🎨 Adds authentication for new style dynamic services and platform vendor services ⚠️

.env-devel

@@ -220,6 +220,13 @@ STORAGE_PROFILING=1
 
 SWARM_STACK_NAME=master-simcore
 
+## VENDOR DEVELOPMENT SERVICES ---
+VENDOR_DEV_MANUAL_IMAGE=containous/whoami
+VENDOR_DEV_MANUAL_REPLICAS=1
+VENDOR_DEV_MANUAL_SUBDOMAIN=manual
+
+## VENDOR DEVELOPMENT SERVICES ---
+
 WB_API_WEBSERVER_HOST=wb-api-server
 WB_API_WEBSERVER_PORT=8080
 

Makefile

@@ -269,6 +269,11 @@ CPU_COUNT = $(shell cat /proc/cpuinfo | grep processor | wc -l )
 		services/docker-compose.local.yml \
 		> $@
 
+.stack-vendor-services.yml: .env $(docker-compose-configs)
+	# Creating config for vendors stack to $@
+	@scripts/docker/docker-stack-config.bash -e $< \
+		services/docker-compose-dev-vendors.yml \
+		> $@
 
 .stack-ops.yml: .env $(docker-compose-configs)
 	# Creating config for ops stack to $@
@@ -288,7 +293,11 @@ endif
 
 
 
-.PHONY: up-devel up-prod up-prod-ci up-version up-latest .deploy-ops
+.PHONY: up-devel up-prod up-prod-ci up-version up-latest .deploy-ops .deploy-vendors
+
+.deploy-vendors: .stack-vendor-services.yml
+	# Deploy stack 'vendors'
+	docker stack deploy --detach=true --with-registry-auth -c $< vendors
 
 .deploy-ops: .stack-ops.yml
 	# Deploy stack 'ops'
@@ -338,6 +347,7 @@ up-devel: .stack-simcore-development.yml .init-swarm $(CLIENT_WEB_OUTPUT) ## Dep
 	@$(MAKE_C) services/dask-sidecar certificates
 	# Deploy stack $(SWARM_STACK_NAME) [back-end]
 	@docker stack deploy --detach=true --with-registry-auth -c $< $(SWARM_STACK_NAME)
+	@$(MAKE) .deploy-vendors
 	@$(MAKE) .deploy-ops
 	@$(_show_endpoints)
 	@$(MAKE_C) services/static-webserver/client follow-dev-logs
@@ -348,6 +358,7 @@ up-devel-frontend: .stack-simcore-development-frontend.yml .init-swarm ## Every
 	@$(MAKE_C) services/dask-sidecar certificates
 	# Deploy stack $(SWARM_STACK_NAME)  [back-end]
 	@docker stack deploy --detach=true --with-registry-auth -c $< $(SWARM_STACK_NAME)
+	@$(MAKE) .deploy-vendors
 	@$(MAKE) .deploy-ops
 	@$(_show_endpoints)
 	@$(MAKE_C) services/static-webserver/client follow-dev-logs
@@ -358,6 +369,7 @@ ifeq ($(target),)
 	@$(MAKE_C) services/dask-sidecar certificates
 	# Deploy stack $(SWARM_STACK_NAME)
 	@docker stack deploy --detach=true --with-registry-auth -c $< $(SWARM_STACK_NAME)
+	@$(MAKE) .deploy-vendors
 	@$(MAKE) .deploy-ops
 else
 	# deploys ONLY $(target) service
@@ -369,6 +381,7 @@ up-version: .stack-simcore-version.yml .init-swarm ## Deploys versioned stack '$
 	@$(MAKE_C) services/dask-sidecar certificates
 	# Deploy stack $(SWARM_STACK_NAME)
 	@docker stack deploy --detach=true --with-registry-auth -c $< $(SWARM_STACK_NAME)
+	@$(MAKE) .deploy-vendors
 	@$(MAKE) .deploy-ops
 	@$(_show_endpoints)
 

api/specs/web-server/_auth.py

@@ -19,6 +19,7 @@
 from simcore_service_webserver._meta import API_VTAG
 from simcore_service_webserver.login._2fa_handlers import Resend2faBody
 from simcore_service_webserver.login._auth_handlers import (
+    CheckAuthBody,
     LoginBody,
     LoginNextPage,
     LoginTwoFactorAuthBody,
@@ -155,6 +156,21 @@ async def logout(_body: LogoutBody):
     """user logout"""
 
