Merge branch 'release/0.8.4'

Author: Sasa Berberovic

Jenkinsfile

@@ -0,0 +1,30 @@
+pipeline {
+
+    agent {
+        kubernetes {
+            yamlFile 'kubernetesPod.yaml'
+        }
+    }
+
+    options {
+        buildDiscarder(logRotator(numToKeepStr: '3'))
+    }
+    
+    stages {
+        
+        stage('build and deploy to nexus'){
+        
+            steps {
+            
+                container('containerproxy-build') {
+                     
+                     configFileProvider([configFile(fileId: 'maven-settings-rsb', variable: 'MAVEN_SETTINGS_RSB')]) {
+                         
+                         sh 'mvn -s $MAVEN_SETTINGS_RSB -U clean install deploy -DskipTests=true'
+                         
+                     }
+                }
+            }
+        }
+    }
+}

README.md

@@ -18,7 +18,7 @@ It is the engine that powers a.o. [ShinyProxy](https://shinyproxy.io) but can be
 
 Learn more at https://containerproxy.io (in progress)
 
-#### (c) Copyright Open Analytics NV, 2017-2018 - Apache License 2.0
+#### (c) Copyright Open Analytics NV, 2017-2019 - Apache License 2.0
 
 ## Building from source
 

kubernetesPod.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: containerproxy
+  labels:
+    ci: containerproxy-build
+spec:
+  volumes:
+    - name: maven-repo
+      emptyDir: {}
+  containers:
+   - name: containerproxy-build
+     image: 196229073436.dkr.ecr.eu-west-1.amazonaws.com/openanalytics/containerproxy-build
+     securityContext:
+      privileged: true  
+     command: ["sh"]
+     args: ["/usr/src/app/docker-entrypoint.sh"]
+     tty: true
+     volumeMounts:
+      - mountPath: ~/.m2
+        name: maven-repo

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>eu.openanalytics</groupId>
 	<artifactId>containerproxy</artifactId>
-	<version>0.8.3</version>
+	<version>0.8.4</version>
 	<name>ContainerProxy</name>
 	<packaging>jar</packaging>
 
@@ -25,12 +25,12 @@
 		<snapshotRepository>
 			<id>oa-nexus-snapshots</id>
 			<name>OpenAnalytics Snapshots Repository</name>
-			<url>http://nexus.openanalytics.eu/nexus/content/repositories/snapshots</url>
+			<url>https://nexus.openanalytics.eu/nexus/content/repositories/snapshots</url>
 		</snapshotRepository>
 		<repository>
 			<id>oa-nexus-releases</id>
 			<name>OpenAnalytics Release Repository</name>
-			<url>http://nexus.openanalytics.eu/nexus/content/repositories/releases</url>
+			<url>https://nexus.openanalytics.eu/nexus/content/repositories/releases</url>
 		</repository>
 	</distributionManagement>
 
@@ -293,6 +293,7 @@
 						<exclude>**/*.yml</exclude>
 						<exclude>**/*.json</exclude>
 						<exclude>**/*.raml</exclude>
+						<exclude>**/*.sh</exclude>
 						<exclude>LICENSE</exclude>
 						<exclude>LICENSE_HEADER</exclude>
 						<exclude>README.md</exclude>

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -40,6 +40,7 @@
 
 import eu.openanalytics.containerproxy.util.ProxyMappingManager;
 import io.undertow.Handlers;
+import io.undertow.servlet.api.ServletSessionConfig;
 
 @SpringBootApplication
 @ComponentScan("eu.openanalytics")
@@ -80,6 +81,10 @@ public UndertowServletWebServerFactory servletContainer() {
 			info.addInnerHandlerChainWrapper(defaultHandler -> {
 				return mappingManager.createHttpHandler(defaultHandler);
 			});
+			ServletSessionConfig sessionConfig = new ServletSessionConfig();
+			sessionConfig.setHttpOnly(true);
+			sessionConfig.setSecure(Boolean.valueOf(environment.getProperty("server.secureCookies", "false")));
+			info.setServletSessionConfig(sessionConfig);
 		});
 		try {
 			factory.setAddress(InetAddress.getByName(environment.getProperty("proxy.bind-address", "0.0.0.0")));

