Merge pull request #10560 from cBioPortal/fix-auth-integration

Fix auth integration

.github/workflows/security-integration-test.yml

@@ -0,0 +1,37 @@
+name: Security integration tests
+on: [push, pull_request]
+jobs:
+  build:
+    name: Security integration tests
+    runs-on: ubuntu-latest
+    env:
+      PORTAL_SOURCE_DIR: /home/runner/work/cbioportal/cbioportal/cbioportal
+      PORTAL_COMPOSE_DIR: /home/runner/work/cbioportal/cbioportal/cbioportal-docker-compose
+      PORTAL_INFO_DIR: /home/runner/work/cbioportal/cbioportal/portalInfo
+    steps:
+      - name: 'Checkout cbioportal repo'
+        uses: actions/checkout@v2
+        with:
+          path: ./cbioportal
+      - name: 'Set up JDK 21'
+        uses: oracle-actions/setup-java@v1
+        with:
+          website: oracle.com
+          release: 21
+      - name: 'Cache Maven packages'
+        uses: actions/cache@v1
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: 'Add host.testcontainers.internal to /etc/hosts'
+        run: |
+            echo "127.0.0.1 host.testcontainers.internal" | sudo tee -a /etc/hosts
+      - name: 'Copy Application.Properties'
+        working-directory: ./cbioportal
+        run: |
+          cp src/main/resources/application.properties.EXAMPLE src/main/resources/application.properties
+      - name: 'Run integration tests'
+        working-directory: ./cbioportal
+        run: |
+          mvn verify -Pintegration-test

.github/workflows/sonarcloud.yml

@@ -34,6 +34,11 @@ jobs:
           cp src/main/resources/application.properties.EXAMPLE src/main/resources/application.properties
       - name: Build and analyze
         env:
-          SONAR_TOKEN:  de1b5cc660cd210dde840f492c371da6cc801763
+          SONAR_TOKEN:  ${{ secrets.SONAR_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: mvn -DskipTests clean install verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+        run: mvn clean install verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+      - name: Code Coverage
+        env:
+          SONAR_TOKEN:  ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mvn sonar:sonar -Pcoverage

dev/.env

@@ -0,0 +1,4 @@
+DOCKER_IMAGE_SESSION_SERVICE=cbioportal/session-service:0.6.1
+DOCKER_IMAGE_MYSQL=mysql:8.1.0
+DOCKER_IMAGE_KEYCLOAK=quay.io/keycloak/keycloak:23.0
+DOCKER_IMAGE_MONGODB=mongo:4.2

dev/README.md

@@ -0,0 +1,58 @@
+# Tools for development
+
+In this folder is some additional configuration that can be useful for local development. None of this should be deployed directly to production
+
+# Set up keycloak for cBioPortal >v6
+
+Requirements:
+- System runs docker (including docker compose)
+
+  1. Run from the root of the repository:
+
+```
+cd dev
+docker compose up -d 
+```
+
+2. (Option 1) Apply SAML2 configuration to _security.properties_ in cBioPortal:
+
+```properties
+authenticate=saml
+spring.security.saml2.relyingparty.registration.keycloak.assertingparty.metadata-uri=http://localhost:8084/realms/cbio/protocol/saml/descriptor
+spring.security.saml2.relyingparty.registration.keycloak.assertingparty.entity-id=http://localhost:8084/realms/cbio
+spring.security.saml2.relyingparty.registration.keycloak.entity-id=cbioportal
+spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].certificate-location=classpath:/dev/security/signing-cert.pem
+spring.security.saml2.relyingparty.registration.keycloak.signing.credentials[0].private-key-location=classpath:/dev/security/signing-key.pem
+```
+
+3. (Option 2) Apply OIDC configuration to _security.properties_ in cBioPortal:
+
+```properties
+authenticate=oauth2
+spring.security.oauth2.client.registration.keycloak.redirect-uri=http://localhost:8080/login/oauth2/code/keycloak
+spring.security.oauth2.client.registration.keycloak.client-name=cbioportal_oauth2
+spring.security.oauth2.client.registration.keycloak.client-id=cbioportal_oauth2
+spring.security.oauth2.client.registration.keycloak.client-secret=client_secret
+spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
+spring.security.oauth2.client.registration.keycloak.client-authentication-method=client_secret_post
+spring.security.oauth2.client.registration.keycloak.scope=openid,email,roles
+spring.security.oauth2.client.provider.keycloak.issuer-uri=http://localhost:8084/realms/cbio
+spring.security.oauth2.client.provider.keycloak.user-name-attribute=email
+```
+
+4. Set the following in _portal.properties_:
+
+```properties
+persistence.cache_type=no-cache
+session.service.url=http://localhost:5000/api/sessions/my_portal/
+
+spring.datasource.url=jdbc:mysql://localhost:3306/cbioportal?useSSL=false&allowPublicKeyRetrieval=true
+spring.datasource.username=cbio_user
+spring.datasource.password=somepassword
+spring.jpa.database-platform=org.hibernate.dialect.MySQL5InnoDBDialect
+spring.datasource.driver-class-name=com.mysql.jdbc.Driver
+```
+
+4. Start cBioPortal application on port 8080. The login credentials are `testuser:P@assword1`.
+
+⚠️ Warning: Do not use this directly for production use as it takes several shortcuts to get a quick keycloak instance up.

dev/docker-compose.yml

@@ -0,0 +1,57 @@
+version: '3'
+
+services:
+  cbioportal-database:
+    restart: unless-stopped
+    image: ${DOCKER_IMAGE_MYSQL}
+    container_name: cbioportal-database
+    environment:
+      MYSQL_DATABASE: cbioportal
+      MYSQL_USER: cbio_user
+      MYSQL_PASSWORD: somepassword
+      MYSQL_ROOT_PASSWORD: somepassword
+    volumes:
+      - $PWD/../src/main/resources/db-scripts/cgds.sql:/docker-entrypoint-initdb.d/cgds.sql:ro
+      - $PWD/../src/test/resources/seed_mini.sql:/docker-entrypoint-initdb.d/seed.sql:ro
+    ports:
+      - 3306:3306
+  cbioportal-session:
+    restart: unless-stopped
+    image: ${DOCKER_IMAGE_SESSION_SERVICE}
+    container_name: cbioportal-session
+    environment:
+      SERVER_PORT: 5000
+      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
+    depends_on:
+      - cbioportal-session-database
+    ports:
+      - 5000:5000
+    networks:
+      - cbio-net
+  cbioportal-session-database:
+    restart: unless-stopped
+    image: ${DOCKER_IMAGE_MONGODB}
+    container_name: cbioportal-session-database
+    environment:
+      MONGO_INITDB_DATABASE: session-service
+    networks:
+      - cbio-net
+  keycloak:
+    restart: unless-stopped
+    container_name: keycloak
+    image: ${DOCKER_IMAGE_KEYCLOAK}
+    volumes:
+      - $PWD/../src/main/resources/dev/security/keycloak-configuration-generated.json:/opt/keycloak/data/import/realm.json:ro
+    environment:
+      - KC_HOSTNAME=localhost
+      - KC_DB_USERNAME=keycloak
+      - KC_DB_PASSWORD=password
+      - KC_DB_DATABASE=keycloak
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=admin
+    ports:
+      - 8084:8080
+    command: start-dev --import-realm
+
+networks:
+  cbio-net: