Convert ckan provider to ckan Auth plugin

CHANGES.md

@@ -23,6 +23,13 @@
 -   Turn off `Open In National Map` Button for Internal Storage data file Link
 -   Use [magda-preview-map](https://github.com/magda-io/magda-preview-map) v0.0.58
 -   Fixed: Dataset Creation Tool may not always capture format properly #3001
+-   Add Authentication Plugin Support to Gateway & UI
+-   Authentication Plugin Documentation
+-   Publish AuthApiClient as a NPM package
+-   Publish Authentication Plugin SDK as a NPM package
+-   Publish create-secrets tool as a NPM package
+-   Replace google auth provider with auth plugin [magda-auth-google](https://github.com/magda-io/magda-auth-google)
+-   Replace ckan auth provider with auth plugin [magda-auth-ckan](https://github.com/magda-io/magda-auth-ckan)
 
 ## 0.0.57
 

deploy/helm/local-deployment/Chart.lock

@@ -5,6 +5,9 @@ dependencies:
 - name: magda-auth-google
   repository: https://charts.magda.io
   version: 1.0.0
+- name: magda-auth-ckan
+  repository: https://charts.magda.io
+  version: 1.0.0
 - name: magda-ckan-connector
   repository: https://charts.magda.io
   version: 0.0.57-0
@@ -104,5 +107,5 @@ dependencies:
 - name: magda-project-open-data-connector
   repository: https://charts.magda.io
   version: 0.0.57-0
-digest: sha256:f9d6c8a4839b99f18c6b57281a52bfe911cb467e04d05bd0c1856532b1820e71
-generated: "2020-10-23T00:26:35.281893+11:00"
+digest: sha256:f22bfd0054f50405970f4c8984570bb5f5ee07deb030dc6d29013d13b49da305
+generated: "2020-10-28T21:22:32.375466+11:00"

deploy/helm/local-deployment/Chart.yaml

@@ -14,6 +14,13 @@ dependencies:
     tags:
       - all
       - magda-auth-google
+
+  - name: magda-auth-ckan
+    version: 1.0.0
+    repository: https://charts.magda.io
+    tags:
+      - all
+      - magda-auth-ckan
 
   ## Data.gov.au connector to provide some initial data. Remove this if you
   ## don't want any data.gov.au connector

deploy/helm/magda-dev.yml

@@ -67,12 +67,13 @@ magda:
       auth:
         facebookClientId: "173073926555600"
         arcgisClientId: "d0MgVUbbg5Z6vmWo"
-        ckanAuthenticationUrl: https://data.gov.au/data
         vanguardWsFedIdpUrl: https://thirdparty.authentication.business.gov.au/fas/v2/wsfed12/authenticate
         vanguardWsFedRealm: https://environment.magda.io/integration-test-2
       authPlugins:
       - key: google
         baseUrl: http://magda-auth-google
+      - key: ckan
+        baseUrl: http://magda-auth-ckan
       cors:
         credentials: true
         origin: true
@@ -176,6 +177,16 @@ magda-auth-google:
     tag: 1.0.0
     repository: docker.io/data61
 
+magda-auth-ckan:
+  ckanUrl: "https://data.gov.au/data"
+  authPluginConfig:
+    name: "Data.gov.au"
+    loginFormExtraInfoHeading: "Register"
+    loginFormExtraInfoContent: "To register a new [data.gov.au](https://data.gov.au/) account, [click here](https://data.gov.au/data/user/register)"
+  image:
+    tag: 1.0.0
+    repository: docker.io/data61
+
 # Connectors settings is built in local-deployment chart value file but you can override as the followings:
 # e.g. dga connector:
 # connector-dga:

deploy/helm/minikube-dev.yml

@@ -69,10 +69,11 @@ magda:
       auth:
         facebookClientId: "173073926555600"
         arcgisClientId: "d0MgVUbbg5Z6vmWo"
-        ckanAuthenticationUrl: https://data.gov.au/data
       authPlugins:
       - key: google
         baseUrl: http://magda-auth-google
+      - key: ckan
+        baseUrl: http://magda-auth-ckan
 
     registry-api:
       skipAuthorization: false
@@ -141,6 +142,16 @@ connector-dga:
 
 magda-auth-google:
   googleClientId: "275237095477-f7ej2gsvbl2alb8bcqcn7r5jk0ur719p.apps.googleusercontent.com"
+  image:
+    tag: 1.0.0
+    repository: docker.io/data61
+
+magda-auth-ckan:
+  ckanUrl: "https://data.gov.au/data"
+  authPluginConfig:
+    name: "Data.gov.au"
+    loginFormExtraInfoHeading: "Register"
+    loginFormExtraInfoContent: "To register a new [data.gov.au](https://data.gov.au/) account, [click here](https://data.gov.au/data/user/register)"
   image:
     tag: 1.0.0
     repository: docker.io/data61

deploy/helm/preview-multi-tenant.yml

@@ -57,10 +57,11 @@ magda:
       enableHttpsRedirection: true
       auth:
         facebookClientId: "173073926555600"
-        ckanAuthenticationUrl: https://data.gov.au/data
       authPlugins:
       - key: google
         baseUrl: http://magda-auth-google
+      - key: ckan
+        baseUrl: http://magda-auth-ckan
       autoscaler:
         enabled: false
       helmet:
@@ -144,6 +145,16 @@ magda:
 # auth plugin for google
 magda-auth-google:
   googleClientId: "275237095477-f7ej2gsvbl2alb8bcqcn7r5jk0ur719p.apps.googleusercontent.com"
+  image:
+    tag: 1.0.0
+    repository: docker.io/data61
+
+magda-auth-ckan:
+  ckanUrl: "https://data.gov.au/data"
+  authPluginConfig:
+    name: "Data.gov.au"
+    loginFormExtraInfoHeading: "Register"
+    loginFormExtraInfoContent: "To register a new [data.gov.au](https://data.gov.au/) account, [click here](https://data.gov.au/data/user/register)"
   image:
     tag: 1.0.0
     repository: docker.io/data61

deploy/helm/preview.yml

@@ -51,12 +51,13 @@ magda:
       auth:
         facebookClientId: "173073926555600"
         arcgisClientId: "d0MgVUbbg5Z6vmWo"
-        ckanAuthenticationUrl: https://data.gov.au/data
         vanguardWsFedIdpUrl: https://thirdparty.authentication.business.gov.au/fas/v2/wsfed12/authenticate
         vanguardWsFedRealm: https://environment.magda.io/integration-test-2
       authPlugins:
       - key: google
         baseUrl: http://magda-auth-google
+      - key: ckan
+        baseUrl: http://magda-auth-ckan
       autoscaler:
         enabled: false
       helmet:
@@ -146,6 +147,16 @@ magda:
 # auth plugin for google
 magda-auth-google:
   googleClientId: "275237095477-f7ej2gsvbl2alb8bcqcn7r5jk0ur719p.apps.googleusercontent.com"
+  image:
+    tag: 1.0.0
+    repository: docker.io/data61
+
+magda-auth-ckan:
+  ckanUrl: "https://data.gov.au/data"
+  authPluginConfig:
+    name: "Data.gov.au"
+    loginFormExtraInfoHeading: "Register"
+    loginFormExtraInfoContent: "To register a new [data.gov.au](https://data.gov.au/) account, [click here](https://data.gov.au/data/user/register)"
   image:
     tag: 1.0.0
     repository: docker.io/data61

docs/docs/authentication-plugin-spec.md

@@ -16,6 +16,32 @@ The template also comes with CI scripts that can automatically pushing docker im
 
 Magda also provides NPM packages [@magda/authentication-plugin-sdk](https://www.npmjs.com/package/@magda/authentication-plugin-sdk) and [@magda/auth-api-client](https://www.npmjs.com/package/@magda/auth-api-client) that can assit you with implementing your authentication logic.
 
