Closed groldan closed 10 months ago
Starting off where #58 was left, the following issues are identified:
- `OpenIdConnectUserMapperTest`, `OAuth2SecurityAutoConfigurationTest`. Reason being the following statement added at 3a5d74ce and 3a5d74ce:

  ```java
  assumeTrue(System.getProperty("console.test.openldap.ldapurl") != null && System.getProperty("console.test.openldap.basedn") != null);
  ```

  Which changes the original tests to sort of integration tests, but the System properties are never set.

- ```
  org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'connectionFactory' defined in null: Could not resolve placeholder 'rabbitmqHost' in value "${rabbitmqHost}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'rabbitmqHost' in value "${rabbitmqHost}"
  ```

- `georchestra.gateway.security.createNonExistingUsersInLDAP` is not true
- `ROLE_` prefix confusion)
- `preauth-org` header for that
- `Authentication` object in the security context (i.e. it does not go through the auth chain, just sets the `GeorchestraUser` request property. It should authenticate and produce a `PreAuthenticatedAuthenticationToken`
`org.georchestra.gateway.security.oauth2.OAuth2Configuration` (see comment about FranceConnect, a French OpenID provider):

```java
/**
 * TODO: REVISIT, we don't know why this bean has been added, but it breaks
 * OAuth2SecurityAutoConfigurationTest as there's no
 * InMemoryReactiveClientRegistrationRepository
 */
// @Bean
ServerLogoutSuccessHandler oidcLogoutSuccessHandler(
```
Current status of the unit test suite:

```
[ERROR] Failures:
[ERROR]   OAuth2SecurityAutoConfigurationTest.testEnabled:61->lambda$testEnabled$0:63
Expecting:
  <Unstarted application context org.springframework.boot.test.context.assertj.AssertableApplicationContext[startupFailure=org.springframework.beans.factory.UnsatisfiedDependencyException]>
to have a single bean of type:
  <org.georchestra.gateway.security.oauth2.OAuth2ProxyConfigProperties>:
but context failed to start:
 org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'oidcLogoutSuccessHandler' defined in org.georchestra.gateway.security.oauth2.OAuth2Configuration: Unsatisfied dependency expressed through method 'oidcLogoutSuccessHandler' parameter 0; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
```
Integration tests look ok.
About the header names: in order to avoid messing around with the headers usually used by geOrchestra and the ones we are receiving in the pre-authentication concept, we decided that using `preauth-*` prefixed headers is more relevant.
I guess we are ready for this one
With one caveat: it is insane to merge the 40 commits in this PR as they're. I don't care if we had to go back and forth on every little thing, apply formatting to one single file, etc etc. All in all, there's no commit message that explains what this is about and provides the context to evaluate it as a whole. What we need to do (as a rule of thumb), is once we're done, distill it in one or two commits with good commit messages.
@pmauduit @marwanehcine @emmdurin I've squashed all the refactoring work performed as part of this PR onto #72 and merged it, leaving this PR to be only about the new feature it's meant to be. Also squashed this PR into a single commit with a sensible explanation. Please review.
@groldan shall we merge ?
Add the ability to proxy pre-authenticated users from a proxy in front of the Gateway.

NOTE this functionality is meant to ONLY be enabled under the following circumstances:

This is so because this patch does NOT include any means of verifying the authenticity of the call from the proxy.

The following headers are expected to be received by the Gateway:

- `sec-georchestra-preauthenticated`: set to `true`
- `preauth-username`: set to the username / user identifier (e.g. "pmauduit")
- `preauth-email`: the email address of the user (e.g. "pierre.mauduit@example.org")
- `preauth-firstname`: the first name of the user (e.g. "Pierre")
- `preauth-lastname`: the surname of the user (e.g. "Mauduit")
- `preauth-org`: the organisation identifier (e.g. "geOrchestra")

Here's a sample `nginx.conf` file to pre-authenticate a fixed user:

Remarks:

- `CreateAccountUserCustomizer` enhanced to account for pre-authenticated users as well as OAuth2 authentications.
- `docker-compose-preauth.yaml`

Co-authored-by: marwanehcine marwane.benhcine@camptocamp.com
Co-authored-by: Pierre Mauduit pierre.mauduit@camptocamp.com
Co-authored-by: Emmanuel Durin emmanuel.durin@camptocamp.com
This feature is similar to the security-proxy's "SP trust SP" one here: https://github.com/georchestra/georchestra/blob/master/security-proxy/src/main/java/org/georchestra/security/ProxyTrustAnotherProxy.java
Supersedes #58
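As an added example (not code from this PR or from the geOrchestra project), the header contract described in the PR mapped onto a user record: the header names and the `true` marker value come from the PR text, while the `enabled` toggle, the case-insensitive lookup, and the rejection of a request that carries the marker without all five `preauth-*` headers are this example's own assumptions, and the sample headers are constructed from the PR's example values.

```python
# Added example (not the PR's or geOrchestra's code). Header names and the "true"
# marker are from the PR text; the "enabled" toggle and strict rejection are assumptions.
from dataclasses import dataclass
from typing import Mapping, Optional

MARKER_HEADER = "sec-georchestra-preauthenticated"
REQUIRED_HEADERS = {  # header name -> attribute of the user record
    "preauth-username": "username",
    "preauth-email": "email",
    "preauth-firstname": "first_name",
    "preauth-lastname": "last_name",
    "preauth-org": "organization",
}


@dataclass(frozen=True)
class PreAuthenticatedUser:
    username: str
    email: str
    first_name: str
    last_name: str
    organization: str


def map_preauth_headers(headers: Mapping[str, str],
                        enabled: bool) -> Optional[PreAuthenticatedUser]:
    """Return the user, or None to fall through to the regular auth chain. The gateway
    cannot verify the caller, so the mapping is honoured only when enabled, and a
    marker without the full contract is rejected rather than half-populated."""
    if not enabled:
        return None
    # HTTP header names are case-insensitive; normalise before lookup
    h = {name.lower(): value.strip() for name, value in headers.items()}
    if h.get(MARKER_HEADER, "").lower() != "true":
        return None
    missing = [name for name in REQUIRED_HEADERS if not h.get(name)]
    if missing:
        raise ValueError(f"pre-authenticated request missing headers: {missing}")
    return PreAuthenticatedUser(**{attr: h[name] for name, attr in REQUIRED_HEADERS.items()})


# Constructed request headers using the PR's own example values.
SAMPLE_HEADERS = {
    "Sec-Georchestra-Preauthenticated": "true",
    "preauth-username": "pmauduit",
    "preauth-email": "pierre.mauduit@example.org",
    "preauth-firstname": "Pierre",
    "preauth-lastname": "Mauduit",
    "preauth-org": "geOrchestra",
}
```

With `enabled=False` the same request yields `None`, i.e. the headers are ignored and the request goes through the normal authentication chain.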