Fix the ansible variables, rename some files.

shinyproxy/ansible_vars/nginx.yml

@@ -10,10 +10,13 @@ nginx_disable_content_security_options: true
 nginx_x_frame_options: ''
 nginx_pep_debug_enabled: true
 nginx_conf_remote_snippets:
-  - url: 'https://code-repo.d4science.org/gCubeSystem/d4s-nginx-pep-examples/raw/branch/master/shinyproxy/pep-gcube.js.j2'
-    name: pep_gcube.js
+  - url: 'https://code-repo.d4science.org/gCubeSystem/d4s-nginx-pep-examples/raw/branch/master/shinyproxy/pep.js.j2'
+    name: pep.js
+nginx_conf_remote_global_conf:
   - url: 'https://code-repo.d4science.org/gCubeSystem/d4s-nginx-pep-examples/raw/branch/master/shinyproxy/nginx_pep_gcube.conf.j2'
-    name: nginx_pep_gcube.conf
+    name: nginx_pep_gcube
+  - url: 'https://code-repo.d4science.org/gCubeSystem/d4s-nginx-pep-examples/raw/branch/master/shinyproxy/nginx_pep_global.conf.j2'
+    name: nginx_pep_global
 nginx_virthosts:
   - virthost_name: 'shinyproxy.garr.d4science.org'
     server_name: 'shinyproxy.garr.d4science.org'
@@ -35,7 +38,7 @@ nginx_virthosts:
     proxy_standard_setup: true
     include_global_proxy_conf: true
     proxy_additional_options:
-      - 'proxy_cache_path /tmp/shinyproxy_sdg levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off'
+      - 'proxy_cache_path /tmp/shinyproxy_sdg levels=1:2 keys_zone=shinyproxy_sdg_cache:10m max_size=10g inactive=60m use_temp_path=off'
     websockets: true
     locations:
       - location: '~ /app/'
@@ -54,7 +57,7 @@ nginx_virthosts:
           - 'gunzip on'
           - 'proxy_set_header  Authorization "{{ keycloak_auth_credentials_prod }}"'
           - 'proxy_set_header  Content-Type "application/x-www-form-urlencoded"'
-          - 'proxy_cache           social_cache'
+          - 'proxy_cache           shinyproxy_sdg_cache'
           - 'proxy_cache_key       $source_auth'
           - 'proxy_cache_lock      on'
           - 'proxy_cache_valid     200 10s'
@@ -89,6 +92,6 @@ nginx_virthosts:
           - 'proxy_method      GET'
           - 'gunzip on'
           - 'proxy_set_header  gcube-token "$auth_token"'
-          - 'proxy_cache           social_cache'
+          - 'proxy_cache           shinyproxy_sdg_cache'
           - 'proxy_cache_key       $auth_token'
 

shinyproxy/nginx_pep_gcube.conf.j2

@@ -2,6 +2,6 @@
 js_var $auth_token;
 js_var $account_record;
 
-js_import /etc/nginx/snippets/pep_gcube.js;
+js_import /etc/nginx/snippets/pep.js;
 # added to bind enforce function
 js_set $authorization pep.enforce;

