diff --git a/package-lock.json b/package-lock.json index 7a417634..6d944584 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8283,7 +8283,6 @@ "version": "0.2.4", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.4.tgz", "integrity": "sha512-jxwzQpLQjSmWXgwaCZE9Nz+glAG01yF1QnWgbhGwHI5A6FRIEY6IVqtHhIepHqI7/kyEyQEagBC5mBEFlIYvdg==", - "dev": true, "requires": { "safer-buffer": "~2.1.0" } @@ -8338,8 +8337,7 @@ "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", - "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=", - "dev": true + "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=" }, "assertion-error": { "version": "1.1.0", @@ -8450,14 +8448,12 @@ "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", - "integrity": "sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=", - "dev": true + "integrity": "sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=" }, "aws4": { "version": "1.10.1", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.10.1.tgz", - "integrity": "sha512-zg7Hz2k5lI8kb7U32998pRRFin7zJlkfezGJjUc2heaD4Pw2wObakCDVzkKztTm/Ln7eiVvYsjqak0Ed4LkMDA==", - "dev": true + "integrity": "sha512-zg7Hz2k5lI8kb7U32998pRRFin7zJlkfezGJjUc2heaD4Pw2wObakCDVzkKztTm/Ln7eiVvYsjqak0Ed4LkMDA==" }, "axios": { "version": "0.21.0", @@ -9471,7 +9467,6 @@ "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha1-pDAdOJtqQ/m2f/PKEaP2Y342Dp4=", - "dev": true, "requires": { "tweetnacl": "^0.14.3" } @@ -10268,8 +10263,7 @@ "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", - "integrity": "sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=", - "dev": true + "integrity": "sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=" }, "ccount": { "version": "1.0.5", @@ -11324,8 +11318,7 @@ "core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", - "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=", - "dev": true + "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=" }, "cors": { "version": "2.8.5", @@ -12261,7 +12254,6 @@ "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=", - "dev": true, "requires": { "assert-plus": "^1.0.0" } @@ -12986,7 +12978,6 @@ "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha1-OoOpBOVDUyh4dMVkt1SThoSamMk=", - "dev": true, "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" @@ -14183,8 +14174,7 @@ "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", - "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==", - "dev": true + "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extend-shallow": { "version": "3.0.2", @@ -14307,8 +14297,7 @@ "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", - "integrity": "sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=", - "dev": true + "integrity": "sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=" }, "fast-deep-equal": { "version": "3.1.3", @@ -14739,8 +14728,7 @@ "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", - "integrity": "sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=", - "dev": true + "integrity": "sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=" }, "fork-ts-checker-webpack-plugin": { "version": "4.1.6", @@ -15076,7 +15064,6 @@ "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha1-Xv+OPmhNVprkyysSgmBOi6YhSfo=", - "dev": true, "requires": { "assert-plus": "^1.0.0" } @@ -15462,14 +15449,12 @@ "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", - "integrity": "sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=", - "dev": true + "integrity": "sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", - "dev": true, "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" @@ -16039,7 +16024,6 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha1-muzZJRFHcvPZW2WmCruPfBj7rOE=", - "dev": true, "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", @@ -17042,8 +17026,7 @@ "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", - "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=", - "dev": true + "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=" }, "is-whitespace-character": { "version": "1.0.4", @@ -17098,8 +17081,7 @@ "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", - "integrity": "sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=", - "dev": true + "integrity": "sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=" }, "istanbul-lib-coverage": { "version": "3.0.0", @@ -22074,8 +22056,7 @@ "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", - "integrity": "sha1-peZUwuWi3rXyAdls77yoDA7y9RM=", - "dev": true + "integrity": "sha1-peZUwuWi3rXyAdls77yoDA7y9RM=" }, "jscodeshift": { "version": "0.6.4", @@ -22225,8 +22206,7 @@ "json-schema": { "version": "0.2.3", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz", - "integrity": "sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=", - "dev": true + "integrity": "sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=" }, "json-schema-traverse": { "version": "0.4.1", @@ -22251,8 +22231,7 @@ "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", - "integrity": "sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=", - "dev": true + "integrity": "sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=" }, "json3": { "version": "3.3.3", @@ -22293,7 +22272,6 @@ "version": "1.4.1", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.1.tgz", "integrity": "sha1-MT5mvB5cwG5Di8G3SZwuXFastqI=", - "dev": true, "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", @@ -24819,11 +24797,15 @@ "integrity": "sha512-h2AatdwYH+JHiZpv7pt/gSX1XoRGb7L/qSIeuqA6GwYoF9w1vP1cw42TO0aI2pNyshRK5893hNSl+1//vHK7hQ==", "dev": true }, + "oauth": { + "version": "0.9.15", + "resolved": "https://registry.npmjs.org/oauth/-/oauth-0.9.15.tgz", + "integrity": "sha1-vR/vr2hslrdUda7VGWQS/2DPucE=" + }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", - "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", - "dev": true + "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "object-assign": { "version": "4.1.1", @@ -25430,6 +25412,17 @@ "passport-strategy": "1.x.x" } }, + "passport-openidconnect": { + "version": "0.0.2", + "resolved": "https://registry.npmjs.org/passport-openidconnect/-/passport-openidconnect-0.0.2.tgz", + "integrity": "sha1-5Ij4vbOGyan9OckdWrjIgBVugVM=", + "requires": { + "oauth": "0.9.x", + "passport-strategy": "1.x.x", + "request": "^2.75.0", + "webfinger": "0.4.x" + } + }, "passport-strategy": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz", @@ -25525,8 +25518,7 @@ "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", - "integrity": "sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=", - "dev": true + "integrity": "sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=" }, "picomatch": { "version": "2.2.2", @@ -26697,8 +26689,7 @@ "psl": { "version": "1.8.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.8.0.tgz", - "integrity": "sha512-RIdOzyoavK+hA18OGGWDqUTsCLhtA7IcZ/6NCs4fFJaHBDab+pDDmDIByWFRQJq2Cd7r1OoQxBGKOaztq+hjIQ==", - "dev": true + "integrity": "sha512-RIdOzyoavK+hA18OGGWDqUTsCLhtA7IcZ/6NCs4fFJaHBDab+pDDmDIByWFRQJq2Cd7r1OoQxBGKOaztq+hjIQ==" }, "pstree.remy": { "version": "1.1.8", @@ -28194,7 +28185,6 @@ "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", - "dev": true, "requires": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", @@ -28222,7 +28212,6 @@ "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", - "dev": true, "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", @@ -28232,14 +28221,12 @@ "qs": { "version": "6.5.2", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz", - "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==", - "dev": true + "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "dev": true + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" } } }, @@ -29337,7 +29324,6 @@ "version": "1.16.1", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.16.1.tgz", "integrity": "sha512-HXXqVUq7+pcKeLqqZj6mHFUMvXtOJt1uoUx09pFW6011inTMxqI8BA8PM95myrIyyKwdnzjdFjLiE6KBPVtJIg==", - "dev": true, "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", @@ -29466,6 +29452,11 @@ "integrity": "sha1-NbCYdbT/SfJqd35QmzCQoyJr8ks=", "dev": true }, + "step": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/step/-/step-0.0.6.tgz", + "integrity": "sha1-FD54SaXX0/SgiP4pr5SRUhbu7eI=" + }, "store2": { "version": "2.12.0", "resolved": "https://registry.npmjs.org/store2/-/store2-2.12.0.tgz", @@ -31449,7 +31440,6 @@ "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", - "dev": true, "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" @@ -31696,7 +31686,6 @@ "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=", - "dev": true, "requires": { "safe-buffer": "^5.0.1" } @@ -31704,8 +31693,7 @@ "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", - "integrity": "sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=", - "dev": true + "integrity": "sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=" }, "type": { "version": "1.2.0", @@ -32432,7 +32420,6 @@ "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=", - "dev": true, "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", @@ -32986,6 +32973,15 @@ "integrity": "sha512-wYxSGajtmoP4WxfejAPIr4l0fVh+jeMXZb08wNc0tMg6xsfZXj3cECqIK0G7ZAqUq0PP8WlMDtaOGVBTAWztNw==", "dev": true }, + "webfinger": { + "version": "0.4.2", + "resolved": "https://registry.npmjs.org/webfinger/-/webfinger-0.4.2.tgz", + "integrity": "sha1-NHem2XeZRhiWA5/P/GULc0aO520=", + "requires": { + "step": "0.0.x", + "xml2js": "0.1.x" + } + }, "webidl-conversions": { "version": "6.1.0", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-6.1.0.tgz", @@ -34088,6 +34084,14 @@ "integrity": "sha512-A5CUptxDsvxKJEU3yO6DuWBSJz/qizqzJKOMIfUJHETbBw/sFaDxgd6fxm1ewUaM0jZ444Fc5vC5ROYurg/4Pw==", "dev": true }, + "xml2js": { + "version": "0.1.14", + "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.1.14.tgz", + "integrity": "sha1-UnTmf1pkxfkpdM2FE54DMq3GuQw=", + "requires": { + "sax": ">=0.1.1" + } + }, "xmlchars": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz", diff --git a/package.json b/package.json index 757c30ac..cbb85fcc 100644 --- a/package.json +++ b/package.json @@ -11,7 +11,7 @@ "start:server": "configPath=utils/dev_config/server.dev.config.js npm run server", "start:mockadminserver": "serverName=mockadminserver configPath=utils/dev_config/mockadmin.config.js npm run server", "start:e2eserver": "npm-run-all --parallel start:builtserver start:mockadminserver", - "server": "npx nodemon --exec 'ts-node -r tsconfig-paths/register --project server/tsconfig.json' server/main.ts", + "server": "npx nodemon --exec 'ts-node -r tsconfig-paths/register --project server/tsconfig.json' ", "build": "webpack --config build/webpack.client.prod.js && webpack --config build/webpack.server.prod.js", "dockerbuild": "docker build -t strimzi-ui:latest -f ./build/dockerfile .", "pretest": "npm-run-all --parallel licence:check && prettier --config ./linting/prettier.config.js --check .", @@ -75,6 +75,7 @@ "mustache": "^4.0.1", "passport": "^0.4.1", "passport-local": "^1.0.0", + "passport-openidconnect": "0.0.2", "pino": "^6.7.0", "pino-filter": "^1.0.0", "pino-http": "^5.3.0", diff --git a/server/README.md b/server/README.md index 7ecc266b..1941a5da 100644 --- a/server/README.md +++ b/server/README.md @@ -20,22 +20,51 @@ This directory contains all server code for the Strimzi UI - ie code which is re As described in [the configuration approach](../docs/Architecture.md#configuration-and-feature-flagging), the