From 3ab535011178391ba688623c4123e7886264744e Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Mon, 25 Nov 2024 12:22:30 -0800 Subject: [PATCH 1/5] Remove insecure config --- dev/alive/appsettings.json | 2 +- dev/gateway/appsettings.json | 2 +- dev/hymtruth/appsettings.json | 2 +- dev/mash/appsettings.json | 2 +- dev/mstudy/appsettings.json | 2 +- dev/radar/appsettings.json | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json index 57dc4fc..23eb9ef 100644 --- a/dev/alive/appsettings.json +++ b/dev/alive/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json index d1c8d97..3a41dbc 100644 --- a/dev/gateway/appsettings.json +++ b/dev/gateway/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json index 7d35068..30908d9 100644 --- a/dev/hymtruth/appsettings.json +++ b/dev/hymtruth/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json index b428163..1a63c1a 100644 --- a/dev/mash/appsettings.json +++ b/dev/mash/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { 
diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json index 27e84db..356e962 100644 --- a/dev/mstudy/appsettings.json +++ b/dev/mstudy/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json index ef2abdc..c2a5b17 100644 --- a/dev/radar/appsettings.json +++ b/dev/radar/appsettings.json @@ -40,7 +40,7 @@ "Authorization": { "Mechanism": "UNSECURED", "AllowAllAuthenticatedUsers": true, - "UnsecuredIsAdmin": true, + "UnsecuredIsAdmin": false, "SAML2": { "HeadersMapping": { "Entitlements": { From eb5193e49d85191cb55b051433524e0c91d60551 Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Tue, 19 Nov 2024 23:07:30 -0800 Subject: [PATCH 2/5] Revert "Only allow localhost access, temporarily (#7)" This reverts commit b33e861a493cfaf618f6acda54b4c7234afc79c6. --- dev/alive/docker-compose.yaml | 6 ------ dev/gateway/docker-compose.yaml | 6 ------ dev/hymtruth/docker-compose.yaml | 6 ------ dev/mash/docker-compose.yaml | 6 ------ dev/mstudy/docker-compose.yaml | 6 ------ dev/radar/docker-compose.yaml | 7 ------- 6 files changed, 37 deletions(-) diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml index 5bff222..d1f7046 100644 --- a/dev/alive/docker-compose.yaml +++ b/dev/alive/docker-compose.yaml @@ -23,9 +23,6 @@ services: - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true 
@@ -33,8 +30,5 @@ services: - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-alive-mssql: diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml index fc51233..0b51607 100644 --- a/dev/gateway/docker-compose.yaml +++ b/dev/gateway/docker-compose.yaml @@ -23,9 +23,6 @@ services: - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: extends: file: ../common-services.yaml @@ -36,9 +33,6 @@ services: - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr clin-db: extends: file: ../common-services.yaml diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml index 43e5814..a6353df 100644 --- a/dev/hymtruth/docker-compose.yaml +++ b/dev/hymtruth/docker-compose.yaml 
@@ -23,9 +23,6 @@ services: - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true @@ -33,8 +30,5 @@ services: - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-hymtruth-mssql: diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml index 6c1b939..0087eba 100644 --- a/dev/mash/docker-compose.yaml +++ b/dev/mash/docker-compose.yaml @@ -23,9 +23,6 @@ services: - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true @@ -33,8 +30,5 @@ services: - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-mash-mssql: 
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml index 06f4570..4a17f00 100644 --- a/dev/mstudy/docker-compose.yaml +++ b/dev/mstudy/docker-compose.yaml @@ -23,9 +23,6 @@ services: - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true @@ -33,8 +30,5 @@ services: - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr volumes: leaf-mstudy-mssql: diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml index 849b496..6c98d6e 100644 --- a/dev/radar/docker-compose.yaml +++ b/dev/radar/docker-compose.yaml @@ -23,9 +23,6 @@ services: - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr node: labels: - traefik.enable=true 
@@ -33,9 +30,5 @@ services: - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt - # TODO remove after auth implemented via oauth2-proxy - # only allow access from localhost and CIRG IP ranges - - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.middlewares=limit-access-to-cirg-dc-cidr - volumes: leaf-radar-mssql: From 665d304f7ae71ae38ca334524d2e84f565759bd7 Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Mon, 25 Nov 2024 12:34:19 -0800 Subject: [PATCH 3/5] Add email authentication with oauth2-proxy via HTTP headers --- dev/alive/appsettings.json | 4 +- dev/alive/docker-compose.yaml | 15 +++++-- dev/default.env | 8 ++++ dev/gateway/appsettings.json | 4 +- dev/gateway/docker-compose.yaml | 68 ++++++++++++++++++++++++++++++-- dev/hymtruth/appsettings.json | 4 +- dev/hymtruth/docker-compose.yaml | 15 +++++-- dev/mash/appsettings.json | 4 +- dev/mash/docker-compose.yaml | 15 +++++-- dev/mstudy/appsettings.json | 4 +- dev/mstudy/docker-compose.yaml | 15 +++++-- dev/radar/appsettings.json | 4 +- dev/radar/docker-compose.yaml | 15 +++++-- 13 files changed, 139 insertions(+), 36 deletions(-) diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json index 23eb9ef..d0e1508 100644 --- a/dev/alive/appsettings.json +++ b/dev/alive/appsettings.json @@ -24,7 +24,7 @@ } }, "Authentication": { - "Mechanism": "UNSECURED", + "Mechanism": "SAML2", "SessionTimeoutMinutes": 480, "InactivityTimeoutMinutes": 20, "Logout": { @@ -33,7 +33,7 @@ }, "SAML2": { "Headers": { - "ScopedIdentity": "eppn" + "ScopedIdentity": "X-Auth-Request-Email" } } }, diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml index d1f7046..51762f5 100644 --- a/dev/alive/docker-compose.yaml +++ b/dev/alive/docker-compose.yaml 
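Review bot: `ScopedIdentity` now names `X-Auth-Request-Email`, which makes the e-mail claim the identity Leaf keys users on, while the proxy introduced in the gateway compose file of this same patch derives its own session identity from `preferred_username` and is explicitly configured to accept unverified e-mail addresses; the two identities can diverge, and if the IdP lets users edit their own e-mail an unverified address can collide with another user's. If Leaf accepts any header name here, `"ScopedIdentity": "X-Auth-Request-User"` would key on the same claim the proxy already uses (oauth2-proxy fills that header from `OAUTH2_PROXY_USER_ID_CLAIM`), though the proxy's own TODO notes Leaf may not handle non-e-mail usernames; if e-mail must stay the key, the unverified-e-mail allowance on the proxy should go so only verified addresses ever reach this header. The same change appears in the gateway, hymtruth, mash, mstudy and radar appsettings hunks (L8, L12, L14, L16, L18).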
@@ -19,14 +19,21 @@ services: LEAF_APP_DB: Server=alive-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=alive;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.alive-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: labels: - traefik.enable=true - - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) + - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.alive-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt diff --git a/dev/default.env b/dev/default.env index 02f3eb5..5d33cf9 100644 
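Review bot: The `-unauth` router added for `PathPrefix(`/api`) && !Path(`/api/user`)` carries no middleware, so every `/api` call other than `/api/user` reaches coreapi with whatever `X-Auth-Request-*` headers the client chose to send; that is only safe if, as the linked Leaf doc appears to intend, coreapi reads the identity header solely on `/api/user` and authenticates the rest with the token it issues there, which nothing in the hunk states. A defensive addition that costs nothing is to delete the header on that router, e.g. `- traefik.http.middlewares.strip-auth-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.X-Auth-Request-Email=` (Traefik removes a request header whose custom value is empty) attached via `- traefik.http.routers.alive-coreapi-unauth-${COMPOSE_PROJECT_NAME}.middlewares=strip-auth-${COMPOSE_PROJECT_NAME}`, plus a comment on the `-unauth` router recording that it is intentionally unauthenticated at the edge. The same split appears in the gateway, hymtruth, mash, mstudy and radar compose hunks (L11, L13, L15, L17, L19). Whether coreapi is also reachable directly on the shared ingress network by other containers is not visible here; the header is only trustworthy when every path to coreapi passes through the forwardAuth router.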
--- a/dev/default.env
+++ b/dev/default.env
@@ -20,3 +20,11 @@ HYMTRUTH_JWT_KEY_PW=
 MASH_JWT_KEY_PW=
 MSTUDY_JWT_KEY_PW=
 RADAR_JWT_KEY_PW=
+
+ # generate via: python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
+ OAUTH2_PROXY_COOKIE_SECRET=
+
+ # obtain from Keycloak/OIDC provider
+ OAUTH2_PROXY_CLIENT_ID=
+ OAUTH2_PROXY_CLIENT_SECRET=
+ OAUTH2_PROXY_OIDC_ISSUER_URL=
diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json
index 3a41dbc..162b8c9 100644
--- a/dev/gateway/appsettings.json
+++ b/dev/gateway/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,7 +33,7 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
index 0b51607..6be9792 100644
--- a/dev/gateway/docker-compose.yaml
+++ b/dev/gateway/docker-compose.yaml
@@ -1,5 +1,58 @@
 version: "3"
 services:
+ auth-proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
+ # oauth2-proxy does not EXPOSE (advertise) the ports it listens on in its docker image
+ expose:
+ - 4180
+ environment:
+ OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+ OAUTH2_PROXY_REVERSE_PROXY: "true"
+
+ # when authenticated, return a static 202 response
+ # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration
+ OAUTH2_PROXY_UPSTREAMS: static://202
+
+ # needed to set X-Auth-Request-Email
+ OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
+
+ # general cookie settings
+ OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET}
+ OAUTH2_PROXY_COOKIE_DOMAINS: .${LEAF_DOMAIN}
+ OAUTH2_PROXY_WHITELIST_DOMAINS: .${LEAF_DOMAIN}
+ OAUTH2_PROXY_COOKIE_EXPIRE: 30m
+ OAUTH2_PROXY_COOKIE_REFRESH: 1m
+ OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+ OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"
+ # TODO test how leaf handles usernames that are not email addresses
+ # base session cookie on Keycloak username (email not always set in Keycloak)
+ OAUTH2_PROXY_USER_ID_CLAIM: preferred_username
+
+ # OIDC integration settings
+ OAUTH2_PROXY_PROVIDER: oidc
+ OAUTH2_PROXY_SCOPE: openid profile email
+ OAUTH2_PROXY_OIDC_ISSUER_URL: ${OAUTH2_PROXY_OIDC_ISSUER_URL}
+ OAUTH2_PROXY_CLIENT_ID: ${OAUTH2_PROXY_CLIENT_ID}
+ OAUTH2_PROXY_CLIENT_SECRET: ${OAUTH2_PROXY_CLIENT_SECRET}
+ labels:
+ - traefik.enable=true
+ # TODO fix HostRegexp syntax, after upgrading to traefik v3
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.rule=Host(`auth-proxy.${LEAF_DOMAIN}`) || (PathPrefix(`/oauth2`) && (Host(`${LEAF_DOMAIN}`) || HostRegexp(`{subdomain:.+}.${LEAF_DOMAIN}`)))
+
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
+ - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+
+ # https://oauth2-proxy.github.io/oauth2-proxy/configuration/integration/#forwardauth-with-static-upstreams-configuration
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.address=http://auth-proxy-${COMPOSE_PROJECT_NAME}:4180/
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
+ - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
+
+ networks:
+ ingress:
+ aliases:
+ - auth-proxy-${COMPOSE_PROJECT_NAME}
+ internal:
+
 gateway-mssql:
 extends:
 file: ../common-services.yaml
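Review bot: `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"` next to `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` means any account the IdP authenticates, carrying any e-mail value it presents, passes the proxy and that e-mail becomes the identity Leaf is told about through the `X-Auth-Request-Email` header the appsettings files in this patch now read; the comment above `OAUTH2_PROXY_USER_ID_CLAIM` explains the username choice, but nothing records why unverified e-mail must be accepted. If Keycloak accounts lack verified e-mail, the safer fix is on the IdP side (require e-mail verification or map a verified attribute into the `email` claim) so the flag can be removed, with a comment such as `# e-mail is the Leaf identity: the IdP must only issue verified addresses` replacing it. Separately, `authResponseHeaders` copies `X-Auth-Request-Access-Token` and `Authorization` into every request reaching the protected routers, which hands the IdP access token to the node frontend and coreapi; unless Leaf consumes it, trimming the list to `X-Auth-Request-User,X-Auth-Request-Email` follows least privilege. `forwardAuth.trustForwardHeader=true` and `OAUTH2_PROXY_REVERSE_PROXY: "true"` both trust incoming `X-Forwarded-*` values, so the websecure entrypoint (not visible here) needs `forwardedHeaders.trustedIPs` limited to the real edge, otherwise a client-supplied forwarded host can influence the proxy's redirect construction. The image is pinned to the `v7.3.0` tag, a 2022-era release; pinning a current release by digest (`image: quay.io/oauth2-proxy/oauth2-proxy:<version>@sha256:<digest>`) both picks up upstream fixes and prevents the tag from silently changing underneath the deployment.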
@@ -19,9 +72,15 @@ services: LEAF_APP_DB: Server=gateway-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=gateway;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.gateway-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.gateway-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: extends: @@ -29,7 +88,8 @@ services: service: node labels: - traefik.enable=true - - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) + - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.gateway-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt 
diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json
index 30908d9..f87db7b 100644
--- a/dev/hymtruth/appsettings.json
+++ b/dev/hymtruth/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,7 +33,7 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
index a6353df..0b376d0 100644
--- a/dev/hymtruth/docker-compose.yaml
+++ b/dev/hymtruth/docker-compose.yaml
@@ -19,14 +19,21 @@ services: LEAF_APP_DB: Server=hymtruth-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=hymtruth;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.hymtruth-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.hymtruth-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: labels: - traefik.enable=true - - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) + - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.hymtruth-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt 
diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json
index 1a63c1a..0e42141 100644
--- a/dev/mash/appsettings.json
+++ b/dev/mash/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,7 +33,7 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
index 0087eba..dfc3e67 100644
--- a/dev/mash/docker-compose.yaml
+++ b/dev/mash/docker-compose.yaml
@@ -19,14 +19,21 @@ services: LEAF_APP_DB: Server=mash-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=mash;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.mash-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mash-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: labels: - traefik.enable=true - - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) + - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mash-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json index 356e962..2b3212d 100644 
--- a/dev/mstudy/appsettings.json
+++ b/dev/mstudy/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,7 +33,7 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
index 4a17f00..58a7d32 100644
--- a/dev/mstudy/docker-compose.yaml
+++ b/dev/mstudy/docker-compose.yaml
@@ -19,14 +19,21 @@ services: LEAF_APP_DB: Server=mstudy-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=mstudy;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.mstudy-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.mstudy-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: labels: - traefik.enable=true - - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) + - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.mstudy-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt 
diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json
index c2a5b17..d417660 100644
--- a/dev/radar/appsettings.json
+++ b/dev/radar/appsettings.json
@@ -24,7 +24,7 @@
 }
 },
 "Authentication": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "SessionTimeoutMinutes": 480,
 "InactivityTimeoutMinutes": 20,
 "Logout": {
@@ -33,7 +33,7 @@
 },
 "SAML2": {
 "Headers": {
- "ScopedIdentity": "eppn"
+ "ScopedIdentity": "X-Auth-Request-Email"
 }
 }
 },
diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
index 6c98d6e..7ef635d 100644
--- a/dev/radar/docker-compose.yaml
+++ b/dev/radar/docker-compose.yaml
@@ -19,14 +19,21 @@ services: LEAF_APP_DB: Server=radar-mssql,1433;Database=LeafDB;uid=sa;Password=${MSSQL_SA_PASSWORD} LEAF_CLIN_DB: Server=clin-db,3306;Database=radar;uid=db-user;Password=${MYSQL_PASSWORD};Pooling=false labels: - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && PathPrefix(`/api`) - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - - traefik.http.routers.radar-coreapi-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && Path(`/api/user`) + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt + + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && PathPrefix(`/api`) && !Path(`/api/user`) + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure + - traefik.http.routers.radar-coreapi-unauth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt node: labels: - traefik.enable=true - - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) + - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && !PathPrefix(`/api`) + - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.radar-node-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt From f8ff8f03c8b603d35bc38627925aa029d1733352 Mon Sep 17 00:00:00 2001 
From: Ivan Cvitkovic Date: Mon, 25 Nov 2024 12:34:58 -0800 Subject: [PATCH 4/5] Add authorization via HTTP header using static list of roles --- dev/alive/appsettings.json | 12 ++++++------ dev/alive/docker-compose.yaml | 2 +- dev/gateway/appsettings.json | 12 ++++++------ dev/gateway/docker-compose.yaml | 6 +++++- dev/hymtruth/appsettings.json | 12 ++++++------ dev/hymtruth/docker-compose.yaml | 2 +- dev/mash/appsettings.json | 12 ++++++------ dev/mash/docker-compose.yaml | 2 +- dev/mstudy/appsettings.json | 12 ++++++------ dev/mstudy/docker-compose.yaml | 2 +- dev/radar/appsettings.json | 12 ++++++------ dev/radar/docker-compose.yaml | 2 +- 12 files changed, 46 insertions(+), 42 deletions(-) diff --git a/dev/alive/appsettings.json b/dev/alive/appsettings.json index d0e1508..1e60e44 100644 --- a/dev/alive/appsettings.json +++ b/dev/alive/appsettings.json @@ -38,7 +38,7 @@ } }, "Authorization": { - "Mechanism": "UNSECURED", + "Mechanism": "SAML2", "AllowAllAuthenticatedUsers": true, "UnsecuredIsAdmin": false, "SAML2": { @@ -49,11 +49,11 @@ } }, "RolesMapping": { - "User": "urn:mace:users", - "Super": "urn:mace:supers", - "Identified": "urn:mace:phi", - "Admin": "urn:mace:sudos", - "Federated": "urn:mace:federated" + "User": "leaf_users", + "Super": "leaf_supers", + "Identified": "leaf_phi", + "Admin": "leaf_admin", + "Federated": "leaf_federated" } } }, diff --git a/dev/alive/docker-compose.yaml b/dev/alive/docker-compose.yaml index 51762f5..48133d6 100644 --- a/dev/alive/docker-compose.yaml +++ b/dev/alive/docker-compose.yaml 
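Review bot: `AllowAllAuthenticatedUsers` stays `true` while `Authorization.Mechanism` moves to `SAML2`, so if the flag does what its name says the new `RolesMapping` can only elevate users and never exclude one; combined with the proxy's `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` from the previous patch, every account the IdP will authenticate gets at least User access to this instance. If membership in `leaf_users` is meant to be the gate, set `"AllowAllAuthenticatedUsers": false` here; if open access is intended for the dev stack, recording that intent in the commit message or the environment's documentation would keep the setting from being copied into a non-dev profile unnoticed. The same pairing appears in the gateway and hymtruth hunks (L21, L22) and, per the diffstat, presumably in the mash, mstudy and radar appsettings files outside this view.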
@@ -21,7 +21,7 @@ services: labels: # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`alive.${LEAF_DOMAIN}`) && Path(`/api/user`) - - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME} + - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME} - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure - traefik.http.routers.alive-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt diff --git a/dev/gateway/appsettings.json b/dev/gateway/appsettings.json index 162b8c9..24f5413 100644 --- a/dev/gateway/appsettings.json +++ b/dev/gateway/appsettings.json @@ -38,7 +38,7 @@ } }, "Authorization": { - "Mechanism": "UNSECURED", + "Mechanism": "SAML2", "AllowAllAuthenticatedUsers": true, "UnsecuredIsAdmin": false, "SAML2": { @@ -49,11 +49,11 @@ } }, "RolesMapping": { - "User": "urn:mace:users", - "Super": "urn:mace:supers", - "Identified": "urn:mace:phi", - "Admin": "urn:mace:sudos", - "Federated": "urn:mace:federated" + "User": "leaf_users", + "Super": "leaf_supers", + "Identified": "leaf_phi", + "Admin": "leaf_admin", + "Federated": "leaf_federated" } } }, diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml index 6be9792..1f7289b 100644 --- a/dev/gateway/docker-compose.yaml +++ b/dev/gateway/docker-compose.yaml 
@@ -47,6 +47,10 @@ services:
 - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
 - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
+ # TODO dynamically look up from OIDC tokens
+ # add Leaf group to all users via HTTP request header; see appsettings.json for available roles
+ - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users;leaf_phi;leaf_admin
+
 networks:
 ingress:
 aliases:
@@ -74,7 +78,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.gateway-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/hymtruth/appsettings.json b/dev/hymtruth/appsettings.json
index f87db7b..9cb1503 100644
--- a/dev/hymtruth/appsettings.json
+++ b/dev/hymtruth/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
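Review bot: The semicolon-separated value in the new `gws-groups` label only yields three roles if the header-to-entitlement parsing configured under `SAML2.HeadersMapping` in appsettings.json (outside this diff) splits on `;`; the comment points to appsettings.json for the role names but not for the delimiter, so `# value is ';'-separated; must match the Entitlements delimiter in appsettings.json` would close that gap. It is also worth recording in the comment why `customrequestheaders` is the right primitive: as far as I know Traefik's customRequestHeaders replaces a same-named header already present on the request, which is what keeps the role list server-controlled on this route, and a later switch to a middleware that merely forwards headers would hand that control to the caller without any other line changing. The second hunk in this file attaches the middleware to the gateway `/api/user` router only, matching the other five compose files, and the `labels:` list holding the new middleware definition continues on both sides of the first hunk.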
diff --git a/dev/hymtruth/docker-compose.yaml b/dev/hymtruth/docker-compose.yaml
index 0b376d0..b32f0c2 100644
--- a/dev/hymtruth/docker-compose.yaml
+++ b/dev/hymtruth/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`hymtruth.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.hymtruth-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/mash/appsettings.json b/dev/mash/appsettings.json
index 0e42141..823fba3 100644
--- a/dev/mash/appsettings.json
+++ b/dev/mash/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mash/docker-compose.yaml b/dev/mash/docker-compose.yaml
index dfc3e67..102b4ec 100644
--- a/dev/mash/docker-compose.yaml
+++ b/dev/mash/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mash.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.mash-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/mstudy/appsettings.json b/dev/mstudy/appsettings.json
index 2b3212d..541e81d 100644
--- a/dev/mstudy/appsettings.json
+++ b/dev/mstudy/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/mstudy/docker-compose.yaml b/dev/mstudy/docker-compose.yaml
index 58a7d32..8d228b5 100644
--- a/dev/mstudy/docker-compose.yaml
+++ b/dev/mstudy/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`mstudy.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.mstudy-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
diff --git a/dev/radar/appsettings.json b/dev/radar/appsettings.json
index d417660..eab749c 100644
--- a/dev/radar/appsettings.json
+++ b/dev/radar/appsettings.json
@@ -38,7 +38,7 @@
 }
 },
 "Authorization": {
- "Mechanism": "UNSECURED",
+ "Mechanism": "SAML2",
 "AllowAllAuthenticatedUsers": true,
 "UnsecuredIsAdmin": false,
 "SAML2": {
@@ -49,11 +49,11 @@
 }
 },
 "RolesMapping": {
- "User": "urn:mace:users",
- "Super": "urn:mace:supers",
- "Identified": "urn:mace:phi",
- "Admin": "urn:mace:sudos",
- "Federated": "urn:mace:federated"
+ "User": "leaf_users",
+ "Super": "leaf_supers",
+ "Identified": "leaf_phi",
+ "Admin": "leaf_admin",
+ "Federated": "leaf_federated"
 }
 }
 },
diff --git a/dev/radar/docker-compose.yaml b/dev/radar/docker-compose.yaml
index 7ef635d..e5e81d2 100644
--- a/dev/radar/docker-compose.yaml
+++ b/dev/radar/docker-compose.yaml
@@ -21,7 +21,7 @@ services:
 labels:
 # https://leafdocs.rit.uw.edu/installation/installation_steps/9_saml2/#route-protection-setup
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.rule=Host(`radar.${LEAF_DOMAIN}`) && Path(`/api/user`)
- - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+ - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},leaf-groups-${COMPOSE_PROJECT_NAME}
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
 - traefik.http.routers.radar-coreapi-auth-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt

From f9068f87c5fc0f58c82cb6feb33513952adb561a Mon Sep 17 00:00:00 2001
From: Ivan Cvitkovic
Date: Mon, 30 Dec 2024 12:34:58 -0800
Subject: [PATCH 5/5] Remove admin and PHI roles from static default role list

---
 dev/gateway/docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/gateway/docker-compose.yaml b/dev/gateway/docker-compose.yaml
index 1f7289b..aedbcf3 100644
--- a/dev/gateway/docker-compose.yaml
+++ b/dev/gateway/docker-compose.yaml
@@ -49,7 +49,7 @@ services:
 # TODO dynamically look up from OIDC tokens
 # add Leaf group to all users via HTTP request header; see appsettings.json for available roles
- - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users;leaf_phi;leaf_admin
+ - traefik.http.middlewares.leaf-groups-${COMPOSE_PROJECT_NAME}.headers.customrequestheaders.gws-groups=leaf_users
 networks:
 ingress:
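Review bot: After this change the static header grants only `leaf_users`, so — per the RolesMapping in the six appsettings.json files — no user can reach the `Admin` or `Identified` role until the TODO above is done; that is the safer interim state, and the comment should say so instead of leaving it implied, e.g. `# interim: every authenticated user gets leaf_users only; Admin/Identified (leaf_admin, leaf_phi) are unobtainable until groups come from the IdP`. Because this one label is the single source of roles for all six stacks, it is also the place to note who is expected to replace it and by what signal (the TODO names the mechanism but not the owner). The middleware definition fits inside the hunk, but the `labels:` list containing it continues before and after it.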