webauthinfra

Created 3 years ago
Maintained by adelton
Web application authentication developer setup
Members 1
Jan Pazdziora committed 4 months ago
==================================================
  Web application authentication developer setup
==================================================

Web applications that get deployed in large organizations typically
need to be able to work with user identities provided by external
identity sources like FreeIPA/IdM (IPA), Active Directory domains,
or SAML Identity Providers.

To support additional identity provider in Web application, using
front-end HTTP server for authentication and top-level authorization
with existing HTTP server modules might be preferred over implementing
every new protocol in every application or Web framework. The
applications then consume the authentication result as REMOTE_USER
environment variable or other means (for example X-Remote-User HTTP
header in case of HTTP proxy setup), as well as additional user
attributes and user group membership information that can be used
to control access within the application. More details about the
approach can be found at

  http://www.freeipa.org/page/Web_App_Authentication
  http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables

Even if consuming external authentication results might seem
straightforward, it is still useful to verify the interaction,
especially when HTTP status 401 for Kerberos or 30x redirects for
SAML are involved.

This repository aims to help with that task, providing multi-container
developer setup that can be used for development and testing of
external authentication methods for Web applications. By default,
the setup contains IPA server in container (service) "ipa", Ipsilon
SAML Identity Provider ("idp"), Firefox browser already configured
to use the server for Kerberos authentication ("client"), Apache
HTTP server with modules for GSS-API (Kerberos) and SAML ("www"),
as well as an example Django application that shows the effect of
propagating authentication result and the user information to an
application ("app").

                                                 HTTP with auth
  +----------+     HTTP    +------------------+  result      +-------------+
  | Browser  | ----------> | Web server       | -----------> | Application |
  | "client" | <---------- + with authn/authz | <----------  | "app"       |
  +----------+  Negotiate  | setup            |  application +-------------+
        |          or      | "www"            |  content
        |       redirect   +------------------+
        |
        \  Kerberos   +---------+
        | ----------> | FreeIPA |
        |             | "ipa"   |
        |             +---------+
        \  or SAML    +----------+
         -----------> | SAML IdP |
          redirects   | "idp"    |
                      +----------+

By changing the configuration of the Web server, it is possible to
switch from Kerberos to SAML and see the effects in action. It is
also possible to rebuild the setup to run the application directly
in the Web server container -- the example application would then
be deployed there via mod_wsgi.

This default setup can serve as demonstration of the concepts all by
itself but its primary goal is to help developers get infrastructure
for external authentication and plug in applications they develop
or test. Instead of the provided example application, developers can
instead put their application to the "app" or "www" containers, or
configure the Web server to proxy the requests to completely different
backend location where the application resides.

Instead of using the provided "client" container for browser testing,
it is possible to access the IPA, IdP, and the authentication HTTP
server from a Web client (browser) outside of the setup. However, DNS
or manual hosts records will likely need to be set up manually, as
well a local Kerberos configuration, so starting with the provided
"client" with Firefox might be easier.

-----------------
  Prerequisites

The setup uses docker and docker-compose, so they should be available.

When started, the containers will store their configuration and data
in *-data/ sub-directories, and their ownership will change to root
and their SELinux labels will likely change as well. You might want
to pick location for the local copy/clone of the repository where this
will not cause problems.

On SELinux enabled systems,

    setsebool -P container_manage_cgroup 1

might be needed to enable running systemd in the containers.

----------------------
  Building the setup

With the freeipa-server image available, running

  docker-compose build

in the directory of this repo will build create five container images.
Depending on the machine where you run the build, it might take
minutes to dozens of minutes to build.

---------------------
  Running the setup

The setup can be started with

  docker-compose up

It will provide long output starting with

  Creating webauthinfra_ipa_1 ... done
  Creating webauthinfra_app_1 ... done
  Creating webauthinfra_idp_1 ... done
  Creating webauthinfra_www_1 ... done
  Creating webauthinfra_client_1 ... done
  Attaching to webauthinfra_app_1, webauthinfra_ipa_1, webauthinfra_idp_1, webauthinfra_www_1, webauthinfra_client_1
  ipa_1     | Configuring ipa.example.test ...
  ipa_1     | Mon Dec 10 18:42:42 UTC 2018 /usr/sbin/ipa-server-configure-first
  ipa_1     |
  ipa_1     | The log file for this installation can be found in /var/log/ipaserver-install.log
  ipa_1     | ==============================================================================
  ipa_1     | This program will set up the FreeIPA Server.
  idp_1     | Waiting for FreeIPA server (HTTP Server) ...
  www_1     | Waiting for FreeIPA server (HTTP Server) ...

and you can watch IPA server and Ipsilon IdP being configured, and
then the client container with Firefox IPA-enrolled and www container
with the Apache HTTP server IPA-enrolled and configured as SAML Service
Provider, as well as the example Django application configured and
started.

After all the containers have initialized, you can use ssh -X to log
in to the container where Firefox is configured, and run the browser:

  ssh -X -i client-data/id_rsa -p 55022 developer@localhost firefox -no-remote

(When running ssh as root, chmod 600 client-data/id_rsa might be needed.)

It will open four tabs -- the example application, IPA and IdP logon
pages, and a page that allows you to obtain Kerberos Ticket Granting
Ticket (kinit) or change IPA user passwords in the client container.
There will be one admin user in the IPA server -- the password for
that account can be found with

  cat ipa-data/admin-password

You can log in to the IPA server WebUI, either by kinit-ing first or
with login and password and create more users and groups. Then you
can to log in into the example application via www.example.test
(again, Kerberos or login and password should work). The application
aims at easily presenting authentication-related information, so it
will show the list of last logged-in users, and for authenticated
access, it will display information about the user.

