LDAP integration (#143)

* Add LDAP container

* BE v4 LDAP config

* FE LDAP config

* Add `LDAP_ENABLED` feature flag in CI/README

* BE v3 LDAP config

* Update README for BE v3 and v4

* Implement comments

* Fix CI

* Include ldap from shared BE compose

* Implement commens

---------

Co-authored-by: minottic <carlo.minotti1@gmail.com>

Author: fpotier

.env

@@ -6,3 +6,6 @@ BE_VERSION=v4
 
 ## Enable v4 ELASTIC feature (disable if required or set in command line). To later disable, either unset or set to an empty value
 # ELASTIC_ENABLED=true
+
+## Enable LDAP authentication backend (disable if required or set in command line). To later disable, either unset or set to an empty value
+# LDAP_ENABLED=true

.github/workflows/compose_test.yaml

@@ -54,12 +54,14 @@ jobs:
     strategy:
       matrix:
         BE_VERSION: [v3, v4]
-        JOBS_AND_ELASTIC_ENABLED: ['', true]
+        ELASTIC_OR_JOBS_ENABLED: ['', true]
+        LDAP_ENABLED: ['', true]
     steps:
       - uses: actions/checkout@v4
       - name: Test compose.yaml
         run: |-
-          export JOBS_ENABLED=${{ matrix.JOBS_AND_ELASTIC_ENABLED }}
-          export ELASTIC_ENABLED=${{ matrix.JOBS_AND_ELASTIC_ENABLED }}
+          export JOBS_ENABLED=${{ matrix.ELASTIC_OR_JOBS_ENABLED }}
+          export ELASTIC_ENABLED=${{ matrix.ELASTIC_OR_JOBS_ENABLED }}
+          export LDAP_ENABLED=${{ matrix.LDAP_ENABLED }}
           export BE_VERSION=${{ matrix.BE_VERSION }}
           docker compose --profile '*' up --wait --wait-timeout 300

README.md

@@ -41,6 +41,7 @@ They are used when adding new services or grouping services together (and do not
 | env     | `BE_VERSION`       | <li>`v3`: backend/v3<li>`v4`: backend/v4                                          | `v4`    | as set                | Sets the be version to use in (2) of [default setup](#default-setup) to v3                                                                                             | mongodb,frontend        |
 | env     | `JOBS_ENABLED`     | `true`: rabbitmq,archivemock,jobs feature                                       | `''`    | v3                    | Creates a rabbitmq message broker which the be posts to and the archivemock listens to. It emulates the data long-term archive/retrieve workflow                       |                         |
 | env     | `ELASTIC_ENABLED`  | `true`: elastic,elastic feature                                                 | `''`    | v4                    | Creates an elastic search service and sets the be to use it for full-text searches                                                                                     |                         |
+| env     | `LDAP_ENABLED`     | `true`: ldap auth                                                              | `''`    | as set                | Creates an LDAP service and sets the be to use it as authentication backend                                                                                                    |                         |
 
 
 After optionally setting any configuration option, one can still select the services to run as described [here](README.md#select-the-services).

services/backend/README.md

@@ -5,3 +5,12 @@ The SciCat backend HTTP service.
 ## Dependency on `BE_VERSION`
 
 The `BE_VERSION` value controls which version of the backend should be started, either [v3](./services/v3) or [v4](./services/v4) (default).
+
+## Dependencies
+
+Here below we show the internal dependencies of the service, which are not already covered [here](../../../../README.md) (if `B` depends on `A`, then we visualize as `A --> B`). The same subdomain to service convention applies.
+
+```mermaid
+graph TD
+    ldap --> backend
+```

services/backend/compose.yaml

@@ -1,2 +1,4 @@
 include:
-  - ./services/${BE_VERSION:-v4}/compose.yaml
+  - path:
+      - ./services/${BE_VERSION:-v4}/compose.yaml
+      - ./services/ldap/.${LDAP_ENABLED:+./${BE_VERSION:-v4}/}compose${LDAP_ENABLED:+.ldap}.yaml

