Merge pull request #700 from neicnordic/merge/sda-auth

[Merge] sda-auth

.github/dependabot.yaml

@@ -9,13 +9,6 @@ updates:
       - "neicnordic/sensitive-data-development-collaboration"
 
 # Each subfolder needs to be checked separately
-  - package-ecosystem: docker
-    directory: "/sda-auth"
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 10
-    reviewers:
-      - "neicnordic/sensitive-data-development-collaboration"
   - package-ecosystem: docker
     directory: "/postgresql"
     schedule:
@@ -54,18 +47,6 @@ updates:
 
 # Each subfolder needs to be checked separately
   - package-ecosystem: gomod
-    directory: "/sda-auth"
-    groups:
-      all-modules:
-        patterns:
-          - "*"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "neicnordic/sensitive-data-development-collaboration"
-    schedule:
-      interval: weekly
-
-  - package-ecosystem: "gomod"
     directory: "/sda"
     groups:
       all-modules:

.github/integration/sda-posix-integration.yml

@@ -46,7 +46,7 @@ services:
     command:
       [
         "python",
-        "/cega/users.py",
+        "/users.py",
         "0.0.0.0",
         "8443",
         "/shared/users.json"
@@ -58,7 +58,7 @@ services:
     ports:
       - "8443:8443"
     volumes:
-      - ./sda/users.py:/cega/users.py
+      - ./sda/users.py:/users.py
       - certs:/certs
       - shared:/shared
 

.github/integration/sda-s3-integration.yml

@@ -317,13 +317,78 @@ services:
       - ./sda/config.yaml:/config.yaml
       - shared:/shared
 
+  cega-nss:
+    container_name: cega-nss
+    depends_on:
+      credentials:
+        condition: service_completed_successfully
+    command:
+      [
+        "python",
+        "/cega/users.py",
+        "0.0.0.0",
+        "8443",
+        "/shared/users.json"
+      ]
+    environment:
+      - CEGA_USERS_PASSWORD=test
+      - CEGA_USERS_USER=test
+    image: "egarchive/lega-base:release.v0.2.0"
+    ports:
+      - "8443:8443"
+    volumes:
+      - ./sda/users.py:/cega/users.py
+      - shared:/shared
+
+  auth-cega:
+    command: [ sda-auth ]
+    container_name: auth-cega
+    depends_on:
+      cega-nss:
+        condition: service_started
+    environment:
+      - AUTH_RESIGNJWT=true
+      - AUTH_CEGA_ID=test
+      - AUTH_CEGA_SECRET=test
+    image: ghcr.io/neicnordic/sensitive-data-archive:PR${PR_NUMBER}
+    ports:
+      - "8888:8080"
+    restart: always
+    volumes:
+      - ./sda/config.yaml:/config.yaml
+      - shared:/shared
+
+  auth-oidc:
+    command: [ sda-auth ]
+    container_name: auth-oidc
+    depends_on:
+      oidc:
+        condition: service_healthy
+    environment:
+      - AUTH_RESIGNJWT=false
+      - OIDC_ID=XC56EL11xx
+      - OIDC_SECRET=wHPVQaYXmdDHg
+    image: ghcr.io/neicnordic/sensitive-data-archive:PR${PR_NUMBER}
+    ports:
+      - "8889:8080"
+    restart: always
+    volumes:
+      - ./sda/config.yaml:/config.yaml
+      - shared:/shared
+
   integration_test:
     container_name: tester
     command:
       - "/bin/sh"
       - "/tests/run_scripts.sh"
       - "/tests/sda"
     depends_on:
+      auth-cega:
+        condition: service_started
+      auth-oidc:
+        condition: service_started
+      cega-nss:
+        condition: service_started
       credentials:
         condition: service_completed_successfully
       finalize:

.github/integration/sda/config.yaml

@@ -10,6 +10,22 @@ archive:
   secretKey: "secretKey"
   bucket: "archive"
   region: "us-east-1"
+
+auth:
+  cega:
+    authUrl: "http://cega-nss:8443/username/"
+    id:
+    secret:
+  infoText: "About service text"
+  infoURL: "http://example.org/about"
+  jwt:
+    issuer: "https://auth:8888"
+    privateKey: /shared/keys/jwt.key
+    signatureAlg: ES256
+  publicFile: "/shared/c4gh.pub.pem"
+  resignJwt:
+  s3Inbox: "http://inbox:8000"
+
 backup:
   type: s3
   url: "http://s3"
@@ -52,6 +68,13 @@ c4gh:
   passphrase: "c4ghpass"
   syncPubKeyPath: /shared/sync.pub.pem
 
+oidc:
+  id:
+  jwkPath: /jwk
+  provider: http://oidc:8080
+  redirectUrl: http://auth_oidc:8080/oidc/login
+  secret:
+
 server:
   cert: ""
   key: ""
@@ -78,4 +101,4 @@ sync:
     password: "pass"
     user: "user"
 
-schema.type: "isolated"
+schema.type: "isolated"

.github/integration/sda/users.py

@@ -7,7 +7,7 @@
 import json
 from base64 import b64decode
 import ssl
-
+from pathlib import Path
 from aiohttp import web
 
 logging.basicConfig(format="[%(levelname)-8s] (L:%(lineno)s) %(message)s")
@@ -49,6 +49,7 @@ async def user(request):
         raise web.HTTPBadRequest(text=f"No info for that user\n")
     return web.json_response(user_info)
 
+HTTP_PROTOCOL = "http"
 
 def main():
 
@@ -69,14 +70,20 @@ def main():
     server.router.add_get("/username/{identifier}", user, name="user")
 
     # SSL settings
-    cacertfile = "/certs/ca.crt"
-    certfile = "/certs/server.crt"
-    keyfile = "/certs/server.key"
-
-    ssl_ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cacertfile)
-    ssl_ctx.check_hostname = False
-    ssl_ctx.verify_mode = ssl.CERT_NONE
-    ssl_ctx.load_cert_chain(certfile, keyfile=keyfile)
+    here = Path(__file__)
+    cacertfile = here.parent / "certs" / "ca.crt"
+    certfile = here.parent / "certs" / "server.crt"
+    keyfile = here.parent / "certs" / "server.key"
+
+    global HTTP_PROTOCOL
+    if keyfile.is_file():
+        ssl_ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cacertfile)
+        ssl_ctx.check_hostname = False
+        ssl_ctx.verify_mode = ssl.CERT_NONE
+        ssl_ctx.load_cert_chain(certfile, keyfile=keyfile)
+        HTTP_PROTOCOL = "https"
+    else:
+        ssl_ctx = None
 
     web.run_app(server, host=host, port=port, shutdown_timeout=0, ssl_context=ssl_ctx)
 

.github/integration/tests/sda/99_auth_test.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+python -m pip install --upgrade pip
+pip install tox
+
+tox -e unit_tests -c /tests/sda/auth/tox.ini
+
+echo "auth test completes successfully"

.github/integration/tests/sda/auth/integration/test_auth.py

@@ -0,0 +1,28 @@
+import unittest
+import requests
+
+class TestEGAAuth(unittest.TestCase):
+    """Testing EgaAuth."""
+
+    def setUp(self):
+        """Initialise authenticator."""
+        self.backend_url = "http://auth-cega:8080/ega"
+
+
+    def tearDown(self):
+        """Finalise test."""
+        print("Finishing test")
+
+
+    def test_valid_ega_login(self):
+        """Test that the login is successful."""
+        creds_payload = { "username":'[email protected]', "password":'dummy', "submit": 'log+in' }
+        login_response = requests.post(self.backend_url, allow_redirects=False, data=creds_payload, cookies=None)
+        self.assertEqual(login_response.status_code, 200)
+
+
+    def test_invalid_ega_login(self):
+        """Test that the login is not successful."""
+        creds_payload = { "username":'[email protected]', "password":'wrongpassword', "submit": 'log+in' }
+        login_response = requests.post(self.backend_url, allow_redirects=False, data=creds_payload, cookies=None)
+        self.assertEqual(login_response.status_code, 303)