If you want to drive permissions of users in the example application,
log in as admin to its Admin interface and create groups there,
with names matching user groups in IPA with "ext:" prefix. For example,
if you created group "webapp-admin" in IPA, the counterpart in the
example application would be "ext:webapp-admin". You can attach the
application-level permissions to the group. Upon logon, users will
have their user attributes and group membership synced into the
example Django database.

Note that the Admin part of the application is only accessible to
users with a Staff flag which the example application sets to members
of IPA's "admins" group. Due to the Django Admin internals, the Staff
flag cannot be linked to group membership to be populated with more
flexibility.

Explore

  src/django/identity/external.py

to see the approach used.

To switch the Kerberos-based authentication to SAML-based, copy the
example src/www-proxy-saml.conf to www's data directory:

  cp src/www-proxy-saml.conf www-data/www.conf

or

  docker cp src/www-proxy-saml.conf webauthinfra_www_1:/data/www.conf

and restart the Apache HTTP server:

  docker exec -ti webauthinfra_www_1 systemctl restart httpd

When you try to log in to the example application now, instead of
Kerberos authentication used, you should see HTTP redirection to the
IdP at idp.example.test/idp where you will authenticate and be
redirected back.

To switch back, use src/www-proxy-gssapi.conf which was the default
/data/www.conf configuration in the www container.

The tests/test.sh can be used for testing the basic operation.

-----------------------------
  Developing with the setup

There are multiple ways to use the setup with application that you
develop:

* Deploy application in the HTTP server ("www") container.
* Run application in the existing "app" container instead of the
  default example application, using the "www" container as
  authentication HTTP proxy.
* Point the setup to an external location (container, host) where the
  application runs, again, using the "www" container as authentication
  HTTP proxy.

Each method is described in more detail below.

---------------------------------------------------
  Deploy application in the HTTP server ("www") container

Amend src/Dockerfile.www to install additional Apache modules like
mod_wsgi, and either install the application into the image in build
time or make it available in the container via www-data/ or some
other bind mount location. This way you will test the application
on the same "machine" as the front-end authentication HTTP server.

Check the src/Dockerfile.www-with-app for an example of turning
the HTTP proxy based setup into mod_wsgi-based one, running the
application in the "www" container directly, instead of in the
"app" container. In fact, if you edit the docker-compose.yml file
and use the commented-out dockerfile: line instead of the original
one and rebuild the setup, you will get the example application
running locally in the HTTP server ("www") container. Explore the
diff of src/Dockerfile.www and src/Dockerfile.www-with-app to get
an inspiration for putting your application into the www container.

------------------------------------------------------------------------
  Replace example application with your application in "app" container

Change src/Dockerfile.app to include and run your application instead
of the example one in the separate container. Chances are your
application has different layout of the logon URLs, so the Apache
HTTP server configuration in the "www" container will need to be
tweaked a bit as well, either by changing the src/www*.conf files or
by putting the configuration to www-data/www.conf directly.

This will turn the HTTP server container into authentication HTTP
proxy for your application, instead of the default example one.

It is important that in production, the communication between the
authentication proxy and the application is protected as the
authentication and authorization result is passed via HTTP headers
of the HTTP request. If users are able to connect to the backend
application directly, they'd be able to provide any HTTP header
content they'd like, sidestepping the authentication setup.
Depending on the network and system infrastructure, iptables,
mutual TLS authentication, or other means might be appropriate.

-------------------------------------
  Use existing application location

Change www-data/www.conf to proxy the requests to whatever location
your application runs on, potentially on the host machine directly.
With this setup, you will use the authentication HTTP proxy approach,
without forcing the application to be run in container.

The note from the previous item about securing the communication in
production setups applies here as well.

-----------------------------
  The defaults of the setup

The services:

ipa	IPA server
	Hostname: ipa.example.test
	Persistent storage in ipa-data/

idp	Ipsilon IdP server
	Hostname: idp.example.test
	Persistent storage in idp-data/

www	Apache HTTP server with authn/authz modules
	Hostname: www.example.test
	Configuration stored in www-data/; namely Apache HTTP server
	loads www-data/www.conf.
	IPA-enrolled during the first run.

app	Back-end server with example application
	Hostname: app.example.test
	Database stored in app-data/

client	SSH server and Firefox
	Hostname: client.example.test
	Accessible on host's port 55022.
	IPA-enrolled during the first run.

Precreated accounts:

admin (IPA)	password in ipa-data/admin-password

admin (the example application)
		password in the docker-compose output
		(but access with IPA's admin password will also work)

PAM services and host-based access access control (HBAC) rules:

webapp		used for HBAC on http://www.example.test
		HBAC rule: allow_webapp

idp		used for HBAC idp.example.test/idp
		HBAC rule: allow_idp

Both HBAC rules are set up to allow access for any user but the HBAC
rules can be changed in IPA. The allow_all is disabled by default for
HBAC to work.

Set of applications and authentication modules was used to demonstrate
the external authentication concepts. In future versions, different
versions or different applications might be used to achieve the same
goal.

---------------------
  Automated testing

The "client" container has Selenium with Python bindings installed,
so it can be directly used for automated testing of the setup or
developed application. Examples of simple tests can be found in
src/test-kerberos.py and src/test-saml.py -- the are invoked from
tests/test.sh.

-----------
  Licence

Copyright 2016--2018 Jan Pazdziora

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.