services/backend/services/ldap/.compose.yaml

@@ -0,0 +1 @@
+## empty file used when override configs are not enabled

services/backend/services/ldap/README.md

@@ -0,0 +1,20 @@
+# LDAP (OpenLDAP)
+
+LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information such as user credentials.
+SciCat can use LDAP as third-party authentication provider.
+
+## Configuration options
+
+The OpenLDAP configuration is set by the [.env file](./config/.env).
+
+For an extensive list of available options see [here](https://hub.docker.com/r/bitnami/openldap).
+
+You can add other users by editing the [ldif file](./config/ldifs/02-users.ldif).
+:warning: User creation is only done once, when the container is created.
+
+## Default configuration
+The default configuration [.env file](./config/.env) creates the `dc=facility` domain with the following user:
+
+| Username  | Password |
+| --------- | -------- |
+| ldap-user | password |

services/backend/services/ldap/compose.yaml

@@ -0,0 +1,13 @@
+services:
+  ldap:
+    image: bitnami/openldap:2.6
+    volumes:
+      - ./config/ldifs:/ldifs:ro
+    env_file:
+      - ./config/.env
+    healthcheck:
+      test: ldapwhoami -H ldap://ldap:389 -D 'cn=admin,dc=facility' -w 'admin'
+      start_period: 5s
+      interval: 10s
+      timeout: 10s
+      retries: 5

services/backend/services/ldap/config/.env

@@ -0,0 +1,4 @@
+LDAP_ADMIN_USERNAME=admin
+LDAP_ADMIN_PASSWORD=admin
+LDAP_PORT_NUMBER=389
+LDAP_ROOT=dc=facility

services/backend/services/ldap/config/ldifs/01-bootstrap.ldif

@@ -0,0 +1,11 @@
+dn: dc=facility
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: My Organization
+dc: facility
+
+dn: ou=users,dc=facility
+objectClass: top
+objectClass: organizationalUnit
+ou: users

services/backend/services/ldap/config/ldifs/02-users.ldif

@@ -0,0 +1,12 @@
+dn: uid=ldap-user,ou=users,dc=facility
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: ldap-user
+cn: LDAP user
+displayName: ldap-user
+sn: LDAP
+givenName: User
+mail: ldap-user@facility.com
+userPassword: password

services/backend/services/v3/README.md

@@ -69,12 +69,14 @@ In the default configuration folder [config](./config), the backend is set to us
 
 Additionally, by setting the env variable [ENABLE_JOBS](../../.env#L5), the [archive mock](./services/archivemock/) and [rabbitmq](./services/rabbitmq/) services are started and the backend is configured to connect to them.
 
+If `LDAP_ENABLED` is toggled, you can use LDAP to log in with a [LDAP user](../ldap/README.md#default-configuration).
+
 ## Dependencies
 
