feat: [WIP] Implement OIDC sign-in

.devcontainer/devcontainer.json

@@ -21,7 +21,9 @@
     "frontend",
     "incron",
     "minion",
-    "redis"
+    "redis",
+    "redis-listener",
+    "keycloak"
   ],
   "workspaceFolder": "/opt/product-opener",
   "customizations": {

.env

@@ -53,7 +53,7 @@ FACETS_KP_URL = https://facets-kp.openfoodfacts.org/render-to-html
 # we push updated products to Redis stream so that every service is notified
 # when a product is updated/deleted/created
 # use `redis:6379` locally if you want to enable Redis
-REDIS_URL=
+REDIS_URL=redis:6379
 GOOGLE_CLOUD_VISION_API_KEY=
 CROWDIN_PROJECT_IDENTIFIER=
 CROWDIN_PROJECT_KEY=
@@ -64,4 +64,17 @@ ELASTICSEARCH_HOSTS=
 LOG_LEVEL_ROOT=TRACE
 LOG_LEVEL_MONGODB=TRACE
 
-BUILD_CACHE_REPO=openfoodfacts/openfoodfacts-build-cache
+KEYCLOAK_ADMIN=root
+KEYCLOAK_ADMIN_PASSWORD=test
+KEYCLOAK_BASE_URL=http://auth.openfoodfacts.localhost:5600
+KEYCLOAK_REALM_NAME=open-products-facts
+KEYCLOAK_EXPOSE_PORT=5600
+KC_HOSTNAME_URL=http://auth.openfoodfacts.localhost:5600
+KC_HOSTNAME_ADMIN_URL=http://auth.openfoodfacts.localhost:5600
+KC_PROXY_HEADERS=xforwarded
+
+PRODUCT_OPENER_OIDC_CLIENT_ID=ProductOpener
+PRODUCT_OPENER_OIDC_CLIENT_SECRET=Cf4NdSAjZsNO9HLcuXeuvukzFu00roQa
+PRODUCT_OPENER_OIDC_DISCOVERY_ENDPOINT=http://auth.openfoodfacts.localhost:5600/realms/open-products-facts/.well-known/openid-configuration
+
+BUILD_CACHE_REPO=openfoodfacts/openfoodfacts-build-cache

.gitignore

@@ -66,7 +66,6 @@ nytprof*.out
 # Local databases
 data/mongodb
 Lang.open*
-users_emails.sto
 html/data/*
 html/products_countries.js
 products_stats_*.html

Dockerfile

@@ -53,7 +53,6 @@ RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt set -x && \
         libcache-memcached-fast-perl \
         libjson-pp-perl \
         libclone-perl \
-        libcrypt-passwdmd5-perl \
         libencode-detect-perl \
         libgraphics-color-perl \
         libbarcode-zbar-perl \
@@ -67,6 +66,7 @@ RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt set -x && \
         libdbd-pg-perl \
         libtemplate-perl \
         liburi-escape-xs-perl \
+        libanyevent-redis-perl \
         # NB: not available in ubuntu 1804 LTS:
         libmath-random-secure-perl \
         libfile-copy-recursive-perl \
@@ -78,8 +78,7 @@ RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt set -x && \
         liblog-log4perl-perl \
         liblog-any-adapter-log4perl-perl \
         # NB: not available in ubuntu 1804 LTS:
-        libgeoip2-perl \
-        libemail-valid-perl
+        libgeoip2-perl
 RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt set -x && \
     apt install -y \
         #
@@ -158,6 +157,8 @@ RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt set -x && \
         libperl-dev \
         # needed to build Apache2::Connection::XForwardedFor
         libapache2-mod-perl2-dev \
+        # OpenSSL dev needed by OIDC::Lite
+        libssl-dev \
         # Imager::zxing - build deps
         cmake \
         pkg-config \

Makefile

@@ -119,7 +119,7 @@ build:
 	@echo "🥫 Building containers …"
 	${DOCKER_COMPOSE} build ${args} ${container} 2>&1
 
