datahub/datahub-frontend/app/controllers/SsoCallbackController.java

package controllers;

import auth.CookieConfigs;
import auth.sso.SsoManager;
import auth.sso.SsoProvider;
import auth.sso.oidc.OidcCallbackLogic;
import client.AuthServiceClient;
import com.linkedin.entity.client.SystemEntityClient;
import io.datahubproject.metadata.context.OperationContext;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import javax.annotation.Nonnull;
import javax.inject.Inject;
import javax.inject.Named;
import lombok.extern.slf4j.Slf4j;
import org.pac4j.core.adapter.FrameworkAdapter;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.FrameworkParameters;
import org.pac4j.core.engine.CallbackLogic;
import org.pac4j.play.CallbackController;
import org.pac4j.play.context.PlayFrameworkParameters;
import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Results;

/**
 * A dedicated Controller for handling redirects to DataHub by 3rd-party Identity Providers after
 * off-platform authentication.
 *
 * <p>Handles a single "callback/{protocol}" route, where the protocol (ie. OIDC / SAML) determines
 * the handling logic to invoke.
 */
@Slf4j
public class SsoCallbackController extends CallbackController {

  private final SsoManager ssoManager;
  private final Config config;
  private final CallbackLogic callbackLogic;

  @Inject
  public SsoCallbackController(
      @Nonnull SsoManager ssoManager,
      @Named("systemOperationContext") @Nonnull OperationContext systemOperationContext,
      @Nonnull SystemEntityClient entityClient,
      @Nonnull AuthServiceClient authClient,
      @Nonnull Config config,
      @Nonnull com.typesafe.config.Config configs) {
    this.ssoManager = ssoManager;
    this.config = config;
    setDefaultUrl("/"); // By default, redirects to Home Page on log in.

    callbackLogic =
        new SsoCallbackLogic(
            ssoManager,
            systemOperationContext,
            entityClient,
            authClient,
            new CookieConfigs(configs));
  }

  @Override
  public CompletionStage<Result> callback(Http.Request request) {
    FrameworkAdapter.INSTANCE.applyDefaultSettingsIfUndefined(this.config);

    return CompletableFuture.supplyAsync(
        () -> {
          return (Result)
              callbackLogic.perform(
                  this.config,
                  getDefaultUrl(),
                  getRenewSession(),
                  getDefaultClient(),
                  new PlayFrameworkParameters(request));
        },
        this.ec.current());
  }

  public CompletionStage<Result> handleCallback(String protocol, Http.Request request) {
    if (shouldHandleCallback(protocol)) {
      log.debug(
          "Handling SSO callback. Protocol: {}",
          ssoManager.getSsoProvider().protocol().getCommonName());
      return callback(request)
          .handle(
              (res, e) -> {
                if (e != null) {
                  log.error(
                      "Caught exception while attempting to handle SSO callback! It's likely that SSO integration is mis-configured.",
                      e);
                  return Results.redirect(
                          String.format(
                              "/login?error_msg=%s",
                              URLEncoder.encode(
                                  "Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.",
                                  StandardCharsets.UTF_8)))
                      .discardingCookie("actor")
                      .withNewSession();
                }
                return res;
              });
    }
    return CompletableFuture.completedFuture(
        Results.internalServerError(
            String.format(
                "Failed to perform SSO callback. SSO is not enabled for protocol: %s", protocol)));
  }

  /** Logic responsible for delegating to protocol-specific callback logic. */
  public class SsoCallbackLogic implements CallbackLogic {

    private final OidcCallbackLogic oidcCallbackLogic;

    SsoCallbackLogic(
        final SsoManager ssoManager,
        final OperationContext systemOperationContext,
        final SystemEntityClient entityClient,
        final AuthServiceClient authClient,
        final CookieConfigs cookieConfigs) {
      oidcCallbackLogic =
          new OidcCallbackLogic(
              ssoManager, systemOperationContext, entityClient, authClient, cookieConfigs);
    }