-Here below we show the internal dependencies of the service, which are not already covered [here](../../../../README.md) (if `B` depends on `A`, then we visualize it as `A --> B`). The same subdomain to service convention applies.
+Here below we show the internal dependencies of the service, which are not already covered [here](../../../../README.md) and [here](../../README.md) (if `B` depends on `A`, then we visualize as `A --> B`). The same subdomain to service convention applies.
 
 ```mermaid
-graph TD   
+graph TD
     rabbitmq --> archivemock
     rabbitmq --> backend
     backend --> archivemock

services/backend/services/v3/compose.ldap.yaml

@@ -0,0 +1,10 @@
+include:
+  - ../ldap/compose.yaml
+
+services:
+  backend:
+    depends_on:
+      ldap:
+        condition: service_healthy
+    volumes:
+      - ./config/providers.ldap.json:/config/providers.ldap.json

services/backend/services/v3/config/providers.ldap.json

@@ -0,0 +1,24 @@
+{
+  "ldap": {
+    "provider": "ldap",
+    "authScheme": "ldap",
+    "module": "passport-ldapauth",
+    "authPath": "/auth/msad",
+    "successRedirect": "/auth/account",
+    "failureRedirect": "/msad",
+    "session": true,
+    "json": true,
+    "failureFlash": true,
+    "profileAttributesFromLDAP": {
+      "displayName": "displayName",
+      "email": "mail"
+    },
+    "server": {
+      "url": "ldap://ldap:389",
+      "bindDn": "cn=admin,dc=facility",
+      "bindCredentials": "admin",
+      "searchBase": "ou=users,dc=facility",
+      "searchFilter": "(uid={{username}})"
+    }
+  }
+}

services/backend/services/v4/README.md

@@ -23,11 +23,13 @@ In the default configuration folder [config](./config), the backend is set to us
 
 ## Enable additional features
 
-Additionally, by setting the env variable `ELASTIC_ENABLED`, the [elastic search](./services/elastic/) service is started and the backend is configured to connect to them. 
+Additionally, by setting the env variable `ELASTIC_ENABLED`, the [elastic search](./services/elastic/) service is started and the backend is configured to connect to them.
+
+If `LDAP_ENABLED` is toggled, you can use LDAP to log in with a [LDAP user](../ldap/README.md#default-configuration).
 
 ## Dependencies
 
-Here below we show the internal dependencies of the service, which are not already covered [here](../../../../README.md) (if `B` depends on `A`, then we visualize as `A --> B`). The same subdomain to service convention applies.
+Here below we show the internal dependencies of the service, which are not already covered [here](../../../../README.md) and [here](../../README.md) (if `B` depends on `A`, then we visualize as `A --> B`). The same subdomain to service convention applies.
 
 ```mermaid
 graph TD

services/backend/services/v4/compose.ldap.yaml

@@ -0,0 +1,10 @@
+include:
+  - ../ldap/compose.yaml
+
+services:
+  backend:
+    depends_on:
+      ldap:
+        condition: service_healthy
+    env_file:
+      - ./config/.ldap.env

services/backend/services/v4/config/.ldap.env

@@ -0,0 +1,3 @@
+LDAP_URL=ldap://ldap:389
+LDAP_SEARCH_BASE=ou=users,dc=facility
+LDAP_SEARCH_FILTER=(uid={{username}})

services/frontend/compose.yaml

@@ -13,5 +13,6 @@ services:
       - /config/init.sh && nginx -g "daemon off;"
     environment:
       BE_VERSION: ${BE_VERSION:-v4}
+      LDAP_ENABLED: ${LDAP_ENABLED:-}
     labels:
       - traefik.http.routers.frontend.rule=Host(`localhost`)

services/frontend/config/config.base.json

@@ -7,7 +7,7 @@
    "editMetadataEnabled":true,
    "editPublishedData":true,
    "editSampleEnabled":true,
-   "externalAuthEndpoint":"/auth/msad",
+   "externalAuthEndpoint":"/api/v3/auth/ldap",
    "facility":"SAMPLE-SITE",
    "fileColorEnabled":true,
    "fileDownloadEnabled":true,

services/frontend/config/config.ldap.json

@@ -0,0 +1,4 @@
+{
+  "loginLdapEnabled": true,
+  "loginLdapLabel": "Connect with LDAP"
+}

services/frontend/config/config.v3.json

@@ -1,3 +1,4 @@
 {
-    "accessTokenPrefix": ""
+    "accessTokenPrefix": "",
+    "externalAuthEndpoint":"/auth/msad"
 }

services/frontend/config/init.sh

@@ -10,6 +10,7 @@ exclude_config () {
 }
 
 [ "$BE_VERSION" = "v4" ] && exclude_config "v3.json"
+[ -z "$LDAP_ENABLED" ] && exclude_config "ldap.json"
 
 # shellcheck disable=SC2086
 jq -s 'reduce .[] as $item ({}; . * $item)' $FILES > /usr/share/nginx/html/assets/config.json