Support For External IDP and External User Pool Provider In data.all #897

TejasRGitHub · 2023-12-01T17:41:19Z

Feature or Bugfix

Feature

Detail

Currently data.all uses Cognito for user login and also maintains the user pool for teams/groups in data.all.

This feature adds support to add any external OIDC based IdP. Apart from that , any external service provider can be used for maintaining teams/groups information.

This PR contains both backend and frontend changes for External IDP.

Note - When deploying with External IDP the user guide won't be setup as a part of deployment. Created following github issue to track this incremental change - #898

Testing

Local Development environment with Local Auth Context
make test - Unit Tests
Deployment to AWS With Cognito
Deployment to AWS with External IDP

Relates

Github Issue - #872

Credits - This code change was build on top of work done by @blitzmohit

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

Does this PR introduce or modify any input fields or queries - this includes
fetching data from storage outside the application (e.g. a database, an S3 bucket)? Yes
- Is the input sanitized? Yes
- What precautions are you taking before deserializing the data you consume? N/A
- Is injection prevented by parametrizing queries? N/A
- Have you ensured no eval or similar functions are used? N/A
Does this PR introduce any functionality or component that requires authorization? Yes
- How have you ensured it respects the existing AuthN/AuthZ mechanisms? Yes
- Are you logging failed auth attempts? Yes ( At External IDP )
Are you using or adding any cryptographic features? No
- Do you use a standard proven implementations?
- Are the used keys controlled by the customer? Where are they stored?
Are you introducing any new policies/roles/users? Yes
- Have you used the least-privilege principle? How? Yes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Changes from Open Source

Merged From Open source

TejasRGitHub · 2023-12-01T20:03:54Z

Todo -

Fix Semgrep Issue occuring in GenericAuthContext.js file
Add Readme for this change in gh-pages branch -> Readme for Setting up External Idp #903

New Changed Merged

deploy/configs/frontend_config.py

deploy/stacks/pipeline.py

deploy/stacks/cloudfront.py

dlpzx

I am reviewing in parts. At the moment I am reviewing the deployment part

dlpzx

Some more comments. I still need to review the custom resources in the deployment

deploy/stacks/cloudfront.py

backend/api_handler.py

deploy/stacks/lambda_api.py

tests/core/groups/test_group.py

frontend/src/reauthentication/contexts/RequestContext.js

frontend/src/services/hooks/useGroups.js

frontend/src/authentication/services/getServiceProviderInfo.js

dlpzx · 2023-12-08T12:38:39Z

I am testing in AWS in a deployment with default parameters. (Cognito Auth)

There is a conflict to be resolved but is a very straight forward one @TejasRGitHub
Tests:
CICD deploys successfully
login window rendered
open UI, first API call to api handler listEnvironments successfully returns the environments of my user
open catalog, API call to search handler successfully returns all data items
UI shows user guide
UI shows user name in the top right corner
invite team modal in environment lists all Cognito groups
create Dataset, list groups successfully and passes user as owner

backend/dataall/core/groups/api/resolvers.py

backend/dataall/base/aws/cognito.py

noah-paige · 2023-12-08T14:48:48Z

backend/dataall/core/groups/api/queries.py

+from dataall.base.api import gql
+from dataall.core.groups.api.resolvers import get_group, list_groups, get_groups_for_user
+
+getGroup = gql.QueryField(


is getGroup used anywhere other than tests?

Yes, atleast from what I searched . It just seems to have been used in tests.

@noah-paige is there any clean-up issue that is already filed ? This can be added into it

…d alb frontend changes as per custom auth

deploy/stacks/albfront_stack.py

…naming conventiosn and added guardrails

noah-paige · 2023-12-11T18:27:09Z

deploy/stacks/pipeline.py

noah-paige · 2023-12-12T15:06:24Z

Testing Custom Auth + VPC Facing (updating as I test):

CICD Pipeline Deploys --> Only After fixing ...-cognito-config-role issue
- No User Guide Resources Created
- Custom Authorizer Created
Log In via External IdP
Open UI, first API call to api handler listEnvironments successfully returns the environments of my user
open catalog, API call to search handler successfully returns all data items
UI shows user name in the top right corner
ReAuth on ListOrg successful and successfully lists orgs and re-directs to page after providing credentials again
User Log Out from UI successfully

dlpzx · 2023-12-12T17:07:00Z

dlpzx

Good to merge!

…nd (#913) …nd stack ### Feature or Bugfix  - Bugfix ### Detail - Config Role used to read SSM parameters in deployment account assumed by tooling account needs to be created in the BackendStack so it can be used in the pre CodeBuild commands of the ALBFront Stack - Applies for VPC Facing Deployments ### Relates - #897 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

TejasRGitHub and others added 8 commits December 1, 2023 11:05

Backend and Frontend Changes For External Idp Changes

ed8b16f

Merge branch 'main' of https://github.com/TejasRGitHub/aws-dataall

93e64fe

Changes from Open Source

Backend and Frontend Changes For External Idp Changes -1

89af5ab

Merge branch 'main' of https://github.com/TejasRGitHub/aws-dataall

684ed18

Merged From Open source

Backend and Frontend Changes For External Idp Changes - 2

f173c2a

semgrep and linting corrections

0f4b88e

npm audit corrections

e844dae

npm audit corrections - 1

e39f7ab

TejasRGitHub marked this pull request as ready for review December 1, 2023 18:43

TejasRGitHub mentioned this pull request Dec 1, 2023

Authentication and Authorization Using External Identity and Service Provider without Cognito Setup #872

Closed

TejasRGitHub marked this pull request as draft December 1, 2023 21:50

TejasRGitHub closed this Dec 1, 2023

TejasRGitHub force-pushed the main branch from e39f7ab to 2e78ef8 Compare December 1, 2023 21:54

Resolving Merge Conflicts

0bba194

TejasRGitHub reopened this Dec 1, 2023

TejasRGitHub marked this pull request as ready for review December 1, 2023 22:11

TejasRGitHub and others added 4 commits December 1, 2023 17:07

Resolved Merged Conflicts and added for tests

f67153f

Merge branch 'main' of https://github.com/TejasRGitHub/aws-dataall

ee21ca4

New Changed Merged

Fixing Semgrep Error in Frontend

622b923

Added Redirect URL as a config

83d482b