[Feature] Sso Backend support

dinky-admin/pom.xml

@@ -32,7 +32,11 @@
 
     <properties>
         <expand.scope>provided</expand.scope>
+        <!-- Pac4j 4.x for jdk 8 -->
+        <pac4j.version>4.2.0</pac4j.version>
         <postgresql.version>42.5.1</postgresql.version>
+        <spring-webmvc-pac4j.version>4.0.1</spring-webmvc-pac4j.version>
+
     </properties>
 
     <dependencies>
@@ -59,6 +63,44 @@
             <groupId>org.xerial</groupId>
             <artifactId>sqlite-jdbc</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.pac4j</groupId>
+            <artifactId>pac4j-springboot</artifactId>
+            <version>${pac4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-web</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-to-slf4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.pac4j</groupId>
+            <artifactId>spring-webmvc-pac4j</artifactId>
+            <version>${spring-webmvc-pac4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-webmvc</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-aop</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.mitre.dsmiley.httpproxy</groupId>
             <artifactId>smiley-http-proxy-servlet</artifactId>

dinky-admin/src/main/java/org/dinky/configure/AppConfig.java

@@ -25,8 +25,17 @@
 
 import java.util.Locale;
 
+import org.pac4j.core.config.Config;
+import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
+import org.pac4j.springframework.annotation.AnnotationConfig;
+import org.pac4j.springframework.component.ComponentConfig;
+import org.pac4j.springframework.web.SecurityInterceptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@@ -36,14 +45,23 @@
 import cn.dev33.satoken.interceptor.SaInterceptor;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
+import lombok.extern.slf4j.Slf4j;
 
 /**
  * AppConfiguration
  *
  * @since 2021/11/28 19:35
  */
 @Configuration
+@Slf4j
+@Import({ComponentConfig.class, AnnotationConfig.class})
+@ComponentScan(basePackages = "org.pac4j.springframework.web")
 public class AppConfig implements WebMvcConfigurer {
+    @Autowired
+    private Config config;
+
+    @Value("${sso.enabled:false}")
+    private boolean ssoEnabled;
     /**
      * Cookie
      *
@@ -86,11 +104,22 @@ public void addInterceptors(InterceptorRegistry registry) {
                 }))
                 .addPathPatterns("/api/**", "/openapi/**")
                 .excludePathPatterns(
-                        "/api/login", "/api/ldap/ldapEnableStatus", "/download/**", "/druid/**", "/api/version");
-
+                        "/api/sso/ssoEnableStatus",
+                        "/api/login",
+                        "/api/ldap/ldapEnableStatus",
+                        "/download/**",
+                        "/druid/**",
+                        "/api/version");
+        if (ssoEnabled) {
+            log.info("Load{}", config.getClients().getClients().get(0).getName());
+            registry.addInterceptor(buildInterceptor(
+                            config.getClients().getClients().get(0).getName()))
+                    .addPathPatterns("/api/sso/login")
+                    .addPathPatterns("/api/sso/token");
+        }
         registry.addInterceptor(new TenantInterceptor())
                 .addPathPatterns("/api/**")
-                .excludePathPatterns("/api/login", "/api/ldap/ldapEnableStatus")
+                .excludePathPatterns("/api/sso/ssoEnableStatus", "/api/login", "/api/ldap/ldapEnableStatus")
                 .addPathPatterns("/api/alertGroup/**")
                 .addPathPatterns("/api/alertHistory/**")
                 .addPathPatterns("/api/alertInstance/**")
@@ -110,4 +139,8 @@ public void addInterceptors(InterceptorRegistry registry) {
                 .addPathPatterns("/api/git/**")
                 .addPathPatterns("/api/jar/*");
     }
+
+    private SecurityInterceptor buildInterceptor(final String client) {
+        return new SecurityInterceptor(config, client, JEEHttpActionAdapter.INSTANCE);
+    }
 }

