WIP change authentication for preview and admin to `pan-domain-au…

…thentication` from plain Google auth
guardian · Apr 23, 2024 · 955b620 · 955b620
1 parent 6a9b63f
commit 955b620
Show file tree

Hide file tree

Showing 21 changed files with 229 additions and 561 deletions.
diff --git a/admin/app/AppLoader.scala b/admin/app/AppLoader.scala
@@ -8,10 +8,12 @@ import conf.switches.SwitchboardLifecycle
 import conf.CachedHealthCheckLifeCycle
 import controllers.{AdminControllers, HealthCheck}
 import _root_.dfp.DfpDataCacheLifecycle
+import com.amazonaws.regions.Regions
+import com.amazonaws.services.s3.AmazonS3ClientBuilder
 import org.apache.pekko.actor.{ActorSystem => PekkoActorSystem}
 import concurrent.BlockingOperations
 import contentapi.{CapiHttpClient, ContentApiClient, HttpClient}
-import http.{AdminFilters, AdminHttpErrorHandler, CommonGzipFilter}
+import http.{AdminHttpErrorHandler, CommonGzipFilter, Filters, GuardianAuthWithExemptions}
 import dev.DevAssetsController
 import jobs._
 import model.{AdminLifecycle, ApplicationIdentity}
@@ -25,6 +27,7 @@ import play.api.i18n.I18nComponents
 import play.api.libs.ws.WSClient
 import services.{ParameterStoreService, _}
 import router.Routes
+import conf.Configuration.aws.mandatoryCredentials
 
 import scala.concurrent.ExecutionContext
 
@@ -76,6 +79,31 @@ trait AdminServices extends I18nComponents {
 
 trait AppComponents extends FrontendComponents with AdminControllers with AdminServices {
 
+  private lazy val s3Client = AmazonS3ClientBuilder.standard().withRegion(Regions.EU_WEST_1).withCredentials(
+    mandatoryCredentials
+  ).build()
+
+  lazy val auth = new GuardianAuthWithExemptions(
+    controllerComponents,
+    wsClient,
+    toolsDomainPrefix = "frontend",
+    oauthCallbackPath = "oauthCallback", //FIXME get this from reverse router
+    s3Client,
+    system = "frontend-admin",
+    extraDoNotAuthenticatePathPrefixes = Seq(
+      "/deploys", //not authenticated so it can be accessed by Prout to determine which builds have been deployed
+      "/deploy", //not authenticated so it can be accessed by Riff-Raff to notify about a new build being deployed
+      // Date: 06 July 2021
+      // Author: Pascal
+      // Added as part of posing the ground for the interactive migration.
+      // It should be removed when the Interactives migration is complete, meaning when we no longer need the routes
+      // POST /interactive-librarian/live-presser/*path
+      // POST /interactive-librarian/read-clean-write/*path
+      // in [admin].
+      "/interactive-librarian/"
+    )
+  )
+
   lazy val healthCheck = wire[HealthCheck]
   lazy val devAssetsController = wire[DevAssetsController]
   lazy val logbackOperationsPool = wire[LogbackOperationsPool]
@@ -103,6 +131,8 @@ trait AppComponents extends FrontendComponents with AdminControllers with AdminS
 
   def pekkoActorSystem: PekkoActorSystem
 
+  override lazy val httpFilters: Seq[EssentialFilter] =
+    wire[CommonGzipFilter].filters :: auth.Filter :: Filters.common(frontend.admin.BuildInfo)
+
   override lazy val httpErrorHandler: HttpErrorHandler = wire[AdminHttpErrorHandler]
-  override lazy val httpFilters: Seq[EssentialFilter] = wire[CommonGzipFilter].filters ++ wire[AdminFilters].filters
 }
diff --git a/admin/app/controllers/admin/IndexController.scala b/admin/app/controllers/admin/IndexController.scala
@@ -1,25 +1,8 @@
 package controllers.admin
 
-import com.gu.googleauth.AuthAction
-import conf.AdminConfiguration
 import model.{ApplicationContext, NoCache}
-import play.api.http.HttpConfiguration
 import play.api.mvc._
 
-trait AdminAuthController {
-
-  def controllerComponents: ControllerComponents
-
-  case class AdminAuthAction(httpConfiguration: HttpConfiguration)
-      extends AuthAction(
-        conf
-          .GoogleAuth(None, httpConfiguration, AdminConfiguration.oauthCredentialsWithSingleCallBack(None))
-          .getConfigOrDie,
-        routes.OAuthLoginAdminController.login,
-        controllerComponents.parsers.default,
-      )(controllerComponents.executionContext)
-}
-
 class AdminIndexController(val controllerComponents: ControllerComponents)(implicit context: ApplicationContext)
     extends BaseController {
 

diff --git a/admin/app/controllers/admin/OAuthLoginAdminController.scala b/admin/app/controllers/admin/OAuthLoginAdminController.scala
diff --git a/admin/app/controllers/cache/ImageDecacheController.scala b/admin/app/controllers/cache/ImageDecacheController.scala
@@ -1,28 +1,22 @@
 package controllers.cache
 
-import java.net.URI
-import java.util.UUID
-import com.gu.googleauth.UserIdentity
 import common.{GuLogging, ImplicitControllerExecutionContext}
-import controllers.admin.AdminAuthController
 import model.{ApplicationContext, NoCache}
-import play.api.http.HttpConfiguration
 import play.api.libs.ws.{WSClient, WSResponse}
-import play.api.mvc.Security.AuthenticatedRequest
 import play.api.mvc._
 
+import java.net.URI
+import java.util.UUID
 import scala.concurrent.Future
 import scala.concurrent.Future.successful
 
 class ImageDecacheController(
     wsClient: WSClient,
     val controllerComponents: ControllerComponents,
-    val httpConfiguration: HttpConfiguration,
 )(implicit context: ApplicationContext)
     extends BaseController
     with GuLogging
-    with ImplicitControllerExecutionContext
-    with AdminAuthController {
+    with ImplicitControllerExecutionContext {
   import ImageDecacheController._
 
   private val iGuim = """i.(guim|guimcode).co.uk/img/(static|media|uploads|sport)(/.*)""".r
@@ -33,66 +27,63 @@ class ImageDecacheController(
       NoCache(Ok(views.html.cache.imageDecache()))
     }
 
-  def decache(): Action[AnyContent] =
-    AdminAuthAction(httpConfiguration).async { implicit request =>
-      getSubmittedImage(request)
-        .map(new URI(_))
-        .map { imageUri =>
-          // here we limit the url to ones for which purging is supported
-          val originUrl: String = s"${imageUri.getHost}${imageUri.getPath}" match {
-            case iGuim(_, host, path) => s"${imageUri.getScheme}://$host.guim.co.uk$path"
-            case Origin(_)            => s"${imageUri.getScheme}://${imageUri.getHost}${imageUri.getPath}"
-
-            case _ => throw new RuntimeException(imageUri.toString)
-          }
+  def decache(): Action[AnyContent] = Action.async { implicit request =>
+    getSubmittedImageURI(request).map { imageUri =>
+        // here we limit the url to ones for which purging is supported
+        val originUrl: String = s"${imageUri.getHost}${imageUri.getPath}" match {
+          case iGuim(_, host, path) => s"${imageUri.getScheme}://$host.guim.co.uk$path"
+          case Origin(_)            => s"${imageUri.getScheme}://${imageUri.getHost}${imageUri.getPath}"
 
-          val cacheBust = UUID.randomUUID()
-          val originUri = new URI(originUrl)
+          case _ => throw new RuntimeException(imageUri.toString)
+        }
 
-          ImageServices.clearFastly(originUri, wsClient)
+        val cacheBust = UUID.randomUUID()
+        val originUri = new URI(originUrl)
 
-          val decacheRequest: Future[WSResponse] = wsClient.url(s"$originUrl?cachebust=$cacheBust").get()
-          decacheRequest
-            .map(_.status)
-            .map {
-              case NOT_FOUND =>
-                Ok(
-                  views.html.cache.imageDecache(
-                    messageType = Cleared,
-                    image = imageUri.toString,
-                    originImage = Some(originUrl),
-                  ),
-                )
-              case OK =>
-                Ok(
-                  views.html.cache.imageDecache(
-                    messageType = ImageStillOnOrigin,
-                    image = imageUri.toString,
-                    originImage = Some(originUrl),
-                  ),
-                )
-              case status =>
-                Ok(
-                  views.html.cache.imageDecache(
-                    messageType = Error,
-                    image = imageUri.toString,
-                    originImage = Some(originUrl),
-                  ),
-                )
-            }
-            .map(NoCache(_))
+        ImageServices.clearFastly(originUri, wsClient)
 
-        }
-        .getOrElse(successful(BadRequest("No image submitted")))
+        val decacheRequest: Future[WSResponse] = wsClient.url(s"$originUrl?cachebust=$cacheBust").get()
+        decacheRequest
+          .map(_.status)
+          .map {
+            case NOT_FOUND =>
+              Ok(
+                views.html.cache.imageDecache(
+                  messageType = Cleared,
+                  image = imageUri.toString,
+                  originImage = Some(originUrl),
+                ),
+              )
+            case OK =>
+              Ok(
+                views.html.cache.imageDecache(
+                  messageType = ImageStillOnOrigin,
+                  image = imageUri.toString,
+                  originImage = Some(originUrl),
+                ),
+              )
+            case status =>
+              Ok(
+                views.html.cache.imageDecache(
+                  messageType = Error,
+                  image = imageUri.toString,
+                  originImage = Some(originUrl),
+                ),
+              )
+          }
+          .map(NoCache(_))
 
-    }
+      }
+      .getOrElse(successful(BadRequest("No image submitted")))
+  }
 
-  private def getSubmittedImage(request: AuthenticatedRequest[AnyContent, UserIdentity]): Option[String] =
+  private def getSubmittedImageURI(request: Request[AnyContent]): Option[URI] =
     request.body.asFormUrlEncoded
       .getOrElse(Map.empty)
       .get("url")
       .flatMap(_.headOption)
       .map(_.trim)
+      .map(new URI(_))
 
 }
 

diff --git a/admin/app/controllers/cache/PageDecacheController.scala b/admin/app/controllers/cache/PageDecacheController.scala
@@ -1,32 +1,24 @@
 package controllers.cache
 
 import java.net.URI
-import com.gu.googleauth.UserIdentity
 import common.{GuLogging, ImplicitControllerExecutionContext}
-import controllers.admin.AdminAuthController
 import model.{ApplicationContext, NoCache}
 import org.apache.commons.codec.digest.DigestUtils
-import play.api.http.HttpConfiguration
 import play.api.libs.ws.WSClient
-import play.api.mvc.Security.AuthenticatedRequest
 import play.api.mvc._
 import purge.{AjaxHost, CdnPurge, GuardianHost}
 
 import scala.concurrent.Future
 import scala.concurrent.Future.successful
 
-case class PrePurgeTestResult(url: String, passed: Boolean)
-
 class PageDecacheController(
     wsClient: WSClient,
     val controllerComponents: ControllerComponents,
-    val httpConfiguration: HttpConfiguration,
 )(implicit
     context: ApplicationContext,
 ) extends BaseController
     with GuLogging
-    with ImplicitControllerExecutionContext
-    with AdminAuthController {
+    with ImplicitControllerExecutionContext {
 
   def renderPageDecache(): Action[AnyContent] =
     Action.async { implicit request =>
@@ -38,8 +30,7 @@ class PageDecacheController(
       Future(NoCache(Ok(views.html.cache.ajaxDecache())))
     }
 
-  def decacheAjax(): Action[AnyContent] =
-    AdminAuthAction(httpConfiguration).async { implicit request =>
+  def decacheAjax(): Action[AnyContent] = Action.async { implicit request =>
       getSubmittedUrlPathMd5(request) match {
         case Some(path) =>
           CdnPurge.soft(wsClient, path, AjaxHost).map(message => NoCache(Ok(views.html.cache.ajaxDecache(message))))
@@ -48,7 +39,7 @@ class PageDecacheController(
     }
 
   def decachePage(): Action[AnyContent] =
-    AdminAuthAction(httpConfiguration).async { implicit request =>
+    Action.async { implicit request =>
       getSubmittedUrlPathMd5(request) match {
         case Some(md5Path) =>
           CdnPurge
@@ -58,13 +49,15 @@ class PageDecacheController(
       }
     }
 
-  private def getSubmittedUrlPathMd5(request: AuthenticatedRequest[AnyContent, UserIdentity]): Option[String] = {
+  private def getSubmittedUrlPathMd5(request: Request[AnyContent]): Option[String] = {
     request.body.asFormUrlEncoded
       .getOrElse(Map.empty)
       .get("url")
       .flatMap(_.headOption)
       .map(_.trim)
-      .map(url => DigestUtils.md5Hex(new URI(url).getPath))
+      .map(new URI(_))
+      .map(_.getPath)
+      .map(DigestUtils.md5Hex)
   }
 
 }
diff --git a/admin/app/http/AdminFilters.scala b/admin/app/http/AdminFilters.scala
diff --git a/admin/conf/routes b/admin/conf/routes
@@ -6,10 +6,7 @@
 GET         /_healthcheck                                                                           controllers.HealthCheck.healthCheck()
 
 # authentication endpoints
-GET         /login                                                                                  controllers.admin.OAuthLoginAdminController.login
-POST        /login                                                                                  controllers.admin.OAuthLoginAdminController.loginAction
-GET         /oauth2callback                                                                         controllers.admin.OAuthLoginAdminController.oauth2Callback
-GET         /logout                                                                                 controllers.admin.OAuthLoginAdminController.logout
+GET         /oauthCallback                                                                          http.GuardianAuthWithExemptions.oauthCallback
 
 # static files
 GET         /assets/admin/lib/*file                                                                 controllers.admin.UncachedWebAssets.at(file)

diff --git a/build.sbt b/build.sbt
@@ -38,7 +38,7 @@ val common = library("common")
       jodaTime,
       jSoup,
       json4s,
-      playGoogleAuth,
+      panDomainAuth,
       playSecretRotation,
       playSecretRotationAwsSdk,
       quartzScheduler,