Auth group -> Aerie role mapping (#64)
* make `DEFAULT_ROLE` env var a string array

* add new `AUTH_GROUP_ROLE_MAPPINGS` env var

* Change `GroupRoleMapping` type to be a dynamically keyed obj

* add group -> role validation function

* Add helper function to get default role for auth group

* add helper functions to map auth groups to default / allowed roles

* extract LDAP groups from CAM response, map to roles

* rename function for clarity

* refactor for clarity

* add tests

* fix lint error

* fix destructuring names

* add format check to CI

* update gateway to node 20

* run prettier

* refactor `mapGroupsToRoles` for clarity

* Extract SSO token and use `loginSSO` in CAM user / pass flow

* make failed group mapping JSON parse a fatal error

* Conditionally update roles in DB with auth group mapping roles

* fail login if `allowed_roles` is empty

* run prettier

* update SSO auth env var docs

* add `getGroupsWithMappings` docs

* only upsert roles on first session login

* check JWT validity when determining if session is new

* wrap role updates in transaction

* Change upsert conditional logic

Upserts DB roles when they have changed, if group -> role mappings are
the source of truth. This removes the idea of a user "session", and auth
is reconsidered during each request, which simplifies things upstream.
skovati authored Feb 21, 2024
1 parent 0ac7258 commit d690c47
Showing 14 changed files with 2,624 additions and 66 deletions.
6 changes: 4 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -20,9 +20,11 @@ jobs:
packages: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: '16.13.0'
node-version-file: '.nvmrc'
cache: npm
- name: Install Dev Dependencies and Build
run: |
npm install
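Review bot: this job runs with `packages: write` (top of the hunk), yet both `actions/checkout@v3` and `actions/setup-node@v3` are referenced by mutable tag; with a token that can publish packages, pin each action to a full commit SHA (e.g. `uses: actions/setup-node@<sha> # v3`) so a moved tag cannot run unreviewed code under that permission. Reading the version from `.nvmrc` is the right move; while here, `npm ci` instead of `npm install` would make the build resolve exactly the locked dependency tree rather than whatever `npm install` is willing to update.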
9 changes: 7 additions & 2 deletions .github/workflows/lint.yml
Expand Up @@ -15,13 +15,18 @@ jobs:
contents: read
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: '16.13.0'
node-version-file: '.nvmrc'
cache: npm
- name: Install Dev Dependencies and Build
run: |
npm install
npm run build
- name: Lint
run: |
npm run lint
- name: Check formatting
run: |
npm run format:check
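Review bot: the new `Check formatting` step is a good addition, but the install step still uses `npm install`, which can rewrite the lockfile and pull newer transitive versions, while the test workflow added in this same commit uses `npm ci`; use `npm ci` here too so lint and format checks run against the locked tree. The `@v3` tags on `actions/checkout` and `actions/setup-node` would also benefit from a commit-SHA pin for the same supply-chain reason.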
29 changes: 29 additions & 0 deletions .github/workflows/test.yml
@@ -0,0 +1,29 @@
name: Test

on:
pull_request:
branches:
- develop
- dev-[0-9]+.[0-9]+.[0-9]+
push:
branches:
- develop
tags:
- v*
workflow_dispatch:

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
cache: npm
- name: Install Dependencies
run: npm ci
- name: Test
run: npm run test
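Review bot: this new workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permission set, whereas `lint.yml` in this same commit restricts itself to `contents: read`; add `permissions: contents: read` at the workflow or job level, since `npm ci` and `npm run test` need nothing more. Pinning `actions/checkout` and `actions/setup-node` by commit SHA rather than `@v3` would keep this workflow consistent with a least-privilege setup.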
1 change: 1 addition & 0 deletions .nvmrc
@@ -0,0 +1 @@
20
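Review bot: `20` pins only the major line, whereas the workflows previously pinned `16.13.0` exactly; if CI runs are meant to be reproducible across runners, record the full version in `.nvmrc` (setup-node's `node-version-file` accepts it), otherwise note in the docs that the minor and patch versions float.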
5 changes: 4 additions & 1 deletion docs/ENVIRONMENT.md
Expand Up @@ -6,11 +6,12 @@ This document provides detailed information about environment variables for the
| --------------------------- | ---------------------------------------------------------------------------------------------------- | -------- | ---------------------------------------------- |
| `ALLOWED_ROLES` | Allowed roles when authentication is enabled. | `array` | ["user", "viewer"] |
| `ALLOWED_ROLES_NO_AUTH` | Allowed roles when authentication is disabled. | `array` | ["aerie_admin", "user", "viewer"] |
| `AUTH_GROUP_ROLE_MAPPINGS` | JSON object that maps auth provider groups to Aerie roles. See [SSO authentication docs][SSO authn] | `JSON` | {} |
| `AUTH_TYPE` | Mode of authentication. Set to `cam` to enable CAM authentication. | `string` | none |
| `AUTH_URL` | URL of Auth provider's REST API. Used if the given `AUTH_TYPE` is not set to `none`. | `string` | https://atb-ocio-12b.jpl.nasa.gov:8443/cam-api |
| `AUTH_UI_URL` | URL of Auth provider's login UI. Returned to the UI if SSO token is invalid, so user is redirected | `string` | https://atb-ocio-12b.jpl.nasa.gov:8443/cam-ui |
| `AUTH_SSO_TOKEN_NAME` | The name of the SSO tokens the Gateway should parse cookies for. Likely found in auth provider docs. | `array` | ["iPlanetDirectoryPro"] |
| `DEFAULT_ROLE` | Default role when authentication is enabled. | `array` | user |
| `DEFAULT_ROLE` | Default roles when authentication is enabled. See [SSO authorization docs][SSO authz] for details. | `array` | ["user"] |
| `DEFAULT_ROLE_NO_AUTH` | Default role when authentication is disabled. | `array` | aerie_admin |
| `GQL_API_URL` | URL of GraphQL API for the GraphQL Playground. | `string` | http://localhost:8080/v1/graphql |
| `GQL_API_WS_URL` | URL of GraphQL WebSocket API for the GraphQL Playground. | `string` | ws://localhost:8080/v1/graphql |
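Review bot: the `DEFAULT_ROLE_NO_AUTH` row is now inconsistent with the updated `DEFAULT_ROLE` row: it is typed `array` but its default reads `aerie_admin` rather than `["aerie_admin"]`, and its description still says "Default role" in the singular; align it with the new row. The `AUTH_GROUP_ROLE_MAPPINGS` row should also show the expected JSON shape and state that an unparsable value is treated as fatal (per the commit message), so an operator who mistypes the JSON knows why the Gateway refuses to start.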
Expand All @@ -29,3 +30,5 @@ This document provides detailed information about environment variables for the
| `RATE_LIMITER_LOGIN_MAX` | Max requests allowed every 15 minutes to login endpoints | `number` | 1000 |

[algorithms]: https://github.com/auth0/node-jsonwebtoken#algorithms-supported
[SSO authn]: https://nasa-ammos.github.io/aerie-docs/deployment/advanced-authentication
[SSO authz]: https://nasa-ammos.github.io/aerie-docs/deployment/advanced-permissions
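Review bot: `[SSO authn]` and `[SSO authz]` resolve to two different pages, and the `AUTH_GROUP_ROLE_MAPPINGS` row links to the authentication page while the `DEFAULT_ROLE` row links to the permissions page; since both settings describe the same group-to-role mapping, point both rows at whichever document actually specifies the mapping format so readers find it in one place.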