feat(5388): Allow multiple external URLs for SSO access

[ClifHouck]

My organization has interest in getting this functionality merged, so I'm taking up the mantle. I've re-based the original PR on current (79b18e0) master. This currently builds, but tests do not pass. I'll be back online next week to fix tests, verify functionality of this change, and respond to any existing review comments from the original PR.

Preserving the original PR note here for reference:

With #4780, were introduced security measures to ensure the return_url is pointing to the current ArgoCD instance.

In several occasions, an ArgoCD isntance could be exposed through multiple network connections. Internal addresses and restricted public addresses.

Currently, a single base URL can be configured in the the argocd configmap, preventing from exposing ArgoCD on several access paths.

This change allows to define multiple hosts on which ArgoCD can be exposed, keeping backward compatibility by adding a field additionalUrls accepting a list of additional URLS on which argoCD can be exposed

Fixes #5388

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[agaudreault]

@ClifHouck make sure to adress the review in #14208 (review). You can switch the PR to draft until the test are passing and everything is implemented. Thanks for taking up the mantle! 💪

[codecov]

Codecov Report

Attention: Patch coverage is 73.07692% with 14 lines in your changes missing coverage. Please review.

Project coverage is 52.78%. Comparing base (6cc898f) to head (79555cd).
Report is 506 commits behind head on master.

Files with missing lines	Patch %	Lines
util/settings/settings.go	85.18%	2 Missing and 2 partials ⚠️
server/server.go	25.00%	3 Missing ⚠️
util/oidc/oidc.go	72.72%	2 Missing and 1 partial ⚠️
server/logout/logout.go	33.33%	1 Missing and 1 partial ⚠️
util/dex/config.go	71.42%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #18927      +/-   ##
==========================================
+ Coverage   50.70%   52.78%   +2.08%     
==========================================
  Files         316      316              
  Lines       43496    43579      +83     
==========================================
+ Hits        22054    23005     +951     
+ Misses      18930    18025     -905     
- Partials     2512     2549      +37     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ClifHouck]

Regarding this last comment: https://github.com/argoproj/argo-cd/pull/14208/files#r1638649274 it seems like Dex is not using the new URLs setting. So I removed that addition.

[ClifHouck]

It seems like the request object is needed here. Re: https://github.com/argoproj/argo-cd/pull/14208/files#r1638640243

[ClifHouck]

Corrected messages here, re: https://github.com/argoproj/argo-cd/pull/14208/files#r1638642960

[ClifHouck]

@agaudreault I think I've addressed the comments you had on the previous PR. Except this:

I think the feature should be documented in the ArgoCD https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/ documentation.

Agreed. I can add some documentation around this feature.

Is url deprecated? are urls valid on their own or only additional urls? Is this feature supported by all identity providers, or only by OIDC?

@tjamet What do you think about the questions posed above?

[ClifHouck]

What do I need to about the license compliance failing? Is there a contributor agreement I need to sign?

[tjamet]

@agaudreault I think I've addressed the comments you had on the previous PR. Except this:

I think the feature should be documented in the ArgoCD https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/ documentation.

Agreed. I can add some documentation around this feature.

Is url deprecated? are urls valid on their own or only additional urls? Is this feature supported by all identity providers, or only by OIDC?

@tjamet What do you think about the questions posed above?

Hi!

Yes, it should be documented, happy to help doing so.

About the deprecation, this was my idea at the beginning but I faced some issues as url seemed used for more things. I will take a second look

[ClifHouck]

@tjamet Any updates?

[agaudreault]

I think the feature must be documented in the ArgoCD argo-cd.readthedocs.io/en/stable/operator-manual/user-management documentation.

[ClifHouck]

Added some short documentation in the user-management doc

[agaudreault]

Probably missing a log.Warnf("unable to find ArgoCD URL from request: %v", err)

[ClifHouck]

Added warning.

[agaudreault]

To provide feature parity, Dex should be configured to use all the urls as valid redirectUrls in

argo-cd/util/dex/config.go

Lines 62 to 64 in fe9aa54

	"redirectURIs": []string{
	redirectURL,
	},

and reload the config when fields are modified. Not sure if that will fully work because you can have multiple urls only between argo<->dex, but it seems only one is supported by dex between dex<->idp. If it does not, perhaps moving that config tooidc.config will be better.

[ClifHouck]

I think I've updated dex to at least load the additional URLs with the proper callback endpoint appended.

I've also handled config reload when settings.AdditionalURLs is modified.

[agaudreault]

Since this field does not replace the url field, I think it will be clearer if it is renamed to additionalUrls

[ClifHouck]

Renamed.

[tjamet]

@tjamet Any updates?

Taking a second look, indeed, URL is used to register in dex, and the update to replace by the new proposed list is not that trivial.

Eventually, a decision to deprecate the url config in favour of a list could be taken in the future

[ClifHouck]

I believe I've addressed everything brought up so far, and re-based on latest master e2c5a55 for good measure. Not sure what to do about the linter failing on files I haven't changed.

[ClifHouck]

Also need guidance on what to do about the license compliance check.

[agaudreault]

Also need guidance on what to do about the license compliance check.

@ClifHouck You can ignore that.

[agaudreault]

LGTM. Added in my sprint to give it a try internally, for both dex and native oidc. I should be able to test tomorrow.

[ClifHouck]

LGTM. Added in my sprint to give it a try internally, for both dex and native oidc. I should be able to test tomorrow.

Thank you!

[agaudreault]

@ClifHouck Have you tested this image on an actual deployment? I am getting constant Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided. Might be a configuration problem on my part, but everything looks as expected. I am testing with the native oidc auth.

[ClifHouck]

@ClifHouck Have you tested this image on an actual deployment? I am getting constant Invalid redirect URL: the protocol and host (including port) must match and the path must be within allowed URLs if provided. Might be a configuration problem on my part, but everything looks as expected. I am testing with the native oidc auth.

No, but I thought the included additional tests of the original PR would've covered this case. I'll setup an environment to do more in-depth testing. I may not be able to complete this before leaving for vacation though. I'll be back online on August 12th.

[agaudreault]

Using the correct value from config, it is working for dex+oidc and native oidc. 🎉

[agaudreault]

Lgtm @ishitasequeira

[ishitasequeira]

Thanks @ClifHouck for the PR!! and Thanks @agaudreault for the review!!

[alexmt]

LGTM

[akloss-cibo]

Any thoughts about when this will be in a tagged release?

[dave-gantenbein]

@ishitasequeira - we could really use a tagged release that contains this change, any idea when that might happen?

[blakepettersson]

This will be in 2.13.