Take over the responsibility of pass-auth and pass-docker reverse proxy

README.md

@@ -20,7 +20,7 @@ java -jar pass-core-main.jar
 
 By default an in memory database is used.
 
-Look at http://localhost:8080/ to see the auto-created documentation and a UI for testing out the api.
+Look at http://localhost:8080/swagger/ to see the auto-created documentation and a UI for testing out the api.
 
 You can directly make request with the UI and see what happens. Note when doing a POST to create an object, be sure to edit the type field to have the correct object type and delete the id field to have the id auto-generated.
 
@@ -51,6 +51,8 @@ Environment variables:
 * AWS_REGION=us-east-1
 * AWS_ACCESS_KEY_ID=xxx
 * AWS_SECRET_ACCESS_KEY=xxx
+* PASS_CORE_APP_LOCATION=classpath:app
+* PASS_CORE_APP_CSP=default-src 'self';
 * PASS_CORE_DATABASE_URL=jdbc:postgresql://postgres:5432/pass
 * PASS_CORE_DATABASE_USERNAME=pass
 * PASS_CORE_DATABASE_PASSWORD=moo
@@ -62,6 +64,14 @@ Environment variables:
 * PASS_CORE_EMBED_JMS_BROKER=true
 * PASS_CORE_SUBMISSION_QUEUE=pass-submission
 * PASS_CORE_DEPOSIT_QUEUE=pass-deposit
+* PASS_CORE_IDP_METADATA=classpath:saml2/idp-metadata.xml
+* PASS_CORE_DEAULT_LOGIN_SUCCESS=/app/
+* PASS_CORE_LOGOUT_SUCCESS=/app/
+* PASS_CORE_LOGOUT_DELETE_COOKIES="JSESSIONID /"
+* PASS_CORE_SP_ID=https://sp.pass/shibboleth
+* PASS_CORE_SP_ACS=http://localhost:8080/login/saml2/sso/pass
+* PASS_CORE_SP_KEY=classpath:saml2/sp-key.pem
+* PASS_CORE_SP_CERT=classpath:saml2/sp-cert.pem
 * PASS_CORE_SUBMISSION_EVENT_QUEUE=pass-submission-event
 * PASS_CORE_USERTOKEN_KEY=xxx
   * If not present, one is generated. See the [user service](pass-core-user-service/README.md) for how to create manually.
@@ -71,22 +81,36 @@ Environment variables:
   * Used when services send URLs to the client such as relationship links.
 
 The environment variables in `pass-core-main/.env` are intended to be used for local testing of pass-core in isolation.
-For the local PASS demo environment, for example, we would specify `PASS_CORE_BASE_URL=https://pass.local`
 
 # Access control
 
-This application is meant to be deployed behind a proxy which ensures clients are authenticated.
-Clients either have a backend or submitter role. The backend can do everything.
-The submitter is restricted to creating and modifying certain objects in the data model.
-The submitter has full access to all other services.
+SAML 2.0 and HTTP basic authentication are supported. An authenticated user is either authorized with a `BACKEND` or `SUBMITTER` role.
 
-A request which has gone through the proxy must have headers set which give information about the client.
-The client is mapped to a PASS User object. That object is created if the client is formerly unknown. If the
-client is already known, the existing client User object updated with any new information. In this case the
-client will have a submitter role.
+A user that does a SAML login is mapped to a PASS user using locator ids. The provided SAML properties of the user
+are interpreted using the spring property `pass.auth.attribute-map`. The user is assigned the `SUBMITTER` role.
 
