datahub/datahub-frontend/app/controllers/SsoCallbackController.java

package controllers;

import auth.CookieConfigs;
import auth.sso.SsoManager;
import auth.sso.SsoProvider;
import auth.sso.oidc.OidcCallbackLogic;
import client.AuthServiceClient;
import com.datahub.authentication.Authentication;
import com.linkedin.entity.client.SystemEntityClient;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import lombok.extern.slf4j.Slf4j;
import org.pac4j.core.config.Config;
import org.pac4j.core.engine.CallbackLogic;
import org.pac4j.core.http.adapter.HttpActionAdapter;
import org.pac4j.play.CallbackController;
import org.pac4j.play.PlayWebContext;
import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Results;

/**
 * A dedicated Controller for handling redirects to DataHub by 3rd-party Identity Providers after
 * off-platform authentication.
 *
 * <p>Handles a single "callback/{protocol}" route, where the protocol (ie. OIDC / SAML) determines
 * the handling logic to invoke.
 */
@Slf4j
public class SsoCallbackController extends CallbackController {

  private final SsoManager _ssoManager;

  @Inject
  public SsoCallbackController(
      @Nonnull SsoManager ssoManager,
      @Nonnull Authentication systemAuthentication,
      @Nonnull SystemEntityClient entityClient,
      @Nonnull AuthServiceClient authClient,
      @Nonnull com.typesafe.config.Config configs) {
    _ssoManager = ssoManager;
    setDefaultUrl("/"); // By default, redirects to Home Page on log in.
    setSaveInSession(false);
    setCallbackLogic(
        new SsoCallbackLogic(
            ssoManager,
            systemAuthentication,
            entityClient,
            authClient,
            new CookieConfigs(configs)));
  }

  public CompletionStage<Result> handleCallback(String protocol, Http.Request request) {
    if (shouldHandleCallback(protocol)) {
      log.debug(String.format("Handling SSO callback. Protocol: %s", protocol));
      return callback(request)
          .handle(
              (res, e) -> {
                if (e != null) {
                  log.error(
                      "Caught exception while attempting to handle SSO callback! It's likely that SSO integration is mis-configured.",
                      e);
                  return Results.redirect(
                          String.format(
                              "/login?error_msg=%s",
                              URLEncoder.encode(
                                  "Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.",
                                  StandardCharsets.UTF_8)))
                      .discardingCookie("actor")
                      .withNewSession();
                }
                return res;
              });
    }
    return CompletableFuture.completedFuture(
        Results.internalServerError(
            String.format(
                "Failed to perform SSO callback. SSO is not enabled for protocol: %s", protocol)));
  }

  /** Logic responsible for delegating to protocol-specific callback logic. */
  public class SsoCallbackLogic implements CallbackLogic<Result, PlayWebContext> {

    private final OidcCallbackLogic _oidcCallbackLogic;

    SsoCallbackLogic(
        final SsoManager ssoManager,
        final Authentication systemAuthentication,
        final SystemEntityClient entityClient,
        final AuthServiceClient authClient,
        final CookieConfigs cookieConfigs) {
      _oidcCallbackLogic =
          new OidcCallbackLogic(
              ssoManager, systemAuthentication, entityClient, authClient, cookieConfigs);
    }

    @Override
    public Result perform(
        PlayWebContext context,
        Config config,
        HttpActionAdapter<Result, PlayWebContext> httpActionAdapter,
        String defaultUrl,
        Boolean saveInSession,
        Boolean multiProfile,
        Boolean renewSession,
        String defaultClient) {
      if (SsoProvider.SsoProtocol.OIDC.equals(_ssoManager.getSsoProvider().protocol())) {
        return _oidcCallbackLogic.perform(
            context,
            config,
            httpActionAdapter,
            defaultUrl,
            saveInSession,
            multiProfile,
            renewSession,
            defaultClient);
      }
      // Should never occur.
      throw new UnsupportedOperationException(
          "Failed to find matching SSO Provider. Only one supported is OIDC.");
    }
  }

