feat: switch from Cognito to Oidcc

mbta · Nov 27, 2023 · 3958ee1 · 3958ee1
1 parent 6d9e33c
commit 3958ee1
Show file tree

Hide file tree

Showing 9 changed files with 267 additions and 4 deletions.
diff --git a/config/config.exs b/config/config.exs
@@ -61,7 +61,10 @@ config :arrow, ArrowWeb.AuthManager, issuer: "arrow"
 
 config :ueberauth, Ueberauth,
   providers: [
-    cognito: {Ueberauth.Strategy.Cognito, []}
+    cognito: {Ueberauth.Strategy.Cognito, []},
+    keycloak:
+      {Ueberauth.Strategy.Oidcc,
+       issuer: :keycloak_issuer, userinfo: true, uid_field: "email", scopes: ~w"openid email"}
   ]
 
 config :ueberauth, Ueberauth.Strategy.Cognito,

diff --git a/config/runtime.exs b/config/runtime.exs
@@ -1,5 +1,50 @@
 import Config
 
+is_test? = config_env() == :test
+
+keycloak_issuer =
+  case System.get_env() do
+    %{"KEYCLOAK_ISSUER" => issuer} when issuer != "" ->
+      issuer
+
+    %{"KEYCLOAK_DISCOVERY_URI" => well_known} when well_known != "" ->
+      String.replace_trailing(well_known, "/.well-known/openid-configuration", "")
+
+    _ ->
+      nil
+  end
+
+if is_binary(keycloak_issuer) and not is_test? do
+  config :arrow,
+    ueberauth_provider: :keycloak,
+    api_login_module: ArrowWeb.TryApiTokenAuth.Keycloak,
+    keycloak_client_uuid: System.fetch_env!("KEYCLOAK_CLIENT_UUID"),
+    keycloak_api_base: System.fetch_env!("KEYCLOAK_API_BASE")
+
+  keycloak_opts = [
+    client_id: System.fetch_env!("KEYCLOAK_CLIENT_ID"),
+    client_secret: System.fetch_env!("KEYCLOAK_CLIENT_SECRET")
+  ]
+
+  keycloak_opts =
+    if keycloak_idp = System.get_env("KEYCLOAK_IDP_HINT") do
+      Keyword.put(keycloak_opts, :authorization_params, %{kc_idp_hint: keycloak_idp})
+    else
+      keycloak_opts
+    end
+
+  config :ueberauth_oidcc,
+    issuers: [
+      %{
+        name: :keycloak_issuer,
+        issuer: keycloak_issuer
+      }
+    ],
+    strategies: [
+      keycloak: keycloak_opts
+    ]
+end
+
 if config_env() == :prod do
   sentry_env = System.get_env("SENTRY_ENV")
 

diff --git a/lib/arrow_web/controllers/auth_controller.ex b/lib/arrow_web/controllers/auth_controller.ex
@@ -2,6 +2,18 @@ defmodule ArrowWeb.AuthController do
   use ArrowWeb, :controller
   plug(Ueberauth)
 
+  @spec logout(Plug.Conn.t(), map()) :: Plug.Conn.t()
+  def logout(conn, _params) do
+    logout_url = Map.get(Guardian.Plug.current_claims(conn), "logout_url")
+    conn = clear_session(conn)
+
+    if logout_url do
+      redirect(conn, external: logout_url)
+    else
+      redirect(conn, to: "/")
+    end
+  end
+
   @cognito_groups Application.compile_env!(:arrow, :cognito_groups)
 
   @spec callback(Plug.Conn.t(), map()) :: Plug.Conn.t()
@@ -33,6 +45,37 @@ defmodule ArrowWeb.AuthController do
     |> redirect(to: Routes.disruption_path(conn, :index))
   end
 
+  def callback(%{assigns: %{ueberauth_auth: %{provider: :keycloak} = auth}} = conn, _params) do
+    username = auth.uid
+    expiration = auth.credentials.expires_at
+    current_time = System.system_time(:second)
+
+    roles = auth.extra.raw_info.userinfo["roles"] || []
+
+    logout_url =
+      case UeberauthOidcc.initiate_logout_url(auth, %{
+             post_logout_redirect_uri: "https://www.mbta.com/"
+           }) do
+        {:ok, url} ->
+          url
+
+        _ ->
+          nil
+      end
+
+    conn
+    |> Guardian.Plug.sign_in(
+      ArrowWeb.AuthManager,
+      username,
+      %{
+        roles: roles,
+        logout_url: logout_url
+      },
+      ttl: {expiration - current_time, :seconds}
+    )
+    |> redirect(to: Routes.disruption_path(conn, :index))
+  end
+
   def callback(
         %{assigns: %{ueberauth_failure: %Ueberauth.Failure{}}} = conn,
         _params

diff --git a/lib/arrow_web/router.ex b/lib/arrow_web/router.ex
@@ -11,7 +11,6 @@ defmodule ArrowWeb.Router do
 
   pipeline :json_api do
     plug(:accepts, ["json-api"])
-    plug(:fetch_session)
     plug(JaSerializer.ContentTypeNegotiation)
   end
 
@@ -42,6 +41,7 @@ defmodule ArrowWeb.Router do
   scope "/", ArrowWeb do
     pipe_through([:redirect_prod_http, :browser, :authenticate])
 
+    get("/logout", AuthController, :logout)
     get("/unauthorized", UnauthorizedController, :index)
     get("/feed", FeedController, :index)
     get("/mytoken", MyTokenController, :show)

diff --git a/lib/arrow_web/templates/layout/app.html.heex b/lib/arrow_web/templates/layout/app.html.heex
@@ -27,6 +27,11 @@
 
         <div class="m-header__long-name navbar-text justify-content-end navbar-collapse collapse">
           Adjustments to the Regular Right of Way
+          <%= if Map.has_key?(Guardian.Plug.current_claims(@conn), "logout_url"), do:
+            link("logout",
+              to: Routes.auth_path(@conn, :logout),
+              class: "ml-2 btn btn-outline-danger"
+          ) %>
         </div>
       </nav>
     </header>

diff --git a/lib/arrow_web/try_api_token_auth/keycloak.ex b/lib/arrow_web/try_api_token_auth/keycloak.ex
@@ -0,0 +1,102 @@
+defmodule ArrowWeb.TryApiTokenAuth.Keycloak do
+  @moduledoc """
+  Signs in an API client via Keycloak.
+  """
+
+  require Logger
+
+  def sign_in(conn, auth_token) do
+    with {:ok, user_id} <- lookup_user_id(auth_token.username),
+         {:ok, roles} <- lookup_user_roles(user_id) do
+      conn
+      |> Guardian.Plug.sign_in(
+        ArrowWeb.AuthManager,
+        auth_token.username,
+        %{roles: roles},
+        ttl: {0, :second}
+      )
+    else
+      other ->
+        Logger.warn(
+          "unexpected response when logging #{auth_token.username} in via Keycloak API: #{inspect(other)}"
+        )
+
+        conn
+    end
+  end
+
+  defp lookup_user_id(email) do
+    case keycloak_api("/users", %{
+           max: 1,
+           email: String.downcase(email),
+           exact: true,
+           briefRepresentation: true
+         }) do
+      {:ok, [%{"id" => user_id}]} ->
+        {:ok, user_id}
+
+      {:ok, []} ->
+        {:error, :no_users}
+
+      {:ok, [_, _ | _]} ->
+        {:error, :multiple_users}
+
+      e ->
+        e
+    end
+  end
+
+  defp lookup_user_roles(user_id) do
+    client_uuid = Application.get_env(:arrow, :keycloak_client_uuid)
+    url = "/users/#{user_id}/role-mappings/clients/#{client_uuid}/composite"
+
+    case keycloak_api(url) do
+      {:ok, response} ->
+        roles = for r <- response, do: r["name"]
+        {:ok, roles}
+
+      e ->
+        e
+    end
+  end
+
+  defp keycloak_api(url, params \\ %{}) do
+    base_url =
+      String.replace_suffix(
+        Application.get_env(:arrow, :keycloak_api_base),
+        "/",
+        ""
+      )
+
+    {_, base_opts} = Application.get_env(:ueberauth, Ueberauth)[:providers][:keycloak]
+    runtime_opts = Application.get_env(:ueberauth_oidcc, :strategies)[:keycloak]
+
+    opts =
+      base_opts
+      |> Keyword.merge(runtime_opts)
+      |> Map.new()
+
+    with {:ok, token} <-
+           Oidcc.client_credentials_token(opts.issuer, opts.client_id, opts.client_secret, %{}),
+         headers = [{"authorization", "Bearer #{token.access.token}"}],
+         {:ok, %{status_code: 200} = response} <-
+           HTTPoison.get("#{base_url}#{url}", headers,
+             params: params,
+             hackney: [
+               ssl_options: [
+                 verify: :verify_peer,
+                 cacerts: :public_key.cacerts_get(),
+                 versions: [:"tlsv1.2"],
+                 customize_hostname_check: [
+                   match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+                 ]
+               ]
+             ]
+           ) do
+      Jason.decode(response.body)
+    else
+      {:ok, %{status_code: _} = response} -> {:error, response}
+      e -> e
+    end
+  end
+end
diff --git a/mix.exs b/mix.exs
@@ -75,7 +75,8 @@ defmodule Arrow.MixProject do
       {:react_phoenix, "1.2.0"},
       {:tzdata, "~> 1.1"},
       {:ueberauth_cognito, "0.4.0"},
-      {:ueberauth, "~> 0.9"},
+      {:ueberauth_oidcc, "~> 0.1.0-rc"},
+      {:ueberauth, "~> 0.10"},
       {:wallaby, "~> 0.30.6", runtime: false, only: :test},
       {:sentry, "~> 8.0"}
     ]

diff --git a/mix.lock b/mix.lock
@@ -35,6 +35,7 @@
   "mime": {:hex, :mime, "2.0.5", "dc34c8efd439abe6ae0343edbb8556f4d63f178594894720607772a041b04b02", [:mix], [], "hexpm", "da0d64a365c45bc9935cc5c8a7fc5e49a0e0f9932a761c55d6c52b142780a05c"},
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
   "mox": {:hex, :mox, "1.0.1", "b651bf0113265cda0ba3a827fcb691f848b683c373b77e7d7439910a8d754d6e", [:mix], [], "hexpm", "35bc0dea5499d18db4ef7fe4360067a59b06c74376eb6ab3bd67e6295b133469"},
+  "oidcc": {:hex, :oidcc, "3.1.0-beta.2", "3a3f4d9cf9026392579684adfdd903e76b2cc7634a0c443fa477b940f31c3b83", [:mix, :rebar3], [{:jose, "~> 1.11", [hex: :jose, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.2", [hex: :telemetry, repo: "hexpm", optional: false]}, {:telemetry_registry, "~> 0.3.1", [hex: :telemetry_registry, repo: "hexpm", optional: false]}], "hexpm", "65f12afb4d0afa9f121ba419dcc88251163dd0553309b2e13b8edf217acda5c4"},
   "parse_trans": {:hex, :parse_trans, "3.4.1", "6e6aa8167cb44cc8f39441d05193be6e6f4e7c2946cb2759f015f8c56b76e5ff", [:rebar3], [], "hexpm", "620a406ce75dada827b82e453c19cf06776be266f5a67cff34e1ef2cbb60e49a"},
   "phoenix": {:hex, :phoenix, "1.6.16", "e5bdd18c7a06da5852a25c7befb72246de4ddc289182285f8685a40b7b5f5451", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 1.0 or ~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: false]}, {:plug, "~> 1.10", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.2", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "e15989ff34f670a96b95ef6d1d25bad0d9c50df5df40b671d8f4a669e050ac39"},
   "phoenix_ecto": {:hex, :phoenix_ecto, "4.4.3", "86e9878f833829c3f66da03d75254c155d91d72a201eb56ae83482328dc7ca93", [:mix], [{:ecto, "~> 3.5", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.14.2 or ~> 3.0 or ~> 4.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "d36c401206f3011fefd63d04e8ef626ec8791975d9d107f9a0817d426f61ac07"},
@@ -56,10 +57,12 @@
   "telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"},
   "telemetry_metrics": {:hex, :telemetry_metrics, "0.6.1", "315d9163a1d4660aedc3fee73f33f1d355dcc76c5c3ab3d59e76e3edf80eef1f", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "7be9e0871c41732c233be71e4be11b96e56177bf15dde64a8ac9ce72ac9834c6"},
   "telemetry_poller": {:hex, :telemetry_poller, "0.5.1", "21071cc2e536810bac5628b935521ff3e28f0303e770951158c73eaaa01e962a", [:rebar3], [{:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "4cab72069210bc6e7a080cec9afffad1b33370149ed5d379b81c7c5f0c663fd4"},
+  "telemetry_registry": {:hex, :telemetry_registry, "0.3.1", "14a3319a7d9027bdbff7ebcacf1a438f5f5c903057b93aee484cca26f05bdcba", [:mix, :rebar3], [{:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "6d0ca77b691cf854ed074b459a93b87f4c7f5512f8f7743c635ca83da81f939e"},
   "tesla": {:hex, :tesla, "1.8.0", "d511a4f5c5e42538d97eef7c40ec4f3e44effdc5068206f42ed859e09e51d1fd", [:mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]}, {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse, "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, ">= 1.0.0", [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.2", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo: "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "10501f360cd926a309501287470372af1a6e1cbed0f43949203a4c13300bc79f"},
   "tzdata": {:hex, :tzdata, "1.1.1", "20c8043476dfda8504952d00adac41c6eda23912278add38edc140ae0c5bcc46", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "a69cec8352eafcd2e198dea28a34113b60fdc6cb57eb5ad65c10292a6ba89787"},
-  "ueberauth": {:hex, :ueberauth, "0.9.0", "9f2dc8f6158fc09d048da0c1a548a4b2f9326bf01a35acdcaa94f4bc5b936c9a", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "6d6e0c6f7191b8d25153ae3596b3d98b5c06f9bb887d1e2d7b98b74eff3d189b"},
+  "ueberauth": {:hex, :ueberauth, "0.10.5", "806adb703df87e55b5615cf365e809f84c20c68aa8c08ff8a416a5a6644c4b02", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "3efd1f31d490a125c7ed453b926f7c31d78b97b8a854c755f5c40064bf3ac9e1"},
   "ueberauth_cognito": {:hex, :ueberauth_cognito, "0.4.0", "62daa3f675298c2b03002d2e1b7e5a30cbc513400e5732a264864a26847e71ac", [:mix], [{:hackney, "~> 1.0", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:jose, "~> 1.0", [hex: :jose, repo: "hexpm", optional: false]}, {:ueberauth, "~> 0.7", [hex: :ueberauth, repo: "hexpm", optional: false]}], "hexpm", "62378f4f34c8569cd95cc4e7463c56e9981c8afc83fdc516922065f0e1302a35"},
+  "ueberauth_oidcc": {:hex, :ueberauth_oidcc, "0.1.0-rc.0", "6bf1404e35cf919f27e774ca990255725fdc4ea6198021b752d0244e4df74ef2", [:mix], [{:oidcc, "~> 3.1.0-beta", [hex: :oidcc, repo: "hexpm", optional: false]}, {:plug, "~> 1.11", [hex: :plug, repo: "hexpm", optional: false]}, {:ueberauth, "~> 0.10.5", [hex: :ueberauth, repo: "hexpm", optional: false]}], "hexpm", "319cd35580373e146b9f707ebbd6b86785b40e5136f7427e0af64abe5183e111"},
   "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
   "wallaby": {:hex, :wallaby, "0.30.6", "7dc4c1213f3b52c4152581d126632bc7e06892336d3a0f582853efeeabd45a71", [:mix], [{:ecto_sql, ">= 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: true]}, {:httpoison, "~> 0.12 or ~> 1.0 or ~> 2.0", [hex: :httpoison, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:phoenix_ecto, ">= 3.0.0", [hex: :phoenix_ecto, repo: "hexpm", optional: true]}, {:web_driver_client, "~> 0.2.0", [hex: :web_driver_client, repo: "hexpm", optional: false]}], "hexpm", "50950c1d968549b54c20e16175c68c7fc0824138e2bb93feb11ef6add8eb23d4"},
   "web_driver_client": {:hex, :web_driver_client, "0.2.0", "63b76cd9eb3b0716ec5467a0f8bead73d3d9612e63f7560d21357f03ad86e31a", [:mix], [{:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:tesla, "~> 1.3", [hex: :tesla, repo: "hexpm", optional: false]}], "hexpm", "83cc6092bc3e74926d1c8455f0ce927d5d1d36707b74d9a65e38c084aab0350f"},

diff --git a/test/arrow_web/controllers/auth_controller_test.exs b/test/arrow_web/controllers/auth_controller_test.exs
@@ -22,10 +22,71 @@ defmodule ArrowWeb.Controllers.AuthControllerTest do
       response = html_response(conn, 302)
 
       assert response =~ Routes.disruption_path(conn, :index)
+
       assert Enum.sort(Guardian.Plug.current_claims(conn)["roles"]) == ["admin", "read-only"]
       assert Guardian.Plug.current_resource(conn) == "[email protected]"
     end
 
+    test "redirects on success (keycloak)", %{conn: conn} do
+      current_time = System.system_time(:second)
+
+      auth = %Ueberauth.Auth{
+        uid: "[email protected]",
+        provider: :keycloak,
+        credentials: %Ueberauth.Auth.Credentials{
+          expires_at: current_time + 1_000,
+          other: %{id_token: "id_token"}
+        },
+        extra: %{
+          raw_info: %{
+            userinfo: %{
+              "roles" => ["admin"]
+            }
+          }
+        }
+      }
+
+      conn =
+        conn
+        |> assign(:ueberauth_auth, auth)
+        |> get(Routes.auth_path(conn, :callback, "keycloak"))
+
+      response = html_response(conn, 302)
+
+      assert response =~ Routes.disruption_path(conn, :index)
+      assert Guardian.Plug.current_claims(conn)["roles"] == ["admin"]
+      assert Guardian.Plug.current_resource(conn) == "[email protected]"
+    end
+
+    test "handles missing roles (keycloak)", %{conn: conn} do
+      current_time = System.system_time(:second)
+
+      auth = %Ueberauth.Auth{
+        uid: "[email protected]",
+        provider: :keycloak,
+        credentials: %Ueberauth.Auth.Credentials{
+          expires_at: current_time + 1_000,
+          other: %{id_token: "id_token"}
+        },
+        extra: %{
+          raw_info: %{
+            userinfo: %{}
+          }
+        }
+      }
+
+      conn =
+        conn
+        |> assign(:ueberauth_auth, auth)
+        |> get(Routes.auth_path(conn, :callback, "keycloak"))
+
+      response = html_response(conn, 302)
+
+      assert response =~ Routes.disruption_path(conn, :index)
+      assert Guardian.Plug.current_claims(conn)["roles"] == []
+      assert Guardian.Plug.current_resource(conn) == "[email protected]"
+    end
+
     test "handles generic failure", %{conn: conn} do
       conn =
         conn