Support single-host mode on the multi-user server

assembly/assembly-root-war/src/main/webapp/_app/loader.js

@@ -278,10 +278,8 @@ class Loader {
      * @param {string} token
      */
     asyncAuthenticate(redirectUrl, token) {
-        const re = new RegExp(/(https?:\/\/[^\/]+?)(?:$|\/).*/),
-            //                  \    /     \     /
-            //                  scheme    host:port
-            url = redirectUrl.replace(re, "$1" + "/jwt/auth");
+        redirectUrl = new URL(redirectUrl);
+        const url = redirectUrl.origin + redirectUrl.pathname + "/jwt/auth";
         return new Promise((resolve, reject) => {
             const request = new XMLHttpRequest();
             request.open('GET', url);
@@ -293,7 +291,7 @@ class Loader {
                     return;
                 }
                 if (request.status !== 204) {
-                    const errorMessage = 'Failed to authenticate: "' + this.getRequestErrorMessage(xhr) + '"';
+                    const errorMessage = 'Failed to authenticate: "' + this.getRequestErrorMessage(request) + '"';
                     reject(new Error(errorMessage));
                     return;
                 }

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/KubernetesServerExposer.java

@@ -174,7 +174,7 @@ public void expose(Map<String, ? extends ServerConfig> servers) throws Infrastru
       Map<String, ServerConfig> matchedExternalServers = match(externalServers, servicePort);
       if (!matchedExternalServers.isEmpty()) {
         externalServerExposer.expose(
-            k8sEnv, machineName, serviceName, servicePort, matchedExternalServers);
+            k8sEnv, machineName, serviceName, serviceName, servicePort, matchedExternalServers);
       }
 
       // expose service port related secure servers if exist

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/external/ExternalServerExposer.java

@@ -51,22 +51,27 @@ public ExternalServerExposer(
    * @param k8sEnv Kubernetes environment
    * @param machineName machine containing servers
    * @param serviceName service associated with machine, mapping all machine server ports
+   * @param pathBase the basis for the path to be used in the ingress - usually this should be the
+   *     service name or the name of the proxy fronting the service
    * @param servicePort specific service port to be exposed externally
    * @param externalServers server configs of servers to be exposed externally
    */
   public void expose(
       T k8sEnv,
       String machineName,
       String serviceName,
+      String pathBase,
       ServicePort servicePort,
       Map<String, ServerConfig> externalServers) {
-    Ingress ingress = generateIngress(machineName, serviceName, servicePort, externalServers);
+    Ingress ingress =
+        generateIngress(machineName, serviceName, pathBase, servicePort, externalServers);
     k8sEnv.getIngresses().put(ingress.getMetadata().getName(), ingress);
   }
 
   private Ingress generateIngress(
       String machineName,
       String serviceName,
+      String pathBase,
       ServicePort servicePort,
       Map<String, ServerConfig> ingressesServers) {
 
@@ -80,7 +85,7 @@ private Ingress generateIngress(
         .withPath(
             String.format(
                 pathTransformFmt,
-                ensureEndsWithSlash(strategy.getIngressPath(serviceName, servicePort))))
+                ensureEndsWithSlash(strategy.getIngressPath(pathBase, servicePort))))
         .withName(getIngressName(serviceName, servicePort))
         .withMachineName(machineName)
         .withServiceName(serviceName)

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/DefaultSecureServersFactory.java

@@ -48,7 +48,7 @@ public void expose(
         String serviceName,
         ServicePort servicePort,
         Map<String, ServerConfig> secureServers) {
-      exposer.expose(k8sEnv, machineName, serviceName, servicePort, secureServers);
+      exposer.expose(k8sEnv, machineName, serviceName, serviceName, servicePort, secureServers);
     }
   }
 }

