Merge branch 'feature/oidc-support' of https://github.com/Budibase/budibase into oidc-config-management

2021-07-08 14:29:28 +01:00 · 2021-07-08 14:29:28 +01:00 · 6be38bcefd
parent cd1e5c8087 c16cfc328f
commit 6be38bcefd
5 changed files with 148 additions and 115 deletions
--- a/packages/auth/src/middleware/passport/google.js
+++ b/packages/auth/src/middleware/passport/google.js
@ -11,14 +11,15 @@ async function authenticate(accessToken, refreshToken, profile, done) {
    email: profile._json.email,
    oauth2: {
      accessToken: accessToken,
-      refreshToken: refreshToken
-    }
+      refreshToken: refreshToken,
+    },
  }

  return authenticateThirdParty(
    thirdPartyUser,
    true, // require local accounts to exist
-    done)
+    done
+  )
 }

 /**
--- a/packages/auth/src/middleware/passport/oidc.js
+++ b/packages/auth/src/middleware/passport/oidc.js
@ -2,24 +2,6 @@ const fetch = require("node-fetch")
 const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
 const { authenticateThirdParty } = require("./third-party-common")

-/**
- * @param {*} profile The structured profile created by passport using the user info endpoint
- * @param {*} jwtClaims The claims returned in the id token
- */
-function getEmail(profile, jwtClaims) {
-  // profile not guaranteed to contain email e.g. github connected azure ad account
-  if (profile._json.email) {
-    return profile._json.email
-  }
-
-  // fallback to id token
-  if (jwtClaims.email) {
-    return jwtClaims.email
-  }
-
-  return null;
-}
-
 /**
 * @param {*} issuer The identity provider base URL
 * @param {*} sub The user ID
@ -30,7 +12,6 @@ function getEmail(profile, jwtClaims) {
 * @param {*} idToken The id_token - always a JWT
 * @param {*} params The response body from requesting an access_token
 * @param {*} done The passport callback: err, user, info
- * @returns 
 */
 async function authenticate(
  issuer,
@ -52,14 +33,48 @@ async function authenticate(
    email: getEmail(profile, jwtClaims),
    oauth2: {
      accessToken: accessToken,
-      refreshToken: refreshToken
-    }
+      refreshToken: refreshToken,
+    },
  }

  return authenticateThirdParty(
    thirdPartyUser,
    false, // don't require local accounts to exist
-    done)
+    done
+  )
+}
+
+/**
+ * @param {*} profile The structured profile created by passport using the user info endpoint
+ * @param {*} jwtClaims The claims returned in the id token
+ */
+function getEmail(profile, jwtClaims) {
+  // profile not guaranteed to contain email e.g. github connected azure ad account
+  if (profile._json.email) {
+    return profile._json.email
+  }
+
+  // fallback to id token email
+  if (jwtClaims.email) {
+    return jwtClaims.email
+  }
+
+  // fallback to id token preferred username
+  const username = jwtClaims.preferred_username
+  if (username && validEmail(username)) {
+    return username
+  }
+
+  return null
+}
+
+function validEmail(value) {
+  return (
+    value &&
+    !!value.match(
+      /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
+    )
+  )
 }

 /**
@ -67,23 +82,22 @@ async function authenticate(
 * from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
 * @returns Dynamically configured Passport OIDC Strategy
 */
-exports.strategyFactory = async function (callbackUrl) {
+exports.strategyFactory = async function (config, callbackUrl) {
  try {
-    const configurationUrl =
-      "https://login.microsoftonline.com/2668c0dd-7ed2-4db3-b387-05b6f9204a70/v2.0/.well-known/openid-configuration"
-    const clientSecret = "g-ty~2iW.bo.88xj_QI6~hdc-H8mP2Xbnd"
-    const clientId = "bed2017b-2f53-42a9-8ef9-e58918935e07"
+    const { clientId, clientSecret, configUrl } = config

