-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ALS-6103] Architectural changes to support multiple auth providers (#…
…183) - Removed `OpenAuthenticationController`, `OktaAuthenticationController`, and `AuthController`. - Created the `AuthenticationService` interface. All authentication service classes **MUST** implement this interface. This interface contains three methods: `authenticate`, `getProvider()`, and `isEnabled()`. - `authenticate`: Implements the specific authentication logic for each authentication service. - `getProvider`: Returns the name of the provider, e.g., `fence`, `open`, `auth0`, etc. These values must correspond to the `idpProvider` value in the authentication controller path `/auth/authentication/{idpProvider}`. This value is used to look up the correct authentication service in the `AuthenticationServiceRegistry` class. - `isEnabled`: Returns `true` or `false` based on the corresponding `application.properties` value. - Created the `AuthenticationServiceRegistry`. This service registry maintains a map of all enabled `AuthenticationService` services and provides a `getAuthenticationService` method that returns an `AuthenticationService` based on the provider string. - Created the `AuthenticationController`. This controller uses the `AuthenticationServiceRegistry` to dynamically delegate authentication to the correct `AuthenticationService` based on the `{idpProvider}` path variable.
- Loading branch information
Showing
61 changed files
with
1,983 additions
and
3,194 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL8Dialect | ||
spring.datasource.driver-class-name=com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver | ||
spring.datasource.url=jdbc-secretsmanager:mysql://${DATASOURCE_URL}/auth?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&autoReconnectForPools=true | ||
spring.datasource.username=${DATASOURCE_USERNAME} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# This is a template file that can be used to configure the application. Pass this to the dockerfile and | ||
# the application will be configured with the values provided in this file. | ||
|
||
# These properties are used to configure our applications JWT token. | ||
# The JWT token is used to authenticate the user and authorize them to access the application | ||
# after initial login. | ||
APPLICATION_CLIENT_SECRET= | ||
APPLICATION_CLIENT_SECRET_IS_BASE_64=false | ||
|
||
# Fence IDP Configuration | ||
FENCE_IDP_PROVIDER_IS_ENABLED=false | ||
FENCE_CLIENT_ID= | ||
FENCE_CLIENT_SECRET= | ||
FENCE_IDP_PROVIDER_URI= | ||
|
||
# AIM AHEAD Authorized Access (A4) OKTA IDP Configuration | ||
A4_OKTA_IDP_PROVIDER_IS_ENABLED=false | ||
A4_OKTA_CLIENT_SECRET= | ||
A4_OKTA_CLIENT_ID= | ||
A4_OKTA_CONNECTION_ID= | ||
A4_OKTA_IDP_PROVIDER_URI= | ||
|
||
# Auth0 IDP Configuration (Generally, this is used for the All-In-One and Authorized Access) | ||
AUTH0_IDP_PROVIDER_IS_ENABLED=false | ||
AUTH0_HOST= | ||
AUTH0_DENIED_EMAIL_ENABLED= | ||
|
||
# Open Access IDP Configuration | ||
OPEN_IDP_PROVIDER_IS_ENABLED=false | ||
|
||
SYSTEM_NAME=PIC-SURE BioDataCatalyst |
File renamed without changes.
28 changes: 28 additions & 0 deletions
28
pic-sure-auth-db/db/sql/V6__UPDATE_EXISTING_ROLE_PRIVILEGE_RULE_NAMES.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# We have migrated our naming convention away from "FENCE_" to a more generalized "MANAGED_". | ||
|
||
-- Update roles table | ||
UPDATE role | ||
SET name = REPLACE(name, 'FENCE', 'MANAGED') | ||
WHERE name LIKE '%FENCE%'; | ||
|
||
UPDATE role | ||
SET description = REPLACE(description, 'FENCE', 'MANAGED') | ||
WHERE description LIKE '%FENCE%'; | ||
|
||
-- Update privileges table | ||
UPDATE privilege | ||
SET name = REPLACE(name, 'FENCE', 'MANAGED') | ||
WHERE name LIKE '%FENCE%'; | ||
|
||
UPDATE privilege | ||
SET description = REPLACE(description, 'FENCE', 'MANAGED') | ||
WHERE description LIKE '%FENCE%'; | ||
|
||
-- Update access rules table | ||
UPDATE access_rule | ||
SET name = REPLACE(name, 'FENCE', 'MANAGED') | ||
WHERE name LIKE '%FENCE%'; | ||
|
||
UPDATE access_rule | ||
SET description = REPLACE(description, 'FENCE', 'MANAGED') | ||
WHERE description LIKE '%FENCE%'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
FROM maven:3.9.6-amazoncorretto-21 as build | ||
|
||
# Copy the source code into the container | ||
COPY ./ /app | ||
|
||
# Change the working directory | ||
WORKDIR /app | ||
|
||
# Build the jar | ||
RUN mvn clean install -DskipTests | ||
|
||
FROM amazoncorretto:21.0.1-alpine3.18 | ||
|
||
ARG DATASOURCE_URL | ||
ARG DATASOURCE_USERNAME | ||
ARG STACK_SPECIFIC_APPLICATION_ID | ||
|
||
ENV DATASOURCE_URL=${DATASOURCE_URL} | ||
ENV DATASOURCE_USERNAME=${DATASOURCE_USERNAME} | ||
ENV STACK_SPECIFIC_APPLICATION_ID=${application_id_for_base_query} | ||
|
||
# Copy jar and access token from maven build | ||
COPY --from=build /app/pic-sure-auth-services/target/pic-sure-auth-services.jar /pic-sure-auth-service.jar | ||
|
||
# Copy additional bdc configuration files. Root of the project | ||
COPY config/psama/bdc/psama-db-config.properties /config/psama-db-config.properties | ||