    @Override
    public Object perform(
        Config config,
        String inputDefaultUrl,
        Boolean inputRenewSession,
        String defaultClient,
        FrameworkParameters parameters) {
      if (SsoProvider.SsoProtocol.OIDC.equals(ssoManager.getSsoProvider().protocol())) {
        return oidcCallbackLogic.perform(
            config, inputDefaultUrl, inputRenewSession, defaultClient, parameters);
      }
      // Should never occur.
      throw new UnsupportedOperationException(
          "Failed to find matching SSO Provider. Only one supported is OIDC.");
    }
  }

  private boolean shouldHandleCallback(final String protocol) {
    if (!ssoManager.isSsoEnabled()) {
      return false;
    }
    updateConfig();
    return ssoManager.getSsoProvider().protocol().getCommonName().equals(protocol);
  }

  private void updateConfig() {
    final Clients clients = new Clients();
    final List<Client> clientList = new ArrayList<>();
    clientList.add(ssoManager.getSsoProvider().client());
    clients.setClients(clientList);
    config.setClients(clients);
  }
}
feat(graphql): migrating GraphQL API to metadata-service (nee GMS) (#3131) 2021-08-20 10:58:07 -07:00			`package controllers;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
fix(sso) Retrieve cookie configs separately from SSO configs (#7330) 2023-02-14 13:36:47 -05:00			`import auth.CookieConfigs;`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`import auth.sso.SsoManager;`
			`import auth.sso.SsoProvider;`
			`import auth.sso.oidc.OidcCallbackLogic;`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`import client.AuthServiceClient;`
feat(entity-client): enable client side cache for entity-client and usage-client (#8877) 2023-09-21 22:00:14 -05:00			`import com.linkedin.entity.client.SystemEntityClient;`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`import io.datahubproject.metadata.context.OperationContext;`
fix(ui): Long overdue - Fix red error screens during OIDC login, logout exception scenarios (#5708) 2022-08-23 09:54:34 -07:00			`import java.net.URLEncoder;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import java.nio.charset.StandardCharsets;`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`import java.util.ArrayList;`
			`import java.util.List;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import java.util.concurrent.CompletableFuture;`
			`import java.util.concurrent.CompletionStage;`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`import javax.annotation.Nonnull;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import javax.inject.Inject;`
feat(graph-retriever): implement graph retriever (#10241) 2024-04-16 10:12:48 -05:00			`import javax.inject.Named;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import lombok.extern.slf4j.Slf4j;`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`import org.pac4j.core.adapter.FrameworkAdapter;`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`import org.pac4j.core.client.Client;`
			`import org.pac4j.core.client.Clients;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import org.pac4j.core.config.Config;`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`import org.pac4j.core.context.FrameworkParameters;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import org.pac4j.core.engine.CallbackLogic;`
			`import org.pac4j.play.CallbackController;`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`import org.pac4j.play.context.PlayFrameworkParameters;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import play.mvc.Http;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`import play.mvc.Result;`
fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`import play.mvc.Results;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
			`/**`
			`* A dedicated Controller for handling redirects to DataHub by 3rd-party Identity Providers after`
			`* off-platform authentication.`
			`*`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`* <p>Handles a single "callback/{protocol}" route, where the protocol (ie. OIDC / SAML) determines`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`* the handling logic to invoke.`
			`*/`
			`@Slf4j`
			`public class SsoCallbackController extends CallbackController {`

refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`private final SsoManager ssoManager;`
			`private final Config config;`
			`private final CallbackLogic callbackLogic;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
			`@Inject`
feat(auth): Metadata Service Authentication! (#3598) 2021-11-22 16:33:14 -08:00			`public SsoCallbackController(`
			`@Nonnull SsoManager ssoManager,`
feat(graph-retriever): implement graph retriever (#10241) 2024-04-16 10:12:48 -05:00			`@Named("systemOperationContext") @Nonnull OperationContext systemOperationContext,`
feat(entity-client): enable client side cache for entity-client and usage-client (#8877) 2023-09-21 22:00:14 -05:00			`@Nonnull SystemEntityClient entityClient,`
fix(sso) Retrieve cookie configs separately from SSO configs (#7330) 2023-02-14 13:36:47 -05:00			`@Nonnull AuthServiceClient authClient,`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`@Nonnull Config config,`
fix(sso) Retrieve cookie configs separately from SSO configs (#7330) 2023-02-14 13:36:47 -05:00			`@Nonnull com.typesafe.config.Config configs) {`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`this.ssoManager = ssoManager;`
			`this.config = config;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`setDefaultUrl("/"); // By default, redirects to Home Page on log in.`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00
			`callbackLogic =`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`new SsoCallbackLogic(`
			`ssoManager,`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`systemOperationContext,`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`entityClient,`
			`authClient,`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`new CookieConfigs(configs));`
			`}`

