Merge pull request ceph#58456 from rhcs-dashboard/auth2-sso

mgr/dashboard: Add SSO through oauth2 protocol

Reviewed-by: afreen23 <NOT@FOUND>
Reviewed-by: Ernesto Puerta <[email protected]>
Reviewed-by: Nizamudeen A <[email protected]>
Reviewed-by: Redouane Kachach <[email protected]>

Author: Pegonzal

qa/tasks/mgr/dashboard/test_auth.py

@@ -152,7 +152,8 @@ def test_logout(self):
         self._post("/api/auth/logout")
         self.assertStatus(200)
         self.assertJsonBody({
-            "redirect_url": "#/login"
+            "redirect_url": "#/login",
+            "protocol": 'local'
         })
         self._get("/api/host", version='1.1')
         self.assertStatus(401)
@@ -167,7 +168,8 @@ def test_logout(self):
         self._post("/api/auth/logout", set_cookies=True)
         self.assertStatus(200)
         self.assertJsonBody({
-            "redirect_url": "#/login"
+            "redirect_url": "#/login",
+            "protocol": 'local'
         })
         self._get("/api/host", set_cookies=True, version='1.1')
         self.assertStatus(401)

src/pybind/mgr/dashboard/controllers/auth.py

@@ -10,7 +10,7 @@
 
 from .. import mgr
 from ..exceptions import InvalidCredentialsError, UserDoesNotExist
-from ..services.auth import AuthManager, JwtManager
+from ..services.auth import AuthManager, AuthType, BaseAuth, JwtManager, OAuth2
 from ..services.cluster import ClusterModel
 from ..settings import Settings
 from . import APIDoc, APIRouter, ControllerAuthMixin, EndpointDoc, RESTController, allow_empty_body
@@ -132,7 +132,7 @@ def create(self, username, password, ttl: Optional[int] = None):
                     'username': username,
                     'permissions': user_perms,
                     'pwdExpirationDate': pwd_expiration_date,
-                    'sso': mgr.SSO_DB.protocol == 'saml2',
+                    'sso': BaseAuth.from_protocol(mgr.SSO_DB.protocol).sso,
                     'pwdUpdateRequired': pwd_update_required
                 }
             mgr.ACCESS_CTRL_DB.increment_attempt(username)
@@ -156,37 +156,33 @@ def create(self, username, password, ttl: Optional[int] = None):
     @RESTController.Collection('POST')
     @allow_empty_body
     def logout(self):
-        logger.debug('Logout successful')
-        token = JwtManager.get_token_from_header()
+        logger.debug('Logout started')
+        token = JwtManager.get_token(cherrypy.request)
         JwtManager.blocklist_token(token)
         self._delete_token_cookie(token)
-        redirect_url = '#/login'
-        if mgr.SSO_DB.protocol == 'saml2':
-            redirect_url = 'auth/saml2/slo'
         return {
-            'redirect_url': redirect_url
+            'redirect_url': BaseAuth.from_db(mgr.SSO_DB).LOGOUT_URL,
+            'protocol': BaseAuth.from_db(mgr.SSO_DB).get_auth_name()
         }
 
-    def _get_login_url(self):
-        if mgr.SSO_DB.protocol == 'saml2':
-            return 'auth/saml2/login'
-        return '#/login'
-
     @RESTController.Collection('POST', query_params=['token'])
     @EndpointDoc("Check token Authentication",
                  parameters={'token': (str, 'Authentication Token')},
                  responses={201: AUTH_CHECK_SCHEMA})
     def check(self, token):
         if token:
-            user = JwtManager.get_user(token)
+            if mgr.SSO_DB.protocol == AuthType.OAUTH2:
+                user = OAuth2.get_user(token)
+            else:
+                user = JwtManager.get_user(token)
             if user:
                 return {
                     'username': user.username,
                     'permissions': user.permissions_dict(),
-                    'sso': mgr.SSO_DB.protocol == 'saml2',
+                    'sso': BaseAuth.from_db(mgr.SSO_DB).sso,
                     'pwdUpdateRequired': user.pwd_update_required
                 }
         return {
-            'login_url': self._get_login_url(),
+            'login_url': BaseAuth.from_db(mgr.SSO_DB).LOGIN_URL,
             'cluster_status': ClusterModel.from_db().dict()['status']
         }

src/pybind/mgr/dashboard/controllers/oauth2.py

@@ -0,0 +1,32 @@
+import cherrypy
+
+from dashboard.exceptions import DashboardException
+from dashboard.services.auth.oauth2 import OAuth2
+
+from . import Endpoint, RESTController, Router
+
+
+@Router('/auth/oauth2', secure=False)
+class Oauth2(RESTController):
+
+    @Endpoint(json_response=False, version=None)
+    def login(self):
+        if not OAuth2.enabled():
+            raise DashboardException(500, msg='Failed to login: SSO OAuth2 is not enabled')
+
+        token = OAuth2.get_token(cherrypy.request)
+        if not token:
+            raise cherrypy.HTTPError()
+
+        raise cherrypy.HTTPRedirect(OAuth2.get_login_redirect_url(token))
+
+    @Endpoint(json_response=False, version=None)
+    def logout(self):
+        if not OAuth2.enabled():
+            raise DashboardException(500, msg='Failed to logout: SSO OAuth2 is not enabled')
+
+        token = OAuth2.get_token(cherrypy.request)
+        if not token:
+            raise cherrypy.HTTPError()
+
+        raise cherrypy.HTTPRedirect(OAuth2.get_logout_redirect_url(token))

src/pybind/mgr/dashboard/controllers/saml2.py

@@ -37,7 +37,7 @@ def _check_python_saml():
         if not python_saml_imported:
             raise cherrypy.HTTPError(400, 'Required library not found: `python3-saml`')
         try:
-            OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
+            OneLogin_Saml2_Settings(mgr.SSO_DB.config.onelogin_settings)
         except OneLogin_Saml2_Error:
             raise cherrypy.HTTPError(400, 'Single Sign-On is not configured.')
 