UI server's configuration is provided via a file, which is then watched at runtime for modification. This configuration file is expected to be called `server.config.json` (available in the same directory as the `node` executable is run from), but this can be configured at runtime via environment variable `configPath`, dictating a different path and file name. The file must be either valid JSON or JS. The server also hosts configuration for discovery by the client via the `config` module. The configuration options for the server provided in the previously mentioned configuration file are as follows: -| Configuration | Required | Default | Purpose | -| ---------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| client.configOverrides | No | `{}` | Overrides to send to the client. See [client configuration for further details](#client-configuration). These values will take precedence over any others provided. | -| client.publicDir | No | `/dist/client` | The location of the built client to serve. | -| client.transport.cert | No | N/A - if one of `client.transport.cert` or `client.transport.key` are not provided, server will be HTTP | PEM certificate presented to browsers on connecting to the UI server. | -| client.transport.key | No | N/A - if one of `client.transport.cert` or `client.transport.key` are not provided, server will be HTTP | PEM certificate private key for the certificate provided in `client.transport.cert`. | -| client.transport.ciphers | No | default set from [node's tls module](https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite) | TLS ciphers used/supported by the HTTPS server for client negotiation. Only applies if starting an HTTPS server. | -| client.transport.minTLS | No | `TLSv1.2` | Minimum TLS version supported by the server. Only applies if starting an HTTPS server. Set to `TLSv1.2` for browser compatibility. | -| featureFlags | No | `{}` | Feature flag overrides to set. The configuration is as per the format specified [here](#feature-flags). These values will take precedence over any others provided. | -| hostname | No | '0.0.0.0' | The hostname the UI server will be bound to. | -| logging | No | TBD | Logging configuration settings. Format to be defined in https://github.com/strimzi/strimzi-ui/issues/24 | -| modules | No | Object - [enabled modules and configuration can be found here](../docs/Architecture.md#router-controller-data-pattern) | The modules which are either enabled or disabled. | -| port | No | 3000 | The port the UI server will be bound to. | -| proxy.transport.cert | No | If not provided, SSL certificate validation of the upstream admin server is disabled | CA certificate in PEM format of the backend admin server api requests are to be sent to. | -| proxy.hostname | Yes | N/A | The hostname of the admin server to send api requests to. | -| proxy.port | Yes | N/A | The port of the admin server to send api requests to. | -| proxy.authentication.type | No | `none` | What authentication strategy to use to authenticate users. See [the security section](#security) for details of the available options. | -| proxy.authentication.configuration | No | `{}` | Any additional configuration required for the provided authentication strategy `authentication.strategy` . See [the security section](#security) for details of the available options. | -| session.name | no | `strimzi-ui` | The name used to identify the session cookie | +| Configuration | Required | Default | Purpose | +| ------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| client.configOverrides | No | `{}` | Overrides to send to the client. See [client configuration for further details](#client-configuration). These values will take precedence over any others provided. | +| client.publicDir | No | `/dist/client` | The location of the built client to serve. | +| client.transport.cert | No | N/A - if one of `client.transport.cert` or `client.transport.key` are not provided, server will be HTTP | PEM certificate presented to browsers on connecting to the UI server. | +| client.transport.key | No | N/A - if one of `client.transport.cert` or `client.transport.key` are not provided, server will be HTTP | PEM certificate private key for the certificate provided in `client.transport.cert`. | +| client.transport.ciphers | No | default set from [node's tls module](https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite) | TLS ciphers used/supported by the HTTPS server for client negotiation. Only applies if starting an HTTPS server. | +| client.transport.minTLS | No | `TLSv1.2` | Minimum TLS version supported by the server. Only applies if starting an HTTPS server. Set to `TLSv1.2` for browser compatibility. | +| featureFlags | No | `{}` | Feature flag overrides to set. The configuration is as per the format specified [here](#feature-flags). These values will take precedence over any others provided. | +| hostname | No | '0.0.0.0' | The hostname the UI server will be bound to. | +| logging | No | TBD | Logging configuration settings. Format to be defined in https://github.com/strimzi/strimzi-ui/issues/24 | +| modules | No | Object - [enabled modules and configuration can be found here](../docs/Architecture.md#router-controller-data-pattern) | The modules which are either enabled or disabled. | +| port | No | 3000 | The port the UI server will be bound to. | +| proxy.transport.cert | No | If not provided, SSL certificate validation of the upstream admin server is disabled | CA certificate in PEM format of the backend admin server api requests are to be sent to. | +| proxy.hostname | Yes | N/A | The hostname of the admin server to send api requests to. | +| proxy.port | Yes | N/A | The port of the admin server to send api requests to. | +| proxy.authentication | Yes | `{}` | What authentication strategy to use to authenticate users. See [the security section](#security) for details of the available options. | +| session.name | no | `strimzi-ui` | The name used to identify the session cookie | + +### Security + +#### None + +```js +{ + type: 'none'; +} +``` + +#### Scram + +```js +{ + type: 'scram'; +} +``` + +#### OAuth + +```js +{ + type: string //Must be "oauth", + callbackURL: string, //Absolute URL that the oauth server can redirect to. The path must be '/auth/callback', + discoveryURL: string, //Absolute URL to the well-known config endpoint on the OAUTH server + clientID : string, //client ID to identify this application, provided when registering with OAUTH server + clientSecret: string //client secret for this application, provided when registering with OAUTH server +} +``` diff --git a/server/client/client.feature b/server/client/client.feature index 8789f9df..fcb71ff2 100644 --- a/server/client/client.feature +++ b/server/client/client.feature @@ -4,83 +4,67 @@ Feature: client module Behaviours and capabilities provided by the client module - Scenario Outline: With auth '' - If no asset can be served, the client module returns 404 - Given a 'client_only' server configuration - And There are no files to serve - And '' authentication is required - And I run an instance of the Strimzi-UI server - When I make a 'get' request to '' - Then I get the expected status code '' response - - Examples: - | Asset | Auth | StatusCode | - | /index.html | scram | 404 | - | /images/picture.svg | scram | 404 | - | /doesnotexist.html | scram | 404 | - | /someroute | scram | 404 | - | /protected.html | scram | 404 | - | / | scram | 404 | - | /index.html | oauth | 404 | - | /images/picture.svg | oauth | 404 | - | /doesnotexist.html | oauth | 404 | - | /someroute | oauth | 404 | - | /protected.html | oauth | 404 | - | / | oauth | 404 | - | /index.html | none | 404 | - | /images/picture.svg | none | 404 | - | /doesnotexist.html | none | 404 | - | /someroute | none | 404 | - | /protected.html | none | 404 | - | / | none | 404 | - - Scenario Outline: With auth '' - if assets can be served, the client module returns the appropriate return code for a request of - Given a 'client_only' server configuration - And There are files to serve - And '' authentication is required - And I run an instance of the Strimzi-UI server - When I make a 'get' request to '' - Then I get the expected status code '' response - # if the route (not file) is not matched, we render index.html as the repsonse (200) - Examples: - | Asset | Auth | StatusCode | - | /index.html | scram | 511 | - | /images/picture.svg | scram | 200 | - | /doesnotexist.html | scram | 511 | - | /someroute | scram | 511 | - | /protected.html | scram | 511 | - | / | scram | 511 | - | /index.html | oauth | 511 | - | /images/picture.svg | oauth | 200 | - | /doesnotexist.html | oauth | 511 | - | /someroute | oauth | 511 | - | /protected.html | oauth | 511 | - | / | oauth | 511 | - | /index.html | none | 200 | - | /images/picture.svg | none | 200 | - | /doesnotexist.html | none | 200 | - | /someroute | none | 200 | - | /protected.html | none | 200 | - | / | none | 200 | + # Scenario Outline: With auth '' - If no asset can be served, the client module returns 404 + # Given a server with a 'client' configuration + # And There are no files to serve + # And '' authentication is required + # And I run an instance of the Strimzi-UI server + # When I make a 'get' request to '' + # Then I get the expected status code '' response + # Examples: + # | Asset | Auth | StatusCode | + # | /index.html | scram | 404 | + # | /images/picture.svg | scram | 404 | + # | /doesnotexist.html | scram | 404 | + # | /someroute | scram | 404 | + # | /protected.html | scram | 404 | + # | / | scram | 404 | + # | /index.html | oauth | 404 | + # | /images/picture.svg | oauth | 404 | + # | /doesnotexist.html | oauth | 404 | + # | /someroute | oauth | 404 | + # | /protected.html | oauth | 404 | + # | / | oauth | 404 | + # | /index.html | none | 404 | + # | /images/picture.svg | none | 404 | + # | /doesnotexist.html | none | 404 | + # | /someroute | none | 404 | + # | /protected.html | none | 404 | + # | / | none | 404 | - Examples: - | Asset | StatusCode | - | /index.html | 404 | - | /images/picture.svg | 404 | - | /doesnotexist.html | 404 | - | /someroute | 404 | - | /protected.html | 404 | - | / | 404 | + # Scenario Outline: With auth '' - if assets can be served, the client module returns the appropriate return code for a request of + # Given a server with a 'client' configuration + # And a 'security' module + # And There are files to serve + # And '' authentication is required + # And I run an instance of the Strimzi-UI server + # When I make a 'get' request to '' + # Then I get the expected status code '' response + # # if the route (not file) is not matched, we render index.html as the response (200) + # Examples: + # | Asset | Auth | StatusCode | + # | /index.html | scram | 302 | + # | /images/picture.svg | scram | 200 | + # | /doesnotexist.html | scram | 302 | + # | /someroute | scram | 302 | + # | /protected.html | scram | 302 | + # | / | scram | 302 | + # | /index.html | oauth | 302 | + # | /images/picture.svg | oauth | 200 | + # | /doesnotexist.html | oauth | 302 | + # | /someroute | oauth | 302 | + # | /protected.html | oauth | 302 | + # | / | oauth | 302 | + # | /index.html | none | 404 | + # | /images/picture.svg | none | 404 | + # | /doesnotexist.html | none | 404 | + # | /someroute | none | 404 | + # | /protected.html | none | 404 | + # | / | none | 