From 69a4412d7583eff63252cec06ed64b49218c26d3 Mon Sep 17 00:00:00 2001
From: Andrew
- <%= link( - "Sign in with Okta", - to: Routes.auth_path(@conn, :request, "okta"), - class: "button") %> -
- <% end %> - - <%= if @google_enabled do %> -- <%= link( - "Sign in with Google", - to: Routes.auth_path(@conn, :request, "google"), - class: "button") %> -
- <% end %> diff --git a/apps/fz_http/lib/fz_http_web/user_from_auth.ex b/apps/fz_http/lib/fz_http_web/user_from_auth.ex index bbf95451e..95d0b28f5 100644 --- a/apps/fz_http/lib/fz_http_web/user_from_auth.ex +++ b/apps/fz_http/lib/fz_http_web/user_from_auth.ex @@ -17,14 +17,6 @@ defmodule FzHttpWeb.UserFromAuth do Users.get_by_email(email) |> Authentication.authenticate(password) end - def find_or_create(%Auth{provider: provider, info: %Auth.Info{email: email}} = _auth) - when provider in [:google, :okta] do - case Users.get_by_email(email) do - nil -> maybe_create_user(email) - user -> {:ok, user} - end - end - def find_or_create(_provider, %{"email" => email, "sub" => _sub}) do case Users.get_by_email(email) do nil -> maybe_create_user(email) diff --git a/apps/fz_http/mix.exs b/apps/fz_http/mix.exs index 08ad5b811..695392408 100644 --- a/apps/fz_http/mix.exs +++ b/apps/fz_http/mix.exs @@ -39,7 +39,6 @@ defmodule FzHttp.MixProject do extra_applications: [ :logger, :runtime_tools, - :ueberauth_okta, :ueberauth_identity ], registered: [:fz_http_server] @@ -67,8 +66,6 @@ defmodule FzHttp.MixProject do {:guardian_db, "~> 2.0"}, {:openid_connect, "~> 0.2.2"}, {:ueberauth, "~> 0.7"}, - {:ueberauth_google, "~> 0.10"}, - {:ueberauth_okta, "~> 0.2"}, {:ueberauth_identity, "~> 0.4"}, {:httpoison, "~> 1.8"}, {:argon2_elixir, "~> 2.0"}, diff --git a/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs b/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs index 2c1134655..0c4cb796b 100644 --- a/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs +++ b/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs @@ -13,9 +13,7 @@ defmodule FzHttpWeb.AuthControllerTest do # Assert that we email, OIDC and Oauth2 buttons provided for expected <- [ "Sign in with email", - "Sign in with OIDC Google", - "Sign in with Google", - "Sign in with Okta" + "Sign in with OIDC Google" ] do assert html_response(test_conn, 200) =~ expected end 
diff --git a/config/dev.exs b/config/dev.exs index 6754c82db..ab74daf46 100644 --- a/config/dev.exs +++ b/config/dev.exs @@ -53,8 +53,6 @@ config :fz_vpn, # Auth local_auth_enabled = System.get_env("LOCAL_AUTH_ENABLED") == "true" -okta_auth_enabled = System.get_env("OKTA_AUTH_ENABLED") == "true" -google_auth_enabled = System.get_env("GOOGLE_AUTH_ENABLED") == "true" # Configure strategies identity_strategy = @@ -65,34 +63,15 @@ identity_strategy = uid_field: :email ]}} -okta_strategy = {:okta, {Ueberauth.Strategy.Okta, []}} -google_strategy = {:google, {Ueberauth.Strategy.Google, []}} - providers = [ - {local_auth_enabled, identity_strategy}, - {google_auth_enabled, google_strategy}, - {okta_auth_enabled, okta_strategy} + {local_auth_enabled, identity_strategy} ] |> Enum.filter(fn {key, _val} -> key end) |> Enum.map(fn {_key, val} -> val end) config :ueberauth, Ueberauth, providers: providers -if okta_auth_enabled do - config :ueberauth, Ueberauth.Strategy.Okta.OAuth, - client_id: System.get_env("OKTA_CLIENT_ID"), - client_secret: System.get_env("OKTA_CLIENT_SECRET"), - site: System.get_env("OKTA_SITE") -end - -if google_auth_enabled do - config :ueberauth, Ueberauth.Strategy.Google.OAuth, - client_id: System.get_env("GOOGLE_CLIENT_ID"), - client_secret: System.get_env("GOOGLE_CLIENT_SECRET"), - redirect_uri: System.get_env("GOOGLE_REDIRECT_URI") -end - # ## SSL Support # # In order to use HTTPS in development, a self-signed @@ -145,8 +124,6 @@ config :phoenix, :plug_init_mode, :runtime config :fz_http, cookie_secure: false, telemetry_module: FzCommon.MockTelemetry, - local_auth_enabled: local_auth_enabled, - okta_auth_enabled: google_auth_enabled, - google_auth_enabled: okta_auth_enabled + local_auth_enabled: local_auth_enabled config :fz_http, FzHttp.Mailer, adapter: Swoosh.Adapters.Local, from_email: "dev@firez.one" diff --git a/config/prod.exs b/config/prod.exs index 29c53b82c..422f89c43 100644 --- a/config/prod.exs +++ b/config/prod.exs 
