Oauth authentication rebase

.dependency_license

@@ -107,6 +107,8 @@ traffic_portal/app/src/assets/js/jsonformatter\..*, Apache
 traffic_portal/app/src/assets/js/fast-json-patch\..*, MIT
 traffic_portal/app/src/assets/css/colReorder.dataTables\..*, MIT
 traffic_portal/app/src/assets/js/colReorder.dataTables\..*, MIT
+traffic_ops/traffic_ops_golang/vendor/github\.com/dgrijalva/.*, MIT
+traffic_ops/traffic_ops_golang/vendor/github\.com/lestrrat-go/.*, MIT
 
 # Ignored - Do not report.
 \.DS_Store, Ignore # Created automatically OSX.

CHANGELOG.md

@@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
   - /api/1.4/cdns/dnsseckeys/refresh `GET`
   - /api/1.1/cdns/name/:name/dnsseckeys `GET`
   - /api/1.4/cdns/name/:name/dnsseckeys `GET`
+  - /api/1.4/user/login/oauth `POST`
 - To support reusing a single riak cluster connection, an optional parameter is added to riak.conf: "HealthCheckInterval". This options takes a 'Duration' value (ie: 10s, 5m) which affects how often the riak cluster is health checked.  Default is currently set to: "HealthCheckInterval": "5s".
 - Added a new Go db/admin binary to replace the Perl db/admin.pl script which is now deprecated and will be removed in a future release. The new db/admin binary is essentially a drop-in replacement for db/admin.pl since it supports all of the same commands and options; therefore, it should be used in place of db/admin.pl for all the same tasks.
 - Added an API 1.4 endpoint, /api/1.4/cdns/dnsseckeys/refresh, to perform necessary behavior previously served outside the API under `/internal`.
@@ -32,6 +33,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - In Traffic Portal, provides the ability to clone delivery service assignments from one cache to another cache of the same type. Issue #2963.
 - Traffic Ops now allows each delivery service to have a set of query parameter keys to be retained for consistent hash generation by Traffic Router.
 - In Traffic Portal, delivery service table columns can now be rearranged and their visibility toggled on/off as desired by the user. Hidden table columns are excluded from the table search. These settings are persisted in the browser.
+- Added an API 1.4 endpoint, /api/1.4/user/login/oauth to handle SSO login using OAuth.
+- Added /#!/sso page to Traffic Portal to catch redirects back from OAuth provider and POST token into the API.
 
 ### Changed
 - Traffic Router, added TLS certificate validation on certificates imported from Traffic Ops
@@ -58,6 +61,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Issue #3750: Fixed Grove access log fractional seconds.
 - Issue #3646: Fixed Traffic Monitor Thresholds.
 - Modified Traffic Router API to be available via HTTPS.
+- Added fields to traffic_portal_properties.json to configure SSO through OAuth.
+- Added field to cdn.conf to configure whitelisted URLs for Json Key Set URL returned from OAuth provider.
 
 ## [3.0.0] - 2018-10-30
 ### Added

LICENSE

@@ -432,3 +432,11 @@ The modern-go/concurrent component is used under the Apache 2.0 license:
 The modern-go/reflect2 component is used under the Apache 2.0 license:
 @vendor/github.com/modern-go/reflect2/*
 ./vendor/github.com/modern-go/reflect2/LICENSE
+
+For the lestrrat-go/jwx (commit e35178a) component:
+@traffic_ops/traffic_ops_golang/vendor/github.com/lestrrat-go/jwx/*
+./traffic_ops/traffic_ops_golang/vendor/github.com/lestrrat-go/jwx/LICENSE
+
+For the dgrijalva/jwt-go (commit 5e25c22) component:
+@traffic_ops/traffic_ops_golang/vendor/github.com/dgrijalva/jwt-go/*
+./traffic_ops/traffic_ops_golang/vendor/github.com/dgrijalva/jwt-go/LICENSE

