Plat 602 keycloak integration

config/config.md

@@ -71,6 +71,7 @@ The following config option are provided by the OpenHIM. All of these options ha
     // * "local" means through the UI with hitting "/authentication/local" endpoint with username and password, 
     // this will create a session for the user and set cookies in the browser.
     // * "basic" means with basic auth either through browser or postman by giving also username and password.
+    // * "openid" means with a third party authentication provider (keycloak).
     // * [Deprecated] "token" means that a request should provide in the header an 'auth-token', 'auth-salt' and 'auth-ts' to be authenticated.
     "authenicationTypes": ["token"]
   },

config/default.json

@@ -42,7 +42,14 @@
     "maxPayloadSizeMB": 50,
     "truncateSize": 15000,
     "truncateAppend": "\n[truncated ...]",
-    "authenticationTypes": ["basic", "local", "token"]
+    "authenticationTypes": ["basic", "local", "token", "openid"],
+    "keycloak": {
+      "url": "http://localhost:9088/realms/platform-realm",
+      "callbackUrl": "http://localhost:9000",
+      "clientId": "openhim-oauth",
+      "clientSecret": "tZKfEbWf0Ka5HBNZwFrdSyQH2xT1sNMR",
+      "scope": "openid email profile offline_access roles"
+    }
   },
   "rerun": {
     "httpPort": 7786,

config/test.json

@@ -26,7 +26,14 @@
     "maxPayloadSizeMB": 50,
     "truncateSize": 10,
     "truncateAppend": "\n[truncated ...]",
-    "authenticationTypes": ["token", "basic", "local"]
+    "authenticationTypes": ["token", "basic", "local", "openid"],
+    "keycloak": {
+      "url": "http://localhost:10000/realms/realm",
+      "callbackUrl": "http://localhost:10010",
+      "clientId": "client-id",
+      "clientSecret": "client-secret",
+      "scope": "openid email profile offline_access roles"
+    }
   },
   "caching": {
     "enabled": false

package.json

@@ -74,6 +74,7 @@
     "passport-custom": "^1.1.1",
     "passport-http": "^0.3.0",
     "passport-local": "^1.0.0",
+    "passport-openidconnect": "^0.1.1",
     "pem": "^1.14.4",
     "raw-body": "^2.4.1",
     "semver": "^7.3.2",

src/api/authentication.js

@@ -80,19 +80,35 @@ export function isAuthenticationTypeEnabled(type) {
   return getEnabledAuthenticationTypesFromConfig(config).includes(type)
 }
 
+function requestType(ctx, type) {
+  const {headers} = ctx.request
+
+  if (
+    headers['auth-username'] ||
+    headers['auth-ts'] ||
+    headers['auth-salt'] ||
+    headers['auth-token']
+  ) {
+    return type === 'token'
+  } else if (headers.authorization && headers.authorization.includes('Basic')) {
+    return type === 'basic'
+  }
+  return false
+}
+
 async function authenticateRequest(ctx) {
   let user = null
 
-  // First attempt local authentication if enabled
+  // First attempt local or openid authentication if enabled
   if (user == null && ctx.req.user) {
     user = ctx.req.user
   }
   // Otherwise try token based authentication if enabled (@deprecated)
-  if (user == null) {
+  if (user == null && requestType(ctx, 'token')) {
     user = await authenticateToken(ctx)
   }
   // Otherwise try basic based authentication if enabled
-  if (user == null) {
+  if (user == null && requestType(ctx, 'basic')) {
     // Basic auth using middleware
     user = await authenticateBasic(ctx)
   }

src/api/users.js

@@ -39,14 +39,7 @@ export function me(ctx) {
 }
 
 export async function authenticate(ctx) {
-  if (!ctx.req.user) {
-    utils.logAndSetResponse(
-      ctx,
-      404,
-      `Could not be authenticaticated`,
-      'info'
-    )
-  } else {
+  if (ctx.req.user) {
     ctx.body = {
       result: 'User authenticated successfully',
       user: ctx.req.user
@@ -66,7 +59,6 @@ export async function authenticateToken(ctx, email) {
     'Token authentication strategy is deprecated. Please consider using Local or Basic authentication.'
   )
 
-
   try {
     email = unescape(email)
 
@@ -179,10 +171,9 @@ export async function userPasswordResetRequest(ctx, email) {
   }
 
   try {
-    const user = await UserModelAPI.findOneAndUpdate(
-      {email: utils.caseInsensitiveRegex(email)},
-      updateUserTokenExpiry
-    )
+    const user = await UserModelAPI.findOne({
+      email: utils.caseInsensitiveRegex(email)
+    })
     if (!user) {
       ctx.body = `Tried to request password reset for invalid email address: ${email}`
       ctx.status = 404
@@ -192,6 +183,17 @@ export async function userPasswordResetRequest(ctx, email) {
       return
     }
 
+    if (user.provider === 'keycloak') {
+      ctx.body = `User was provided by Keycloak. Could not be updated.`
+      ctx.status = 403
+      logger.info(
+        `Tried to request password reset for a user provided by Keycloak: ${email}`
+      )
+      return
+    }
+
+    await UserModelAPI.findByIdAndUpdate(user.id, updateUserTokenExpiry)
+
     const {consoleURL} = config.alerts
     const setPasswordLink = `${consoleURL}/#!/set-password/${token}`
 
@@ -299,6 +301,15 @@ export async function updateUserByToken(ctx, token) {
       ctx.status = 410
       return
     }
+
+    if (userDataExpiry.provider === 'keycloak') {
+      ctx.body = `User was provided by Keycloak. Could not be updated.`
+      ctx.status = 403
+      logger.info(
+        `Tried to request update by token for a user provided by Keycloak: ${token}`
+      )
+      return
+    }
   } catch (error) {
     utils.logAndSetResponse(
       ctx,
@@ -346,7 +357,10 @@ export async function updateUserByToken(ctx, token) {
       logger.warn(
         'Token authentication strategy is deprecated. Please consider using Local or Basic authentication.'
       )
-      ;({user, error} = await updateTokenUser(userUpdateObj))
+      ;({user, error} = await updateTokenUser({
+        ...userUpdateObj,
+        provider: 'token'
+      }))
       // Other providers
     } else {
       ;({user, error} = await apiUpdateUser(userUpdateObj))
@@ -430,6 +444,8 @@ export async function addUser(ctx) {
       delete userData.passwordSalt
       delete userData.passwordAlgorithm
       delete userData.password
+
+      userData.provider = password ? 'local' : 'token'
     }
 
     const user = new UserModelAPI(userData)
@@ -567,6 +583,15 @@ export async function updateUser(ctx, email) {
       ctx.status = 404
       return
     }
+
+    if (userDetails.provider === 'keycloak') {
+      ctx.body = `User was provided by Keycloak. Could not be updated.`
+      ctx.status = 403
+      logger.info(
+        `Tried to request update for a user provided by Keycloak via API: ${email}`
+      )
+      return
+    }
   } catch (e) {
     utils.logAndSetResponse(
       ctx,
@@ -615,6 +640,7 @@ export async function updateUser(ctx, email) {
         passwordAlgorithm,
         passwordHash,
         passwordSalt,
+        provider: 'token',
         ...userData
       }))
       // Other providers

src/koaApi.js

@@ -85,6 +85,20 @@ export function setupApp(done) {
       compose([passport.authenticate('local'), users.authenticate])
     )
   )
+  // Openid authentication
+  app.use(
+    route.post(
+      '/authenticate/openid',
+      compose([
+        (ctx, next) => {
+          ctx.request.query = ctx.request.body
+          return next()
+        },
+        passport.authenticate('openidconnect'),
+        users.authenticate
+      ])
+    )
+  )
   // @deprecated: Token authentication
   app.use(route.get('/authenticate/:username', users.authenticateToken))
 

src/middleware/sessionStore.js

@@ -1,4 +1,4 @@
-import {connectionAPI} from '../config'
+import {config, connectionAPI} from '../config'
 import {Schema} from 'mongoose'
 
