From f8ff8f03c8b603d35bc38627925aa029d1733352 Mon Sep 17 00:00:00 2001
From: Ivan Cvitkovic
Date: Mon, 25 Nov 2024 12:34:58 -0800
Subject: [PATCH] Add authorization via HTTP header using static list of roles
---
 dev/alive/appsettings.json | 12 ++++++------
 dev/alive/docker-compose.yaml | 2 +-
 dev/gateway/appsettings.json | 12 ++++++------
 dev/gateway/docker-compose.yaml | 6 +++++-
 dev/hymtruth/appsettings.json | 12 ++++++------
 dev/hymtruth/docker-compose.yaml | 2 +-
 dev/mash/appsettings.json | 12 ++++++------
 dev/mash/docker-compose.yaml | 2 +-
 dev/mstudy/appsettings.json | 12 ++++++------
 dev/mstudy/docker-compose.yaml | 2 +-
 dev/radar/appsettings.json | 12 ++++++------
 dev/radar/docker-compose.yaml | 2 +-
 12 files changed, 46 insertions(+), 42 deletions(-)
diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json
index d0e1508..1e60e44 100644
--- a/dev/alive/appsettings.json
+++ b/dev/alive/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml
index 51762f5..48133d6 100644
--- a/dev/alive/docker-compose.yaml
+++ b/dev/alive/docker-compose.yaml
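Review bot: The new RolesMapping values are inconsistent in number — `leaf_users`, `leaf_supers`, `leaf_federated` but `leaf_admin` — and that matters because these strings are compared against the group names the gateway injects in the `gws-groups` request header, so either rename to `leaf_admins` or keep mapping and header literally identical, and confirm that Leaf's SAML2 mechanism splits that header on the `;` the gateway uses. The same eleven lines are repeated verbatim in dev/gateway, dev/hymtruth, dev/mash, dev/mstudy and dev/radar appsettings.json, so they will drift; even for dev configs a single source (env substitution or a shared base file) would keep them aligned. With "Mechanism" now "SAML2", the context line `"UnsecuredIsAdmin": false` presumably no longer gates anything and could be dropped so nobody reads it as still protecting the admin role.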
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json
index 162b8c9..24f5413 100644
--- a/dev/gateway/appsettings.json
+++ b/dev/gateway/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
index 6be9792..1f7289b 100644
--- a/dev/gateway/docker-compose.yaml
+++ b/dev/gateway/docker-compose.yaml
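Review bot: The router now chains `leaf-groups-${COMPOSE_PROJECT_NAME}`, a middleware that this patch declares only in dev/gateway/docker-compose.yaml, so this stack only authorizes users when the gateway stack is running under the same COMPOSE_PROJECT_NAME; when Traefik cannot resolve a referenced middleware it puts the router in an error state and stops serving it, which fails closed but is visible only in the Traefik log. A comment above the label would save the next person a debugging session, e.g. `# leaf-groups-* is defined on the gateway service; this router is disabled if that stack is not up`. The same cross-stack dependency is introduced by the router hunks in dev/gateway (`@@ -74,7 +78,7 @@`), dev/hymtruth, dev/mash, dev/mstudy and dev/radar docker-compose.yaml.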
@@ -47,6 +47,10 @@ services:
 - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
 - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
+ # TODO dynamically look up from OIDC tokens
+ # add Leaf group to all users via HTTP request header; see appsettings.json for available roles
+ - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users;leaf_phi;leaf_admin
+
 networks:
 ingress:
 aliases:
@@ -74,7 +78,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json
index f87db7b..9cb1503 100644
--- a/dev/hymtruth/appsettings.json
+++ b/dev/hymtruth/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
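Review bot: The `leaf-groups` middleware sets `gws-groups` to the fixed value `leaf_users;leaf_phi;leaf_admin` for every request that passes `oidc-auth`, so under the new RolesMapping every authenticated dev user is granted Admin and Identified (PHI); the TODO hints at this but the label should state it and point at a tracked item, e.g. `# DEV ONLY: every authenticated user gets leaf_admin + leaf_phi (Admin, Identified) until groups are derived from the OIDC token (tracked in <issue-id>)`. Because `customrequestheaders` overwrites the header, a client-supplied `gws-groups` cannot reach the core API on this router, but that only holds for routers that carry the middleware; confirm that the API reads `gws-groups` only on `/api/user` or that every router reaching it chains `leaf-groups`, and consider removing `X-Auth-Request-Access-Token` from `authResponseHeaders` if the backend does not need the raw token. The `oidc-auth` middleware definition this hunk extends begins before the hunk.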
diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
index 0b376d0..b32f0c2 100644
--- a/dev/hymtruth/docker-compose.yaml
+++ b/dev/hymtruth/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json
index 0e42141..823fba3 100644
--- a/dev/mash/appsettings.json
+++ b/dev/mash/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
index dfc3e67..102b4ec 100644
--- a/dev/mash/docker-compose.yaml
+++ b/dev/mash/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json
index 2b3212d..541e81d 100644
--- a/dev/mstudy/appsettings.json
+++ b/dev/mstudy/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
index 58a7d32..8d228b5 100644
--- a/dev/mstudy/docker-compose.yaml
+++ b/dev/mstudy/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json
index d417660..eab749c 100644
--- a/dev/radar/appsettings.json
+++ b/dev/radar/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
index 7ef635d..e5e81d2 100644
--- a/dev/radar/docker-compose.yaml
+++ b/dev/radar/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt