Updated the progress; described the error and potential solutions

Create nginx template
ncsa · Aug 22, 2024 · d7c4ab9 · d7c4ab9
1 parent 21d513f
commit d7c4ab9
Show file tree

Hide file tree

Showing 8 changed files with 495 additions and 0 deletions.
diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml
@@ -0,0 +1,84 @@
+name: GHCR Publish
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "**" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*' ]
+  #schedule:
+  #  - cron: '30 15 * * *'
+  #pull_request:
+  #  branches: [ main ]
+
+env:
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: "ghcr.io"
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # # Install the cosign tool except on PR
+      # # https://github.com/sigstore/cosign-installer
+      # - name: Install cosign
+      #   if: github.event_name != 'pull_request'
+      #   uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+      #   with:
+      #     cosign-release: 'v1.4.0'
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            "type=raw,value={{date 'X'}}_{{tag}}{{branch}}_{{sha}}"
+            "type=raw,value=latest"
+            "type=ref,event=tag"
+            "type=semver,pattern=v{{major}}"
+            "type=ref,event=branch"
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v3
+        with:
+          #context: "{{defaultContext}}:jiracmdline"
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/CILogon/README.md b/CILogon/README.md
@@ -0,0 +1,60 @@
+## CILogon Authentication Workflow
+
+- [CILogon (OIDC)](https://www.cilogon.org/oidc)
+- The Curl example is able to function normally.
+- A place to reset cookies (may or may not be related): https://cilogon.org/me/
+
+## OIDC Authentication Error
+
+**Error**: request to the redirect_uri path but there's no session state found \
+**Url**: GET
+/redirect_uri?code=NB2HI4DTHIXS6Y3JNRXWO33OFZXXEZZPN5QXK5DIGIXTIYZXG43DQZRRMIZGMOJWG5TGIZLCGIYDGM3DMFQTMZLDMY4TEYR7OR4XAZJ5MF2XI2D2I5ZGC3TUEZ2HGPJRG4ZDENJUHE4TINJYHA3SM5TFOJZWS33OHV3DELRQEZWGSZTFORUW2ZJ5HEYDAMBQGA&state=d8adb4fd4055cbb6ecd091b74d26317a
+HTTP/1.1
+
+In the keycloak error, the url also contains **session_state** and **state** parameters. This url only contains **code**.
+In the Curl example from CILogon, the returned url also only contains **code**.
+
+### Possible Solutions?
+
+- https://github.com/bungle/lua-resty-session#string-sessioncookiesamesite
+  - Changing settings for `lua-resty-session` may help?
+- https://github.com/zmartzone/lua-resty-openidc/issues/338
+    - Something related to `$session_cookie_samesite` being `strict`.
+    - Something related to not having callback url as `/redirect_uri`.
+- https://github.com/zmartzone/lua-resty-openidc/issues/422
+    - **Quote**: "no session state found" means your user's browser has invoked the redirect_uri but the request does
+      not
+      contain a session cookie (or it has expired). There are many reasons why a browser does not send the cookie, the
+      cookie's SameSite setting mentioned in #338 is only one of them. I don't think it is possible to guess why it
+      happens
+      on your side, the best you can do is try to reproduce the problem and watch the developer tools of your browser to
+      see
+      why it does not send the cookie - it usually will tell you.
+- https://github.com/zmartzone/lua-resty-openidc/issues/499
+    - **Quote**: There is no reason why anybody would want to navigate the redirect_uri outside of the OIDC
+      authentication flow. This should never be a "normal" URI of your application. The premise "when users configure
+      the redirect_uri value as 127.0.0.1:8080/test" simply should never happen.
+- https://github.com/zmartzone/lua-resty-openidc/issues/462
+  - Something related to package versions.
+- https://github.com/apache/apisix/issues/3200
+  - Seems like putting `"session": {
+        "secret": "<a random string>"
+      }` in the opts table might help.
+- https://github.com/zmartzone/lua-resty-openidc/issues/243
+  - Making the callback url as `/callback` somehow magically solves this person's problem??
