Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cb 4389 convert reverse proxy #2300

Merged
merged 49 commits into from
Jan 23, 2024
Merged

Cb 4389 convert reverse proxy #2300

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
434af0f
CB-4389. Converted reverse proxy to identity provider
DenisSinelnikov Jan 11, 2024
1dc6a11
CB-4039 build logout redirect link on backend side
alexander-skoblikov Jan 12, 2024
476f297
Merge branch 'devel' into CB-4039-logout-with-context
Jan 12, 2024
5585b07
CB-4039 fix return value
alexander-skoblikov Jan 12, 2024
557910c
CB-4389. Added auto configuration for Reverse proxy if its enabled on…
DenisSinelnikov Jan 15, 2024
2c6cd7a
CB-4389. Added check for already exist configuration
DenisSinelnikov Jan 15, 2024
2f2c214
Merge branch 'devel' into CB-4039-logout-with-context
Jan 16, 2024
1712a63
CB-4389. Refactor after review
DenisSinelnikov Jan 16, 2024
5602f68
CB-4039 adds logout with context for Okta Identity Provider
Jan 16, 2024
18be424
CB-4039 backward compatibility fix
alexander-skoblikov Jan 16, 2024
121883d
Merge branch 'devel' into CB-4039-logout-with-context
Jan 16, 2024
dfea9e7
CB-4039 add since annotation
alexander-skoblikov Jan 16, 2024
a547a29
CB-4039 api return type fix
alexander-skoblikov Jan 16, 2024
2d943a5
CB-4039 logout extended
Jan 16, 2024
1a17447
CB-4389. Refactor after review
DenisSinelnikov Jan 16, 2024
eabdb15
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 16, 2024
8724726
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 17, 2024
1f6f9f3
Merge branch 'devel' into CB-4039-logout-with-context
Jan 17, 2024
ed66382
CB-4389. Refactor after review
DenisSinelnikov Jan 17, 2024
38341af
CB-4039 okta logout redirect moved to AuthenticationService
Jan 17, 2024
b08cfa1
CB-4039 remove windowService dep
Jan 17, 2024
e20314e
CB-4039 removes old logic of identity provider logout links
Jan 17, 2024
3e4587c
CB-4039 okta review changes
Jan 17, 2024
afe11af
Merge branch 'devel' into CB-4039-logout-with-context
dariamarutkina Jan 17, 2024
c895e4c
Merge branch 'CB-4039-logout-with-context' into CB-4389-convert-rever…
DenisSinelnikov Jan 17, 2024
83292a2
CB-4389. Merge logout logic into branch
DenisSinelnikov Jan 17, 2024
cbeddec
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 17, 2024
8e6ab28
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 18, 2024
41edc6a
Merge remote-tracking branch 'origin/CB-4389-convert-reverse-proxy' i…
DenisSinelnikov Jan 18, 2024
6af4e79
CB-4389. Delete param after review
DenisSinelnikov Jan 22, 2024
97fdb60
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 22, 2024
b493de9
Merge branch 'devel' into CB-4389-convert-reverse-proxy
DenisSinelnikov Jan 22, 2024
addf652
Merge branch 'devel' into CB-4389-convert-reverse-proxy
EvgeniaBzzz Jan 22, 2024
051946b
Merge branch 'devel' into CB-4389-convert-reverse-proxy
EvgeniaBzzz Jan 23, 2024
48eece4
CB-4389. Converted reverse proxy to identity provider
DenisSinelnikov Jan 11, 2024
3a8034a
CB-4389. Added auto configuration for Reverse proxy if its enabled on…
DenisSinelnikov Jan 15, 2024
7649de1
CB-4389. Added check for already exist configuration
DenisSinelnikov Jan 15, 2024
e7cc756
CB-4389. Refactor after review
DenisSinelnikov Jan 16, 2024
10a93cb
CB-4389. Refactor after review
DenisSinelnikov Jan 16, 2024
285e1a7
CB-4389. Refactor after review
DenisSinelnikov Jan 17, 2024
2e1826c
CB-4039 adds logout with context for Okta Identity Provider
Jan 16, 2024
41ef8c5
CB-4039 okta logout redirect moved to AuthenticationService
Jan 17, 2024
f2569fc
CB-4389. Merge logout logic into branch
DenisSinelnikov Jan 17, 2024
8b4dd63
CB-4389. Delete param after review
DenisSinelnikov Jan 22, 2024
c68e688
CB-4546 shows hex/base64 only on blob column selection (#2314)
sergeyteleshev Jan 22, 2024
20291de
Merge remote-tracking branch 'origin/CB-4389-convert-reverse-proxy' i…
DenisSinelnikov Jan 23, 2024
0bdb8f3
CB-4389. Fix logout redirect and npe for logout parameter
DenisSinelnikov Jan 23, 2024
b43f639
CB-4389. Fix logout redirect and npe for logout parameter
DenisSinelnikov Jan 23, 2024
4c3f481
CB-4389. Change version
DenisSinelnikov Jan 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions server/bundles/io.cloudbeaver.service.auth/plugin.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@
<service id="auth" label="User authentication" description="User authentication services" class="io.cloudbeaver.service.auth.WebServiceBindingAuth">