  private boolean shouldHandleCallback(final String protocol) {
    return _ssoManager.isSsoEnabled()
        && _ssoManager.getSsoProvider().protocol().getCommonName().equals(protocol);
  }
}
feat(graphql): migrating GraphQL API to metadata-service (nee GMS) (#3131) 2021-08-20 10:58:07 -07:00			`package controllers;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
fix(sso) Retrieve cookie configs separately from SSO configs (#7330) 2023-02-14 13:36:47 -05:00			`import auth.CookieConfigs;`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`import auth.sso.SsoManager;`
			`import auth.sso.SsoProvider;`
			`import auth.sso.oidc.OidcCallbackLogic;`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`import client.AuthServiceClient;`
			`import com.datahub.authentication.Authentication;`
feat(entity-client): enable client side cache for entity-client and usage-client (#8877) 2023-09-21 22:00:14 -05:00			`import com.linkedin.entity.client.SystemEntityClient;`
fix(ui): Long overdue - Fix red error screens during OIDC login, logout exception scenarios (#5708) 2022-08-23 09:54:34 -07:00			`import java.net.URLEncoder;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import java.nio.charset.StandardCharsets;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import java.util.concurrent.CompletableFuture;`
			`import java.util.concurrent.CompletionStage;`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`import javax.annotation.Nonnull;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import javax.inject.Inject;`
			`import lombok.extern.slf4j.Slf4j;`
			`import org.pac4j.core.config.Config;`
			`import org.pac4j.core.engine.CallbackLogic;`
			`import org.pac4j.core.http.adapter.HttpActionAdapter;`
			`import org.pac4j.play.CallbackController;`
			`import org.pac4j.play.PlayWebContext;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import play.mvc.Http;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import play.mvc.Result;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import play.mvc.Results;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
			`/**`
			`* A dedicated Controller for handling redirects to DataHub by 3rd-party Identity Providers after`
			`* off-platform authentication.`
			`*`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`* <p>Handles a single "callback/{protocol}" route, where the protocol (ie. OIDC / SAML) determines`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`* the handling logic to invoke.`
			`*/`
			`@Slf4j`
			`public class SsoCallbackController extends CallbackController {`

feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`private final SsoManager _ssoManager;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
			`@Inject`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`public SsoCallbackController(`
			`@Nonnull SsoManager ssoManager,`
			`@Nonnull Authentication systemAuthentication,`
feat(entity-client): enable client side cache for entity-client and usage-client (#8877) 2023-09-21 22:00:14 -05:00			`@Nonnull SystemEntityClient entityClient,`
fix(sso) Retrieve cookie configs separately from SSO configs (#7330) 2023-02-14 13:36:47 -05:00			`@Nonnull AuthServiceClient authClient,`
			`@Nonnull com.typesafe.config.Config configs) {`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`_ssoManager = ssoManager;`
			`setDefaultUrl("/"); // By default, redirects to Home Page on log in.`
fix(oidc): Avoid storing Pac4j profile in cookie (#6260) 2022-10-21 10:58:27 -07:00			`setSaveInSession(false);`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`setCallbackLogic(`
			`new SsoCallbackLogic(`
			`ssoManager,`
			`systemAuthentication,`
			`entityClient,`
			`authClient,`
			`new CookieConfigs(configs)));`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`public CompletionStage<Result> handleCallback(String protocol, Http.Request request) {`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`if (shouldHandleCallback(protocol)) {`
			`log.debug(String.format("Handling SSO callback. Protocol: %s", protocol));`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return callback(request)`
			`.handle(`
			`(res, e) -> {`
			`if (e != null) {`
			`log.error(`
			`"Caught exception while attempting to handle SSO callback! It's likely that SSO integration is mis-configured.",`
			`e);`
			`return Results.redirect(`
			`String.format(`
			`"/login?error_msg=%s",`
			`URLEncoder.encode(`
			`"Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.",`
			`StandardCharsets.UTF_8)))`
			`.discardingCookie("actor")`
			`.withNewSession();`
			`}`
			`return res;`
			`});`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return CompletableFuture.completedFuture(`
			`Results.internalServerError(`
			`String.format(`
			`"Failed to perform SSO callback. SSO is not enabled for protocol: %s", protocol)));`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`/** Logic responsible for delegating to protocol-specific callback logic. */`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`public class SsoCallbackLogic implements CallbackLogic<Result, PlayWebContext> {`

			`private final OidcCallbackLogic _oidcCallbackLogic;`

feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`SsoCallbackLogic(`
			`final SsoManager ssoManager,`
			`final Authentication systemAuthentication,`
			`final SystemEntityClient entityClient,`
			`final AuthServiceClient authClient,`
			`final CookieConfigs cookieConfigs) {`
			`_oidcCallbackLogic =`
			`new OidcCallbackLogic(`
			`ssoManager, systemAuthentication, entityClient, authClient, cookieConfigs);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

			`@Override`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`public Result perform(`
			`PlayWebContext context,`
			`Config config,`
			`HttpActionAdapter<Result, PlayWebContext> httpActionAdapter,`
			`String defaultUrl,`
			`Boolean saveInSession,`
			`Boolean multiProfile,`
			`Boolean renewSession,`
			`String defaultClient) {`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`if (SsoProvider.SsoProtocol.OIDC.equals(_ssoManager.getSsoProvider().protocol())) {`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return _oidcCallbackLogic.perform(`
			`context,`
			`config,`
			`httpActionAdapter,`
			`defaultUrl,`
			`saveInSession,`
			`multiProfile,`
			`renewSession,`
			`defaultClient);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`// Should never occur.`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`throw new UnsupportedOperationException(`
			`"Failed to find matching SSO Provider. Only one supported is OIDC.");`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`}`

			`private boolean shouldHandleCallback(final String protocol) {`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return _ssoManager.isSsoEnabled()`
			`&& _ssoManager.getSsoProvider().protocol().getCommonName().equals(protocol);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`}`