Merge pull request #906 from jescalada/oidc-implementation

feat: Preliminary OIDC implementation

Author: JamieSlome

cypress.config.js

@@ -1,7 +1,8 @@
-const { defineConfig } = require('cypress')
+const { defineConfig } = require('cypress');
 
 module.exports = defineConfig({
   e2e: {
-    baseUrl: process.env.CYPRESS_BASE_URL ||'http://localhost:3000',
+    baseUrl: process.env.CYPRESS_BASE_URL || 'http://localhost:3000',
+    chromeWebSecurity: false, // Required for OIDC testing
   },
-})
+});

cypress/e2e/login.cy.js

@@ -1,19 +1,33 @@
-describe("Display finos UI",()=>{
-  
-  beforeEach(() =>{
-    cy.visit('/login')
- })
- it('shoud find git proxy logo',() =>{
-  cy.get('[data-test="git-proxy-logo"]').should('exist')
-})
-  it('shoud find username',() =>{
-    cy.get('[data-test="username"]').should('exist')
-  })
+describe('Login page', () => {
+  beforeEach(() => {
+    cy.visit('/login');
+  });
 
-  it('shoud find passsword',() =>{
-    cy.get('[data-test="password"]').should('exist')
-  })
-  it('shoud find login button',() =>{
-    cy.get('[data-test="login"]').should('exist')
-  })
-})
+  it('should have git proxy logo', () => {
+    cy.get('[data-test="git-proxy-logo"]').should('exist');
+  });
+
+  it('should have username input', () => {
+    cy.get('[data-test="username"]').should('exist');
+  });
+
+  it('should have passsword input', () => {
+    cy.get('[data-test="password"]').should('exist');
+  });
+
+  it('should have login button', () => {
+    cy.get('[data-test="login"]').should('exist');
+  });
+
+  describe('OIDC login button', () => {
+    it('should exist', () => {
+      cy.get('[data-test="oidc-login"]').should('exist');
+    });
+
+    // Validates that OIDC is configured correctly
+    it('should redirect to /oidc', () => {
+      cy.get('[data-test="oidc-login"]').click();
+      cy.url().should('include', '/oidc');
+    });
+  });
+});

package-lock.json

@@ -59,6 +59,7 @@
     "moment": "^2.29.4",
     "mongodb": "^5.0.0",
     "nodemailer": "^6.6.1",
+    "openid-client": "^6.2.0",
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.0.4",

package.json

@@ -12,6 +12,7 @@ module.exports.canUserCancelPush = pushes.canUserCancelPush;
 module.exports.canUserApproveRejectPush = pushes.canUserApproveRejectPush;
 
 module.exports.findUser = users.findUser;
+module.exports.findUserByOIDC = users.findUserByOIDC;
 module.exports.getUsers = users.getUsers;
 module.exports.createUser = users.createUser;
 module.exports.deleteUser = users.deleteUser;

src/db/file/index.js

@@ -22,6 +22,22 @@ exports.findUser = function (username) {
   });
 };
 
+exports.findUserByOIDC = function (oidcId) {
+  return new Promise((resolve, reject) => {
+    db.findOne({ oidcId: oidcId }, (err, doc) => {
+      if (err) {
+        reject(err);
+      } else {
+        if (!doc) {
+          resolve(null);
+        } else {
+          resolve(doc);
+        }
+      }
+    });
+  });
+};
+
 exports.createUser = function (data) {
   return new Promise((resolve, reject) => {
     db.insert(data, (err) => {

src/db/file/users.js

@@ -7,21 +7,30 @@ if (config.getDatabase().type === 'mongo') {
   sink = require('../db/file');
 }
 
-module.exports.createUser = async (username, password, email, gitAccount, admin = false) => {
+module.exports.createUser = async (
+  username,
+  password,
+  email,
+  gitAccount,
+  admin = false,
+  oidcId = null,
+) => {
   console.log(
     `creating user
         user=${username},
         gitAccount=${gitAccount}
         email=${email},
-        admin=${admin}`,
+        admin=${admin}
+        oidcId=${oidcId}`,
   );
 
   const data = {
     username: username,
-    password: await bcrypt.hash(password, 10),
+    password: oidcId ? null : await bcrypt.hash(password, 10),
     gitAccount: gitAccount,
     email: email,
     admin: admin,
+    oidcId: oidcId,
   };
 
   if (username === undefined || username === null || username === '') {
@@ -56,6 +65,7 @@ module.exports.getPushes = sink.getPushes;
 module.exports.writeAudit = sink.writeAudit;
 module.exports.getPush = sink.getPush;
 module.exports.findUser = sink.findUser;
+module.exports.findUserByOIDC = sink.findUserByOIDC;
 module.exports.getUsers = sink.getUsers;
 module.exports.deleteUser = sink.deleteUser;
 module.exports.updateUser = sink.updateUser;

src/db/index.js

@@ -1,5 +1,6 @@
 const local = require('./local');
 const activeDirectory = require('./activeDirectory');
+const oidc = require('./oidc');
 const config = require('../../config');
 const authenticationConfig = config.getAuthentication();
 let _passport;
@@ -14,10 +15,15 @@ const configure = async () => {
     case 'local':
       _passport = await local.configure();
       break;
+    case 'openidconnect':
+      _passport = await oidc.configure();
+      break;
     default:
       throw Error(`uknown authentication type ${type}`);
   }
-  _passport.type = authenticationConfig.type;
+  if (!_passport.type) {
+    _passport.type = type;
+  }
   return _passport;
 };
 

src/service/passport/index.js

@@ -43,7 +43,7 @@ const configure = async () => {
   const admin = await db.findUser('admin');
 
   if (!admin) {
-    await db.createUser('admin', 'admin', '[email protected]', 'none', true, true, true, true);
+    await db.createUser('admin', 'admin', '[email protected]', 'none', true);
   }
 
   passport.type = 'local';

src/service/passport/local.js

@@ -0,0 +1,114 @@
+const passport = require('passport');
+const db = require('../../db');
+
+const configure = async () => {
+  // Temp fix for ERR_REQUIRE_ESM, will be changed when we refactor to ESM
+  const { discovery, fetchUserInfo } = await import('openid-client');
+  const { Strategy } = await import('openid-client/passport');
+  const config = require('../../config').getAuthentication();
+  const { oidcConfig } = config;
+  const { issuer, clientID, clientSecret, callbackURL, scope } = oidcConfig;
+
+  if (!oidcConfig || !oidcConfig.issuer) {
+    throw new Error('Missing OIDC issuer in configuration')
+  }
+
+  const server = new URL(issuer);
+
+  try {
+    const config = await discovery(server, clientID, clientSecret);
+
+    const strategy = new Strategy({ callbackURL, config, scope }, async (tokenSet, done) => {
+      // Validate token sub for added security
+      const idTokenClaims = tokenSet.claims();
+      const expectedSub = idTokenClaims.sub;
+      const userInfo = await fetchUserInfo(config, tokenSet.access_token, expectedSub);
+      handleUserAuthentication(userInfo, done);
+    });
+    
+    // currentUrl must be overridden to match the callback URL
+    strategy.currentUrl = function (request) {
+      const callbackUrl = new URL(callbackURL);
+      const currentUrl = Strategy.prototype.currentUrl.call(this, request);
+      currentUrl.host = callbackUrl.host;
+      currentUrl.protocol = callbackUrl.protocol;
+      return currentUrl;
+    };
+
+    passport.use(strategy);
+
+    passport.serializeUser((user, done) => {
+      done(null, user.oidcId || user.username);
+    })
+
+    passport.deserializeUser(async (id, done) => {
+      try {
+        const user = await db.findUserByOIDC(id);
+        done(null, user);
+      } catch (err) {
+        done(err);
+      }
+    })
+    passport.type = server.host;
+
+    return passport;
+  } catch (error) {
+    console.error('OIDC configuration failed:', error);
+    throw error;
+  }
+}
+
+
+module.exports.configure = configure;
+
+/**
+ * Handles user authentication with OIDC.
+ * @param {Object} userInfo the OIDC user info object 
+ * @param {Function} done the callback function
+ * @return {Promise} a promise with the authenticated user or an error
+ */
+const handleUserAuthentication = async (userInfo, done) => {
+  try {
+    const user = await db.findUserByOIDC(userInfo.sub);
+
+    if (!user) {
+      const email = safelyExtractEmail(userInfo);
+      if (!email) return done(new Error('No email found in OIDC profile'));
+
+      const newUser = {
+        username: getUsername(email),
+        email,
+        oidcId: userInfo.sub,
+      };
+
+      await db.createUser(newUser.username, null, newUser.email, 'Edit me', false, newUser.oidcId);
+      return done(null, newUser);
+    }
+
+    return done(null, user);
+  } catch (err) {
+    return done(err);
+  }
+};
+
+/**
+ * Extracts email from OIDC profile.
+ * This function is necessary because OIDC providers have different ways of storing emails.
+ * @param {object} profile the profile object from OIDC provider
+ * @return {string | null} the email address
+ */
+const safelyExtractEmail = (profile) => {
+  return profile.email || (profile.emails && profile.emails.length > 0 ? profile.emails[0].value : null);
+};
+
+/**
+ * Generates a username from email address.
+ * This helps differentiate users within the specific OIDC provider.
+ * Note: This is incompatible with multiple providers. Ideally, users are identified by
+ * OIDC ID (requires refactoring the database).
+ * @param {string} email the email address
+ * @return {string} the username
+ */
+const getUsername = (email) => {
+  return email ? email.split('@')[0] : '';
+};