FS-4794 enable SSO active directory login feature in designer side (#93)

* FS-4794: adding sso auth into designer

* FS-4794: adding co - pilot configs

* e2e fix for designer

* ignore login if there is no auth also remove sign out button from the login screen adding common footer

* adding fixes for e2e

Author: nuwan-samarasinghe

.run/DESIGNER No AUTH.run.xml

@@ -10,6 +10,8 @@
     <envs>
       <env name="ACCESSIBILITY_STATEMENT_URL" value="http://localhost:3008/accessibility_statement" />
       <env name="ALLOW_USER_TEMPLATES" value="true" />
+      <env name="AUTH_COOKIE_NAME" value="fsd_user_token" />
+      <env name="AUTH_ENABLED" value="false" />
       <env name="AWS_ACCESS_KEY_ID" value="FSDIOSFODNN7EXAMPLE" />
       <env name="AWS_BUCKET_NAME" value="fsd-bucket" />
       <env name="AWS_DEFAULT_REGION" value="eu-west-2" />
@@ -21,13 +23,11 @@
       <env name="COOKIE_POLICY_URL" value="http://localhost:3008/cookie_policy" />
       <env name="ELIGIBILITY_RESULT_URL" value="http://localhost:3008/eligibility-result" />
       <env name="FEEDBACK_LINK" value="http://localhost:3008/feedback" />
-      <env name="JWT_AUTH_COOKIE_NAME" value="fsd_user_token" />
-      <env name="JWT_AUTH_ENABLED" value="false" />
-      <env name="JWT_REDIRECT_TO_AUTHENTICATION_URL" value="http://localhost:3004/sessions/sign-out" />
       <env name="LOG_LEVEL" value="debug" />
       <env name="LOGOUT_URL" value="http://localhost:3004/sessions/sign-out" />
       <env name="MULTIFUND_URL" value="http://localhost:3008/account" />
       <env name="PRIVACY_POLICY_URL" value="http://localhost:3008/privacy" />
+      <env name="REDIRECT_TO_AUTHENTICATION_URL" value="http://localhost:3004/sessions/sign-out" />
       <env name="RSA256_PUBLIC_KEY_BASE64" value="&quot;LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTUFEQ0JpQUtCZ0hHYnRGMXlWR1crckNBRk9JZGFrVVZ3Q2Z1dgp4SEUzOGxFL2kwS1dwTXdkU0haRkZMWW5IakJWT09oMTVFaWl6WXphNEZUSlRNdkwyRTRRckxwcVlqNktFNnR2CkhyaHlQL041ZnlwU3p0OHZDajlzcFo4KzBrRnVjVzl6eU1rUHVEaXNZdG1rV0dkeEJta2QzZ3RZcDNtT0k1M1YKVkRnS2J0b0lGVTNzSWs1TkFnTUJBQUU9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ\=\=&quot;" />
       <env name="SERVICE_START_PAGE" value="http://localhost:3008/account" />
     </envs>
@@ -44,4 +44,4 @@
       </option>
     </method>
   </configuration>
-</component>
+</component>

copilot/fsd-form-designer-adapter/manifest.yml

@@ -55,6 +55,11 @@ variables:
   CHOKIDAR_USEPOLLING: true
   PREVIEW_URL: "https://forms.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk"
   PUBLISH_URL: "http://fsd-form-runner-adapter:3009"
+  AUTH_SERVICE_URL: "https://authenticator.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk"
+  SSO_LOGIN_URL: "/sso/login?return_app=form-designer"
+  SSO_LOGOUT_URL: "/sessions/sign-out"
+  AUTH_COOKIE_NAME: "fsd_user_token"
+  AUTH_ENABLED: true
 
 secrets:
   RSA256_PUBLIC_KEY_BASE64: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/RSA256_PUBLIC_KEY_BASE64
@@ -65,6 +70,38 @@ environments:
   dev:
     count:
       spot: 1
+  sidecars:
+    nginx:
+      port: 8087
+      image:
+        location: xscys/nginx-sidecar-basic-auth
+      variables:
+        FORWARD_PORT: 8080
+        CLIENT_MAX_BODY_SIZE: 10m
+      secrets:
+        BASIC_AUTH_USERNAME: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/BASIC_AUTH_USERNAME
+        BASIC_AUTH_PASSWORD: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/BASIC_AUTH_PASSWORD
+  http:
+    target_container: nginx
+    healthcheck:
+      path: /healthcheck
+      port: 8080
   test:
     count:
       spot: 2
+    sidecars:
+      nginx:
+        port: 8087
+        image:
+          location: xscys/nginx-sidecar-basic-auth
+        variables:
+          FORWARD_PORT: 8080
+          CLIENT_MAX_BODY_SIZE: 10m
+        secrets:
+          BASIC_AUTH_USERNAME: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/BASIC_AUTH_USERNAME
+          BASIC_AUTH_PASSWORD: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/BASIC_AUTH_PASSWORD
+    http:
+      target_container: nginx
+      healthcheck:
+        path: /healthcheck
+        port: 8080