@@ -45,8 +45,6 @@ config :logger, level: :info config :fz_http, sandbox: false, local_auth_enabled: true, - google_auth_enabled: true, - okta_auth_enabled: true, connectivity_checks_url: "https://ping.firez.one/" config :ueberauth, Ueberauth, @@ -56,9 +54,7 @@ config :ueberauth, Ueberauth, [ callback_methods: ["POST"], uid_field: :email - ]}}, - {:okta, {Ueberauth.Strategy.Okta, []}}, - {:google, {Ueberauth.Strategy.Google, []}} + ]}} ] config :swoosh, local: false diff --git a/config/runtime.exs b/config/runtime.exs index caf28b61d..c6c6301bd 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -76,18 +76,6 @@ if config_env() == :prod do # Local auth local_auth_enabled = FzString.to_boolean(System.fetch_env!("LOCAL_AUTH_ENABLED")) - # Okta auth - okta_auth_enabled = FzString.to_boolean(System.fetch_env!("OKTA_AUTH_ENABLED")) - okta_client_id = System.get_env("OKTA_CLIENT_ID") - okta_client_secret = System.get_env("OKTA_CLIENT_SECRET") - okta_site = System.get_env("OKTA_SITE") - - # Google auth - google_auth_enabled = FzString.to_boolean(System.fetch_env!("GOOGLE_AUTH_ENABLED")) - google_client_id = System.get_env("GOOGLE_CLIENT_ID") - google_client_secret = System.get_env("GOOGLE_CLIENT_SECRET") - google_redirect_uri = System.get_env("GOOGLE_REDIRECT_URI") - max_devices_per_user = System.fetch_env!("MAX_DEVICES_PER_USER") |> String.to_integer() @@ -197,8 +185,6 @@ if config_env() == :prod do allow_unprivileged_device_management: allow_unprivileged_device_management, max_devices_per_user: max_devices_per_user, local_auth_enabled: local_auth_enabled, - okta_auth_enabled: okta_auth_enabled, - google_auth_enabled: google_auth_enabled, wireguard_dns: wireguard_dns, wireguard_allowed_ips: wireguard_allowed_ips, wireguard_persistent_keepalive: wireguard_persistent_keepalive, 
@@ -227,34 +213,14 @@ if config_env() == :prod do uid_field: :email ]}} - okta_strategy = {:okta, {Ueberauth.Strategy.Okta, []}} - google_strategy = {:google, {Ueberauth.Strategy.Google, []}} - providers = [ - {local_auth_enabled, identity_strategy}, - {google_auth_enabled, google_strategy}, - {okta_auth_enabled, okta_strategy} + {local_auth_enabled, identity_strategy} ] |> Enum.filter(fn {key, _val} -> key end) |> Enum.map(fn {_key, val} -> val end) config :ueberauth, Ueberauth, providers: providers - - # Configure OAuth portion of enabled strategies - if okta_auth_enabled do - config :ueberauth, Ueberauth.Strategy.Okta.OAuth, - client_id: okta_client_id, - client_secret: okta_client_secret, - site: okta_site - end - - if google_auth_enabled do - config :ueberauth, Ueberauth.Strategy.Google.OAuth, - client_id: google_client_id, - client_secret: google_client_secret, - redirect_uri: google_redirect_uri - end end # OIDC Auth diff --git a/config/test.exs b/config/test.exs index d6a299ec2..8bd91ee0f 100644 --- a/config/test.exs +++ b/config/test.exs @@ -40,8 +40,6 @@ config :fz_http, FzHttpWeb.Endpoint, config :fz_http, mock_events_module_errors: false, local_auth_enabled: true, - google_auth_enabled: true, - okta_auth_enabled: true, telemetry_module: FzCommon.MockTelemetry, supervision_tree_mode: :test, connectivity_checks_interval: 86_400, @@ -54,9 +52,7 @@ config :logger, level: :warn config :ueberauth, Ueberauth, providers: [ - {:identity, {Ueberauth.Strategy.Identity, [callback_methods: ["POST"], uid_field: :email]}}, - {:okta, {Ueberauth.Strategy.Okta, []}}, - {:google, {Ueberauth.Strategy.Google, []}} + {:identity, {Ueberauth.Strategy.Identity, [callback_methods: ["POST"], uid_field: :email]}} ] # OIDC auth for testing diff --git a/docs/docs/administer/upgrade.md b/docs/docs/administer/upgrade.md index c3c96694b..8f8b0b86f 100644 --- a/docs/docs/administer/upgrade.md +++ b/docs/docs/administer/upgrade.md 