</service>
<service id="reverse.configurator" label="Reverse Proxy Configurator" description="Reverse proxy configurator"
class="io.cloudbeaver.service.auth.ReverseProxyConfigurator">
</service>
</extension>
<extension point="io.cloudbeaver.handler">
<sessionHandler id="RPSessionHandler" class="io.cloudbeaver.service.auth.RPSessionHandler"/>
Expand Down
10 changes: 10 additions & 0 deletions server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
package io.cloudbeaver.service.auth;
DenisSinelnikov marked this conversation as resolved.
Show resolved Hide resolved

interface RPConstants {
String PARAM_LOGOUT_URL = "logout-url-header";
String PARAM_USER = "user-header";
String PARAM_TEAM = "team-header";
String PARAM_FIRST_NAME = "first-name-header";
String PARAM_LAST_NAME = "last-name-header";
String PARAM_ROLE_NAME = "role-header";
}
37 changes: 31 additions & 6 deletions ...bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPSessionHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.auth.SMAuthInfo;
import org.jkiss.dbeaver.model.security.SMAuthProviderCustomConfiguration;
import org.jkiss.dbeaver.model.security.SMConstants;
import org.jkiss.dbeaver.model.security.SMController;
import org.jkiss.dbeaver.model.security.SMStandardMeta;
Expand Down Expand Up @@ -62,22 +63,38 @@
return false;
}

public void reverseProxyAuthentication(@NotNull HttpServletRequest request, @NotNull WebSession webSession) throws DBWebException {
public void reverseProxyAuthentication(@NotNull HttpServletRequest request, @NotNull WebSession webSession) throws DBException {

Check warning on line 66 in server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPSessionHandler.java

View check run for this annotation

Jenkins-CI-integration / CheckStyle Java Report

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPSessionHandler.java#L66 

Missing a Javadoc comment.
SMController securityController = webSession.getSecurityController();
WebAuthProviderDescriptor authProvider = WebAuthProviderRegistry.getInstance().getAuthProvider(RPAuthProvider.AUTH_PROVIDER);
if (authProvider == null) {
throw new DBWebException("Auth provider " + RPAuthProvider.AUTH_PROVIDER + " not found");
}
SMAuthProviderExternal<?> authProviderExternal = (SMAuthProviderExternal<?>) authProvider.getInstance();
String userName = request.getHeader(RPAuthProvider.X_USER);
String teams = request.getHeader(RPAuthProvider.X_TEAM);
SMAuthProviderCustomConfiguration configuration = WebAppUtils.getWebAuthApplication()
.getAuthConfiguration()
.getAuthCustomConfigurations()
.stream()
.filter(p -> p.getProvider().equals(authProvider.toString()))
.findFirst()
.orElse(null);
Map<String, Object> paramConfigMap = new HashMap<>();
if (configuration != null) {
authProvider.getConfigurationParameters().forEach(p ->
paramConfigMap.put(p.getId(), configuration.getParameters().get(p.getId())
));
}
String userName = request.getHeader(
resolveParam(paramConfigMap.get(RPConstants.PARAM_USER), RPAuthProvider.X_USER)
);
String teams = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_TEAM), RPAuthProvider.X_TEAM));
if (CommonUtils.isEmpty(teams)) {
// backward compatibility
teams = request.getHeader(RPAuthProvider.X_ROLE);
}
String role = request.getHeader(RPAuthProvider.X_ROLE_TE);
String firstName = request.getHeader(RPAuthProvider.X_FIRST_NAME);
String lastName = request.getHeader(RPAuthProvider.X_LAST_NAME);
String role = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_ROLE_NAME), RPAuthProvider.X_ROLE_TE));
String firstName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_FIRST_NAME), RPAuthProvider.X_FIRST_NAME));
String lastName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_LAST_NAME), RPAuthProvider.X_LAST_NAME));
String logoutUrl = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_LOGOUT_URL), RPAuthProvider.X_LOGOUT_URL));
List<String> userTeams = teams == null ? Collections.emptyList() : List.of(teams.split("\\|"));
if (userName != null) {
try {
Expand All @@ -92,6 +109,7 @@
Map<String, Object> sessionParameters = webSession.getSessionParameters();
sessionParameters.put(SMConstants.SESSION_PARAM_TRUSTED_USER_TEAMS, userTeams);
sessionParameters.put(SMConstants.SESSION_PARAM_TRUSTED_USER_ROLE, role);
sessionParameters.put(SMConstants.SESSION_PARAM_LOGOUT_URL, logoutUrl);
Map<String, Object> userCredentials = authProviderExternal.authExternalUser(
webSession.getProgressMonitor(), null, credentials);
String currentSmSessionId = webSession.getUser() == null ? null : webSession.getUserContext().getSmSessionId();
Expand Down Expand Up @@ -120,4 +138,11 @@
public boolean handleSessionClose(WebSession webSession) throws DBException, IOException {
return false;
}

private String resolveParam(Object value, String defaultValue) {
if (value != null && !value.toString().isEmpty()) {
return value.toString();
}
return defaultValue;
}
}
96 changes: 96 additions & 0 deletions ...io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/ReverseProxyConfigurator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
package io.cloudbeaver.service.auth;
DenisSinelnikov marked this conversation as resolved.
Show resolved Hide resolved

import io.cloudbeaver.auth.provider.rp.RPAuthProvider;
import io.cloudbeaver.model.app.WebAppConfiguration;
import io.cloudbeaver.model.app.WebApplication;
import io.cloudbeaver.model.app.WebAuthApplication;
import io.cloudbeaver.model.session.WebSession;
import io.cloudbeaver.service.DBWServiceServerConfigurator;
import org.jkiss.code.NotNull;
import org.jkiss.code.Nullable;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.security.SMAuthProviderCustomConfiguration;

import java.util.HashMap;
import java.util.Map;

public class ReverseProxyConfigurator implements DBWServiceServerConfigurator {
private static final Log log = Log.getLog(ReverseProxyConfigurator.class);

@Override
public void configureServer(
@NotNull WebApplication application,
@Nullable WebSession session,
@NotNull WebAppConfiguration appConfig
) throws DBException {
}

@Override
public void migrateConfigurationIfNeeded(@NotNull WebApplication application) throws DBException {
if (migrationNotNeeded(application)) {
return;
}
migrateConfiguration(application);
}

@Override
public void reloadConfiguration(@NotNull WebAppConfiguration appConfig) throws DBException {

}

private void migrateConfiguration(
@NotNull WebApplication application
) {
if (!(application instanceof WebAuthApplication authApplication)) {
return;
}

