From 1b4c8adaeb69b845e0291eeb8e0948613fb8da71 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 26 Oct 2024 00:23:18 +0000
Subject: [PATCH 1/4] build(deps): bump werkzeug in /FastapiOpenRestyConfigurator
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.3 to 3.0.6.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/3.0.3...3.0.6)
---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
FastapiOpenRestyConfigurator/requirements.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/FastapiOpenRestyConfigurator/requirements.txt b/FastapiOpenRestyConfigurator/requirements.txt
index 5443a83..aa4122a 100644
--- a/FastapiOpenRestyConfigurator/requirements.txt
+++ b/FastapiOpenRestyConfigurator/requirements.txt
@@ -1,6 +1,6 @@
 fastapi==0.115.0
 uvicorn==0.30.6
-werkzeug==3.0.3
+werkzeug==3.0.6
 Jinja2==3.1.4
 python-dotenv==1.0.1
 gunicorn==23.0.0
From 018b2d0c820aaeedf4ab8baf22a3d27c95218bc0 Mon Sep 17 00:00:00 2001
From: dweinholz
Date: Tue, 12 Nov 2024 15:11:03 +0100
Subject: [PATCH 2/4] feat(Forc):added option to run service without https in local network
---
.../roles/forc_api/templates/nginx.conf.j2 | 47 +++++++++++--------
ansible/roles/forc_api/vars/main.yml | 5 ++
2 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/ansible/roles/forc_api/templates/nginx.conf.j2 b/ansible/roles/forc_api/templates/nginx.conf.j2
index 1ca40a0..ce0fe40 100644
--- a/ansible/roles/forc_api/templates/nginx.conf.j2
+++ b/ansible/roles/forc_api/templates/nginx.conf.j2
@@ -50,26 +50,33 @@ http {
- server {
- listen {{ FORC_SERVICE_PORT }} ssl http2;
- ssl_certificate /etc/letsencrypt/live/{{ DOMAIN }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ DOMAIN }}/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers on;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Referrer-Policy 'strict-origin';
- ssl_stapling on;
- ssl_stapling_verify on;
-
- location / {
- proxy_pass http://unix:/var/run/forc.sock;
- }
-
- }
+ {{ if FORC_SERVICE_USE_HTTPS }}
+server {
+ listen {{ FORC_SERVICE_PORT }} ssl http2;
+ ssl_certificate /etc/letsencrypt/live/{{ DOMAIN }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ DOMAIN }}/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy 'strict-origin';
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ location / {
+ proxy_pass http://unix:/var/run/forc.sock;
+ }
+}
+{{ else }}
+server {
+ listen {{ FORC_LOCAL_NETWORK }}:{{ FORC_SERVICE_PORT }};
+ location / {
+ proxy_pass http://unix:/var/run/forc.sock;
+ }
+}
+{{ end }}
 server {
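Review bot: The new conditional is written as `{{ if FORC_SERVICE_USE_HTTPS }}`, `{{ else }}` and `{{ end }}`, but `{{ … }}` is a Jinja2 expression, not a statement, so this template raises a syntax error at render time and the role cannot deploy from this commit; the statement form is `{% if FORC_SERVICE_USE_HTTPS %}` … `{% else %}` … `{% endif %}`. PATCH 3/4 in the same series makes exactly that correction, so 2/4 and 3/4 should be squashed rather than leaving a non-rendering commit in history. The else branch also uses `listen {{ FORC_LOCAL_NETWORK }}:{{ FORC_SERVICE_PORT }};`, and nginx's `listen` takes a bind address, not a network, so a CIDR value would fail `nginx -t`; if the variable is meant to restrict callers, that belongs in an `allow {{ FORC_LOCAL_NETWORK }}; deny all;` pair, not in `listen`.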
diff --git a/ansible/roles/forc_api/vars/main.yml b/ansible/roles/forc_api/vars/main.yml
index 3ebb28d..a51d4c1 100644
--- a/ansible/roles/forc_api/vars/main.yml
+++ b/ansible/roles/forc_api/vars/main.yml
@@ -30,6 +30,11 @@ FORC_TEMPLATE_PATH: "/var/forc/template_path/"
 # The Port on which OpenResty will bind forc to.
 FORC_SERVICE_PORT: 5000
+# If Forc Service will use HTTPs -- if not FORC_LOCAL_NETWORK must be provided
+FORC_SERVICE_USE_HTTPS: true
+
+#IF Forc Service does not use https needs to provided to allow requests from this specific network
+FORC_LOCAL_NETWORK: ""
 # Set this to no if you don't use certbot for autogenerating ssl certs.
 CERTBOT_USED: "yes"
From 7ae7022b656b35f608e25af4f41939db385f6589 Mon Sep 17 00:00:00 2001
From: dweinholz
Date: Tue, 12 Nov 2024 15:23:46 +0100
Subject: [PATCH 3/4] updated tempalte
---
.../roles/forc_api/templates/nginx.conf.j2 | 55 ++++++++++++-------
1 file changed, 35 insertions(+), 20 deletions(-)
diff --git a/ansible/roles/forc_api/templates/nginx.conf.j2 b/ansible/roles/forc_api/templates/nginx.conf.j2
index ce0fe40..26f6138 100644
--- a/ansible/roles/forc_api/templates/nginx.conf.j2
+++ b/ansible/roles/forc_api/templates/nginx.conf.j2
@@ -50,33 +50,48 @@ http {
- {{ if FORC_SERVICE_USE_HTTPS }}
-server {
- listen {{ FORC_SERVICE_PORT }} ssl http2;
- ssl_certificate /etc/letsencrypt/live/{{ DOMAIN }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ DOMAIN }}/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers on;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Referrer-Policy 'strict-origin';
- ssl_stapling on;
- ssl_stapling_verify on;
- location / {
- proxy_pass http://unix:/var/run/forc.sock;
+
+ {% if FORC_SERVICE_USE_HTTPS %}
+ server {
+ listen {{ FORC_SERVICE_PORT }} ssl http2;
+ ssl_certificate /etc/letsencrypt/live/{{ DOMAIN }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ DOMAIN }}/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ location / {
+ access_by_lua_block {
+ -- Start actual openid authentication procedure
+ local res, err = require("resty.openidc").authenticate(opts2)
+ -- If it fails for some reason, escape via HTTP 500
+ if err then
+ ngx.status = 500
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+ end
+
+ ngx.req.set_header("X-Auth-Audience", res.id_token.aud)
+ ngx.req.set_header("X-Auth-Email", res.id_token.email)
+ ngx.req.set_header("X-Auth-ExpiresIn", res.id_token.exp)
+ ngx.req.set_header("X-Auth-Name", res.id_token.name)
+ ngx.req.set_header("X-Auth-Subject", res.id_token.sub)
+ ngx.req.set_header("X-Auth-Userid", res.id_token.preferred_username)
+ ngx.req.set_header("X-Auth-Username", res.id_token.preferred_username)
+ ngx.req.set_header("X-Auth-Locale", res.id_token.locale)
+ }
-}
-{{ else }}
+ }
+
+ }
+ {% else %}
 server {
 listen {{ FORC_LOCAL_NETWORK }}:{{ FORC_SERVICE_PORT }};
 location / {
 proxy_pass http://unix:/var/run/forc.sock;
 }
 }
-{{ end }}
+ {% endif %}
 server {
From 44d87175ca855d178aa819bb477e79a8c76fa5dc Mon Sep 17 00:00:00 2001
From: dweinholz
Date: Tue, 12 Nov 2024 15:29:16 +0100
Subject: [PATCH 4/4] updated tempalte
---
ansible/roles/forc_api/templates/nginx.conf.j2 | 2 +-
ansible/roles/forc_api/vars/main.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/forc_api/templates/nginx.conf.j2 b/ansible/roles/forc_api/templates/nginx.conf.j2
index 26f6138..559cba7 100644
--- a/ansible/roles/forc_api/templates/nginx.conf.j2
+++ b/ansible/roles/forc_api/templates/nginx.conf.j2
@@ -86,7 +86,7 @@ http {
 }
 {% else %}
 server {
- listen {{ FORC_LOCAL_NETWORK }}:{{ FORC_SERVICE_PORT }};
+ listen {{ FORC_LOCAL_IP }}:{{ FORC_SERVICE_PORT }};
 location / {
 proxy_pass http://unix:/var/run/forc.sock;
 }
diff --git a/ansible/roles/forc_api/vars/main.yml b/ansible/roles/forc_api/vars/main.yml
index a51d4c1..7ed8fc9 100644
--- a/ansible/roles/forc_api/vars/main.yml
+++ b/ansible/roles/forc_api/vars/main.yml
@@ -33,8 +33,8 @@ FORC_SERVICE_PORT: 5000
 # If Forc Service will use HTTPs -- if not FORC_LOCAL_NETWORK must be provided
 FORC_SERVICE_USE_HTTPS: true
-#IF Forc Service does not use https needs to provided to allow requests from this specific network
-FORC_LOCAL_NETWORK: ""
+#IF Forc Service does not use https needs to provided to allow requests only for the local reachable ip
+FORC_LOCAL_IP: ""
 # Set this to no if you don't use certbot for autogenerating ssl certs.
 CERTBOT_USED: "yes"
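Review bot: In the rewritten HTTPS branch the `location /` block now holds only the `access_by_lua_block` and no `proxy_pass` — the old `- proxy_pass http://unix:/var/run/forc.sock;` is removed and never re-added (the hunk's 35 added lines contain no proxy_pass) — so a request that passes OpenID authentication is served from nginx's default root instead of reaching forc; `proxy_pass http://unix:/var/run/forc.sock;` must follow the Lua block. The same rewrite silently drops `ssl_prefer_server_ciphers on;` and the Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and Referrer-Policy `add_header` lines, none of which the commit message ("updated tempalte") mentions; if losing HSTS on the TLS listener is intended it should be stated, otherwise those lines should be restored. `ngx.say(err)` writes the resty.openidc error text straight to the client, which can disclose IdP endpoints or configuration; log it with `ngx.log(ngx.ERR, …)` and return a bare 500. `opts2` is not defined anywhere in this hunk, so it presumably comes from an `init_by_lua` block earlier in the `http {` section, which starts before line 50 and is outside this view — worth confirming it is defined when `FORC_SERVICE_USE_HTTPS` is true.

```nginx
        location / {
            access_by_lua_block {
                local res, err = require("resty.openidc").authenticate(opts2)
                if err then
                    -- keep the detail server-side; the client only sees a generic 500
                    ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
                -- … unchanged: X-Auth-* set_header calls …
            }
            # without this the authenticated request is never forwarded to forc
            proxy_pass http://unix:/var/run/forc.sock;
        }
```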
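Review bot: `listen {{ FORC_LOCAL_IP }}:{{ FORC_SERVICE_PORT }};` only selects the interface nginx binds to; it does not restrict which clients may connect, yet the vars comment introduced alongside it says the value is there "to allow requests only for the local reachable ip". Any host that can route to that address reaches the forc socket with no authentication at all, because this branch has no `access_by_lua_block`; if the intent is a local-network-only service, add an explicit `allow <cidr>; deny all;` (the `FORC_LOCAL_NETWORK` variable PATCH 2/4 added was the natural carrier for that CIDR and could be kept alongside `FORC_LOCAL_IP`). The HTTPS branch sets `X-Auth-Userid`, `X-Auth-Subject` and the other `X-Auth-*` request headers from the verified id_token, which suggests the backend trusts them; on this unauthenticated path a client can send those headers itself unless they are blanked with `proxy_set_header X-Auth-Userid "";` and friends before `proxy_pass` — confirm against the forc API whether it honours them. The `server` block's closing brace is outside this hunk.

```nginx
server {
    listen {{ FORC_LOCAL_IP }}:{{ FORC_SERVICE_PORT }};
    # listen only picks the bind address; restrict callers explicitly
    # (FORC_LOCAL_NETWORK as a CIDR would need to be reintroduced in vars/main.yml)
    allow {{ FORC_LOCAL_NETWORK }};
    deny all;
    location / {
        # no OIDC step on this path: never forward client-supplied identity headers
        proxy_set_header X-Auth-Audience "";
        proxy_set_header X-Auth-Email "";
        proxy_set_header X-Auth-ExpiresIn "";
        proxy_set_header X-Auth-Name "";
        proxy_set_header X-Auth-Subject "";
        proxy_set_header X-Auth-Userid "";
        proxy_set_header X-Auth-Username "";
        proxy_set_header X-Auth-Locale "";
        proxy_pass http://unix:/var/run/forc.sock;
    }
```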
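Review bot: The context line `# If Forc Service will use HTTPs -- if not FORC_LOCAL_NETWORK must be provided` still names the variable this commit renames to `FORC_LOCAL_IP`, so the two comments now contradict each other; suggest `# Whether the Forc service is served over HTTPS. If false, FORC_LOCAL_IP must be set.` and, for the new line, `# IP address nginx binds the plain-HTTP Forc listener to when FORC_SERVICE_USE_HTTPS is false. Binding alone does not restrict callers.` With the default `FORC_LOCAL_IP: ""` the template renders `listen :5000;`, which nginx will not accept, so the role should either ship a safe default such as `127.0.0.1` or assert the value is non-empty when HTTPS is disabled (the role's tasks are not visible here).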