Kitware / CDash

An open source, web-based software testing server
http://www.cdash.org/

Adding Azure AD authentication/authorization #958

Open pettermk opened 4 years ago

pettermk commented 4 years ago

Hi,

My team and I would like to use CDash inside the organization and have user roles managed in AD. Given the efforts in migrating functionality towards Laravel, I assume that it makes sense to develop such functionality on top of code that has already been migrated to Laravel. At the same time, we would like to have a stable implementation running. I don't think working on top of 2.6 is a good idea, and master seems a bit, well, scary. Do you have any suggestions for how we could proceed?

Thanks,
Petter

zackgalbreath commented 4 years ago

On Tue, Feb 25, 2020 at 6:25 AM Petter Moe Kvalvaag <notifications@github.com> wrote:

> Hi, my team and I would like to use CDash inside the organization and have user roles managed in AD. Given the efforts in migrating functionality towards Laravel, I assume that it makes sense to develop such functionality on top of code that has already been migrated to Laravel. At the same time, we would like to have a stable implementation running. I don't think working on top of 2.6 is a good idea, and master seems a bit, well, scary. Do you have any suggestions for how we could proceed? Thanks, Petter

That sentiment is certainly understandable. We're working towards a CDash 3.0 release, but we're not quite ready to put a firm date on it yet.

The good news is that CDash already supports ActiveDirectory logins through our LDAP authentication service. I'll try to whip up some better documentation on how to do this soon, but the relevant settings are here:

https://github.com/Kitware/CDash/blob/master/.env.example#L58

pettermk commented 4 years ago

Thanks for the feedback! I might have a hard time bringing an LDAP solution into our company at this time, but I might give it a shot until the 3.0 release is maturing. Another possibility I have is to put an Azure AD authentication layer around the web app. Then a JWT token will be passed on each request; it could be decoded and the administrator role picked up in a middleware (the goal, ultimately, is to be able to have that role managed in Azure AD). But do you see CDash user management supporting such a scenario? Not sure if it makes sense.

Edit: I also don't see how the submission pipeline would handle that scenario, so it might be best to forget about it.
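The check a middleware like the one described above would have to pass before trusting a role claim, as an added example that is not part of the thread or of CDash; it is written in Python with only the standard library so it runs offline, although CDash itself is PHP/Laravel. All function names, the `{kid: (n, e)}` key map (which a deployment would fill from the identity provider's published signing keys), the issuer, audience and role values, and the demo key are assumptions; `roles` is the claim in which Azure AD delivers app roles.

```python
import base64, hashlib, hmac, json
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_sha256(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    pad = b"\xff" * (k - 3 - len(PREFIX) - 32)
    return b"\x00\x01" + pad + b"\x00" + PREFIX + hashlib.sha256(msg).digest()

def rs256_valid(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), pkcs1_sha256(msg, k))

def is_admin(token, keys, issuer, audience, admin_role, now):
    """True only if token verifies under keys {kid: (n, e)} and grants admin_role."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(unb64(h64)), json.loads(unb64(p64))
        if header["alg"] != "RS256":  # pin the algorithm; never honour "none" or HS256
            return False
        n, e = keys[header["kid"]]
        if not rs256_valid(f"{h64}.{p64}".encode(), unb64(s64), n, e):
            return False
        # The claims are read only after the signature has verified.
        aud = claims["aud"]
        if claims["iss"] != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
            return False
        if not (claims.get("nbf", 0) <= now < claims["exp"]):
            return False
        roles = claims.get("roles", [])
        return isinstance(roles, list) and admin_role in roles
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

# Constructed demo key from two Mersenne primes (trivially factorable, demo only);
# demo_token signs with it, standing in for the identity provider.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def demo_token(header, claims):
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    msg = enc(json.dumps(header).encode()) + "." + enc(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_sha256(msg.encode(), k), "big"), D, N)
    return msg + "." + enc(sig.to_bytes(k, "big"))
```

Every failure path returns `False`, so a malformed, unsigned, expired or wrong-audience token can never yield the administrator role.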

pettermk commented 4 years ago

As the way forward is clear, I am closing this ticket. We will probably start tinkering with an Azure AD authentication backend, ramp it up towards 3.0, and if you are interested in it we could try to contribute it back.

pettermk commented 4 years ago

Hi again,

I am revisiting this these days as I see that 3.0 is maturing. I have some work in progress where I have added an OAuth2 provider for Azure AD, and it seems to be working OK. I am having a few issues, though: how is the OAuth authentication intended to be enabled from a local config? I am trying to set the OAUTH2_PROVIDERS as documented in config.php, but it does not seem to enable OAuth2. I seem to only be able to enable OAuth by explicitly setting 'enabled' => true in config/oauth2.php, which seems cumbersome to deploy.

If needed, here are my changes: https://github.com/Kitware/CDash/compare/master...pettermk:add-azure-ad-oauth2-authentication?expand=1

zackgalbreath commented 4 years ago

Great point, Petter. As a general policy we shouldn't expect CDash admins to modify files in the config/ directory. Rather, it should be possible to set variables in .env to change config behavior.

I'll take a crack at improving our oauth2 support along these lines if you don't beat me to it.

pettermk commented 4 years ago

Awesome, thanks for clarifying that. I'll deploy it locally with the change in the config directory; that's fine for now. Not sure I dare touch those configuration internals...

When I'm confident that things are working as they should I'll make a PR so you can evaluate if you want to have this added to CDash.