designer/server/config.ts

@@ -0,0 +1,143 @@
+import dotenv from "dotenv";
+import joi from "joi";
+import {CredentialsOptions} from "aws-sdk/lib/credentials";
+import * as AWS from "aws-sdk";
+
+dotenv.config({path: ".env"});
+
+export interface Config {
+    env: "development" | "test" | "production";
+    port: number;
+    previewUrl: string;
+    publishUrl: string;
+    persistentBackend: "s3" | "blob" | "preview";
+    s3Bucket?: string;
+    logLevel: "trace" | "info" | "debug" | "error";
+    phase?: "alpha" | "beta";
+    footerText?: string;
+    isProd: boolean;
+    isDev: boolean;
+    isTest: boolean;
+    lastCommit: string;
+    lastTag: string;
+    sessionTimeout: number;
+    sessionCookiePassword: string;
+    awsCredentials?: CredentialsOptions;
+    authEnabled: boolean,
+    ssoLoginUrl: string,
+    ssoLogoutUrl: string,
+    authServiceUrl: string,
+    rsa256PublicKeyBase64: string,
+    authCookieName: string,
+}
+
+// server-side storage expiration - defaults to 20 minutes
+const sessionSTimeoutInMilliseconds = 20 * 60 * 1000;
+
+// Define config schema
+const schema = joi.object({
+    port: joi.number().default(3000),
+    env: joi
+        .string()
+        .valid("development", "test", "production")
+        .default("development"),
+    previewUrl: joi.string(),
+    publishUrl: joi.string(),
+    persistentBackend: joi.string().valid("s3", "blob", "preview").optional(),
+    s3Bucket: joi.string().optional(),
+    logLevel: joi
+        .string()
+        .valid("trace", "info", "debug", "error")
+        .default("debug"),
+    phase: joi.string().valid("alpha", "beta").optional(),
+    footerText: joi.string().optional(),
+    lastCommit: joi.string().default("undefined"),
+    lastTag: joi.string().default("undefined"),
+    sessionTimeout: joi.number().default(sessionSTimeoutInMilliseconds),
+    sessionCookiePassword: joi.string().optional(),
+    authEnabled: joi.string().required(),
+    ssoLoginUrl: joi.string().optional(),
+    ssoLogoutUrl: joi.string().optional(),
+    authServiceUrl: joi.string().optional(),
+    rsa256PublicKeyBase64: joi.string().optional(),
+    authCookieName: joi.string().optional(),
+});
+
+// Build config
+const config = {
+    port: process.env.PORT,
+    env: process.env.NODE_ENV,
+    previewUrl: process.env.PREVIEW_URL || "http://localhost:3009",
+    publishUrl: process.env.PUBLISH_URL || "http://localhost:3009",
+    persistentBackend: process.env.PERSISTENT_BACKEND || "preview",
+    s3Bucket: process.env.S3_BUCKET,
+    logLevel: process.env.LOG_LEVEL || "error",
+    phase: process.env.PHASE || "alpha",
+    footerText: process.env.FOOTER_TEXT,
+    lastCommit: process.env.LAST_COMMIT || process.env.LAST_COMMIT_GH,
+    lastTag: process.env.LAST_TAG || process.env.LAST_TAG_GH,
+    sessionTimeout: process.env.SESSION_TIMEOUT,
+    sessionCookiePassword: process.env.SESSION_COOKIE_PASSWORD,
+    authEnabled: process.env.AUTH_ENABLED,
+    ssoLoginUrl: process.env.SSO_LOGIN_URL,
+    ssoLogoutUrl: process.env.SSO_LOGOUT_URL,
+    authServiceUrl: process.env.AUTH_SERVICE_URL,
+    rsa256PublicKeyBase64: process.env.RSA256_PUBLIC_KEY_BASE64,
+    authCookieName: process.env.AUTH_COOKIE_NAME,
+};
+
+// Validate config
+const result = schema.validate(
+    {
+        ...config,
+    },
+    {abortEarly: false}
+);
+
+// Throw if config is invalid
+if (result.error) {
+    throw new Error(`The server config is invalid. ${result.error.message}`);
+}
+
+// Use the joi validated value
+const value: Config = result.value;
+
+/**
+ * TODO:- replace this with a top-level await when upgraded to node 16
+ */
+async function getAwsConfigCredentials(): Promise<CredentialsOptions | {}> {
+    return new Promise(function (resolve, reject) {
+        if (value.persistentBackend === "s3") {
+            return AWS.config.getCredentials(async function (err) {
+                if (err) {
+                    console.error("Error getting AWS credentials", err);
+                    reject(err);
+                } else {
+                    resolve({
+                        // @ts-ignore
+                        accessKeyId: AWS.config.credentials.accessKeyId,
+                        // @ts-ignore
+                        secretAccessKey: AWS.config.credentials.secretAccessKey,
+                    });
+                }
+            });
+        } else {
+            resolve({});
+        }
+    });
+}
+
+getAwsConfigCredentials()
+    .then((awsConfig) => {
+        // @ts-ignore
+        value.awsCredentials = awsConfig;
+    })
+    .catch((e) => {
+        throw e;
+    });
+
+value.isProd = value.env === "production";
+value.isDev = !value.isProd;
+value.isTest = value.env === "test";
+
+export default value;

