Cb 4389 convert reverse proxy

server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/auth/SMAuthProviderFederated.java

@@ -27,17 +27,12 @@
  * Federated auth provider.
  * Provides links to external auth resource
  */
-public interface SMAuthProviderFederated {
+public interface SMAuthProviderFederated extends SMSignOutLinkProvider {
 
     @NotNull
     String getSignInLink(String id, @NotNull Map<String, Object> providerConfig) throws DBException;
 
-    /**
-     * @return a common link for logout, not related with the user context
-     */
-    @NotNull
-    String getCommonSignOutLink(String id, @NotNull Map<String, Object> providerConfig) throws DBException;
-
+    @Override
     default String getUserSignOutLink(
         @NotNull SMAuthProviderCustomConfiguration providerConfig,
         @NotNull Map<String, Object> userCredentials

server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/auth/SMSignOutLinkProvider.java

@@ -0,0 +1,37 @@
+/*
+ * DBeaver - Universal Database Manager
+ * Copyright (C) 2010-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cloudbeaver.auth;
+
+import org.jkiss.code.NotNull;
+import org.jkiss.dbeaver.DBException;
+import org.jkiss.dbeaver.model.security.SMAuthProviderCustomConfiguration;
+
+import java.util.Map;
+
+public interface SMSignOutLinkProvider {
+
+    /**
+     * @return a common link for logout, not related with the user context
+     */
+    @NotNull
+    String getCommonSignOutLink(String id, @NotNull Map<String, Object> providerConfig) throws DBException;
+
+    String getUserSignOutLink(
+        @NotNull SMAuthProviderCustomConfiguration providerConfig,
+        @NotNull Map<String, Object> userCredentials
+    ) throws DBException;
+}

server/bundles/io.cloudbeaver.model/src/io/cloudbeaver/registry/WebAuthProviderConfiguration.java

@@ -18,6 +18,7 @@
 
 import io.cloudbeaver.auth.CBAuthConstants;
 import io.cloudbeaver.auth.SMAuthProviderFederated;
+import io.cloudbeaver.auth.SMSignOutLinkProvider;
 import io.cloudbeaver.utils.WebAppUtils;
 import org.jkiss.dbeaver.DBException;
 import org.jkiss.dbeaver.Log;
@@ -85,8 +86,8 @@ private String buildRedirectUrl(String baseUrl) {
     @Property
     public String getSignOutLink() throws DBException {
         SMAuthProvider<?> instance = providerDescriptor.getInstance();
-        return instance instanceof SMAuthProviderFederated
-            ? ((SMAuthProviderFederated) instance).getCommonSignOutLink(getId(), config.getParameters())
+        return instance instanceof SMSignOutLinkProvider
+            ? ((SMSignOutLinkProvider) instance).getCommonSignOutLink(getId(), config.getParameters())
             : null;
     }
 

server/bundles/io.cloudbeaver.service.auth/plugin.xml

@@ -7,6 +7,9 @@
         <service id="auth" label="User authentication" description="User authentication services" class="io.cloudbeaver.service.auth.WebServiceBindingAuth">
 
         </service>
+        <service id="reverse.configurator" label="Reverse Proxy Configurator" description="Reverse proxy configurator"
+                 class="io.cloudbeaver.service.auth.ReverseProxyConfigurator">
+        </service>
     </extension>
     <extension point="io.cloudbeaver.handler">
         <sessionHandler id="RPSessionHandler" class="io.cloudbeaver.service.auth.RPSessionHandler"/>

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPConstants.java

@@ -0,0 +1,26 @@
+/*
+ * DBeaver - Universal Database Manager
+ * Copyright (C) 2010-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cloudbeaver.service.auth;
+
+interface RPConstants {
+    String PARAM_LOGOUT_URL = "logout-url";
+    String PARAM_USER = "user-header";
+    String PARAM_TEAM = "team-header";
+    String PARAM_FIRST_NAME = "first-name-header";
+    String PARAM_LAST_NAME = "last-name-header";
+    String PARAM_ROLE_NAME = "role-header";
+}