shinyproxy/pep.js.j2

@@ -13,45 +13,49 @@ function enforce(r) {
   var context = {
     request: r
   }
-  
+
   log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
   context.authn = {}
-  context.authn.token = getBearerToken(context)
+  context.authn.token = getGCubeToken(context)
   if(context.authn.token != null){
     debug(context, "[PEP] token is " + context.authn.token)
     exportVariable(context, "auth_token", context.authn.token)
-    verifyToken(context)
+    verifyGCubeToken(context)
     .then(ctx=>{
-        const jwt = context.authn.verified_token
-        debug(context, "[PEP] Token is valid:" + njs.dump(jwt))
-        if(!checkAudience(context, jwt.aud)){
-          debug(context, "[PEP] Unathorized context " + jwt.aud)
-          throw new Error("Unauthorized")
+        debug(context, "[PEP] Token is valid:" + njs.dump(context.userinfo))
+        if(!checkAudience(context, context.userinfo.context)){
+          throw new Error("Unauthorized context")
         }
-        context.userinfo = { username : jwt.preferred_username }
         return Promise.resolve(context)
     }).then(ctx => {
       debug(context, "[HOMESERV] creating home for username " + context.userinfo.username)
       return context.request.subrequest("/_homeserv", {"body" : "user=" + context.userinfo.username })
     }).then(reply => {
       if(reply.status !== 200){
-	      throw new Error("Unauthorized: Unable to create home for user")
+        throw new Error("Unauthorized: Unable to create home for user")
       }
       context.record = buildAccountingRecord(context)
       return context.request.subrequest("/_backend", { method : context.request.method, args : context.request.args, headers : context.request.headersIn})
-    }).then(reply=>{ 
+    }).then(reply=>{
       debug(context, "[SHINYPROXY] response status: " + reply.status)
-      closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204))
+      copyHeaders(context, reply.headersOut, r.headersOut)
+      closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204 || reply.status === 302))
       context.request.subrequest("/_accounting", { detached : true, body : JSON.stringify(context.record) })
       r.return(reply.status, reply.responseBody)
     }).catch(e => { log(context, "Error .... " + njs.dump(e)); context.request.return(e.message === "Unauthorized" ? 403 : 500)} )
-  
+
     return
-  } 
+  }
 
   r.return(401, "Authorization required")
 }
 
+function copyHeaders(context, hin, hout){
+  for (var h in hin) {
+    hout[h] = hin[h];
+  }
+}
+
 function getBearerToken(context){
   if (context.request.headersIn['Authorization']){
     return context.request.headersIn['Authorization'].split(/Bearer\s+/)[1];
@@ -59,8 +63,17 @@ function getBearerToken(context){
   return null;
 }
 
+function getGCubeToken(context){
+  if(context.request.args["gcube-token"]){
+    return context.request.args["gcube-token"];
+  }else if (context.request.headersIn['gcube-token']){
+    return context.request.headersIn['gcube-token'];
+  }
+  return null;
+}
+
 function checkAudience(context, aud){
-  context.log("Audience to verify is " + njs.dump(aud))
+  debug(context, "Audience to verify is " + aud)
   return true
 }
 
@@ -78,14 +91,14 @@ function buildAccountingRecord(context){
     "serviceName": context.request.uri.split("app/")[1],
     "duration": 0,
     "maxInvocationTime": 0,
-    "scope": context.verified_token.aud,
-    "host": icontext.request.host,
+    "scope": context.userinfo.context,
+    "host": context.request.host,
     "startTime": t,
     "id": uuid(),
     "calledMethod": context.request.method + " " + context.request.uri,
     "endTime": 0,
     "minInvocationTime": 0,
-    "operationResult": null 
+    "operationResult": null
   }
 }
 
@@ -109,7 +122,7 @@ function exportVariable(context, name, value){
   return context
 }
 
-function verifyToken(context){
+function verifyiBearerToken(context){
   debug(context, "Inside verifyToken")
   var options = {
     "body" : "token=" + context.authn.token + "&token_type_hint=access_token"
@@ -134,3 +147,19 @@ function verifyToken(context){
     })
 }
 
+function verifyGCubeToken(context){
+  return context.request.subrequest("/_gcube_user_info")
+    .then(reply=>{
+      if (reply.status === 200) {
+        debug(context, "[Social Service] got response " + reply.responseBody)
+        var response = JSON.parse(reply.responseBody);
+        return response
+      } else {
+        debug(context, "[Social Service] failed " + reply.status + ":" + reply.responseBody)
+        throw new Error("Unauthorized")
+      }
+    }).then(response => {
+      context.userinfo = response.result
+      return context
+    })
+}

