add saml auth option

Author: ArtemHoruzhenko

redisinsight/api/config/default.ts

@@ -262,6 +262,16 @@ export default {
         redirectUri: process.env.RI_CLOUD_IDP_GH_REDIRECT_URI || process.env.RI_CLOUD_IDP_REDIRECT_URI,
         idp: process.env.RI_CLOUD_IDP_GH_ID,
       },
+      sso: {
+        authorizeUrl: process.env.RI_CLOUD_IDP_SSO_AUTHORIZE_URL || process.env.RI_CLOUD_IDP_AUTHORIZE_URL,
+        tokenUrl: process.env.RI_CLOUD_IDP_SSO_TOKEN_URL || process.env.RI_CLOUD_IDP_TOKEN_URL,
+        revokeTokenUrl: process.env.RI_CLOUD_IDP_SSO_REVOKE_TOKEN_URL || process.env.RI_CLOUD_IDP_REVOKE_TOKEN_URL,
+        issuer: process.env.RI_CLOUD_IDP_SSO_ISSUER || process.env.RI_CLOUD_IDP_ISSUER,
+        clientId: process.env.RI_CLOUD_IDP_SSO_CLIENT_ID || process.env.RI_CLOUD_IDP_CLIENT_ID,
+        redirectUri: process.env.RI_CLOUD_IDP_SSO_REDIRECT_URI || process.env.RI_CLOUD_IDP_REDIRECT_URI,
+        emailVerificationUri: process.env.RI_CLOUD_IDP_SSO_EMAIL_VERIFICATION_URI || 'saml/okta_idp_id',
+        idp: process.env.RI_CLOUD_IDP_SSO_ID,
+      },
     },
   },
   ai: {

redisinsight/api/src/constants/custom-error-codes.ts

@@ -14,6 +14,7 @@ export enum CustomErrorCodes {
   CloudOauthUnexpectedError = 11_008,
   CloudOauthMissedRequiredData = 11_009,
   CloudOauthCanceled = 11_010,
+  CloudOauthSsoUnsupportedEmail = 11_011,
   CloudCapiUnauthorized = 11_021,
   CloudCapiKeyUnauthorized = 11_022,
   CloudCapiKeyNotFound = 11_023,

redisinsight/api/src/constants/error-messages.ts

@@ -89,6 +89,7 @@ export default {
   CLOUD_OAUTH_CANCELED: 'Authorization request was canceled.',
   CLOUD_OAUTH_MISCONFIGURATION: 'Authorization server misconfiguration.',
   CLOUD_OAUTH_GITHUB_EMAIL_PERMISSION: 'Unable to get an email from the GitHub account. Make sure that it is available.',
+  CLOUD_OAUTH_SSO_UNSUPPORTED_EMAIL: 'Email is not recognized. Use an email associated with your organization’s SSO.',
   CLOUD_OAUTH_MISSED_REQUIRED_DATA: 'Unable to get required data from the user profile.',
   CLOUD_OAUTH_UNKNOWN_AUTHORIZATION_REQUEST: 'Unknown authorization request.',
   CLOUD_OAUTH_UNEXPECTED_ERROR: 'Unexpected error.',

redisinsight/api/src/modules/cloud/auth/auth-strategy/cloud-auth.strategy.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@nestjs/common';
-import { CloudAuthRequest } from 'src/modules/cloud/auth/models/cloud-auth-request';
+import { CloudAuthRequest, CloudAuthRequestOptions } from 'src/modules/cloud/auth/models/cloud-auth-request';
 import { SessionMetadata } from 'src/common/models';
 import { OktaAuth } from '@okta/okta-auth-js';
 import { plainToClass } from 'class-transformer';
@@ -11,7 +11,10 @@ export abstract class CloudAuthStrategy {
   /**
    * Create and store auth request params
    */
-  async generateAuthRequest(sessionMetadata: SessionMetadata): Promise<CloudAuthRequest> {
+  async generateAuthRequest(
+    sessionMetadata: SessionMetadata,
+    _options?: CloudAuthRequestOptions,
+  ): Promise<CloudAuthRequest> {
     const authClient = new OktaAuth(this.config);
     const tokenParams = await authClient.token.prepareTokenParams(this.config);
 