-    if (!clientId || !clientSecret || !callbackUrl || !configurationUrl) {
+    if (!clientId || !clientSecret || !callbackUrl || !configUrl) {
      throw new Error(
-        "Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configurationUrl"
+        "Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configUrl"
      )
    }

-    const response = await fetch(configurationUrl)
+    const response = await fetch(configUrl)

    if (!response.ok) {
-      throw new Error(`Unexpected response when fetching openid-configuration: ${response.statusText}`)
+      throw new Error(
+        `Unexpected response when fetching openid-configuration: ${response.statusText}`
+      )
    }

    const body = await response.json()
@ -101,7 +115,6 @@ exports.strategyFactory = async function (callbackUrl) {
      },
      authenticate
    )
-    
  } catch (err) {
    console.error(err)
    throw new Error("Error constructing OIDC authentication strategy", err)
--- a/packages/auth/src/middleware/passport/third-party-common.js
+++ b/packages/auth/src/middleware/passport/third-party-common.js
@ -16,9 +16,12 @@ exports.authenticateThirdParty = async function (
  requireLocalAccount = true,
  done
 ) {
-    if (!thirdPartyUser.provider) return authError(done, "third party user provider required")
-    if (!thirdPartyUser.userId) return authError(done, "third party user id required")
-    if (!thirdPartyUser.email) return authError(done, "third party user email required")
+  if (!thirdPartyUser.provider)
+    return authError(done, "third party user provider required")
+  if (!thirdPartyUser.userId)
+    return authError(done, "third party user id required")
+  if (!thirdPartyUser.email)
+    return authError(done, "third party user email required")

  const db = database.getDB(StaticDatabases.GLOBAL.name)

@ -32,7 +35,11 @@ exports.authenticateThirdParty = async function (
  } catch (err) {
    // abort when not 404 error
    if (!err.status || err.status !== 404) {
-        return authError(done, "Unexpected error when retrieving existing user", err)
+      return authError(
+        done,
+        "Unexpected error when retrieving existing user",
+        err
+      )
    }

    // check user already exists by email
@ -40,10 +47,13 @@ exports.authenticateThirdParty = async function (
      key: thirdPartyUser.email,
      include_docs: true,
    })
-      let userExists = users.rows.length > 0
+    const userExists = users.rows.length > 0

    if (requireLocalAccount && !userExists) {
-        return authError(done, "Email does not yet exist. You must set up your local budibase account first.")         
+      return authError(
+        done,
+        "Email does not yet exist. You must set up your local budibase account first."
+      )
    }

    // create the user to save
@ -100,7 +110,8 @@ function constructNewUser(userId, thirdPartyUser) {
    _id: userId,
    provider: thirdPartyUser.provider,
    providerType: thirdPartyUser.providerType,
-    roles: {}
+    email: thirdPartyUser.email,
+    roles: {},
  }

  // persist profile information
@ -109,14 +120,14 @@ function constructNewUser(userId, thirdPartyUser) {
  //             Is this okay to change?
  if (thirdPartyUser.profile) {
    user.thirdPartyProfile = {
-      ...thirdPartyUser.profile._json
+      ...thirdPartyUser.profile._json,
    }
  }

  // persist oauth tokens for future use
  if (thirdPartyUser.oauth2) {
    user.oauth2 = {
-        ...thirdPartyUser.oauth2
+      ...thirdPartyUser.oauth2,
    }
  }

--- a/packages/worker/src/api/controllers/admin/auth.js
+++ b/packages/worker/src/api/controllers/admin/auth.js
@ -133,8 +133,16 @@ exports.googleAuth = async (ctx, next) => {
 }

 async function oidcStrategyFactory(ctx) {
+  const db = new CouchDB(GLOBAL_DB)
+
+  const config = await authPkg.db.getScopedConfig(db, {
+    type: Configs.OIDC,
+    group: ctx.query.group,
+  })
+
  const callbackUrl = `${ctx.protocol}://${ctx.host}/api/admin/auth/oidc/callback`
-  return oidc.strategyFactory(callbackUrl)
+
+  return oidc.strategyFactory(config, callbackUrl)
 }

 /**