docs/source/admin/quick_howto/index.rst

@@ -27,6 +27,7 @@ Traffic Control is a complicated system, and documenting it is not trivial. Some
 	ds_requests
 	federations
 	multi_site
+	oauth_login
 	regionalgeo
 	static_dns
 	steering

docs/source/admin/quick_howto/oauth_login.rst

@@ -0,0 +1,92 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+.. _oauth_login:
+
+*********************
+Configure OAuth Login
+*********************
+
+An opt-in configuration for SSO using OAuth is supported and can be configured through the :file:`/opt/traffic_portal/public/traffic_portal_properties.json` and :file:`/opt/traffic_ops/app/conf/cdn.conf` files. OAuth uses a third party provider to authenticate the user. Once enabled, the Traffic Portal Login page will no longer accept username and password but instead will authenticate using OAuth. This will redirect to the ``oAuthUrl`` from :file:`/opt/traffic_portal/public/traffic_portal_properties.json` which will authenticate the user then redirect to the new ``/sso`` page with an authorization code. The new ``/sso`` page will then construct the full URL to exchange the authorization code for a JSON Web Token, and ``POST`` this information to the :ref:`to-api-user-login-oauth` API endpoint. The :ref:`to-api-user-login-oauth` API endpoint will ``POST`` to the URL provided and receive JSON Web Token. The :ref:`to-api-user-login-oauth` API endpoint will decode the token, validate that it is between the issued time and the expiration time, and validate that the public key set URL is allowed by the list of whitelisted URLs read from :file:`/opt/traffic_ops/app/conf/cdn.conf`. It will then authorize the user from the database and return a mojolicious cookie as per the normal login workflow.
+
+.. Note:: Ensure that the user names in the Traffic Ops database match the value returned in the `sub` field in the response from the OAuth provider when setting up with the OAuth provider.  The `sub` field is used to reference the roles in the Traffic Ops database in order to authorize the user.
+
+.. Note:: OAuth providers sometimes do not return the public key set URL but instead require a locally stored key. This functionality is not currently supported and will require further development.
+
+.. Note:: The ``POST`` from the API to the OAuth provider to exchange the code for a token expects the response to have the token in JSON format with `access_token` as the desired field (and can include other fields).  It also supports a response with just the token itself as the body.  Further development work will need to be done to allow other resposne forms or other response fields.
+
+.. Note:: Users must exist in both Traffic Ops as well as in the OAuth provider's system.  The user's rights are defined by the :term:`role` assigned to the user.
+
+To configure OAuth login:
+
+- Set up authentication with a third party OAuth provider.
+
+- Update :file:`/opt/traffic_portal/public/traffic_portal_properties.json` and ensure the following properties are set up correctly:
+
+	.. table:: OAuth Configuration Property Definitions In traffic_portal_properties.json
+
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+		| Name                         | Type       | Description                                                                                                                               |
+		+==============================+============+===========================================================================================================================================+
+		| enabled                      | boolean    | Allow OAuth SSO login                                                                                                                     |
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+		| oAuthUrl                     | string     | URL to your OAuth provider                                                                                                                |
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+		| redirectUriParameterOverride | string     | Query parameter override if the oAuth provider requires a different key for the redirect_uri parameter, defaults to ``redirect_uri``      |
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+		| clientId                     | string     | Client id registered with OAuth provider, passed in with `client_id` parameter                                                            |
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+		| oAuthCodeTokenUrl            | string     | URL to your OAuth provider's endpoint for exchanging the code (from oAuthUrl) for a token                                                 |
+		+------------------------------+------------+-------------------------------------------------------------------------------------------------------------------------------------------+
+
+
+	.. code-block:: json
+		:caption: Example OAuth Configuration Properties In traffic_portal_properties.json
+
+		{
+			"oAuth": {
+				"_comment": "Opt-in OAuth properties for SSO login. See http://traffic-control-cdn.readthedocs.io/en/release-4.0.0/admin/quick_howto/oauth_login.html for more details. redirectUriParameterOverride defaults to redirect_uri if left blank.",
+				"enabled": true,
+				"oAuthUrl": "example.oauth.com",
+				"redirectUriParameterOverride": "",
+				"clientId": "",
+				"oAuthCodeTokenUrl": "example.oauth.com/oauth/token"
+			}
+		}
+
+- Update :file:`/opt/traffic_ops/app/conf/cdn.conf` property traffic_ops_golang.whitelisted_oauth_urls to contain all allowed domains for the JSON key set (Use ``*`` for wildcard):
+
+	.. table:: OAuth Configuration Property Definitions In cdn.conf
+
+		+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
+		| Name                     | Type               | Description                                                                                                     |
+		+==========================+====================+=================================================================================================================+
+		| whitelisted_oauth_urls   | Array of strings   | List of whitelisted URLs for the JSON public key set returned by OAuth provider.  Can contain ``*`` wildcards.  |
+		+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
+		| oauth_client_secret      | string             | Client secret registered with OAuth provider to verify client, passed in with `client_secret` parameter         |
+		+--------------------------+--------------------+-----------------------------------------------------------------------------------------------------------------+
+
+
+	.. code-block:: json
+		:caption: Example OAuth Configuration Properties In cdn.conf
+
+		{
+			"traffic_ops_golang": {
+				"whitelisted_oauth_urls": [
+					"oauth.example.com",
+					"*.example.com"
+				],
+				"oauth_client_secret": "secret"
+			}
+		}

