Take over the responsibility of pass-auth and pass-docker reverse proxy

[markpatton]

This pr updates to pass-core to take over the responsibility of the reverse proxy and pass-auth in pass-docker.

Major changes:

• Support SAML login
• Stateful because otherwise every request would result in hitting the IDP
• Logout of session by using /logout. Does not log out of IDP.
• Serve out /app/ from a resource specified by PASS_CORE_APP_LOCATION
• Integration tests run against IDP in Docker container on port 8090 and pass-core on port 8080
• Expected keys for SAML user properties are configurable
• CSP header set here and not in pass-ui now
• / redirects to /app/index.html
• /swagger/ now forward to /swagger/index.html
  • The /doc and /swagger endpoint locations are not actually configurable although the Elide docs say they are

By default pass-core is configured to run against an IDP on port 8090 base on SimpleSAMLphp. See https://github.com/kenchan0130/docker-simplesamlphp/ for info about the image. Resources for this are in in saml2/ on the classpath.

The /app/ requests are handled by the Spring Boot support for serving out static resources from a location. The location can be on the classpath, a file, or a http url. Requests to /app/* that do not match a resource result in /app/index.html being served out. This is needed for the routes that that the ui handles.

In order to work around some SAML login issues /favicon.ico is forwarded to /app/favicon.ico and both are public.

In order for logout to completely logout of the IDP in pass-docker, there is special handling where it can be configured to delete the idp session cookie on logout. See PASS_CORE_LOGOUT_DELETE_COOKIES. We will not be able to delete the IDP cookies on staging so will have to see what the logout behavior is like.

For how to test see description on this pr: eclipse-pass/pass-acceptance-testing#16

Related prs:

• Have pass-core take over reverse proxy and pass-auth pass-docker#365
• Replace pass-auth authenticated service with user service pass-ui#1260
• Update for pass-auth consolidation pass-acceptance-testing#16

Open questions:

• Session timeout handling by pass-ui

Known problems:

• Acceptance tests will not pass until related prs are merged
• Looks like pass-support integration tests which use testcontainers waiting for /data/grant on pass-core are timing out. It may be the case testcontainers is setting Accept headers such that it looks like a browser and initiating SAML login. Fixed by: Modify pass-core test container to use basic auth in wait strategy. pass-support#104

TODO (create issues for these):

• Turn on CSRF
• Update documentation in main:
  • https://github.com/eclipse-pass/main/blob/main/docs/dev/authentication-authorization.md

[rpoet-jh]

Great job, Mark! I haven't performed any testing yet. I figured I'd post this review with the questions/comments I have first.

[rpoet-jh]

I did a round of testing using pass-docker and all the associated changes. Here are the results:

Things that may need tuning:

test logout, switching to different user
- had to go and clear all cookies, then the login page was displayed
- I think it would be good to figure out how to clear all the cookies on logout and redirect to idp login page

after logged in, clear all cookies, browser redirects to idp and logs in. I see two JSESSIONID cookies, one for / and one for /idp with an info that it was blocked. not sure if this is an issue, but maybe something to investigate.

login, then restart pass-docker, then click on link, and basic auth prompt from browser popped up

If going to root path http://localhost:8080/, i think it should redirect to http://localhost:8080/app/ since most users are not concerned with swagger docs. The swagger docs should be associated to another path, some like http://localhost:8080/api-docs/

type invalid path: http://localhost:8080/app/grants/52ggg resulted in blank page

logged in as nih-user, http://localhost:8080/app/grants/62 show grant page even though not a pi or co-pi, i guess this is how it is, but it seems odd from an authorization perspective

Tests completed that worked as expected:

pass-acceptance-tests passed

test deposit into local jscholarship, passed
test deposit into local jscholarship and fake pmc sftp server, passed
test deposit with doi into local jscholarship and fake pmc sftp server, passed

test going to /, /app/* and /data/* path without login, passed with redirect to idp login page

http://localhost:8080/swagger/index.html - passed, redirected to idp login before access

http://localhost:8080/app/assets/chunk.app.888ed776cb92702e5241.js without login, passed with redirect to login

Test with postman

In general, this worked fine. However, I saw in some cases a JSESSIONID was set even though a 401 was returned.

http://localhost:8080/data/grant - no auth, return 401 html page (accept set to */*) No Set-Cookie of JSESSIONID=node0ue094...mmr924.node0; Path=/

http://localhost:8080/data/grant - no auth, return 401 status, no body (accept set to application/vnd.api+json). Has Set-Cookie of JSESSIONID=node0ue094...mmr924.node0; Path=/

http://localhost:8080/data/grant - no auth, return 401 status with standard json body (accept set to application/json). No Set-Cookie of JSESSIONID=node0ue094...mmr924.node0; Path=/

http://localhost:8080/data/grant - with basic auth, returned grants. JSESSIONID with node... set, cookie is expired session, httponly false, secure false

http://localhost:8080/user/whoami - with basic auth (backend/backend) - 500 error, json body (accept set to */*)
{
"message": "No user matching principal: backend"
}

[rpoet-jh]

@markpatton just a heads up that I see three comments that look to still have pending questions/actions.

[rpoet-jh]

@msp just confirming this is staying as is? #82 (comment)

[markpatton]

@msp just confirming this is staying as is? #82 (comment)

Correct. Added a comment.