redisinsight/api/src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy.ts

@@ -0,0 +1,78 @@
+import { OktaAuth, SimpleStorage } from '@okta/okta-auth-js';
+import config from 'src/utils/config';
+import { CloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/cloud-auth.strategy';
+import {
+  CloudAuthIdpType,
+  CloudAuthRequest,
+  CloudAuthRequestOptions,
+} from 'src/modules/cloud/auth/models/cloud-auth-request';
+import { SessionMetadata } from 'src/common/models';
+import { plainToClass } from 'class-transformer';
+import axios from 'axios';
+import * as path from 'path';
+import {
+  CloudOauthSsoUnsupportedEmailException,
+} from 'src/modules/cloud/auth/exceptions/cloud-oauth.sso-unsupported-email.exception';
+import { Logger } from '@nestjs/common';
+
+const { idp: { sso: idpConfig } } = config.get('cloud');
+const cloudConfig = config.get('cloud');
+
+export class SsoIdpCloudAuthStrategy extends CloudAuthStrategy {
+  private logger = new Logger('SsoIdpCloudAuthStrategy');
+
+  constructor() {
+    super();
+
+    this.config = {
+      idpType: CloudAuthIdpType.Sso,
+      authorizeUrl: idpConfig.authorizeUrl,
+      tokenUrl: idpConfig.tokenUrl,
+      revokeTokenUrl: idpConfig.revokeTokenUrl,
+      issuer: idpConfig.issuer,
+      clientId: idpConfig.clientId,
+      pkce: true,
+      redirectUri: idpConfig.redirectUri,
+      idp: idpConfig.idp,
+      scopes: ['offline_access', 'openid', 'email', 'profile'],
+      responseMode: 'query',
+      responseType: 'code',
+      tokenManager: {
+        storage: {} as SimpleStorage,
+      },
+    };
+  }
+
+  private async determineIdp(email: string) {
+    try {
+      const apiUrl = new URL(path.posix.join(cloudConfig.apiUrl, idpConfig.emailVerificationUri));
+      apiUrl.searchParams.set('email', email);
+      const { data: idp } = await axios.get(apiUrl.toString());
+
+      return idp;
+    } catch (e) {
+      this.logger.error('Unable to get idp by email', e);
+      throw new CloudOauthSsoUnsupportedEmailException();
+    }
+  }
+
+  /**
+   * Create and store auth request params
+   */
+  async generateAuthRequest(
+    sessionMetadata: SessionMetadata,
+    options?: CloudAuthRequestOptions,
+  ): Promise<CloudAuthRequest> {
+    const idp = await this.determineIdp(options?.data?.email);
+    const authClient = new OktaAuth(this.config);
+    const tokenParams = await authClient.token.prepareTokenParams(this.config);
+
+    return plainToClass(CloudAuthRequest, {
+      ...this.config,
+      ...tokenParams,
+      idp,
+      sessionMetadata,
+      createdAt: new Date(),
+    });
+  }
+}

redisinsight/api/src/modules/cloud/auth/cloud-auth.module.ts

@@ -2,6 +2,7 @@ import { Module } from '@nestjs/common';
 import { CloudSessionModule } from 'src/modules/cloud/session/cloud-session.module';
 import { GoogleIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/google-idp.cloud.auth-strategy';
 import { GithubIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/github-idp.cloud.auth-strategy';
+import { SsoIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy';
 import { CloudAuthService } from 'src/modules/cloud/auth/cloud-auth.service';
 import { CloudAuthController } from 'src/modules/cloud/auth/cloud-auth.controller';
 import { CloudAuthAnalytics } from 'src/modules/cloud/auth/cloud-auth.analytics';
@@ -11,6 +12,7 @@ import { CloudAuthAnalytics } from 'src/modules/cloud/auth/cloud-auth.analytics'
   providers: [
     GoogleIdpCloudAuthStrategy,
     GithubIdpCloudAuthStrategy,
+    SsoIdpCloudAuthStrategy,
     CloudAuthService,
     CloudAuthAnalytics,
   ],

