From 4f74db696552164e36456a7484e0628aa7160bb7 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Tue, 4 Feb 2025 22:44:58 +0100 Subject: [PATCH 01/12] [auth] serves both raw and resigned tokens along with s3 config files --- sda/cmd/auth/frontend/static/custom.css | 2 +- sda/cmd/auth/frontend/templates/oidc.html | 15 ++++---- sda/cmd/auth/main.go | 46 +++++++++++++++-------- sda/cmd/auth/oidc.go | 12 ++++-- 4 files changed, 48 insertions(+), 27 deletions(-) diff --git a/sda/cmd/auth/frontend/static/custom.css b/sda/cmd/auth/frontend/static/custom.css index d442c23dd..6fa3a0535 100644 --- a/sda/cmd/auth/frontend/static/custom.css +++ b/sda/cmd/auth/frontend/static/custom.css @@ -7,7 +7,7 @@ } #loginbox1 { - max-width: 600px; + max-width: 800px; } #logintext { diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html index 4d14a5afa..adf8daac7 100644 --- a/sda/cmd/auth/frontend/templates/oidc.html +++ b/sda/cmd/auth/frontend/templates/oidc.html @@ -38,19 +38,20 @@
{{.}}
{{ end }} {{ end }} - {{if .Token}} + {{if .ResignedToken}}

- Your access token is: + Your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} for uploading to the Inbox is:

-
{{.Token}}
+
{{.ResignedToken}}
{{end}} - {{if .ExpDate}} + {{if .RawToken}}

- Your access token expires (UTC): + Your access token {{if .ExpDateRaw}}(expires at {{.ExpDateRaw}} UTC){{end}} for downloading from the Archive is:

-
{{.ExpDate}}
+
{{.RawToken}}
{{end}} - Download inbox s3cmd credentials + Download credentials for uploading to the Inbox + Download credentials for downloading from the Archive Continue diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go index b2b8c17ed..5dab75177 100644 --- a/sda/cmd/auth/main.go +++ b/sda/cmd/auth/main.go @@ -27,7 +27,8 @@ type LoginOption struct { } type OIDCData struct { - S3Conf map[string]string + S3ConfInbox map[string]string + S3ConfDownload map[string]string OIDCID OIDCIdentity } @@ -40,7 +41,10 @@ type AuthHandler struct { pubKey string } -func (auth AuthHandler) getInboxConfig(ctx iris.Context, authType string) { +// getS3Config retrieves S3 config from session flash and serves it as a +// downloadable s3cmd file with the specified fileName. Redirects to home if +// config is missing. +func (auth AuthHandler) getS3Config(ctx iris.Context, authType string, fileName string) { log.Infoln(ctx.Request().URL.Path) @@ -52,7 +56,8 @@ func (auth AuthHandler) getInboxConfig(ctx iris.Context, authType string) { return } s3cfmap := s3conf.(map[string]string) - ctx.ResponseWriter().Header().Set("Content-Disposition", "attachment; filename=s3cmd.conf") + ctx.ResponseWriter().Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", fileName)) + s3c := "[default]\n" for k, v := range s3cfmap { @@ -215,7 +220,7 @@ func (auth AuthHandler) getEGALogin(ctx iris.Context) { // getEGAConf returns an s3config file for an oidc login func (auth AuthHandler) getEGAConf(ctx iris.Context) { - auth.getInboxConfig(ctx, "ega") + auth.getS3Config(ctx, "ega", "s3cmd.conf") } // getOIDC redirects to the oidc page defined in auth.Config @@ -270,6 +275,7 @@ func (auth AuthHandler) elixirLogin(ctx iris.Context) *OIDCData { } if auth.Config.ResignJwt { + log.Debugf("Resigning token for user %s", idStruct.User) claims := map[string]interface{}{ jwt.ExpirationKey: time.Now().UTC().Add(time.Duration(auth.Config.JwtTTL) * time.Hour), jwt.IssuedAtKey: time.Now().UTC(), 
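Review bot: In the `@@ -52,7 +56,8` hunk the Content-Disposition value is built with `fmt.Sprintf("attachment; filename=%s", fileName)`, which is only safe because both callers pass string constants; fileName lands unquoted in a response header, so a value with spaces, quotes or CR/LF would produce a malformed header. Now that getS3Config is a shared helper, either record that constraint in its new doc comment (`// fileName must be a compile-time constant; it is written unquoted into a response header.`) or quote it, `fmt.Sprintf("attachment; filename=%q", fileName)`. The unchecked assertion on the context line above, `s3cfmap := s3conf.(map[string]string)`, would also panic on an unexpected flash value; `s3cfmap, ok := s3conf.(map[string]string)` with the same redirect on `!ok` is safer. getS3Config's body continues past the hunk.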
@@ -280,14 +286,15 @@ func (auth AuthHandler) elixirLogin(ctx iris.Context) *OIDCData {
 if err != nil {
 log.Errorf("error when generating token: %v", err)
 }
- idStruct.Token = token
- idStruct.ExpDate = expDate
+ idStruct.ResignedToken = token
+ idStruct.ExpDateResigned = expDate
 }
 log.WithFields(log.Fields{"authType": "oidc", "user": idStruct.User}).Infof("User was authenticated")
- s3conf := getS3ConfigMap(idStruct.Token, auth.Config.S3Inbox, idStruct.User)
+ s3confInbox := getS3ConfigMap(idStruct.ResignedToken, auth.Config.S3Inbox, idStruct.User)
+ s3confDownload := getS3ConfigMap(idStruct.RawToken, auth.Config.S3Inbox, idStruct.User)
- return &OIDCData{S3Conf: s3conf, OIDCID: idStruct}
+ return &OIDCData{S3ConfInbox: s3confInbox, S3ConfDownload: s3confDownload, OIDCID: idStruct}
 }
 // getOIDCLogin renders the `oidc.html` template to the given iris context
@@ -299,13 +306,16 @@ func (auth AuthHandler) getOIDCLogin(ctx iris.Context) {
 }
 s := sessions.Get(ctx)
- s.SetFlash("oidc", oidcData.S3Conf)
+ s.SetFlash("oidcInbox", oidcData.S3ConfInbox)
+ s.SetFlash("oidcDownload", oidcData.S3ConfDownload)
 ctx.ViewData("infoUrl", auth.Config.InfoURL)
 ctx.ViewData("infoText", auth.Config.InfoText)
 ctx.ViewData("User", oidcData.OIDCID.User)
 ctx.ViewData("Passport", oidcData.OIDCID.Passport)
- ctx.ViewData("Token", oidcData.OIDCID.Token)
- ctx.ViewData("ExpDate", oidcData.OIDCID.ExpDate)
+ ctx.ViewData("RawToken", oidcData.OIDCID.RawToken)
+ ctx.ViewData("ResignedToken", oidcData.OIDCID.ResignedToken)
+ ctx.ViewData("ExpDateRaw", oidcData.OIDCID.ExpDateRaw)
+ ctx.ViewData("ExpDateResigned", oidcData.OIDCID.ExpDateResigned)
 err := ctx.View("oidc.html")
 if err != nil {
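Review bot: The new download config is built with `getS3ConfigMap(idStruct.RawToken, auth.Config.S3Inbox, idStruct.User)`, i.e. it points the Archive download credentials at the Inbox S3 endpoint; unless the Archive is served from the same endpoint this looks like a copy of the inbox line, and if it is intentional a comment saying so would stop the next reader from "fixing" it. Separately, when generateJwtToken fails the code only logs and then assigns the empty token to `idStruct.ResignedToken` and bakes it into s3confInbox, so the user is offered an unusable credential file; returning nil there, as the other error paths in elixirLogin appear to do judging by the `return nil` in this series' later hunks, would be more consistent. elixirLogin's body starts before the hunk.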
@@ -331,9 +341,14 @@ func (auth AuthHandler) getOIDCCORSLogin(ctx iris.Context) { } } -// getOIDCConf returns an s3config file for an oidc login -func (auth AuthHandler) getOIDCConf(ctx iris.Context) { - auth.getInboxConfig(ctx, "oidc") +// getOIDCConfInbox returns an s3config file for uploading to the Inbox +func (auth AuthHandler) getOIDCConfInbox(ctx iris.Context) { + auth.getS3Config(ctx, "oidcInbox", "s3cmd-inbox.conf") +} + +// getOIDCConfDownload returns an s3config file for downloading from the Archive +func (auth AuthHandler) getOIDCConfDownload(ctx iris.Context) { + auth.getS3Config(ctx, "oidcDownload", "s3cmd-download.conf") } // globalHeaders presets common response headers @@ -427,7 +442,8 @@ func main() { // OIDC endpoints app.Get("/oidc", authHandler.getOIDC) - app.Get("/oidc/s3conf", authHandler.getOIDCConf) + app.Get("/oidc/s3conf-inbox", authHandler.getOIDCConfInbox) + app.Get("/oidc/s3conf-download", authHandler.getOIDCConfDownload) app.Get("/oidc/login", authHandler.getOIDCLogin) app.Get("/oidc/cors_login", authHandler.getOIDCCORSLogin) diff --git a/sda/cmd/auth/oidc.go b/sda/cmd/auth/oidc.go index 5f30858e7..6637c403a 100644 --- a/sda/cmd/auth/oidc.go +++ b/sda/cmd/auth/oidc.go @@ -18,11 +18,13 @@ import ( type OIDCIdentity struct { User string Passport []string - Token string + RawToken string + ResignedToken string Profile string Email string EdupersonEntitlement []string - ExpDate string + ExpDateRaw string + ExpDateResigned string } // Configure an OpenID Connect aware OAuth2 client. 
@@ -104,12 +106,14 @@ func authenticateWithOidc(oauth2Config oauth2.Config, provider *oidc.Provider, c idStruct = OIDCIdentity{ User: userInfo.Subject, - Token: rawAccessToken, + RawToken: rawAccessToken, + ResignedToken: rawAccessToken, Passport: claims.PassportClaim, Profile: claims.ProfileClaim, Email: claims.EmailClaim, EdupersonEntitlement: claims.EdupersonEntitlement, - ExpDate: rawExpDate, + ExpDateRaw: rawExpDate, + ExpDateResigned: rawExpDate, } return idStruct, err From f90e7f20a08fe00744f5118cd62a3683a3696254 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Wed, 5 Feb 2025 14:27:34 +0100 Subject: [PATCH 02/12] update gitignore --- .gitignore | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.gitignore b/.gitignore index 3c3f6f5a2..e3ca9a9c3 100644 --- a/.gitignore +++ b/.gitignore @@ -189,3 +189,13 @@ buildNumber.properties # End of https://www.gitignore.io/api/java,maven,eclipse,intellij+all db/ + +# MacOS desktop service store +.DS_Store + +# crypt4gh key files +*.pub.pem +*.sec.pem + +# sda-admin binary +sda-admin/sda-admin \ No newline at end of file From ddc91bceef330b46fcbd34d852a07d39deba1fa5 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Wed, 5 Feb 2025 16:22:43 +0100 Subject: [PATCH 03/12] [auth] do not show visas on OIDC page --- sda/cmd/auth/frontend/templates/oidc.html | 8 -------- 1 file changed, 8 deletions(-) diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html index adf8daac7..ef36d01e6 100644 --- a/sda/cmd/auth/frontend/templates/oidc.html +++ b/sda/cmd/auth/frontend/templates/oidc.html @@ -30,14 +30,6 @@
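Review bot: ResignedToken and ExpDateResigned are initialised from the same rawAccessToken and rawExpDate as the Raw fields, which is the intended fallback when ResignJwt is off but reads like a copy-paste slip without a comment. Add `// ResignedToken/ExpDateResigned default to the upstream token; elixirLogin replaces them when ResignJwt is enabled` on the new `ResignedToken:` line. authenticateWithOidc's body starts before the hunk.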

Welcome, {{.User}}!

- {{if .Passport}} -

- Your visas are the following: -

- {{ range .Passport }} -
{{.}}
- {{ end }} - {{ end }} {{if .ResignedToken}}

Your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} for uploading to the Inbox is: From 09434b8e29b8eefc393f0d9a40f4f52c626f5c46 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Thu, 6 Feb 2025 14:41:13 +0100 Subject: [PATCH 04/12] [auth] fix unit tests for oidc --- sda/cmd/auth/oidc_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sda/cmd/auth/oidc_test.go b/sda/cmd/auth/oidc_test.go index 6a3d395cc..62160aab0 100644 --- a/sda/cmd/auth/oidc_test.go +++ b/sda/cmd/auth/oidc_test.go @@ -69,9 +69,7 @@ func (suite *OIDCTests) TestGetOidcClient() { } func (suite *OIDCTests) TestAuthenticateWithOidc() { - // Create a code to authenticate - session, err := suite.mockServer.SessionStore.NewSession( "openid email profile", "nonce", mockoidc.DefaultUser(), "", "") if err != nil { @@ -84,7 +82,9 @@ func (suite *OIDCTests) TestAuthenticateWithOidc() { elixirIdentity, err := authenticateWithOidc(oauth2Config, provider, code, jwkURL) assert.Nil(suite.T(), err, "Failed to authenticate with OIDC") - assert.NotEqual(suite.T(), "", elixirIdentity.Token, "Empty token returned from OIDC authentication") + // Ensure both RawToken and ResignedToken are not empty + assert.NotEqual(suite.T(), "", elixirIdentity.RawToken, "Empty RawToken returned from OIDC authentication") + assert.NotEqual(suite.T(), "", elixirIdentity.ResignedToken, "Empty ResignedToken returned from OIDC authentication") } func (suite *OIDCTests) TestValidateJwt() { @@ -93,7 +93,7 @@ func (suite *OIDCTests) TestValidateJwt() { oauth2Config, provider := getOidcClient(suite.OIDCConfig) jwkURL := suite.mockServer.JWKSEndpoint() elixirIdentity, _ := authenticateWithOidc(oauth2Config, provider, session.SessionID, jwkURL) - elixirJWT := elixirIdentity.Token + elixirJWT := elixirIdentity.RawToken claims := map[string]interface{}{ jwt.ExpirationKey: time.Now().UTC().Add(2 * time.Hour), 
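Review bot: The new assertion on `elixirIdentity.ResignedToken` in the `@@ -84,7 +82,9` hunk cannot fail independently of the RawToken one, because authenticateWithOidc fills both fields from rawAccessToken, so the resigning branch added in elixirLogin (claims with JwtTTL, JwtIssuer and SubjectKey) remains untested. A test that enables ResignJwt, runs the login and checks that ResignedToken differs from RawToken, validates against the service's own JWK and carries the user as subject would cover the code this series adds. The comment on the new lines could then be narrowed to `// Both fields come from the upstream token here; the resigning path is covered separately`.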
@@ -146,7 +146,7 @@ func (suite *OIDCTests) TestValidateJwt() { // sanity check _, expDate, err := validateToken(elixirJWT, suite.mockServer.JWKSEndpoint()) assert.Nil(suite.T(), err) - assert.Equal(suite.T(), expDate, elixirIdentity.ExpDate, "Returned wrong exp date but without returning errors") + assert.Equal(suite.T(), expDate, elixirIdentity.ExpDateRaw, "Returned wrong exp date but without returning errors") // Not a jwk url _, _, err = validateToken(elixirJWT, "http://some/jwk/endpoint") From ddf88410064b53263eef5b18ab82479420a88895 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Thu, 6 Feb 2025 16:44:13 +0100 Subject: [PATCH 05/12] update config for running sda-download with go run --- sda-download/dev_utils/config-notls_local.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sda-download/dev_utils/config-notls_local.yaml b/sda-download/dev_utils/config-notls_local.yaml index d425077a8..57cd74d5d 100644 --- a/sda-download/dev_utils/config-notls_local.yaml +++ b/sda-download/dev_utils/config-notls_local.yaml @@ -32,4 +32,4 @@ db: oidc: # oidc configuration API must have values for "userinfo_endpoint" and "jwks_uri" configuration: - url: "http://localhost:8080/.well-known/openid-configuration" + url: "http://localhost:8800/oidc/.well-known/openid-configuration" From 2de433d9e0dfd7bfa7d66677624180deb20eea46 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Thu, 6 Feb 2025 22:58:17 +0100 Subject: [PATCH 06/12] Fix linter --- sda/cmd/auth/main.go | 8 ++++---- sda/cmd/auth/oidc.go | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go index 5dab75177..28189a902 100644 --- a/sda/cmd/auth/main.go +++ b/sda/cmd/auth/main.go @@ -27,9 +27,9 @@ type LoginOption struct { } type OIDCData struct { - S3ConfInbox map[string]string + S3ConfInbox map[string]string S3ConfDownload map[string]string - OIDCID OIDCIdentity + OIDCID OIDCIdentity } type AuthHandler struct { 
@@ -341,12 +341,12 @@ func (auth AuthHandler) getOIDCCORSLogin(ctx iris.Context) {
 }
 }
-// getOIDCConfInbox returns an s3config file for uploading to the Inbox
+// getOIDCConfInbox returns an s3config file for uploading to the Inbox
 func (auth AuthHandler) getOIDCConfInbox(ctx iris.Context) {
 auth.getS3Config(ctx, "oidcInbox", "s3cmd-inbox.conf")
 }
-// getOIDCConfDownload returns an s3config file for downloading from the Archive
+// getOIDCConfDownload returns an s3config file for downloading from the Archive
 func (auth AuthHandler) getOIDCConfDownload(ctx iris.Context) {
 auth.getS3Config(ctx, "oidcDownload", "s3cmd-download.conf")
 }
diff --git a/sda/cmd/auth/oidc.go b/sda/cmd/auth/oidc.go
index 6637c403a..eb6496cb3 100644
--- a/sda/cmd/auth/oidc.go
+++ b/sda/cmd/auth/oidc.go
@@ -107,7 +107,7 @@ func authenticateWithOidc(oauth2Config oauth2.Config, provider *oidc.Provider, c
 idStruct = OIDCIdentity{
 User: userInfo.Subject,
 RawToken: rawAccessToken,
- ResignedToken: rawAccessToken,
+ ResignedToken: rawAccessToken,
 Passport: claims.PassportClaim,
 Profile: claims.ProfileClaim,
 Email: claims.EmailClaim,
From 4b686de5ad0b99eed0c76f39bc5798e6e8116905 Mon Sep 17 00:00:00 2001
From: Nanjiang Shu
Date: Fri, 7 Feb 2025 11:23:10 +0100
Subject: [PATCH 07/12] [auth] set correct subjectKey for resigning
---
 sda/cmd/auth/main.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go
index 28189a902..903bec1e2 100644
--- a/sda/cmd/auth/main.go
+++ b/sda/cmd/auth/main.go
@@ -280,7 +280,7 @@ func (auth AuthHandler) elixirLogin(ctx iris.Context) *OIDCData {
 jwt.ExpirationKey: time.Now().UTC().Add(time.Duration(auth.Config.JwtTTL) * time.Hour),
 jwt.IssuedAtKey: time.Now().UTC(),
 jwt.IssuerKey: auth.Config.JwtIssuer,
- jwt.SubjectKey: idStruct.Profile,
+ jwt.SubjectKey: idStruct.User,
 }
 token, expDate, err := generateJwtToken(claims, auth.Config.JwtPrivateKey, auth.Config.JwtSignatureAlg)
 if err != nil {
@@ -311,6 +311,7 @@ func (auth AuthHandler) getOIDCLogin(ctx iris.Context) {
 ctx.ViewData("infoUrl", auth.Config.InfoURL)
 ctx.ViewData("infoText", auth.Config.InfoText)
 ctx.ViewData("User", oidcData.OIDCID.User)
+ ctx.ViewData("Profile", oidcData.OIDCID.Profile)
 ctx.ViewData("Passport", oidcData.OIDCID.Passport)
 ctx.ViewData("RawToken", oidcData.OIDCID.RawToken)
 ctx.ViewData("ResignedToken", oidcData.OIDCID.ResignedToken)
From 16fff5b1decb42ef2188df9aef97c50c9ee5a8ef Mon Sep 17 00:00:00 2001
From: Nanjiang Shu
Date: Fri, 7 Feb 2025 11:24:02 +0100
Subject: [PATCH 08/12] [auth] show full name instead of username at the welcome page
---
 sda/cmd/auth/frontend/templates/oidc.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html
index ef36d01e6..3a0c2ff45 100644
--- a/sda/cmd/auth/frontend/templates/oidc.html
+++ b/sda/cmd/auth/frontend/templates/oidc.html
@@ -28,7 +28,7 @@

- Welcome, {{.User}}! + Welcome, {{.Profile}}!

{{if .ResignedToken}}

From 51b74604a827587f3558f8ded58a4d686a40e485 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Fri, 7 Feb 2025 15:52:42 +0100 Subject: [PATCH 09/12] [auth] refactor: better variable name --- sda/cmd/auth/frontend/templates/oidc.html | 2 +- sda/cmd/auth/main.go | 4 ++-- sda/cmd/auth/oidc.go | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html index 3a0c2ff45..ecfe129e7 100644 --- a/sda/cmd/auth/frontend/templates/oidc.html +++ b/sda/cmd/auth/frontend/templates/oidc.html @@ -28,7 +28,7 @@

- Welcome, {{.Profile}}! + Welcome, {{.Fullname}}!

{{if .ResignedToken}}

diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go index 903bec1e2..794dfd99b 100644 --- a/sda/cmd/auth/main.go +++ b/sda/cmd/auth/main.go @@ -269,7 +269,7 @@ func (auth AuthHandler) elixirLogin(ctx iris.Context) *OIDCData { return nil } - err = auth.Config.DB.UpdateUserInfo(idStruct.User, idStruct.Profile, idStruct.Email, idStruct.EdupersonEntitlement) + err = auth.Config.DB.UpdateUserInfo(idStruct.User, idStruct.Fullname, idStruct.Email, idStruct.EdupersonEntitlement) if err != nil { log.Warn("Could not log user info.") } @@ -311,7 +311,7 @@ func (auth AuthHandler) getOIDCLogin(ctx iris.Context) { ctx.ViewData("infoUrl", auth.Config.InfoURL) ctx.ViewData("infoText", auth.Config.InfoText) ctx.ViewData("User", oidcData.OIDCID.User) - ctx.ViewData("Profile", oidcData.OIDCID.Profile) + ctx.ViewData("Fullname", oidcData.OIDCID.Fullname) ctx.ViewData("Passport", oidcData.OIDCID.Passport) ctx.ViewData("RawToken", oidcData.OIDCID.RawToken) ctx.ViewData("ResignedToken", oidcData.OIDCID.ResignedToken) diff --git a/sda/cmd/auth/oidc.go b/sda/cmd/auth/oidc.go index eb6496cb3..a95a0e8af 100644 --- a/sda/cmd/auth/oidc.go +++ b/sda/cmd/auth/oidc.go @@ -20,7 +20,7 @@ type OIDCIdentity struct { Passport []string RawToken string ResignedToken string - Profile string + Fullname string Email string EdupersonEntitlement []string ExpDateRaw string @@ -94,7 +94,7 @@ func authenticateWithOidc(oauth2Config oauth2.Config, provider *oidc.Provider, c // Extract custom passports, name and email claims var claims struct { PassportClaim []string `json:"ga4gh_passport_v1"` - ProfileClaim string `json:"name"` + FullnameClaim string `json:"name"` EmailClaim string `json:"email"` EdupersonEntitlement []string `json:"eduperson_entitlement"` } 
@@ -109,7 +109,7 @@ func authenticateWithOidc(oauth2Config oauth2.Config, provider *oidc.Provider, c
 RawToken: rawAccessToken,
 ResignedToken: rawAccessToken,
 Passport: claims.PassportClaim,
- Profile: claims.ProfileClaim,
+ Fullname: claims.FullnameClaim,
 Email: claims.EmailClaim,
 EdupersonEntitlement: claims.EdupersonEntitlement,
 ExpDateRaw: rawExpDate,
From 65ae7b7c28a8ed2d8596c555be724186aba5fec6 Mon Sep 17 00:00:00 2001
From: Nanjiang Shu
Date: Fri, 7 Feb 2025 16:24:17 +0100
Subject: [PATCH 10/12] [auth] Improve UX for login page
---
 sda/cmd/auth/frontend/templates/oidc.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html
index ecfe129e7..9dbc30934 100644
--- a/sda/cmd/auth/frontend/templates/oidc.html
+++ b/sda/cmd/auth/frontend/templates/oidc.html
@@ -32,18 +32,18 @@

{{if .ResignedToken}}

- Your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} for uploading to the Inbox is: + For uploading to the Inbox, your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} is:

{{.ResignedToken}}
{{end}} + Download credentials to upload to the Inbox {{if .RawToken}}

- Your access token {{if .ExpDateRaw}}(expires at {{.ExpDateRaw}} UTC){{end}} for downloading from the Archive is: + For downloading from the Archive, your access token {{if .ExpDateRaw}}(expires at {{.ExpDateRaw}} UTC){{end}} is:

{{.RawToken}}
{{end}} - Download credentials for uploading to the Inbox - Download credentials for downloading from the Archive + Download credentials to access the Archive Continue
From a69bb3ac068e5946be348838ba389a9528d4fb40 Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Tue, 18 Feb 2025 11:19:49 +0100 Subject: [PATCH 11/12] [auth] make sure only the download token is shown when login via AAI as FEGA user --- .github/integration/sda-s3-integration.yml | 3 +++ .../integration/sda/aai-mock/clients/aai-auth.yaml | 2 +- .../sda/aai-mock/clients/cega-auth.yaml | 8 ++++++++ sda/cmd/auth/frontend/templates/oidc.html | 14 ++++++++------ sda/cmd/auth/main.go | 1 + 5 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 .github/integration/sda/aai-mock/clients/cega-auth.yaml diff --git a/.github/integration/sda-s3-integration.yml b/.github/integration/sda-s3-integration.yml index 5e303114c..5ae0a4391 100644 --- a/.github/integration/sda-s3-integration.yml +++ b/.github/integration/sda-s3-integration.yml @@ -282,6 +282,9 @@ services: - AUTH_RESIGNJWT=true - AUTH_CEGA_ID=test - AUTH_CEGA_SECRET=test + - OIDC_REDIRECTURL=http://localhost:8888/oidc/login + - OIDC_ID=XC56EL11zz + - OIDC_SECRET=wHPVQaYXmdDHa - DB_PASSWORD=auth - DB_USER=auth extra_hosts: diff --git a/.github/integration/sda/aai-mock/clients/aai-auth.yaml b/.github/integration/sda/aai-mock/clients/aai-auth.yaml index e785e83cf..b6ec2ed32 100644 --- a/.github/integration/sda/aai-mock/clients/aai-auth.yaml +++ b/.github/integration/sda/aai-mock/clients/aai-auth.yaml @@ -1,4 +1,4 @@ -client-name: "auth" +client-name: "aai-auth" client-id: "XC56EL11xx" client-secret: "wHPVQaYXmdDHg" redirect-uris: ["http://localhost:8801/oidc/login"] diff --git a/.github/integration/sda/aai-mock/clients/cega-auth.yaml b/.github/integration/sda/aai-mock/clients/cega-auth.yaml new file mode 100644 index 000000000..c0c28a73f --- /dev/null +++ b/.github/integration/sda/aai-mock/clients/cega-auth.yaml 
@@ -0,0 +1,8 @@ +client-name: "cega-auth" +client-id: "XC56EL11zz" +client-secret: "wHPVQaYXmdDHa" +redirect-uris: ["http://localhost:8888/oidc/login"] +token-endpoint-auth-method: "client_secret_basic" +scope: ["openid", "profile", "email", "ga4gh_passport_v1", "eduperson_entitlement"] +grant-types: ["authorization_code"] +post-logout-redirect-uris: ["http://localhost:8888/oidc/login"] \ No newline at end of file diff --git a/sda/cmd/auth/frontend/templates/oidc.html b/sda/cmd/auth/frontend/templates/oidc.html index 9dbc30934..012388737 100644 --- a/sda/cmd/auth/frontend/templates/oidc.html +++ b/sda/cmd/auth/frontend/templates/oidc.html @@ -30,13 +30,15 @@

Welcome, {{.Fullname}}!

- {{if .ResignedToken}} -

- For uploading to the Inbox, your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} is: -

-
{{.ResignedToken}}
+ {{if (not .cegaID)}} + {{if .ResignedToken}} +

+ For uploading to the Inbox, your access token {{if .ExpDateResigned}}(expires at {{.ExpDateResigned}} UTC){{end}} is: +

+
{{.ResignedToken}}
+ {{end}} + Download credentials to upload to the Inbox {{end}} - Download credentials to upload to the Inbox {{if .RawToken}}

For downloading from the Archive, your access token {{if .ExpDateRaw}}(expires at {{.ExpDateRaw}} UTC){{end}} is: diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go index 794dfd99b..576b4266e 100644 --- a/sda/cmd/auth/main.go +++ b/sda/cmd/auth/main.go @@ -308,6 +308,7 @@ func (auth AuthHandler) getOIDCLogin(ctx iris.Context) { s := sessions.Get(ctx) s.SetFlash("oidcInbox", oidcData.S3ConfInbox) s.SetFlash("oidcDownload", oidcData.S3ConfDownload) + ctx.ViewData("cegaID", auth.Config.Cega.ID) ctx.ViewData("infoUrl", auth.Config.InfoURL) ctx.ViewData("infoText", auth.Config.InfoText) ctx.ViewData("User", oidcData.OIDCID.User) From 705dcdea83048d74c8944a41e9789ec7a3c37b2c Mon Sep 17 00:00:00 2001 From: Nanjiang Shu Date: Tue, 18 Feb 2025 11:44:54 +0100 Subject: [PATCH 12/12] [auth]: uniformed credential page for ega login and AAI login --- sda/cmd/auth/frontend/templates/ega.html | 16 +++++----------- sda/cmd/auth/main.go | 2 +- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/sda/cmd/auth/frontend/templates/ega.html b/sda/cmd/auth/frontend/templates/ega.html index 6e921f69a..ac3ec3f0a 100644 --- a/sda/cmd/auth/frontend/templates/ega.html +++ b/sda/cmd/auth/frontend/templates/ega.html @@ -31,18 +31,12 @@ Welcome, {{.User}}!
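Review bot: The `{{if (not .cegaID)}}` guard in the oidc.html hunk hides the inbox token and download link only in the page; the main.go hunk (`@@ -308,6 +308,7`) still flashes `oidcInbox` and the `/oidc/s3conf-inbox` route still serves it, so a FEGA user who knows the URL can fetch inbox credentials the UI says they should not have. Gate it server-side as well, e.g. in getOIDCLogin `if auth.Config.Cega.ID == "" { s.SetFlash("oidcInbox", oidcData.S3ConfInbox) }`, which makes getS3Config's existing missing-flash redirect do the right thing; elixirLogin could likewise skip resigning when the inbox config is not going to be offered. The exact meaning of Cega.ID being set is inferred from the commit message and should be confirmed. getOIDCLogin's body starts before the hunk.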

{{if .Token}} -

- Your access token is: -

-
{{.Token}}
- {{end}} - {{if .ExpDate}} -

- Your access token expires (UTC): -

-
{{.ExpDate}}
+

+ For uploading to the Inbox, your access token {{if .ExpDate}}(expires at {{.ExpDate}} UTC){{end}} is: +

+
{{.Token}}
{{end}} - Download inbox s3cmd credentials + Download credentials to upload to the Inbox Continue
diff --git a/sda/cmd/auth/main.go b/sda/cmd/auth/main.go
index 576b4266e..1fe808846 100644
--- a/sda/cmd/auth/main.go
+++ b/sda/cmd/auth/main.go
@@ -220,7 +220,7 @@ func (auth AuthHandler) getEGALogin(ctx iris.Context) {
 // getEGAConf returns an s3config file for an oidc login
 func (auth AuthHandler) getEGAConf(ctx iris.Context) {
- auth.getS3Config(ctx, "ega", "s3cmd.conf")
+ auth.getS3Config(ctx, "ega", "s3cmd-inbox.conf")
 }
 // getOIDC redirects to the oidc page defined in auth.Config
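Review bot: The doc comment above getEGAConf still reads "returns an s3config file for an oidc login" although the handler serves the `"ega"` flash, and the hunk already touches this function. Update it to `// getEGAConf returns an s3config file for uploading to the Inbox after an EGA login` so the comment matches the new s3cmd-inbox.conf filename.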