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyConfigBuilder.java

@@ -71,9 +71,36 @@ public JwtProxyConfigBuilder(
     this.ttl = ttl;
   }
 
+  /**
+   * Adds a proxy before a service that will perform the JWT authentication on its behalf.
+   *
+   * @param listenPort the port to listen on
+   * @param upstream the URL to the backend service this proxy should be put in front of
+   * @param excludes the list of unsecured paths that the proxy should let pass through
+   * @param cookiesAuthEnabled should the JWT proxy use cookies?
+   * @param cookiePath the path of the cookie. This is should either be "/" or some portion of the
+   *     URL the JWT proxy will be exposed on. It is used to enable using different proxies for
+   *     different services, each with a different auth cookie. Super useful for having multiple
+   *     workspaces, each authenticated with its machine token.
+   * @param authErrorRedirectUriPrefix the prefix used to generate the redirect to the auth page.
+   *     This should be set to the a URL path where the JWT proxy can pick up the request to perform
+   *     the auth
+   */
   public void addVerifierProxy(
-      Integer listenPort, String upstream, Set<String> excludes, Boolean cookiesAuthEnabled) {
-    verifierProxies.add(new VerifierProxy(listenPort, upstream, excludes, cookiesAuthEnabled));
+      Integer listenPort,
+      String upstream,
+      Set<String> excludes,
+      Boolean cookiesAuthEnabled,
+      String cookiePath,
+      String authErrorRedirectUriPrefix) {
+    verifierProxies.add(
+        new VerifierProxy(
+            listenPort,
+            upstream,
+            excludes,
+            cookiesAuthEnabled,
+            cookiePath,
+            authErrorRedirectUriPrefix));
   }
 
   public String build() throws InternalInfrastructureException {
@@ -104,6 +131,7 @@ public String build() throws InternalInfrastructureException {
                               "public_key_path",
                               JWT_PROXY_CONFIG_FOLDER + '/' + JWT_PROXY_PUBLIC_KEY_FILE)))
               .withCookiesEnabled(verifierProxy.cookiesAuthEnabled)
+              .withCookiePath(ensureStartsWithSlash(verifierProxy.cookiePath))
               .withClaimsVerifier(
                   Collections.singleton(
                       new RegistrableComponentConfig()
@@ -119,6 +147,10 @@ public String build() throws InternalInfrastructureException {
         verifierConfig.setAuthUrl(authPageUrl.toString());
       }
 
+      if (verifierProxy.authErrorRedirectUriPrefix != null) {
+        verifierConfig.setAuthErrorRedirectUriPrefix(verifierProxy.authErrorRedirectUriPrefix);
+      }
+
       VerifierProxyConfig proxyConfig =
           new VerifierProxyConfig()
               .withListenAddr(":" + verifierProxy.listenPort)
@@ -135,18 +167,35 @@ public String build() throws InternalInfrastructureException {
     }
   }
 
-  private class VerifierProxy {
-    private Integer listenPort;
-    private String upstream;
-    private Set<String> excludes;
-    private boolean cookiesAuthEnabled;
+  private static final class VerifierProxy {
+    final Integer listenPort;
+    final String upstream;
+    final Set<String> excludes;
+    final boolean cookiesAuthEnabled;
+    final String cookiePath;
+    final String authErrorRedirectUriPrefix;
 
     VerifierProxy(
-        Integer listenPort, String upstream, Set<String> excludes, boolean cookiesAuthEnabled) {
+        Integer listenPort,
+        String upstream,
+        Set<String> excludes,
+        boolean cookiesAuthEnabled,
+        String cookiePath,
+        String authErrorRedirectUriPrefix) {
       this.listenPort = listenPort;
       this.upstream = upstream;
       this.excludes = excludes;
       this.cookiesAuthEnabled = cookiesAuthEnabled;
+      this.cookiePath = cookiePath;
+      this.authErrorRedirectUriPrefix = authErrorRedirectUriPrefix;
+    }
+  }
+
+  private static String ensureStartsWithSlash(String val) {
+    if (isNullOrEmpty(val)) {
+      return "/";
+    } else {
+      return val.charAt(0) == '/' ? val : "/" + val;
     }
   }
 }