shinyproxy/pep_jwt.js.j2

@@ -13,49 +13,45 @@ function enforce(r) {
   var context = {
     request: r
   }
-
+  
   log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
   context.authn = {}
-  context.authn.token = getGCubeToken(context)
+  context.authn.token = getBearerToken(context)
   if(context.authn.token != null){
     debug(context, "[PEP] token is " + context.authn.token)
     exportVariable(context, "auth_token", context.authn.token)
-    verifyGCubeToken(context)
+    verifyToken(context)
     .then(ctx=>{
-        debug(context, "[PEP] Token is valid:" + njs.dump(context.userinfo))
-        if(!checkAudience(context, context.userinfo.context)){
-          throw new Error("Unauthorized context")
+        const jwt = context.authn.verified_token
+        debug(context, "[PEP] Token is valid:" + njs.dump(jwt))
+        if(!checkAudience(context, jwt.aud)){
+          debug(context, "[PEP] Unathorized context " + jwt.aud)
+          throw new Error("Unauthorized")
         }
+        context.userinfo = { username : jwt.preferred_username }
         return Promise.resolve(context)
     }).then(ctx => {
       debug(context, "[HOMESERV] creating home for username " + context.userinfo.username)
       return context.request.subrequest("/_homeserv", {"body" : "user=" + context.userinfo.username })
     }).then(reply => {
       if(reply.status !== 200){
-        throw new Error("Unauthorized: Unable to create home for user")
+	      throw new Error("Unauthorized: Unable to create home for user")
       }
       context.record = buildAccountingRecord(context)
       return context.request.subrequest("/_backend", { method : context.request.method, args : context.request.args, headers : context.request.headersIn})
-    }).then(reply=>{
+    }).then(reply=>{ 
       debug(context, "[SHINYPROXY] response status: " + reply.status)
-      copyHeaders(context, reply.headersOut, r.headersOut)
-      closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204 || reply.status === 302))
+      closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204))
       context.request.subrequest("/_accounting", { detached : true, body : JSON.stringify(context.record) })
       r.return(reply.status, reply.responseBody)
     }).catch(e => { log(context, "Error .... " + njs.dump(e)); context.request.return(e.message === "Unauthorized" ? 403 : 500)} )
-
+  
     return
-  }
+  } 
 
   r.return(401, "Authorization required")
 }
 
-function copyHeaders(context, hin, hout){
-  for (var h in hin) {
-    hout[h] = hin[h];
-  }
-}
-
 function getBearerToken(context){
   if (context.request.headersIn['Authorization']){
     return context.request.headersIn['Authorization'].split(/Bearer\s+/)[1];
@@ -63,17 +59,8 @@ function getBearerToken(context){
   return null;
 }
 
-function getGCubeToken(context){
-  if(context.request.args["gcube-token"]){
-    return context.request.args["gcube-token"];
-  }else if (context.request.headersIn['gcube-token']){
-    return context.request.headersIn['gcube-token'];
-  }
-  return null;
-}
-
 function checkAudience(context, aud){
-  debug(context, "Audience to verify is " + aud)
+  context.log("Audience to verify is " + njs.dump(aud))
   return true
 }
 
@@ -91,14 +78,14 @@ function buildAccountingRecord(context){
     "serviceName": context.request.uri.split("app/")[1],
     "duration": 0,
     "maxInvocationTime": 0,
-    "scope": context.userinfo.context,
-    "host": context.request.host,
+    "scope": context.verified_token.aud,
+    "host": icontext.request.host,
     "startTime": t,
     "id": uuid(),
     "calledMethod": context.request.method + " " + context.request.uri,
     "endTime": 0,
     "minInvocationTime": 0,
-    "operationResult": null
+    "operationResult": null 
   }
 }
 
@@ -122,7 +109,7 @@ function exportVariable(context, name, value){
   return context
 }
 
-function verifyiBearerToken(context){
+function verifyToken(context){
   debug(context, "Inside verifyToken")
   var options = {
     "body" : "token=" + context.authn.token + "&token_type_hint=access_token"
@@ -147,19 +134,3 @@ function verifyiBearerToken(context){
     })
 }
 
-function verifyGCubeToken(context){
-  return context.request.subrequest("/_gcube_user_info")
-    .then(reply=>{
-      if (reply.status === 200) {
-        debug(context, "[Social Service] got response " + reply.responseBody)
-        var response = JSON.parse(reply.responseBody);
-        return response
-      } else {
-        debug(context, "[Social Service] failed " + reply.status + ":" + reply.responseBody)
-        throw new Error("Unauthorized")
-      }
-    }).then(response => {
-      context.userinfo = response.result
-      return context
-    })
-}