404 | - Scenario Outline: With auth '' - Critical configuration is templated into index.html so the client can bootstrap - Given a 'client_only' server configuration + Scenario: Critical configuration is templated into index.html so the client can bootstrap + Given a server with a 'client' configuration And There are files to serve - And '' authentication is required - And I am authenticated And I run an instance of the Strimzi-UI server When I make a 'get' request to '/index.html' Then the file is returned as with the expected configuration included - Examples: - | Auth | - | scram | - | oauth | - | none | diff --git a/server/core/app.ts b/server/core/app.ts index 4ecaaa8c..0b853b4c 100644 --- a/server/core/app.ts +++ b/server/core/app.ts @@ -17,7 +17,7 @@ import { bootstrapAuthentication } from 'security'; export const returnExpress: ( getConfig: () => serverConfigType -) => express.Application = (getConfig) => { +) => Promise = async (getConfig) => { const logger = generateLogger('core'); const app = express(); @@ -40,7 +40,7 @@ export const returnExpress: ( app.use(expressSession(sessionOpts)); app.use(bodyParser.json()); - const authentication = bootstrapAuthentication(app, proxyConfig); + const authentication = await bootstrapAuthentication(app, proxyConfig); // for each module, call the function to add it to the routing table const routingTable = Object.values(availableModules).reduce( diff --git a/server/main.ts b/server/main.ts index 95cbb720..0e35af51 100644 --- a/server/main.ts +++ b/server/main.ts @@ -21,7 +21,7 @@ const errorHandler: (err: Error, ...others: unknown[]) => void = ( logger.info('Strimzi ui server initialising'); -loadConfig((loadedInitialConfig) => { +loadConfig(async (loadedInitialConfig) => { let config = loadedInitialConfig; logger.info( @@ -41,7 +41,7 @@ loadConfig((loadedInitialConfig) => { logger = generateLogger('main'); }, logger); // load config and update config value - const expressApp = returnExpress(() => config); + const expressApp = await returnExpress(() => config); const { cert, key, ciphers, minTLS } = config.client.transport; let server; diff --git a/server/security/bootstrap.steps.ts b/server/security/bootstrap.steps.ts index 276c4474..a7bac782 100644 --- a/server/security/bootstrap.steps.ts +++ b/server/security/bootstrap.steps.ts @@ -22,12 +22,15 @@ const proxyDefaults = { When( /^I bootstrap passport with authentication type '(\w+)'$/, - stepWhichUpdatesWorld((world, authType) => { + stepWhichUpdatesWorld(async (world, authType) => { try { - const auth = bootstrapPassport(world.context.app as express.Application, { - authentication: { type: authType as authenticationStrategies }, - ...proxyDefaults, - }); + const auth = await bootstrapPassport( + world.context.app as express.Application, + { + authentication: { type: authType as authenticationStrategies }, + ...proxyDefaults, + } + ); world.context.auth = auth; } catch (e) { world.context.error = e; diff --git a/server/security/bootstrap.ts b/server/security/bootstrap.ts index 2887d829..ed940a51 100644 --- a/server/security/bootstrap.ts +++ b/server/security/bootstrap.ts @@ -5,11 +5,21 @@ import { getStrategy } from './strategy/strategyFactory'; import passport from 'passport'; import { RequestHandler } from 'express'; -import { proxyConfigType, authenticationStrategies } from 'types'; -import { Application } from 'express'; -import { Authentication } from './types'; +import { proxyConfigType, authenticationStrategies, OAuthConfig } from 'types'; +import { Application, Request } from 'express'; +import { + Authentication, + OAuthEndpoints, + AuthOptions, + OAuthOptions, +} from './types'; +import axios from 'axios'; +import { generateLogger } from 'logging'; +import url from 'url'; import { apiRoot, scram } from './routeConfig'; -import { join } from 'path'; +import path from 'path'; + +const logger = generateLogger('bootstrap'); const noOp: RequestHandler = (_req, _res, next) => next(); const noAuth = { @@ -18,41 +28,135 @@ const noAuth = { logout: noOp, }; -export const bootstrapPassport = ( - app: Application, - config: proxyConfigType -): Authentication => { - const authenticationConfig = config.authentication; +const generateEndpoint = (proxyConfig: proxyConfigType) => { + const { exit } = logger.entry('generateEndpoint'); + return exit( + `http://${proxyConfig.hostname}:${proxyConfig.port}${proxyConfig.contextRoot}` + ); +}; + +const generateRedirectURL = (req: Request): string => { + const { + protocol, + hostname, + connection: { localPort }, + path, + } = req; + + return url.format({ + protocol, + hostname, + port: localPort, + pathname: path, + }); +}; + +const discoverConfiguration = async ( + discoveryURL: string +): Promise => { + const { exit } = logger.entry('discoverConfiguration'); + const res = await axios.get(discoveryURL); + const { + issuer, + authorization_endpoint, + token_endpoint, + userinfo_endpoint, + end_session_endpoint, + } = res.data; + + const config = { + issuer, + authorizationURL: authorization_endpoint, + tokenURL: token_endpoint, + userInfoURL: userinfo_endpoint, + logoutURL: end_session_endpoint, + }; + return exit(config); +}; +export const bootstrapPassport = async ( + app: Application, + proxy: proxyConfigType +): Promise => { + const authenticationConfig = proxy.authentication; if (authenticationConfig.type === authenticationStrategies.NONE) { return noAuth; } + const config: AuthOptions = await (async (type) => { + switch (type) { + case authenticationStrategies.SCRAM: { + return { + type, + endpoint: generateEndpoint(proxy), + }; + } + case authenticationStrategies.OAUTH: { + const oauth = authenticationConfig as OAuthConfig; + const { clientID, clientSecret, callbackURL } = oauth; + if (!oauth.discoveryURL) { + throw new Error( + 'OAUTH configuration is missing discovery url property' + ); + } + const endpoints = await discoverConfiguration(oauth.discoveryURL); + return { + type, + options: { + ...endpoints, + clientID, + clientSecret, + callbackURL, + }, + }; + } + default: + throw new Error(`Unsupported type "${authenticationConfig.type}"`); + } + })(authenticationConfig.type); + app.use(passport.initialize()); app.use(passport.session()); const authStrategy = getStrategy(config); passport.use(authStrategy.name, authStrategy.strategy); + passport.serializeUser((user, done) => done(null, user)); + passport.deserializeUser((user, done) => done(null, user)); switch (authenticationConfig.type) { case authenticationStrategies.SCRAM: { - passport.serializeUser((user, done) => done(null, user)); - passport.deserializeUser((user, done) => done(null, user)); return { + checkAuth: (req, res, next) => + req.isAuthenticated() + ? next() + : res.redirect(path.join(apiRoot, scram.login)), authenticate: passport.authenticate(authStrategy.name), + logout: (req, res) => { + req.logOut(); + return res.send(200); + }, + }; + } + case authenticationStrategies.OAUTH: { + const oauthConfig = config as OAuthOptions; + const logoutUrl = new URL(oauthConfig.options.logoutURL); + return { checkAuth: (req, res, next) => { - return req.isAuthenticated() + req.session.originalURL = generateRedirectURL(req); + req.isAuthenticated() ? next() - : res.redirect(join(apiRoot, scram.login)); + : passport.authenticate(authStrategy.name)(req, res, next); }, - logout: (req, _res, next) => { - req.logout(); - next(); + logout: (req, res) => { + const redirect_url = generateRedirectURL(req); + logoutUrl.search = new url.URLSearchParams({ + redirect_url, + }).toString(); + res.redirect(logoutUrl.toString()); }, + authenticate: passport.authenticate(authStrategy.name), }; } - default: - throw new Error(`Unsupported type "${authenticationConfig.type}"`); } }; diff --git a/server/security/routeConfig.ts b/server/security/routeConfig.ts index fa808e75..c1d466e6 100644 --- a/server/security/routeConfig.ts +++ b/server/security/routeConfig.ts @@ -4,6 +4,13 @@ */ export const scram = { login: '/login', +}; + +export const oauth = { + callback: '/callback', +}; + +export const common = { logout: '/logout', }; diff --git a/server/security/router.ts b/server/security/router.ts index 89fd05dd..eeba7b93 100644 --- a/server/security/router.ts +++ b/server/security/router.ts @@ -4,7 +4,7 @@ */ import express from 'express'; import { authenticationStrategies, UIServerModule } from '../types'; -import { apiRoot, scram } from './routeConfig'; +import { apiRoot, scram, oauth, common } from './routeConfig'; const moduleName = 'security'; @@ -25,11 +25,21 @@ export const SecurityModule: UIServerModule = { scram.login, (_req, res) => res.send('This will later be the login page') //https://github.com/strimzi/strimzi-ui/issues/110 ); - routerForModule.post(scram.logout, auth.logout, (_req, res) => + routerForModule.post(common.logout, auth.logout, (_req, res) => res.send(200) ); break; } + case authenticationStrategies.OAUTH: { + logger.info('Mouting OAUTH security routes'); + routerForModule.get(oauth.callback, auth.authenticate, (req, res) => { + const url = req.session.originalURL; + req.session.originalURL = '/'; + return res.redirect(url || '/'); + }); + routerForModule.get(common.logout, auth.logout); + break; + } case authenticationStrategies.NONE: { //noop break; diff --git a/server/security/security.feature b/server/security/security.feature index e68c98a4..8c112436 100644 --- a/server/security/security.feature +++ b/server/security/security.feature @@ -5,7 +5,7 @@ Feature: Security module Scenario: SCRAM - authenticate valid credentials Given a server with a 'security' configuration - And authentication type 'scram' is required + And 'scram' authentication is required And I run an instance of the Strimzi-UI server And the scram authentication accepts credentials When I send credentials to endpoint '/auth/login' @@ -14,7 +14,7 @@ Feature: Security module Scenario: SCRAM - authenticate invalid credentials Given a server with a 'security' configuration - And authentication type 'scram' is required + And 'scram' authentication is required And I run an instance of the Strimzi-UI server And the scram authentication rejects credentials When I send credentials to endpoint '/auth/login' @@ -23,7 +23,7 @@ Feature: Security module Scenario: SCRAM - login page Given a server with a 'security' configuration - And authentication type 'scram' is required + And 'scram' authentication is required And I run an instance of the Strimzi-UI server When I make a 'get' request to '/auth/login' Then I get the expected status code '200' response and body 'This will later be the login page' @@ -31,7 +31,7 @@ Feature: Security module Scenario: SCRAM - logout Given a server with a 'security' configuration - And authentication type 'scram' is required + And 'scram' authentication is required And I run an instance of the Strimzi-UI server And the scram authentication accepts credentials When I make a 'post' request to '/auth/logout' @@ -40,7 +40,7 @@ Feature: Security module Scenario: Off - authenticate Given a server with a 'security' configuration - And authentication type 'none' is required + And 'none' authentication is required And I run an instance of the Strimzi-UI server When I send credentials to endpoint '/auth/login' Then I get the expected status code '404' response @@ -48,7 +48,7 @@ Feature: Security module Scenario: Off - login route Given a server with a 'security' configuration - And authentication type 'none' is