CustomHeaderAuthenticationBackend to run container proxy behind trusted http proxy

.gitignore

@@ -8,3 +8,4 @@ logs
 .project
 .classpath
 .settings
+.vscode

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>eu.openanalytics</groupId>
     <artifactId>containerproxy</artifactId>
-    <version>1.1.1-SNAPSHOT</version>
+    <version>1.1.1</version>
     <name>ContainerProxy</name>
     <packaging>jar</packaging>
 

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -120,7 +120,7 @@ public static void main(String[] args) {
         boolean hasExternalConfig = Files.exists(Paths.get(CONFIG_FILENAME))
             || System.getProperty("spring.config.location") != null
             || System.getenv("SPRING_CONFIG_LOCATION") != null
-            || Arrays.asList(args).contains("--spring.config.location");
+            || Arrays.stream(args).anyMatch(s -> s.contains("--spring.config.location"));
 
         if (!hasExternalConfig) {
             app.setAdditionalProfiles(CONFIG_DEMO_PROFILE);

src/main/java/eu/openanalytics/containerproxy/auth/AuthenticationBackendFactory.java

@@ -26,6 +26,7 @@
 import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.SimpleAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.WebServiceAuthenticationBackend;
+import eu.openanalytics.containerproxy.auth.impl.CustomHeaderAuthenticationBackend;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.AbstractFactoryBean;
 import org.springframework.context.ApplicationContext;
@@ -72,6 +73,7 @@ protected IAuthenticationBackend createInstance() {
             case LDAPAuthenticationBackend.NAME -> backend = new LDAPAuthenticationBackend();
             case OpenIDAuthenticationBackend.NAME -> backend = new OpenIDAuthenticationBackend();
             case WebServiceAuthenticationBackend.NAME -> backend = new WebServiceAuthenticationBackend(environment);
+            case CustomHeaderAuthenticationBackend.NAME -> backend = new CustomHeaderAuthenticationBackend(environment);
             case SAMLAuthenticationBackend.NAME -> {
                 return samlBackend;
             }

src/main/java/eu/openanalytics/containerproxy/auth/impl/CustomHeaderAuthenticationBackend.java

@@ -0,0 +1,92 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2024 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl;
+
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.AuthorizedUrl;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.stereotype.Component;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.auth.impl.customHeader.CustomHeaderAuthenticationFilter;
+import eu.openanalytics.containerproxy.auth.impl.customHeader.CustomHeaderAuthenticationToken;
+
+@Component
+public class CustomHeaderAuthenticationBackend implements IAuthenticationBackend{
+
+    public final static String NAME = "customHeader";
+
+    @Override
+    public String getName() {
+        return NAME;
+    }
+
+    @Override
+    public boolean hasAuthorization() {
+        return false;
+    }
+
+    @Override
+    public void configureHttpSecurity(HttpSecurity http) throws Exception {
+        http.formLogin().disable();
+
+		http.addFilterBefore(new CustomHeaderAuthenticationFilter(), BasicAuthenticationFilter.class);
+    }
+
+    @Override
+    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder auth) throws Exception {
+        // Configure a custom Authentication Provider
+        CustomHeaderAuthenticationProvider authenticationProvider = new CustomHeaderAuthenticationProvider();
+
+		auth.authenticationProvider(authenticationProvider);  
+    }
+
+
+    public class CustomHeaderAuthenticationProvider implements 
+        org.springframework.security.authentication.AuthenticationProvider, 
+        org.springframework.beans.factory.InitializingBean {
+
+        @Override
+        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+            CustomHeaderAuthenticationToken token = (CustomHeaderAuthenticationToken) authentication;
+            if (token.isValid()) 
+                return new CustomHeaderAuthenticationToken(token.getPrincipal().toString());
+
+            throw new BadCredentialsException("Invalid username");
+
+        }
+
+        @Override
+        public boolean supports(Class<?> authentication) {
+            return false;
+        }
+
+        @Override
+        public void afterPropertiesSet() throws Exception {
+
+        }
+    }
+
+}

src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.java

@@ -0,0 +1,72 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2024 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import java.io.IOException;
+
+import javax.annotation.Nonnull;
+import javax.inject.Inject;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.context.annotation.Lazy;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+public class CustomHeaderAuthenticationFilter extends OncePerRequestFilter {
+
+    private final Logger log = LogManager.getLogger(CustomHeaderAuthenticationFilter.class);
+
+    private final RequestMatcher requestMatcher = new OrRequestMatcher(
+            new AntPathRequestMatcher("/app/**"),
+            new AntPathRequestMatcher("/app_i/**"),
+            new AntPathRequestMatcher("/**"));
+
+    @Override
+    protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response,
+            @Nonnull FilterChain chain) throws ServletException, IOException {
+
+        log.debug(String.format("CustomHeaderAuthenticationFilter CALLED"));
+        if (requestMatcher.matches(request)) {
+            String remoteUser = request.getHeader("REMOTE_USER");
+            log.debug(String.format("CustomHeaderAuthenticationFilter REMOTE_USER: %s", remoteUser));
+            try {
+                Authentication authRequest = new CustomHeaderAuthenticationToken(remoteUser);
+                SecurityContextHolder.getContext().setAuthentication(authRequest);
+            } catch (AuthenticationException e) {
+                throw e;
+            }
+
+        }
+        chain.doFilter(request, response);
+    }
+}

src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationToken.java

@@ -0,0 +1,57 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2024 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+public class CustomHeaderAuthenticationToken extends AbstractAuthenticationToken{
+
+    private final String remoteUser;
+
+    public CustomHeaderAuthenticationToken(String userName) {
+        super(null);
+        this.remoteUser = userName;
+    }
+
+    public boolean isValid() { 
+        if (remoteUser != null && !remoteUser.isEmpty()) 
+            return true;
+        return false;
+    }
+
+
+    @Override
+    public Object getPrincipal() {
+        return remoteUser;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return null;
+    }
+
+    @Override
+	public String getName() {
+        return this.remoteUser;
+    }
+
+}
+

src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderConfiguration.java

@@ -0,0 +1,41 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2024 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.customHeader;
+
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConditionalOnProperty(name = "proxy.authentication", havingValue = "customHeader")
+public class CustomHeaderConfiguration {
+
+    public static final String REG_ID = "shinyproxy";
+    public static final String PROP_CUSTOM_HEADER = "proxy.customHeader";
+
+
+    @Bean
+    public CustomHeaderAuthenticationFilter customHeaderAuthorizeFilter() {
+        return new CustomHeaderAuthenticationFilter();
+    }
+
+}