feat: OIDC authentication flow v2 (#3527)

* wip back port oidc login flow Signed-off-by: Pablo Hernán Carle <[email protected]> * add fixes Signed-off-by: Pablo Hernán Carle <[email protected]> * fix build issues Signed-off-by: Pablo Hernán Carle <[email protected]> * wip fix Signed-off-by: Pablo Hernán Carle <[email protected]> * add cloud gateway to local npm startup script Signed-off-by: Pablo Hernán Carle <[email protected]> * use compatible spring security version (local) Signed-off-by: Pablo Hernán Carle <[email protected]> --------- Signed-off-by: Pablo Hernán Carle <[email protected]> Co-authored-by: Pablo Hernán Carle <[email protected]>
zowe · May 3, 2024 · 4c81a7c · 4c81a7c
1 parent da29403
commit 4c81a7c
Show file tree

Hide file tree

Showing 17 changed files with 923 additions and 53 deletions.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -31,12 +31,46 @@ runs:
                 path: |
                     ~/.gradle/caches
                     ~/.gradle/wrapper
-                key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
-
-        -   name: Cache Node.js modules
+                key: ${{ runner.os }}-gradle-${{ hashFiles('build.gradle', 'settings.gradle', '*/build.gradle', '*/gradle/**/*.gradle', '*/gradle/**/*.properties') }}
+        -   name: Cache Node.js modules of root folder
+            uses: actions/cache@v4
+            with:
+                path: |
+                    ~/.npm
+                    node_modules
+                key: ${{ runner.OS }}-node-${{ hashFiles('*.json') }}
+        -   name: Cache Node.js modules of API Catalog
+            uses: actions/cache@v4
+            with:
+                path: |
+                    ~/.npm
+                    api-catalog-ui/frontend/node_modules
+                key: ${{ runner.OS }}-api-catalog-ui-node-${{ hashFiles('api-catalog-ui/frontend/*.json') }}
+        -   name: Cache Node.js modules of Zowe CLI ID Federation Plugin
+            uses: actions/cache@v4
+            with:
+                path: |
+                    ~/.npm
+                    zowe-cli-id-federation-plugin/node_modules
+                key: ${{ runner.OS }}-zowe-cli-id-federation-plugin-node-${{ hashFiles('zowe-cli-id-federation-plugin/*.json') }}
+        -   name: Cache Node.js modules of Onboarding Enabler Nodejs
+            uses: actions/cache@v4
+            with:
+                path: |
+                    ~/.npm
+                    onboarding-enabler-nodejs/node_modules
+                key: ${{ runner.OS }}-onboarding-enabler-nodejs-node-${{ hashFiles('onboarding-enabler-nodejs/*.json') }}
+        -   name: Cache Node.js modules of Onboarding Enabler Nodejs Sample App
+            uses: actions/cache@v4
+            with:
+                path: |
+                    ~/.npm
+                    onboarding-enabler-nodejs-sample-app/node_modules
+                key: ${{ runner.OS }}-onboarding-enabler-nodejs-sample-app-node-${{ hashFiles('onboarding-enabler-nodejs-sample-app/*.json') }}
+        -   name: Cache Node.js modules of ZSS Sample Service
             uses: actions/cache@v4
             with:
                 path: |
                     ~/.npm
-                    **/node_modules
-                key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json', '**/package.json') }}
+                    zss-sample-service/node_modules
+                key: ${{ runner.OS }}-zss-sample-service-node-${{ hashFiles('zss-sample-service/*.json') }}
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -763,7 +763,6 @@ jobs:
                     name: ContainerCITestsWithRedisReplica-${{ env.JOB_ID }}
                     path: |
                         integration-tests/build/reports/**
-                        results/**
 
             -   uses: ./.github/actions/teardown
 
@@ -832,7 +831,6 @@ jobs:
                     name: ContainerCITestsWithRedisSentinel-${{ env.JOB_ID }}
                     path: |
                         integration-tests/build/reports/**
-                        results/**
 
