e08 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 27 Sep 2018 01:11:54 +0000
Subject: [PATCH] Added OAuth2 bridge, made configuration more portable
---
 .env | 1 +
 docker-compose.yml | 21 ++++++++++++++---
 jupyterhub/jupyterhub_config.py | 10 ++++----
 oauth2/config.js | 41 +++++++++++++++++++++++++++++++++
 reverse-proxy/traefik.toml | 6 +++--
 5 files changed, 69 insertions(+), 10 deletions(-)
 create mode 100644 .env
 create mode 100644 oauth2/config.js
diff --git a/.env b/.env
new file mode 100644
index 0000000..b750b32
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=jupyterhub
diff --git a/docker-compose.yml b/docker-compose.yml
index e8a09b3..e65ac87 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,22 +3,27 @@ version: '3'
 services:
 jupyterhub:
 build: jupyterhub
+ image: jupyterhub_img
 container_name: jupyterhub
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - jupyterhub_data:/srv/jupyterhub
 environment:
- DOCKER_JUPYTER_CONTAINER: root_jupyterlab
- DOCKER_NETWORK_NAME: root_default
+ DOCKER_JUPYTER_CONTAINER: jupyterlab_img
+ DOCKER_NETWORK_NAME: ${COMPOSE_PROJECT_NAME}_default
 HUB_IP: jupyterhub
 labels:
 - "traefik.enable=true"
- - "traefik.hub.frontend.rule=Host:jupyter.ens.uvsq.fr"
+ - "traefik.frontend.rule=Host:jupyter.ens.uvsq.fr"
 restart: on-failure
+
 jupyterlab:
 build: jupyterlab
+ image: jupyterlab_img
 container_name: jupyterlab-throaway
+ network_mode: none
 command: echo
+
 reverse-proxy:
 image: traefik
 container_name: reverse-proxy
@@ -32,5 +37,15 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock
 restart: on-failure
+ oauth2_server:
+ image: defeo/cas2oauth2bridge
+ container_name: c2o2b
+ volumes:
+ - ./oauth2/config.js:/home/node/config.js
+ labels:
+ - "traefik.enable=true"
+ - "traefik.frontend.rule=Host:jupyter.ens.uvsq.fr;PathPrefixStrip:/c2o2b/"
+ restart: on-failure
+
 volumes:
 jupyterhub_data:
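Review bot: `DOCKER_NETWORK_NAME: ${COMPOSE_PROJECT_NAME}_default` silently becomes `_default` when the variable is unset, and Compose only picks up the new `.env` when it is run from the project directory, so the wrong network name would presumably surface only when the hub tries to spawn a user container. Compose's required-variable form fails at parse time instead: `DOCKER_NETWORK_NAME: ${COMPOSE_PROJECT_NAME:?COMPOSE_PROJECT_NAME must be set in .env}_default`. The host `jupyter.ens.uvsq.fr` is still hard-coded in the Traefik label here, in the oauth2_server label of the next hunk, in jupyterhub_config.py and in oauth2/config.js; given the commit's portability goal, the labels could take it from `.env` too, e.g. `Host:${JUPYTER_HOST}` (variable name illustrative).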
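Review bot: `image: defeo/cas2oauth2bridge` carries no tag or digest, so each pull takes whatever the registry currently serves as `latest` for a container that sits on the authentication path; pin a tag or, better, a digest: `image: defeo/cas2oauth2bridge@sha256:<digest from the registry>`. The bind mount of the bridge configuration can be read-only, since nothing in the diff suggests the bridge writes to it: `- ./oauth2/config.js:/home/node/config.js:ro`. The service sets no `PORT` in an `environment:` block while the new oauth2/config.js reads `process.env.PORT`, so the image presumably provides a default; worth confirming, because an undefined port would only show up as a Traefik backend error.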
diff --git a/jupyterhub/jupyterhub_config.py b/jupyterhub/jupyterhub_config.py
index 5c1af77..687e1aa 100644
--- a/jupyterhub/jupyterhub_config.py
+++ b/jupyterhub/jupyterhub_config.py
@@ -8,8 +8,8 @@ from tornado.auth import OAuth2Mixin
 class UVSQMixin(OAuth2Mixin):
- _OAUTH_AUTHORIZE_URL = 'https://keats.prism.uvsq.fr/oauth2/login'
- _OAUTH_ACCESS_TOKEN_URL = 'https://keats.prism.uvsq.fr/oauth2/token'
+ _OAUTH_AUTHORIZE_URL = 'https://jupyter.ens.uvsq.fr/c2o2b/login'
+ _OAUTH_ACCESS_TOKEN_URL = 'https://jupyter.ens.uvsq.fr/c2o2b/token'
 class UVSQLoginHandler(OAuthLoginHandler, UVSQMixin): pass
@@ -17,10 +17,10 @@ class UVSQLoginHandler(OAuthLoginHandler, UVSQMixin):
 class UVSQAuthenticator(GenericOAuthenticator):
 login_service = 'UVSQ'
 login_handler = UVSQLoginHandler
- client_id = '1'
+ client_id = '0'
 client_secret = ''
- userdata_url = 'https://keats.prism.uvsq.fr/oauth2/userdata'
- token_url = 'https://keats.prism.uvsq.fr/oauth2/token'
+ userdata_url = 'https://jupyter.ens.uvsq.fr/c2o2b/userdata'
+ token_url = 'https://jupyter.ens.uvsq.fr/c2o2b/token'
 oauth_callback_url = 'https://jupyter.ens.uvsq.fr/hub/oauth_callback'
 c.JupyterHub.authenticator_class = UVSQAuthenticator
diff --git a/oauth2/config.js b/oauth2/config.js
new file mode 100644
index 0000000..935858e
--- /dev/null
+++ b/oauth2/config.js
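Review bot: The bridge base URL is now spelled out in four literals across UVSQMixin and UVSQAuthenticator (`_OAUTH_AUTHORIZE_URL`, `_OAUTH_ACCESS_TOKEN_URL` here, `userdata_url`/`token_url` in the next hunk), with `_OAUTH_ACCESS_TOKEN_URL` and `token_url` holding the same value; a single module-level constant, `C2O2B_URL = 'https://jupyter.ens.uvsq.fr/c2o2b'` followed by `_OAUTH_AUTHORIZE_URL = C2O2B_URL + '/login'` and the same for the other three, keeps the two classes from drifting apart. Since the same host is hard-coded in docker-compose.yml and oauth2/config.js as well, reading it from the environment (this file already runs inside the jupyterhub container, which receives `HUB_IP` that way) would match the commit's stated portability goal. Only the browser-facing authorize URL has to be the public address; the token and userdata calls are made by the hub itself and could reach the bridge over the compose network instead of hairpinning through Traefik, though whether the bridge accepts that depends on how it uses `appURL`, which I cannot confirm from here.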
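Review bot: `client_id = '0'` together with the unchanged `client_secret = ''` matches the `"0": { secret: null, ... }` entry in the new oauth2/config.js, so the hub's code-for-token exchange at `token_url` is not authenticated at all, and with the token endpoint published through Traefik on the public host, client authentication is the one thing that ties a redeemed authorization code to this hub. Generate a secret (`secrets.token_hex(32)` in Python or `openssl rand -hex 32`), put it in config.js, and load it here from the environment rather than committing it: `client_secret = os.environ['OAUTH_CLIENT_SECRET']` (variable name illustrative; `os` needs importing if the file does not already do so). The config.js hunk carries the matching `secret: null`, so the two should change together.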
@@ -0,0 +1,41 @@
+module.exports = {
+ // The URL where the OAuth2 server will respond
+ appURL: "https://jupyter.ens.uvsq.fr/c2o2b",
+ // The port to bind to
+ port: process.env.PORT,
+
+ // The endpoints of the CAS server (v1.0) to authenticate to
+ cas: {
+ entryPoint: "https://cas.uvsq.fr/login",
+ validate: "https://cas.uvsq.fr/serviceValidate",
+ },
+ // The endpoint of the SAML server (v2.0) to authenticate to
+ saml: {
+ entryPoint: "https://cas.uvsq.fr/login",
+ issuer: "cas2oauth2bridge",
+ },
+
+ // The cipher used to encrypt cookies
+ crypto: {
+ // Authenticated encryption mode
+ algorithm: "aes-256-gcm",
+ // If initialized to zero, like here, a random key will be
+ // generated at startup (hence, cookies will not survive
+ // reboot).
+ key: Buffer.alloc(32),
+ ivlen: 16,
+ },
+
+ // Definition of the services
+ oauth: {
+ // Expiration time of authentication cookies
+ tokenLifetime: 24*60*60,
+ // The services allowed to authenticate to this server
+ clients: {
+ "0": {
+ secret: null,
+ redirectUri: new RegExp('^https://jupyter\\.ens\\.uvsq\\.fr/'),
+ },
+ },
+ },
+}
diff --git a/reverse-proxy/traefik.toml b/reverse-proxy/traefik.toml
index f77dab1..b4bd4e0 100644
--- a/reverse-proxy/traefik.toml
+++ b/reverse-proxy/traefik.toml
@@ -1,4 +1,4 @@
-debug = false
+debug = true
 logLevel = "ERROR"
 defaultEntryPoints = ["https","http"]
@@ -17,6 +17,8 @@ defaultEntryPoints = ["https","http"]
 [docker]
 domain = "docker.local"
-#watch = true
+watch = true
 [api]
+ [api.statistics]
+ recentErrors = 10
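Review bot: `redirectUri: new RegExp('^https://jupyter\\.ens\\.uvsq\\.fr/')` accepts any path on the host, whereas the only legitimate callback is `https://jupyter.ens.uvsq.fr/hub/oauth_callback` (the `oauth_callback_url` in jupyterhub_config.py); on a JupyterHub host that presumably also serves user-controlled single-user servers under other paths, a prefix match lets an authorization code be delivered to a page the hub never asked for. Anchor the pattern to the exact callback, as OAuth2 redirect-URI matching is meant to be: `redirectUri: new RegExp('^https://jupyter\\.ens\\.uvsq\\.fr/hub/oauth_callback$'),`. The `crypto.key` comment already documents that cookies are lost on every restart of the bridge, which matters more now that docker-compose.yml runs it with `restart: on-failure`; a line in the README would save the next operator a surprise.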
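Review bot: `debug = true` in the committed proxy config turns on Traefik's debug output for the ingress that now carries the OAuth2 login, token and callback requests; if that level records request URLs, the authorization `code` query parameter on `/hub/oauth_callback` (and whatever ticket the CAS side returns through the bridge) would end up in the proxy logs. If this was a temporary diagnostic it should be reverted before merge, leaving `logLevel = "ERROR"` on the next line (which the debug flag presumably overrides) as the effective setting. The second hunk's `watch = true` and `[api.statistics]` are fine as they stand.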