magda-io · AlexGilleran · Jun 24, 2019 · Jun 11, 2019 · Jun 11, 2019 · Jun 11, 2019
diff --git a/CHANGES.md b/CHANGES.md
@@ -49,6 +49,7 @@ UI:
 Gateway:
 
 - Add ArcGIS/ESRI Authentication provider
+- Add Vanguard (WS-FED) Authentication provider
 
 Access Control:
 

diff --git a/deploy/helm/magda/charts/gateway/templates/deployment.yaml b/deploy/helm/magda/charts/gateway/templates/deployment.yaml
@@ -45,6 +45,15 @@ spec:
 {{- if .Values.auth.aafClientUri}}
  "--aafClientUri", {{ .Values.auth.aafClientUri| quote }},
 {{- end }}
+{{- if .Values.auth.googleClientId }}
+ "--googleClientId", {{ .Values.auth.googleClientId | quote }},
+{{- end }}
+{{- if .Values.auth.vanguardWsFedIdpUrl }}
+ "--vanguardWsFedIdpUrl", {{ .Values.auth.vanguardWsFedIdpUrl | quote }},
+{{- end }}
+{{- if .Values.auth.vanguardWsFedRealm }}
+ "--vanguardWsFedRealm", {{ .Values.auth.vanguardWsFedRealm | quote }},
+{{- end }}
 {{- if .Values.enableAuthEndpoint }}
  "--enableAuthEndpoint", {{ .Values.enableAuthEndpoint | quote }},
 {{- end }}
@@ -124,6 +133,14 @@ spec:
  key: facebook-client-secret
  optional: true
 {{- end }}
+{{- if .Values.auth.vanguardWsFedRealm }}
+ - name: VANGUARD_CERTIFICATE
+ valueFrom:
+ secretKeyRef:
+ name: oauth-secrets
+ key: vanguard-certificate
+ optional: true
+{{- end }}
 {{- if .Values.auth.arcgisClientId }}
  - name: ARCGIS_CLIENT_SECRET
  valueFrom:

diff --git a/deploy/helm/preview.yml b/deploy/helm/preview.yml
@@ -24,6 +24,8 @@ gateway:
  arcgisClientId: "d0MgVUbbg5Z6vmWo"
  googleClientId: "275237095477-f7ej2gsvbl2alb8bcqcn7r5jk0ur719p.apps.googleusercontent.com"
  ckanAuthenticationUrl: https://data.gov.au/data
+ vanguardWsFedIdpUrl: https://thirdparty.authentication.business.gov.au/fas/v2/wsfed12/authenticate
+ vanguardWsFedRealm: https://environment.magda.io/integration-test-2
  autoscaler:
  enabled: false
  helmet:

diff --git a/magda-builder-nodejs/Dockerfile b/magda-builder-nodejs/Dockerfile
@@ -2,6 +2,7 @@ FROM mhart/alpine-node:8
 
 RUN npm install -g lerna
 
-RUN apk --update add git openssh bash && \
+RUN apk --update add git openssh bash \
+ python make g++ && \
  rm -rf /var/lib/apt/lists/* && \
- rm /var/cache/apk/*
+ rm /var/cache/apk/*
diff --git a/magda-gateway/Dockerfile b/magda-gateway/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:10
+FROM mhart/alpine-node:8
 
 RUN mkdir -p /usr/src/app
 COPY . /usr/src/app

diff --git a/magda-gateway/package.json b/magda-gateway/package.json
@@ -43,6 +43,7 @@
  "passport-facebook": "^2.0.0",
  "passport-google-oauth20": "^1.0.0",
  "passport-local": "^1.0.0",
+ "passport-wsfed-saml2": "^3.0.17",
  "pg": "^6.4.0",
  "read-pkg-up": "^3.0.0",
  "request": "^2.88.0",

diff --git a/magda-gateway/src/buildApp.ts b/magda-gateway/src/buildApp.ts
@@ -68,6 +68,9 @@ type Config = {
  enableCkanRedirection?: boolean;
  ckanRedirectionDomain?: string;
  ckanRedirectionPath?: string;
+ vanguardWsFedIdpUrl?: string;
+ vanguardWsFedRealm?: string;
+ vanguardWsFedCertificate?: string;
 };
 
 export default function buildApp(config: Config) {
@@ -163,7 +166,10 @@ export default function buildApp(config: Config) {
  ckanUrl: config.ckanUrl,
  authorizationApi: config.authorizationApi,
  externalUrl: config.externalUrl,
- userId: config.userId
+ userId: config.userId,
+ vanguardWsFedIdpUrl: config.vanguardWsFedIdpUrl,
+ vanguardWsFedRealm: config.vanguardWsFedRealm,
+ vanguardWsFedCertificate: config.vanguardWsFedCertificate
  })
  );
  }

diff --git a/magda-gateway/src/createAuthRouter.ts b/magda-gateway/src/createAuthRouter.ts
@@ -18,6 +18,9 @@ export interface AuthRouterOptions {
  authorizationApi: string;
  externalUrl: string;
  userId: string;
+ vanguardWsFedIdpUrl: string;
+ vanguardWsFedRealm: string;
+ vanguardWsFedCertificate: string;
 }
 
 export default function createAuthRouter(options: AuthRouterOptions): Router {
@@ -88,6 +91,18 @@ export default function createAuthRouter(options: AuthRouterOptions): Router {
  aafClientSecret: options.aafClientSecret,
  externalUrl: options.externalUrl
  })
+ },
+ {
+ id: "vanguard",
+ enabled: options.vanguardWsFedIdpUrl ? true : false,
+ authRouter: require("./oauth2/vanguard").default({
+ authorizationApi: authApi,
+ passport: passport,
+ wsFedIdpUrl: options.vanguardWsFedIdpUrl,
+ wsFedRealm: options.vanguardWsFedRealm,
+ wsFedCertificate: options.vanguardWsFedCertificate,
+ externalAuthHome: `${options.externalUrl}/auth`
+ })
  }
  ];
 

diff --git a/magda-gateway/src/createOrGetUserToken.ts b/magda-gateway/src/createOrGetUserToken.ts
@@ -10,6 +10,7 @@ export default function createOrGetUserToken(
  profile: passport.Profile,
  source: string
 ): Promise<UserToken> {
+ console.log("USER", profileToUser(profile, source));
  return authApi.lookupUser(source, profile.id).then(maybe =>
  maybe.caseOf({
  just: user => Promise.resolve(userToUserToken(user)),

diff --git a/magda-gateway/src/index.ts b/magda-gateway/src/index.ts
@@ -136,6 +136,30 @@ const argv = addJwtSecretFromEnvVar(
  process.env.ARCGIS_CLIENT_SECRET ||
  process.env.npm_package_config_arcgisClientSecret
  })
+ .option("vanguardWsFedCertificate", {
+ describe:
+ "The certificate to use for Vanguard WS-FED Login. This can also be specified with the VANGUARD_CERTIFICATE environment variable.",
+ type: "string",
+ default:
+ process.env.VANGUARD_CERTIFICATE ||
+ process.env.npm_package_config_vanguardCertificate
+ })
+ .option("vanguardWsFedIdpUrl", {
+ describe:
+ "Vanguard integration entry point. Can also be specified in VANGUARD_URL environment variable.",
+ type: "string",
+ default:
+ process.env.VANGUARD_URL ||
+ process.env.npm_package_config_vanguardUrl
+ })
+ .option("vanguardWsFedRealm", {
+ describe:
+ "Vanguard realm id for entry point. Can also be specified in VANGUARD_REALM environment variable.",
+ type: "string",
+ default:
+ process.env.VANGUARD_REALM ||
+ process.env.npm_package_config_vanguardRealm
+ })
  .option("aafClientUri", {
  describe: "The aaf client Uri to use for AAF Auth.",
  type: "string",