-If a request has not gone through the proxy, it must be authenticated with HTTP basic. This is used for requests coming from the backend.
-Note the environment variables above which set the backend user credentials.
+There is a single `BACKEND` user specified which can be logged in as using HTTP basic.
+
+The `BACKEND` role can do everything. The `SUBMITTER` role is restricted to creating and modifying certain objects in the data model.
+The `SUBMITTER` has full access to all other services. 
+
+# SAML configuration
+
+The `PASS_CORE_SP_KEY` and `PASS_CORE_SP_CERT` environment variables set the location of the keys used by pass-core to encrypt SAML communication.
+Use `PASS_CORE_SP_ID` to set the identifier of the pass-core SP, `PASS_CORE_IDP_METADATA` to set the location where IDP metadata can be retrieved,
+and `PASS_CORE_SP_ACS` for the Assertion Consumer Service of the SP.
+
+The defaults are set such that the integration tests can run against a [SimpleSAMLphp based IDP](https://github.com/kenchan0130/docker-simplesamlphp/) using resources included in `saml2/`. These defaults should not be used in production.
+
+The image can be run with:
+```
+docker run --name=idp -p 8090:8080 -e SIMPLESAMLPHP_SP_ENTITY_ID=https://sp.pass/shibboleth -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:8080/login/saml2/sso/pass -e SIMPLESAMLPHP_IDP_BASE_URL=http://localhost:8090/   -v ./pass-core/pass-core/main/src/main/resources/saml2/authsources.php:/var/www/simplesamlphp/config/authsources.php -d kenchan0130/simplesamlphp
+```
+Note the volume mount which is set the user information appropriately for PASS.
+
+# App service
+
+The PASS application is available at `/app/` and `/` is redirected to `/app/`. Requests are resolved against the location given by the environment variable `PASS_CORE_APP_LOCATION`. If a request cannot be resolved, then `/app/index.html` will be returned.  This allows the user interface to handle paths which may not resolve to files.
 
 # User service
 
@@ -110,9 +134,12 @@ The [metadata schema service](pass-core-metadataschema-service/README.md) provid
 
 # JSON API
 
-JSON API is deployed at `/data`. All of our data model is available, just divided into attributes and relationships. Note that identifiers are now integers, not URIs.
+JSON API is deployed at `/data/`. All of our data model is available, just divided into attributes and relationships. Note that identifiers are now integers, not URIs.
 See https://elide.io/pages/guide/v6/10-jsonapi.html for information on how Elide provides support for filtering and sorting.
 
+See `/swagger/` for auto-generated documentation.
+
+
 ## Creating a RepositoryCopy
 
 ```

pass-core-main/pom.xml

@@ -9,6 +9,13 @@
 
   <artifactId>pass-core-main</artifactId>
 
+  <repositories>
+    <repository>
+      <id>shibboleth-releases</id>
+      <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
+    </repository>
+  </repositories>
+
   <dependencies>
     <dependency>
       <groupId>org.slf4j</groupId>
@@ -147,7 +154,12 @@
       <artifactId>ocfl-java-api</artifactId>
       <version>${ocfl.java.core.version}</version>
     </dependency>
-
+
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-saml2-service-provider</artifactId>
+    </dependency>
+
     <!-- Test dependencies -->
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -174,6 +186,17 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.testcontainers</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.squareup.okhttp3</groupId>
+      <artifactId>okhttp-urlconnection</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

pass-core-main/src/main/java/org/eclipse/pass/main/JmsConfiguration.java

@@ -132,6 +132,7 @@ public TokenFactory userTokenFactory(@Value("${pass.usertoken.key:#{null}}") Str
      * Provide a JMS connection to Amazon SQS if configured to do so.
      *
      * @param awsRegion AWS region
+     * @throws URISyntaxException when failing to configure
      * @return JmsListenerContainerFactory
      */
     @Bean

pass-core-main/src/main/java/org/eclipse/pass/main/security/ShibAuthentication.java → pass-core-main/src/main/java/org/eclipse/pass/main/security/PassAuthentication.java

@@ -27,11 +27,11 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
- * A ShibAuthentication wraps information from a PASS user.
+ * A PassAuthentication wraps information from a PASS user.
  * The PASS user roles are mapped to authorities.
  * The PASS user username becomes the name and can be used to lookup the user object.
  */
-public class ShibAuthentication implements Authentication {
+public class PassAuthentication implements Authentication {
     private static final long serialVersionUID = 1L;
 
     /**
@@ -49,9 +49,9 @@ public class ShibAuthentication implements Authentication {
      *
      * @param user PASS user
      */
-    public ShibAuthentication(User user) {
+    public PassAuthentication(User user) {
         this.user_name = user.getUsername();
-        this.authorities = user.getRoles().stream().map(ShibAuthentication::as_authority).
+        this.authorities = user.getRoles().stream().map(PassAuthentication::as_authority).
                 filter(Objects::nonNull).collect(Collectors.toList());
     }