refactor(calm-hub-ui): improve authorization header handling when hosted behind ADC/reverse proxy (#1780)

* refactor(calm-hub-ui): improve authorization header handling when hosted behind ADC/reverse proxy

set AUTH_SERVICE_OIDC_ENABLE to true when backend is running with secure profile

* docs(calm-hub): update setup instructions for secure profile

* docs(calm-hub): update setup instructions for secure profile

* refactor(calm-hub): addressing review comments

* docs(calm-hub): Update readme instructions to launch calm-hub using a secure profile

Author: challamani-ms

calm-hub-ui/src/authService.tsx

@@ -1,7 +1,7 @@
 import { UserManager, Log, User } from 'oidc-client';
 
 const config = {
-    authority: 'https://localhost:9443/realms/calm-hub-realm',
+    authority: 'https://calm-hub.finos.org:9443/realms/calm-hub-realm',
     client_id: 'calm-hub-authz-code',
     redirect_uri: window.location.origin,
     response_type: 'code',
@@ -12,9 +12,20 @@ const config = {
     loadUserInfo: true,
 };
 
+//Set AUTH_SERVICE_OIDC_ENABLE to true only when the backend is running with a secure profile and is NOT behind an ADC/Reverse-Proxy that handles user authentication.
+export const AUTH_SERVICE_OIDC_ENABLE: boolean = false;
 let userManager: UserManager | null = null;
-const isHttps = window.location.protocol === 'https:';
-if (isHttps) {
+
+export function isAuthServiceEnabled(): boolean {
+    const oidcEnabled = AUTH_SERVICE_OIDC_ENABLE;
+    const isHttps =
+        typeof window !== 'undefined' &&
+        typeof window.location !== 'undefined' &&
+        window.location.protocol === 'https:';
+    return (oidcEnabled && isHttps);
+}
+
+if (isAuthServiceEnabled()) {
     userManager = new UserManager(config);
     Log.logger = console;
     Log.level = Log.INFO;
@@ -56,7 +67,7 @@ export async function clearSession(): Promise<void> {
 }
 
 export async function getToken(): Promise<string> {
-    if (!isHttps) {
+    if (!AUTH_SERVICE_OIDC_ENABLE) {
         return '';
     }
     const user = await userManager?.getUser();
@@ -76,6 +87,15 @@ export async function getToken(): Promise<string> {
     return '';
 }
 
+export async function getAuthHeaders(): Promise<HeadersInit> {
+    const accessToken = await getToken();
+    const headers: HeadersInit = {};
+    if (accessToken) {
+        headers['Authorization'] = `Bearer ${accessToken}`;
+    }
+    return headers;
+}
+
 export async function checkAuthorityService(): Promise<boolean> {
     try {
         const response = await fetch(config.authority, { method: 'HEAD' });
@@ -93,4 +113,6 @@ export const authService = {
     logout,
     clearSession,
     getToken,
+    getAuthHeaders,
+    isAuthServiceEnabled,
 };

calm-hub-ui/src/index.tsx

@@ -2,7 +2,7 @@ import './index.css';
 import React from 'react';
 import ReactDOM from 'react-dom/client';
 import ProtectedRoute from './ProtectedRoute.js';
-import { authService } from './authService.js';
+import { isAuthServiceEnabled, authService } from './authService.js';
 import App from './App.js';
 
 const root = ReactDOM.createRoot(document.getElementById('root') as HTMLElement);
@@ -19,11 +19,11 @@ const LogoutButton: React.FC = () => {
     );
 };
 
-const isHttps = window.location.protocol === 'https:';
+const isAuthenticationEnabled = isAuthServiceEnabled();
 
 root.render(
     <React.StrictMode>
-        {isHttps ? (
+        {isAuthenticationEnabled ? (
             <ProtectedRoute>
                 <App />
                 <LogoutButton />

calm-hub-ui/src/service/adr-service/adr-service.tsx

@@ -1,5 +1,5 @@
 import axios, { AxiosInstance } from 'axios';
-import { getToken } from '../../authService.js';
+import { getAuthHeaders } from '../../authService.js';
 import { CalmAdrMeta } from '@finos/calm-shared/src/view-model/adr.js';
 
 export class AdrService {
@@ -16,11 +16,10 @@ export class AdrService {
      * Fetch adr IDs for a given namespace and set them using the provided setter function.
      */
     async fetchAdrIDs(namespace: string) : Promise<number[]> {
+        const headers = await getAuthHeaders();
         return this.ax
             .get(`/calm/namespaces/${namespace}/adrs`, {
-                headers: {
-                    Authorization: `Bearer ${await getToken()}`,
-                },
+                headers,
             })
             .then((res) => res.data.values)
             .catch((error) => {
@@ -34,11 +33,10 @@ export class AdrService {
      * Fetch revisions for a given namespace and adr ID and set them using the provided setter function.
      */
     async fetchAdrRevisions(namespace: string, adrID: string): Promise<number[]> {
+        const headers = await getAuthHeaders();
         return this.ax
             .get(`/calm/namespaces/${namespace}/adrs/${adrID}/revisions`, {
-                headers: {
-                    Authorization: `Bearer ${await getToken()}`,
-                },
+                headers,
             })
             .then((res) => res.data.values)
             .catch((error) => {
@@ -52,11 +50,10 @@ export class AdrService {
      * Fetch a specific adr by namespace, adr ID, and revision, and set it using the provided setter function.
      */
     async fetchAdr(namespace: string, adrID: string, revision: string): Promise<CalmAdrMeta> {
+        const headers = await getAuthHeaders();
         return this.ax
             .get(`/calm/namespaces/${namespace}/adrs/${adrID}/revisions/${revision}`, {
-                headers: {
-                    Authorization: `Bearer ${await getToken()}`,
-                },
+                headers,
             })
             .then((res) => res.data)
             .catch((error) => {

calm-hub-ui/src/service/calm-service.tsx

@@ -1,15 +1,15 @@
 import { Data } from '../model/calm.js';
-import { getToken } from '../authService.js';
+import { getAuthHeaders } from '../authService.js';
 
 /**
  * Fetch namespaces and set them using the provided setter function.
  */
 export async function fetchNamespaces(setNamespaces: (namespaces: string[]) => void) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch('/calm/namespaces', {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setNamespaces(data.values);
@@ -26,10 +26,10 @@ export async function fetchPatternIDs(
     setPatternIDs: (patternIDs: string[]) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(`/calm/namespaces/${namespace}/patterns`, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setPatternIDs(data.values.map((num: number) => num.toString()));
@@ -43,10 +43,10 @@ export async function fetchPatternIDs(
  */
 export async function fetchFlowIDs(namespace: string, setFlowIDs: (flowIDs: string[]) => void) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(`/calm/namespaces/${namespace}/flows`, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setFlowIDs(data.values.map((id: number) => id.toString()));
@@ -64,10 +64,10 @@ export async function fetchPatternVersions(
     setVersions: (versions: string[]) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(`/calm/namespaces/${namespace}/patterns/${patternID}/versions`, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setVersions(data.values);
@@ -85,10 +85,10 @@ export async function fetchFlowVersions(
     setFlowVersions: (flowVersions: string[]) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(`/calm/namespaces/${namespace}/flows/${flowID}/versions`, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setFlowVersions(data.values);
@@ -107,12 +107,12 @@ export async function fetchPattern(
     setPattern: (pattern: Data) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(
             `/calm/namespaces/${namespace}/patterns/${patternID}/versions/${version}`,
             {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${accessToken}` },
+                headers,
             }
         );
         const response = await res.json();
@@ -142,12 +142,12 @@ export async function fetchFlow(
     setFlow: (flow: Data) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(
             `/calm/namespaces/${namespace}/flows/${flowID}/versions/${version}`,
             {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${accessToken}` },
+                headers,
             }
         );
         const response = await res.json();
@@ -175,10 +175,10 @@ export async function fetchArchitectureIDs(
     setArchitectureIDs: (architectureIDs: string[]) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(`/calm/namespaces/${namespace}/architectures`, {
             method: 'GET',
-            headers: { Authorization: `Bearer ${accessToken}` },
+            headers,
         });
         const data = await res.json();
         setArchitectureIDs(data.values.map((id: number) => id.toString()));
@@ -196,12 +196,12 @@ export async function fetchArchitectureVersions(
     setVersions: (versions: string[]) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(
             `/calm/namespaces/${namespace}/architectures/${architectureID}/versions`,
             {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${accessToken}` },
+                headers,
             }
         );
         const data = await res.json();
@@ -221,12 +221,12 @@ export async function fetchArchitecture(
     setArchitecture: (architecture: Data) => void
 ) {
     try {
-        const accessToken = await getToken();
+        const headers = await getAuthHeaders();
         const res = await fetch(
             `/calm/namespaces/${namespace}/architectures/${architectureID}/versions/${version}`,
             {
                 method: 'GET',
-                headers: { Authorization: `Bearer ${accessToken}` },
+                headers,
             }
         );
         const response = await res.json();

calm-hub/README.md

@@ -124,14 +124,14 @@ From the `calm-hub` directory
 
 From the `keycloak-dev` directory in `calm-hub`
 
-Create certs for KeyCloak:
+Create self-signed X.509 certificate for Keycloak:
 
 ```shell
   mkdir ./certs &&
   openssl req -x509 -newkey rsa:2048 \
     -keyout ./certs/key.pem \
     -out ./certs/cert.pem -days 90 -nodes \
-    -subj "/C=GB/ST=England/L=Manchester/O=finos/OU=Technology/CN=idp.finos.org"
+    -subj "/C=GB/ST=England/L=Manchester/O=finos/OU=Technology/CN=calm-hub.finos.org"
 ```
 
 Launch KeyCloak:
@@ -142,12 +142,12 @@ docker-compose up
 - Open KeyCloak UI: https://localhost:9443, login with admin user.
 - Switch realm from `master` to `calm-hub-realm`.
 - You can find a `demo` user with a temporary credentials under `calm-hub-realm` realm.
-- During the local development, the `demo` user you can use to authenticate with `keycloak-dev` when you integrate the `calm-ui` with `authorization-code` flow type.
+- During local development, you can use the `demo` user to authenticate with `keycloak-dev` when integrating calm-ui using the `authorization code flow`.
 