-_up:
+_up: deps
 	@echo "🥫 Starting containers …"
 	${DOCKER_COMPOSE} up -d 2>&1
 	@echo "🥫 started service at http://openfoodfacts.localhost"
@@ -255,7 +255,7 @@ checks: front_build front_lint check_perltidy check_perl_fast check_critic check
 
 lint: lint_perltidy lint_taxonomies
 
-tests: build_taxonomies_test build_lang_test unit_test integration_test
+tests: deps build_taxonomies_test build_lang_test unit_test integration_test
 
 # add COVER_OPTS='-e HARNESS_PERL_SWITCHES="-MDevel::Cover"' if you want to trigger code coverage report generation
 unit_test: create_folders
@@ -270,7 +270,7 @@ integration_test: create_folders
 # we launch the server and run tests within same container
 # we also need dynamicfront for some assets to exists
 # this is the place where variables are important
-	${DOCKER_COMPOSE_INT_TEST} up -d memcached postgres mongodb backend dynamicfront incron minion redis
+	${DOCKER_COMPOSE_INT_TEST} up -d memcached postgres mongodb backend dynamicfront incron minion redis redis-listener frontend
 # note: we need the -T option for ci (non tty environment)
 	${DOCKER_COMPOSE_INT_TEST} exec ${COVER_OPTS} -e PO_EAGER_LOAD_DATA=1 -T backend yath -PProductOpener::LoadData tests/integration
 	${DOCKER_COMPOSE_INT_TEST} stop
@@ -295,7 +295,7 @@ test-unit: guard-test create_folders
 # you can also add args= to pass more options to your test command
 test-int: guard-test create_folders
 	@echo "🥫 Running test: 'tests/integration/${test}' …"
-	${DOCKER_COMPOSE_INT_TEST} up -d memcached postgres mongodb backend dynamicfront incron minion redis
+	${DOCKER_COMPOSE_INT_TEST} up -d memcached postgres mongodb backend dynamicfront incron minion redis redis-listener frontend
 	${DOCKER_COMPOSE_INT_TEST} exec -e PO_EAGER_LOAD_DATA=1 backend ${TEST_CMD} ${args} tests/integration/${test}
 # better shutdown, for if we do a modification of the code, we need a restart
 	${DOCKER_COMPOSE_INT_TEST} stop backend
@@ -310,7 +310,7 @@ clean_tests:
 
 update_tests_results: build_taxonomies_test build_lang_test
 	@echo "🥫 Updated expected test results with actuals for easy Git diff"
-	${DOCKER_COMPOSE_TEST} up -d memcached postgres mongodb backend dynamicfront incron
+	${DOCKER_COMPOSE_TEST} up -d memcached postgres mongodb backend dynamicfront incron redis redis-listener keycloak  redis redis-listener frontend
 	${DOCKER_COMPOSE_TEST} run --no-deps --rm -e GITHUB_TOKEN=${GITHUB_TOKEN} backend /opt/product-opener/scripts/taxonomies/build_tags_taxonomy.pl ${name}
 	${DOCKER_COMPOSE_TEST} run --rm backend perl -I/opt/product-opener/lib -I/opt/perl/local/lib/perl5 /opt/product-opener/scripts/build_lang.pl
 	${DOCKER_COMPOSE_TEST} exec -T -w /opt/product-opener/tests backend bash update_tests_results.sh
@@ -494,3 +494,12 @@ guard-%: # guard clause for targets that require an environment variable (usuall
    		exit 1; \
 	fi;
 
+# Load dependent projects
+deps:
+	@for dep in "openfoodfacts-auth" ; do \
+		if [ ! -d ../$$dep ]; then \
+			git clone --filter=blob:none --sparse \
+				https://github.com/openfoodfacts/$$dep.git ../$$dep; \
+		fi; \
+		cd ../$$dep && make -e run; \
+	done

cgi/auth.pl

@@ -31,6 +31,7 @@
 use ProductOpener::Users qw/$User_id %User is_admin_user/;
 use ProductOpener::Lang qw/:all/;
 use ProductOpener::Tags qw/country_to_cc/;
+use ProductOpener::Auth qw/write_auth_deprecated_headers/;
 
 use Apache2::Const -compile => qw(OK);
 use CGI qw/:cgi :form escapeHTML/;

