Changes to Cattle for SAML integration #2085
Conversation
|
test failures are unrelated to auth changes here. test_volume_create_from_driver Also a jooq error: |
| return allowedPaths; | ||
| } | ||
|
|
||
| @Inject |
There was a problem hiding this comment.
Don't need @Inject here
|
|
||
| <bean class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" /> | ||
| <bean id="AuthenticatedProxy" class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" > | ||
| <property name="noAuthProxy"> |
There was a problem hiding this comment.
No changes should be needed here. The defaults should suffice
There was a problem hiding this comment.
Yep, will correct it
| @@ -519,8 +519,27 @@ | |||
|
|
|||
| <bean id="TokenAccountLookup" class="io.cattle.platform.iaas.api.auth.integration.internal.rancher.TokenAccountLookup" /> | |||
|
|
|||
| <bean id="NoAuthenticationProxy" class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" > | |||
| <property name="noAuthProxy"> | |||
There was a problem hiding this comment.
You can just do value="true", much shorter XML
There was a problem hiding this comment.
Yeah then its not a boolean property. It becomes a string. But I will change it and convert string to boolean in setter.
| @@ -39,5 +39,10 @@ | |||
| <scope>provided</scope> | |||
| <optional>true</optional> | |||
| </dependency> | |||
| <dependency> | |||
There was a problem hiding this comment.
What code changed in the docker/machine project that needed this? The github diff doesn't show me full filenames
There was a problem hiding this comment.
The AuthServiceLauncher is importing some Auth related DynamicStringProperties (for getReloadSettings()) from io.cattle.platform.iaas.api.auth.SecurityConstants and io.cattle.platform.iaas.api.auth.integration.external.ServiceAuthConstants;
| public class AuthSchemaAdditionsPostProcessor extends AbstractSchemaPostProcessor implements SchemaPostProcessor, Priority { | ||
|
|
||
| private static final DynamicStringProperty AUTH_SERVICE_EXTERNAL_ID_TYPES = ArchaiusUtil.getString("auth.service.external.id.types"); | ||
| private static final List<String> EXTERNAL_ID_TYPES = new ArrayList<String>(); |
There was a problem hiding this comment.
Don't do this, it defeats the purpose of Dynamic properties. Use DynamicStringListProperty
|
|
||
| @Override | ||
| public SchemaImpl postProcess(SchemaImpl schema, SchemaFactory factory) { | ||
|
|
There was a problem hiding this comment.
Don't put newlines at the beginning of functions
| @@ -214,6 +217,21 @@ protected void generate(final ApiRequest request) throws IOException { | |||
| throw new ClientVisibleException(ResponseCodes.FORBIDDEN); | |||
| } | |||
|
|
|||
| boolean matchesAllowedPath = false; | |||
| if(isNoAuthProxy()) { | |||
| if (uri.getPath() != null && allowedPaths != null) { | |||
There was a problem hiding this comment.
You are preforming this check on the redirect URL (the url we will hit) not the request URL. You need to check the request URL.
There was a problem hiding this comment.
@ibuildthecloud the request URL has the prefix /v1/proxy, while the redirect URL is the actual URL requested by the UI.
example:
requestURL is = http://localhost:8080/v1/proxy/http://localhost:8090/v1-auth/saml/login
redirect is= http://localhost:8090/v1-auth/saml/login
So I am checking the redirect.
Change to add AuthSchemaAdditionsPostProcessor to include github_user/github_group/github_team/shibboleth_user/shibboleth_group in schema Change to separate allowedIdentities using provider's separator Changes to call reload API for rancher-auth-service, when auth config changes Review changes
prachidamle
force-pushed
the
go_auth_saml_integration
branch
from
47e7a2f
to
fe873b9
Compare
|
@ibuildthecloud please review the changes |
|
All Test failures are unrelated: 2016-10-16 20:05:45,367 ERROR [3d832d9d-1757-4b15-aee5-c04130f76dd6:3793] [instance:220] [instance.start->(InstanceStart)] [] [cutorService-15] [i.c.p.process.instance.InstanceStart] Failed to Scheduling for instance [220] |
Changes include:
Added two instances of GenericWhitelistedProxy - first one will run before APIAuthenticator to allow some configured paths to be proxied through unauthenticated. The second instance will run after APIAuthenticator and perform default checks after auth is passed.
Added AuthSchemaAdditionsPostProcessor to include externalIdTypes (from cattle-global.properties) github_user/github_group/github_team/shibboleth_user/shibboleth_group in
schema
Change to separate allowedIdentities using provider's separator instead of always separating with a comma
Changes to call reload API for rancher-auth-service, when auth config changes