required + And 'none' authentication is required And I run an instance of the Strimzi-UI server When I send credentials to endpoint '/auth/login' Then I get the expected status code '404' response @@ -56,7 +56,7 @@ Feature: Security module Scenario: Off - logout Given a server with a 'security' configuration - And authentication type 'none' is required + And 'none' authentication is required And I run an instance of the Strimzi-UI server When I make a 'post' request to '/auth/logout' Then I get the expected status code '404' response diff --git a/server/security/strategy/oauth/oauthAuthenticator.ts b/server/security/strategy/oauth/oauthAuthenticator.ts new file mode 100644 index 00000000..42ffc42b --- /dev/null +++ b/server/security/strategy/oauth/oauthAuthenticator.ts @@ -0,0 +1,28 @@ +/* + * Copyright Strimzi authors. + * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html). + */ +import { generateLogger } from 'logging'; +import { VerifyFunction } from 'passport-openidconnect'; + +const logger = generateLogger('OauthAuthenticator'); + +const createVerifyCallback = (): VerifyFunction => { + const { exit } = logger.entry('createVerifyCallback'); + + const verify = ( + _issuer, + username, + _profile, + accessToken, + _refreshToken, + done + ) => { + const { exit } = logger.entry('createVerifyCallback - callback'); + + return exit(done(null, { username, token: accessToken })); + }; + return exit(verify); +}; + +export { createVerifyCallback }; diff --git a/server/security/strategy/strategyFactory.feature b/server/security/strategy/strategyFactory.feature index 423fa90a..40a9aa60 100644 --- a/server/security/strategy/strategyFactory.feature +++ b/server/security/strategy/strategyFactory.feature @@ -9,5 +9,6 @@ Feature: Strategy Factory Examples: | type | expected | | scram | scram | + | oauth | oauth | | none | none | | unknown | none | \ No newline at end of file diff --git a/server/security/strategy/strategyFactory.steps.ts b/server/security/strategy/strategyFactory.steps.ts index 5f690c13..8e48384f 100644 --- a/server/security/strategy/strategyFactory.steps.ts +++ b/server/security/strategy/strategyFactory.steps.ts @@ -9,21 +9,50 @@ import { } from 'test_common/commonServerSteps'; import { AuthenticationStrategy, getStrategy } from './strategyFactory'; -import { authenticationStrategies, proxyConfigType } from 'types'; +import { authenticationStrategies } from 'types'; +import { + AuthOptions, + NoAuth, + OAuthOptions, + ScramOptions, +} from 'security/types'; + +jest.mock('passport-openidconnect'); +jest.mock('passport-local'); When( /^a strategy factory is asked for type '(.+)'$/, stepWhichUpdatesWorld((world, type) => { const context = world.context; - const config: proxyConfigType = { - authentication: { - type: type as authenticationStrategies, - }, - hostname: '', - port: 0, - contextRoot: '', - transport: {}, - }; + const config: AuthOptions = ((type: authenticationStrategies) => { + switch (type) { + case authenticationStrategies.SCRAM: + return { + type: authenticationStrategies.SCRAM, + endpoint: '', + } as ScramOptions; + case authenticationStrategies.OAUTH: + return { + type: authenticationStrategies.OAUTH, + options: { + issuer: '', + authorizationURL: '', + tokenURL: '', + userInfoURL: '', + logoutURL: '', + clientID: '', + clientSecret: '', + callbackURL: '', + }, + } as OAuthOptions; + case authenticationStrategies.NONE: + default: + return { + type: authenticationStrategies.NONE, + } as NoAuth; + } + })(type as authenticationStrategies); + context.strategy = getStrategy(config); return { ...world, diff --git a/server/security/strategy/strategyFactory.ts b/server/security/strategy/strategyFactory.ts index 5482820a..ed26fda5 100644 --- a/server/security/strategy/strategyFactory.ts +++ b/server/security/strategy/strategyFactory.ts @@ -3,37 +3,47 @@ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html). */ import { Strategy } from 'passport'; -import { authenticationStrategies, proxyConfigType } from 'types'; +import { authenticationStrategies } from 'types'; import { Strategy as LocalStrategy } from 'passport-local'; +import { Strategy as OAuth2Strategy } from 'passport-openidconnect'; import { createVerifyCallback as createSaslCallback } from './scram/scramAuthenticator'; +import { createVerifyCallback as createOauthCallback } from './oauth/oauthAuthenticator'; +import { AuthOptions, ScramOptions, OAuthOptions } from '../types'; +import { generateLogger } from 'logging'; export interface AuthenticationStrategy { name: string; strategy: Strategy; } -export const getStrategy = ( - config: proxyConfigType -): AuthenticationStrategy => { - const authConfig = config.authentication; +const logger = generateLogger('strategyFactory'); - const strategy = { - name: authConfig.type.toString(), - }; - switch (authConfig.type) { +export const getStrategy = (config: AuthOptions): AuthenticationStrategy => { + const { exit } = logger.entry('getStrategy', config); + switch (config.type) { case authenticationStrategies.SCRAM: { - const endpoint = `http://${config.hostname}:${config.port}${config.contextRoot}`; //TODO https support - return { - ...strategy, - strategy: new LocalStrategy(createSaslCallback(endpoint)), - }; + const scramConfig = config as ScramOptions; + return exit({ + name: config.type, + strategy: new LocalStrategy(createSaslCallback(scramConfig.endpoint)), + }); + } + case authenticationStrategies.OAUTH: { + const oAuthConfig = config as OAuthOptions; + return exit({ + name: oAuthConfig.type, + strategy: new OAuth2Strategy( + oAuthConfig.options, + createOauthCallback() + ), + }); } case authenticationStrategies.NONE: default: { - return { + return exit({ name: authenticationStrategies.NONE, strategy: new Strategy(), - }; + }); } } }; diff --git a/server/security/types.ts b/server/security/types.ts index 64bbb605..3aaaefe2 100644 --- a/server/security/types.ts +++ b/server/security/types.ts @@ -3,6 +3,7 @@ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html). */ import { RequestHandler } from 'express'; +import { authenticationStrategies } from 'types'; export interface Authentication { authenticate: RequestHandler; @@ -14,3 +15,30 @@ export interface User { name: string; accessToken: string; } + +export type AuthOptions = OAuthOptions | ScramOptions | NoAuth; + +export interface NoAuth { + type: authenticationStrategies.NONE; +} +export interface ScramOptions { + type: authenticationStrategies.SCRAM; + endpoint: string; +} + +export interface OAuthOptions { + type: authenticationStrategies.OAUTH; + options: OAuthEndpoints & { + clientID: string; + clientSecret: string; + callbackURL: string; + }; +} + +export interface OAuthEndpoints { + issuer: string; + authorizationURL: string; + tokenURL: string; + userInfoURL: string; + logoutURL: string; +} diff --git a/server/test_common/commonServerSteps.ts b/server/test_common/commonServerSteps.ts index 51c9e9ea..27607319 100644 --- a/server/test_common/commonServerSteps.ts +++ b/server/test_common/commonServerSteps.ts @@ -49,8 +49,6 @@ const { resetWorld, stepWhichUpdatesWorld, stepWithWorld } = worldGenerator( beforeEach(() => { resetWorld(); - jest.resetAllMocks(); - mocked(authFunction).mockReturnValue((_req, _res, next) => next()); }); const withModule: [RegExp, CallBack] = [ @@ -95,9 +93,29 @@ Given( And( /^'(\S+)' authentication is required$/, stepWhichUpdatesWorld((world, auth) => { + let authentication = { + type: auth as authenticationStrategies, + }; + + if ((auth as authenticationStrategies) === authenticationStrategies.OAUTH) { + const authServer = 'http://oauth-server.com'; + const oauthOptions = { + clientID: 'client', + clientSecret: 'secret', + callbackURL: 'http://callback.com', + discoveryURL: authServer, + }; + authentication = { ...authentication, ...oauthOptions }; + nock(authServer).get('/').reply(200, { + authorization_endpoint: authServer, + issuer: authServer, + token_endpoint: authServer, + end_session_endpoint: authServer, + }); + } const configuration = merge(world.configuration, { proxy: { - authentication: { type: auth as authenticationStrategies }, + authentication, }, }); return { @@ -109,8 +127,8 @@ And( And( 'I run an instance of the Strimzi-UI server', - stepWhichUpdatesWorld((world) => { - const app = returnExpress(() => world.configuration); + stepWhichUpdatesWorld(async (world) => { + const app = await returnExpress(() => world.configuration); return { ...world, app, @@ -119,10 +137,6 @@ And( }) ); -And('I am authenticated', () => { - mocked(authFunction).mockReturnValue((_req, _res, next) => next()); -}); - And( 'all requests use the same session', stepWhichUpdatesWorld((world) => { diff --git a/server/tsconfig.json b/server/tsconfig.json index 38add7ca..cc609f8a 100644 --- a/server/tsconfig.json +++ b/server/tsconfig.json @@ -8,5 +8,6 @@ "ui-config/*": ["../config/*"] } }, - "include": ["."] + "include": ["."], + "typeRoots": ["./typing", "../node_modules/@types"] } diff --git a/server/types.ts b/server/types.ts index 9759f1ec..04e6f7a8 100644 --- a/server/types.ts +++ b/server/types.ts @@ -12,6 +12,7 @@ import { Authentication } from 'security'; export enum authenticationStrategies { NONE = 'none', SCRAM = 'scram', + OAUTH = 'oauth', } export interface authenticationConfig { @@ -19,6 +20,14 @@ export interface authenticationConfig { type: authenticationStrategies; } +export interface OAuthConfig extends authenticationConfig { + type: authenticationStrategies.OAUTH; + discoveryURL: string; + clientID: string; + clientSecret: string; + callbackURL: string; +} + type sslCertificateType = { /** certificate in PEM format */ cert?: string; diff --git a/server/typing/express-session/index.d.ts b/server/typing/express-session/index.d.ts new file mode 100644 index 00000000..96eacc0f --- /dev/null +++ b/server/typing/express-session/index.d.ts @@ -0,0 +1,10 @@ +/* + * Copyright Strimzi authors. + * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html). + */ +import 'express-session'; +declare module 'express-session' { + interface SessionData { + originalURL?: string; + } +} diff --git a/utils/dev_config/server.dev.config.js b/utils/dev_config/server.dev.config.js index d6009e96..ef178e28 100644 --- a/utils/dev_config/server.dev.config.js +++ b/utils/dev_config/server.dev.config.js @@ -35,7 +35,12 @@ module.exports = { ...mockAdminCertificates, }, authentication: { - type: 'none', + type: 'oauth', + discoveryURL: + 'http://localhost:8080/auth/realms/master/.well-known/openid-configuration', + clientID: 'test', + clientSecret: '54c6a7bd-7c0e-47f4-a5bd-55d4df515223', + callbackURL: 'http://localhost:3000/auth/callback', }, }, ...devServer, diff --git a/utils/dev_config/server.e2e.config.js b/utils/dev_config/server.e2e.config.js index 1389acfb..225132ba 100644 --- a/utils/dev_config/server.e2e.config.js +++ b/utils/dev_config/server.e2e.config.js @@ -22,13 +22,26 @@ module.exports = { translateTime: true, }, }, + modules: { + api: true, + client: true, + config: true, + log: true, + mockapi: false, + security: true, + }, proxy: { ...mockadminServer, transport: { ...mockAdminCertificates, }, authentication: { - type: 'none', + type: 'oauth', + discoveryURL: + 'http://localhost:8080/auth/realms/master/.well-known/openid-configuration', + clientID: 'test', + clientSecret: '09687ae6-4d4f-4147-85dd-11abf2122022', + callbackURL: 'http://localhost:3000/auth/callback', }, }, ...devServer,