Merge pull request #21 from HSLdevcom/134-hsl-id

134 hsl-id

Author: ahjyrkia

.env.dev

@@ -2,6 +2,15 @@
 # Set PG_JORE_CONNECTION_STRING in the environment
 JORE_GRAPHQL_URL=https://dev.kartat.hsl.fi/jore/graphql
 GENERATE_API_URL=https://dev.kartat.hsl.fi/map-generator
-AZURE_STORAGE_ACCOUNT=secret
-AZURE_STORAGE_KEY=secret
+AZURE_STORAGE_ACCOUNT=
+AZURE_STORAGE_KEY=
 AZURE_UPLOAD_CONTAINER=routemap-dev
+
+CLIENT_ID=7833861618225795
+CLIENT_SECRET=
+API_CLIENT_ID=2411181397763460
+API_CLIENT_SECRET=
+REDIRECT_URI=https://dev.kartat.hsl.fi/kartta
+LOGIN_PROVIDER_URI=https://hslid-uat.cinfra.fi
+DOMAINS_ALLOWED_TO_GENERATE=
+DOMAINS_ALLOWED_TO_LOGIN=

.env.latest

@@ -5,3 +5,12 @@ GENERATE_API_URL=https://prod.kartat.hsl.fi/map-generator
 AZURE_STORAGE_ACCOUNT=secret
 AZURE_STORAGE_KEY=secret
 AZURE_UPLOAD_CONTAINER=routemap-prod
+
+CLIENT_ID=7833861618225795
+CLIENT_SECRET=
+API_CLIENT_ID=2411181397763460
+API_CLIENT_SECRET=
+REDIRECT_URI=
+LOGIN_PROVIDER_URI=https://hslid-uat.cinfra.fi
+DOMAINS_ALLOWED_TO_GENERATE=
+DOMAINS_ALLOWED_TO_LOGIN=

.env.production

@@ -5,3 +5,12 @@ GENERATE_API_URL=https://prod.kartat.hsl.fi/map-generator
 AZURE_STORAGE_ACCOUNT=secret
 AZURE_STORAGE_KEY=secret
 AZURE_UPLOAD_CONTAINER=routemap-prod
+
+CLIENT_ID=7833861618225795
+CLIENT_SECRET=
+API_CLIENT_ID=2411181397763460
+API_CLIENT_SECRET=
+REDIRECT_URI=https://kartat.hsl.fi/kartta
+LOGIN_PROVIDER_URI=https://hslid-uat.cinfra.fi
+DOMAINS_ALLOWED_TO_GENERATE=
+DOMAINS_ALLOWED_TO_LOGIN=

.env.stage

@@ -5,3 +5,5 @@ GENERATE_API_URL=https://stage.kartat.hsl.fi/map-generator
 AZURE_STORAGE_ACCOUNT=secret
 AZURE_STORAGE_KEY=secret
 AZURE_UPLOAD_CONTAINER=routemap-stage
+DOMAINS_ALLOWED_TO_GENERATE=
+DOMAINS_ALLOWED_TO_LOGIN=

constants.js

@@ -38,4 +38,9 @@ module.exports = {
   AZURE_UPLOAD_CONTAINER: secretsEnv.AZURE_UPLOAD_CONTAINER || 'routemap-prod',
   AZURE_STORAGE_ACCOUNT: secretsEnv.AZURE_STORAGE_ACCOUNT || '',
   AZURE_STORAGE_KEY: secretsEnv.AZURE_STORAGE_KEY || '',
+  CLIENT_SECRET: secretsEnv.CLIENT_SECRET || '',
+  API_CLIENT_SECRET: secretsEnv.API_CLIENT_SECRET || '',
+  DOMAINS_ALLOWED_TO_LOGIN: secretsEnv.DOMAINS_ALLOWED_TO_LOGIN || '',
+  HSL_TESTING_HSLID_USERNAME: secretsEnv.HSL_TESTING_HSLID_USERNAME || '',
+  HSL_TESTING_HSLID_PASSWORD: secretsEnv.HSL_TESTING_HSLID_PASSWORD || '',
 };

package-lock.json

@@ -95,6 +95,7 @@
     "koa": "^2.4.1",
     "koa-json-body": "^5.3.0",
     "koa-router": "7.3.0",
+    "koa-session": "^5.10.1",
     "lodash": "^4.17.4",
     "moment": "^2.19.2",
     "node-fetch": "^1.7.3",

package.json

@@ -0,0 +1,145 @@
+const { get, last, clone } = require('lodash');
+const AuthService = require('./authService');
+
+const { DOMAINS_ALLOWED_TO_LOGIN } = require('../../constants');
+
+// TODO: Envify
+const allowedDomains = DOMAINS_ALLOWED_TO_LOGIN.split(',');
+const allowedGroup = 'Karttageneraattori';
+
+const hasAllowedGroup = async userInfo => {
+  const groupNames = get(userInfo, 'groups');
+  const domain = last(userInfo.email.toLowerCase().split('@')) || '';
+
+  if (groupNames.includes(allowedGroup)) {
+    return true;
+  }
+
+  if (!allowedDomains.includes(domain)) {
+    console.log(`User does not have allowed domain. Logging out.`);
+    return false;
+  }
+
+  if (allowedDomains.includes(domain) && !groupNames.includes(allowedGroup)) {
+    groupNames.push(allowedGroup);
+    await AuthService.setGroup(userInfo.userId, groupNames);
+  }
+  return true;
+};
+
+const authorize = async (req, res, session) => {
+  const authRequest = req.body;
+  const modifiedSession = clone(session);
+  const { isTesting } = authRequest;
+
+  if (modifiedSession && isTesting) {
+    // When testing, code is already an access token (because tests fetched code with password grant request that gives you the correct access token)
+    modifiedSession.accessToken = authRequest.code;
+    const userInfo = await AuthService.requestUserInfo(authRequest.code);
+    modifiedSession.email = userInfo.email;
+    modifiedSession.groups = userInfo.groups;
+    return {
+      status: 200,
+      body: {
+        isOk: true,
+        email: userInfo.email,
+      },
+      modifiedSession,
+    };
+  }
+
+  if (!authRequest.code) {
+    console.log('No authorization code');
+    return {
+      body: {
+        isOk: false,
+      },
+      status: 401,
+    };
+  }
+  const tokenResponse = await AuthService.requestAccessToken(authRequest.code);
+
+  if (session && tokenResponse.access_token) {
+    modifiedSession.accessToken = tokenResponse.access_token;
+    const userInfo = await AuthService.requestUserInfo(modifiedSession.accessToken);
+    const isAllowed = await hasAllowedGroup(userInfo);
+    if (!isAllowed) {
+      return {
+        status: 401,
+        body: {
+          isOk: false,
+          message: 'No allowed group.',
+        },
+      };
+    }
+
+    modifiedSession.email = userInfo.email;
+    modifiedSession.groups = userInfo.groups;
+
+    const response = {
+      isOk: true,
+      email: userInfo.email,
+    };
+
+    return {
+      status: 200,
+      body: response,
+      modifiedSession,
+    };
+  }
+  console.log('No access token: ', tokenResponse);
+  const response = {
+    isOk: false,
+  };
+  return {
+    status: 401,
+    body: response,
+  };
+};
+
+const checkExistingSession = async (req, res, session) => {
+  if (session && session.accessToken) {
+    const isAllowed = await hasAllowedGroup(session);
+    if (!isAllowed) {
+      await AuthService.logoutFromIdentityProvider(session.accessToken);
+      return {
+        status: 200,
+      };
+    }
+
+    const response = {
+      isOk: true,
+      email: session.email,
+    };
+    return {
+      status: 200,
+      body: response,
+    };
+  }
+  console.log('No existing session');
+  const response = {
+    isOk: false,
+  };
+  return {
+    status: 200,
+    body: response,
+  };
+};
+
+const logout = async (req, res, session) => {
+  if (session && session.accessToken) {
+    await AuthService.logoutFromIdentityProvider(session.accessToken);
+    return {
+      status: 200,
+    };
+  }
+  return {
+    status: 401,
+  };
+};
+
+module.exports = {
+  authorize,
+  checkExistingSession,
+  logout,
+};

