pasi-portail-d-acces-au-si

Published: Jan 19, 2021 License: AGPL-3.0

README

PASI (Portail d'accès au SI)

Sonarqube audit badges: Maintainability Rating, Security Rating, Quality Gate Status.

General information

This project presents the user with an access portal listing the URLs of the applications they are allowed to use. To work out what those applications are, the user is logged in on an OAuth2 Identity Provider and the portal gets back the groups the user is a member of in a "MemberOf" array claim.

The user info is then stored partly in an encrypted session cookie and partly in an in-memory database indexed by the user login. When the portal front end asks for the apps, only the apps the user is allowed to see are sent back.

If the user is a member of the designated admin group, all apps are sent back and, by activating the "admin mode", the user is allowed to alter which apps are allowed to which groups.

The following sequence diagram shows the flow of the application.

' PlantUML sequence diagram of the authentication flow
autonumber
actor User
hide footbox
title OAuth2 Authentication

== First connection (or session expired) ==

User -> "Browser (web app)"
"Browser (web app)" -> Backend : redirect to /OAuth2Login
Backend -> "OAuth2 IdP" : redirect to /auth, with claims, credentials, state
User -> "OAuth2 IdP" : authenticate
"OAuth2 IdP" --> "Browser (web app)" : redirect to /OAuthCallBack with authorization code and state
"Browser (web app)" -> Backend : GET request to /OAuthCallBack with authorization code and state
Backend -> Backend : check states match
Backend -> "OAuth2 IdP" : exchange authorization code for a token on /token
"OAuth2 IdP" --> Backend : token
Backend -> "OAuth2 IdP" : get user info on /userinfo (auth with token)
"OAuth2 IdP" --> Backend : user info (stored in session cookie + in-memory db)

== Following connections (existing session) ==

User -> "Browser (web app)"
"Browser (web app)" -> Backend : GET request on /api/user
Backend --> "Browser (web app)" : user info, if the user exists (session cookie)
"Browser (web app)" -> Backend : GET request on /api/apps
Backend --> "Browser (web app)" : apps info
hnote over "Browser (web app)" : renders apps list
User -> "Browser (web app)" : click on an app
"Browser (web app)" -> "Target app" : go to target app
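As an added example (not code from the PASI project), the authorization decisions described above in Go: the "check states match" step of the callback, the admin-group test, and the filtering of apps.json entries by the user's MemberOf groups. The apps.json field names (name, url, groups), the group names and the sample configuration are assumptions constructed for this example; the project's real schema is not reproduced in the README.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// App is one entry of apps.json. The field names are an assumption for this
// example; the project's real schema is not reproduced in the README.
type App struct {
	Name   string   `json:"name"`
	URL    string   `json:"url"`
	Groups []string `json:"groups"` // groups allowed to see this app
}

// User is what /userinfo yields: the login goes into the encrypted session
// cookie, the (large) MemberOf claim stays server-side in the in-memory db.
type User struct {
	Login    string
	MemberOf []string
}

// StateMatches is the "check states match" step of /OAuthCallBack: the state
// echoed by the IdP must equal the one issued at login. An empty issued state
// (no pending login) never matches; the comparison is constant-time.
func StateMatches(issued, received string) bool {
	return issued != "" &&
		subtle.ConstantTimeCompare([]byte(issued), []byte(received)) == 1
}

// IsAdmin reports whether the user belongs to the ADMIN_GROUP.
func IsAdmin(u User, adminGroup string) bool {
	for _, g := range u.MemberOf {
		if g == adminGroup {
			return true
		}
	}
	return false
}

// VisibleApps returns every app for an admin, otherwise only the apps whose
// allowed groups intersect the user's MemberOf claim.
func VisibleApps(u User, apps []App, adminGroup string) []App {
	if IsAdmin(u, adminGroup) {
		return apps
	}
	member := make(map[string]bool, len(u.MemberOf))
	for _, g := range u.MemberOf {
		member[g] = true
	}
	var visible []App
	for _, a := range apps {
		for _, g := range a.Groups {
			if member[g] {
				visible = append(visible, a)
				break
			}
		}
	}
	return visible
}

// ParseApps decodes an apps.json document.
func ParseApps(data []byte) ([]App, error) {
	var apps []App
	if err := json.Unmarshal(data, &apps); err != nil {
		return nil, fmt.Errorf("apps.json: %w", err)
	}
	return apps, nil
}

// SampleAppsJSON is a constructed configuration, not the project's real file.
const SampleAppsJSON = `[
 {"name": "HR portal",  "url": "https://hr.example.invalid",   "groups": ["hr"]},
 {"name": "Wiki",       "url": "https://wiki.example.invalid", "groups": ["hr", "it"]},
 {"name": "Monitoring", "url": "https://mon.example.invalid",  "groups": ["it"]}
]`

func main() {
	apps, err := ParseApps([]byte(SampleAppsJSON))
	if err != nil {
		panic(err)
	}
	users := []User{ // constructed sessions; "pasi-admins" is the assumed ADMIN_GROUP
		{Login: "alice", MemberOf: []string{"hr"}},
		{Login: "bob", MemberOf: []string{"it", "pasi-admins"}},
		{Login: "carol", MemberOf: []string{"sales"}},
	}
	for _, u := range users {
		for _, a := range VisibleApps(u, apps, "pasi-admins") {
			fmt.Printf("%s -> %s (%s)\n", u.Login, a.Name, a.URL)
		}
	}
	fmt.Println("state ok:", StateMatches("abc123", "abc123"), StateMatches("abc123", "xyz"))
}
```

Running it lists each constructed user's visible apps: alice (hr) sees the HR portal and the Wiki, bob sees the whole list because he belongs to the admin group, and carol sees nothing because none of her groups appear in any app's allowed groups. The filtering happens on the server side from the stored MemberOf claim, so the front end never receives URLs the user is not entitled to.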

Architecture

The application is a single page application (SPA) with a Vue.JS 2 front end communicating with a Go (Golang) back end.

Front end

The front end application is straightforward; it uses Vuex for state management. Detailed specifications can be found in the unit tests (./tests), run with npm run test:unit.

Back end

The back end is a Go web server. Detailed documentation and specification can be found in the comments and, first of all, in the tests, run with go test ./.... The application tries to follow the Standard Go Project Layout. The tests are very important to ensure that the application is working and secure. Any alteration that breaks the tests must not be committed. The user info is stored partly in an encrypted session cookie, and partly in an in-memory database indexed by the user login. That is so because the "memberOf" array was too large to encode in the cookie.

The application provides out-of-the-box HTTPS with automatically provisioned Let's Encrypt certificates. This feature can be deactivated with the -behind-proxy flag, for the application to be used behind an SSL reverse proxy.

Other flags:
-letsencrypt_cache : Let's Encrypt cache location
-debug : debug mode, disables Let's Encrypt, enables CORS and more logging
-https_port : HTTPS port to serve on (defaults to 443)
-http_port : HTTP port to serve on (defaults to 80)
-hostname : main hostname, defaults to localhost (used to obtain Let's Encrypt certificates)

The application configuration (which apps are allowed to whom) is stored in an apps.json file in the server/configs directory. Using Docker allows mapping this directory to any convenient host system directory.

Project setup

Get the project
git clone https://forge.grandlyon.com/systemes-dinformation/pasi-portail-d-acces-au-si
cd pasi-portail-d-acces-au-si
Running in a Docker container

Alter the .docker-compose environment variables to your needs (see below); do not forget to set a proper session key.

docker-compose build && docker-compose up -d
Running directly (requires Go, Node.js and npm for building)
npm install
npm run build
rm -Rf ./server/web/*
mv -f ./dist/* ./server/web/
cd server
go build
# Set environment variables (exported so the server process inherits them)
export REDIRECT_URL=https://[server hostname]/OAuth2Callback
export CLIENT_ID=[Identity Provider client id]
export CLIENT_SECRET=[Identity Provider client secret]
export AUTH_URL=[Identity Provider auth url]
export TOKEN_URL=[Identity Provider token url]
export USERINFO_URL=[Identity Provider user info url]
export LOGOUT_URL=[Identity Provider logout url]
export ADMIN_GROUP=[Group allowed to alter apps configuration]
export PROFILE_URL=[Url a click on the profile icon on the main screens redirects to]
export SESSION_KEY=$(openssl rand -base64 32)
# Start the server (the binary produced by go build in ./server)
./server -hostname=[server hostname]

Use the -behind-proxy flag to disable HTTPS with automatic Let's Encrypt certificates (in order to put the application behind a reverse proxy).

Front end development
Install dependencies
npm install
Compiles and hot-reloads for development
npm run serve
Compiles and minifies for production
npm run build
Run your tests
npm run test
Lints and fixes files
npm run lint
Run your unit tests
npm run test:unit
Customize configuration

See Configuration Reference.

Back end development

Install the Go tooling (see Go Downloads).
