Improve authorized domains and email exceptions config

assets/locales/en/translation.json

@@ -777,5 +777,8 @@
   "system-message-title": "System Notification",
   "system-message-description": "ReDBox will be unavailable from 9am to 12pm on October 20 for system upgrades. Please contact support for any help",
   "system-lookup-records": "Lookup records",
-  "system-lookup-record-item1": "Parties"
+  "system-lookup-record-item1": "Parties",
+  "oidc-authorized-email-no-email": "No email address provided.",
+  "oidc-authorized-email-unexpected-format": "Unexpected email format: {{-email}}.",
+  "oidc-authorized-email-denied": "Email is not authorized to login: {{-email}}."
 }

support/integration-testing/docker-compose.bruno.yml

@@ -52,6 +52,8 @@ services:
       # - sails_log__level=verbose
       - sails_auth__default__local__default__token=d077835a-696b-4728-85cf-3ffd57152b1e
       - sails_security__csrf=false
+      - sails_auth__default__oidc__authorizedEmailDomains='["researcher.com"]'
+      - sails_auth__default__oidc__authorizedEmailExceptions='["test@exception.example.com"]'
     networks:
      main:
        aliases:

test/bruno/5 - OpenID Connect Denied/Begin OIDC login for denied user.bru

@@ -0,0 +1,46 @@
+meta {
+  name: Begin OIDC login
+  type: http
+  seq: 2
+}
+
+get {
+  url: {{host}}/user/begin_oidc
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Referer: {{host}}/default/rdmp/user/login
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: same-origin
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
+  sec-ch-ua-mobile: ?0
+  sec-ch-ua-platform: "macOS"
+}
+
+script:pre-request {
+  req.setMaxRedirects(0);
+  const cookie = bru.getVar("cookie");
+
+  if(cookie) {
+    req.setHeader("Cookie", cookie)
+  }
+}
+
+tests {
+  test("Status code is 302", function () {
+      expect(res.getStatus()).to.equal(302);
+     bru.setVar("kc_redir_url", res.headers['location']);
+    console.log(bru.getVar("kc_redir_url"))
+  });
+}

test/bruno/5 - OpenID Connect Denied/Keycloak login action for denied user.bru

@@ -0,0 +1,46 @@
+meta {
+  name: Keycloak login action
+  type: http
+  seq: 4
+}
+
+post {
+  url: {{kc_login_url}}
+  body: formUrlEncoded
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Content-Type: application/x-www-form-urlencoded
+  Origin: null
+  Pragma: no-cache
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+}
+
+body:form-urlencoded {
+  username: test-external
+  password: password
+  credentialId: 
+}
+
+script:pre-request {
+  req.setMaxRedirects(0);
+  const cookie = bru.getVar("kc_cookie");
+    console.log(`Cookie is: ${cookie}`)
+  if(cookie) {
+    req.setHeader("Cookie", cookie)
+  }
+}
+
+tests {
+  test("Status code is 302", function () {
+      expect(res.getStatus()).to.equal(302);
+      bru.setVar("rb_login_url", res.headers['location']);
+      console.log(bru.getVar("rb_login_url"))
+  });
+}

test/bruno/5 - OpenID Connect Denied/Keycloak login page for denied user.bru

@@ -0,0 +1,43 @@
+meta {
+  name: Keycloak login page
+  type: http
+  seq: 3
+}
+
+get {
+  url: {{kc_redir_url}}
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Referer: {{host}}/default/rdmp/user/login
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: same-origin
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
+  sec-ch-ua-mobile: ?0
+  sec-ch-ua-platform: "macOS"
+}
+
+script:post-response {
+  bru.setVar("kc_cookie",res.headers['set-cookie']);
+}
+
+tests {
+  const cheerio = require('cheerio')
+  test("Status code is 200", function () {
+      expect(res.getStatus()).to.equal(200);
+      const $ = cheerio.load(res.getBody());
+
+      bru.setVar("kc_login_url", $("#kc-form-login").attr('action'));
+  });
+}

test/bruno/5 - OpenID Connect Denied/Load login page for denied user.bru

@@ -0,0 +1,40 @@
+meta {
+  name: Load login page
+  type: http
+  seq: 1
+}
+
+get {
+  url: {{host}}/default/rdmp/user/login
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Referer: {{host}}/default/rdmp/user/login
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: same-origin
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
+  sec-ch-ua-mobile: ?0
+  sec-ch-ua-platform: "macOS"
+}
+
+script:post-response {
+  bru.setVar("cookie",res.headers['set-cookie']);
+}
+
+tests {
+  test("Status code is 200", function () {
+      // Just loading page to get a session cookie
+      expect(res.getStatus()).to.equal(200);
+  });
+}

test/bruno/5 - OpenID Connect Denied/RedBox OIDC return login for denied user.bru