cgi/change_password.pl

@@ -3,7 +3,7 @@
 # This file is part of Product Opener.
 #
 # Product Opener
-# Copyright (C) 2011-2023 Association Open Food Facts
+# Copyright (C) 2011-2024 Association Open Food Facts
 # Contact: [email protected]
 # Address: 21 rue des Iles, 94100 Saint-Maur des Fossés, France
 #
@@ -25,78 +25,17 @@
 use CGI::Carp qw(fatalsToBrowser);
 
 use ProductOpener::Config qw/:all/;
-use ProductOpener::Paths qw/:all/;
-use ProductOpener::Store qw/:all/;
-use ProductOpener::Display qw/$tt display_page init_request process_template single_param/;
-use ProductOpener::Users qw/$User_id check_password_hash create_password_hash retrieve_user store_user/;
-use ProductOpener::Lang qw/lang/;
+use ProductOpener::Display qw/init_request display_error_and_exit redirect_to_url/;
 
-use Apache2::Const -compile => qw(OK);
-use CGI qw/:cgi :form escapeHTML/;
-use URI::Escape::XS;
-use Encode;
-use Log::Any qw($log);
+use URI::Escape::XS qw/uri_escape/;
 
 my $request_ref = ProductOpener::Display::init_request();
 
-my $template_data_ref = {method => $ENV{'REQUEST_METHOD'}};
-
-$log->info('start') if $log->is_info();
-if (not defined $User_id) {
-	my $r = shift;
-	$r->headers_out->set(Location => '/cgi/login.pl?redirect=/cgi/change_password.pl');
-	$r->status(307);
-	return Apache2::Const::OK;
+unless ((defined $oidc_options{keycloak_base_url}) and (defined $oidc_options{keycloak_realm_name})) {
+	display_error_and_exit($request_ref, 'File not found.', 404);
 }
 
-my @errors = ();
-
-if ($ENV{'REQUEST_METHOD'} eq 'POST') {
-	# TODO: This will change for Keycloak
-	my $user_ref = retrieve_user($User_id);
-	if (not(defined $user_ref)) {
-		push @errors, 'undefined user';
-		$template_data_ref->{success} = 0;
-	}
-
-	my $hash_is_correct = check_password_hash(encode_utf8(decode utf8 => single_param('current_password')),
-		$user_ref->{'encrypted_password'});
-
-	# We don't have the right password
-	if (not $hash_is_correct) {
-		$log->info(
-			'bad password - input does not match stored hash',
-			{encrypted_password => $user_ref->{'encrypted_password'}}
-		) if $log->is_info();
-		push @errors, lang('error_bad_login_password');
-	}
-
-	if (length(single_param('password')) < 6) {
-		push @errors, lang('error_invalid_password');
-	}
-
-	if ((single_param('password')) ne (single_param('confirm_password'))) {
-		push @errors, lang('error_different_passwords');
-	}
-
-	if (scalar(@errors) > 0) {
-		$template_data_ref->{success} = 0;
-	}
-	else {
-		$user_ref->{encrypted_password} = create_password_hash(encode_utf8(decode utf8 => single_param('password')));
-		store_user($user_ref);
-		$template_data_ref->{success} = 1;
-	}
-}
-
-$template_data_ref->{errors} = \@errors;
-
-my $html;
-process_template('web/pages/change_password/change_password.tt.html', $template_data_ref, \$html) or $html = '';
-if ($tt->error()) {
-	$html .= '<p>' . $tt->error() . '</p>';
-}
+my $redirect
+	= $oidc_options{keycloak_base_url} . '/admin/realms/' . uri_escape($oidc_options{keycloak_realm_name}) . '/users';
 
-$request_ref->{title} = lang('change_password');
-$request_ref->{content_ref} = \$html;
-display_page($request_ref);
+redirect_to_url($request_ref, 302, $redirect);

cgi/login.pl

@@ -3,7 +3,7 @@
 # This file is part of Product Opener.
 #
 # Product Opener
-# Copyright (C) 2011-2023 Association Open Food Facts
+# Copyright (C) 2011-2024 Association Open Food Facts
 # Contact: [email protected]
 # Address: 21 rue des Iles, 94100 Saint-Maur des Fossés, France
 #
@@ -28,71 +28,55 @@
 use ProductOpener::Paths qw/:all/;
 use ProductOpener::Store qw/:all/;
 use ProductOpener::Display qw/:all/;
-use ProductOpener::Users qw/$User_id check_password_hash retrieve_user/;
+use ProductOpener::Users qw/$User_id retrieve_user/;
 use ProductOpener::Lang qw/lang/;
+use ProductOpener::Auth qw/password_signin access_to_protected_resource/;
 