designer/server/createServer.ts

@@ -10,6 +10,8 @@ import {determinePersistenceService} from "../../digital-form-builder/designer/s
 import {configureBlankiePlugin} from "../../digital-form-builder/designer/server/plugins/blankie";
 import {configureYarPlugin} from "../../digital-form-builder/designer/server/plugins/session";
 import {designerPlugin} from "./plugins/DesignerRouteRegister";
+import errorHandlerPlugin from "./plugins/ErrorHandlerPlugin";
+import authPlugin from "./plugins/AuthPlugin";
 
 const serverOptions = () => {
     return {
@@ -40,6 +42,9 @@ const serverOptions = () => {
 export async function createServer() {
     //@ts-ignore
     const server = hapi.server(serverOptions());
+    await server.register(errorHandlerPlugin);
+    //@ts-ignore
+    await server.register(authPlugin);
     await server.register(inert);
     await server.register(Scooter);
     //@ts-ignore

designer/server/plugins/AuthPlugin.ts

@@ -0,0 +1,68 @@
+
+import JwtPlugin from "hapi-auth-jwt2"
+import {HapiServer} from "../../../digital-form-builder/designer/server/types";
+import config from "../config";
+
+export const jwtAuthStrategyName = "jwt_auth";
+
+// rsa256Options()
+// Returns configuration options for rsa256 auth strategy
+export function rsa256Options(jwtAuthCookieName) {
+    return {
+        key: keyFunc,
+        validate,
+        verifyOptions: {
+            algorithms: ["RS256"],
+        },
+        urlKey: false,
+        cookieKey: jwtAuthCookieName,
+    };
+}
+
+// keyFunc returns the key and any additional context required to
+// pass to validate the function (below) to validate signature
+// this is normally used to look up keys from list in a multi-tenant scenario
+const keyFunc = async function (decoded) {
+    const key = Buffer.from(config.rsa256PublicKeyBase64 ?? "", "base64");
+    return {key, additional: decoded};
+};
+
+// validate()
+// Checks validity of user credentials
+// @ts-ignore
+const validate = async function (decoded, request, h) {
+    // This runs if the jwt signature is verified
+    // It must return an object with an 'isValid' boolean property,
+    // this allows the user to continue if true or raises a 401 if false
+    const credentials = decoded;
+    if (request.plugins["hapi-auth-jwt2"]) {
+        credentials.extraInfo = request.plugins["hapi-auth-jwt2"].extraInfo;
+    }
+    if (!decoded.accountId) {
+        request.logger.error(
+            "JWT token has no accountID in jwt: " + credentials.extraInfo.toString()
+        );
+        return {isValid: false};
+    } else {
+        return {isValid: true, credentials};
+    }
+};
+
+export default {
+    plugin: {
+        name: "auth",
+        register: async (server: HapiServer) => {
+            // @ts-ignore
+            if (config.authEnabled && config.authEnabled === "true") {
+                // @ts-ignore
+                await server.register(JwtPlugin);
+                console.log(`JWT Authentication Enabled: ${config.authEnabled}`);
+                console.log(`JWT Authentication cookie name: ${config.rsa256PublicKeyBase64}`);
+                console.log(`JWT Authentication strategy name: ${jwtAuthStrategyName}`);
+                server.auth.strategy(jwtAuthStrategyName, "jwt", rsa256Options(config.authCookieName));
+            } else {
+                return;
+            }
+        },
+    },
+};