Changes to Cattle for SAML integration #2085
Test failures are unrelated to auth changes here: test_volume_create_from_driver. Also a jooq error:
return allowedPaths; | ||
} | ||
|
||
@Inject |
Don't need @Inject here
will remove
|
||
<bean class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" /> | ||
<bean id="AuthenticatedProxy" class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" > | ||
<property name="noAuthProxy"> |
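Review bot: the first GenericWhitelistedProxy bean in this hunk has no id while the second, AuthenticatedProxy, carries an explicit noAuthProxy property; since the same class now serves as both the pre-authentication and the post-authentication handler, give both instances an id and leave noAuthProxy at its default on the authenticated one, so the only instance that carries the setting is the one meant to bypass APIAuthenticator and the handler order is explicit in the XML.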
No changes should be needed here. The defaults should suffice
Yep, will correct it
@@ -519,8 +519,27 @@ | |||
|
|||
<bean id="TokenAccountLookup" class="io.cattle.platform.iaas.api.auth.integration.internal.rancher.TokenAccountLookup" /> | |||
|
|||
<bean id="NoAuthenticationProxy" class="io.cattle.platform.iaas.api.request.handler.GenericWhitelistedProxy" > | |||
<property name="noAuthProxy"> |
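Review bot: `<property name="noAuthProxy">` on NoAuthenticationProxy is the switch that lets requests through before APIAuthenticator, so it should take the most compact, least ambiguous form: Spring's bean property conversion turns `value="true"` into a boolean for a `setNoAuthProxy(boolean)` setter, so no string-typed setter or manual parsing is needed, and the one-line attribute makes the bypass obvious to anyone reading the handler configuration.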
You can just do value="true", much shorter XML
Yeah, then it's not a boolean property. It becomes a string. But I will change it and convert the string to a boolean in the setter.
@@ -39,5 +39,10 @@ | |||
<scope>provided</scope> | |||
<optional>true</optional> | |||
</dependency> | |||
<dependency> |
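Review bot: the new `<dependency>` element is cut off here and the neighbouring entry is declared `<scope>provided</scope>` / `<optional>true</optional>`; state the intended scope for the new entry and, since the thread says it exists only so AuthServiceLauncher can reach SecurityConstants and ServiceAuthConstants, record that in a POM comment or the PR description so the coupling between the launcher module and the auth module is documented rather than implied.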
What code changed in the docker/machine project that needed this? The GitHub diff doesn't show me full filenames.
The AuthServiceLauncher is importing some Auth related DynamicStringProperties (for getReloadSettings()) from io.cattle.platform.iaas.api.auth.SecurityConstants and io.cattle.platform.iaas.api.auth.integration.external.ServiceAuthConstants.
public class AuthSchemaAdditionsPostProcessor extends AbstractSchemaPostProcessor implements SchemaPostProcessor, Priority { | ||
|
||
private static final DynamicStringProperty AUTH_SERVICE_EXTERNAL_ID_TYPES = ArchaiusUtil.getString("auth.service.external.id.types"); | ||
private static final List<String> EXTERNAL_ID_TYPES = new ArrayList<String>(); |
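Review bot: `EXTERNAL_ID_TYPES` is a mutable `static final List<String>` kept next to the `DynamicStringProperty AUTH_SERVICE_EXTERNAL_ID_TYPES`, so whatever is copied into it will not follow a later change to `auth.service.external.id.types` even though the property itself is dynamic; read the property's current value at the point of use or hold a `DynamicStringListProperty`, as the thread suggests, instead of caching a static copy.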
Don't do this, it defeats the purpose of Dynamic properties. Use DynamicStringListProperty
|
||
@Override | ||
public SchemaImpl postProcess(SchemaImpl schema, SchemaFactory factory) { | ||
|
Don't put newlines at the beginning of functions
@@ -214,6 +217,21 @@ protected void generate(final ApiRequest request) throws IOException { | |||
throw new ClientVisibleException(ResponseCodes.FORBIDDEN); | |||
} | |||
|
|||
boolean matchesAllowedPath = false; | |||
if(isNoAuthProxy()) { | |||
if (uri.getPath() != null && allowedPaths != null) { |
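Review bot: the guard `if (uri.getPath() != null && allowedPaths != null)` leaves `matchesAllowedPath` false when either value is missing, which is the right default, but because this instance runs before APIAuthenticator the match has to be tight: compare the normalised path component only (no query or fragment), reject a matching path on a host that is not expected, and make sure the code after this hunk treats `matchesAllowedPath == false` as FORBIDDEN (as the `ClientVisibleException(ResponseCodes.FORBIDDEN)` above does) rather than falling through to the authenticated behaviour.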
You are performing this check on the redirect URL (the URL we will hit), not the request URL. You need to check the request URL.
@ibuildthecloud the request URL has the prefix /v1/proxy, while the redirect URL is the actual URL requested by the UI.
Example:
request URL = http://localhost:8080/v1/proxy/http://localhost:8090/v1-auth/saml/login
redirect URL = http://localhost:8090/v1-auth/saml/login
So I am checking the redirect.
Change to add AuthSchemaAdditionsPostProcessor to include github_user/github_group/github_team/shibboleth_user/shibboleth_group in schema
Change to separate allowedIdentities using provider's separator
Changes to call reload API for rancher-auth-service, when auth config changes
Review changes
47e7a2f to fe873b9
@ibuildthecloud please review the changes
All test failures are unrelated:
2016-10-16 20:05:45,367 ERROR [3d832d9d-1757-4b15-aee5-c04130f76dd6:3793] [instance:220] [instance.start->(InstanceStart)] [] [cutorService-15] [i.c.p.process.instance.InstanceStart] Failed to Scheduling for instance [220]
Changes include:
Added two instances of GenericWhitelistedProxy: the first one will run before APIAuthenticator to allow some configured paths to be proxied through unauthenticated. The second instance will run after APIAuthenticator and perform default checks after auth is passed.
Added AuthSchemaAdditionsPostProcessor to include externalIdTypes (from cattle-global.properties) github_user/github_group/github_team/shibboleth_user/shibboleth_group in schema
Change to separate allowedIdentities using provider's separator instead of always separating with a comma
Changes to call reload API for rancher-auth-service, when auth config changes
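As an added example (not Cattle's own GenericWhitelistedProxy code), here is the decision the unauthenticated proxy instance described above has to make: extract the proxied target from the /v1/proxy request, then test its host and normalised path against an allow-list, denying by default. The class name, the allowedHosts restriction and the sample values are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Added illustration, not Cattle's GenericWhitelistedProxy: how the instance that runs before
// APIAuthenticator can decide whether a proxied target is reachable without a session.
public final class NoAuthProxyCheck {
    private static final String PROXY_PREFIX = "/v1/proxy/";
    private final List<String> allowedPaths; // configured paths, as in the PR
    private final List<String> allowedHosts; // hypothetical extra restriction: pin the target host
    public NoAuthProxyCheck(List<String> allowedPaths, List<String> allowedHosts) {
        this.allowedPaths = allowedPaths;
        this.allowedHosts = allowedHosts;
    }

    // The redirect target is whatever follows /v1/proxy/ in the request path, so the thread's
    // http://localhost:8080/v1/proxy/http://localhost:8090/v1-auth/saml/login
    // yields http://localhost:8090/v1-auth/saml/login, which is the URL the check inspects.
    static URI redirectTarget(URI requestUri) throws URISyntaxException {
        String raw = requestUri.getRawPath();
        if (raw == null || !raw.startsWith(PROXY_PREFIX)) return null;
        return new URI(raw.substring(PROXY_PREFIX.length()));
    }

    // Deny by default: no allow-list, unparsable target, missing host or path, a path that
    // changes under normalisation, or a host not on the list all fail the check.
    public boolean matchesAllowedPath(URI requestUri) {
        if (allowedPaths == null || allowedHosts == null) return false;
        URI target;
        try { target = redirectTarget(requestUri); } catch (URISyntaxException e) { return false; }
        if (target == null || target.getHost() == null || target.getPath() == null) return false;
        String path = target.getPath(); // path component only: query and fragment are ignored
        if (!path.equals(target.normalize().getPath()) || !allowedHosts.contains(target.getHost())) return false;
        for (String allowed : allowedPaths) {
            if (path.equals(allowed) || path.startsWith(allowed + "/")) return true;
        }
        return false;
    }
    public static void main(String[] args) throws URISyntaxException {
        NoAuthProxyCheck check = new NoAuthProxyCheck(
                Arrays.asList("/v1-auth/saml/login"), Arrays.asList("localhost"));
        // true: the SAML login path on the pinned host, the thread's own example
        System.out.println(check.matchesAllowedPath(new URI(
                "http://localhost:8080/v1/proxy/http://localhost:8090/v1-auth/saml/login")));
        // false: same path, but the target host is not on the list
        System.out.println(check.matchesAllowedPath(new URI(
                "http://localhost:8080/v1/proxy/http://other.example:8090/v1-auth/saml/login")));
    }
}
```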