handle password management for preauth mode

datadir/gateway/gateway.yaml

@@ -26,6 +26,7 @@ georchestra:
       orgLastUpdated: false
       jsonUser: false
       jsonOrganization: false
+      preAuth: true
     global-access-rules:
     - intercept-url:
       - /**

datadir/nginx-preauth/nginx.conf

@@ -9,8 +9,10 @@ server {
         proxy_set_header  preauth-firstname   "test";
         proxy_set_header  preauth-lastname    "admin";
         proxy_set_header  preauth-org         "georchestra";
+        proxy_set_header  preauth-idp	      "INRAE";
+        proxy_set_header  preauth-idp-userid  "f77ded4f-734e-4cbf-8003-627a49c0c499";
 
         proxy_pass http://gateway:8080;
     }
 
-}
+}

gateway/src/main/java/org/georchestra/gateway/accounts/admin/AccountManager.java

@@ -38,7 +38,8 @@ public interface AccountManager {
      * @param mappedUser the user {@link ResolveGeorchestraUserGlobalFilter}
      *                   resolved by calling
      *                   {@link GeorchestraUserMapper#resolve(Authentication)}
-     * @return the stored version of the user if it exists, otherwise an empty Optional
+     * @return the stored version of the user if it exists, otherwise an empty
+     *         Optional
      */
     Optional<GeorchestraUser> find(GeorchestraUser mappedUser);
 

gateway/src/main/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizer.java

@@ -82,9 +82,15 @@ public class CreateAccountUserCustomizer implements GeorchestraUserCustomizerExt
                 user = accounts.getOrCreate(mappedUser);
             }
             loggedInUsers.put(auth, user);
-            return user;
+            if (isOauth2) {
+                return accounts.getOrCreate(mappedUser);
+            }
+            GeorchestraUser preAuthUser = accounts.getOrCreate(mappedUser);
+            preAuthUser.setIsPreAuth(mappedUser.getIsPreAuth());
+            preAuthUser.setPreauthIdp(mappedUser.getPreauthIdp());
+            preAuthUser.setPreauthIdpUserId(mappedUser.getPreauthIdpUserId());
+            return preAuthUser;
         }
         return mappedUser;
     }
-
 }

gateway/src/main/java/org/georchestra/gateway/filter/headers/providers/GeorchestraUserHeadersContributor.java

@@ -63,6 +63,14 @@ public class GeorchestraUserHeadersContributor extends HeaderContributor {
                         add(headers, "sec-ldap-remaining-days", Optional
                                 .of(user.isPresent() && user.get().getLdapWarn() != null && user.get().getLdapWarn()),
                                 user.map(GeorchestraUser::getLdapRemainingDays));
+                        add(headers, "sec-external-authentication", mappings.getPreAuth(),
+                                user.map(GeorchestraUser::getIsPreAuth));
+                        add(headers, "sec-preauth-idp",
+                                Optional.of(user.isPresent() && user.get().getIsPreAuth().equals("true")),
+                                user.map(GeorchestraUser::getPreauthIdp));
+                        add(headers, "sec-preauth-idp-user-id",
+                                Optional.of(user.isPresent() && user.get().getIsPreAuth().equals("true")),
+                                user.map(GeorchestraUser::getPreauthIdpUserId));
                     });
         };
     }

gateway/src/main/java/org/georchestra/gateway/model/HeaderMappings.java

@@ -97,6 +97,12 @@ public class HeaderMappings {
      */
     private Optional<Boolean> jsonOrganization = Optional.empty();
 
+    /**
+     * Append the standard {@literal sec-external-authentication} header to proxied
+     * requests
+     */
+    private Optional<Boolean> preAuth = Optional.empty();
+
     public @VisibleForTesting HeaderMappings enableAll() {
         this.setAll(Optional.of(Boolean.TRUE));
         return this;

gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java

@@ -48,6 +48,8 @@ class PreauthAuthenticationManager implements ReactiveAuthenticationManager, Ser
     private static final String PREAUTH_LASTNAME = "preauth-lastname";
     private static final String PREAUTH_ORG = "preauth-org";
     private static final String PREAUTH_ROLES = "preauth-roles";
+    private static final String PREAUTH_IDP = "preauth-idp";
+    private static final String PREAUTH_IDP_USER_ID = "preauth-idp-userid";
 
     /**
      * @return {@code Mono.empty()} if the pre-auth request headers are not
@@ -92,6 +94,8 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
         String lastName = SecurityHeaders.decode(requestHeaders.get(PREAUTH_LASTNAME));
         String org = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ORG));
         String rolesValue = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ROLES));
+        String preauthIdp = SecurityHeaders.decode(requestHeaders.get(PREAUTH_IDP));
+        String preauthIdpUserId = SecurityHeaders.decode(requestHeaders.get(PREAUTH_IDP_USER_ID));
         List<String> roleNames = Optional.ofNullable(rolesValue)
                 .map(roles -> Stream
                         .concat(Stream.of("ROLE_USER"), Stream.of(roles.split(";")).filter(StringUtils::hasText))
@@ -105,6 +109,9 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
         user.setLastName(lastName);
         user.setOrganization(org);
         user.setRoles(roleNames);
+        user.setPreauthIdp(preauthIdp);
+        user.setPreauthIdpUserId(preauthIdpUserId);
+        user.setIsPreAuth("true");
         return user;
     }
 
@@ -116,5 +123,7 @@ public void removePreauthHeaders(HttpHeaders mutableHeaders) {
         mutableHeaders.remove(PREAUTH_LASTNAME);
         mutableHeaders.remove(PREAUTH_ORG);
         mutableHeaders.remove(PREAUTH_ROLES);
+        mutableHeaders.remove(PREAUTH_IDP);
+        mutableHeaders.remove(PREAUTH_IDP_USER_ID);
     }
 }