Add authorization via HTTP header using static list of roles

uwcirg · Nov 25, 2024 · f8ff8f0 · f8ff8f0
1 parent 665d304
commit f8ff8f0
Show file tree

Hide file tree

Showing 12 changed files with 46 additions and 42 deletions.
diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
 

diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
@@ -47,6 +47,10 @@ services:
       - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
       - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
 
+      # TODO dynamically look up from OIDC tokens
+      # add Leaf group to all users via HTTP request header; see appsettings.json for available roles
+      - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users;leaf_phi;leaf_admin
+
     networks:
       ingress:
         aliases:
@@ -74,7 +78,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
 

diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
 

diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
 

diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
 

diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json
@@ -38,7 +38,7 @@
       }
     },
   "Authorization": {
-    "Mechanism": "UNSECURED",
+    "Mechanism": "SAML2",
     "AllowAllAuthenticatedUsers": true,
     "UnsecuredIsAdmin": false,
     "SAML2": {
@@ -49,11 +49,11 @@
         }
       },
       "RolesMapping": {
-        "User": "urn:mace:users",
-        "Super": "urn:mace:supers",
-        "Identified": "urn:mace:phi",
-        "Admin": "urn:mace:sudos",
-        "Federated": "urn:mace:federated"
+        "User": "leaf_users",
+        "Super": "leaf_supers",
+        "Identified": "leaf_phi",
+        "Admin": "leaf_admin",
+        "Federated": "leaf_federated"
       }
     }
   },

diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
     labels:
       # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
       - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && Path(`/api/user`)
-      - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
       - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
       - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt