Merge pull request #2919 from penpot/niwinz-docker-oidc-fixes

🐛 Docker & OIDC fixes

backend/scripts/build

@@ -12,6 +12,7 @@ cp ../CHANGES.md target/classes/changelog.md;
 
 clojure -T:build jar;
 mv target/penpot.jar target/dist/penpot.jar
+cp resources/log4j2.xml target/dist/log4j2.xml
 cp scripts/run.template.sh target/dist/run.sh;
 cp scripts/manage.py target/dist/manage.py
 chmod +x target/dist/run.sh;

backend/scripts/run.template.sh

@@ -18,5 +18,7 @@ if [ -f ./environ ]; then
     source ./environ
 fi
 
+export JVM_OPTS="-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager -Dlog4j2.configurationFile=log4j2.xml -XX:-OmitStackTraceInFastThrow $JVM_OPTS"
+
 set -x
 exec $JAVA_CMD $JVM_OPTS "$@" -jar penpot.jar -m app.main

backend/src/app/auth/oidc.clj

@@ -64,10 +64,17 @@
         nil)
 
       (= 200 (:status response))
-      (let [data (json/decode (:body response))]
-        {:token-uri (get data :token_endpoint)
-         :auth-uri  (get data :authorization_endpoint)
-         :user-uri  (get data :userinfo_endpoint)})
+      (let [data      (json/decode (:body response))
+            token-uri (get data :token_endpoint)
+            auth-uri  (get data :authorization_endpoint)
+            user-uri  (get data :userinfo_endpoint)]
+        (l/debug :hint "oidc uris discovered"
+                 :token-uri token-uri
+                 :auth-uri auth-uri
+                 :user-uri user-uri)
+        {:token-uri token-uri
+         :auth-uri  auth-uri
+         :user-uri  user-uri})
 
       :else
       (do
@@ -110,7 +117,7 @@
     (if-let [opts (prepare-oidc-opts cfg)]
       (do
         (l/info :hint "provider initialized"
-                :provider :oidc
+                :provider "oidc"
                 :method (if (:discover? opts) "discover" "manual")
                 :client-id (:client-id opts)
                 :client-secret (obfuscate-string (:client-secret opts))
@@ -122,7 +129,7 @@
                 :roles      (:roles opts))
         opts)
       (do
-        (l/warn :hint "unable to initialize auth provider, missing configuration" :provider :oidc)
+        (l/warn :hint "unable to initialize auth provider, missing configuration" :provider "oidc")
         nil))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -144,13 +151,13 @@
                (string? (:client-secret opts)))
         (do
           (l/info :hint "provider initialized"
-                  :provider :google
+                  :provider "google"
                   :client-id (:client-id opts)
                   :client-secret (obfuscate-string (:client-secret opts)))
           opts)
 
         (do
-          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider :google)
+          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider "google")
           nil)))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -196,13 +203,13 @@
                (string? (:client-secret opts)))
         (do
           (l/info :hint "provider initialized"
-                  :provider :github
+                  :provider "github"
                   :client-id (:client-id opts)
                   :client-secret (obfuscate-string (:client-secret opts)))
           opts)
 
         (do
-          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider :github)
+          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider "github")
           nil)))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -225,14 +232,14 @@
                (string? (:client-secret opts)))
         (do
           (l/info :hint "provider initialized"
-                  :provider :gitlab
+                  :provider "gitlab"
                   :base-uri base
                   :client-id (:client-id opts)
                   :client-secret (obfuscate-string (:client-secret opts)))
           opts)
 
         (do
-          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider :gitlab)
+          (l/warn :hint "unable to initialize auth provider, missing configuration" :provider "gitlab")
           nil)))))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -275,8 +282,19 @@
                           "accept" "application/json"}
                 :uri (:token-uri provider)
                 :body (u/map->query-string params)}]
+
+    (l/trace :hint "request access token"
+             :provider (:name provider)
+             :client-id (:client-id provider)
+             :client-secret (obfuscate-string (:client-secret provider))
+             :grant-type (:grant_type params)
+             :redirect-uri (:redirect_uri params))
+
     (->> (http/req! cfg req)
          (p/map (fn [{:keys [status body] :as res}]
+                  (l/trace :hint "access token response"
+                           :status status
+                           :body body)
                   (if (= status 200)
                     (let [data (json/decode body)]
                       {:token (get data :access_token)
@@ -289,12 +307,19 @@
 (defn- retrieve-user-info
   [{:keys [provider] :as cfg} tdata]
   (letfn [(retrieve []
+            (l/trace :hint "request user info"
+                     :uri (:user-uri provider)
+                     :token (obfuscate-string (:token tdata))
+                     :token-type (:type tdata))
             (http/req! cfg
                        {:uri (:user-uri provider)
                         :headers {"Authorization" (str (:type tdata) " " (:token tdata))}
                         :timeout 6000
                         :method :get}))
           (validate-response [response]
+            (l/trace :hint "user info response"
+                     :status (:status response)
+                     :body   (:body response))
             (when-not (s/int-in-range? 200 300 (:status response))
               (ex/raise :type :internal
                         :code :unable-to-retrieve-user-info
@@ -309,7 +334,7 @@
             (if-let [get-email-fn (:get-email-fn provider)]
               (get-email-fn tdata info)
               (let [attr-kw (cf/get :oidc-email-attr :email)]
-                (get info attr-kw))))
+                (p/resolved (get info attr-kw)))))
 
           (get-name [info]
             (let [attr-kw (cf/get :oidc-name-attr :name)]
@@ -325,6 +350,7 @@
                               (qualify-props provider))}))
 
           (validate-info [info]
+            (l/trace :hint "authentication info" :info info)
             (when-not (s/valid? ::info info)
               (l/warn :hint "received incomplete profile info object (please set correct scopes)"
                       :info (pr-str info))
@@ -334,10 +360,10 @@
                         :info info))
             info)]
 
-    (-> (retrieve)
-        (p/then validate-response)
-        (p/then process-response)
-        (p/then validate-info))))
+    (->> (retrieve)
+         (p/fmap validate-response)
+         (p/mcat process-response)
+         (p/fmap validate-info))))
 
 (s/def ::backend ::us/not-empty-string)
 (s/def ::email ::us/not-empty-string)

docker/images/Dockerfile.backend

@@ -13,6 +13,7 @@ RUN set -ex; \
     apt-get -qq update; \
     apt-get -qq upgrade; \
     apt-get -qqy --no-install-recommends install \
+        nano \
         curl \
         tzdata \
         locales \

frontend/src/app/main/ui/routes.cljs

@@ -8,7 +8,6 @@
   (:require
    [app.common.spec :as us]
    [app.common.uuid :as uuid]
-   [app.config :as cf]
    [app.main.data.users :as du]
    [app.main.repo :as rp]
    [app.main.store :as st]
@@ -35,12 +34,9 @@
 (def routes
   [["/auth"
     ["/login"            :auth-login]
-    (when (contains? @cf/flags :registration)
-      ["/register"         :auth-register])
-    (when (contains? @cf/flags :registration)
-      ["/register/validate" :auth-register-validate])
-    (when (contains? @cf/flags :registration)
-      ["/register/success" :auth-register-success])
+    ["/register"         :auth-register]
+    ["/register/validate" :auth-register-validate]
+    ["/register/success" :auth-register-success]
     ["/recovery/request" :auth-recovery-request]
     ["/recovery"         :auth-recovery]
     ["/verify-token"     :auth-verify-token]]