 #### Server Side with secure profile
 
 From the `calm-hub` directory
-1. Create a server side certificates
+1. Create a server-side certificate
     ```shell
     openssl req -x509 -newkey rsa:2048 \
       -keyout ./src/main/resources/key.pem \
@@ -156,7 +156,11 @@ From the `calm-hub` directory
     ```
 2. `../mvnw package`
 3. `../mvnw quarkus:dev -Dquarkus.profile=secure`
-4. Open Calm UI: https://localhost:8443
+4. When using a self-signed certificate, you have two options to avoid the `No name matching localhost found` CertificateException in the backend.
+   1. Add a host entry in `/etc/hosts` file, for example `127.0.0.1 calm-hub.finos.org`
+   2. Alternatively, create the self-signed certificate with localhost as the CN or SAN.
+5. Some browsers may block `.well-known` endpoints that use self-signed certificates (e.g., https://calm-hub.finos.org:9443/realms/calm-hub-realm/.well-known/openid-configuration). Ensure these endpoints are accessible in your browser before accessing `calm-hub-ui`.
+6. Open Calm UI at the URL matching your self-signed certificate’s CN: https://calm-hub.finos.org:8443 or https://localhost:8443.
 
 ### UI with hot reload (from src/main/webapp)
 

calm-hub/keycloak-dev/device-code-flow.sh

@@ -2,12 +2,16 @@
 
 CLIENT_ID="calm-hub-admin-app"
 SCOPE="namespace:admin"
-DEVICE_AUTH_ENDPOINT="https://localhost:9443/realms/calm-hub-realm/protocol/openid-connect/auth/device"
+DEVICE_AUTH_ENDPOINT="https://calm-hub.finos.org:9443/realms/calm-hub-realm/protocol/openid-connect/auth/device"
 DEVICE_AUTH_RESPONSE=$(curl --insecure -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "client_id=$CLIENT_ID" -d "scope=$SCOPE" \
   $DEVICE_AUTH_ENDPOINT)
 
+BLUE="\033[0;34m"
+YELLOW="\033[0;33m"
+NC="\033[0m"
+
 # Extract values from the device auth response.
 DEVICE_CODE=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.device_code')
 USER_CODE=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.user_code')
@@ -16,10 +20,12 @@ VERIFICATION_URI_COMPLETE=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.verification_
 EXPIRES_IN=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.expires_in')
 INTERVAL=$(echo "$DEVICE_AUTH_RESPONSE" | jq -r '.interval')
 
-echo -e "\nOpen the link in a browser \033[3m[$VERIFICATION_URI]\033[0m, and authenticate with the UserCode:[$USER_CODE] \n the associated device code for this request will expires in $EXPIRES_IN seconds.\n"
+echo -e "${YELLOW}\nThe user you use to authenticate must have the ${SCOPE} scope; otherwise, calm-hub will respond with a 401 or 403 error. For local development with a secure profile, you can use the *demo_admin* user, which is already created in Keycloak.\n${NC}"
+
+echo -e "\nOpen the link in a browser ${BLUE}[$VERIFICATION_URI]${NC}, and authenticate with the UserCode:[$USER_CODE],the associated device code for this request will expires in ${EXPIRES_IN} seconds.\n"
 
 # Poll the token endpoint
-TOKEN_URL="https://localhost:9443/realms/calm-hub-realm/protocol/openid-connect/token"
+TOKEN_URL="https://calm-hub.finos.org:9443/realms/calm-hub-realm/protocol/openid-connect/token"
 ACCESS_TOKEN=""
 POLL_INTERVAL=15 #Seconds
 
@@ -57,21 +63,21 @@ poll_token
 echo -e "\nPositive Case: Press enter to create a sample user-access for finos resources."
 read
 if [[ -n $ACCESS_TOKEN ]]; then
-  curl -X POST --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
+  curl -X POST --insecure -v "https://calm-hub.finos.org:8443/calm/namespaces/finos/user-access" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $ACCESS_TOKEN" \
     -d '{ "namespace": "finos", "resourceType": "patterns", "permission": "read", "username": "demo" }'
 
   echo -e "\nPositive Case: Press enter to get list of user-access details associated to namespace:finos"
   read
-  curl --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
+  curl --insecure -v "https://calm-hub.finos.org:8443/calm/namespaces/finos/user-access" \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer $ACCESS_TOKEN"
 
   echo
   echo -e "\nFailure Case: Press enter to create a sample user-access for traderx namespace."
   read
-  curl -X POST --insecure -v "https://localhost:8443/calm/namespaces/traderx/user-access" \
+  curl -X POST --insecure -v "https://calm-hub.finos.org:8443/calm/namespaces/traderx/user-access" \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer $ACCESS_TOKEN" \
       -d '{ "namespace": "traderx", "resourceType": "patterns", "permission": "read", "username": "demo" }'