@@ -46,19 +46,19 @@ def _check_python_saml():
     def auth_response(self, **kwargs):
         Saml2._check_python_saml()
         req = Saml2._build_req(self._request, kwargs)
-        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
+        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.config.onelogin_settings)
         auth.process_response()
         errors = auth.get_errors()
 
         if auth.is_authenticated():
             JwtManager.reset_user()
-            username_attribute = auth.get_attribute(mgr.SSO_DB.saml2.get_username_attribute())
+            username_attribute = auth.get_attribute(mgr.SSO_DB.config.get_username_attribute())
             if username_attribute is None:
                 raise cherrypy.HTTPError(400,
                                          'SSO error - `{}` not found in auth attributes. '
                                          'Received attributes: {}'
                                          .format(
-                                             mgr.SSO_DB.saml2.get_username_attribute(),
+                                             mgr.SSO_DB.config.get_username_attribute(),
                                              auth.get_attributes()))
             username = username_attribute[0]
             url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
@@ -85,29 +85,29 @@ def auth_response(self, **kwargs):
     @Endpoint(xml=True, version=None)
     def metadata(self):
         Saml2._check_python_saml()
-        saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
+        saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.config.onelogin_settings)
         return saml_settings.get_sp_metadata()
 
     @Endpoint(json_response=False, version=None)
     def login(self):
         Saml2._check_python_saml()
         req = Saml2._build_req(self._request, {})
-        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
+        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.config.onelogin_settings)
         raise cherrypy.HTTPRedirect(auth.login())
 
     @Endpoint(json_response=False, version=None)
     def slo(self):
         Saml2._check_python_saml()
         req = Saml2._build_req(self._request, {})
-        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
+        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.config.onelogin_settings)
         raise cherrypy.HTTPRedirect(auth.logout())
 
     @Endpoint(json_response=False, version=None)
     def logout(self, **kwargs):
         # pylint: disable=unused-argument
         Saml2._check_python_saml()
         JwtManager.reset_user()
-        token = JwtManager.get_token_from_header()
+        token = JwtManager.get_token(cherrypy.request)
         self._delete_token_cookie(token)
         url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
         raise cherrypy.HTTPRedirect("{}/#/login".format(url_prefix))

src/pybind/mgr/dashboard/frontend/src/app/shared/api/auth.service.ts

@@ -42,6 +42,9 @@ export class AuthService {
   logout(callback: Function = null) {
     return this.http.post('api/auth/logout', null).subscribe((resp: any) => {
       this.authStorageService.remove();
+      if (resp.protocol == 'oauth2') {
+        return window.location.replace(resp.redirect_url);
+      }
       const url = _.get(this.route.snapshot.queryParams, 'returnUrl', '/login');
       this.router.navigate([url], { skipLocationChange: true });
       if (callback) {

src/pybind/mgr/dashboard/module.py

@@ -275,6 +275,7 @@ class Module(MgrModule, CherryPyConfig):
                min=400, max=599),
         Option(name='redirect_resolve_ip_addr', type='bool', default=False),
         Option(name='cross_origin_url', type='str', default=''),
+        Option(name='sso_oauth2', type='bool', default=False),
     ]
     MODULE_OPTIONS.extend(options_schema_list())
     for options in PLUGIN_MANAGER.hook.get_options() or []:

src/pybind/mgr/dashboard/services/access_control.py

@@ -193,6 +193,15 @@ def from_dict(cls, r_dict):
         return Role(r_dict['name'], r_dict['description'],
                     r_dict['scopes_permissions'])
 
+    @classmethod
+    def map_to_system_roles(cls, roles) -> List['Role']:
+        matches = []
+        for rn in SYSTEM_ROLES_NAMES:
+            for role in roles:
+                if role in SYSTEM_ROLES_NAMES[rn]:
+                    matches.append(rn)
+        return matches
+
 
 # static pre-defined system roles
 # this roles cannot be deleted nor updated
@@ -283,6 +292,12 @@ def from_dict(cls, r_dict):
     GANESHA_MGR_ROLE.name: GANESHA_MGR_ROLE,
 }
 
+# static name-like roles list for role mapping
+SYSTEM_ROLES_NAMES = {
+    ADMIN_ROLE: [ADMIN_ROLE.name, 'admin'],
+    READ_ONLY_ROLE: [READ_ONLY_ROLE.name, 'read', 'guest', 'monitor']
+}
+
 
 class User(object):
     def __init__(self, username, password, name=None, email=None, roles=None,

src/pybind/mgr/dashboard/services/auth/__init__.py

@@ -0,0 +1,16 @@
+from .auth import AuthManager, AuthManagerTool, AuthType, BaseAuth, \
+    JwtManager, SSOAuth, decode_jwt_segment
+from .oauth2 import OAuth2
+from .saml2 import Saml2
+
+__all__ = [
+    'AuthManager',
+    'AuthManagerTool',
+    'AuthType',
+    'BaseAuth',
+    'SSOAuth',
+    'JwtManager',
+    'decode_jwt_segment',
+    'Saml2',
+    'OAuth2'
+]