+## Common Parameters Available Through MAGDA
+
+When deploy with MAGDA, here are a list of common paramaters are made available to the authentication plugin via various ways.
+
+### `authPluginRedirectUrl`
+
+This parameter is available through Helm chart value [global.authPluginRedirectUrl](https://github.com/magda-io/magda/blob/master/deploy/helm/magda-core/README.md#user-content-values).
+
+Its default value can be found from [magda-core helm chart document](https://github.com/magda-io/magda/blob/master/deploy/helm/magda-core/README.md#user-content-values).
+
+Once the authentication plugin complete the authentication process, the plugin is required to redirect user agent to the url specified by this parameter.
+
+When redirect the user agent, the plugin can choose to passing the following query parameters:
+
+-   `result`: Possible value: "success" or "failure".
+    -   When the parameter not present, its value should be assumed as "success"
+-   `errorMessage`: error message that should be displayed to the user. Only available when `result`="success".
+
+[authentication-plugin-sdk](https://www.npmjs.com/package/@magda/authentication-plugin-sdk) provides function `redirectOnSuccess`, `redirectOnError` & `getAbsoluteUrl` to generate the redirection.
+
+### Cookie Options
+
+Cookie options are required by [authentication-plugin-sdk](https://www.npmjs.com/package/@magda/authentication-plugin-sdk) to create session that meet Gateway's requirements.
+
+This parameter is made available through [configMaps](https://kubernetes.io/docs/concepts/configuration/configmap/) `gateway-config` key `cookie.json`.
+
 ## Required HTTP endpoints
 
 Your auth plugin can choose to serve any endpioints as you want. All HTTP endpoint will be exposed by Magda Gateway at path `/auth/login/plugin/[your auth plugin key]/*`.
@@ -71,7 +97,9 @@ The GET `/` Endpoint is supported by all authentication plugins types. When acce
 -   if the user has been authenticated already, the endpoint should issue a `302` redirection that redirect the user's web browser to a pre-configured url (Specified by Helm Chart value `global.authPluginRedirectUrl`).
 -   if the user has not been authenticated, the endpoint should:
     -   For `IDP-URI-REDIRECTION` type plugin, the endpoint should issue a `302` redirection to start the authenticaiton process accordingly.
-    -   For `PASSWORD` or `QR-CODE` type plugin, the endpoint should issue a `401` Error.
+    -   For `PASSWORD` or `QR-CODE` type plugin, the endpoint should:
+    -   When the user has been authenticated, redirect user agent to `authPluginRedirectUrl` with `result` set to "success".
+    -   When the user has not been authenticated yet, edirect user agent to `authPluginRedirectUrl` with `result` set to "failure" and `errorMessage` set to "unauthorised".
 
 > If you use [Passport.js](http://www.passportjs.org/) to build your auth plugin, this will be handled via [passport.authenticate() method](http://www.passportjs.org/docs/authenticate/).
 

packages/authentication-plugin-sdk/README.md

@@ -64,4 +64,34 @@ export declare function createOrGetUserToken(
         profile: passport.Profile
     ) => Promise<void>
 ): Promise<UserToken>;
+
+/**
+ * Join `url` with `baseUrl` if `url` is not an absolute url
+ *
+ * @export
+ * @param {string} url
+ * @param {string} baseUrl
+ * @param {{ [key: string]: string }} [optionalQueries]
+ * @returns
+ */
+export declare function getAbsoluteUrl(
+    url: string,
+    baseUrl: string,
+    optionalQueries?: {
+        [key: string]: string;
+    }
+): string;
+
+export declare function redirectOnSuccess(
+    toURL: string,
+    req: Request,
+    res: Response
+): void;
+
+export declare function redirectOnError(
+    err: any,
+    toURL: string,
+    req: Request,
+    res: Response
+): void;
 ```

packages/authentication-plugin-sdk/src/index.ts

@@ -6,6 +6,22 @@ import AuthApiClient, { User, UserToken, Maybe } from "@magda/auth-api-client";
 import passport from "passport";
 import _ from "lodash";
 
+// Put default req.user session data definition here.
+// so that project uses this SDK don't have to always define it
+declare global {
+    namespace Express {
+        /**
+         * This defines magda session data type.
+         * the default session data type is `UserToken` (i.e. only user id field is available and is a compulsory field)
+         * But any auth plugin provider could choose to customise the session by adding more fields (e.g. `arcgis`).
+         * We also make sure it allows extra fields here.
+         */
+        interface User extends UserToken {
+            [key: string]: any;
+        }
+    }
+}
+
 export type MagdaSessionRouterOptions = {
     cookieOptions: SessionCookieOptions;
     sessionSecret: string;