+- https://github.com/zmartzone/lua-resty-openidc/issues/213
+  - Something related to `$session_secret`.
+
+### Recommended Future Approaches
+- **Find a way to debug the issue**. Since the error is not very descriptive, it is hard to find the root cause.
+- Submit an issue to the `lua-resty-openidc` repo.
+- Try the above methods (although most of them have been tested).
+- Compare results with the keycloak authentication.
+- Understand more about how the sessions/cookies are being set. Understand more about the OIDC Authentication Flow.
+- Try to find an alternative to `lua-resty-openidc`?
+
+## TODO
+- Regenerate Client ID and Secret.
+- May need to create another confluence account or renew the current PAT once in a while (or set a permanent one).
+- Solve the authentication error...
+- After solving the error, implement the proxy in the virtual environment.
diff --git a/CILogon/nginx.conf b/CILogon/nginx.conf
@@ -0,0 +1,143 @@
+#user  nobody;
+worker_processes  1;
+
+error_log  /opt/homebrew/var/log/openresty/error.log debug;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    resolver 8.8.8.8;
+
+    lua_package_path '~/lua/?.lua;;';
+    lua_shared_dict discovery 1m;
+    lua_shared_dict jwks 1m;
+    lua_shared_dict sessions 10m;
+
+    init_by_lua_block {
+        require("resty.core")
+        ngx.log(ngx.ERR, "OpenResty initialization started")
+    }
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    access_log  /opt/homebrew/var/log/openresty/access.log;
+
+    server {
+        listen 8080;
+        server_name localhost;
+        root /opt/nginx/html;
+
+        location / {
+            access_by_lua_block {
+                local opts = {
+                    redirect_uri = "http://localhost:8080/redirect_uri",
+                    discovery = "https://cilogon.org/.well-known/openid-configuration",
+                    client_id = "<client_id>",
+                    client_secret = "<client_secret>",
+                    ssl_verify = "no",
+                    scope = "openid email profile org.cilogon.userinfo",
+                    redirect_uri_scheme = "http",
+                    session_contents = {id_token=true},
+                    renew_access_token_on_expiry = true,
+                    accept_none_alg = false
+                }
+
+                ngx.log(ngx.ERR, "Starting OpenID Connect authentication")
+
+                local res, err = require("resty.openidc").authenticate(opts)
+
+                if err then
+                    ngx.log(ngx.ERR, "Authentication failed: " .. err)
+                    ngx.status = 403
+                    ngx.say(err)
+                    ngx.exit(ngx.HTTP_FORBIDDEN)
+                end
+
+                ngx.log(ngx.ERR, "Authentication successful, session created")
+            }
+
+            proxy_pass https://wiki.ncsa.illinois.edu;
+            proxy_set_header Host wiki.ncsa.illinois.edu;
+            proxy_set_header Authorization "Bearer <PAT>";  # Your PAT
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-NginX-Proxy true;
+
+            proxy_set_header Accept-Encoding "";
+            proxy_set_header Accept-Language $http_accept_language;
+            proxy_set_header Cookie $http_cookie;
+            proxy_set_header User-Agent $http_user_agent;
+
+            proxy_set_header Origin "https://wiki.ncsa.illinois.edu";
+            proxy_set_header Referer "https://wiki.ncsa.illinois.edu/plugins/personalaccesstokens/usertokens.action";
+
+            proxy_set_header X-Atlassian-Token no-check;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+
+            proxy_hide_header Content-Security-Policy;
+
+            add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always;
+
+            add_header Access-Control-Allow-Origin * always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always;
+
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options SAMEORIGIN always;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        }
+
+        location /synchrony {
+            proxy_pass https://wiki.ncsa.illinois.edu/synchrony;
+            proxy_set_header Host wiki.ncsa.illinois.edu;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-NginX-Proxy true;
