[DRAFT] Add OpenMFP support

backend/lib/app.js

@@ -20,7 +20,11 @@ const githubWebhook = require('./github/webhook')
 
 const { healthCheck } = require('./healthz')
 
-const { port, metricsPort } = config
+const {
+  port,
+  metricsPort,
+  cspFrameAncestors = []
+} = config
 const periodSeconds = config.readinessProbe?.periodSeconds || 10
 
 // resolve pathnames
@@ -73,7 +77,7 @@ app.use(helmet.contentSecurityPolicy({
     fontSrc: ['\'self\'', 'data:'],
     imgSrc,
     scriptSrc: ['\'self\'', '\'unsafe-eval\''],
-    frameAncestors: ['\'self\'']
+    frameAncestors: ['\'self\'', ...cspFrameAncestors]
   }
 }))
 app.use(helmet.referrerPolicy({
@@ -89,10 +93,6 @@ app.use(expressStaticGzip(PUBLIC_DIRNAME, {
   }
 }))
 app.use(STATIC_PATHS, notFound)
-
-app.use(helmet.xFrameOptions({
-  action: 'deny'
-}))
 app.use(historyFallback(INDEX_FILENAME))
 
 app.use(renderError)

backend/lib/config/gardener.js

@@ -116,11 +116,44 @@ const configMappings = [
     environmentVariableName: 'METRICS_PORT',
     configPath: 'metricsPort',
     type: 'Integer'
+  },
+  {
+    environmentVariableName: 'COOKIE_SAME_SITE_POLICY',
+    configPath: 'cookieSameSitePolicy'
+  },
+  {
+    environmentVariableName: 'CSP_FRAME_ANCESTORS',
+    configPath: 'cspFrameAncestors',
+    type: 'Object'
+  },
+  {
+    environmentVariableName: 'FGA_API_URL',
+    filePath: '/etc/gardener-dashboard/secrets/fga/apiUrl',
+    configPath: 'fgaApiUrl'
+  },
+  {
+    environmentVariableName: 'FGA_STORE_ID',
+    filePath: '/etc/gardener-dashboard/secrets/fga/storeId',
+    configPath: 'fgaStoreId'
+  },
+  {
+    environmentVariableName: 'FGA_AUTHORIZATION_MODEL_ID',
+    filePath: '/etc/gardener-dashboard/secrets/fga/authorizationModelId',
+    configPath: 'fgaAuthorizationModelId'
+  },
+  {
+    environmentVariableName: 'FGA_API_TOKEN',
+    filePath: '/etc/gardener-dashboard/secrets/fga/apiToken',
+    configPath: 'fgaApiToken'
   }
 ]
 
 function parseConfigValue (value, type) {
   switch (type) {
+    case 'Object':
+      return value
+        ? JSON.parse(value)
+        : undefined
     case 'Integer':
       value = parseInt(value, 10)
       return Number.isInteger(value) ? value : undefined

backend/lib/openfga/index.js

@@ -0,0 +1,94 @@
+//
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+const { extend } = require('@gardener-dashboard/request')
+
+const config = require('../config')
+const logger = require('../logger')
+const cache = require('../cache')
+
+const {
+  fgaApiUrl,
+  fgaStoreId,
+  fgaApiToken
+} = config
+
+const fgaClient = fgaApiUrl && fgaStoreId && fgaApiToken
+  ? extend({
+    url: `${fgaApiUrl}/stores/${fgaStoreId}`,
+    responseType: 'json',
+    auth: {
+      bearer: fgaApiToken
+    }
+  })
+  : null
+
+function writeProject (namespace, accountId) {
+  return fgaClient.request('write', {
+    method: 'POST',
+    json: {
+      writes: {
+        tuple_keys: [
+          {
+            object: `gardener_project:${namespace}`,
+            relation: 'parent',
+            user: `account:${accountId}`
+          }
+        ]
+      }
+    }
+  })
+}
+
+function deleteProject (namespace, accountId) {
+  return fgaClient.request('write', {
+    method: 'POST',
+    json: {
+      deletes: {
+        tuple_keys: [
+          {
+            object: `gardener_project:${namespace}`,
+            relation: 'parent',
+            user: `account:${accountId}`
+          }
+        ]
+      }
+    }
+  })
+}
+
+async function listProjects (username, relation = 'viewer') {
+  const type = 'gardener_project'
+  const { objects = [] } = await fgaClient.request('list-objects', {
+    method: 'POST',
+    json: {
+      user: `user:${username}`,
+      relation,
+      type
+    }
+  })
+  logger.debug('Openfga response objects: %s', objects)
+  const projects = []
+  for (const object of objects) {
+    const [prefix, namespace] = object.split(':')
+    if (prefix === type) {
+      try {
+        const project = cache.findProjectByNamespace(namespace)
+        projects.push(project.metadata.name)
+      } catch (err) {
+        logger.debug('Openfga gardener project "%s" not found', namespace)
+      }
+    }
+  }
+  return projects
+}
+
+module.exports = {
+  client: fgaClient,
+  listProjects,
+  writeProject,
+  deleteProject
+}

