Config¶
- pydantic settings gafaelfawr.config.Config¶
Configuration for Gafaelfawr.
- Parameters:
data (
Any)- Fields:
- Validators:
_validate_bootstrap_token»bootstrapToken_validate_initial_admins»initialAdmins_validate_known_scopes»knownScopes_validate_optional»all fields_validate_scopes»all fields_validate_token_lifetime»tokenLifetime_validate_userinfo»all fields
- field afterLogoutUrl: HttpUrl [Required] (name 'after_logout_url')¶
Default URL to which to send the user after logging out
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field allowSubdomains: bool = False (name 'allow_subdomains')¶
Allow authenticated ingresses in subdomains of the base URL. This requires use of domain-scoped cookies instead of host cookies and therefore requires every subdomain of the domain in the base URL be under the full control of Gafaelfawr. Otherwise, enabling this may cause cookies to leak and compromise the security of the protected applications.
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field baseInternalUrl: HttpUrl [Required] (name 'base_internal_url')¶
Base URL for internal-only routes such as
/ingress/auth- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field baseUrl: HttpUrl [Required] (name 'base_url')¶
Base URL for user-facing routes such as
/login- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field bootstrapToken: SecretStr [Required] (name 'bootstrap_token')¶
File containing the bootstrap authentication token. This token can be used with specific routes in the admin API to change the list of admins and create service and user tokens.
- Validated by:
_validate_bootstrap_token_validate_optional_validate_scopes_validate_userinfo
- field cilogon: CILogonConfig | None = None¶
Configuration for the CILogon authentication provider
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field databasePassword: SecretStr [Required] (name 'database_password')¶
Password for the PostgreSQL database
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field databaseUrl: EnvAsyncPostgresDsn [Required] (name 'database_url')¶
DSN for the PostgreSQL database
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field enableSentry: bool = False (name 'enable_sentry')¶
Send trace and telemetry information to Sentry if the Sentry environment variables are set
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
HTML to add (inside
<p>) to login error pages- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field firestore: FirestoreConfig | None = None¶
Configuration for UID/GID allocation using Firestore
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field github: GitHubConfig | None = None¶
Configuration for the GitHub authentication provider
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field groupMapping: dict[str, list[str | GitHubGroup]] = {} (name 'group_mapping')¶
Mappings of scopes to lists of groups that provide them
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field initialAdmins: list[str] = [] (name 'initial_admins')¶
List of usernames to mark as admins during database initialization
- Validated by:
_validate_initial_admins_validate_optional_validate_scopes_validate_userinfo
- field internalDatabase: bool = False (name 'internal_database')¶
Whether to use a cluster-internal database. This setting is only used by Helm, not by Gafaelfawr itself.
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field knownScopes: dict[str, str] = {} (name 'known_scopes')¶
Known scopes (the keys) and their descriptions (the values)
- Validated by:
_validate_known_scopes_validate_optional_validate_scopes_validate_userinfo
- field ldap: LDAPConfig | None = None¶
Configuration for retrieving user information from LDAP
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field logLevel: LogLevel = LogLevel.INFO (name 'log_level')¶
Python logging level
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field metrics: MetricsConfiguration [Required]¶
Configuration for reporting metrics to Kafka
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field oidc: OIDCConfig | None = None¶
Configuration for the OpenID Connect authentication provider
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field oidcServer: OIDCServerConfig | None = None (name 'oidc_server')¶
Configuration for Gafaelfawr’s internal OpenID Connect server
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field proxies: list[IPv4Network | IPv6Network] | None = None¶
If this is set to a non-empty list, it will be used as the trusted list of proxies when parsing the
X-Forwarded-ForHTTP header in incoming requests. IP addresses from that header will be discarded from the right side when they are within a netblock in this list until a non-matching IP is reached or there is only one IP left, and then that IP will be used as the remote IP for logging purposes. This allows logging of accurate client IP addresses.- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field quota: QuotaConfig | None = None¶
Rules for assigning quota to users
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field redisEphemeralUrl: EnvRedisDsn [Required] (name 'redis_ephemeral_url')¶
DSN for the Redis server that stores ephemeral data
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field redisPassword: SecretStr | None = None (name 'redis_password')¶
Password for both Redis servers
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field redisPersistentUrl: EnvRedisDsn [Required] (name 'redis_persistent_url')¶
DSN for the Redis server that stores tokens
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field sessionSecret: SecretStr [Required] (name 'session_secret')¶
Fernet encryption key used for session cookie and store
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field slackAlerts: bool = False (name 'slack_alerts')¶
Whether to enable Slack alerts. If true,
slack_webhookmust also be set.- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field slackWebhook: SecretStr | None = None (name 'slack_webhook')¶
If set, alerts will be posted to this Slack webhook
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- field tokenLifetime: HumanTimedelta = datetime.timedelta(days=30) (name 'token_lifetime')¶
Lifetime of newly-created session tokens
- Validated by:
_validate_optional_validate_scopes_validate_token_lifetime_validate_userinfo
- field updateSchema: bool = False (name 'update_schema')¶
This setting is interpreted by Helm and triggers a SQL schema update via a Helm hook. It is not used by Gafaelfawr directly.
- Validated by:
_validate_optional_validate_scopes_validate_userinfo
- classmethod from_file(path)¶
Construct a Config object from a configuration file.
- get_scopes_for_group(group)¶
Return the scopes granted by a given group membership.
- is_hostname_allowed(hostname)¶
Check whether a hostname is within the Gafaelfawr domain.
Numerous places in Gafaelfawr want to allow only hostnames that fall within the base domain of Gafaelfawr. If subdomains are disabled, the hostname must match the base hostname exactly. If subdomains are allowed, the hostname must be a subdomain of that base domain.
- model_post_init(context, /)¶
This function is meant to behave like a BaseModel method to initialise private attributes.
It takes context as an argument since that’s what pydantic-core passes when calling it.
- Args:
self: The BaseModel instance. context: The context.
- property cookie_parameters: CookieParameters¶
Parameters to pass to
fastapi.Response.set_cookie.