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java

@@ -58,6 +58,7 @@
 import org.eclipse.che.workspace.infrastructure.kubernetes.Names;
 import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.ServerServiceBuilder;
+import org.eclipse.che.workspace.infrastructure.kubernetes.server.external.IngressServiceExposureStrategy;
 import org.eclipse.che.workspace.infrastructure.kubernetes.server.secure.jwtproxy.factory.JwtProxyConfigBuilderFactory;
 
 /**
@@ -106,12 +107,16 @@ public class JwtProxyProvisioner {
   private final Map<String, String> attributes;
 
   private final String serviceName;
+  private final String pathBase;
   private int availablePort;
 
+  private final IngressServiceExposureStrategy ingressServiceExposureStrategy;
+
   @Inject
   public JwtProxyProvisioner(
       SignatureKeyManager signatureKeyManager,
       JwtProxyConfigBuilderFactory jwtProxyConfigBuilderFactory,
+      IngressServiceExposureStrategy ingressServiceExposureStrategy,
       @Named("che.server.secure_exposer.jwtproxy.image") String jwtProxyImage,
       @Named("che.server.secure_exposer.jwtproxy.memory_limit") String memoryLimitBytes,
       @Assisted RuntimeIdentity identity) {
@@ -120,8 +125,13 @@ public JwtProxyProvisioner(
     this.jwtProxyImage = jwtProxyImage;
 
     this.proxyConfigBuilder = jwtProxyConfigBuilderFactory.create(identity.getWorkspaceId());
+
+    this.ingressServiceExposureStrategy = ingressServiceExposureStrategy;
+
     this.identity = identity;
     this.serviceName = generate(SERVER_PREFIX, SERVER_UNIQUE_PART_SIZE) + "-jwtproxy";
+    this.pathBase = generate(serverPrefix(identity), SERVER_UNIQUE_PART_SIZE) + "-jwtproxy";
+
     this.availablePort = FIRST_AVAILABLE_PORT;
     long memoryLimitLong = Size.parseSizeToMegabytes(memoryLimitBytes) * MEGABYTES_TO_BYTES_DIVIDER;
     this.attributes =
@@ -148,7 +158,7 @@ public JwtProxyProvisioner(
   public ServicePort expose(
       KubernetesEnvironment k8sEnv,
       String backendServiceName,
-      int backendServicePort,
+      ServicePort backendServicePort,
       String protocol,
       Map<String, ServerConfig> secureServers)
       throws InfrastructureException {
@@ -180,17 +190,6 @@ public ServicePort expose(
       }
     }
 
-    proxyConfigBuilder.addVerifierProxy(
-        listenPort,
-        "http://" + backendServiceName + ":" + backendServicePort,
-        excludes,
-        cookiesAuthEnabled);
-    k8sEnv
-        .getConfigMaps()
-        .get(getConfigMapName())
-        .getData()
-        .put(JWT_PROXY_CONFIG_FILE, proxyConfigBuilder.build());
-
     ServicePort exposedPort =
         new ServicePortBuilder()
             .withName("server-" + listenPort)
@@ -199,7 +198,20 @@ public ServicePort expose(
             .withNewTargetPort(listenPort)
             .build();
 
-    k8sEnv.getServices().get(getServiceName()).getSpec().getPorts().add(exposedPort);
+    k8sEnv.getServices().get(serviceName).getSpec().getPorts().add(exposedPort);
+
+    proxyConfigBuilder.addVerifierProxy(
+        listenPort,
+        "http://" + backendServiceName + ":" + backendServicePort.getTargetPort().getIntVal(),
+        excludes,
+        cookiesAuthEnabled,
+        identity.getWorkspaceId(),
+        ingressServiceExposureStrategy.getIngressPath(pathBase, exposedPort));
+    k8sEnv
+        .getConfigMaps()
+        .get(getConfigMapName())
+        .getData()
+        .put(JWT_PROXY_CONFIG_FILE, proxyConfigBuilder.build());
 
     return exposedPort;
   }
@@ -209,6 +221,11 @@ public String getServiceName() {
     return serviceName;
   }
 