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -30,6 +30,7 @@
 import javax.inject.Inject;
 import javax.servlet.ServletException;
 
+import org.keycloak.OAuth2Constants;
 import org.keycloak.adapters.AdapterDeploymentContext;
 import org.keycloak.adapters.KeycloakConfigResolver;
 import org.keycloak.adapters.KeycloakDeployment;
@@ -43,6 +44,7 @@
 import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
 import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
 import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
+import org.keycloak.adapters.springsecurity.filter.QueryParamPresenceRequestMatcher;
 import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
 import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
 import org.keycloak.representations.IDToken;
@@ -63,6 +65,10 @@
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.stereotype.Component;
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
@@ -118,7 +124,17 @@ public String getLogoutSuccessURL() {
 	@Bean
 	@ConditionalOnProperty(name="proxy.authentication", havingValue="keycloak")
 	protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
-		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager);
+		// Possible solution for issue #21037, create a custom RequestMatcher that doesn't include a QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN) request matcher.
+		// The QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN) caused the HTTP requests to be changed before they where processed.
+		// Because the HTTP requests are adapted before they are processed, the requested failed to complete successfully and caused an io.undertow.server.TruncatedResponseException
+		// If in the future we need a RequestMatcher for het ACCESS_TOKEN, we can implement one ourself  
+		RequestMatcher requestMatcher =
+				new OrRequestMatcher(
+	                    new AntPathRequestMatcher(KeycloakAuthenticationProcessingFilter.DEFAULT_LOGIN_URL),
+	                    new RequestHeaderRequestMatcher(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER)
+	            );
+		
+		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.
 		filter.setApplicationContext(ctx);

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth.impl;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -41,17 +42,25 @@
 import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.util.SessionHelper;
+import net.minidev.json.JSONArray;
+import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
 
 public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
 
@@ -89,7 +98,9 @@ public void configureHttpSecurity(HttpSecurity http) throws Exception {
 				.loginPage("/login")
 				.clientRegistrationRepository(clientRegistrationRepo)
 				.authorizedClientService(authorizedClientService)
-				.userInfoEndpoint().userAuthoritiesMapper(createAuthoritiesMapper());
+				.userInfoEndpoint()
+					.userAuthoritiesMapper(createAuthoritiesMapper())
+					.oidcUserService(createOidcUserService());
 	}
 
 	@Override
@@ -165,21 +176,82 @@ protected GrantedAuthoritiesMapper createAuthoritiesMapper() {
 							String claims = idToken.getClaims().entrySet().stream()
 								.map(e -> String.format("%s -> %s", e.getKey(), e.getValue()))
 								.collect(Collectors.joining(lineSep));
-							log.debug(String.format("Checking for roles in claim '%s'. Available claims in ID token:%s%s",
-									rolesClaimName, lineSep, claims));
-							
+							log.debug(String.format("Checking for roles in claim '%s'. Available claims in ID token (%d):%s%s",
+									rolesClaimName, idToken.getClaims().size(), lineSep, claims));
 						}
 