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.ts

@@ -1,11 +1,16 @@
 import { Injectable, Logger } from '@nestjs/common';
 import axios from 'axios';
 import { GoogleIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/google-idp.cloud.auth-strategy';
-import { CloudAuthIdpType, CloudAuthRequest } from 'src/modules/cloud/auth/models/cloud-auth-request';
+import {
+  CloudAuthIdpType,
+  CloudAuthRequest,
+  CloudAuthRequestOptions,
+} from 'src/modules/cloud/auth/models/cloud-auth-request';
 import { CloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/cloud-auth.strategy';
 import { SessionMetadata } from 'src/common/models';
 import { CloudSessionService } from 'src/modules/cloud/session/cloud-session.service';
 import { GithubIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/github-idp.cloud.auth-strategy';
+import { SsoIdpCloudAuthStrategy } from 'src/modules/cloud/auth/auth-strategy/sso-idp.cloud.auth-strategy';
 import { wrapHttpError } from 'src/common/utils';
 import {
   CloudOauthCanceledException,
@@ -20,6 +25,9 @@ import { CloudSsoFeatureStrategy } from 'src/modules/cloud/cloud-sso.feature.fla
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import { CloudAuthServerEvent } from 'src/modules/cloud/common/constants';
 import { CloudApiUnauthorizedException } from 'src/modules/cloud/common/exceptions';
+import {
+  CloudOauthSsoUnsupportedEmailException,
+} from 'src/modules/cloud/auth/exceptions/cloud-oauth.sso-unsupported-email.exception';
 
 @Injectable()
 export class CloudAuthService {
@@ -31,10 +39,19 @@ export class CloudAuthService {
     private readonly sessionService: CloudSessionService,
     private readonly googleIdpAuthStrategy: GoogleIdpCloudAuthStrategy,
     private readonly githubIdpCloudAuthStrategy: GithubIdpCloudAuthStrategy,
+    private readonly ssoIdpCloudAuthStrategy: SsoIdpCloudAuthStrategy,
     private readonly analytics: CloudAuthAnalytics,
     private readonly eventEmitter: EventEmitter2,
   ) {}
 
+  static getOAuthHttpRequestHeaders() {
+    return {
+      accept: 'application/json',
+      'cache-control': 'no-cache',
+      'content-type': 'application/x-www-form-urlencoded',
+    };
+  }
+
   static getAuthorizationServerRedirectError(
     query: { error_description: string, error: string },
     authRequest?: CloudAuthRequest,
@@ -69,6 +86,8 @@ export class CloudAuthService {
         return this.googleIdpAuthStrategy;
       case CloudAuthIdpType.GitHub:
         return this.githubIdpCloudAuthStrategy;
+      case CloudAuthIdpType.Sso:
+        return this.ssoIdpCloudAuthStrategy;
       default:
         throw new CloudOauthUnknownAuthorizationRequestException('Unknown cloud auth strategy');
     }
@@ -81,14 +100,11 @@ export class CloudAuthService {
    */
   async getAuthorizationUrl(
     sessionMetadata: SessionMetadata,
-    options: {
-      strategy: CloudAuthIdpType,
-      action?: string,
-      callback?: Function,
-    },
+    options: CloudAuthRequestOptions,
   ): Promise<string> {
     try {
-      const authRequest: any = await this.getAuthStrategy(options?.strategy).generateAuthRequest(sessionMetadata);
+      const authRequest: any = await this.getAuthStrategy(options?.strategy)
+        .generateAuthRequest(sessionMetadata, options);
       authRequest.callback = options?.callback;
       authRequest.action = options?.action;
 
@@ -100,6 +116,10 @@ export class CloudAuthService {
 
       return CloudAuthStrategy.generateAuthUrl(authRequest).toString();
     } catch (e) {
+      if (e instanceof CloudOauthSsoUnsupportedEmailException) {
+        throw e;
+      }
+
       throw new CloudOauthMisconfigurationException();
     }
   }
@@ -114,11 +134,7 @@ export class CloudAuthService {
       const tokenUrl = CloudAuthStrategy.generateExchangeCodeUrl(authRequest, code);
 
       const { data } = await axios.post(tokenUrl.toString().split('?')[0], tokenUrl.searchParams, {
-        headers: {
-          accept: 'application/json',
-          'cache-control': 'no-cache',
-          'content-type': 'application/x-www-form-urlencoded',
-        },
+        headers: CloudAuthService.getOAuthHttpRequestHeaders(),
       });
 
       return data;
@@ -195,11 +211,7 @@ export class CloudAuthService {
 
       await axios.post(tokenUrl.toString()
         .split('?')[0], tokenUrl.searchParams, {
-        headers: {
-          accept: 'application/json',
-          'cache-control': 'no-cache',
-          'content-type': 'application/x-www-form-urlencoded',
-        },
+        headers: CloudAuthService.getOAuthHttpRequestHeaders(),
       });
     } catch (e) {
       // ignore error
@@ -252,11 +264,7 @@ export class CloudAuthService {
 
       const { data } = await axios.post(tokenUrl.toString()
         .split('?')[0], tokenUrl.searchParams, {
-        headers: {
-          accept: 'application/json',
-          'cache-control': 'no-cache',
-          'content-type': 'application/x-www-form-urlencoded',
-        },
+        headers: CloudAuthService.getOAuthHttpRequestHeaders(),
       });
 
       await this.sessionService.updateSessionData(sessionMetadata.sessionId, {

redisinsight/api/src/modules/cloud/auth/exceptions/cloud-oauth.sso-unsupported-email.exception.ts