dinky-admin/src/main/java/org/dinky/controller/SsoController.java

@@ -0,0 +1,111 @@
+/*
+ *
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package org.dinky.controller;
+
+import org.dinky.data.dto.LoginDTO;
+import org.dinky.data.dto.UserDTO;
+import org.dinky.data.enums.Status;
+import org.dinky.data.exception.AuthException;
+import org.dinky.data.result.Result;
+import org.dinky.service.UserService;
+
+import java.util.List;
+
+import javax.annotation.PostConstruct;
+
+import org.pac4j.core.config.Config;
+import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.ProfileManager;
+import org.pac4j.springframework.web.CallbackController;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.RedirectView;
+
+import cn.dev33.satoken.annotation.SaIgnore;
+import io.swagger.annotations.ApiOperation;
+import lombok.NoArgsConstructor;
+
+/**
+ * @author 杨泽翰
+ */
+@RestController
+@NoArgsConstructor
+@RequestMapping("/api/sso")
+public class SsoController {
+    @Value("${sso.redirect}")
+    private String redirect;
+
+    @Value("${sso.enabled:false}")
+    private Boolean ssoEnabled;
+
+    @Value("${pac4j.properties.principalNameAttribute:#{null}}")
+    private String principalNameAttribute;
+
+    @Autowired
+    private Config config;
+
+    @Autowired
+    CallbackController callbackController;
+
+    @Autowired
+    private ProfileManager profileManager;
+
+    @Autowired
+    private UserService userService;
+
+    @PostConstruct
+    protected void afterPropertiesSet() {
+        callbackController.setDefaultUrl(redirect);
+        callbackController.setConfig(config);
+    }
+
+    @GetMapping("/token")
+    public Result<UserDTO> ssoToken() throws AuthException {
+        if (!ssoEnabled) {
+            return Result.failed(Status.SINGLE_LOGIN_DISABLED);
+        }
+        List<CommonProfile> all = profileManager.getAll(true);
+        String username = all.get(0).getAttribute(principalNameAttribute).toString();
+        if (username == null) {
+            throw new AuthException(Status.NOT_MATCHED_PRINCIPAL_NAME_ATTRIBUTE);
+        }
+        LoginDTO loginDTO = new LoginDTO();
+        loginDTO.setUsername(username);
+        loginDTO.setSsoLogin(true);
+        return userService.loginUser(loginDTO);
+    }
+
+    @GetMapping("/login")
+    public ModelAndView ssoLogin() {
+        RedirectView redirectView = new RedirectView(redirect);
+        return new ModelAndView(redirectView);
+    }
+
+    @GetMapping("/ssoEnableStatus")
+    @SaIgnore
+    @ApiOperation("Get SSO enable status")
+    public Result<Boolean> ssoStatus() {
+        return Result.succeed(ssoEnabled);
+    }
+}

dinky-admin/src/main/java/org/dinky/data/dto/LoginDTO.java

@@ -19,6 +19,8 @@
 
 package org.dinky.data.dto;
 
+import org.dinky.data.enums.UserType;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Getter;
@@ -48,4 +50,18 @@ public class LoginDTO {
 
     @ApiModelProperty(value = "ldapLogin", required = true, example = "false", dataType = "Boolean")
     private boolean ldapLogin;
+
+    @ApiModelProperty(value = "ssoLogin", required = true, example = "false", dataType = "Boolean")
+    private boolean ssoLogin;
+
+    public UserType getLoginType() {
+        if (isLdapLogin()) {
+            return UserType.LDAP;
+        }
+        if (isSsoLogin()) {
+            return UserType.SSO;
+        }
+
+        return UserType.LOCAL;
+    }
 }

dinky-admin/src/main/java/org/dinky/service/impl/UserServiceImpl.java

@@ -63,6 +63,7 @@
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.stream.Collectors;
 
+import org.pac4j.core.profile.ProfileManager;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -86,6 +87,7 @@
 @RequiredArgsConstructor
 @Slf4j
 public class UserServiceImpl extends SuperServiceImpl<UserMapper, User> implements UserService {
+    private final ProfileManager profileManager;
 
     private static final String DEFAULT_PASSWORD = "123456";
 