+						Object claimValue = idToken.getClaims().get(rolesClaimName);
+						if (claimValue == null) {
+							log.debug("No matching claim found.");
+						} else {
+							log.debug(String.format("Matching claim found: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
+						}
+
+						// Workaround: in some cases, getClaimAsStringList fails to parse??
 						List<String> roles = idToken.getClaimAsStringList(rolesClaimName);
-						if (roles == null) continue;
+						if (roles == null && claimValue instanceof String) {
+							List<String> parsedRoles = new ArrayList<>();
+							try {
+								Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse((String) claimValue);
+								if (value instanceof List) {
+									List<?> valueList = (List<?>) value;
+									valueList.forEach(o -> parsedRoles.add(o.toString()));
+								}
+							} catch (ParseException e) {
+								// Unable to parse JSON
+							}
+							roles = parsedRoles;
+						}
+						if (roles == null) {
+							if (log.isDebugEnabled()) log.debug("Failed to parse claim value as an array: " + claimValue);
+							continue;
+						}
+						
 						for (String role: roles) {
 							String mappedRole = role.toUpperCase().startsWith("ROLE_") ? role : "ROLE_" + role;
 							mappedAuthorities.add(new SimpleGrantedAuthority(mappedRole.toUpperCase()));
 						}
+						if (log.isDebugEnabled()) log.debug("The following roles were successfully parsed: " + roles);
 					}
 				}
 				return mappedAuthorities;
 			};
 		}
 	}
+	
+	protected OidcUserService createOidcUserService() {
+		// Use a custom UserService that supports the 'emails' array attribute.
+		return new OidcUserService() {
+			@Override
+			public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
+				OidcUser user = super.loadUser(userRequest);
+				String nameAttributeKey = environment.getProperty("proxy.openid.username-attribute", "email");
+				return new CustomNameOidcUser(new HashSet<>(user.getAuthorities()), user.getIdToken(), user.getUserInfo(), nameAttributeKey);
+			}
+		};
+	}
+	
+	private static class CustomNameOidcUser extends DefaultOidcUser {
+
+		private static final long serialVersionUID = 7563253562760236634L;
+		private static final String ID_ATTR_EMAILS = "emails";
+		
+		private boolean isEmailsAttribute;
+		
+		public CustomNameOidcUser(Set<GrantedAuthority> authorities, OidcIdToken idToken, OidcUserInfo userInfo, String nameAttributeKey) {
+			super(authorities, idToken, userInfo, nameAttributeKey);
+			this.isEmailsAttribute = nameAttributeKey.equals(ID_ATTR_EMAILS);
+		}
+
+		@Override
+		public String getName() {
+			if (isEmailsAttribute) {
+				Object emails = getAttributes().get(ID_ATTR_EMAILS);
+				if (emails instanceof String[]) return ((String[]) emails)[0];
+				else if (emails instanceof JSONArray) return ((JSONArray) emails).get(0).toString();
+				else return emails.toString();
+			}
+			else return super.getName();
+		}
+	}
 }

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java

@@ -110,6 +110,7 @@ public SAMLEntryPoint samlEntryPoint() {
 	public WebSSOProfileOptions defaultWebSSOProfileOptions() {
 		WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
 		webSSOProfileOptions.setIncludeScoping(false);
+		webSSOProfileOptions.setForceAuthN(Boolean.valueOf(environment.getProperty("proxy.saml.force-authn", "false")));
 		return webSSOProfileOptions;
 	}
 

src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerEngineBackend.java

@@ -76,6 +76,7 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 		ContainerConfig containerConfig = ContainerConfig.builder()
 			    .hostConfig(hostConfigBuilder.build())
 			    .image(spec.getImage())
+			    .labels(spec.getLabels())
 			    .exposedPorts(portBindings.keySet())
 			    .cmd(spec.getCmd())
 			    .env(buildEnv(spec, proxy))

src/main/java/eu/openanalytics/containerproxy/backend/docker/DockerSwarmBackend.java

@@ -71,6 +71,7 @@ protected Container startContainer(ContainerSpec spec, Proxy proxy) throws Excep
 		com.spotify.docker.client.messages.swarm.ContainerSpec containerSpec = 
 				com.spotify.docker.client.messages.swarm.ContainerSpec.builder()
 				.image(spec.getImage())
+				.labels(spec.getLabels())
 				.command(spec.getCmd())
 				.env(buildEnv(spec, proxy))
 				.dnsConfig(DnsConfig.builder().nameServers(spec.getDns()).build())