-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
STCOR-875 merge eureka work to mainline #1532
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There's a lot going on here, but fundamentally the changes are split into two main categories: * route authentication requests to/from keycloak * handle discovery dynamically via an API request AFTER authentication instead of reading a static module list from `stripes.config.js`
* Update URL redirect to allow back button support * Clean up unused and duplicate code * lint * Add URL param to indicate Consortium --------- Co-authored-by: Zak Burke <zburke@ebsco.com>
* handle legacy discovery via Okapi APIs * handle legacy logout via internal redirect to `/` * handle legacy version display on `/settings/about` There is not really as much work here as it appears. All the new components were split out of `About` in order to allow sub-sections to be reused with both application-based and module-based discovery information. Likewise, `loginServices.js` and `discoveryServices.js` were modestly refactored to handled both APIs. And there are Jest/RTL tests to replace the BTOG test that could not be easily updated to handle the new APIs since its `stripes-config` stub is part of `@folio/stripes-cli` instead of being declared locally. Refs STCOR-773
…1399) When the `users-keycloak` interface is available, use the endpoints it provides in place of the legacy endpoints. Refs STCOR-795, UIU-3031
Move auth tokens into HTTP-only cookies and implement refresh token rotation (STCOR-671) by overriding global.fetch and global.XMLHttpRequest, disabling login when cookies are disabled (STCOR-762). This functionality is implemented behind an opt-in feature-flag (STCOR-763). Okapi and Keycloak do not handle the same situations in the same ways. Changes from the original implementation in PR #1376: * When a token is missing: * Okapi sends a 400 `text/plain` response * Keycloak sends a 401 `application/json` response * Keycloak authentication includes the extra step of exchanging the OTP for the AT/RT and that request needs the `credentials` and `mode` options * Some `loginServices` functions now retrieve the host the access from the `stripes-config` import instead of a function argument * always permit `/authn/token` requests to go through Refs STCOR-796, STCOR-671 (cherry picked from commit 0361353)
* STCOR-803 Add config option for logout mode * Lint fix
…component. (#1411) (#1422) * move async localforage.clear to afterEach * remove BTOG sso login tests, add sso login jest tests * Update CHANGELOG.md * move describe block comments to it blocks.. remove describe blocks (cherry picked from commit 79c76c4) Co-authored-by: John Coburn <jcoburn@ebsco.com>
If the response from `/auth/token?code=...` is OK, parse it to immediately store the AT/RT expiration values (or use a near-future date if values are not provided). Stripes must expect the RT to be valid for any future API call to succeed; otherwise, it will assume the RT has expired resulting in a race condition with the RTR handler dispatching an RTR_ERROR_EVENT but discovery succeeding and re-rendering. This would result in the API call to `.../_self` issued by `requestUserWithPerms` being swallowed and `stripes.user` being populated with an empty object, causing all kinds of problems down the line for any code that leveraged it. Refs STCOR-811
) Include the `X-Okapi-Tenant` header in `/authn/logout` requests, and clear `localStorage` settings as well. `X-Okapi-Tenant` is required for requests to be properly routed; if this request failed, the browser session would be destroyed by the keycloak session would remain active, a security risk. Clearing `localStorage.tenant` is necessary to prevent an incorrect value from being cached and inadvertently reused on subsequent login requests. Refs STCOR-812
The shape of the permissions object differs between responses from calls to `login` and calls to `_self`. This is not awesome. We didn't notice this glitch prior to implementing keycloak because when resuming an existing session (i.e. when calling `_self`), permissions are set as the union of permissions in storage (i.e. stored by a call to `login`) and those from the call to `_self`. We just never noticed that the latter was always empty. With keycloak handling authentication, however, the _only_ permissions we ever receive are in the response from `_self`, so we noticed this immediately. Refs STCOR-813
Remove references to the `stripes.config.js::config` values `tenantManagerUrl` and `applicationManagerUrl`. These were present in early drafts of this work but have since been deprecated and therefore must be removed from code as well. Refs STCOR-810
…page (#1426) * STCOR-803 Add config option for logout mode * Lint fix * Revert "STCOR-803 Add config option for logout mode" This reverts commit b9d2604. * STCOR-803 Simplify logout workflow to bypass keycloak confirmation page. * STCOR-803 PR comments * Revert "STCOR-803 PR comments" This reverts commit 037b6a2. * STCOR-803 Restore console log
Remove references to the `stripes.config.js::config` values `tenantManagerUrl` and `applicationManagerUrl`. These were present in early drafts of the new discovery work but have since been deprecated and therefore must be removed from code as well. Replaces #1418, which did this work incorrectly (referring to `okapi.[...]` instead of `config.[...]`). Refs STCOR-810
* STCOR-816 only fetch /saml/check when login-saml is present When restoring an existing session, after discovery, do not fetch from `/saml/check` unless the `login-saml` interface (indicating SSO/SAML is available). The 404 clutters the log. Refs STCOR-816 * Missing semicolon --------- Co-authored-by: Ryan Berger <rberger@ebsco.com>