 
+@router.get(
+    "/auth:check",
+    response_model=Envelope[CheckAuthBody],
+    operation_id="check_authentication",
+    responses={
+        status.HTTP_401_UNAUTHORIZED: {
+            "model": Envelope[Error],
+            "description": "unauthorized reset due to invalid token code",
+        }
+    },
+)
+async def check_auth():
+    """checks if user is autheticated in the platform"""
+
+
 @router.post(
     "/auth/reset-password",
     response_model=Envelope[Log],

services/director-v2/src/simcore_service_director_v2/core/dynamic_services_settings/__init__.py

@@ -1,5 +1,6 @@
 from pydantic import Field
 from settings_library.base import BaseCustomSettings
+from settings_library.webserver import WebServerSettings
 
 from .egress_proxy import EgressProxySettings
 from .proxy import DynamicSidecarProxySettings
@@ -29,3 +30,5 @@ class DynamicServicesSettings(BaseCustomSettings):
     DYNAMIC_SIDECAR_PLACEMENT_SETTINGS: PlacementSettings = Field(
         auto_default_from_env=True
     )
+
+    WEBSERVER_SETTINGS: WebServerSettings = Field(auto_default_from_env=True)

services/director-v2/src/simcore_service_director_v2/modules/dynamic_sidecar/docker_service_specs/proxy.py

@@ -9,6 +9,8 @@
 )
 from pydantic import ByteSize
 from servicelib.common_headers import X_SIMCORE_USER_AGENT
+from settings_library import webserver
+from settings_library.utils_session import DEFAULT_SESSION_COOKIE_NAME
 
 from ....core.dynamic_services_settings import DynamicServicesSettings
 from ....core.dynamic_services_settings.proxy import DynamicSidecarProxySettings
@@ -43,6 +45,9 @@ def get_dynamic_proxy_spec(
     dynamic_services_scheduler_settings: DynamicServicesSchedulerSettings = (
         dynamic_services_settings.DYNAMIC_SCHEDULER
     )
+    webserver_settings: webserver.WebServerSettings = (
+        dynamic_services_settings.WEBSERVER_SETTINGS
+    )
 
     mounts = [
         # docker socket needed to use the docker api
@@ -77,9 +82,11 @@ def get_dynamic_proxy_spec(
             "io.simcore.zone": f"{dynamic_services_scheduler_settings.TRAEFIK_SIMCORE_ZONE}",
             "traefik.docker.network": swarm_network_name,
             "traefik.enable": "true",
+            # security
+            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accesscontrolallowcredentials": "true",
             f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.customresponseheaders.Content-Security-Policy": f"frame-ancestors {scheduler_data.request_dns} {scheduler_data.node_uuid}.services.{scheduler_data.request_dns}",
             f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT,POST,DELETE,PATCH,HEAD",
-            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accesscontrolallowheaders": f"{X_SIMCORE_USER_AGENT}",
+            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accesscontrolallowheaders": f"{X_SIMCORE_USER_AGENT},Set-Cookie",
             f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accessControlAllowOriginList": ",".join(
                 [
                     f"{scheduler_data.request_scheme}://{scheduler_data.request_dns}",
@@ -88,11 +95,22 @@ def get_dynamic_proxy_spec(
             ),
             f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.accesscontrolmaxage": "100",
             f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-security-headers.headers.addvaryheader": "true",
+            # auth
+            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-auth.forwardauth.address": f"{webserver_settings.api_base_url}/auth:check",
+            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-auth.forwardauth.trustForwardHeader": "true",
+            f"traefik.http.middlewares.{scheduler_data.proxy_service_name}-auth.forwardauth.authResponseHeaders": f"Set-Cookie,{DEFAULT_SESSION_COOKIE_NAME}",
+            # routing
             f"traefik.http.services.{scheduler_data.proxy_service_name}.loadbalancer.server.port": "80",
             f"traefik.http.routers.{scheduler_data.proxy_service_name}.entrypoints": "http",
             f"traefik.http.routers.{scheduler_data.proxy_service_name}.priority": "10",
             f"traefik.http.routers.{scheduler_data.proxy_service_name}.rule": rf"HostRegexp(`{scheduler_data.node_uuid}\.services\.(?P<host>.+)`)",
-            f"traefik.http.routers.{scheduler_data.proxy_service_name}.middlewares": f"{dynamic_services_scheduler_settings.SWARM_STACK_NAME}_gzip@swarm, {scheduler_data.proxy_service_name}-security-headers",
+            f"traefik.http.routers.{scheduler_data.proxy_service_name}.middlewares": ",".join(
+                [
+                    f"{dynamic_services_scheduler_settings.SWARM_STACK_NAME}_gzip@swarm",
+                    f"{scheduler_data.proxy_service_name}-security-headers",
+                    f"{scheduler_data.proxy_service_name}-auth",
+                ]
+            ),
             "dynamic_type": "dynamic-sidecar",  # tagged as dynamic service
         }
         | StandardSimcoreDockerLabels(

services/docker-compose-dev-vendors.yml

@@ -0,0 +1,36 @@
+
+# NOTE: this stack is only for development and testing of vendor services.
+# the actualy code is deployed inside the ops repository.
+
+services:
+
+  manual:
+    image: ${VENDOR_DEV_MANUAL_IMAGE}
+    init: true
+    hostname: "{{.Node.Hostname}}-{{.Task.Slot}}"
+    deploy:
+      replicas: ${VENDOR_DEV_MANUAL_REPLICAS}
+      labels:
+        - io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}
+        - traefik.enable=true
+        - traefik.docker.network=${SWARM_STACK_NAME}_default
+        # auth
+        - traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.address=http://${WEBSERVER_HOST}:${WEBSERVER_PORT}/v0/auth:check
+        - traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.trustForwardHeader=true
+        - traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc
+        # routing
+        - traefik.http.services.${SWARM_STACK_NAME}_manual.loadbalancer.server.port=80
+        - traefik.http.services.${SWARM_STACK_NAME}_manual.loadbalancer.healthcheck.path=/
+        - traefik.http.services.${SWARM_STACK_NAME}_manual.loadbalancer.healthcheck.interval=2000ms
+        - traefik.http.services.${SWARM_STACK_NAME}_manual.loadbalancer.healthcheck.timeout=1000ms
+        - traefik.http.routers.${SWARM_STACK_NAME}_manual.entrypoints=http
+        - traefik.http.routers.${SWARM_STACK_NAME}_manual.priority=10
+        - traefik.http.routers.${SWARM_STACK_NAME}_manual.rule=HostRegexp(`${VENDOR_DEV_MANUAL_SUBDOMAIN}\.(?P<host>.+)`)
+        - traefik.http.routers.${SWARM_STACK_NAME}_manual.middlewares=${SWARM_STACK_NAME}_gzip@swarm, ${SWARM_STACK_NAME}_manual-auth
+    networks:
+      - simcore_default
+
+networks:
+  simcore_default:
+    name: ${SWARM_STACK_NAME}_default
+    external: true

services/docker-compose.yml

@@ -379,6 +379,9 @@ services:
       TRAEFIK_SIMCORE_ZONE: ${TRAEFIK_SIMCORE_ZONE}
       TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT: ${TRACING_OPENTELEMETRY_COLLECTOR_ENDPOINT}
       TRACING_OPENTELEMETRY_COLLECTOR_PORT: ${TRACING_OPENTELEMETRY_COLLECTOR_PORT}
+
+      WEBSERVER_HOST: ${WEBSERVER_HOST}
+      WEBSERVER_PORT: ${WEBSERVER_PORT}
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
     deploy:

services/static-webserver/client/source/class/osparc/data/model/IframeHandler.js

@@ -329,7 +329,7 @@ qx.Class.define("osparc.data.model.IframeHandler", {
         if (osparc.utils.Utils.isDevelopmentPlatform()) {
           console.log("Connecting: about to fetch", srvUrl);
         }
-        fetch(srvUrl)
+        fetch(srvUrl, {credentials: "include"})
           .then(response => {
             if (osparc.utils.Utils.isDevelopmentPlatform()) {
               console.log("Connecting: fetch's response status", response.status);

services/web/server/src/simcore_service_webserver/api/v0/openapi.yaml

@@ -233,6 +233,26 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Envelope_Log_'
+  /v0/auth:check:
+    get:
+      tags:
+      - auth
+      summary: Check Auth
+      description: checks if user is autheticated in the platform
+      operationId: check_authentication
+      responses:
+        '200':
+          description: Successful Response
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Envelope_CheckAuthBody_'
+        '401':
+          description: unauthorized reset due to invalid token code
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Envelope_Error_'
   /v0/auth/reset-password:
     post:
       tags:
@@ -6467,6 +6487,10 @@ components:
           format: password
           writeOnly: true
       additionalProperties: false
+    CheckAuthBody:
+      title: CheckAuthBody
+      type: object
+      properties: {}
     CheckpointAnnotations:
       title: CheckpointAnnotations
       type: object
@@ -7116,6 +7140,14 @@ components:
           $ref: '#/components/schemas/CatalogServiceGet'
         error:
           title: Error
+    Envelope_CheckAuthBody_:
+      title: Envelope[CheckAuthBody]
+      type: object
+      properties:
+        data:
+          $ref: '#/components/schemas/CheckAuthBody'
+        error:
+          title: Error
     Envelope_CheckpointApiModel_:
       title: Envelope[CheckpointApiModel]
       type: object

services/web/server/src/simcore_service_webserver/login/_auth_handlers.py

@@ -77,6 +77,10 @@ class LoginNextPage(NextPage[CodePageParams]):
     ...
 