backend/lib/security/index.js

@@ -15,7 +15,11 @@ const pTimeout = require('p-timeout')
 const { authentication, authorization } = require('../services')
 const createError = require('http-errors')
 const logger = require('../logger')
-const { sessionSecrets, oidc = {} } = require('../config')
+const {
+  sessionSecrets,
+  cookieSameSitePolicy = 'Lax',
+  oidc = {}
+} = require('../config')
 
 const {
   sign,
@@ -44,6 +48,14 @@ const {
   GARDENER_AUDIENCE
 } = require('./constants')
 
+const cookieAtributes = {
+  secure: true,
+  sameSite: cookieSameSitePolicy
+}
+if (cookieSameSitePolicy === 'None') {
+  cookieAtributes.partitioned = true
+}
+
 const {
   issuer,
   redirect_uris: redirectUris = [],
@@ -159,10 +171,9 @@ async function authorizationUrl (req, res) {
     redirectOrigin,
     state
   }, {
-    secure: true,
+    ...cookieAtributes,
     httpOnly: true,
-    maxAge: 180_000, // cookie will be removed after 3 minutes
-    sameSite: 'Lax'
+    maxAge: 180_000 // cookie will be removed after 3 minutes
   })
   const client = await exports.getIssuerClient()
   if (!includes(redirectUris, backendRedirectUri)) {
@@ -177,10 +188,9 @@ async function authorizationUrl (req, res) {
     const codeChallengeMethod = getCodeChallengeMethod(client)
     const codeVerifier = generators.codeVerifier()
     res.cookie(COOKIE_CODE_VERIFIER, codeVerifier, {
-      secure: true,
+      ...cookieAtributes,
       httpOnly: true,
-      maxAge: 180_000, // cookie will be removed after 3 minutes
-      sameSite: 'Lax'
+      maxAge: 180_000 // cookie will be removed after 3 minutes
     })
     switch (codeChallengeMethod) {
       case 'S256':
@@ -251,26 +261,23 @@ async function setCookies (res, tokenSet) {
   const accessToken = tokenSet.access_token
   const [header, payload, signature] = split(accessToken, '.')
   res.cookie(COOKIE_HEADER_PAYLOAD, join([header, payload], '.'), {
-    secure: true,
-    expires: undefined,
-    sameSite: 'Lax'
+    ...cookieAtributes,
+    expires: undefined
   })
   res.cookie(COOKIE_SIGNATURE, signature, {
-    secure: true,
+    ...cookieAtributes,
     httpOnly: true,
-    expires: undefined,
-    sameSite: 'Lax'
+    expires: undefined
   })
   const values = [tokenSet.id_token]
   if (tokenSet.refresh_token) {
     values.push(tokenSet.refresh_token)
   }
   const encryptedValues = await encrypt(values.join(','))
   res.cookie(COOKIE_TOKEN, encryptedValues, {
-    secure: true,
+    ...cookieAtributes,
     httpOnly: true,
-    expires: undefined,
-    sameSite: 'Lax'
+    expires: undefined
   })
   return accessToken
 }