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPSessionHandler.java

@@ -33,6 +33,7 @@
 import org.jkiss.dbeaver.DBException;
 import org.jkiss.dbeaver.Log;
 import org.jkiss.dbeaver.model.auth.SMAuthInfo;
+import org.jkiss.dbeaver.model.security.SMAuthProviderCustomConfiguration;
 import org.jkiss.dbeaver.model.security.SMConstants;
 import org.jkiss.dbeaver.model.security.SMController;
 import org.jkiss.dbeaver.model.security.SMStandardMeta;
@@ -41,10 +42,10 @@
 
 import java.io.IOException;
 import java.text.MessageFormat;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 public class RPSessionHandler implements DBWSessionHandler {
 
@@ -62,22 +63,38 @@
         return false;
     }
 
-    public void reverseProxyAuthentication(@NotNull HttpServletRequest request, @NotNull WebSession webSession) throws DBWebException {
+    public void reverseProxyAuthentication(@NotNull HttpServletRequest request, @NotNull WebSession webSession) throws DBException {
         SMController securityController = webSession.getSecurityController();
         WebAuthProviderDescriptor authProvider = WebAuthProviderRegistry.getInstance().getAuthProvider(RPAuthProvider.AUTH_PROVIDER);
         if (authProvider == null) {
             throw new DBWebException("Auth provider " + RPAuthProvider.AUTH_PROVIDER + " not found");
         }
         SMAuthProviderExternal<?> authProviderExternal = (SMAuthProviderExternal<?>) authProvider.getInstance();
-        String userName = request.getHeader(RPAuthProvider.X_USER);
-        String teams = request.getHeader(RPAuthProvider.X_TEAM);
+        SMAuthProviderCustomConfiguration configuration = WebAppUtils.getWebAuthApplication()
+            .getAuthConfiguration()
+            .getAuthCustomConfigurations()
+            .stream()
+            .filter(p -> p.getProvider().equals(authProvider.toString()))
+            .findFirst()
+            .orElse(null);
+        Map<String, Object> paramConfigMap = new HashMap<>();
+        if (configuration != null) {
+            authProvider.getConfigurationParameters().forEach(p ->
+                paramConfigMap.put(p.getId(), configuration.getParameters().get(p.getId())
+                ));
+        }
+        String userName = request.getHeader(
+            resolveParam(paramConfigMap.get(RPConstants.PARAM_USER), RPAuthProvider.X_USER)
+        );
+        String teams = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_TEAM), RPAuthProvider.X_TEAM));
         if (CommonUtils.isEmpty(teams)) {
             // backward compatibility
             teams = request.getHeader(RPAuthProvider.X_ROLE);
         }
-        String role = request.getHeader(RPAuthProvider.X_ROLE_TE);
-        String firstName = request.getHeader(RPAuthProvider.X_FIRST_NAME);
-        String lastName = request.getHeader(RPAuthProvider.X_LAST_NAME);
+        String role = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_ROLE_NAME), RPAuthProvider.X_ROLE_TE));
+        String firstName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_FIRST_NAME), RPAuthProvider.X_FIRST_NAME));
+        String lastName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_LAST_NAME), RPAuthProvider.X_LAST_NAME));
+        String logoutUrl = Objects.requireNonNull(configuration).getParameter(RPConstants.PARAM_LOGOUT_URL);
         List<String> userTeams = teams == null ? Collections.emptyList() : List.of(teams.split("\\|"));
         if (userName != null) {
             try {
@@ -89,6 +106,9 @@
                 if (!CommonUtils.isEmpty(lastName)) {
                     credentials.put(SMStandardMeta.META_LAST_NAME, lastName);
                 }
+                if (CommonUtils.isNotEmpty(logoutUrl)) {
+                    credentials.put("logoutUrl", logoutUrl);
+                }
                 Map<String, Object> sessionParameters = webSession.getSessionParameters();
                 sessionParameters.put(SMConstants.SESSION_PARAM_TRUSTED_USER_TEAMS, userTeams);
                 sessionParameters.put(SMConstants.SESSION_PARAM_TRUSTED_USER_ROLE, role);
@@ -102,7 +122,7 @@
                         webSession.getSessionId(),
                         currentSmSessionId,
                         sessionParameters,
-                        WebSession.CB_SESSION_TYPE, authProvider.getId(), null, userCredentials);
+                        WebSession.CB_SESSION_TYPE, authProvider.getId(), configuration.getId(), userCredentials);
                     new WebSessionAuthProcessor(webSession, smAuthInfo, false).authenticateSession();
                     log.debug(MessageFormat.format(
                         "Successful reverse proxy authentication: user ''{0}'' with teams {1}", userName, userTeams));
@@ -120,4 +140,11 @@
     public boolean handleSessionClose(WebSession webSession) throws DBException, IOException {
         return false;
     }
+
+    private String resolveParam(Object value, String defaultValue) {
+        if (value != null && !value.toString().isEmpty()) {
+            return value.toString();
+        }
+        return defaultValue;
+    }
 }