SMAuthProviderCustomConfiguration smReverseProxyhProviderConfiguration =
DenisSinelnikov marked this conversation as resolved.
Show resolved Hide resolved
authApplication.getAuthConfiguration().getAuthProviderConfiguration(RPAuthProvider.AUTH_PROVIDER);
boolean createNew = false;
DenisSinelnikov marked this conversation as resolved.
Show resolved Hide resolved
if (smReverseProxyhProviderConfiguration == null) {
createNew = true;
smReverseProxyhProviderConfiguration = new SMAuthProviderCustomConfiguration(RPAuthProvider.AUTH_PROVIDER);
smReverseProxyhProviderConfiguration.setProvider(RPAuthProvider.AUTH_PROVIDER);
smReverseProxyhProviderConfiguration.setDisplayName("Reverse Proxy");
smReverseProxyhProviderConfiguration.setDescription(
"Automatically created provider after changing Reverse Proxy configuration way in 23.3.3 version"
);
smReverseProxyhProviderConfiguration.setIconURL("");
Map<String, Object> parameters = new HashMap<>();
parameters.put(RPConstants.PARAM_USER, RPAuthProvider.X_USER);
parameters.put(RPConstants.PARAM_LOGOUT_URL, RPAuthProvider.X_LOGOUT_URL);
parameters.put(RPConstants.PARAM_TEAM, RPAuthProvider.X_LOGOUT_URL);
parameters.put(RPConstants.PARAM_FIRST_NAME, RPAuthProvider.X_FIRST_NAME);
parameters.put(RPConstants.PARAM_LAST_NAME, RPAuthProvider.X_LAST_NAME);
smReverseProxyhProviderConfiguration.setParameters(parameters);
}

if (createNew) {
authApplication.getAuthConfiguration().addAuthProviderConfiguration(smReverseProxyhProviderConfiguration);
try {
authApplication.flushConfiguration();
} catch (Exception e) {
log.error("Failed to save server configuration", e);
}
}
}

private boolean migrationNotNeeded(@NotNull WebApplication application) {
if (!(application instanceof WebAuthApplication authApplication)) {
return true;
}

if (!authApplication.getAuthConfiguration().isAuthProviderEnabled(RPAuthProvider.AUTH_PROVIDER)) {
log.debug("Reverse proxy provider disabled, migration not needed");
return true;
}

if (authApplication.getAuthConfiguration().getAuthProviderConfiguration(RPAuthProvider.AUTH_PROVIDER) != null) {
DenisSinelnikov marked this conversation as resolved.
Show resolved Hide resolved
log.debug("Reverse proxy provider already exist, migration not needed");
return true;
}
return false;
}
}
11 changes: 11 additions & 0 deletions server/bundles/io.cloudbeaver.service.security/plugin.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,24 @@
<authProvider id="reverseProxy" label="Reverse proxy"
description="Reverse proxy header based authentication"
trusted="true"
configurable="true"
class="io.cloudbeaver.auth.provider.rp.RPAuthProvider"
icon="platform:/plugin/org.jkiss.dbeaver.model/icons/tree/key.png">
<credentials>
<propertyGroup label="General">
<property id="user" label="User name" type="string" description="User name" admin="true" user="true" identifying="true"/>
</propertyGroup>
</credentials>
<configuration>
<propertyGroup label="Configuration">
<property id="logout-url-header" label="Logout url" type="string" description="Logout url"/>
<property id="user-header" label="User header name" type="string" description="User header name"/>
<property id="team-header" label="Team name" type="string" description="Team header name"/>
<property id="first-name-header" label="First name header" type="string" description="First name header name"/>
<property id="last-name-header" label="Last name header" type="string" description="Last name header name"/>
<property id="role-header" label="Role header" type="string" description="Role header name" features="distributed"/>
</propertyGroup>
</configuration>
</authProvider>
</extension>
</plugin>
1 change: 1 addition & 0 deletions ...s/io.cloudbeaver.service.security/src/io/cloudbeaver/auth/provider/rp/RPAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ public class RPAuthProvider implements SMAuthProviderExternal<SMSession> {
public static final String X_ROLE_TE = "X-Role-TE";
public static final String X_FIRST_NAME = "X-First-name";
public static final String X_LAST_NAME = "X-Last-name";
public static final String X_LOGOUT_URL = "X-logout-url";
public static final String AUTH_PROVIDER = "reverseProxy";

@NotNull
Expand Down
Loading