Add pre-auth header authentication to Gateway for trusted proxy

[groldan]

Add the ability to proxy pre-authenticated users from a proxy in front of the Gateway.

NOTE this functionality is meant to ONLY be enabled under the following circumstances:

• The gateway is behing a trusted proxy (e.g. Apache, Nginx, etc.)
• The trusted proxy is in charge of authenticating users any way it desires, and sends a specific set of request headers to the gateway with identity information and authorization info as role names.
• The trusted proxy REMOVES any incoming request header
• There's no other way to reach the gateway from the outside than through the trusted proxy

This is so because this patch does NOT include any means of verifying the authenticity of the call from the proxy.

The following headers are expected to be received by the Gateway:

• sec-georchestra-preauthenticated: set to true
• preauth-username: set to the username / user identifier (e.g. "pmauduit")
• preauth-email: the email address of the user (e.g. "pierre.mauduit@example.org")
• preauth-firstname: the first name of the user (e.g. "Pierre")
• preauth-lastname: the surname of the user (e.g. "Mauduit")
• preauth-org: the organisation identifier (e.g. "geOrchestra")

Here's a sample nginx.conf file to pre-authenticate a fixed user:

server {
    listen       8080;
    server_name  localhost;

    location / {
        proxy_set_header sec-georchestra-preauthenticated "true";
        proxy_set_header  preauth-username    "testadmin";
        proxy_set_header  preauth-email       "psc+testadmin@georchestra.org";
        proxy_set_header  preauth-firstname   "test";
        proxy_set_header  preauth-lastname    "admin";
        proxy_set_header  preauth-org         "georchestra";

        proxy_pass http://gateway:8080;
    }

}

Remarks:

• CreateAccountUserCustomizer enhanced to account for pre-authenticated users as well as OAuth2 authentications.
• A sample docker compose to demonstrate preauth mechanisms is provided at docker-compose-preauth.yaml
• Created integration tests using TestContainers to ensure the LDAP accounts are created when a non existing user is successfully pre-authenticated.

Co-authored-by: marwanehcine marwane.benhcine@camptocamp.com Co-authored-by: Pierre Mauduit pierre.mauduit@camptocamp.com Co-authored-by: Emmanuel Durin emmanuel.durin@camptocamp.com

---

This feature is similar to the security-proxy's "SP trust SP" one here: https://github.com/georchestra/georchestra/blob/master/security-proxy/src/main/java/org/georchestra/security/ProxyTrustAnotherProxy.java

---

Supersedes #58

[groldan]

TODO

Starting off where #58 was left, the following issues are identified:

• [x] The following tests are not run anymore OpenIdConnectUserMapperTest, OAuth2SecurityAutoConfigurationTest. Reason being the following statement added at 3a5d74ce and 3a5d74ce: assumeTrue(System.getProperty("console.test.openldap.ldapurl") != null && System.getProperty("console.test.openldap.basedn") != null);. Which changes the original tests to sort of integration tests but the System properties are never set.
• [x] Make the gateway run without RabbitMQ. Running the application as usual results in

  org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'connectionFactory' defined in null: Could not resolve placeholder 'rabbitmqHost' in value "${rabbitmqHost}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'rabbitmqHost' in value "${rabbitmqHost}"

• [x] Everything should work as usual if georchestra.gateway.security.createNonExistingUsersInLDAP is not true
• [x] docker-compose-preauth composition should work (logged in as testadmin) (ROLE_ prefix confusion)
• [x] new requirement: Create the org and use the preauth-org header for that
• [x] The http authentication does not produce an Authentication object in the security context (i.e. it does not go through the auth chain, just sets the GeorchestraUser request property. It should authenticate and produce a PreAuthenticatedAuthenticationToken
• [x] Documentation
• [x] Concurrency handling for LDAP user creation. If concurrent pre-auth requests are made, the LDAP user is attempted to be created multiple times, with undefined consequences.
• [x] Restore ability to customize the OAuth2 end session endpoint. Commented out to allow tests to pass and because we don't quite understand it. Revisit the following at org.georchestra.gateway.security.oauth2.OAuth2Configuration (see comment about FranceConnect, a french OpenID provider)

  /**
   * TODO: REVISIT, we don't know why this bean has been added, but it breaks
   * OAuth2SecurityAutoConfigurationTest as there's no
   * InMemoryReactiveClientRegistrationRepository
   */
  // @Bean
  ServerLogoutSuccessHandler oidcLogoutSuccessHandler(

TODO after merge

• [ ] synchronize georchestra/datadir/gateway with the state of the datadir/ directory

[pmauduit]

Current status of the unit tests testsuite:

[ERROR] Failures: 
[ERROR]   OAuth2SecurityAutoConfigurationTest.testEnabled:61->lambda$testEnabled$0:63 
Expecting:
 <Unstarted application context org.springframework.boot.test.context.assertj.AssertableApplicationContext[startupFailure=org.springframework.beans.factory.UnsatisfiedDependencyException]>
to have a single bean of type:
 <org.georchestra.gateway.security.oauth2.OAuth2ProxyConfigProperties>:
but context failed to start:
 org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'oidcLogoutSuccessHandler' defined in org.georchestra.gateway.security.oauth2.OAuth2Configuration: Unsatisfied dependency expressed through method 'oidcLogoutSuccessHandler' parameter 0; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}

integration tests looks ok

[pmauduit]

About the headers name, in order to avoid messing around with headers being used by geOrchestra usually and the ones we are receiving in the preauthentication concept, we decided that using preauth-* prefixed headers is more relevant.

[emmdurin]

We had to merge PR#62 as having RabbitMQ mandatory became too annoying. So I rebased this PR on it, keeping the changes to what was intended. For reference, old branch is still available here.

[pmauduit]

I guess we are ready for this one

[groldan]

I guess we are ready for this one

With one caveat: it is insane to merge the 40 commits in this PR as they're. I don't care if we had to go back and forth on every little thing, apply formatting to one single file, etc etc. All in all, there's no commit message that explains what this is about and provides the context to evaluate it as a whole. What we need to do (as a rule of thumb), is once we're done, distill it in one or two commits with good commit messages.

[groldan]

@pmauduit @marwanehcine @emmdurin I've squashed all the refactoring work performed as part of this PR onto #72 and merged it, leaving this PR to be only about the new feature it's meant to be. Also squashed this PR into a single commit with a sensible explanation. Please review.

[pmauduit]

@groldan shall we merge ?