|
||
# Set SPRING_CONFIG_ADDITIONAL_LOCATION | ||
ENV SPRING_CONFIG_ADDITIONAL_LOCATION=file:/config/psama-db-config.properties | ||
|
||
# Copy the AWS certificate | ||
COPY pic-sure-auth-services/aws_certs/certificate.der /certificate.der | ||
|
||
# Import the certificate into the Java trust store | ||
RUN keytool -noprompt -import -alias aws_cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -file /certificate.der | ||
|
||
ENTRYPOINT ["sh", "-c", "java ${JAVA_OPTS} -jar /pic-sure-auth-service.jar"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletions
20
...-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/config/CustomKeyGenerator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
package edu.harvard.hms.dbmi.avillach.auth.config; | ||
|
||
import edu.harvard.hms.dbmi.avillach.auth.entity.User; | ||
import org.springframework.cache.interceptor.KeyGenerator; | ||
|
||
import java.lang.reflect.Method; | ||
|
||
public class CustomKeyGenerator implements KeyGenerator { | ||
|
||
@Override | ||
public Object generate(Object target, Method method, Object... params) { | ||
for (Object param : params) { | ||
if (param instanceof User user) { | ||
return user.getEmail(); | ||
} | ||
} | ||
|
||
throw new IllegalArgumentException("No valid params found. Cannot generate cache key"); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
75 changes: 0 additions & 75 deletions
75
...e-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/rest/AuthController.java
This file was deleted.
Oops, something went wrong.
71 changes: 71 additions & 0 deletions
71
...vices/src/main/java/edu/harvard/hms/dbmi/avillach/auth/rest/AuthenticationController.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
package edu.harvard.hms.dbmi.avillach.auth.rest; | ||
|
||
import edu.harvard.hms.dbmi.avillach.auth.model.response.PICSUREResponse; | ||
import edu.harvard.hms.dbmi.avillach.auth.service.AuthenticationService; | ||
import edu.harvard.hms.dbmi.avillach.auth.service.impl.authentication.AuthenticationServiceRegistry; | ||
import io.swagger.v3.oas.annotations.Operation; | ||
import io.swagger.v3.oas.annotations.Parameter; | ||
import io.swagger.v3.oas.annotations.tags.Tag; | ||
import jakarta.servlet.http.HttpServletRequest; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.http.ResponseEntity; | ||
import org.springframework.stereotype.Controller; | ||
import org.springframework.web.bind.annotation.PathVariable; | ||
import org.springframework.web.bind.annotation.PostMapping; | ||
import org.springframework.web.bind.annotation.RequestBody; | ||
import org.springframework.web.bind.annotation.RequestMapping; | ||
|
||
import java.io.IOException; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
|
||
/** | ||
* <p>The authentication endpoint for PSAMA.</p> | ||
*/ | ||
@Tag(name = "Authentication") | ||
@Controller | ||
@RequestMapping("/") | ||
public class AuthenticationController { | ||
|
||
private final static Logger logger = LoggerFactory.getLogger(AuthenticationController.class.getName()); | ||
|
||
private final AuthenticationServiceRegistry authenticationServiceRegistry; | ||
|
||
@Autowired | ||
public AuthenticationController(AuthenticationServiceRegistry authenticationServiceRegistry) { | ||
this.authenticationServiceRegistry = authenticationServiceRegistry; | ||
} | ||
|
||
@Operation(description = "The authentication endpoint for retrieving a valid user token") | ||
@PostMapping(path = "/authentication/{idpProvider}", consumes = "application/json", produces = "application/json") | ||
public ResponseEntity<?> authentication( | ||
@PathVariable("idpProvider") String idpProvider, | ||
@Parameter(required = true, description = "A json object that includes all Oauth authentication needs, for example, access_token and redirectURI") | ||
@RequestBody Map<String, String> authRequest, HttpServletRequest request) throws IOException { | ||
logger.debug("authentication() starting..."); | ||
logger.debug("authentication() requestHost: {}", request.getServerName()); | ||
|
||
if (authRequest == null) { | ||
logger.error("authentication() authRequest is null"); | ||
return ResponseEntity.badRequest().body("authRequest is null"); | ||
} | ||
|
||
AuthenticationService authenticationService = authenticationServiceRegistry.getAuthenticationService(idpProvider); | ||
if (authenticationService == null) { | ||
logger.error("authentication() authenticationService is null"); | ||
return ResponseEntity.badRequest().body("authenticationService is null"); | ||
} | ||
|
||
HashMap<String, String> authenticate = authenticationService.authenticate(authRequest, request.getServerName()); | ||
if (authenticate != null && !authenticate.isEmpty()) { | ||
logger.info("authentication() User authenticated successfully."); | ||
return PICSUREResponse.success(authenticate); | ||
} | ||
|
||
logger.error("authentication() User not authenticated."); | ||
return PICSUREResponse.unauthorizedError("User not authenticated."); | ||
} | ||
} |
Oops, something went wrong.