Updating authenticators from latest in Tiled#81
Conversation
|
Wow, thanks @davidpcls! |
|
Thank you. I am going to try to fix the unit tests first, I may push a few commits. |
|
If either of you intend to commit more work to this PR, put it in Draft mode. Change the mode back when you are ready for final review. |
dmgav
force-pushed
the
auth_updates_from_tiled
branch
from
579d82a to
f54ef36
Compare
|
I fixed the unit tests. I also rebased the branch to main, so I had to force push the changes. |
|
Thanks for working on that @dmgav! I just got things setup so I can test with this against MS Entra, so I'll go about verifying there are no other changes required for this to work properly. Took a little longer than expected to get the Entra stuff worked out. |
This is working okay, although it doens't really work smoothly for the API based login and the http command based login isn't great, as it requires the user to copy and past token around. Compared to ldap which just logs the user in. So still some work to do here to smooth out the user experience.
This solves the problem that what was implemented was actually authenticating the application and not the user like expected. It worked but it required that the user input a code. This solves that problem so that when you click the login link, if you are already logged in with you SSO provider you'll just automatically log in to the HTTP Server. Likewise if you use the bluesky queueserver api, when you call RM.Login you'll automatically be logged in, no user interaction required.
These should correct some of the problems in the last CI workflow. I moved the LDAP and docker image into the continuous_integration folder so it matches tiled.
This addresses documentation problems, the levels were incorrect as I did not understand what the next level should have been in the docs. I've also updated the usage documentation a little to be more useful.
These allow for running the unit tests in a containerized system just like how they are done in the ci pipeline, but locally and in a way that can maximize processor usage and minimize runtime.
Testing with ms entra
|
I've added in these changes, I'm going to work on cleaning up failing unit tests now and then I will update the pull request description to match your style and provide information on testing. After that I will remove the WIP status. |
|
Please also see the related PR for the API: bluesky/bluesky-queueserver-api#62 |
This is a set of test changes intended to improve the reliability of unit testing, as the current unit tests are randomly failing due to test design. Primarily this appears to be centered around LDAP. So this work was to: * Fix for ldap errors * Hardening unit tests so they fail less frequency * Try to handle console output more reliably
davidpcls
changed the title
|
Sorry, got excited about the unit tests passing. I need to do one last integration test first, which is why I converted it back into a WIP |
|
@dmgav , I've now tested this on remote machines and with httpserver running locally and both work. Let me know if you want an example. I'm not adding a whole lot here for evidence just because I'm not entirely sure what could be leaking security-sensitive information out. |
|
@davidpcls With Tiled v0.2.10 (released this morning) we addressed several issues in OIDC authentication. I think it would make sense to incorporate those fixes in this PR, so that QS will be fully caught up. Do you have capacity to take that on? See the diff in |
|
@danielballan, I'll take a look and see if it's something I can do. The unit tests are usually the hard part here as they take a long time to run, if anyone wants to tackle improving that it would help immensely. |
|
New Issues (6)Checkmarx found the following issues in this Pull Request
Fixed Issues (9)Great job! The following issues were fixed in this Pull Request
Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here. |
|
@danielballan, I think this is going to take a little bit, as I won't be able to work on this for a couple weeks and I've not made huge progress so far. If you need to get this going I'd suggest someone else take over integrating in the latest from Tiled. If not I'll work on it later. |
4 participants
Description
These changes bring in the authenticators from Tiled into HTTP Bluesky. This allows us to use the same authentication setup as from Tiled deployments (at least at the current moment). The main other change is to remove the "mode" flag and instead use the class type to determine if it is an internal or external authenticator.
Part of this work is also the updating of the bluesky-queueserver-api, for which I have created a PR. Both are required in order for the OIDC workflows to work.
Motivation and Context
This solves the problem of having different authentication schemes to maintain between Tiled and HTTP server, which came from the same code around 3 years ago. Tiled has been updated but HTTP server was not. This addresses that.
Summary of Changes for Release Notes
Updated authenticators based off Tiled main.
Made minimal changes to app.py and authentication.py to support the changes. Some new endpoints needed to be created to do this, but fairly minimal. The majority of the work was getting the unit test runners stable.
Added local parallel unit test runners to aid development
Updated the github runners to be more stable and reliable.
Fixed
Added
Changed
Removed
How Has This Been Tested?
Testing was done against MS Entra. I tested that these workflows work for both internal (localhost) and external servers. Using this the login workflow changes to just simply being:
At which point the user will be logged in and can immediately issue the RM.status(). If the user does not already have an authenticated session in their browser they will need to login and they will be prompted to do so.
While this was tested with MS Entra, the design is based on Tiled's OIDC and testing used the OIDC flow with MS Entra, so it should theoretically work with both.