 /**
@@ -47,6 +47,17 @@ class MongooseStore {
     return data
   }
 
+  // This function is required by 'passport-openidconnect'
+  verify = async function (req, handle, next) {
+    var state = {handle}
+    var ctx = {
+      maxAge: config.api.maxAge,
+      issued: ''
+    }
+
+    return next(null, ctx, state)
+  }
+
   static create() {
     return new MongooseStore()
   }

src/model/users.js

@@ -56,9 +56,9 @@ export const UserModel = connectionDefault.model('User', UserSchema)
  * and assign the newly created user a local Passport.
  *
  */
-export const createUser = async function (_user) {
-  // Create a clone to _user
-  const userToBeCreated = {..._user}
+export const createUser = async function (newUserData) {
+  // Create a clone to newUserData
+  const userToBeCreated = {...newUserData}
 
   let result = {error: null, user: null}
 
@@ -95,9 +95,9 @@ export const createUser = async function (_user) {
  * and assign the newly created user a local Passport.
  *
  */
-export const updateUser = async function (_user) {
-  // Create a clone to _user
-  const userToBeUpdated = {..._user}
+export const updateUser = async function (newUserData) {
+  // Create a clone to newUserData
+  const userToBeUpdated = {...newUserData}
 
   let result = {user: null, error: null}
 
@@ -118,15 +118,14 @@ export const updateUser = async function (_user) {
           await PassportModelAPI.findOne({
             protocol: 'local',
             user: user.id
+          }).then(async function (passport) {
+            if (passport) {
+              passport.password = password
+              result = await updatePassport(user, passport)
+            } else {
+              result = await createPassport(user, {password})
+            }
           })
-            .then(async function (passport) {
-              if (passport) {
-                passport.password = password
-                result = await updatePassport(user, passport)
-              } else {
-                result = await createPassport(user, {password})
-              }
-            })
         } else {
           result.user = user
         }
@@ -152,19 +151,20 @@ export const updateUser = async function (_user) {
  * and assign the newly created user a token Passport.
  *
  */
-export const updateTokenUser = async function (_user) {
-  // Create a clone to _user
-  const userToBeUpdated = {..._user, provider: 'token'}
+export const updateTokenUser = async function (newUserData) {
+  const provider = newUserData.provider ? newUserData.provider : 'token'
+  // Create a clone to newUserData
+  const userToBeUpdated = {...newUserData, provider}
 
   let result = {user: null, error: null}
 
-    const {passwordHash, passwordAlgorithm, passwordSalt} = userToBeUpdated
+  const {passwordHash, passwordAlgorithm, passwordSalt} = userToBeUpdated
 
-    if (passwordHash || passwordAlgorithm || passwordSalt) {
-      userToBeUpdated.passwordHash = null
-      userToBeUpdated.passwordSalt = null
-      userToBeUpdated.passwordAlgorithm = null
-    }
+  if (passwordHash || passwordAlgorithm || passwordSalt) {
+    userToBeUpdated.passwordHash = null
+    userToBeUpdated.passwordSalt = null
+    userToBeUpdated.passwordAlgorithm = null
+  }
 
   await UserModelAPI.findByIdAndUpdate(userToBeUpdated.id, userToBeUpdated, {
     new: true
@@ -175,21 +175,20 @@ export const updateTokenUser = async function (_user) {
         await PassportModelAPI.findOne({
           protocol: 'token',
           user: user.id
+        }).then(async function (passport) {
+          if (passport) {
+            passport.passwordHash = passwordHash
+            passport.passwordAlgorithm = passwordAlgorithm
+            passport.passwordSalt = passwordSalt
+            result = await updatePassport(user, passport)
+          } else {
+            result = await createPassport(user, {
+              passwordHash,
+              passwordAlgorithm,
+              passwordSalt
+            })
+          }
         })
-          .then(async function (passport) {
-            if (passport) {
-              passport.passwordHash = passwordHash
-              passport.passwordAlgorithm = passwordAlgorithm
-              passport.passwordSalt = passwordSalt
-              result = await updatePassport(user, passport)
-            } else {
-              result = await createPassport(user, {
-                passwordHash,
-                passwordAlgorithm,
-                passwordSalt
-              })
-            }
-          })
       } else {
         result.user = user
       }