From aefb92804c624e1af1ef8e340d233b1b03b14c68 Mon Sep 17 00:00:00 2001
From: Lubomir Bucek <lubomir.bucek@eox.at>
Date: Wed, 27 Jan 2021 17:16:50 +0100
Subject: [PATCH] WIP update labels for emg staging, allowing more shibboleth in parallel
---
 config/shibboleth/shib-apache.conf | 24 +++++++++++++++++++++-
 docker-compose.base.ops.yml | 4 ++--
 docker-compose.emg.staging.yml | 32 +++++++++++++++++------------
 traefik-dynamic.yml | 7 ++-----
 4 files changed, 45 insertions(+), 22 deletions(-)
diff --git a/config/shibboleth/shib-apache.conf b/config/shibboleth/shib-apache.conf
index 3d00b744..b0f744fc 100755
--- a/config/shibboleth/shib-apache.conf
+++ b/config/shibboleth/shib-apache.conf
@@ -7,11 +7,33 @@ PassEnv APACHE_SERVERNAME
 ServerName "${APACHE_SERVERNAME}"
+ PassEnv PROXY_USER_CATEGORY_ALLOW_RENDERER
+ PassEnv PROXY_USER_CATEGORY_ALLOW_CACHE
 <Location "/Shibboleth.sso">
 SetHandler shib
 </Location>
+ # Internally redirected to here in case of Panda proxy access to renderer
+ <Location /proxy-renderer>
+ <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_RENDERER}/">
+ Require all denied
+ </If>
+ <Else>
+ Require all granted
+ </Else>
+ </Location>
+
+ # Internally redirected to here in case of Panda proxy access to cache
+ <Location /proxy-cache>
+ <If "%{HTTP:Oa-User-Category} !~ /${PROXY_USER_CATEGORY_ALLOW_CACHE}/">
+ Require all denied
+ </If>
+ <Else>
+ Require all granted
+ </Else>
+ </Location>
+
 # Internally redirected to here. Rewrite for proper relaystate in shib
 <Location /secure>
 <If "-n req('Authorization')">
@@ -38,7 +60,7 @@
 </LocationMatch>
 # Match everything not above like /cache or the client
- <LocationMatch "^(?!/(Shibboleth.sso|secure|admin|ows|opensearch))">
+ <LocationMatch "^(?!/(Shibboleth.sso|secure|admin|ows|opensearch|proxy-renderer|proxy-cache))">
 RewriteEngine On
 AuthType shibboleth
 ShibRequestSetting requireSession 1
diff --git a/docker-compose.base.ops.yml b/docker-compose.base.ops.yml
index 6f198777..8c585e0b 100644
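Review bot: The allow-list in both new `<If>` blocks is interpolated into an unanchored regex, `!~ /${PROXY_USER_CATEGORY_ALLOW_RENDERER}/`, so a substring match is enough to be granted: with the alternation that docker-compose.emg.staging.yml puts into the variable, any header value that merely contains one of the names (e.g. a constructed `Union_Inst_legacy`) passes. Anchor both checks, `<If "%{HTTP:Oa-User-Category} !~ /^${PROXY_USER_CATEGORY_ALLOW_RENDERER}$/">` and the same with `_CACHE` in the second block, and note that an exported-but-empty variable turns the unanchored form into `//`, which matches everything. A leading `<If "-z %{HTTP:Oa-User-Category}">` branch that denies would make the absent-header and empty-variable cases fail closed as well. The check trusts whatever `Oa-User-Category` reaches Apache, so it is only as strong as the IP whitelist Traefik applies in front of the forwardauth call. The surrounding server context opens outside the hunk.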
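Review bot: The extended negative lookahead on the `<LocationMatch>` still excludes by prefix only, so a path like `/proxy-rendererx` or `/securex` is taken out of this catch-all block without being matched by the exact `<Location /proxy-renderer>` or `<Location /secure>` blocks above it, and the unescaped `.` in `Shibboleth.sso` widens that alternative slightly. Because Traefik's forwardauth address is fixed server-side this looks hard to reach from outside, but a boundary costs nothing: `<LocationMatch "^(?!/(Shibboleth\.sso|secure|admin|ows|opensearch|proxy-renderer|proxy-cache)(/|$))">`. The LocationMatch body continues outside the hunk.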
--- a/docker-compose.base.ops.yml
+++ b/docker-compose.base.ops.yml
@@ -2,7 +2,7 @@ version: "3.6"
 x-vs-version: :release-1.1.1 # bumpversion
 services:
 reverse-proxy:
- image: traefik:2.1
+ image: traefik:2.4
 ports:
 - target: 80
 published: 80
@@ -20,7 +20,7 @@ services:
 environment:
 HTTP_PROXY: "http://172.30.252.68:3128"
 HTTPS_PROXY: "http://172.30.252.68:3128"
- NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth"
+ NO_PROXY: "172.0.0.0/8,192.168.0.0/16,10.0.0.0/8,shibauth-emg,shibauth-dem,shibauth-vhr18"
 deploy:
 placement:
 constraints: [node.role == manager]
diff --git a/docker-compose.emg.staging.yml b/docker-compose.emg.staging.yml
index c63a245d..622e074d 100644
--- a/docker-compose.emg.staging.yml
+++ b/docker-compose.emg.staging.yml
@@ -15,7 +15,8 @@ services:
 labels:
 # router for shib auth based access (https)
 - "traefik.http.routers.emg-renderer-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.emg-renderer-shib.middlewares=shibAuth@file,compress@file,cors@file"
+ - "traefik.http.middlewares.emg-renderer-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+ - "traefik.http.routers.emg-renderer-shib.middlewares=emg-renderer-shib-fa,compress@file,cors@file"
 - "traefik.http.routers.emg-renderer-shib.tls=true"
 - "traefik.http.routers.emg-renderer-shib.tls.certresolver=default"
 - "traefik.http.routers.emg-renderer-shib.entrypoints=https"
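Review bot: The NO_PROXY value now has to be maintained by hand against every `shibauth-*` service name that any stack's forwardauth labels point at, and a name missing here sends Traefik's forward-auth requests for that stack through the proxy at 172.30.252.68 instead of the overlay network, so every authenticated request then fails with a proxy error. A comment on the line would make that coupling visible, e.g. `# every shibauth-* service referenced by a forwardauth.address in the stack compose files must be listed here`. The first entry, `172.0.0.0/8`, is also broader than the RFC 1918 block `172.16.0.0/12`; if only the private and Docker ranges were meant, the narrower prefix is the cleaner choice. The `environment` map continues outside the hunk.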
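Review bot: The new per-router `forwardauth.address` label drops the `trustForwardHeader: true` that the removed `shibAuth@file` middleware carried, so, as far as I recall Traefik's forwardAuth, the `X-Forwarded-*` headers sent to shibauth-emg are now rebuilt from Traefik's own view of the request rather than passed through from the client. That is the safer setting when Traefik is the edge, but it is a behaviour change the WIP title does not mention; a comment above the label, `# no trustForwardHeader on purpose: Traefik is the edge and rebuilds X-Forwarded-*`, would record that it is intentional. The same address `http://shibauth-emg/secure` is defined under three names (`emg-renderer-shib-fa` here, `emg-cache-shib-fa` and `emg-client-shib-fa` in the `@@ -71` and `@@ -135` hunks of this file); one shared definition would keep the three routers from drifting apart. The labels list continues outside the hunk.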
@@ -25,19 +26,16 @@ services:
 - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
 # router for internal proxy based access (https)
 - "traefik.http.middlewares.emg-pass-whitelist.ipwhitelist.sourcerange=178.248.89.10"
- - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
- - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,compress@file,cors@file"
+ - "traefik.http.middlewares.emg-renderer-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-renderer"
+ - "traefik.http.routers.emg-renderer-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
+ - "traefik.http.routers.emg-renderer-proxy.middlewares=emg-pass-whitelist,emg-renderer-proxy-fa,compress@file,cors@file"
 - "traefik.http.routers.emg-renderer-proxy.tls=true"
 - "traefik.http.routers.emg-renderer-proxy.tls.certresolver=default"
 - "traefik.http.routers.emg-renderer-proxy.entrypoints=https"
 # router for internal proxy based access (http)
- - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+ - "traefik.http.routers.emg-renderer-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
 - "traefik.http.routers.emg-renderer-redirect-proxy.middlewares=emg-pass-whitelist,redirect@file"
 - "traefik.http.routers.emg-renderer-redirect-proxy.entrypoints=http"
- # router for shib auth based access (http)
- - "traefik.http.routers.emg-renderer-redirect-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
- - "traefik.http.routers.emg-renderer-redirect-shib.middlewares=redirect@file"
- - "traefik.http.routers.emg-renderer-redirect-shib.entrypoints=http"
 # router for basic auth based access (https)
 - "traefik.http.routers.emg-renderer.rule=Host(`emg.pdas.prism.eox.at`, `a.emg.pdas.prism.eox.at`, `b.emg.pdas.prism.eox.at`, `c.emg.pdas.prism.eox.at`, `d.emg.pdas.prism.eox.at`, `e.emg.pdas.prism.eox.at`, `f.emg.pdas.prism.eox.at`, `g.emg.pdas.prism.eox.at`, `h.emg.pdas.prism.eox.at`) && PathPrefix(`/ows`, `/opensearch`, `/admin`)"
 - "traefik.http.routers.emg-renderer.middlewares=auth@file,compress@file,cors@file"
@@ -71,7 +69,8 @@ services:
 # router for shib auth based access (https)
 - "traefik.http.routers.emg-cache-shib.rule=Host(`emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
 - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-shib-chain"
- - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=shibAuth@file,cache-stripprefix,compress@file,cors@file"
+ - "traefik.http.middlewares.emg-cache-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+ - "traefik.http.middlewares.emg-cache-shib-chain.chain.middlewares=emg-cache-shib-fa,cache-stripprefix,compress@file,cors@file"
 - "traefik.http.routers.emg-cache-shib.tls=true"
 - "traefik.http.routers.emg-cache-shib.tls.certresolver=default"
 - "traefik.http.routers.emg-cache-shib.entrypoints=https"
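Review bot: The `Oa-User-Category` check that used to be a `HeadersRegexp` matcher on the router now lives in shibauth's `/proxy-renderer` location, and it is only sound because `emg-pass-whitelist` precedes `emg-renderer-proxy-fa` in the new middlewares label, so the header Apache evaluates can only come from 178.248.89.10; that ordering deserves a comment, e.g. `# order matters: the IP whitelist must run before the forwardauth that trusts Oa-User-Category`. If the Traefik version in use supports it, `traefik.http.middlewares.emg-renderer-proxy-fa.forwardauth.authRequestHeaders=Oa-User-Category` would also stop every other client header (cookies, Authorization) from being copied to an endpoint that needs only that one. The `ipwhitelist` is evaluated against the source address Traefik sees, so the guarantee holds as long as nothing in front of Traefik rewrites it. The labels list continues outside the hunk.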
@@ -81,13 +80,15 @@ services:
 - "traefik.http.routers.emg-cache-redirect-shib.entrypoints=http"
 # router for internal proxy based access (https)
 - "traefik.http.middlewares.emg-pass-whitelist-cache.ipwhitelist.sourcerange=178.248.89.10"
- - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
- - "traefik.http.routers.emg-cache-proxy.middlewares=emg-pass-whitelist-cache,compress@file,cors@file"
+ - "traefik.http.routers.emg-cache-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
+ - "traefik.http.middlewares.emg-cache-proxy-fa.forwardauth.address=http://shibauth-emg/proxy-cache"
+ - "traefik.http.routers.emg-cache-shib.middlewares=emg-cache-proxy-chain"
+ - "traefik.http.middlewares.emg-cache-proxy-chain.chain.middlewares=emg-pass-whitelist-cache,emg-cache-proxy-fa,cache-stripprefix,compress@file,cors@file"
 - "traefik.http.routers.emg-cache-proxy.tls=true"
 - "traefik.http.routers.emg-cache-proxy.tls.certresolver=default"
 - "traefik.http.routers.emg-cache-proxy.entrypoints=https"
 # router for internal proxy based access (http)
- - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`) && HeadersRegexp(`HTTP_Oa-User-Category`,`(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)`)"
+ - "traefik.http.routers.emg-cache-redirect-proxy.rule=Host(`proxy.emg.pass.copernicus.eu`) && PathPrefix(`/cache`)"
 - "traefik.http.routers.emg-cache-redirect-proxy.middlewares=emg-pass-whitelist-cache,redirect@file"
 - "traefik.http.routers.emg-cache-redirect-proxy.entrypoints=http"
 # router for basic auth based access (https)
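Review bot: The third added label attaches the proxy chain to the wrong router: `traefik.http.routers.emg-cache-shib.middlewares=emg-cache-proxy-chain` names `emg-cache-shib`, whose middlewares label is already `emg-cache-shib-chain` in the previous hunk, while `emg-cache-proxy` — whose old `emg-pass-whitelist-cache,...` middlewares line this hunk removes — is left with no middlewares at all. As written, requests to `proxy.emg.pass.copernicus.eu/cache` would be served without the IP whitelist and without the `Oa-User-Category` check, and the duplicated label key on the same container either overrides the shib chain or is rejected, depending on the compose version. The line should read `- "traefik.http.routers.emg-cache-proxy.middlewares=emg-cache-proxy-chain"`. The new chain also adds `cache-stripprefix`, which the removed proxy middlewares line did not have; fine if that was a pre-existing inconsistency with the shib chain, but it changes the path the cache backend sees. The labels list continues outside the hunk.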
@@ -135,7 +136,8 @@ services:
 labels:
 # router for shib auth based access (https)
 - "traefik.http.routers.emg-client-shib.rule=Host(`emg.pass.copernicus.eu`)"
- - "traefik.http.routers.emg-client-shib.middlewares=shibAuth@file,compress@file"
+ - "traefik.http.middlewares.emg-client-shib-fa.forwardauth.address=http://shibauth-emg/secure"
+ - "traefik.http.routers.emg-client-shib.middlewares=emg-client-shib-fa,compress@file"
 - "traefik.http.routers.emg-client-shib.tls=true"
 - "traefik.http.routers.emg-client-shib.tls.certresolver=default"
 - "traefik.http.routers.emg-client-shib.entrypoints=https"
@@ -171,10 +173,12 @@ services:
 replicas: 1
 environment:
 UPLOAD_CONTAINER: "emg-data-staging"
- shibauth:
+ shibauth-emg:
 image: registry.gitlab.eox.at/esa/prism/vs/pvs_shibauth:staging
 environment:
 APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
+ PROXY_USER_CATEGORY_ALLOW_RENDERER: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
+ PROXY_USER_CATEGORY_ALLOW_CACHE: "(Copernicus_Services|Union_Inst|Union_Research_Projects_space|Union_Research_Projects_non-space|Public_Auth|CDS Operations)"
 secrets:
 - source: EMG_SHIB_CERT
 target: SHIB_CERT
diff --git a/traefik-dynamic.yml b/traefik-dynamic.yml
index 8b7369b7..2569b05f 100644
--- a/traefik-dynamic.yml
+++ b/traefik-dynamic.yml
@@ -18,10 +18,6 @@ http:
 basicAuth:
 realm: "PRISM View Server (PVS)"
 usersFile: "/run/secrets/BASIC_AUTH_USERS_AUTH"
- shibAuth:
- forwardAuth:
- address: http://shibauth/secure/
- trustForwardHeader: true
 compress:
 compress: {}
 redirect:
@@ -33,6 +29,7 @@ http:
 - GET
 - OPTIONS
 - POST
- accessControlAllowOrigin: "origin-list-or-null"
+ accessControlAllowOriginList:
+ - "*"
 accessControlMaxAge: 7200
 addVaryHeader: false
-- GitLab
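Review bot: `PROXY_USER_CATEGORY_ALLOW_RENDERER` and `PROXY_USER_CATEGORY_ALLOW_CACHE` are identical PCRE alternations that config/shibboleth/shib-apache.conf splices verbatim into an Apache `<If>` regex, and nothing on these two lines says so; a comment such as `# PCRE alternation matched against the Oa-User-Category header in shib-apache.conf; keep the outer parentheses` would stop a later edit from turning it into a comma-separated list. If the two lists are meant to stay equal, a YAML anchor on the first value removes the copy-paste. The service definition continues outside the hunk.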
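Review bot: Removing `shibAuth` from the shared dynamic file breaks any router that still references `shibAuth@file`, and this commit only rewrites docker-compose.emg.staging.yml while the NO_PROXY change in docker-compose.base.ops.yml names `shibauth-dem` and `shibauth-vhr18`; if the dem or vhr18 compose files (not visible here) still use `shibAuth@file`, Traefik should refuse to build those routers and the affected endpoints go offline rather than unauthenticated. Either keep the definition until every stack carries its own forwardauth labels, or migrate the other stacks in the same change. The `http.middlewares` map continues outside the hunk.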
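Review bot: The wildcard `accessControlAllowOriginList` entry applies to every router that chains `cors@file`, including the Shibboleth- and basic-auth-protected ones; browsers refuse to pair `*` with credentials, so the practical effect is that any origin may read responses to credential-less requests while authenticated cross-origin use stays impossible. If the latter is ever needed, the change will be an explicit origin list (or `accessControlAllowOriginListRegex`) with `accessControlAllowCredentials: true`, and at that point `addVaryHeader: false` must become `true` so a shared cache cannot serve one origin's response to another. The replaced value `"origin-list-or-null"` looks like the placeholder from Traefik's documentation, so the old middleware was most likely emitting a non-origin string; worth a sentence in the description. The `cors` headers block continues outside the hunk.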