@@ -0,0 +1,47 @@
+meta {
+  name: RedBox OIDC return login
+  type: http
+  seq: 5
+}
+
+get {
+  url: {{rb_login_url}}
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: cross-site
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+}
+
+script:pre-request {
+  req.setMaxRedirects(0);
+  const cookie = bru.getVar("cookie");
+
+  if(cookie) {
+    req.setHeader("Cookie", cookie)
+  }
+}
+
+tests {
+  test("Status code is 500", function () {
+    // TODO: this should be status 403 Forbidden, but that requires changes in how auth errors are processed
+    expect(res.getStatus()).to.equal(500);
+    bru.setVar("cookie", res.headers['set-cookie']);
+  });
+
+  test("Page contains expected error", function () {
+        var responseBody = res.getBody();
+        expect(responseBody).to.include('Email is not authorized to login:');
+  });
+}

test/bruno/6 - OpenID Connect Allowed/Begin OIDC login for allowed user.bru

@@ -0,0 +1,46 @@
+meta {
+  name: Begin OIDC login
+  type: http
+  seq: 2
+}
+
+get {
+  url: {{host}}/user/begin_oidc
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Referer: {{host}}/default/rdmp/user/login
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: same-origin
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
+  sec-ch-ua-mobile: ?0
+  sec-ch-ua-platform: "macOS"
+}
+
+script:pre-request {
+  req.setMaxRedirects(0);
+  const cookie = bru.getVar("cookie");
+
+  if(cookie) {
+    req.setHeader("Cookie", cookie)
+  }
+}
+
+tests {
+  test("Status code is 302", function () {
+      expect(res.getStatus()).to.equal(302);
+     bru.setVar("kc_redir_url", res.headers['location']);
+    console.log(bru.getVar("kc_redir_url"))
+  });
+}

test/bruno/6 - OpenID Connect Allowed/Keycloak login action for allowed user.bru

@@ -0,0 +1,46 @@
+meta {
+  name: Keycloak login action
+  type: http
+  seq: 4
+}
+
+post {
+  url: {{kc_login_url}}
+  body: formUrlEncoded
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Content-Type: application/x-www-form-urlencoded
+  Origin: null
+  Pragma: no-cache
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+}
+
+body:form-urlencoded {
+  username: test-exception
+  password: password
+  credentialId: 
+}
+
+script:pre-request {
+  req.setMaxRedirects(0);
+  const cookie = bru.getVar("kc_cookie");
+    console.log(`Cookie is: ${cookie}`)
+  if(cookie) {
+    req.setHeader("Cookie", cookie)
+  }
+}
+
+tests {
+  test("Status code is 302", function () {
+      expect(res.getStatus()).to.equal(302);
+      bru.setVar("rb_login_url", res.headers['location']);
+      console.log(bru.getVar("rb_login_url"))
+  });
+}

test/bruno/6 - OpenID Connect Allowed/Keycloak login page for allowed user.bru

@@ -0,0 +1,43 @@
+meta {
+  name: Keycloak login page
+  type: http
+  seq: 3
+}
+
+get {
+  url: {{kc_redir_url}}
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+  Accept-Language: en-US,en;q=0.9,en-AU;q=0.8,it;q=0.7
+  Cache-Control: no-cache
+  Connection: keep-alive
+  Pragma: no-cache
+  Referer: {{host}}/default/rdmp/user/login
+  Sec-Fetch-Dest: document
+  Sec-Fetch-Mode: navigate
+  Sec-Fetch-Site: same-origin
+  Sec-Fetch-User: ?1
+  Upgrade-Insecure-Requests: 1
+  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
+  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
+  sec-ch-ua-mobile: ?0
+  sec-ch-ua-platform: "macOS"
+}
+
+script:post-response {
+  bru.setVar("kc_cookie",res.headers['set-cookie']);
+}
+
+tests {
+  const cheerio = require('cheerio')
+  test("Status code is 200", function () {
+      expect(res.getStatus()).to.equal(200);
+      const $ = cheerio.load(res.getBody());
+
+      bru.setVar("kc_login_url", $("#kc-form-login").attr('action'));
+  });
+}