             -   uses: ./.github/actions/teardown
 
@@ -1397,6 +1395,18 @@ jobs:
                 image: ghcr.io/balhar-jakub/discovery-service:${{ github.run_id }}-${{ github.run_number }}
                 volumes:
                     - /api-defs:/api-defs
+            cloud-gateway-service:
+                image: ghcr.io/balhar-jakub/cloud-gateway-service:${{ github.run_id }}-${{ github.run_number }}
+                env:
+                    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OKTA_CLIENTID: ${{ secrets.OKTA_CLIENT_ID }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OKTA_CLIENTSECRET: ${{ secrets.OKTA_CLIENT_PASSWORD }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_ISSUER: ${{ secrets.OKTA_ISSUER }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_AUTHORIZATIONURI: ${{ secrets.OKTA_AUTH_URI }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_TOKENURI: ${{ secrets.OKTA_TOKEN_URI }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_USERINFOURI: ${{ secrets.OKTA_USER_INFO_URI }}
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_USERNAMEATTRIBUTE: sub
+                    SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OKTA_JWKSETURI: ${{ secrets.OKTA_JWKSET_URI }}
+                    APIML_SECURITY_OIDC_COOKIE_SAMESITE: None
             gateway-service:
                 image: ghcr.io/balhar-jakub/gateway-service:${{ github.run_id }}-${{ github.run_number }}
             mock-services:
@@ -1422,12 +1432,24 @@ jobs:
                 with:
                     path: |
                         ~/.cache/Cypress
-                        node_modules
-                    key: my-cache-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
+                        api-catalog-ui/frontend/node_modules
+                    key: my-cache-${{ runner.os }}-${{ hashFiles('api-catalog-ui/frontend/*.json') }}
             -   name: Cypress run API Catalog
                 run: |
                     cd api-catalog-ui/frontend
+                    export CYPRESS_OKTA_USERNAME=${{ secrets.OKTA_WINNIE_USER }}
+                    export CYPRESS_OKTA_PASSWORD=${{ secrets.OKTA_WINNIE_PASS }}
                     npm run cy:e2e:ci
+            -   name: Dump CGW jacoco data
+                run: >
+                    java -jar ./scripts/jacococli.jar dump --address cloud-gateway-service --port 6310 --destfile ./results/cloud-gateway-service.exec
+            -   name: Store results
+                uses: actions/upload-artifact@v4
+                if: always()
+                with:
+                    name: E2EUITests-${{ env.JOB_ID }}
+                    path: |
+                        results/**
             -   name: Cypress run Metrics service
                 run: |
                     cd metrics-service-ui/frontend

diff --git a/api-catalog-ui/frontend/cypress.config.js b/api-catalog-ui/frontend/cypress.config.js
@@ -1,24 +1,37 @@
-const { defineConfig } = require('cypress')
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+const { defineConfig } = require('cypress');
 