docs/source/admin/traffic_portal/installation.rst

@@ -41,6 +41,11 @@ Configuring Traffic Portal
 - Optional: update :file:`/opt/traffic_portal/public/resources/assets/css/custom.css` to customize Traffic Portal styling.
 
 
+Configuring OAuth Through Traffic Portal
+========================================
+See :ref:`oauth_login`.
+
+
 Starting Traffic Portal
 =======================
 The Traffic Portal RPM comes with a :manpage:`systemd(1)` unit file, so under normal circumstances Traffic Portal may be started with :manpage:`systemctl(1)`.

docs/source/admin/traffic_portal/usingtrafficportal.rst

@@ -652,6 +652,8 @@ User management includes the ability to (where applicable):
 - update an existing user
 - view :term:`Delivery Service`\ s visible to a user
 
+.. Note:: If OAuth is enabled, the username must exist both here as well as with the OAuth provider. A user's rights are defined by the :term:`role` assigned to the user in Traffic Ops. Creating/deleting a user here will update the user's :term:`role` but the user needs to be created/deleted with the OAuth provider as well.
+
 Tenants
 -------
 Each entry in the table of :term:`Tenant`\ s on this page has the following entries:

docs/source/api/user_login_oauth.rst

@@ -0,0 +1,79 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _to-api-user-login-oauth:
+
+********************
+``user/login/oauth``
+********************
+.. versionadded:: 1.4
+
+``POST``
+========
+
+Authentication of a user by exchanging a code for an encrypted JSON Web Token from an OAuth service. Traffic Ops will ``POST`` to the authCodeTokenUrl to exchange the code for an encrypted JSON Web Token.  It will then decode and validate the token, validate the key set domain, and send back a session cookie.
+
+:Auth. Required: No
+:Roles Required: None
+:Response Type:  ``undefined``
+
+Request Structure
+-----------------
+:authCodeTokenUrl: URL for code-to-token conversion
+:code: Code
+:clientId: Client Id
+:redirectUri: Redirect URI
+
+.. code-block:: http
+	:caption: Request Example
+
+	POST /api/1.4/user/login/oauth HTTP/1.1
+	Host: trafficops.infra.ciab.test
+	User-Agent: curl/7.47.0
+	Accept: */*
+	Cookie: mojolicious=...
+	Content-Length: 26
+	Content-Type: application/json
+
+	{
+		"authCodeTokenUrl": "https://url-to-convert-code-to-token.example.com",
+		"code": "AbCd123",
+		"clientId": "oauthClientId",
+		"redirectUri": "https://traffic-portal.example.com/sso"
+	}
+
+Response Structure
+------------------
+.. code-block:: http
+	:caption: Response Example
+
+	HTTP/1.1 200 OK
+	Access-Control-Allow-Credentials: true
+	Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Set-Cookie, Cookie
+	Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
+	Access-Control-Allow-Origin: *
+	Content-Type: application/json
+	Set-Cookie: mojolicious=...; Path=/; Expires=Thu, 13 Dec 2018 21:21:33 GMT; HttpOnly
+	Whole-Content-Sha512: UdO6T3tMNctnVusDXzRjVwwYOnD7jmnBzPEB9PvOt2bHajTv3SKTPiIZjDzvhU6EX4p+JoG4fA5wlhgxpsejIw==
+	X-Server-Name: traffic_ops_golang/
+	Date: Thu, 13 Dec 2018 15:21:33 GMT
+	Content-Length: 65
+
+	{ "alerts": [
+		{
+			"text": "Successfully logged in.",
+			"level": "success"
+		}
+	]}

