Cherry-pick superuser feature from main (#1549)

* Auth SignIn - OIDC / Superuser (#1490)

* WG309 Auth Context and Welcome screen - WIP

* WG309 Auth Context and Welcome screen - WIP2

* WG309 Auth Context and Welcome screen - WIP

* Add sign_in handler

* WG309 Update welcome screen form

* WG309 Update sign in formData submit

* WG309 Update sign in req and payload

* Fix format in helm testdata

* Enable CORS for dev

* Remove unnecessary package

* WG309 Userinfo draft and cleanup

* Callback working - use REACT_API_URL=http://0.0.0.0:9001

* WG309 User info returns 200

* WG309 Remove CORS related code

* WG309 Remove CORS related code - update

* Add tests for Signin handler

* Update tests

* Remove username from sign in form

* Add token signer/verifier

* Fix test

* Add new middleware

* Add tests for Signin handler

* User from stash

* WG309 AuthContext update on user info check

* WG309 AuthContext update on user info check - 2

* WG309 Refactor loading in AuthContext

* WG309 AuthContext reruns on history change

* Fix conflict

* WG309 AuthContext refactor

* WG309 On refresh page doesnt go to 404 anymore

* Wrap loading page

* WG309 Fix oidc return url

* Issued cookies should have the Secure attribute to true

* WG309 Display alert error

* Remove secret yaml example

* WG309 Improve loading transition

* Add OIDC flow test for user info endpoint

* WG309 Improve loading transition - 2

* Fix eslint errors

* Split out authchecking from the authcontext, single router

* WG309 Add switch for password visibility

* WG309 Add switch for password visibility - updated

* Update package.json with main version

* Lint it

* Rm security risk printing user-supplied value

* WG309 Hide UI behind flag - WIP

* Push first pass at GET /v1/config

* https in tests

* Revert "https in tests"

This reverts commit 286211b.

* get feature flags innit

* WG309 Hide UI behind feature flag - updated

* Linting and testing

* Update exports

* untagglin

* fix fix fix

* OIDC is optional now

* Update package.lock

* WG309 Hide UI behind feature flag - updated2

* Fix issues in package-lock.json

* Fix issues in package-lock.json - 2

Co-authored-by: Yiannis <yiannis@weave.works>
Co-authored-by: Simon Howe <footless@gmail.com>

* Auth logout (#1492)

* WG309 Auth Context and Welcome screen - WIP

* WG309 Auth Context and Welcome screen - WIP2

* WG309 Auth Context and Welcome screen - WIP

* Add sign_in handler

* WG309 Update welcome screen form

* WG309 Update sign in formData submit

* WG309 Update sign in req and payload

* Fix format in helm testdata

* Enable CORS for dev

* Remove unnecessary package

* WG309 Userinfo draft and cleanup

* Callback working - use REACT_API_URL=http://0.0.0.0:9001

* WG309 User info returns 200

* WG309 Remove CORS related code

* WG309 Remove CORS related code - update

* Add tests for Signin handler

* Update tests

* Remove username from sign in form

* Add token signer/verifier

* Fix test

* Add new middleware

* Add tests for Signin handler

* User from stash

* WG309 AuthContext update on user info check

* WG309 AuthContext update on user info check - 2

* WG309 Refactor loading in AuthContext

* WG309 AuthContext reruns on history change

* Fix conflict

* WG309 AuthContext refactor

* WG309 On refresh page doesnt go to 404 anymore

* Wrap loading page

* WG309 Fix oidc return url

* Issued cookies should have the Secure attribute to true

* WG309 Display alert error

* Remove secret yaml example

* WG309 Improve loading transition

* Add OIDC flow test for user info endpoint

* WG309 Improve loading transition - 2

* Fix eslint errors

* Split out authchecking from the authcontext, single router

* WG309 Add switch for password visibility

* WG309 Add switch for password visibility - updated

* Add BE logout code

* Update package.json with main version

* Lint it

* WG407 Add user settings section - WIP

* Rm security risk printing user-supplied value

* WG407 Add user settings section - WIP2

* WG309 Hide UI behind flag - WIP

* Push first pass at GET /v1/config

* https in tests

* Revert "https in tests"

This reverts commit 286211b.