 module.exports = defineConfig({
-  env: {
-    catalogHomePage: 'https://localhost:10010/apicatalog/ui/v1',
-    viewportWidth: 1400,
-    viewportHeight: 980,
-    username: 'USER',
-    password: 'validPassword',
-  },
-  reporter: 'junit',
-  defaultCommandTimeout: 30000,
-  reporterOptions: {
-    mochaFile: 'test-results/e2e/output-[hash].xml',
-  },
-  video: false,
-  e2e: {
-    // We've imported your old cypress plugins here.
-    // You may want to clean this up later by importing these.
-    setupNodeEvents(on, config) {
-      return require('./cypress/plugins/index.js')(on, config)
+    env: {
+        catalogHomePage: 'https://localhost:10010/apicatalog/ui/v1',
+        gatewayOktaRedirect:
+            'https://localhost:10023/cloud-gateway/oauth2/authorization/okta?returnUrl=https%3A%2F%2Flocalhost%3A10023%2Fapplication',
+        viewportWidth: 1400,
+        viewportHeight: 980,
+        username: 'USER',
+        password: 'validPassword',
+    },
+    chromeWebSecurity: false,
+    reporter: 'junit',
+    defaultCommandTimeout: 30000,
+    reporterOptions: {
+        mochaFile: 'test-results/e2e/output-[hash].xml',
+    },
+    video: false,
+    e2e: {
+        // We've imported your old cypress plugins here.
+        // You may want to clean this up later by importing these.
+        setupNodeEvents(on, config) {
+            return require('./cypress/plugins/index.js')(on, config);
+        },
     },
-  },
-})
+});
diff --git a/api-catalog-ui/frontend/cypress/e2e/login/login-oauth.cy.js b/api-catalog-ui/frontend/cypress/e2e/login/login-oauth.cy.js
@@ -0,0 +1,38 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+/* eslint-disable spaced-comment */
+
+describe('>>> Login through Okta OK', () => {
+    it('should log in user and check session cookie', () => {
+        cy.visit(`${Cypress.env('gatewayOktaRedirect')}`);
+
+        const username = Cypress.env('OKTA_USERNAME');
+        if (!username) {
+            cy.log('System env CYPRESS_OKTA_USERNAME is not set');
+        }
+
+        const password = Cypress.env('OKTA_PASSWORD');
+        if (!password) {
+            cy.log('System env CYPRESS_OKTA_PASSWORD is not set');
+        }
+
+        cy.get('form span.o-form-input-name-identifier input').type(username);
+        cy.get('form input[type="password"]').type(password);
+
+        cy.get('form input.button-primary').should('not.be.disabled');
+        cy.get('form input.button-primary').click();
+
+        cy.location('href').should('contain', '/oauth2/v1/authorize');
+
+        cy.url().should('contain', '/application');
+
+        cy.getCookie('apimlAuthenticationToken').should('exist');
+    });
+});
diff --git a/api-catalog-ui/frontend/package.json b/api-catalog-ui/frontend/package.json
@@ -57,7 +57,7 @@
         "postbuild": "rimraf build/**/*.map",
         "test": "react-app-rewired test --silent --watchAll=false --env=jsdom components/* utils/* reducers/* epics/* actions/* selectors/* ErrorBoundary/* helpers/* --reporters=default --reporters=jest-html-reporter --coverage",
         "cy:open": "cypress open",
-        "cy:e2e:ci": "cypress run --spec \"cypress/e2e/**/*.cy.js\" --env catalogHomePage=https://gateway-service:10010/apicatalog/ui/v1 --browser chrome --headless",
+        "cy:e2e:ci": "cypress run --spec \"cypress/e2e/**/*.cy.js\" --env catalogHomePage=https://gateway-service:10010/apicatalog/ui/v1,gatewayOktaRedirect=https://cloud-gateway-service:10023/cloud-gateway/oauth2/authorization/okta?returnUrl=https%3A%2F%2Fcloud-gateway-service%3A10023%2Fapplication --browser chrome --headless",
         "cy:e2e:localhost": "cypress run --spec \"cypress/e2e/**/*.cy.js\" --browser chrome --headless",
         "cy:e2e:localhost-headful": "cypress run --spec \"cypress/e2e/**/*.cy.js\" --browser chrome --headed",
         "cy:e2e:localhost-firefox": "cypress run --spec \"cypress/e2e/**/*.cy.js\" --browser firefox --headless",

diff --git a/cloud-gateway-service/build.gradle b/cloud-gateway-service/build.gradle
@@ -75,16 +75,19 @@ dependencies {
     implementation libs.spring.boot.starter.actuator
 
     implementation libs.spring.cloud.circuit.breaker
-    implementation libs.spring.security.config
-    implementation libs.spring.security.core
-    implementation libs.spring.security.web
+
+    implementation libs.spring.security57.config
+    implementation libs.spring.security57.core
+    implementation libs.spring.security57.web
+
     implementation libs.spring.aop
     implementation libs.spring.expression
     implementation libs.bcpkix
     implementation libs.nimbusJoseJwt
     implementation libs.janino
     implementation libs.spring.doc
     implementation libs.swagger3.parser
+    implementation libs.spring.boot.starter.oauth2.client
 
     compileOnly libs.lombok
     annotationProcessor libs.lombok

diff --git a/...vice/src/main/java/org/zowe/apiml/cloudgatewayservice/CloudGatewayServiceApplication.java b/...vice/src/main/java/org/zowe/apiml/cloudgatewayservice/CloudGatewayServiceApplication.java
@@ -12,8 +12,13 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration;
+import org.springframework.cloud.gateway.config.GatewayReactiveOAuth2AutoConfiguration;
 
-@SpringBootApplication
+@SpringBootApplication(exclude = {
+    ReactiveOAuth2ClientAutoConfiguration.class,
+    GatewayReactiveOAuth2AutoConfiguration.class
+})
 public class CloudGatewayServiceApplication {
 
     public static void main(String[] args) {