diff --git a/magda-gateway/src/missing.d.ts b/magda-gateway/src/missing.d.ts
@@ -1,3 +1,4 @@
 // Declarations for third-party modules without a @types package.
 declare module "passport-google-oauth20";
 declare module "passport-arcgis";
+declare module "passport-wsfed-saml2";
diff --git a/magda-gateway/src/oauth2/vanguard.ts b/magda-gateway/src/oauth2/vanguard.ts
@@ -0,0 +1,88 @@
+import { Strategy } from "passport-wsfed-saml2";
+
+import * as express from "express";
+import { Router } from "express";
+import { Authenticator } from "passport";
+
+import ApiClient from "@magda/typescript-common/dist/authorization-api/ApiClient";
+import createOrGetUserToken from "../createOrGetUserToken";
+import { redirectOnSuccess } from "./redirect";
+
+export interface VanguardOptions {
+ authorizationApi: ApiClient;
+ passport: Authenticator;
+ wsFedIdpUrl: string;
+ wsFedRealm: string;
+ wsFedCertificate: string;
+ externalAuthHome: string;
+}
+
+const STRATEGY = "vanguard";
+
+export default function vanguard(options: VanguardOptions) {
+ const authorizationApi = options.authorizationApi;
+ const passport = options.passport;
+ const wsFedIdpUrl = options.wsFedIdpUrl;
+ const wsFedRealm = options.wsFedRealm;
+ const wsFedCertificate = options.wsFedCertificate;
+ const externalAuthHome = options.externalAuthHome;
+
+ // const loginBaseUrl = `${externalAuthHome}/login`;
+
+ if (!wsFedIdpUrl || !wsFedRealm || !wsFedCertificate) {
+ return undefined;
+ }
+
+ passport.use(
+ STRATEGY,
+ new Strategy(
+ {
+ identityProviderUrl: wsFedIdpUrl,
+ realm: wsFedRealm,
+ protocol: "wsfed",
+ cert: wsFedCertificate
+ },
+ function(profile: any, cb: Function) {
+ const email =
+ profile[
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
+ ];
+ const displayName =
+ profile[
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
+ ] || email;
+ const id =
+ profile[
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
+ ];
+ profile = Object.assign(profile, {
+ emails: [{ value: email }],
+ displayName,
+ id
+ });
+ createOrGetUserToken(authorizationApi, profile, "vanguard")
+ .then(userId => cb(null, userId))
+ .catch(error => cb(error));
+ }
+ )
+ );
+
+ const router: Router = express.Router();
+
+ router.all("/", (req, res, next) => {
+ passport.authenticate(STRATEGY, {})(req, res, next);
+ });
+
+ router.all(
+ "/return",
+ passport.authenticate(STRATEGY, {
+ failureRedirect: "/",
+ failureFlash: true
+ }),
+ function(req, res) {
+ redirectOnSuccess(req.query.redirect || externalAuthHome, req, res);
+ }
+ );
+
+ return router;
+}
diff --git a/magda-gateway/views/login.ejs b/magda-gateway/views/login.ejs
@@ -2,3 +2,4 @@
 <a href="/auth/login/google">Log In with Google</a>
 <a href="/auth/login/arcgis">Log In with ArcGIS</a>
 <a href="/auth/login/ckan">Log In with CKAN</a>
+<a href="/auth/login/vanguard">Log In with Vanguard</a>
diff --git a/magda-web-client/src/Components/Account/AccountLoginPage.js b/magda-web-client/src/Components/Account/AccountLoginPage.js
@@ -85,6 +85,18 @@ export default function Login(props) {
  </a>
  </li>
  )}
+ {props.providers.indexOf("vanguard") !== -1 && (
+ <li className="login__provider">
+ <a href={makeLoginUrl("vanguard")}>
+ <img
+ src={aafLogo}
+ className="login__logo"
+ alt="logo"
+ />
+ Vanguard
+ </a>
+ </li>
+ )}
  </ul>
  </div>
  {props.providers.indexOf("ckan") !== -1 && (