infrastructure/cdn-in-a-box/traffic_ops/config.sh

@@ -80,7 +80,7 @@ cat <<-EOF >/opt/traffic_ops/app/conf/cdn.conf
         "workers" : 12
     },
     "traffic_ops_golang" : {
-	"insecure": true,
+        "insecure": true,
         "port" : "$TO_PORT",
         "proxy_timeout" : 60,
         "proxy_keep_alive" : 60,
@@ -98,7 +98,9 @@ cat <<-EOF >/opt/traffic_ops/app/conf/cdn.conf
         "max_db_connections": 20,
         "backend_max_connections": {
             "mojolicious": 4
-        }
+        },
+        "whitelisted_oauth_urls": [],
+        "oauth_client_secret": ""
     },
     "cors" : {
         "access_control_allow_origin" : "*"

traffic_ops/app/conf/cdn.conf

@@ -31,7 +31,9 @@
         "backend_max_connections": {
             "mojolicious": 4
         },
-	"profiling_enabled": false
+        "whitelisted_oauth_urls": [],
+        "oauth_client_secret": "",
+        "profiling_enabled": false
     },
     "cors" : {
         "access_control_allow_origin" : "*"

traffic_ops/app/db/seeds.sql

@@ -397,6 +397,7 @@ INSERT INTO role_capability (role_id, cap_name) SELECT (SELECT id FROM role WHER
 
 -- auth
 insert into api_capability (http_method,  route, capability) values ('POST', 'user/login', 'auth') ON CONFLICT (http_method, route, capability) DO NOTHING;
+insert into api_capability (http_method,  route, capability) values ('POST', 'user/login/oauth', 'auth') ON CONFLICT (http_method, route, capability) DO NOTHING;
 insert into api_capability (http_method, route, capability) values ('POST', 'user/login/token', 'auth') ON CONFLICT (http_method, route, capability) DO NOTHING;
 insert into api_capability (http_method, route, capability) values ('POST', 'user/logout', 'auth') ON CONFLICT (http_method, route, capability) DO NOTHING;
 insert into api_capability (http_method, route, capability) values ('POST', 'user/reset_password', 'auth') ON CONFLICT (http_method, route, capability) DO NOTHING;

traffic_ops/traffic_ops_golang/config/config.go

@@ -87,6 +87,8 @@ type ConfigTrafficOpsGolang struct {
 	ProfilingEnabled         bool                       `json:"profiling_enabled"`
 	ProfilingLocation        string                     `json:"profiling_location"`
 	RiakPort                 *uint                      `json:"riak_port"`
+	WhitelistedOAuthUrls     []string                   `json:"whitelisted_oauth_urls"`
+	OAuthClientSecret        string                     `json:"oauth_client_secret"`
 
 	// CRConfigUseRequestHost is whether to use the client request host header in the CRConfig. If false, uses the tm.url parameter.
 	// This defaults to false. Traffic Ops used to always use the host header, setting this true will resume that legacy behavior.