* STCOR-776 show "Keep working?" prompt when session ages The main feature here is to track the RT's TTL and use it to show a "Your session is about to expire; keep working?" prompt so the user can fire off RTR in order to keep the session alive. Knock-on effects include tracking such events across multiple windows, so logging out in one window immediately logs you out in others, and so a successful RTR event in one window closes any open "Still working?" prompts in others. It sounds big, and it looks big, but once you wrap your head around it isn't so bad. A couple things to note: The `loginServices::eventManager()` function provides two event-related function, `listen` and `emit` that handle single-window events (i.e. `window.dispatchEvent()`/`window.addEventListener()`) and multi-window events (i.e. BroadcastChannel.post() and BroadcastChannel.addEventListener()`). This simplifies the API for sending and receiving events. [Documentation for BroadcastChannel](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API) is pretty good and worth a look. The thing to keep in mind with single-window events is that they are sent and received in the same window, whereas BroadcastChannel events are sent in one window but received in all others. `<SessionEventContainer>` is instantiated near the top of `<RootWithIntl>`, just like `<OverlayContainer>`. It sets itself up as the listener for all session-related events, including RTR-success (which will close an open "Keep working?" prompt), RTR-failure (which will cause logout), logout (i.e. a logout event from another window), and idle session (i.e. the RT is about to expire, which will show the "Keep working?" modal). Other session-related event handlers have been removed in favor of consolidating them all in this component. The `<KeepWorkingModal>` calls RTR if the user closes it, causing the session to be extended. By default it displays 60 seconds before the session expires but this can be changed by adjusting `stripes.config.js::config.idleSessionWarningSeconds`. If the timer counts down to 0, it emits a session-expired event, causing logout. Refs STCOR-776 * test repair * tests are nice * test infrastructure cleanup * import from @folio/jest-config-stripes/testing-library to get current versions * rename `dismissible` to `_dismissible` on destructure to prevent complaints about it not being used. lint and jest are both happy! * fix prop-types in test props, which is probably a losing battle * tests for SessionEventContainer, KeepWorkingModal Externalize SessionEventContainer event handlers and call them with 1,000 arguments, but at least DI makes them testable. I don't love this, but jest really couldn't grok having an event-handler trigger a state-change. If the render and event were both triggered within a single `act()` the re-render got swallowed. If the original render was outside an `act()` then jest complained state was changing outside the `act()` function. Whaddayawant? * codesmell cleanup recommended by sonar * tyop * Lint fixes * Remove commented-out code --------- Co-authored-by: Ryan Berger <rberger@ebsco.com>
…LFetch` (#1438) * STCOR-821 Add `idName` and `limit` as passable parameters to `useChunkedCQLFetch` * Update CHANGELOG
Refs STCOR-789.
…in the path or query arguments (#1445) * STCOR-820 Add support for optionaly passing token by URL param * Remove console.log * Update CHANGELOG.md
Stripes should render `<ModuleContainer>` either when discovery is complete or when okapi isn't present at all, i.e. when `stripes.config.js` doesn't even contain an `okapi` entry. What's most amazing about this bug is not the bug, which is a relatively simple typo, but that it didn't bite us for more than six years. BTOG init never conducted discovery, but _did_ pass an okapi object during application setup, which is another way of saying that our application didn't have anything that relied on the presence of this bug, but our test suite did. :| Ignore the "new" AuthnLogin test file; those tests were previously stashed in `RootWithIntl.test.js` for some reason and have just been relocated. Refs STCOR-864
Two things happen when idle-session-timeout kicks in: 1. the redux store is updated to clear out the session 2. the URL is updated to `/logout-timeout` It sounds simple, but it gets messy when `<RootWithIntl>` re-renders when the store updates because that's where routes are defined. Previously, with event-handlers separately calling `logout()` to update the store and `history.push()` to update the URL, you could end up in an unexpected situation such as being logged-out before the URL updated to `/logout-timeout`, causing the default route-match handler to kick in and redirect to the login screen. The changes here consolidate calls to `logout()` into the components bound to `/logout` (`<Logout>`) and `/logout-timeout` (`<LogoutTimeout>`). Event handlers that previously did things like ``` return logout(...) // update redux and other storage .then(history.push(...)) // update URL ``` are now limited to updating the URL. This means directly accessing the routes `/logout` and `/logout-timeout` always terminates a session, and the logic around logout is both simpler and better contained within components whose purpose, by dint of their names, is blindingly clear. The minor changes in `<MainNav>` are just clean-up work, removing cruft that is no longer in use. Refs STCOR-865
…rmissions instead of okapi permissions if roles interface is presented (#1491) Refs STCOR-834.