* get feature flags innit

* WG309 Hide UI behind feature flag - updated

* Linting and testing

* Update exports

* untagglin

* fix fix fix

* OIDC is optional now

* Update package.lock

* WG407 Hide userSettings when authFlag is null

* WG309 Hide UI behind feature flag - updated2

* WG407 Hide userSettings when authFlag is null - 2

* Fix issues in package-lock.json

* Fix issues in package-lock.json - 2

* WG407 Add FeatureFlags context

* WG407 Add FeatureFlags context - updated

* WG407 Add FeatureFlags context - updated2

* Fix linting error

* Update ui/contexts/AuthContext.tsx

Co-authored-by: Simon <footless@gmail.com>

* Implement PR feedback

* Implement PR feedback - 2

Co-authored-by: Yiannis <yiannis@weave.works>
Co-authored-by: Simon Howe <footless@gmail.com>

* Add logout endpoint (#1472)

* Add logout endpoint

* linting

* more linting

* Add test

* Remove extra cookie

* Add failure test

* Set UI proxy port back to 9000

* Render UI even when featureflags route has an error

* run make proto

Co-authored-by: AlinaGoaga <35202557+AlinaGoaga@users.noreply.github.com>
Co-authored-by: Yiannis <yiannis@weave.works>
Co-authored-by: Simon Howe <footless@gmail.com>
Co-authored-by: sarataha <sara@weave.works>
Co-authored-by: Claudia Beresford <claudiaberesford@gmail.com>

.proxyrc

@@ -1,5 +1,8 @@
 {
   "/v1": {
     "target": "http://localhost:9000/",
-  }
+  }, 
+  "/oauth2": {
+    "target": "http://localhost:9001/"
+  },
 }

api/applications/applications.proto

@@ -154,6 +154,15 @@ service Applications {
         };
     }
 
+    /**
+    * Config returns configuration information about the server
+    */
+    rpc GetFeatureFlags(GetFeatureFlagsRequest) returns (GetFeatureFlagsResponse) {
+        option (google.api.http) = {
+            get : "/v1/featureflags"
+        };
+    }
+
 }
 
 // This object represents a single condition for a Kubernetes object.
@@ -385,3 +394,9 @@ message ValidateProviderTokenRequest {
 message ValidateProviderTokenResponse {
     bool valid = 1;
 }
+
+message GetFeatureFlagsRequest {}
+
+message GetFeatureFlagsResponse {
+    map<string, string> flags = 1;
+}

api/applications/applications.swagger.json

@@ -494,6 +494,29 @@
           "Applications"
         ]
       }
+    },
+    "/v1/featureflags": {
+      "get": {
+        "summary": "Config returns configuration information about the server",
+        "operationId": "Applications_GetFeatureFlags",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1GetFeatureFlagsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "tags": [
+          "Applications"
+        ]
+      }
     }
   },
   "definitions": {
@@ -679,6 +702,17 @@
         }
       }
     },
+    "v1GetFeatureFlagsResponse": {
+      "type": "object",
+      "properties": {
+        "flags": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        }
+      }
+    },
     "v1GetGithubAuthStatusRequest": {
       "type": "object",
       "properties": {

cmd/gitops-server/cmd/cmd.go

@@ -45,11 +45,11 @@ type Options struct {
 // OIDCAuthenticationOptions contains the OIDC authentication options for the
 // gitops-server
 type OIDCAuthenticationOptions struct {
-	IssuerURL      string
-	ClientID       string
-	ClientSecret   string
-	RedirectURL    string
-	CookieDuration time.Duration
+	IssuerURL     string
+	ClientID      string
+	ClientSecret  string
+	RedirectURL   string
+	TokenDuration time.Duration
 }
 
 var options Options
@@ -79,27 +79,32 @@ func NewCommand() *cobra.Command {
 		cmd.Flags().StringVar(&options.OIDC.ClientID, "oidc-client-id", "", "The client ID for the OpenID Connect client")
 		cmd.Flags().StringVar(&options.OIDC.ClientSecret, "oidc-client-secret", "", "The client secret to use with OpenID Connect issuer")
 		cmd.Flags().StringVar(&options.OIDC.RedirectURL, "oidc-redirect-url", "", "The OAuth2 redirect URL")
-		cmd.Flags().DurationVar(&options.OIDC.CookieDuration, "oidc-cookie-duration", time.Hour, "The duration of the ID token cookie. It should be set in the format: number + time unit (s,m,h) e.g., 20m")
+		cmd.Flags().DurationVar(&options.OIDC.TokenDuration, "oidc-token-duration", time.Hour, "The duration of the ID token. It should be set in the format: number + time unit (s,m,h) e.g., 20m")
 	}
 
 	return cmd
 }
 
 func preRunCmd(cmd *cobra.Command, args []string) error {
-	if server.AuthEnabled() {
-		if options.OIDC.IssuerURL == "" {
+	issuerURL := options.OIDC.IssuerURL
+	clientID := options.OIDC.ClientID
+	clientSecret := options.OIDC.ClientSecret
+	redirectURL := options.OIDC.RedirectURL
+
+	if issuerURL != "" || clientID != "" || clientSecret != "" || redirectURL != "" {
+		if issuerURL == "" {
 			return cmderrors.ErrNoIssuerURL
 		}
 