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/ReverseProxyConfigurator.java

@@ -0,0 +1,110 @@
+/*
+ * DBeaver - Universal Database Manager
+ * Copyright (C) 2010-2024 DBeaver Corp and others
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cloudbeaver.service.auth;
+
+import io.cloudbeaver.auth.provider.rp.RPAuthProvider;
+import io.cloudbeaver.model.app.WebAppConfiguration;
+import io.cloudbeaver.model.app.WebApplication;
+import io.cloudbeaver.model.app.WebAuthApplication;
+import io.cloudbeaver.model.session.WebSession;
+import io.cloudbeaver.service.DBWServiceServerConfigurator;
+import org.jkiss.code.NotNull;
+import org.jkiss.code.Nullable;
+import org.jkiss.dbeaver.DBException;
+import org.jkiss.dbeaver.Log;
+import org.jkiss.dbeaver.model.security.SMAuthProviderCustomConfiguration;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class ReverseProxyConfigurator implements DBWServiceServerConfigurator {
+    private static final Log log = Log.getLog(ReverseProxyConfigurator.class);
+
+    @Override
+    public void configureServer(
+        @NotNull WebApplication application,
+        @Nullable WebSession session,
+        @NotNull WebAppConfiguration appConfig
+    ) throws DBException {
+    }
+
+    @Override
+    public void migrateConfigurationIfNeeded(@NotNull WebApplication application) throws DBException {
+        if (migrationNotNeeded(application)) {
+            return;
+        }
+        migrateConfiguration(application);
+    }
+
+    @Override
+    public void reloadConfiguration(@NotNull WebAppConfiguration appConfig) throws DBException {
+
+    }
+
+    private void migrateConfiguration(
+        @NotNull WebApplication application
+    ) {
+        if (!(application instanceof WebAuthApplication authApplication)) {
+            return;
+        }
+
+        SMAuthProviderCustomConfiguration smReverseProxyProviderConfiguration =
+            authApplication.getAuthConfiguration().getAuthProviderConfiguration(RPAuthProvider.AUTH_PROVIDER);
+        if (smReverseProxyProviderConfiguration  == null) {
+            smReverseProxyProviderConfiguration  = new SMAuthProviderCustomConfiguration(RPAuthProvider.AUTH_PROVIDER);
+            smReverseProxyProviderConfiguration.setProvider(RPAuthProvider.AUTH_PROVIDER);
+            smReverseProxyProviderConfiguration.setDisplayName("Reverse Proxy");
+            smReverseProxyProviderConfiguration.setDescription(
+                "Automatically created provider after changing Reverse Proxy configuration way in 23.3.4 version"
+            );
+            smReverseProxyProviderConfiguration .setIconURL("");
+            Map<String, Object> parameters = new HashMap<>();
+            parameters.put(RPConstants.PARAM_USER, RPAuthProvider.X_USER);
+            parameters.put(RPConstants.PARAM_TEAM, RPAuthProvider.X_TEAM);
+            parameters.put(RPConstants.PARAM_FIRST_NAME, RPAuthProvider.X_FIRST_NAME);
+            parameters.put(RPConstants.PARAM_LAST_NAME, RPAuthProvider.X_LAST_NAME);
+            smReverseProxyProviderConfiguration.setParameters(parameters);
+            authApplication.getAuthConfiguration().addAuthProviderConfiguration(smReverseProxyProviderConfiguration );
+            try {
+                authApplication.flushConfiguration();
+            } catch (Exception e) {
+                log.error("Failed to save server configuration", e);
+            }
+        }
+    }
+
+    private boolean migrationNotNeeded(@NotNull WebApplication application) {
+        if (!(application instanceof WebAuthApplication authApplication)) {
+            return true;
+        }
+
+        if (!authApplication.getAuthConfiguration().isAuthProviderEnabled(RPAuthProvider.AUTH_PROVIDER)) {
+            log.debug("Reverse proxy provider disabled, migration not needed");
+            return true;
+        }
+
+        boolean isReverseProxyConfigured = authApplication.getAuthConfiguration()
+            .getAuthCustomConfigurations().stream()
+            .anyMatch(p -> p.getProvider().equals(RPAuthProvider.AUTH_PROVIDER));
+
+        if (isReverseProxyConfigured) {
+            log.debug("Reverse proxy provider already exist, migration not needed");
+            return true;
+        }
+        return false;
+    }
+}