.github/workflows/build_pr_container.yaml

@@ -33,19 +33,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build container for sda-auth
-        uses: docker/build-push-action@v5
-        with:
-          context: ./sda-auth
-          push: true
-          tags: |
-            ghcr.io/${{ github.repository }}:sha-${{ github.sha }}-auth
-            ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-auth
-          labels: |
-            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
-            org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-            org.opencontainers.image.revision=${{ github.sha }}
-
       - name: Build container for sda-download
         uses: docker/build-push-action@v5
         with:
@@ -300,7 +287,10 @@ jobs:
       - name: Check deployment
         run: |
           sleep 30
-          for n in download finalize inbox ingest mapper verify; do
+          for n in auth download finalize inbox ingest mapper verify; do
+            if [ ${{matrix.storage}} == "posix" ] && [ "$n" == "auth" ]; then
+              continue
+            fi
             if [ ! $(kubectl get pods -l role="$n" -o=jsonpath='{.items[*].status.containerStatuses[0].ready}' | grep true) ]; then
               echo "$n is not ready after 30s, exiting"
               exit 1

.github/workflows/code-linter.yaml

@@ -8,29 +8,6 @@ on:
       - '**/go.*'
 
 jobs:
-  lint_auth:
-    name: Lint auth code
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        go-version: ['1.21']
-    steps:
-      - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ matrix.go-version }}
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
-
-      - name: Run golangci-lint
-        uses: golangci/[email protected]
-        with:
-          args: -E bodyclose,gocritic,gofmt,gosec,govet,nestif,nlreturn,revive,rowserrcheck --timeout 5m
-          working-directory: sda-auth
-
   lint_download:
     name: Lint download code
     runs-on: ubuntu-latest

.github/workflows/functionality.yml

@@ -7,7 +7,6 @@ on:
 jobs:
   check_changes:
     outputs:
-      sda-auth: ${{ steps.changes.outputs.sda-auth }}
       sda-download: ${{ steps.changes.outputs.sda-download }}
       sftp-inbox: ${{ steps.changes.outputs.sftp-inbox }}
     runs-on: ubuntu-latest
@@ -24,38 +23,6 @@ jobs:
             sftp-inbox:
             - 'sftp-inbox/**'
 
-  sda-auth:
-    needs: check_changes
-    if: needs.check_changes.outputs.sda-auth == 'true'
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        go-version: ['1.21']
-    steps:
-      - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ matrix.go-version }}
-      - uses: actions/checkout@v4
-      - name: Set up Python 3.11
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.11"
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install tox tox-gh-actions
-      - name: Add oidc to /etc/hosts
-        run: |
-          sudo echo "127.0.0.1 oidc" | sudo tee -a /etc/hosts
-      - name: Start virtual infrastructure
-        run: |
-          cd sda-auth
-          GOLANG_VERSION=${{ matrix.go-version }} docker-compose -f ./dev-server/docker-compose.yml up -d --force-recreate --build
-      - name: Run unit tests
-        run: tox -e unit_tests -c sda-auth/tests/tox.ini
-
   sda-download:
     needs: check_changes
     if: needs.check_changes.outputs.sda-download == 'true'

.github/workflows/publish_container.yml

@@ -54,16 +54,11 @@ jobs:
 
       - name: Pull PR containers
         run : |
-          for t in -auth -download -postgres -rabbitmq -sftp-inbox; do
+          for t in -download -postgres -rabbitmq -sftp-inbox; do
             docker pull ghcr.io/${{ github.repository }}:PR${{ github.event.number }}$t
           done
           docker pull ghcr.io/${{ github.repository }}:PR${{ github.event.number }}
 
-      - name: Retag PR image for auth
-        run: |
-          docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-auth ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-auth
-          docker push ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-auth
-
       - name: Retag PR image for download
         run: |
           docker tag ghcr.io/${{ github.repository }}:PR${{ github.event.number }}-download ghcr.io/${{ github.repository }}:${{ needs.tag_release.outputs.tag }}-download