+
+            proxy_set_header Accept-Encoding "";
+            proxy_set_header Accept-Language $http_accept_language;
+            proxy_set_header Cookie $http_cookie;
+            proxy_set_header User-Agent $http_user_agent;
+
+            proxy_set_header Origin "https://wiki.ncsa.illinois.edu";
+            proxy_set_header Referer "https://wiki.ncsa.illinois.edu";
+
+            proxy_set_header X-Atlassian-Token no-check;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+
+            proxy_hide_header Content-Security-Policy;
+
+            add_header Content-Security-Policy "default-src 'self' https://wiki.ncsa.illinois.edu 'unsafe-inline' 'unsafe-eval' data:; img-src 'self' https://wiki.ncsa.illinois.edu data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://wiki.ncsa.illinois.edu; style-src 'self' 'unsafe-inline' https://wiki.ncsa.illinois.edu; connect-src 'self' https://wiki.ncsa.illinois.edu https://wiki.ncsa.illinois.edu/synchrony; frame-src 'self' https://wiki.ncsa.illinois.edu;" always;
+
+            add_header Access-Control-Allow-Origin * always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Origin, Authorization, X-Requested-With, Content-Type, Accept" always;
+
+            add_header X-Content-Type-Options nosniff always;
+            add_header X-Frame-Options SAMEORIGIN always;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   html;
+        }
+    }
+    include servers/*;
+}
diff --git a/CILogon/nginx.conf.template b/CILogon/nginx.conf.template
@@ -0,0 +1,74 @@
+#user  nobody;
+worker_processes  1;
+
+error_log  /usr/local/openresty/nginx/conf/error.log debug;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    resolver 8.8.8.8;
+
+    lua_package_path '~/lua/?.lua;;';
+    lua_shared_dict discovery 1m;
+    lua_shared_dict jwks 1m;
+    lua_shared_dict sessions 10m;
+
+    init_by_lua_block {
+        require("resty.core")
+        ngx.log(ngx.ERR, "OpenResty initialization started")
+    }
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    access_log  /usr/local/openresty/nginx/conf/access.log;
+
+    server {
+        listen 80;
+        server_name localhost;
+        root /opt/nginx/html;
+
+        location / {
+            access_by_lua_block {
+                local opts = {
+                    redirect_uri = "http://localhost:80/redirect_uri",
+                    discovery = "https://cilogon.org/.well-known/openid-configuration",
+                    client_id = "${CLIENT_ID}",
+                    client_secret = "${CLIENT_SECRET}",
+                    ssl_verify = "no",
+                    scope = "openid email profile org.cilogon.userinfo",
+                    redirect_uri_scheme = "http",
+                    session_contents = {id_token=true},
+                    renew_access_token_on_expiry = true,
+                    accept_none_alg = false
+                }
+
+                ngx.log(ngx.ERR, "Starting OpenID Connect authentication")
+
+                local res, err = require("resty.openidc").authenticate(opts)
+
+                if err then
+                    ngx.log(ngx.ERR, "Authentication failed: " .. err)
+                    ngx.status = 403
+                    ngx.say(err)
+                    ngx.exit(ngx.HTTP_FORBIDDEN)
+                end
+
+                ngx.log(ngx.ERR, "Authentication successful, session created")
+            }
+
+            proxy_pass https://wiki.ncsa.illinois.edu;
+            proxy_set_header Host wiki.ncsa.illinois.edu;
+            proxy_set_header Authorization "Bearer ${PAT}";  # Your PAT
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   html;
+        }
+    }
+    include servers/*;
+}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,16 @@
+# Start with an official OpenResty base image
+FROM openresty/openresty:centos
+
+# Set work directory 
+WORKDIR /
+
+# Installs lua_resty_openidc 
+RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-openidc 
+
+# Copy custom nginx.conf
+COPY ./CILogon/nginx.conf.template /usr/local/openresty/nginx/conf/
+
+CMD ["/bin/sh", "-c", "envsubst < /usr/local/openresty/nginx/conf/nginx.conf.template > /usr/local/openresty/nginx/conf/nginx.conf && openresty -g 'daemon off;'"]
+
+
+