server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/impl/WebServiceAuthImpl.java

@@ -19,6 +19,7 @@
 import io.cloudbeaver.DBWebException;
 import io.cloudbeaver.WebServiceUtils;
 import io.cloudbeaver.auth.SMAuthProviderFederated;
+import io.cloudbeaver.auth.SMSignOutLinkProvider;
 import io.cloudbeaver.auth.provider.local.LocalAuthProvider;
 import io.cloudbeaver.model.WebPropertyInfo;
 import io.cloudbeaver.model.session.WebAuthInfo;
@@ -148,18 +149,26 @@ public WebLogoutInfo authLogout(
             var cbApp = CBApplication.getInstance();
             for (WebAuthInfo removedInfo : removedInfos) {
                 if (removedInfo.getAuthProviderDescriptor()
-                    .getInstance() instanceof SMAuthProviderFederated federatedProvider
-                    && removedInfo.getAuthSession() instanceof SMSessionExternal externalSession
+                    .getInstance() instanceof SMSignOutLinkProvider provider
+                    && removedInfo.getAuthSession() != null
                 ) {
                     var providerConfig =
                         cbApp.getAuthConfiguration().getAuthProviderConfiguration(removedInfo.getAuthConfiguration());
                     if (providerConfig == null) {
                         log.warn(removedInfo.getAuthConfiguration() + " provider configuration wasn't found");
                         continue;
                     }
-                    String logoutUrl = federatedProvider.getUserSignOutLink(providerConfig,
-                        externalSession.getAuthParameters());
-                    logoutUrls.add(logoutUrl);
+                    String logoutUrl;
+                    if (removedInfo.getAuthSession() instanceof SMSessionExternal externalSession) {
+                        logoutUrl = provider.getUserSignOutLink(providerConfig,
+                            externalSession.getAuthParameters());
+                    } else {
+                        logoutUrl = provider.getUserSignOutLink(providerConfig,
+                            Map.of());
+                    }
+                    if (CommonUtils.isNotEmpty(logoutUrl)) {
+                        logoutUrls.add(logoutUrl);
+                    }
                 }
             }
             return new WebLogoutInfo(logoutUrls);

server/bundles/io.cloudbeaver.service.security/plugin.xml

@@ -18,13 +18,24 @@
         <authProvider id="reverseProxy" label="Reverse proxy"
                       description="Reverse proxy header based authentication"
                       trusted="true"
+                      configurable="true"
                       class="io.cloudbeaver.auth.provider.rp.RPAuthProvider"
                       icon="platform:/plugin/org.jkiss.dbeaver.model/icons/tree/key.png">
             <credentials>
                 <propertyGroup label="General">
                     <property id="user" label="User name" type="string" description="User name" admin="true" user="true" identifying="true"/>
                 </propertyGroup>
             </credentials>
+            <configuration>
+                <propertyGroup label="Configuration">
+                    <property id="logout-url" label="Logout url" type="string" description="Logout url"/>
+                    <property id="user-header" label="User header name" type="string" description="User header name"/>
+                    <property id="team-header" label="Team name" type="string" description="Team header name"/>
+                    <property id="first-name-header" label="First name header" type="string" description="First name header name"/>
+                    <property id="last-name-header" label="Last name header" type="string" description="Last name header name"/>
+                    <property id="role-header" label="Role header" type="string" description="Role header name" features="distributed"/>
+                </propertyGroup>
+            </configuration>
         </authProvider>
     </extension>
 </plugin>