This repository was archived by the owner on Nov 24, 2025. It is now read-only.

Oauth authentication rebase #3763

Merged
ocket8888 merged 43 commits into apache:master from mattjackson220:oauth_authentication_rebase
Aug 5, 2019

Conversation

@mattjackson220
Contributor

What does this PR (Pull Request) do?

Sets up integration with OAuth providers to allow Single Sign On instead of username/password login to Traffic Portal. It defaults to disabled. Once OAuth is set up, login will follow these steps:

  • User will go to TP login page as usual, for example at tp.domain.com. If OAuth is enabled, a single button will be visible to login with SSO.

  • When button is clicked, it will redirect to the OAuth provider URL from the traffic_portal_properties.json.

  • OAuth provider will authenticate the user using SSO. If user is not logged in, they will be redirected to SSO login page. If user is logged in, they will be redirected to tp.domain.com/#!/sso?auth_token=encryptedTokenFromOAuthProvider

  • the /sso page will parse the token and POST to the API /user/login/oauth endpoint

  • the API /user/login/oauth endpoint will decode and validate the token, cross reference the Json Key Set URL against the whitelisted URLs in the cdn.conf file, query the database to get the user's role, and if all of that is successful, return a cookie.

  • If the login is successful, the user will be redirected to the page they were trying to see. If login was unsuccessful, a 401 error will be returned and the user will be redirected back to the login page.

  • This PR is not related to any Issue

Which Traffic Control components are affected by this PR?

  • Documentation
  • Traffic Ops
  • Traffic Portal

What is the best way to verify this PR?

To test using CDN In A Box:

  • Update config.sh to:
    "whitelisted_oauth_urls": [
      "insert domain for your expected Json Key Set returned by oAuth provider"
    ]

  • Update traffic_portal_properties.json to:
    "oAuth": {
      "_comment": "Opt-in OAuth properties for SSO login",
      "enabled": true,
      "oAuthUrl": "insert your oAuth provider URL",
      "oAuthTokenQueryParam": "insert your oAuth provider's token query parameter"
    }

  • Run CDN in a box

  • Verify new login page only shows button to login with SSO

  • Click button with Network panel open and verify that it makes call to OAuth provider

  • Verify that login failed

  • Login to db container:

    docker exec -it cdn-in-a-box_db_1 /bin/bash

  • Login to postgres

    psql -d traffic_ops -U traffic_ops

  • Insert your user into db:

    insert into tm_user (username, role, tenant_id) values ('yourUserId', (SELECT id FROM role WHERE name = 'admin'), (SELECT id FROM tenant WHERE name='root'));

  • Click Login button again, Verify call to OAuth provider, Verify that login succeeds

  • Log out

  • Try to go directly to /#!/servers endpoint

  • Verify it requires login and shows SSO login page

  • Click Login

  • Verify call to OAuth provider, verify login successful, verify it redirects to /#!/servers endpoint

  • Update config.sh to:
    "whitelisted_oauth_urls": []

  • Restart Traffic Ops

  • Try to log in and verify it returns the following error:
    "Key URL from token is not included in the whitelisted urls. Received: //url"

The following criteria are ALL met by this PR

  • This PR includes tests OR I have explained why tests are unnecessary
  • This PR includes documentation OR I have explained why documentation is unnecessary
  • This PR includes an update to CHANGELOG.md OR such an update is not necessary
  • This PR includes any and all required license headers
  • This PR ensures that database migration sequence is correct OR this PR does not include a database migration
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY (see the Apache Software Foundation's security guidelines for details)
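The step in the description where the /user/login/oauth endpoint checks the token's key set URL against the whitelisted URLs in cdn.conf is the part of the flow that keeps a caller from pointing Traffic Ops at a key set it controls. The Go example below is an added illustration of that check and is not the Traffic Ops code from this PR. It assumes the key set URL travels in the token's `jku` header field, that whitelist entries are bare hostnames (as the config.sh comment suggests), and that only https key set URLs are acceptable; the error text copies the message quoted in the test steps. The signature is never verified here: a real implementation fetches the key set only after this check passes and verifies the signature with the fetched key.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errNoKeyURL = errors.New("token header carries no key set URL")

// keySetURL extracts the JWK Set URL from the header segment of a compact
// JWS/JWT. Reading it from the "jku" header is an assumption for this example;
// the PR only says the URL comes "from the token".
func keySetURL(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("malformed token header: %w", err)
	}
	var hdr struct {
		JKU string `json:"jku"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("token header is not JSON: %w", err)
	}
	if hdr.JKU == "" {
		return "", errNoKeyURL
	}
	return hdr.JKU, nil
}

// keyURLAllowed returns nil only when the key set URL in the token uses https
// and its parsed host is one of the whitelisted hosts. Comparing the parsed
// host rather than a substring of the raw string means neither
// "keys.example.test.evil.test" nor "https://keys.example.test@evil.test/"
// matches a whitelist entry of "keys.example.test".
func keyURLAllowed(token string, whitelist []string) error {
	keyURL, err := keySetURL(token)
	if err != nil {
		return err
	}
	rejected := fmt.Errorf("Key URL from token is not included in the whitelisted urls. Received: %s", keyURL)
	u, err := url.Parse(keyURL)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return rejected
	}
	host := strings.ToLower(u.Hostname())
	for _, w := range whitelist {
		if host == strings.ToLower(strings.TrimSpace(w)) {
			return nil
		}
	}
	return rejected
}

// sampleToken builds a constructed compact token for the demonstration. The
// signature segment is a placeholder string; nothing here signs or verifies.
func sampleToken(jku string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "jku": jku})
	payload, _ := json.Marshal(map[string]string{"sub": "yourUserId"})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	// Stands in for the whitelisted_oauth_urls list in cdn.conf (constructed value).
	whitelist := []string{"keys.example.test"}
	for _, jku := range []string{
		"https://keys.example.test/.well-known/jwks.json", // allowed
		"https://keys.example.test.evil.test/jwks.json",   // host differs: rejected
		"https://keys.example.test@evil.test/jwks.json",   // userinfo trick: rejected
		"http://keys.example.test/jwks.json",              // not https: rejected
		"//url",                                           // the page's own example: rejected
	} {
		fmt.Printf("%-50s -> %v\n", jku, keyURLAllowed(sampleToken(jku), whitelist))
	}
}
```

With an empty whitelist, as in the last step of the test procedure, every token is rejected with the quoted message, which is the behaviour that step verifies.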

Comment thread traffic_portal/app/src/traffic_portal_properties.json Outdated
Contributor

@ocket8888 ocket8888 left a comment


You accidentally committed your traffic-ops-overrides tarball

Comment thread docs/source/api/user_login_oauth.rst Outdated
Comment thread traffic_portal/app/src/traffic_portal_properties.json Outdated
Comment thread LICENSE
@asfgit
Contributor

asfgit commented Jul 30, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4057/
Test FAILed.

@asfgit
Contributor

asfgit commented Jul 31, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4067/
Test PASSed.

@mattjackson220 mattjackson220 mentioned this pull request Jul 31, 2019
7 tasks
@mitchell852 added the labels configuration (related to configuration - not limited to any one component), documentation (related to documentation), new feature (A new feature, capability or behavior), Traffic Ops (related to Traffic Ops) and Traffic Portal v1 (related to Traffic Portal version 1) on Aug 1, 2019
@asfgit
Contributor

asfgit commented Aug 2, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4091/
Test PASSed.

Member

@mitchell852 mitchell852 left a comment


improvement suggestion

Comment thread traffic_portal/app/src/common/api/AuthService.js Outdated
@asfgit
Contributor

asfgit commented Aug 2, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4092/
Test PASSed.

Member

@mitchell852 mitchell852 left a comment


tested the following UI flows:

  • positive: clicked login via SSO button, redirect to oauth provider, successful auth, redirect back to TP/sso view, successfully logged in to TP
  • negative: removed my user from TP, clicked login via SSO button, redirect to oauth provider, successful auth, redirect back to TP/sso view, 403 forbidden message as expected.

nice work.

…rtal Login page updates, Traffic Ops API updates, and documentation updates
@mattjackson220 force-pushed the oauth_authentication_rebase branch from 5c8a411 to 9b6b8cf on August 2, 2019 22:06
@mitchell852
Member

i think @ocket8888 did most of the review of this so i'll leave it to him to merge

@asfgit
Contributor

asfgit commented Aug 2, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/4096/
Test PASSed.

@ocket8888 ocket8888 merged commit b92225f into apache:master Aug 5, 2019
@zrhoffman zrhoffman added the authentication Relating to login, registration, passwords, tokens, etc. label Jan 12, 2022

5 participants