Merge pull request #1183 from jembi/PLAT-602-keycloak-integration

Plat 602 keycloak integration

Author: nour-borgi

config/config.md

@@ -71,8 +71,22 @@ The following config option are provided by the OpenHIM. All of these options ha
     // * "local" means through the UI with hitting "/authentication/local" endpoint with username and password, 
     // this will create a session for the user and set cookies in the browser.
     // * "basic" means with basic auth either through browser or postman by giving also username and password.
+    // * "openid" means with a third party authentication provider (e.g. keycloak).
     // * [Deprecated] "token" means that a request should provide in the header an 'auth-token', 'auth-salt' and 'auth-ts' to be authenticated.
-    "authenicationTypes": ["token"]
+    "authenicationTypes": ["token"],
+    // Openid connect provider configuration needed for the authentication
+    "openid": {
+      // Openid connect provider realm url link
+      "url": "http://localhost:9088/realms/platform-realm",
+      // Callback URL used by openid connect provider (should be the same callback URL specified in realm)
+      "callbackUrl": "http://localhost:9000",
+      // CLient ID specified in the realm
+      "clientId": "openhim-oauth",
+      // Client secret specified in the realm
+      "clientSecret": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
+      // Scopes to be requested from Openid connect provider
+      "scope": "openid email profile offline_access roles"
+    }
   },
   "rerun": {
     // The port that the transaction re-run processor runs on, this port is

config/default.json

@@ -42,7 +42,14 @@
     "maxPayloadSizeMB": 50,
     "truncateSize": 15000,
     "truncateAppend": "\n[truncated ...]",
-    "authenticationTypes": ["basic", "local", "token"]
+    "authenticationTypes": ["basic", "local", "token", "openid"],
+    "openid": {
+      "url": "http://localhost:9088/realms/platform-realm",
+      "callbackUrl": "http://localhost:9000",
+      "clientId": "openhim-oauth",
+      "clientSecret": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
+      "scope": "openid email profile offline_access roles"
+    }
   },
   "rerun": {
     "httpPort": 7786,

config/test.json

@@ -26,7 +26,14 @@
     "maxPayloadSizeMB": 50,
     "truncateSize": 10,
     "truncateAppend": "\n[truncated ...]",
-    "authenticationTypes": ["token", "basic", "local"]
+    "authenticationTypes": ["token", "basic", "local", "openid"],
+    "openid": {
+      "url": "http://localhost:10000/realms/realm",
+      "callbackUrl": "http://localhost:10010",
+      "clientId": "client-id",
+      "clientSecret": "client-secret",
+      "scope": "openid email profile offline_access roles"
+    }
   },
   "caching": {
     "enabled": false

package-lock.json

@@ -74,6 +74,7 @@
     "passport-custom": "^1.1.1",
     "passport-http": "^0.3.0",
     "passport-local": "^1.0.0",
+    "passport-openidconnect": "^0.1.1",
     "pem": "^1.14.4",
     "raw-body": "^2.4.1",
     "semver": "^7.3.2",

package.json

@@ -80,19 +80,35 @@ export function isAuthenticationTypeEnabled(type) {
   return getEnabledAuthenticationTypesFromConfig(config).includes(type)
 }
 
+function requestType(ctx, type) {
+  const {headers} = ctx.request
+
+  if (
+    headers['auth-username'] ||
+    headers['auth-ts'] ||
+    headers['auth-salt'] ||
+    headers['auth-token']
+  ) {
+    return type === 'token'
+  } else if (headers.authorization && headers.authorization.includes('Basic')) {
+    return type === 'basic'
+  }
+  return false
+}
+
 async function authenticateRequest(ctx) {
   let user = null
 
-  // First attempt local authentication if enabled
+  // First attempt local or openid authentication if enabled
   if (ctx.req.user) {
     user = ctx.req.user
   }
   // Otherwise try token based authentication if enabled (@deprecated)
-  if (user == null) {
+  if (user == null && requestType(ctx, 'token')) {
     user = await authenticateToken(ctx)
   }
   // Otherwise try basic based authentication if enabled
-  if (user == null) {
+  if (user == null && requestType(ctx, 'basic')) {
     // Basic auth using middleware
     user = await authenticateBasic(ctx)
   }

src/api/authentication.js

@@ -39,9 +39,7 @@ export function me(ctx) {
 }
 
 export async function authenticate(ctx) {
-  if (!ctx.req.user) {
-    utils.logAndSetResponse(ctx, 404, `Could not be authenticaticated`, 'info')
-  } else {
+  if (ctx.req.user) {
     ctx.body = {
       result: 'User authenticated successfully',
       user: ctx.req.user
@@ -173,10 +171,9 @@ export async function userPasswordResetRequest(ctx, email) {
   }
 
   try {
-    const user = await UserModelAPI.findOneAndUpdate(
-      {email: utils.caseInsensitiveRegex(email)},
-      updateUserTokenExpiry
-    )
+    const user = await UserModelAPI.findOne({
+      email: utils.caseInsensitiveRegex(email)
+    })
     if (!user) {
       ctx.body = `Tried to request password reset for invalid email address: ${email}`
       ctx.status = 404
@@ -186,6 +183,17 @@ export async function userPasswordResetRequest(ctx, email) {
       return
     }
 
+    if (user.provider === 'openid') {
+      ctx.body = `User supplied by OpenID Connect provider. Cannot request password reset.`
+      ctx.status = 403
+      logger.info(
+        `Tried to request password reset for a user supplied by OpenID Connect provider: ${email}`
+      )
+      return
+    }
+
+    await UserModelAPI.findByIdAndUpdate(user.id, updateUserTokenExpiry)
+
     const {consoleURL} = config.alerts
     const setPasswordLink = `${consoleURL}/#!/set-password/${token}`
 
@@ -293,6 +301,15 @@ export async function updateUserByToken(ctx, token) {
       ctx.status = 410
       return
     }
+
+    if (userDataExpiry.provider === 'openid') {
+      ctx.body = `User supplied by OpenID Connect provider. Could not be updated.`
+      ctx.status = 403
+      logger.info(
+        `Tried to request update by token for a user supplied by OpenID Connect provider: ${token}`
+      )
+      return
+    }
   } catch (error) {
     utils.logAndSetResponse(
       ctx,
@@ -340,7 +357,10 @@ export async function updateUserByToken(ctx, token) {
       logger.warn(
         'Token authentication strategy is deprecated. Please consider using Local or Basic authentication.'
       )
-      ;({user, error} = await updateTokenUser(userUpdateObj))
+      ;({user, error} = await updateTokenUser({
+        ...userUpdateObj,
+        provider: 'token'
+      }))
       // Other providers
     } else {
       ;({user, error} = await apiUpdateUser(userUpdateObj))
@@ -424,6 +444,8 @@ export async function addUser(ctx) {
       delete userData.passwordSalt
       delete userData.passwordAlgorithm
       delete userData.password
+
+      userData.provider = password ? 'local' : 'token'
     }
 
     const user = new UserModelAPI(userData)
@@ -570,7 +592,7 @@ export async function updateUser(ctx, email) {
     )
   }
 
-  const {_doc: userData} = new UserModelAPI(ctx.request.body)
+  let {_doc: userData} = new UserModelAPI(ctx.request.body)
   const {password} = ctx.request.body
 
   // @deprecated
@@ -597,6 +619,15 @@ export async function updateUser(ctx, email) {
     delete userData._id
   }
 
+  if (userDetails.provider === 'openid') {
+    userData = {
+      msisdn: userData.msisdn,
+      dailyReport: userData.dailyReport,
+      weeklyReport: userData.weeklyReport,
+      settings: userData.settings
+    }
+  }
+
   try {
     let user, error
     // @deprecated Token user update
@@ -609,6 +640,7 @@ export async function updateUser(ctx, email) {
         passwordAlgorithm,
         passwordHash,
         passwordSalt,
+        provider: 'token',
         ...userData
       }))
       // Other providers

src/api/users.js

@@ -85,6 +85,20 @@ export function setupApp(done) {
       compose([passport.authenticate('local'), users.authenticate])
     )
   )
+  // Openid authentication
+  app.use(
+    route.post(
+      '/authenticate/openid',
+      compose([
+        (ctx, next) => {
+          ctx.request.query = ctx.request.body
+          return next()
+        },
+        passport.authenticate('openidconnect'),
+        users.authenticate
+      ])
+    )
+  )
   // @deprecated: Token authentication
   app.use(route.get('/authenticate/:username', users.authenticateToken))