@@ -177,9 +179,19 @@ public Boolean removeUser(Integer id) {
     @Override
     public Result<UserDTO> loginUser(LoginDTO loginDTO) {
         User user = null;
+
         try {
-            // Determine the login method (LDAP or local) based on the flag in loginDTO
-            user = loginDTO.isLdapLogin() ? ldapLogin(loginDTO) : localLogin(loginDTO);
+
+            switch (loginDTO.getLoginType()) {
+                case LDAP:
+                    user = ldapLogin(loginDTO);
+                    break;
+                case SSO:
+                    user = ssoLogin(loginDTO);
+                    break;
+                default:
+                    user = localLogin(loginDTO);
+            }
         } catch (AuthException e) {
             // Handle authentication exceptions and return the corresponding error status
             return Result.authorizeFailed(e.getStatus());
@@ -210,6 +222,36 @@ public Result<UserDTO> loginUser(LoginDTO loginDTO) {
         return Result.succeed(userInfo, Status.LOGIN_SUCCESS);
     }
 
+    private User ssoLogin(LoginDTO loginDTO) throws AuthException {
+        // Get user from local database by username
+        User user = getUserByUsername(loginDTO.getUsername());
+        if (Asserts.isNull(user)) {
+            // User doesn't exist,Create a user
+            // Get default tenant from system configuration
+            String defaultTeantCode =
+                    SystemConfiguration.getInstances().getLdapDefaultTeant().getValue();
+            Tenant tenant = tenantService.getTenantByTenantCode(defaultTeantCode);
+            User userForm = new User();
+            userForm.setUsername(loginDTO.getUsername());
+            userForm.setNickname(loginDTO.getUsername());
+            userForm.setUserType(UserType.SSO.getCode());
+            userForm.setEnabled(true);
+            userForm.setSuperAdminFlag(false);
+            userForm.setIsDelete(false);
+            this.getBaseMapper().insert(userForm);
+            // Assign the user to the default tenant
+            List<Integer> userIds = getUserIdsByTenantId(tenant.getId());
+            userIds.add(userForm.getId());
+            tenantService.assignUserToTenant(new AssignUserToTenantDTO(tenant.getId(), userIds));
+            return userForm;
+        } else {
+            if (user.getUserType() != UserType.SSO.getCode()) {
+                throw new AuthException(Status.USER_TYPE_ERROR);
+            }
+        }
+        return user;
+    }
+
     private void upsertToken(UserDTO userInfo) {
         Integer userId = userInfo.getUser().getId();
         SysToken sysToken = new SysToken();
@@ -443,6 +485,10 @@ public void buildRowPermission() {
 
     @Override
     public void outLogin() {
+        if (profileManager != null) {
+            profileManager.logout();
+        }
+
         StpUtil.logout(StpUtil.getLoginIdAsInt());
     }
 

dinky-admin/src/main/resources/application-mysql.yml

@@ -20,4 +20,4 @@ spring:
     url: jdbc:mysql://${MYSQL_ADDR:127.0.0.1:3306}/${MYSQL_DATABASE:dinky}?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&useSSL=false&zeroDateTimeBehavior=convertToNull&serverTimezone=Asia/Shanghai&allowPublicKeyRetrieval=true
     username: ${MYSQL_USERNAME:dinky}
     password: ${MYSQL_PASSWORD:dinky}
-    driver-class-name: com.mysql.cj.jdbc.Driver
+    driver-class-name: com.mysql.cj.jdbc.Driver

dinky-admin/src/main/resources/application.yml

@@ -165,3 +165,28 @@ knife4j:
 crypto:
   enabled: false
   encryption-password:
+
+---
+#################################################################################################################
+################################################# SSO Config ####################################################
+#################################################################################################################
+#see https://github.com/pac4j/spring-webmvc-pac4j-boot-demo/blob/master/src/main/resources/application.properties
+sso:
+  enabled: false  #enable sso default false
+  redirect: http://localhost:8000/#/user/login?from=sso  #Front-end address
+
+---
+#################################################################################################################
+################################################# pac4j Config ####################################################
+#################################################################################################################
+pac4j:
+  callbackUrl: http://localhost:${server.port}/callback # The callback URL
+  # Put all parameters under `properties`
+  # Check supported sso config parameters for different authentication clients from the below link
+  # https://github.com/pac4j/pac4j/blob/master/documentation/docs/config-module.md
+  properties:
+    principalNameAttribute: login #Authenticate user principal
+    github.id:
+    github.secret:
+
+