diff --git a/app/controllers/admin/api/services/proxies_controller.rb b/app/controllers/admin/api/services/proxies_controller.rb index b459af5ee8..66e462e021 100644 --- a/app/controllers/admin/api/services/proxies_controller.rb +++ b/app/controllers/admin/api/services/proxies_controller.rb @@ -54,6 +54,7 @@ def show ##~ op.parameters.add name: "error_status_no_match", description: "Status code when no mapping rule is matched.", dataType: "int", paramType: "query", required: false ##~ op.parameters.add name: "error_headers_no_match", description: "Content-Type header when no mapping rule is matched.", dataType: "string", paramType: "query", required: false ##~ op.parameters.add name: "oidc_issuer_endpoint", description: "Location of your OpenID Provider.", dataType: "string", paramType: "query", required: false + ##~ op.parameters.add name: "oidc_issuer_type", description: "Type of your OpenID Provider.", dataType: "string", paramType: "query", required: false ##~ op.parameters.add name: "sandbox_endpoint", description: "Sandbox endpoint.", dataType: "string", paramType: "query", required: false # def update @@ -76,7 +77,7 @@ def proxy_params error_status_auth_failed error_status_auth_failed error_headers_auth_failed error_status_auth_missing error_headers_auth_missing error_no_match error_status_no_match error_headers_no_match secret_token hostname_rewrite - oauth_login_url api_test_path oidc_issuer_endpoint] + oauth_login_url api_test_path oidc_issuer_endpoint oidc_issuer_type] params.require(:proxy).permit(permitted_params) end diff --git a/app/controllers/api/integrations_controller.rb b/app/controllers/api/integrations_controller.rb index a77792a178..fb53ffd027 100644 --- a/app/controllers/api/integrations_controller.rb +++ b/app/controllers/api/integrations_controller.rb 
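Review bot: The new `oidc_issuer_type` swagger parameter does not tell API clients which values are accepted, while the model in this same commit restricts it to `keycloak` and `rest` through an inclusion validation, so any other value is rejected with an error the documentation does not predict. Spell the allowed values out, e.g. `##~ op.parameters.add name: "oidc_issuer_type", description: "Type of your OpenID Provider (keycloak or rest).", dataType: "string", paramType: "query", required: false`, or use an `allowableValues` entry if the swagger DSL in use supports one. The documentation block this line belongs to continues outside the hunk.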
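Review bot: `oidc_issuer_type` is permitted here unconditionally, whereas `Api::IntegrationsController#proxy_params` in this same commit permits it (together with `oidc_issuer_endpoint`) only when `provider_can_use?(:apicast_oidc)`. The model's inclusion validation still caps the stored value at `keycloak`/`rest`, so this is not an injection path, but if the feature flag is meant to gate OIDC configuration the admin API route bypasses it; the same asymmetry already existed for `oidc_issuer_endpoint`, so it may be intentional, in which case a comment would save the next reader the question, e.g. `# OIDC fields are feature-gated in Api::IntegrationsController only; the admin API relies on the Proxy validations.` `proxy_params` starts outside the hunk.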
@@ -233,7 +233,10 @@ def proxy_params basic_fields << :endpoint if @service.using_proxy_pro? || @proxy.saas_script_driven_apicast_self_managed? - basic_fields << :oidc_issuer_endpoint if provider_can_use?(:apicast_oidc) + if provider_can_use?(:apicast_oidc) + basic_fields << :oidc_issuer_endpoint + basic_fields << :oidc_issuer_type + end params.require(:proxy).permit(*basic_fields) end diff --git a/app/models/proxy.rb b/app/models/proxy.rb index abf6ca55b9..e9a9349fd7 100644 --- a/app/models/proxy.rb +++ b/app/models/proxy.rb @@ -31,6 +31,11 @@ class Proxy < ApplicationRecord HTTP_HEADER = /\A[{}\[\]\d,.;@#~%&()?\w_"= \/\\:-]+\Z/ + OIDC_ISSUER_TYPES = { + keycloak: I18n.t(:keycloak, scope: 'proxy.oidc_issuer_type').freeze, + rest: I18n.t(:rest, scope: 'proxy.oidc_issuer_type').freeze, + }.freeze + validates :api_backend, uri: { path: proc { provider_can_use?(:proxy_private_base_path) } }, non_localhost: { message: :protected_domain } @@ -59,12 +64,14 @@ class Proxy < ApplicationRecord format: { with: HTTP_HEADER } validates :api_test_path, length: { maximum: 8192 } - validates :endpoint, :api_backend, :auth_app_key, :auth_app_id, :auth_user_key, :oidc_issuer_endpoint, + validates :endpoint, :api_backend, :auth_app_key, :auth_app_id, :auth_user_key, + :oidc_issuer_endpoint, :oidc_issuer_type, :credentials_location, :error_auth_failed, :error_auth_missing, :authentication_method, :error_headers_auth_failed, :error_headers_auth_missing, :error_no_match, :error_headers_no_match, :secret_token, :hostname_rewrite, :sandbox_endpoint, length: { maximum: 255 } + validates :oidc_issuer_type, inclusion: { in: OIDC_ISSUER_TYPES.keys.map(&:to_s), allow_blank: true }, presence: { if: ->(proxy) { proxy.oidc_issuer_endpoint.present? } } validate :policies_config_structure accepts_nested_attributes_for :proxy_rules, allow_destroy: true 
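Review bot: The new three-line `if` block breaks the one-line modifier style of the neighbouring `basic_fields << :endpoint if …` line for what is still a single condition. A one-liner keeps the method scannable and behaves identically: `basic_fields.push(:oidc_issuer_endpoint, :oidc_issuer_type) if provider_can_use?(:apicast_oidc)`. `proxy_params` starts outside the hunk.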
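Review bot: `OIDC_ISSUER_TYPES` calls `I18n.t` in the class body, so the labels are resolved once at class load, in whatever locale happens to be active at that moment (and, when the model is loaded from a migration or a console, possibly before the application locales are available), and a missing key bakes the `translation missing:` string into the constant for the lifetime of the process. Keep the constant to the stored values, `OIDC_ISSUER_TYPES = %i[keycloak rest].freeze`, and translate at call time in `Proxy.oidc_issuer_types`; the inclusion validation further down would then use `OIDC_ISSUER_TYPES.map(&:to_s)`. The per-value `.freeze` is also redundant once the hash itself is frozen and the strings are only ever read.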
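Review bot: The new `validates :oidc_issuer_type, inclusion: …, presence: …` line packs two unrelated rules, one of them with an inline lambda, into a single very long line, unlike the one-rule-per-line style of the surrounding validations. Splitting it also lets the presence condition use the attribute query method, which ActiveRecord already defines with blank-string semantics: `validates :oidc_issuer_type, inclusion: { in: OIDC_ISSUER_TYPES.keys.map(&:to_s), allow_blank: true }` followed by `validates :oidc_issuer_type, presence: { if: :oidc_issuer_endpoint? }`. The inclusion rule is what keeps the gateway-facing value bounded, so it should stay ahead of any future relaxation of the admin API permit list.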
@@ -142,6 +149,10 @@ def oidc_configuration super || build_oidc_configuration(standard_flow_enabled: true) end + def self.oidc_issuer_types + OIDC_ISSUER_TYPES.invert + end + class DeploymentStrategy # @return Proxy attr_reader :proxy diff --git a/app/representers/proxy_representer.rb b/app/representers/proxy_representer.rb index f21888fe72..76600ef373 100644 --- a/app/representers/proxy_representer.rb +++ b/app/representers/proxy_representer.rb @@ -36,6 +36,7 @@ class ProxyRepresenter < ThreeScale::Representer property :lock_version property :oidc_issuer_endpoint, if: ->(*) { oidc? } + property :oidc_issuer_type, if: ->(*) { oidc? } class JSON < ProxyRepresenter include Roar::JSON diff --git a/app/views/api/integrations/apicast/shared/_authentication_settings.html.slim b/app/views/api/integrations/apicast/shared/_authentication_settings.html.slim index 67968c1c6e..6fe2815d20 100644 --- a/app/views/api/integrations/apicast/shared/_authentication_settings.html.slim +++ b/app/views/api/integrations/apicast/shared/_authentication_settings.html.slim @@ -1,5 +1,7 @@ = f.toggled_inputs 'Authentication Settings' do - if @service.oidc? + = f.input :oidc_issuer_type, hint: true, as: :select, + collection: Proxy.oidc_issuer_types, selected: @proxy.oidc_issuer_type || Proxy.column_defaults['oidc_issuer_type'] = f.input :oidc_issuer_endpoint, hint: true, input_html: { placeholder: "https://sso.example.com/auth/realms/gateway" } = f.inputs "OIDC Authorization flow" do = f.semantic_fields_for :oidc_configuration do |config| diff --git a/config/locales/en.yml b/config/locales/en.yml index 115a60a76a..668f9ed4a6 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1072,6 +1072,7 @@ en: hosted_proxy_endpoint: "Public Base URL" production_endpoint: "Public Base URL" oidc_issuer_endpoint: "OpenID Connect Issuer" + oidc_issuer_type: "OpenID Connect Issuer Type" profile: company_url: URL 
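Review bot: `self.oidc_issuer_types` returns `OIDC_ISSUER_TYPES.invert`, i.e. the labels captured when the class was loaded, so the select built from it never follows the request locale and would permanently expose any `translation missing:` text that ended up in the constant. Resolving the labels inside the method keeps the same label => value shape the formtastic `collection:` option expects while translating on every call, and it works with the hash constant as currently defined.
```ruby
# Label => stored value pairs for the issuer-type select, translated per call
# so the labels follow the current I18n.locale.
def self.oidc_issuer_types
  OIDC_ISSUER_TYPES.keys.each_with_object({}) do |type, options|
    options[I18n.t(type, scope: 'proxy.oidc_issuer_type')] = type
  end
end
```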
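Review bot: `@proxy.oidc_issuer_type || Proxy.column_defaults['oidc_issuer_type']` only falls back for `nil`; an empty string, which the model accepts whenever `oidc_issuer_endpoint` is blank (`allow_blank: true`), is truthy in Ruby, so the select renders with no option chosen. Use `selected: @proxy.oidc_issuer_type.presence || Proxy.column_defaults['oidc_issuer_type']`. Separately, `hint: true` looks up a `formtastic.hints.proxy.oidc_issuer_type` key; the en.yml hunks in this commit add the label and the option names but are cut off before the hints section, so I could not confirm the key exists — if it is missing the hint is blank or shows a missing-translation string depending on the formtastic version, worth checking.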
@@ -1124,7 +1125,9 @@ en: headers: "As HTTP Headers" query: "As query parameters (GET) or body parameters (POST/PUT/DELETE)" authorization: "As HTTP Basic Authentication" - + oidc_issuer_type: + keycloak: 'Red Hat Single Sign-On' + rest: 'REST API' formtastic: hints: user: diff --git a/db/migrate/20190530065503_add_proxies_oidc_issuer_type.rb b/db/migrate/20190530065503_add_proxies_oidc_issuer_type.rb new file mode 100644 index 0000000000..5285e2ae94 --- /dev/null +++ b/db/migrate/20190530065503_add_proxies_oidc_issuer_type.rb @@ -0,0 +1,15 @@ +class AddProxiesOIDCIssuerType < ActiveRecord::Migration + def change + add_column :proxies, :oidc_issuer_type, :string, default: nil + + reversible do |dir| + dir.up do + Proxy.where.not(oidc_issuer_endpoint: nil).select(:id).find_in_batches(batch_size: 10_000) do |batch| + Proxy.where(id: batch).update_all(oidc_issuer_type: 'keycloak') + end + + change_column_default :proxies, :oidc_issuer_type, 'keycloak' + end + end + end +end diff --git a/db/schema.rb b/db/schema.rb index bc00a56540..e8d74c3a40 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20190527104222) do +ActiveRecord::Schema.define(version: 20190530065503) do create_table "access_tokens", force: :cascade do |t| t.integer "owner_id", limit: 8, null: false @@ -1082,6 +1082,7 @@ t.integer "lock_version", limit: 8, default: 0, null: false t.string "authentication_method", limit: 255 t.text "policies_config", limit: 65535 + t.string "oidc_issuer_type", limit: 255, default: "keycloak" end add_index "proxies", ["service_id"], name: "index_proxies_on_service_id", using: :btree diff --git a/test/unit/proxy_test.rb b/test/unit/proxy_test.rb index ee9b96dec7..cc6145a6bd 100644 --- a/test/unit/proxy_test.rb +++ b/test/unit/proxy_test.rb 
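Review bot: The backfill goes through the application `Proxy` model, whose class body now runs `I18n.t` and whose validations and callbacks will keep changing after this migration is written; a migration that references the live model breaks the moment the model expects a column or behaviour this schema version does not have. `update_all` already bypasses validations, so nothing from the model is actually needed — a minimal table-bound class scoped to the migration (or a raw `execute`) keeps the backfill stable. Note also that `ActiveRecord::Migration` is used without a version suffix; that is fine on Rails 4.2 but is deprecated/rejected on 5+, so confirm against the Rails version in use.
```ruby
class AddProxiesOIDCIssuerType < ActiveRecord::Migration
  # Table-bound stand-in so the backfill does not depend on app/models/proxy.rb.
  class MigrationProxy < ActiveRecord::Base
    self.table_name = 'proxies'
  end

  # … unchanged: add_column …
        MigrationProxy.where.not(oidc_issuer_endpoint: nil).select(:id).find_in_batches(batch_size: 10_000) do |batch|
          MigrationProxy.where(id: batch).update_all(oidc_issuer_type: 'keycloak')
        end
  # … unchanged: change_column_default …
```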
@@ -505,6 +505,7 @@ def test_set_correct_endpoints assert_difference proxy_changed_events.method(:count) do @proxy.oidc_issuer_endpoint = 'http://example.com' + @proxy.oidc_issuer_type = 'keycloak' @proxy.save! end end
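Review bot: The only test change is setting `oidc_issuer_type = 'keycloak'` so an existing test still saves; nothing exercises the new validation itself, so the rules that an unknown type is rejected and that a type is required whenever an issuer endpoint is set have no coverage. A dedicated test on the model pins both, which matters because the inclusion check is what keeps the value bounded for the gateway. The test method containing the hunk starts outside the hunk; the sketch below assumes `@proxy` is provided by the class `setup`, as the surrounding test relies on.
```ruby
def test_oidc_issuer_type_validation
  @proxy.oidc_issuer_endpoint = 'http://example.com'

  @proxy.oidc_issuer_type = nil
  refute @proxy.valid?
  assert_includes @proxy.errors.keys, :oidc_issuer_type

  @proxy.oidc_issuer_type = 'bogus'
  refute @proxy.valid?
  assert_includes @proxy.errors.keys, :oidc_issuer_type

  @proxy.oidc_issuer_type = 'rest'
  @proxy.valid?
  assert_empty @proxy.errors[:oidc_issuer_type]
end
```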