-use Apache2::Const -compile => qw(OK);
+use Apache2::Const -compile => qw/OK :http/;
 use CGI qw/:cgi :form escapeHTML/;
 use URI::Escape::XS;
 use Encode;
 use Log::Any qw($log);
 
 my $request_ref = ProductOpener::Display::init_request();
 
-my $template_data_ref = {};
-
 $log->info('start') if $log->is_info();
 
 my $r = shift;
 my $redirect = single_param('redirect');
-$template_data_ref->{redirect} = $redirect;
+my $loc = $redirect || $formatted_subdomain . "/cgi/session.pl";
+my $status_code = Apache2::Const::HTTP_BAD_REQUEST;
+my $final_status_set = 0;
 if (defined $User_id) {
-	my $loc = $redirect || $formatted_subdomain . "/cgi/session.pl";
+	# User is already signed in via cookie or similar, as determined by init_request.
 	$r->headers_out->set(Location => $loc);
-	$r->err_headers_out->add('Set-Cookie' => $request_ref->{cookie});
-	$r->status(302);
-	return Apache2::Const::OK;
+	$status_code = Apache2::Const::HTTP_MOVED_TEMPORARILY;
+	$final_status_set = 1;
 }
 
-my @errors = ();
-
-if ($ENV{'REQUEST_METHOD'} eq 'POST') {
-	my $user_ref = retrieve_user($User_id);
-	if (not(defined $user_ref)) {
-		push @errors, 'undefined user';
-		$template_data_ref->{success} = 0;
-	}
-
-	my $hash_is_correct
-		= check_password_hash(encode_utf8(decode utf8 => single_param('password')), $user_ref->{'encrypted_password'});
-
-	# We don't have the right password
-	if (not $hash_is_correct) {
-		$log->info(
-			'bad password - input does not match stored hash',
-			{encrypted_password => $user_ref->{'encrypted_password'}}
-		) if $log->is_info();
-		push @errors, lang('error_bad_login_password');
-	}
+if (not($final_status_set) and (not($ENV{'REQUEST_METHOD'} eq 'POST'))) {
+	# After OIDC/Keycloak integration, the original login form is no longer used.
+	# However, some external sites (ie. Hunger Games) may still be using it.
+	$request_ref->{return_url} = single_param('redirect');
+	access_to_protected_resource($request_ref);
+	$final_status_set = 1;
+}
 
-	if (scalar(@errors) > 0) {
-		$template_data_ref->{success} = 0;
+if (not($final_status_set)) {
+	my ($oidc_user_id, $refresh_token, $refresh_expires_at, $access_token, $access_expires_at, $id_token)
+		= password_signin(encode_utf8(decode utf8 => single_param('user_id')),
+		encode_utf8(decode utf8 => single_param('password')));
+	if ($oidc_user_id) {
+		$r->headers_out->set(Location => $loc);
+		$status_code = Apache2::Const::HTTP_MOVED_TEMPORARILY;
 	}
 	else {
-		$template_data_ref->{success} = 1;
+		$status_code = Apache2::Const::HTTP_UNAUTHORIZED;
 	}
-}
 
-$template_data_ref->{errors} = \@errors;
-
-# Display the sign in form
-my $html;
-process_template('web/pages/session/sign_in_form.tt.html', $template_data_ref, \$html) or $html = '';
-if ($tt->error()) {
-	$html .= '<p>' . $tt->error() . '</p>';
+	$final_status_set = 1;
 }
 
-$request_ref->{title} = lang('login_register_title');
-$request_ref->{content_ref} = \$html;
-display_page($request_ref);
-
+$r->err_headers_out->add('Set-Cookie' => $request_ref->{cookie});
+$r->status($status_code);
+return Apache2::Const::OK;