 
+class CheckAuthBody(BaseModel):
+    ...
+
+
 @routes.post(f"/{API_VTAG}/auth/login", name="auth_login")
 @on_success_grant_session_access_to(
     name="auth_register_phone",
@@ -300,3 +304,18 @@ async def logout(request: web.Request) -> web.Response:
         await forget_identity(request, response)
 
         return response
+
+
+@routes.get(f"/{API_VTAG}/auth:check", name="check_authentication")
+@login_required
+async def check_auth(request: web.Request) -> web.Response:
+    # lightweight endpoint for checking if users are authenticated
+    # used primarily by Traefik auth middleware to verify session cookies
+
+    # NOTE: for future development
+    # if databse access is added here, services like jupyter-math
+    # which load a lot of resources will have a big performance hit
+    # consider caching some properties required by this endpoit or rely on Redis
+
+    _ = request
+    return envelope_response(CheckAuthBody())

services/web/server/src/simcore_service_webserver/session/plugin.py

@@ -3,6 +3,7 @@
 """
 
 import logging
+import time
 
 import aiohttp_session
 from aiohttp import web
@@ -15,6 +16,45 @@
 _logger = logging.getLogger(__name__)
 
 
+class SharedCookieEncryptedCookieStorage(EncryptedCookieStorage):
+    async def save_session(
+        self,
+        request: web.Request,
+        response: web.StreamResponse,
+        session: aiohttp_session.Session,
+    ) -> None:
+        # link response to originating request (allows to detect the orginal request url)
+        response._req = request  # pylint:disable=protected-access  # noqa: SLF001
+
+        await super().save_session(request, response, session)
+
+    def save_cookie(
+        self,
+        response: web.StreamResponse,
+        cookie_data: str,
+        *,
+        max_age: int | None = None,
+    ) -> None:
+        params = self._cookie_params.copy()
+
+        # share cookie accross all subdomains
+        # overwrite domain from `None` (browser sets `example.com`) to `.example.com`
+        request = response._req  # pylint:disable=protected-access  # noqa: SLF001
+        assert isinstance(request, web.Request)  # nosec
+        params["domain"] = f".{request.url.host}"
+
+        if max_age is not None:
+            params["max_age"] = max_age
+            t = time.gmtime(time.time() + max_age)
+            params["expires"] = time.strftime("%a, %d-%b-%Y %T GMT", t)
+        if not cookie_data:
+            response.del_cookie(
+                self._cookie_name, domain=params["domain"], path=params["path"]
+            )
+        else:
+            response.set_cookie(self._cookie_name, cookie_data, **params)
+
+
 @app_module_setup(
     __name__, ModuleCategory.ADDON, settings_name="WEBSERVER_SESSION", logger=_logger
 )
@@ -34,7 +74,7 @@ def setup_session(app: web.Application):
     #
 
     # SEE https://aiohttp-session.readthedocs.io/en/latest/reference.html#abstract-storage
-    encrypted_cookie_sessions = EncryptedCookieStorage(
+    encrypted_cookie_sessions = SharedCookieEncryptedCookieStorage(
         secret_key=settings.SESSION_SECRET_KEY.get_secret_value(),
         cookie_name=DEFAULT_SESSION_COOKIE_NAME,
         secure=settings.SESSION_COOKIE_SECURE,

services/web/server/tests/unit/with_dbs/03/login/test_login_registration_handlers.py

@@ -63,6 +63,22 @@ def mocked_captcha_session(mocker: MockerFixture) -> MagicMock:
     )
 
 
+@pytest.mark.parametrize(
+    "user_role", [role for role in UserRole if role >= UserRole.USER]
+)
+async def test_check_auth(client: TestClient, logged_user: UserInfoDict):
+    assert client.app
+
+    response = await client.get("/v0/auth:check")
+    await assert_status(response, status.HTTP_200_OK)
+
+    response = await client.post("/v0/auth/logout")
+    await assert_status(response, status.HTTP_200_OK)
+
+    response = await client.get("/v0/auth:check")
+    await assert_status(response, status.HTTP_401_UNAUTHORIZED)
+
+
 @pytest.mark.parametrize(
     "user_role", [role for role in UserRole if role >= UserRole.USER]
 )