-		if options.OIDC.ClientID == "" {
+		if clientID == "" {
 			return cmderrors.ErrNoClientID
 		}
 
-		if options.OIDC.ClientSecret == "" {
+		if clientSecret == "" {
 			return cmderrors.ErrNoClientSecret
 		}
 
-		if options.OIDC.RedirectURL == "" {
+		if redirectURL == "" {
 			return cmderrors.ErrNoRedirectURL
 		}
 	}
@@ -180,29 +185,26 @@ func runCmd(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("invalid issuer URL: %w", err)
 		}
 
-		redirectURL, err := url.Parse(options.OIDC.RedirectURL)
+		_, err = url.Parse(options.OIDC.RedirectURL)
 		if err != nil {
 			return fmt.Errorf("invalid redirect URL: %w", err)
 		}
 
-		var oidcIssueSecureCookies bool
-		if redirectURL.Scheme == "https" {
-			oidcIssueSecureCookies = true
+		tsv, err := auth.NewHMACTokenSignerVerifier(options.OIDC.TokenDuration)
+		if err != nil {
+			return fmt.Errorf("could not create HMAC token signer: %w", err)
 		}
 
 		srv, err := auth.NewAuthServer(cmd.Context(), appConfig.Logger, http.DefaultClient,
 			auth.AuthConfig{
 				OIDCConfig: auth.OIDCConfig{
-					IssuerURL:    options.OIDC.IssuerURL,
-					ClientID:     options.OIDC.ClientID,
-					ClientSecret: options.OIDC.ClientSecret,
-					RedirectURL:  options.OIDC.RedirectURL,
-				},
-				CookieConfig: auth.CookieConfig{
-					CookieDuration:     options.OIDC.CookieDuration,
-					IssueSecureCookies: oidcIssueSecureCookies,
+					IssuerURL:     options.OIDC.IssuerURL,
+					ClientID:      options.OIDC.ClientID,
+					ClientSecret:  options.OIDC.ClientSecret,
+					RedirectURL:   options.OIDC.RedirectURL,
+					TokenDuration: options.OIDC.TokenDuration,
 				},
-			},
+			}, rawClient, tsv,
 		)
 		if err != nil {
 			return fmt.Errorf("could not create auth server: %w", err)
@@ -228,11 +230,7 @@ func runCmd(cmd *cobra.Command, args []string) error {
 		// This will return a 404 on normal page requests, ie /some-page.
 		// Redirect all non-file requests to index.html, where the JS routing will take over.
 		if extension == "" {
-			if server.AuthEnabled() {
-				auth.WithWebAuth(redirector, authServer).ServeHTTP(w, req)
-			} else {
-				redirector(w, req)
-			}
+			redirector(w, req)
 			return
 		}
 		assetHandler.ServeHTTP(w, req)

cmd/gitops-server/cmd/cmd_test.go

@@ -8,19 +8,6 @@ import (
 	"github.com/weaveworks/weave-gitops/cmd/gitops/cmderrors"
 )
 
-func TestNoIssuerURL(t *testing.T) {
-	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
-	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
-
-	cmd := NewCommand()
-	cmd.SetArgs([]string{
-		"ui", "run",
-	})
-
-	err := cmd.Execute()
-	assert.ErrorIs(t, err, cmderrors.ErrNoIssuerURL)
-}
-
 func TestNoClientID(t *testing.T) {
 	os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
 	defer os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")

go.mod

@@ -67,6 +67,7 @@ require (
 	github.com/gofrs/flock v0.8.1
 	github.com/google/uuid v1.3.0
 	github.com/oauth2-proxy/mockoidc v0.0.0-20210703044157-382d3faf2671
+	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	gopkg.in/square/go-jose.v2 v2.5.1
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -224,7 +225,6 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
 	golang.org/x/mod v0.5.1 // indirect
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect

package.json

@@ -41,9 +41,9 @@
   "peerDependencies": {
     "lodash": "^4.17.21",
     "luxon": "^1.27.0",
+    "react": "^17.0.2",
     "react-dom": "^17.0.2",
     "react-toastify": "^7.0.4",
-    "react": "^17.0.2",
     "styled-components": "^5.3.0"
   },
   "dependencies": {