+  /** Returns the path base to be used for the ingress backed by the JWTProxy pod. */
+  public String getPathBase() {
+    return pathBase;
+  }
+
   /** Returns config map name that will be mounted into JWTProxy Pod. */
   @VisibleForTesting
   String getConfigMapName() {
@@ -288,4 +305,8 @@ private Pod createJwtProxyPod() {
         .endSpec()
         .build();
   }
+
+  private static String serverPrefix(RuntimeIdentity identity) {
+    return identity.getWorkspaceId() + "/" + SERVER_PREFIX;
+  }
 }

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxySecureServerExposer.java

@@ -70,13 +70,14 @@ public void expose(
       throws InfrastructureException {
     ServicePort exposedServicePort =
         proxyProvisioner.expose(
-            k8sEnv,
-            serviceName,
-            servicePort.getTargetPort().getIntVal(),
-            servicePort.getProtocol(),
-            secureServers);
+            k8sEnv, serviceName, servicePort, servicePort.getProtocol(), secureServers);
 
     exposer.expose(
-        k8sEnv, machineName, proxyProvisioner.getServiceName(), exposedServicePort, secureServers);
+        k8sEnv,
+        machineName,
+        proxyProvisioner.getServiceName(),
+        proxyProvisioner.getPathBase(),
+        exposedServicePort,
+        secureServers);
   }
 }

infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/model/VerifierConfig.java

@@ -50,6 +50,12 @@ public class VerifierConfig {
 
   private Set<String> excludes;
 
+  @JsonProperty("auth_error_redirect_uri_prefix")
+  private String authErrorRedirectUriPrefix;
+
+  @JsonProperty("cookie_path")
+  private String cookiePath;
+
   public String getAudience() {
     return audience;
   }
@@ -180,4 +186,30 @@ public VerifierConfig withCookiesEnabled(boolean cookiesEnabled) {
     this.cookiesEnabled = cookiesEnabled;
     return this;
   }
+
+  public String getAuthErrorRedirectUriPrefix() {
+    return authErrorRedirectUriPrefix;
+  }
+
+  public void setAuthErrorRedirectUriPrefix(String authErrorRedirectUriPrefix) {
+    this.authErrorRedirectUriPrefix = authErrorRedirectUriPrefix;
+  }
+
+  public VerifierConfig withAuthErrorRedirectUriPrefix(String authErrorRedirectUriPrefix) {
+    this.authErrorRedirectUriPrefix = authErrorRedirectUriPrefix;
+    return this;
+  }
+
+  public String getCookiePath() {
+    return cookiePath;
+  }
+
+  public void setCookiePath(String cookiePath) {
+    this.cookiePath = cookiePath;
+  }
+
+  public VerifierConfig withCookiePath(String cookiePath) {
+    this.cookiePath = cookiePath;
+    return this;
+  }
 }

infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/KubernetesServerExposerTest.java

@@ -349,6 +349,7 @@ private void assertThatExternalServersAreExposed(
             kubernetesEnvironment,
             machineName,
             service.getMetadata().getName(),
+            service.getMetadata().getName(),
             servicePort,
             expectedServers);
   }

infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/server/external/DefaultHostIngressServiceExposureStrategyTest.java

@@ -81,7 +81,12 @@ public void shouldCreateIngressForServer() {
 
     // when
     externalServerExposer.expose(
-        kubernetesEnvironment, MACHINE_NAME, SERVICE_NAME, servicePort, serversToExpose);
+        kubernetesEnvironment,
+        MACHINE_NAME,
+        SERVICE_NAME,
+        SERVICE_NAME,
+        servicePort,
+        serversToExpose);
 
     // then
     assertThatExternalServerIsExposed(
@@ -114,7 +119,12 @@ public void shouldCreateIngressForServerWhenTwoServersHasTheSamePort() {
 
     // when
     externalServerExposer.expose(
-        kubernetesEnvironment, MACHINE_NAME, SERVICE_NAME, servicePort, serversToExpose);
+        kubernetesEnvironment,
+        MACHINE_NAME,
+        SERVICE_NAME,
+        SERVICE_NAME,
+        servicePort,
+        serversToExpose);
 
     // then
     assertEquals(kubernetesEnvironment.getIngresses().size(), 1);