diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json
index 57dc4fc..1e60e44 100644
--- a/dev/alive/appsettings.json
+++ b/dev/alive/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml
index 5bff222..48133d6 100644
--- a/dev/alive/docker-compose.yaml
+++ b/dev/alive/docker-compose.yaml
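Review bot: `"AllowAllAuthenticatedUsers": true` is kept in the `@@ -33,14` hunk while `Mechanism` moves from UNSECURED to SAML2, so (as I read Leaf's option) every identity the proxy passes through is admitted whether or not it carries one of the `RolesMapping` groups; combined with the proxy configuration in the gateway compose file, which accepts any account at the OIDC issuer, admission becomes "has an account at the issuer". If that is wider than intended for a shared realm, `"AllowAllAuthenticatedUsers": false` makes membership in the `User` group (`leaf_users`, the only group the Traefik `leaf-groups` middleware currently injects) the explicit gate without changing who gets in today. Setting `"UnsecuredIsAdmin": false` is the right accompanying change; a line in the commit message noting that `leaf_admin`, `leaf_supers` and `leaf_phi` are mapped but not yet issued by anything would save the next reader a search. The same three hunks are repeated in the gateway, hymtruth, mash, mstudy and radar appsettings.json files.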
@@ -19,22 +19,23 @@ services: LEAF_APP_DB: Server=alive-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=alive;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true - - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) + - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - 
traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-alive-mssql:
diff --git a/dev/default.env b/dev/default.env
index 02f3eb5..5d33cf9 100644
--- a/dev/default.env
+++ b/dev/default.env
@@ -20,3 +20,11 @@ HYMTRUTH_JWT_KEY_PW=
 MASH_JWT_KEY_PW=
 MSTUDY_JWT_KEY_PW=
 RADAR_JWT_KEY_PW=
+
+# generate via: python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
+OAUTH2_PROXY_COOKIE_SECRET=
+
+# obtain from Keycloak/OIDC provider
+OAUTH2_PROXY_CLIENT_ID=
+OAUTH2_PROXY_CLIENT_SECRET=
+OAUTH2_PROXY_OIDC_ISSUER_URL=
diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json
index d1c8d97..24f5413 100644
--- a/dev/gateway/appsettings.json
+++ b/dev/gateway/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
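Review bot: The new `alive-coreapi-unauth` router sends every `/api` path except `/api/user` to coreapi with no middleware, so a client-supplied `X-Auth-Request-Email`, `X-Auth-Request-User` or `gws-groups` header reaches the backend untouched on those routes; only the `alive-coreapi-auth` and `alive-node` routers run `oidc-auth` (which overwrites the `X-Auth-Request-*` headers) and only the former runs `leaf-groups`. Whether Leaf consults those headers anywhere other than `/api/user` is not visible here, but stripping them on the unauth router is cheap insurance — a headers middleware with an empty `customrequestheaders` value removes the header in Traefik, as sketched below. Dropping the `limit-access-to-cirg-dc-cidr` middleware also makes the whole `/api` surface reachable from anywhere rather than only from the CIRG ranges the removed comment mentions, presumably relying on Leaf's own token validation; that is worth stating explicitly in the commit message. The gateway, hymtruth, mash, mstudy and radar compose files have the same router layout and the same gap.
```yaml
    labels:
      # … unchanged: alive-coreapi-auth router labels …
      - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`)
      - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.middlewares=strip-identity-headers-${COMPOSE_PROJECT_NAME}
      # … unchanged: alive-coreapi-unauth entrypoints / certresolver labels …

      # nothing on the unauth router rewrites the identity headers, so remove any the client sent
      # (an empty customrequestheaders value deletes the header)
      - traefik.http.middlewares.strip-identity-headers-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.X-Auth-Request-Email=
      - traefik.http.middlewares.strip-identity-headers-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.X-Auth-Request-User=
      - traefik.http.middlewares.strip-identity-headers-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=
```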
diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
index fc51233..aedbcf3 100644
--- a/dev/gateway/docker-compose.yaml
+++ b/dev/gateway/docker-compose.yaml
@@ -1,5 +1,62 @@
 version: "3"
 services:
+ auth-proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
+ # oauth2-proxy does not EXPOSE (advertise) the ports it listens on in its docker image
+ expose:
+ - 4180
+ environment:
+ OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+ OAUTH2_PROXY_REVERSE_PROXY: "true"
+
+ # when authenticated, return a static 202 response
+ # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration
+ OAUTH2_PROXY_UPSTREAMS: static://202
+
+ # needed to set X-Auth-Request-Email
+ OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
+
+ # general cookie settings
+ OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET}
+ OAUTH2_PROXY_COOKIE_DOMAINS: .${LEAF_DOMAIN}
+ OAUTH2_PROXY_WHITELIST_DOMAINS: .${LEAF_DOMAIN}
+ OAUTH2_PROXY_COOKIE_EXPIRE: 30m
+ OAUTH2_PROXY_COOKIE_REFRESH: 1m
+ OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+ OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"
+ # TODO test how leaf handles usernames that are not email addresses
+ # base session cookie on Keycloak username (email not always set in Keycloak)
+ OAUTH2_PROXY_USER_ID_CLAIM: preferred_username
+
+ # OIDC integration settings
+ OAUTH2_PROXY_PROVIDER: oidc
+ OAUTH2_PROXY_SCOPE: openid profile email
+ OAUTH2_PROXY_OIDC_ISSUER_URL: ${OAUTH2_PROXY_OIDC_ISSUER_URL}
+ OAUTH2_PROXY_CLIENT_ID: ${OAUTH2_PROXY_CLIENT_ID}
+ OAUTH2_PROXY_CLIENT_SECRET: ${OAUTH2_PROXY_CLIENT_SECRET}
+ labels:
+ - traefik.enable=true
+ # TODO fix HostRegexp syntax, after upgrading to traefik v3
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.rule=Host(`auth-proxy.${LEAF_DOMAIN}`) || (PathPrefix(`/oauth2`) && (Host(`${LEAF_DOMAIN}`) || HostRegexp(`{subdomain:.+}.${LEAF_DOMAIN}`)))
+
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+
+ # https://oauth2-proxy.github.io/oauth2-proxy/configuration/integration/#forwardauth-with-static-upstreams-configuration
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.address=http://auth-proxy-${COMPOSE_PROJECT_NAME}:4180/
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
+
+ # TODO dynamically look up from OIDC tokens
+ # add Leaf group to all users via HTTP request header; see appsettings.json for available roles
+ - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users
+
+ networks:
+ ingress:
+ aliases:
+ - auth-proxy-${COMPOSE_PROJECT_NAME}
+ internal:
+
 gateway-mssql:
 extends:
 file: ../common-services.yaml
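Review bot: `authResponseHeaders` on the `oidc-auth` middleware lists `X-Auth-Request-Access-Token` and `Authorization`, yet nothing in the `auth-proxy` environment asks oauth2-proxy to emit them (`OAUTH2_PROXY_PASS_ACCESS_TOKEN` / `OAUTH2_PROXY_SET_AUTHORIZATION_HEADER` are unset), and Traefik v2's forwardAuth deletes a listed header from the proxied request when the auth response lacks it — so any `Authorization` the browser sends to `/api/user` or to the node router is silently dropped; unless token forwarding is wanted, trim it to `...forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email`. `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` together with `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"` admits every account the issuer will authenticate; if the Keycloak realm is shared with other applications, `OAUTH2_PROXY_ALLOWED_GROUPS` (with a groups claim in the token) narrows that at the proxy instead of relying on Leaf's role mapping. With `OAUTH2_PROXY_USER_ID_CLAIM: preferred_username`, `X-Auth-Request-Email` — the value the appsettings files now read as `ScopedIdentity` — presumably carries a bare username rather than a scoped `user@domain` string; the TODO already flags the format question, and it is also worth confirming that users cannot edit `preferred_username` themselves in that realm, since it becomes the Leaf identity. The context lines from `gateway-mssql:` on belong to a service whose definition continues outside the hunk.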
@@ -19,26 +76,27 @@ services: LEAF_APP_DB: Server=gateway-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=gateway;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: extends: file: ../common-services.yaml service: node labels: - traefik.enable=true - - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) + - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - 
traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr clin-db: extends: file: ../common-services.yaml
diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json
index 7d35068..9cb1503 100644
--- a/dev/hymtruth/appsettings.json
+++ b/dev/hymtruth/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
index 43e5814..b32f0c2 100644
--- a/dev/hymtruth/docker-compose.yaml
+++ b/dev/hymtruth/docker-compose.yaml
@@ -19,22 +19,23 @@ services: LEAF_APP_DB: Server=hymtruth-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=hymtruth;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true - - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) + - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - 
traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-hymtruth-mssql:
diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json
index b428163..823fba3 100644
--- a/dev/mash/appsettings.json
+++ b/dev/mash/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
index 6c1b939..102b4ec 100644
--- a/dev/mash/docker-compose.yaml
+++ b/dev/mash/docker-compose.yaml
@@ -19,22 +19,23 @@ services: LEAF_APP_DB: Server=mash-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=mash;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true - - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) + - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - 
traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-mash-mssql:
diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json
index 27e84db..541e81d 100644
--- a/dev/mstudy/appsettings.json
+++ b/dev/mstudy/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
index 06f4570..8d228b5 100644
--- a/dev/mstudy/docker-compose.yaml
+++ b/dev/mstudy/docker-compose.yaml
@@ -19,22 +19,23 @@ services: LEAF_APP_DB: Server=mstudy-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=mstudy;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true - - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) + - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - 
traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-mstudy-mssql:
diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json
index ef2abdc..eab749c 100644
--- a/dev/radar/appsettings.json
+++ b/dev/radar/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,14 +33,14 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
- "UnsecuredIsAdmin": true,
+ "UnsecuredIsAdmin": false,
 "SAML2": {
 "HeadersMapping": {
 "Entitlements": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
index 849b496..e5e81d2 100644
--- a/dev/radar/docker-compose.yaml
+++ b/dev/radar/docker-compose.yaml
@@ -19,23 +19,23 @@ services: LEAF_APP_DB: Server=radar-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=radar;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true - - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) + - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - 
traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr - volumes: leaf-radar-mssql: