Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to Panda v7 - support key rotation #247

Merged
merged 1 commit into from
Nov 12, 2024
Merged

Upgrade to Panda v7 - support key rotation #247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions backend/app/AppComponents.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,8 +124,7 @@ class AppComponents(context: Context, config: Config)
val publicSettings = new PublicSettings(config.publicSettingsKey, config.bucketName, pandaS3Client)
// start polling of S3 bucket for public key
publicSettings.start()
val getCurrentPublicKey: () => Option[pandomainauth.PublicKey] = () => publicSettings.publicKey
new PanDomainUserProvider(config, getCurrentPublicKey, users, metricsService)
new PanDomainUserProvider(config, () => publicSettings.verification, users, metricsService)
}

logger.info(s"Initialised authentication provider '${config.auth.provider}'")
Expand Down
22 changes: 11 additions & 11 deletions backend/app/utils/auth/providers/PanDomainUserProvider.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,27 @@
package utils.auth.providers

import com.gu.pandomainauth.{PanDomain, PublicKey}
import com.gu.pandomainauth.PanDomain
import com.gu.pandomainauth.model._
import model.frontend.user.PartialUser
import com.gu.pandomainauth.service.CryptoConf.Verification
import model.frontend.TotpActivation
import model.frontend.user.PartialUser
import model.user.{DBUser, UserPermissions}
import play.api.libs.json.{JsString, JsValue}
import play.api.mvc.{AnyContent, Request}
import services.users.UserManagement
import services.{MetricsService, PandaAuthConfig}
import utils.{Epoch, Logging}
import utils.attempt._
import utils.attempt.AttemptAwait._
import utils.attempt._
import utils.auth.totp.TfaToken
import utils.{Epoch, Logging}

import scala.concurrent.ExecutionContext
import scala.concurrent.duration._

/**
* A UserAuthenticator implementation that authenticates a valid user based on the presence of a pan-domain cookie
*/
class PanDomainUserProvider(val config: PandaAuthConfig, currentPublicKey: () => Option[PublicKey], users: UserManagement, metricsService: MetricsService)(implicit ec: ExecutionContext)
class PanDomainUserProvider(val config: PandaAuthConfig, verificationProvider: () => Verification, users: UserManagement, metricsService: MetricsService)(implicit ec: ExecutionContext)
extends UserProvider with Logging {

/** The client needs to know where to redirect the user so they can pick up a pan domain cookie **/
Expand All @@ -38,9 +39,9 @@ class PanDomainUserProvider(val config: PandaAuthConfig, currentPublicKey: () =>

val maybeCookie = request.cookies.get(config.cookieName)

(currentPublicKey(), maybeCookie) match {
case (Some(publicKey), Some(cookieData)) =>
val status = PanDomain.authStatus(cookieData.value, publicKey, validateUser, 0L, "giant", false, false)
maybeCookie match {
case Some(cookieData) =>
val status = PanDomain.authStatus(cookieData.value, verificationProvider(), validateUser, 0L, "giant", false, false)
status match {
case Authenticated(authedUser) =>
val downcasedAuthedUser = authedUser.copy(user = authedUser.user.copy(email = authedUser.user.email.toLowerCase()))
Expand All @@ -57,14 +58,13 @@ class PanDomainUserProvider(val config: PandaAuthConfig, currentPublicKey: () =>
PartialUser(user.username, user.displayName.getOrElse(displayName))
}
case NotAuthorized(authedUser) => Attempt.Left(PanDomainCookieInvalid(s"User ${authedUser.user.email} is not authorised to use this system.", reportAsFailure = true))
case InvalidCookie(exception) => Attempt.Left(PanDomainCookieInvalid(s"Pan domain cookie invalid: ${exception.getMessage}", reportAsFailure = true))
case InvalidCookie(integrityFailure) => Attempt.Left(PanDomainCookieInvalid(s"Pan domain cookie invalid: $integrityFailure", reportAsFailure = true))
case Expired(authedUser) => Attempt.Left(PanDomainCookieInvalid(s"User ${authedUser.user.email} panda cookie has expired.", reportAsFailure = false))
case other =>
logger.warn(s"Pan domain auth failure: $other")
Attempt.Left(AuthenticationFailure(s"Pan domain auth failed: $other", reportAsFailure = true))
}
case (None, _) => Attempt.Left(AuthenticationFailure("Pan domain library not initialised - no public key available", reportAsFailure = true))
case (_, None) => Attempt.Left(PanDomainCookieInvalid(s"No pan domain cookie available in request with name ${config.cookieName}", reportAsFailure = false))
case None => Attempt.Left(PanDomainCookieInvalid(s"No pan domain cookie available in request with name ${config.cookieName}", reportAsFailure = false))
}
}

Expand Down
Loading