diff --git a/cypress.config.js b/cypress.config.js index e4fb11d4f..f2d91e0a3 100644 --- a/cypress.config.js +++ b/cypress.config.js @@ -1,7 +1,8 @@ -const { defineConfig } = require('cypress') +const { defineConfig } = require('cypress'); module.exports = defineConfig({ e2e: { - baseUrl: process.env.CYPRESS_BASE_URL ||'http://localhost:3000', + baseUrl: process.env.CYPRESS_BASE_URL || 'http://localhost:3000', + chromeWebSecurity: false, // Required for OIDC testing }, -}) \ No newline at end of file +}); diff --git a/cypress/e2e/login.cy.js b/cypress/e2e/login.cy.js index 179001c75..590506f62 100644 --- a/cypress/e2e/login.cy.js +++ b/cypress/e2e/login.cy.js @@ -1,19 +1,33 @@ -describe("Display finos UI",()=>{ - - beforeEach(() =>{ - cy.visit('/login') - }) - it('shoud find git proxy logo',() =>{ - cy.get('[data-test="git-proxy-logo"]').should('exist') -}) - it('shoud find username',() =>{ - cy.get('[data-test="username"]').should('exist') - }) +describe('Login page', () => { + beforeEach(() => { + cy.visit('/login'); + }); - it('shoud find passsword',() =>{ - cy.get('[data-test="password"]').should('exist') - }) - it('shoud find login button',() =>{ - cy.get('[data-test="login"]').should('exist') - }) -}) \ No newline at end of file + it('should have git proxy logo', () => { + cy.get('[data-test="git-proxy-logo"]').should('exist'); + }); + + it('should have username input', () => { + cy.get('[data-test="username"]').should('exist'); + }); + + it('should have passsword input', () => { + cy.get('[data-test="password"]').should('exist'); + }); + + it('should have login button', () => { + cy.get('[data-test="login"]').should('exist'); + }); + + describe('OIDC login button', () => { + it('should exist', () => { + cy.get('[data-test="oidc-login"]').should('exist'); + }); + + // Validates that OIDC is configured correctly + it('should redirect to /oidc', () => { + cy.get('[data-test="oidc-login"]').click(); + cy.url().should('include', '/oidc'); + }); + }); +}); 
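Review bot: `chromeWebSecurity: false` switches off the same-origin policy for the Cypress-driven browser across every spec in the project, not only the OIDC flow, and the trailing comment does not say what needs it or that it is a test-only relaxation. Make the reason explicit where the setting lives: `chromeWebSecurity: false, // test-only: lets the login spec follow the cross-origin redirect to the identity provider`. If the OIDC spec is the only consumer, it is worth recording that so the flag can be reconsidered if that spec changes.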
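Review bot: The `should redirect to /oidc` test is satisfied as soon as the browser leaves the login page, because `cy.url().should('include', '/oidc')` also matches the API URL the button navigates to (`/api/auth/oidc` in Login.jsx), so it does not demonstrate that the provider redirect works as the comment above it claims. If the intent is only to check the wiring, say so: `// Only checks that the button navigates to the API's /oidc endpoint; the provider round-trip is not exercised`. What happens beyond that presumably depends on an OIDC configuration being present in the test environment. The title `'should have passsword input'` carries the old typo forward.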
diff --git a/package-lock.json b/package-lock.json index f82320fd0..4a3e553db 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.8.0", + "version": "1.8.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.8.0", + "version": "1.8.1", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" @@ -38,6 +38,7 @@ "moment": "^2.29.4", "mongodb": "^5.0.0", "nodemailer": "^6.6.1", + "openid-client": "^6.2.0", "parse-diff": "^0.11.1", "passport": "^0.7.0", "passport-activedirectory": "^1.0.4", @@ -8502,6 +8503,15 @@ "jiti": "lib/jiti-cli.mjs" } }, + "node_modules/jose": { + "version": "5.9.6", + "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz", + "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/js-tokens": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", @@ -9969,6 +9979,15 @@ "node": ">=6" } }, + "node_modules/oauth4webapi": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/oauth4webapi/-/oauth4webapi-3.2.0.tgz", + "integrity": "sha512-2sYwQXuuzGKOHpnM7QL9BssDrly5gKCgJKTyrhmFIHzJRj0fFsr6GVJEdesmrX6NpMg2u63V4hJwRsZE6PUSSA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/object-assign": { "version": "4.1.1", "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", 
@@ -10115,6 +10134,19 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/openid-client": { + "version": "6.2.0", + "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-6.2.0.tgz", + "integrity": "sha512-pvLVkLcRWNU7YuKKTto376rgL//+rn3ca0XRqsrQVN30lVlpXBPHhSLcGoM/hPbux5p+Ha4tdoz96eEYpyguOQ==", + "license": "MIT", + "dependencies": { + "jose": "^5.9.6", + "oauth4webapi": "^3.2.0" + }, + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/optionator": { "version": "0.9.3", "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", diff --git a/package.json b/package.json index 1b26cfee0..5af35bfd0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.8.0", + "version": "1.8.1", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js", @@ -59,6 +59,7 @@ "moment": "^2.29.4", "mongodb": "^5.0.0", "nodemailer": "^6.6.1", + "openid-client": "^6.2.0", "parse-diff": "^0.11.1", "passport": "^0.7.0", "passport-activedirectory": "^1.0.4", diff --git a/src/db/file/index.js b/src/db/file/index.js index f77833f52..03dd8ecf0 100644 --- a/src/db/file/index.js +++ b/src/db/file/index.js @@ -12,6 +12,7 @@ module.exports.canUserCancelPush = pushes.canUserCancelPush; module.exports.canUserApproveRejectPush = pushes.canUserApproveRejectPush; module.exports.findUser = users.findUser; +module.exports.findUserByOIDC = users.findUserByOIDC; module.exports.getUsers = users.getUsers; module.exports.createUser = users.createUser; module.exports.deleteUser = users.deleteUser; diff --git a/src/db/file/users.js b/src/db/file/users.js index e29dfa4f7..9d0d122e9 100644 --- a/src/db/file/users.js +++ b/src/db/file/users.js 
@@ -22,6 +22,22 @@ exports.findUser = function (username) { }); }; +exports.findUserByOIDC = function (oidcId) { + return new Promise((resolve, reject) => { + db.findOne({ oidcId: oidcId }, (err, doc) => { + if (err) { + reject(err); + } else { + if (!doc) { + resolve(null); + } else { + resolve(doc); + } + } + }); + }); +}; + exports.createUser = function (data) { return new Promise((resolve, reject) => { db.insert(data, (err) => { diff --git a/src/db/index.js b/src/db/index.js index e685279f5..ed2c13524 100644 --- a/src/db/index.js +++ b/src/db/index.js @@ -7,21 +7,30 @@ if (config.getDatabase().type === 'mongo') { sink = require('../db/file'); } -module.exports.createUser = async (username, password, email, gitAccount, admin = false) => { +module.exports.createUser = async ( + username, + password, + email, + gitAccount, + admin = false, + oidcId = null, +) => { console.log( `creating user user=${username}, gitAccount=${gitAccount} email=${email}, - admin=${admin}`, + admin=${admin} + oidcId=${oidcId}`, ); const data = { username: username, - password: await bcrypt.hash(password, 10), + password: oidcId ? null : await bcrypt.hash(password, 10), gitAccount: gitAccount, email: email, admin: admin, + oidcId: oidcId, }; if (username === undefined || username === null || username === '') { @@ -56,6 +65,7 @@ module.exports.getPushes = sink.getPushes; module.exports.writeAudit = sink.writeAudit; module.exports.getPush = sink.getPush; module.exports.findUser = sink.findUser; +module.exports.findUserByOIDC = sink.findUserByOIDC; module.exports.getUsers = sink.getUsers; module.exports.deleteUser = sink.deleteUser; module.exports.updateUser = sink.updateUser; diff --git a/src/service/passport/index.js b/src/service/passport/index.js index 92a1c0bd5..a2d7931ef 100644 --- a/src/service/passport/index.js +++ b/src/service/passport/index.js 
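Review bot: `findUserByOIDC` passes its argument straight to `db.findOne({ oidcId: oidcId }, …)`, and with this commit every locally created user is stored with `oidcId: null`, so a nullish lookup key can presumably match a local account instead of nothing; add a guard before the query, `if (!oidcId) return Promise.resolve(null);`. This matters because `deserializeUser` in oidc.js falls back to `user.username` as the session id, a value this function cannot match against `oidcId`. The nested `if (!doc) resolve(null) else resolve(doc)` collapses to `resolve(doc || null)`.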
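Review bot: When `oidcId` is set the record is written with `password: null`, and nothing in the visible part of `createUser` (whose body continues past the hunk) prevents such a record from later reaching the password-based login path; the local strategy is outside this diff, so confirm it rejects a null hash rather than handing it to bcrypt. The new parameter also deserves a line of documentation, e.g. `// oidcId: subject identifier from the OIDC provider; when set, the user has no local password`. Adding a sixth positional parameter is what forced the local.js call site fix in this same commit; an options object would avoid that class of error, though that is a larger change.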
@@ -1,5 +1,6 @@ const local = require('./local'); const activeDirectory = require('./activeDirectory'); +const oidc = require('./oidc'); const config = require('../../config'); const authenticationConfig = config.getAuthentication(); let _passport; @@ -14,10 +15,15 @@ const configure = async () => { case 'local': _passport = await local.configure(); break; + case 'openidconnect': + _passport = await oidc.configure(); + break; default: throw Error(`uknown authentication type ${type}`); } - _passport.type = authenticationConfig.type; + if (!_passport.type) { + _passport.type = type; + } return _passport; }; diff --git a/src/service/passport/local.js b/src/service/passport/local.js index 6bcce7e7e..c75676577 100644 --- a/src/service/passport/local.js +++ b/src/service/passport/local.js @@ -43,7 +43,7 @@ const configure = async () => { const admin = await db.findUser('admin'); if (!admin) { - await db.createUser('admin', 'admin', 'admin@place.com', 'none', true, true, true, true); + await db.createUser('admin', 'admin', 'admin@place.com', 'none', true); } passport.type = 'local'; diff --git a/src/service/passport/oidc.js b/src/service/passport/oidc.js new file mode 100644 index 000000000..904faff04 --- /dev/null +++ b/src/service/passport/oidc.js 
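Review bot: `if (!_passport.type) { _passport.type = type; }` silently lets a strategy module override the configured type, and oidc.js does exactly that with `passport.type = server.host`, presumably because that is the name the strategy registers under; since auth.js then calls `passport.authenticate(passportType)` with the value, the field is doing double duty as the strategy name. Record that where the value is kept: `// oidc.configure() sets type to its strategy name (issuer host); keep it so passport.authenticate(passportType) resolves that strategy`. The `uknown authentication type` message on the context line still has its typo.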
@@ -0,0 +1,114 @@
+const passport = require('passport');
+const db = require('../../db');
+
+const configure = async () => {
+ // Temp fix for ERR_REQUIRE_ESM, will be changed when we refactor to ESM
+ const { discovery, fetchUserInfo } = await import('openid-client');
+ const { Strategy } = await import('openid-client/passport');
+ const config = require('../../config').getAuthentication();
+ const { oidcConfig } = config;
+ const { issuer, clientID, clientSecret, callbackURL, scope } = oidcConfig;
+
+ if (!oidcConfig || !oidcConfig.issuer) {
+ throw new Error('Missing OIDC issuer in configuration')
+ }
+
+ const server = new URL(issuer);
+
+ try {
+ const config = await discovery(server, clientID, clientSecret);
+
+ const strategy = new Strategy({ callbackURL, config, scope }, async (tokenSet, done) => {
+ // Validate token sub for added security
+ const idTokenClaims = tokenSet.claims();
+ const expectedSub = idTokenClaims.sub;
+ const userInfo = await fetchUserInfo(config, tokenSet.access_token, expectedSub);
+ handleUserAuthentication(userInfo, done);
+ });
+
+ // currentUrl must be overridden to match the callback URL
+ strategy.currentUrl = function (request) {
+ const callbackUrl = new URL(callbackURL);
+ const currentUrl = Strategy.prototype.currentUrl.call(this, request);
+ currentUrl.host = callbackUrl.host;
+ currentUrl.protocol = callbackUrl.protocol;
+ return currentUrl;
+ };
+
+ passport.use(strategy);
+
+ passport.serializeUser((user, done) => {
+ done(null, user.oidcId || user.username);
+ })
+
+ passport.deserializeUser(async (id, done) => {
+ try {
+ const user = await db.findUserByOIDC(id);
+ done(null, user);
+ } catch (err) {
+ done(err);
+ }
+ })
+ passport.type = server.host;
+
+ return passport;
+ } catch (error) {
+ console.error('OIDC configuration failed:', error);
+ throw error;
+ }
+}
+
+
+module.exports.configure = configure;
+
+/**
+ * Handles user authentication with OIDC.
+ * @param {Object} userInfo the OIDC user info object
+ * @param {Function} done the callback function
+ * @return {Promise} a promise with the authenticated user or an error
+ */
+const handleUserAuthentication = async (userInfo, done) => {
+ try {
+ const user = await db.findUserByOIDC(userInfo.sub);
+
+ if (!user) {
+ const email = safelyExtractEmail(userInfo);
+ if (!email) return done(new Error('No email found in OIDC profile'));
+
+ const newUser = {
+ username: getUsername(email),
+ email,
+ oidcId: userInfo.sub,
+ };
+
+ await db.createUser(newUser.username, null, newUser.email, 'Edit me', false, newUser.oidcId);
+ return done(null, newUser);
+ }
+
+ return done(null, user);
+ } catch (err) {
+ return done(err);
+ }
+};
+
+/**
+ * Extracts email from OIDC profile.
+ * This function is necessary because OIDC providers have different ways of storing emails.
+ * @param {object} profile the profile object from OIDC provider
+ * @return {string | null} the email address
+ */
+const safelyExtractEmail = (profile) => {
+ return profile.email || (profile.emails && profile.emails.length > 0 ? profile.emails[0].value : null);
+};
+
+/**
+ * Generates a username from email address.
+ * This helps differentiate users within the specific OIDC provider.
+ * Note: This is incompatible with multiple providers. Ideally, users are identified by
+ * OIDC ID (requires refactoring the database).
+ * @param {string} email the email address
+ * @return {string} the username
+ */
+const getUsername = (email) => {
+ return email ? email.split('@')[0] : '';
+};
diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js
index d92a1a236..e433d7ad8 100644
--- a/src/service/routes/auth.js
+++ b/src/service/routes/auth.js
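Review bot: `const { issuer, clientID, clientSecret, callbackURL, scope } = oidcConfig;` runs before the `if (!oidcConfig || !oidcConfig.issuer)` guard, so a missing `oidcConfig` fails with a TypeError from the destructuring instead of the intended 'Missing OIDC issuer in configuration' error; move the guard above the destructuring (and add the semicolon after the `throw`). In `handleUserAuthentication` a first-time OIDC user is created under `getUsername(email)`, the local part of the email, without checking whether that username already exists, and `/userLoggedIn` in auth.js later resolves the session user with `db.findUser(user.username)`, so an identity whose email local part equals an existing local account name (the default `admin`, for instance) would share that name; check `await db.findUser(username)` first and refuse or qualify the name. The inner `const config = await discovery(...)` shadows the outer `config`, which is easy to misread; `providerConfig` would do. `deserializeUser` falls back to `user.username` as the session key but looks it up with `findUserByOIDC`, so that branch can never resolve a user. The mongo sink's `findUserByOIDC` is not in this diff; if it is not added elsewhere, `db.findUserByOIDC` is undefined when the database type is mongo.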
@@ -3,6 +3,7 @@ const router = new express.Router(); const passport = require('../passport').getPassport(); const db = require('../../db'); const passportType = passport.type; +const { GIT_PROXY_UI_HOST: uiHost = 'http://localhost', GIT_PROXY_UI_PORT: uiPort = 3000 } = process.env; router.get('/', (req, res) => { res.status(200).json({ @@ -41,6 +42,29 @@ router.post('/login', passport.authenticate(passportType), async (req, res) => { } }); +router.get('/oidc', passport.authenticate(passportType)); + +router.get('/oidc/callback', (req, res, next) => { + passport.authenticate(passportType, (err, user, info) => { + if (err) { + console.error('Authentication error:', err); + return res.status(401).end(); + } + if (!user) { + console.error('No user found:', info); + return res.status(401).end(); + } + req.logIn(user, (err) => { + if (err) { + console.error('Login error:', err); + return res.status(401).end(); + } + console.log('Logged in successfully. User:', user); + return res.redirect(`${uiHost}:${uiPort}/admin/profile`); + }); + })(req, res, next); +}); + // when login is successful, retrieve user info router.get('/success', (req, res) => { console.log('authenticated' + JSON.stringify(req.user)); @@ -114,10 +138,10 @@ router.post('/gitAccount', async (req, res) => { router.get('/userLoggedIn', async (req, res) => { if (req.user) { const user = JSON.parse(JSON.stringify(req.user)); - delete user.password; + if (user && user.password) delete user.password; const login = user.username; const userVal = await db.findUser(login); - delete userVal.password; + if (userVal && userVal.password) delete userVal.password; res.send(userVal); } else { res.status(401).end(); diff --git a/src/service/routes/users.js b/src/service/routes/users.js index d25bd84d2..118243d70 100644 --- a/src/service/routes/users.js +++ b/src/service/routes/users.js 
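Review bot: `console.log('Logged in successfully. User:', user)` in the callback handler writes the whole user record (email, oidcId and every other stored field) to the log on each OIDC login; log an identifier only, `console.log(\`Logged in successfully. User: ${user.username}\`);`. `router.get('/oidc', passport.authenticate(passportType))` and the callback route are registered regardless of the configured type, so with `local` a GET on `/oidc` runs the local strategy against an empty request — presumably just a 400/401, but mounting both routes only when the configured type is the OIDC one would make that explicit. In the third hunk, `if (userVal && userVal.password) delete userVal.password;` only needs to guard against a null `userVal`, since `delete` on an absent property is already a no-op; `if (userVal) delete userVal.password;` states the intent directly, and the same applies to the identical line in users.js.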
@@ -25,7 +25,7 @@ router.get('/:id', async (req, res) => { console.log(`Retrieving details for user: ${username}`); const data = await db.findUser(username); const user = JSON.parse(JSON.stringify(data)); - delete user.password; + if (user && user.password) delete user.password; res.send(user); }); diff --git a/src/ui/views/Login/Login.jsx b/src/ui/views/Login/Login.jsx index 46c989ca2..719714ec2 100644 --- a/src/ui/views/Login/Login.jsx +++ b/src/ui/views/Login/Login.jsx @@ -33,6 +33,10 @@ export default function UserProfile() { ); } + function handleOIDCLogin() { + window.location.href = `${import.meta.env.VITE_API_URI}/api/auth/oidc`; + } + function handleSubmit(event) { setIsLoading(true); axios @@ -104,7 +108,7 @@ export default function UserProfile() { width={'150px'} src={logo} alt='logo' - data-test ="git-proxy-logo" + data-test='git-proxy-logo' /> @@ -119,7 +123,7 @@ export default function UserProfile() { value={username} onChange={(e) => setUsername(e.target.value)} autoFocus={true} - data-test ='username' + data-test='username' /> @@ -133,7 +137,7 @@ export default function UserProfile() { type='password' value={password} onChange={(e) => setPassword(e.target.value)} - data-test ='password' + data-test='password' /> @@ -141,9 +145,20 @@ export default function UserProfile() { {!isLoading ? ( - + <> + + + ) : (