OpenID connect authentication module

geoserver · Jul 9, 2018 · aa88e5a · aa88e5a
1 parent cce65e7
commit aa88e5a
Show file tree

Hide file tree

Showing 24 changed files with 979 additions and 30 deletions.
diff --git a/doc/en/user/source/community/oauth2/index.rst b/doc/en/user/source/community/oauth2/index.rst
@@ -254,6 +254,45 @@ Configure the GeoServer OAuth2 filter
    .. figure:: images/oauth2filter004.png
       :align: center
 
+
+It's now possible to test the authentication:
+
+#. Navigate to the GeoServer home page and log out of the admin account. 
+#. Try to login again, you should be able now to see the external Google login form.
+
+   .. figure:: images/test1.jpg
+:align: center
+
+   .. figure:: images/test2.jpg
+:align: center
+
+   .. figure:: images/test3.jpg
+:align: center
+
+   .. figure:: images/test4.jpg
+:align: center
+
+   .. figure:: images/test5.jpg
+:align: center
+
+OpenID connect authentication
+-----------------------------
+
+The OpenID connect authentication is working in a way quite similar to Google (and GitHub) 
+authentications, the only difference is that the authentication page cannot propose default
+values for the various endpoints, which have to be configured manually.
+
+In case the web login will not be used, the "client ID" and "client secret" are not actually
+needed, and can be filled with two made up values (the validation just checks they are present,
+but they will be used only in the "authorisation flow", but not when doing OGC requests
+where the client is supposed to have autonomously retrieved a valid bearer token).
+
+.. warning:: The oauth2-openid-connect does not implement the full protocol and has been tested
+   against a single server, more development and testing is needed before it can be consumed by
+   a wider audience. `Pull requests <https://github.com/geoserver/geoserver/blob/master/CONTRIBUTING.md`_
+   to improve the module are welcomed.
+
+
 SSL Trusted Certificates
 ------------------------
 
@@ -394,24 +433,4 @@ In order to do this you can follow the next steps:
 		# verify we've got it.
 		keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
 
-Test the Google OAuth2 Provider Based Login
--------------------------------------------
-
-#. Navigate to the GeoServer home page and log out of the admin account. 
-#. Try to login again, you should be able now to see the external Google login form.
-
-   .. figure:: images/test1.jpg
-      :align: center
-
-   .. figure:: images/test2.jpg
-      :align: center
-
-   .. figure:: images/test3.jpg
-      :align: center
-
-   .. figure:: images/test4.jpg
-      :align: center
-
-   .. figure:: images/test5.jpg
-      :align: center
 
diff --git a/src/community/pom.xml b/src/community/pom.xml
@@ -526,6 +526,13 @@
         <module>security/oauth2-geonode</module>
       </modules>
     </profile>
+    <profile>
+      <id>oauth2-openid-connect</id>
+      <modules>
+        <module>security/oauth2</module>
+        <module>security/oauth2-openid-connect</module>
+      </modules>
+    </profile>
     <profile>
       <id>wmts-multi-dimensional</id>
       <modules>

diff --git a/...rver/security/oauth2/LoginButtonTest.java → ...curity/oauth2/GeoNodeLoginButtonTest.java b/...rver/security/oauth2/LoginButtonTest.java → ...curity/oauth2/GeoNodeLoginButtonTest.java
@@ -24,7 +24,7 @@
 import org.geoserver.web.GeoServerWicketTestSupport;
 import org.junit.Test;
 
-public class LoginButtonTest extends GeoServerWicketTestSupport {
+public class GeoNodeLoginButtonTest extends GeoServerWicketTestSupport {
 
     @Override
     protected void onSetUp(SystemTestData testData) throws Exception {

diff --git a/...rver/security/oauth2/LoginButtonTest.java → ...ecurity/oauth2/GitHubLoginButtonTest.java b/...rver/security/oauth2/LoginButtonTest.java → ...ecurity/oauth2/GitHubLoginButtonTest.java
@@ -18,7 +18,7 @@
 import org.geoserver.web.GeoServerWicketTestSupport;
 import org.junit.Test;
 
-public class LoginButtonTest extends GeoServerWicketTestSupport {
+public class GitHubLoginButtonTest extends GeoServerWicketTestSupport {
 
     @Override
     protected void onSetUp(SystemTestData testData) throws Exception {

diff --git a/...rver/security/oauth2/LoginButtonTest.java → ...ecurity/oauth2/GoogleLoginButtonTest.java b/...rver/security/oauth2/LoginButtonTest.java → ...ecurity/oauth2/GoogleLoginButtonTest.java
@@ -25,7 +25,7 @@
 import org.geoserver.web.GeoServerWicketTestSupport;
 import org.junit.Test;
 
-public class LoginButtonTest extends GeoServerWicketTestSupport {
+public class GoogleLoginButtonTest extends GeoServerWicketTestSupport {
 
     @Override
     protected void onSetUp(SystemTestData testData) throws Exception {

diff --git a/src/community/security/oauth2-openid-connect/pom.xml b/src/community/security/oauth2-openid-connect/pom.xml
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+  ~ (c) 2018 Open Source Geospatial Foundation - all rights reserved
+  ~ This code is licensed under the GPL 2.0 license, available at the root
+  ~ application directory.
+  ~
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.geoserver.community</groupId>
+		<artifactId>gs-security</artifactId>
+		<version>2.14-SNAPSHOT</version>
+	</parent>
+
+	<groupId>org.geoserver.community</groupId>
+	<artifactId>gs-sec-oauth2-openid-connect</artifactId>
+	<packaging>jar</packaging>
+	<version>2.14-SNAPSHOT</version>
+	<name>GeoServer OAuth2 Connect Security Module - OpenId Connect</name>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.geoserver</groupId>
+			<artifactId>gs-main</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.geoserver.web</groupId>
+			<artifactId>gs-web-sec-core</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.geoserver.community</groupId>
+			<artifactId>gs-sec-oauth2</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.security.oauth</groupId>
+			<artifactId>spring-security-oauth2</artifactId>
+			<version>2.0.11.RELEASE</version>
+		</dependency>
+
+		<dependency>
+			<groupId>net.sf.json-lib</groupId>
+			<artifactId>json-lib</artifactId>
+			<classifier>jdk15</classifier>
+		</dependency>
+		<dependency>
+			<groupId>org.codehaus.jackson</groupId>
+			<artifactId>jackson-mapper-asl</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-core</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-annotations</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.geoserver.community</groupId>
+			<artifactId>gs-sec-oauth2</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.geoserver</groupId>
+			<artifactId>gs-main</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.geoserver</groupId>
+			<artifactId>gs-wms</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.geoserver.web</groupId>
+			<artifactId>gs-web-core</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.geoserver.web</groupId>
+			<artifactId>gs-web-sec-core</artifactId>
+			<version>${project.version}</version>
+			<classifier>tests</classifier>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>xmlunit</groupId>
+			<artifactId>xmlunit</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.easymock</groupId>
+			<artifactId>easymock</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.easymock</groupId>
+			<artifactId>easymockclassextension</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.hamcrest</groupId>
+			<artifactId>hamcrest-library</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.hamcrest</groupId>
+			<artifactId>hamcrest-core</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+</project>
diff --git a/...onnect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationFilter.java b/...onnect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationFilter.java
@@ -0,0 +1,23 @@
+/*
+ * (c) 2018 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ *
+ */
+package org.geoserver.security.oauth2;
+
+import org.geoserver.security.config.SecurityNamedServiceConfig;
+import org.springframework.security.oauth2.client.OAuth2RestOperations;
+import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
+
+/** OpenID Connect authentication filter. */
+public class OpenIdConnectAuthenticationFilter extends GeoServerOAuthAuthenticationFilter {
+
+    public OpenIdConnectAuthenticationFilter(
+            SecurityNamedServiceConfig config,
+            RemoteTokenServices tokenServices,
+            GeoServerOAuth2SecurityConfiguration oauth2SecurityConfiguration,
+            OAuth2RestOperations oauth2RestTemplate) {
+        super(config, tokenServices, oauth2SecurityConfiguration, oauth2RestTemplate);
+    }
+}
diff --git a/...nect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationProvider.java b/...nect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationProvider.java
@@ -0,0 +1,43 @@
+/*
+ * (c) 2018 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ *
+ */
+package org.geoserver.security.oauth2;
+
+import org.geoserver.config.util.XStreamPersister;
+import org.geoserver.security.GeoServerSecurityManager;
+import org.geoserver.security.config.SecurityNamedServiceConfig;
+import org.geoserver.security.filter.GeoServerSecurityFilter;
+
+public class OpenIdConnectAuthenticationProvider extends GeoServerOAuthAuthenticationProvider {
+
+    public OpenIdConnectAuthenticationProvider(
+            GeoServerSecurityManager securityManager,
+            String tokenServices,
+            String oauth2SecurityConfiguration,
+            String geoServerOauth2RestTemplate) {
+        super(
+                securityManager,
+                tokenServices,
+                oauth2SecurityConfiguration,
+                geoServerOauth2RestTemplate);
+    }
+
+    @Override
+    public void configure(XStreamPersister xp) {
+        xp.getXStream().alias("openIdConnectAuthentication", OpenIdConnectFilterConfig.class);
+    }
+
+    @Override
+    public Class<? extends GeoServerSecurityFilter> getFilterClass() {
+        return OpenIdConnectAuthenticationFilter.class;
+    }
+
+    @Override
+    public GeoServerSecurityFilter createFilter(SecurityNamedServiceConfig config) {
+        return new OpenIdConnectAuthenticationFilter(
+                config, tokenServices, oauth2SecurityConfiguration, geoServerOauth2RestTemplate);
+    }
+}
diff --git a/...openid-connect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectFilterConfig.java b/...openid-connect/src/main/java/org/geoserver/security/oauth2/OpenIdConnectFilterConfig.java
@@ -0,0 +1,24 @@
+/*
+ * (c) 2018 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ *
+ */
+package org.geoserver.security.oauth2;
+
+/**
+ * Filter configuration for OpenId Connect. This is completely freeform, so adding only the basic
+ * bits in here.
+ */
+public class OpenIdConnectFilterConfig extends GeoServerOAuth2FilterConfig {
+
+    public OpenIdConnectFilterConfig() {
+        this.redirectUri = "http://localhost:8080/geoserver";
+        this.scopes = "user";
+        this.enableRedirectAuthenticationEntryPoint = false;
+        this.forceAccessTokenUriHttps = true;
+        this.forceUserAuthorizationUriHttps = true;
+        this.loginEndpoint = "/j_spring_oauth2_openid_connect_login";
+        this.logoutEndpoint = "/j_spring_oauth2_openid_connect_logout";
+    };
+}