Draft: cri_auth: add endpoint for nginx's auth_request

Marc Schmitt requested to merge auth-request into develop

OIDCClientExtension has been split into two models. As such, OIDCClientExtensionGroup has been renamed to AuthGroup and a new model AuthGroupsClientsMapping has been created. Aspects of the OIDCClientExtension model that were used for group filtering have been moved to AuthGroupsClientsMapping, which is now referenced by OIDCClientExtension through a ForeignKey field. This allows adding new authentication methods without code duplication, or wonky logic such as those new methods depending on OIDCClientExtension, and thus on an OIDC client. As such, a new AuthMethodMixin has been created that contains all the methods common to authentication models. It also allows linking several clients to the same groups and filter options, and thus avoids duplicating business logic for users.

Unit tests have been added for the methods migrated from OIDCClientExtension to AuthGroupsClientsMapping.

Database migration steps are as follows:

  • Rename model OIDCClientExtensionGroup to AuthGroup.
  • Rename model OIDCClientExtension to AuthGroupsClientsMapping. This is done to prevent useless copying of managers and groups. Thus, we only have to re-create OIDCClientExtension objects with the OIDC client, is_restricted boolean field and a reference to AuthGroupsClientsMapping.
  • AuthGroup: rename some fields to match the new logic.
  • AuthGroup: rename oidc_client_extension field to groups_clients_mapping and change its type.
  • AuthGroupsClientsMapping: add the name field, defaulting to "Placeholder" for the migration.
  • Re-create the OIDCClientExtension model.
  • Re-create the OIDCClientExtension objects from AuthGroupsClientsMapping data.
  • Remove client, is_legacy fields from AuthGroupsClientsMapping.
  • Populate the name field of AuthGroupsClientsMapping from the OIDCClientExtension client names.

Work to be done:

  • Add the model for auth_request clients.
  • Add the logic for auth_request in cri_auth views.

Old description, kept for history's sake

Configuring nginx to use the intranet as an auth_request backend should be done as follows:

server {
    listen 0.0.0.0:80;
    listen [::]:80;
    server_name something.cri.epita.fr;

    # Protect the whole vhost (alternatively, protect only specific locations; see below)
    auth_request /auth_request;
    # Automatically renew SSO cookie on request
    auth_request_set $cookie $upstream_http_set_cookie;
    add_header Set-Cookie $cookie;

    location / {
        proxy_pass http://something;

        # Protect a single location using the auth_request
        auth_request /auth_request;
        # Automatically renew SSO cookie on request
        auth_request_set $cookie $upstream_http_set_cookie;
        add_header Set-Cookie $cookie;
    }

    location = /auth_request {
        proxy_pass https://cri.epita.fr/auth/request/;

        # Do not allow requests from outside (only nginx subrequests may reach this location)
        internal;

        # Do not forward the request body (the intranet does not care about it)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Set custom information for ACL matching and redirection
        proxy_set_header X-Origin-Scheme $scheme;
        ### This is used by the intranet to check if the user belongs to the authorized groups
        ### It should be set manually
        proxy_set_header X-Origin-Host "lama-corp.cri.epita.net";
        proxy_set_header X-Origin-URI $request_uri;

        # Standard proxy information
        proxy_set_header Host cri.epita.fr; # Needs to be set manually
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Accept-Encoding "";
    }

    location @error401 {
        # "Forward" cookies set by auth_request backend needed for redirection
        add_header Set-Cookie $cookie;
        return 307 http://cri.epita.fr/auth/login/;
    }

    # Redirect the user to the login page when they are not logged in
    error_page 401 = @error401;
}
Edited by Marc Schmitt
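The nginx configuration above only makes sense together with the contract the backend endpoint must honour: nginx's auth_request lets the original request through on a 2xx, passes a 401 or 403 back to the client as-is (here a 401 is what fires the @error401 redirect to the login page), and turns anything else into a 500. The example below, added here and not code from the cri_auth project, shows that decision for the headers the configuration sends (X-Origin-Host chosen by the operator, X-Origin-URI, and the client's Cookie), including the sliding-expiry Set-Cookie that `auth_request_set $cookie $upstream_http_set_cookie` copies back to the browser. The cookie format (an HMAC-signed "user:expiry" string), the SECRET_KEY, the cookie name, the CLIENT_MAPPINGS stand-in for AuthGroupsClientsMapping and the user directory are all assumptions invented for the example; the intranet's real session handling is Django's and is not shown on this page.

```python
"""Decision logic for an nginx auth_request backend (added example, not cri_auth code)."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SECRET_KEY = b"example-only-do-not-use"  # assumption: server-side signing key
SESSION_COOKIE = "sso_session"           # assumption: cookie name
SESSION_TTL = 3600                       # assumption: seconds a cookie stays valid

# Assumed stand-in for AuthGroupsClientsMapping: origin host -> allowed groups.
# is_restricted=False means "any logged-in user", mirroring the model's boolean.
CLIENT_MAPPINGS = {
    "lama-corp.cri.epita.net": {"groups": {"lama-corp"}, "is_restricted": True},
    "wiki.cri.epita.net": {"groups": set(), "is_restricted": False},
}

# Constructed user directory for the example.
USER_GROUPS = {"alice": {"students", "lama-corp"}, "bob": {"students"}}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(user: str, now: Optional[float] = None) -> str:
    """Build the cookie value "<user>:<expiry>:<hmac>" (example format only)."""
    base = time.time() if now is None else now
    payload = f"{user}:{int(base + SESSION_TTL)}"
    return f"{payload}:{_sign(payload)}"


def parse_session_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is well-formed, authentic and not expired."""
    parts = value.split(":")
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    # compare_digest is constant-time, so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, _sign(f"{user}:{expiry}")):
        return None
    base = time.time() if now is None else now
    if not expiry.isdigit() or int(expiry) <= base:
        return None
    return user


def _cookie_from_header(header: str, name: str) -> Optional[str]:
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    for pair in header.split(";"):
        key, sep, val = pair.strip().partition("=")
        if sep and key == name:
            return val
    return None


def handle_auth_request(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Decide the auth_request response for one nginx subrequest.

    401 = not logged in (nginx redirects to the login page via error_page 401),
    403 = logged in but not in an allowed group. Returning 401 for the second
    case would bounce an authenticated user to the login page forever.
    """
    # X-Origin-Host is hard-coded in the nginx config, never taken from the client
    mapping = CLIENT_MAPPINGS.get(headers.get("X-Origin-Host", ""))
    if mapping is None:
        return 403, {}  # unknown client: fail closed

    raw = _cookie_from_header(headers.get("Cookie", ""), SESSION_COOKIE)
    user = parse_session_cookie(raw, now) if raw else None
    if user is None:
        return 401, {}  # missing, forged or expired session

    if mapping["is_restricted"] and not (USER_GROUPS.get(user, set()) & mapping["groups"]):
        return 403, {}  # authenticated, but not a member of an authorized group

    # Sliding expiry: nginx forwards this Set-Cookie to the browser through
    # auth_request_set $cookie $upstream_http_set_cookie + add_header Set-Cookie.
    renewed = make_session_cookie(user, now)
    return 200, {"Set-Cookie": f"{SESSION_COOKIE}={renewed}; Path=/; Secure; HttpOnly; SameSite=Lax"}
```

Because nginx discards everything except the status and the headers captured with auth_request_set, the endpoint should not rely on a response body; the 401/403 split is the one detail worth keeping in mind when the view is written, since the `error_page 401 = @error401` line above only redirects on 401.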