scripts/auth/authEndpoints.js

@@ -0,0 +1,85 @@
+const nodeFetch = require('node-fetch');
+
+const { CLIENT_ID, REDIRECT_URI, LOGIN_PROVIDER_URI, API_CLIENT_ID } = process.env;
+
+const { CLIENT_SECRET, API_CLIENT_SECRET } = require('../../constants');
+
+const authHash = Buffer.from(`${API_CLIENT_ID}:${API_CLIENT_SECRET}`).toString('base64');
+
+const requestAccessToken = async code => {
+  const url = `${LOGIN_PROVIDER_URI}/openid/token?client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&grant_type=authorization_code&code=${code}&redirect_uri=${REDIRECT_URI}`;
+  const response = await nodeFetch(url, {
+    method: 'POST',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+    },
+  });
+  return response.json();
+};
+
+const requestUserInfo = async accessToken => {
+  const url = `${LOGIN_PROVIDER_URI}/openid/userinfo`;
+  const response = await nodeFetch(url, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+  const responseJson = await response.json();
+
+  return {
+    userId: responseJson.sub,
+    email: responseJson.email,
+    emailVerified: responseJson.email_verified,
+    groups: responseJson['https://oneportal.trivore.com/claims/groups'],
+  };
+};
+
+const logoutFromIdentityProvider = async accessToken => {
+  const url = `${LOGIN_PROVIDER_URI}/openid/logout`;
+  return nodeFetch(url, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+};
+
+const requestGroups = async () => {
+  const url = `${LOGIN_PROVIDER_URI}/api/rest/v1/group`;
+  const groupsResponse = await nodeFetch(url, {
+    method: 'GET',
+    headers: {
+      Authorization: `Basic ${authHash}`,
+    },
+  });
+
+  return groupsResponse.json();
+};
+
+const setGroup = async (userId, groupNames) => {
+  const url = `${LOGIN_PROVIDER_URI}/api/rest/v1/user/${userId}`;
+  const groups = await requestGroups();
+  // const matchingSecrets = secrets.filter(secretFile => secretFile.startsWith(key));
+
+  const groupIds = [];
+  groups.resources.forEach(group => {
+    if (groupNames.includes(group.name)) {
+      groupIds.push(group.id);
+    }
+  });
+  const response = await nodeFetch(url, {
+    method: 'PUT',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+      Authorization: `Basic ${authHash}`,
+    },
+    body: JSON.stringify({
+      memberOf: groupIds,
+    }),
+  });
+
+  return response.json();
+};
+
+module.exports = { requestAccessToken, requestUserInfo, logoutFromIdentityProvider, setGroup };

scripts/auth/authService.js

@@ -1,8 +1,9 @@
 const Koa = require('koa');
 const Router = require('koa-router');
+const session = require('koa-session');
 const cors = require('@koa/cors');
 const jsonBody = require('koa-json-body');
-
+const authEndpoints = require('./auth/authEndpoints');
 const generator = require('./generator');
 const {
   migrate,
@@ -178,9 +179,43 @@ async function main() {
     ctx.body = await getConfig();
   });
 
+  router.post('/login', async ctx => {
+    const authResponse = await authEndpoints.authorize(ctx.request, ctx.response, ctx.session);
+    ctx.session = null;
+    if (authResponse.modifiedSession) {
+      ctx.session = authResponse.modifiedSession;
+    }
+    ctx.body = authResponse.body;
+    ctx.response.status = authResponse.status;
+  });
+
+  router.get('/logout', async ctx => {
+    const authResponse = await authEndpoints.logout(ctx.request, ctx.response, ctx.session);
+    ctx.session = null;
+    ctx.response.status = authResponse.status;
+  });
+
+  router.get('/session', async ctx => {
+    const authResponse = await authEndpoints.checkExistingSession(
+      ctx.request,
+      ctx.response,
+      ctx.session,
+    );
+    ctx.body = authResponse.body;
+    ctx.response.status = authResponse.status;
+  });
+
+  app.keys = ['secret key'];
+
+  app.use(session(app));
+
   app
     .use(errorHandler)
-    .use(cors())
+    .use(
+      cors({
+        credentials: true,
+      }),
+    )
     .use(jsonBody({ fallback: true, limit: '10mb' }))
     .use(router.routes())
     .use(router.allowedMethods())