The RTR cycle is kicked off when processing the response from an authentication-related request. `/users-keycloak/_self` was missing from the list, which meant that RTR would never kick off when a new tab was opened for an existing session. Refs STCOR-866
* Add permission display names lookup table to Redux * Sonar fixes
RTR may be implemented such that each refresh extends the session by a fixed interval, or the session-length may be fixed causing the RT TTL to gradually shrink until the session ends and the user is forced to re-authenticate. This PR implements handling for the latter scenario, showing a non-interactive "this session will expire" banner before the session expires and then redirecting to `/logout` to clear out session data. By default the warning is visible for one minute. It may be changed at build-time by setting the `stripes.config.js` value `config.rtr.fixedLengthSessionWarningTTL` to any value parseable by `ms()`, e.g. `30s`, `1m`, `1h`. Cache the current path in session storage prior to a timeout-logout, allowing the user to return directly to that page when re-authenticating. The "interesting" bits are mostly in `FFetch` where, in addition to scheduling AT rotation, there are two new `setTimer()` calls to dispatch the FLS-warning and FLS-timeout events. Handlers for these are events are located with other RTR event handlers in `SessionEventContainer`. There are corresponding reducer functions in `okapiActions`. Both it and `okapiReducer` were refactored to use constants instead of strings for their action-types. The refactor is otherwise insignificant. Refs STCOR-862
so that state is not dropped when adding permission display names. The previous code was improper Redux behavior.
When a session ends due to timeout, the current location is stored in order to allow the subsequent session to begin where the previous one left off. If the "session timeout" event fires more than once**, however, this could lead to the `/logout` location being stored as the "return to" location with obvious dire consequences. There are two changes here: 1. Don't allow locations beginning with `/logout` to be stored. This fixes the symptom, not the root cause, but is still worthwhile. 2. Store the session-timeout interval ID in redux, and manage that timer via a redux action. Even though this _still_ shouldn't fire more than once, if it does, this allows us to cancel the previous timer before adding the next one. This is an attempt to fix the root cause. Refs STCOR-869
…e expires (#1513) * Added a small time margin to wait so that cookie is not deleted before /logout request * Fix test and lint issue
#1524) Without a `key` prop to distinguish the elements rendered by `<SessionEventContainer>`, they could interact badly. In particular, if both elements (`<KeepWorkingModal>`, `<FixedLengthSessionWarning>`) were displayed, dismissing the former would cause the latter to remount, thus restarting the timer and putting it out of sync with when the session will actually end. When React warns you about missing keys, it ain't foolin'! Refs STCOR-874 (cherry picked from commit d4e9f1d)
…edCQLFetch` for manipulations in the context of a specific tenant (#1519) * STCOR-873 Ensure support for the passed 'tenantId' value by 'useChunkedCQLFetch' for manipulations in the context of a specific tenant * resolve description issues * tests
… default base URL. (#1531) * Clear saved entry path so that subsequent logins will use default base URL * Moving removeUnauthorizedPathFromSession() to OIDCRedirect so the value is cleared right after being used rather than on logout * Add comment
`keycloak-ramsons` is different from `master` in numerous small but significant ways. This brings them back into compatibility. Refs STCOR-875
zburke
force-pushed
the
keycloak-ramsons
branch
from
September 16, 2024 12:30
4176fde
to
f694821
Compare
The bugfix for STCOR-865, #1500, resulted in vastly simpler logic in the SessionEventContainer event handlers as well as simple and predictable and behavior in the Logout and LogoutTimeout components. Restore that logic; it's better. Refs STCOR-865, STCOR-875
STCOR-875 sync keycloak-ramsons to master
…#1536) Include the optional interfaces `consortia`, `roles`, and `users-keycloak`. Refs STCOR-889
Quality Gate failedFailed conditions |
zburke
added a commit
that referenced
this pull request
Sep 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The time has come. The time is now.
keycloak-eureka
will you please merge now!You can go in a merge commit. You can squash with ease.
You can go in a rebase. But please merge. Please!
provides
property on interfaces in Settings > Aboutusers-keycloak
interface is present, use its API for password-reset/authn/token
responseX-Okapi-Tenant
header in call to/authn/logout
.../_self
permissionsstripes-config::config.tenantOptions
in place of deprecated tenant-entitlement values/saml/check
whenlogin-saml
interface is presenttypeof stripes.okapi
logout()
exclusively from/logout*
routes: refactor
useUserTenantPermissionsto switch on
roles` interface presence/users-keycloak/_self
in auth-n requests #1502: include/users-keycloak/_self
in list of authentication-related endpoints/logout*
as a return-to URL; ensure/logout
is called with a valid tokenuseChunkedCQLFetch()
key
to<SessionEventContainer>
componentstenantId
value byuseChunkedCQLFetch
for manipulations in the context of a specific tenant #1519:useChunkedCQLFetch()
should usetenantId
argument when presentI said MERGE and MERGE I meant....
The time had come ... so keycloak went.