			`@Override`
			`public CompletionStage<Result> callback(Http.Request request) {`
			`FrameworkAdapter.INSTANCE.applyDefaultSettingsIfUndefined(this.config);`

			`return CompletableFuture.supplyAsync(`
			`() -> {`
			`return (Result)`
			`callbackLogic.perform(`
			`this.config,`
			`getDefaultUrl(),`
			`getRenewSession(),`
			`getDefaultClient(),`
			`new PlayFrameworkParameters(request));`
			`},`
			`this.ec.current());`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

fix(security): play framework upgrade (#6626) * fix(security): play framework upgrade 2022-12-08 20:27:51 -06:00			`public CompletionStage<Result> handleCallback(String protocol, Http.Request request) {`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`if (shouldHandleCallback(protocol)) {`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`log.debug(`
			`"Handling SSO callback. Protocol: {}",`
			`ssoManager.getSsoProvider().protocol().getCommonName());`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return callback(request)`
			`.handle(`
			`(res, e) -> {`
			`if (e != null) {`
			`log.error(`
			`"Caught exception while attempting to handle SSO callback! It's likely that SSO integration is mis-configured.",`
			`e);`
			`return Results.redirect(`
			`String.format(`
			`"/login?error_msg=%s",`
			`URLEncoder.encode(`
			`"Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.",`
			`StandardCharsets.UTF_8)))`
			`.discardingCookie("actor")`
			`.withNewSession();`
			`}`
			`return res;`
			`});`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`return CompletableFuture.completedFuture(`
			`Results.internalServerError(`
			`String.format(`
			`"Failed to perform SSO callback. SSO is not enabled for protocol: %s", protocol)));`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`/** Logic responsible for delegating to protocol-specific callback logic. */`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`public class SsoCallbackLogic implements CallbackLogic {`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`private final OidcCallbackLogic oidcCallbackLogic;`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`SsoCallbackLogic(`
			`final SsoManager ssoManager,`
feat(graph-retriever): implement graph retriever (#10241) 2024-04-16 10:12:48 -05:00			`final OperationContext systemOperationContext,`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`final SystemEntityClient entityClient,`
			`final AuthServiceClient authClient,`
			`final CookieConfigs cookieConfigs) {`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`oidcCallbackLogic =`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`new OidcCallbackLogic(`
feat(graph-retriever): implement graph retriever (#10241) 2024-04-16 10:12:48 -05:00			`ssoManager, systemOperationContext, entityClient, authClient, cookieConfigs);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`

			`@Override`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`public Object perform(`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`Config config,`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`String inputDefaultUrl,`
			`Boolean inputRenewSession,`
			`String defaultClient,`
			`FrameworkParameters parameters) {`
			`if (SsoProvider.SsoProtocol.OIDC.equals(ssoManager.getSsoProvider().protocol())) {`
			`return oidcCallbackLogic.perform(`
			`config, inputDefaultUrl, inputRenewSession, defaultClient, parameters);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`// Should never occur.`
feat(lint): add spotless for java lint (#9373) 2023-12-06 11:02:42 +05:30			`throw new UnsupportedOperationException(`
			`"Failed to find matching SSO Provider. Only one supported is OIDC.");`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`}`

			`private boolean shouldHandleCallback(final String protocol) {`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`if (!ssoManager.isSsoEnabled()) {`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`return false;`
			`}`
			`updateConfig();`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`return ssoManager.getSsoProvider().protocol().getCommonName().equals(protocol);`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`}`

			`private void updateConfig() {`
			`final Clients clients = new Clients();`
			`final List<Client> clientList = new ArrayList<>();`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`clientList.add(ssoManager.getSsoProvider().client());`
feat(frontend): align frontend sso code with refactors (#9506) 2023-12-26 14:34:10 -06:00			`clients.setClients(clientList);`
refactor(datahub-frontend): upgrade frontend pac4j (#11709) 2024-10-28 09:05:16 -05:00			`config.setClients(clients);`
feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) (#3082) 2021-08-20 07:42:18 -07:00			`}`
			`}`