enhance: add option to disable bootstrap user (#1368)

Signed-off-by: Grant Linville <[email protected]>

Author: g-linville

chart/templates/deployment.yaml

@@ -79,6 +79,8 @@ spec:
                   name: {{ include "obot.config.secretName" . }}
                   key: githubAuthToken
             {{- end }}
+            - name: "OBOT_SERVER_ENABLE_BOOTSTRAP_USER"
+              value: "{{ .Values.config.obotServerEnableBootstrapUser }}"
             {{- if .Values.config.obotServerAuthAdminEmails }}
             - name: "OBOT_SERVER_AUTH_ADMIN_EMAILS"
               valueFrom:

chart/values.yaml

@@ -58,8 +58,10 @@ config:
   awsRegion: ""
   awsSecretAccessKey: ""
   baaahThreadiness: "20"
+
   githubAuthToken: ""
   obotServerEnableAuthentication: true
+  obotServerEnableBootstrapUser: true
   obotBootstrapToken: ""
   obotServerAuthAdminEmails: ""
   obotServerDSN: ""

docs/docs/05-configuration/03-auth-providers.md

@@ -43,3 +43,10 @@ Obot currently supports the following authentication providers (using OAuth2):
 - Google
 
 The code for these providers is available in the [Obot tools repo](https://github.com/obot-platform/tools).
+
+## Disabling the Bootstrap User
+
+If you do not want to be able to log in as the bootstrap user, you can set the `OBOT_SERVER_ENABLE_BOOTSTRAP_USER` environment variable to `false`.
+This will prevent you from logging in as the bootstrap user.
+When you first run Obot, do not set this environment variable, because you need to be able to use the bootstrap user to set up the first auth provider.
+Once that is done, you can restart the server and set this environment variable if you would like.

pkg/bootstrap/bootstrap.go

@@ -1,6 +1,7 @@
 package bootstrap
 
 import (
+	"context"
 	"crypto/rand"
 	"fmt"
 	"net/http"
@@ -11,22 +12,25 @@ import (
 	"github.com/obot-platform/obot/pkg/api"
 	"github.com/obot-platform/obot/pkg/api/authz"
 	"github.com/obot-platform/obot/pkg/gateway/client"
+	"github.com/obot-platform/obot/pkg/gateway/server/dispatcher"
 	"github.com/obot-platform/obot/pkg/gateway/types"
+	"github.com/obot-platform/obot/pkg/system"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
 const bootstrapCookie = "obot-bootstrap"
 
 type Bootstrap struct {
-	token, serverURL string
-	gatewayClient    *client.Client
+	enableBootstrapUser bool
+	token, serverURL    string
+	gatewayClient       *client.Client
 }
 
-func New(serverURL string, c *client.Client) (*Bootstrap, error) {
+func New(ctx context.Context, enableBootstrapUser bool, serverURL string, c *client.Client, d *dispatcher.Dispatcher) (*Bootstrap, error) {
 	token := os.Getenv("OBOT_BOOTSTRAP_TOKEN")
 
-	if token == "" {
+	if token == "" && enableBootstrapUser {
 		bytes := make([]byte, 32)
 		_, err := rand.Read(bytes)
 		if err != nil {
@@ -37,16 +41,26 @@ func New(serverURL string, c *client.Client) (*Bootstrap, error) {
 
 		// We deliberately only print the token if it was not provided by the user.
 		fmt.Printf("Bootstrap token: %s\nUse this token to log in to the Admin UI.\n", token)
+	} else if !enableBootstrapUser {
+		configuredAuthProviders, err := d.ListConfiguredAuthProviders(ctx, system.DefaultNamespace)
+		if err == nil && len(configuredAuthProviders) == 0 {
+			fmt.Printf("WARNING: Bootstrap user is disabled, and no auth providers are configured. You will be unable to log in to Obot.\n")
+		}
 	}
 
 	return &Bootstrap{
-		token:         token,
-		serverURL:     serverURL,
-		gatewayClient: c,
+		enableBootstrapUser: enableBootstrapUser,
+		token:               token,
+		serverURL:           serverURL,
+		gatewayClient:       c,
 	}, nil
 }
 
 func (b *Bootstrap) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	if !b.enableBootstrapUser {
+		return nil, false, nil
+	}
+
 	authHeader := req.Header.Get("Authorization")
 	if authHeader == "" {
 		// Check for the cookie.
@@ -80,6 +94,11 @@ func (b *Bootstrap) AuthenticateRequest(req *http.Request) (*authenticator.Respo
 }
 
 func (b *Bootstrap) Login(req api.Context) error {
+	if !b.enableBootstrapUser {
+		http.Error(req.ResponseWriter, "invalid token", http.StatusUnauthorized)
+		return nil
+	}
+
 	auth := req.Request.Header.Get("Authorization")
 	if auth == "" {
 		http.Error(req.ResponseWriter, "missing Authorization header", http.StatusBadRequest)

pkg/services/config.go

@@ -66,6 +66,7 @@ type Config struct {
 	EnvKeys                    []string `usage:"The environment keys to pass through to the GPTScript server" env:"OBOT_ENV_KEYS"`
 	KnowledgeSetIngestionLimit int      `usage:"The maximum number of files to ingest into a knowledge set" default:"3000" env:"OBOT_KNOWLEDGESET_INGESTION_LIMIT" name:"knowledge-set-ingestion-limit"`
 	EnableAuthentication       bool     `usage:"Enable authentication" default:"false"`
+	EnableBootstrapUser        bool     `usage:"Enables the bootstrap user, regardless of configured auth providers" default:"true"`
 	AuthAdminEmails            []string `usage:"Emails of admin users"`
 
 	// Sendgrid webhook
@@ -305,7 +306,7 @@ func New(ctx context.Context, config Config) (*Services, error) {
 		proxyManager *proxy.Manager
 	)
 
-	bootstrapper, err := bootstrap.New(config.Hostname, gatewayClient)
+	bootstrapper, err := bootstrap.New(ctx, config.EnableBootstrapUser, config.Hostname, gatewayClient, providerDispatcher)
 	if err != nil {
 		return nil, err
 	}