@@ -0,0 +1,16 @@
+import { HttpException, HttpExceptionOptions, HttpStatus } from '@nestjs/common';
+import { CustomErrorCodes } from 'src/constants';
+import ERROR_MESSAGES from 'src/constants/error-messages';
+
+export class CloudOauthSsoUnsupportedEmailException extends HttpException {
+  constructor(message = ERROR_MESSAGES.CLOUD_OAUTH_SSO_UNSUPPORTED_EMAIL, options?: HttpExceptionOptions) {
+    const response = {
+      message,
+      statusCode: HttpStatus.BAD_REQUEST,
+      error: 'CloudOauthSsoUnsupportedEmail',
+      errorCode: CustomErrorCodes.CloudOauthSsoUnsupportedEmail,
+    };
+
+    super(response, response.statusCode, options);
+  }
+}

redisinsight/api/src/modules/cloud/auth/models/cloud-auth-request.ts

@@ -3,16 +3,23 @@ import { SessionMetadata } from 'src/common/models';
 export enum CloudAuthIdpType {
   Google = 'google',
   GitHub = 'github',
+  Sso = 'sso',
 }
 
-export class CloudAuthRequest {
-  idpType: CloudAuthIdpType;
+export class CloudAuthRequestOptions {
+  strategy: CloudAuthIdpType;
 
-  sessionMetadata: SessionMetadata;
+  action?: string;
+
+  data?: Record<string, any>;
 
   callback?: Function;
+}
 
-  createdAt: Date;
+export class CloudAuthRequest extends CloudAuthRequestOptions {
+  idpType: CloudAuthIdpType;
 
-  action?: string;
+  sessionMetadata: SessionMetadata;
+
+  createdAt: Date;
 }

redisinsight/desktop/src/lib/cloud/cloud-oauth.handlers.ts

@@ -5,7 +5,11 @@ import { UrlWithParsedQuery } from 'url'
 import { wrapErrorMessageSensitiveData } from 'desktopSrc/utils'
 import { getBackendApp, getWindows } from 'desktopSrc/lib'
 import { IpcOnEvent, IpcInvokeEvent } from 'uiSrc/electron/constants'
-import { CloudAuthIdpType, CloudAuthResponse, CloudAuthStatus } from 'apiSrc/modules/cloud/auth/models'
+import {
+  CloudAuthRequestOptions,
+  CloudAuthResponse,
+  CloudAuthStatus,
+} from 'apiSrc/modules/cloud/auth/models'
 import { DEFAULT_SESSION_ID, DEFAULT_USER_ID } from 'apiSrc/common/constants'
 import { CloudOauthUnexpectedErrorException } from 'apiSrc/modules/cloud/auth/exceptions'
 import { CloudAuthService } from '../../../../api/dist/src/modules/cloud/auth/cloud-auth.service'
@@ -29,11 +33,9 @@ export const getTokenCallbackFunction = (webContents: WebContents) => (response:
   webContents.send(IpcOnEvent.cloudOauthCallback, response)
   webContents.focus()
 }
+
 export const initCloudOauthHandlers = () => {
-  ipcMain.handle(IpcInvokeEvent.cloudOauth, async (event, options: {
-    strategy: CloudAuthIdpType,
-    action?: string,
-  }) => {
+  ipcMain.handle(IpcInvokeEvent.cloudOauth, async (event, options: CloudAuthRequestOptions) => {
     try {
       const authService: CloudAuthService = getBackendApp()?.get?.(CloudAuthService)
 
@@ -57,9 +59,16 @@ export const initCloudOauthHandlers = () => {
     } catch (e) {
       log.error(wrapErrorMessageSensitiveData(e as Error))
 
+      const error = getOauthIpcErrorResponse(e)
+
       const [currentWindow] = getWindows().values()
 
-      currentWindow?.webContents.send(IpcOnEvent.cloudOauthCallback, getOauthIpcErrorResponse(e))
+      currentWindow?.webContents.send(IpcOnEvent.cloudOauthCallback, error)
+
+      return {
+        status: CloudAuthStatus.Failed,
+        error,
+      }
     }
   })
 }