@@ -19,6 +19,41 @@ To upgrade Firezone, follow these steps: Occasionally problems arise. If you hit any, please let us know by [filing an issue](https://github.com/firezone/firezone/issues/new/choose). +## Upgrading from < 0.5.0 to >= 0.5.0 + +Firezone has removed support for pre-configured Okta and Google OAuth2 providers. +Follow the instructions below based on your current setup to migrate to OIDC providers: + +### I have an existing Google OAuth configuration + +Remove these lines containing the old Google OAuth configs from your configuration +file located at `/etc/firezone/firezone.rb` + +```rb +default['firezone']['authentication']['google']['enabled'] +default['firezone']['authentication']['google']['client_id'] +default['firezone']['authentication']['google']['client_secret'] +default['firezone']['authentication']['google']['redirect_uri'] +``` + +Then, follow the instructions [here](../authenticate/google) to configure Google +as an OIDC provider. + +### I have an existing Okta OAuth configuration + +Remove these lines containing the old Okta OAuth configs from your configuration +file located at `/etc/firezone/firezone.rb` + +```rb +default['firezone']['authentication']['okta']['enabled'] +default['firezone']['authentication']['okta']['client_id'] +default['firezone']['authentication']['okta']['client_secret'] +default['firezone']['authentication']['okta']['site'] +``` + +Then, follow the instructions [here](../authenticate/okta) to configure Okta as +an OIDC provider. + ## Upgrading from 0.3.x to >= 0.3.16 Follow the instructions below based on your current version and setup: diff --git a/docs/docs/authenticate/google.md b/docs/docs/authenticate/google.md index f343a3ea1..3208df9c4 100644 --- a/docs/docs/authenticate/google.md +++ b/docs/docs/authenticate/google.md 
@@ -22,17 +22,6 @@ to provide Firezone with the user's email in the returned claims.  -Note: Previously, Firezone used pre-configured Oauth2 providers. We've moved to -OIDC based authentication, which allows for any OpenID Connect provider -(Google, Okta, Dex) to be used for authentication. - -We strongly recommend transitioning your existing Google or Okta-based SSO -configuration to the generic OIDC-based configuration format described here. -We'll be removing the Google-specific and Okta-specific SSO functionality -in a future release. - -To set up SSO, follow the steps below: - ## Obtain Config Settings ### Step 1 - OAuth Config Screen diff --git a/docs/docs/authenticate/okta.md b/docs/docs/authenticate/okta.md index fc93fc831..e7da9735f 100644 --- a/docs/docs/authenticate/okta.md +++ b/docs/docs/authenticate/okta.md @@ -22,17 +22,6 @@ to provide Firezone with the user's email in the returned claims.  -**Note:** Previously, Firezone used pre-configured Oauth2 providers. We've moved -to OIDC based authentication, which allows for any OpenID Connect provider -(Google, Okta, Dex) to be integrated. - -We strongly recommend transitioning your existing Google or Okta-based SSO -configuration to the generic OIDC-based configuration format described here. -We'll be removing the Google-specific and Okta-specific SSO functionality -in a future release. - -To set up SSO, follow the steps below: - ## Step 1 - Create Okta App Integration _This section of the guide is based on diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md index 1e68c2aa1..89dc4d3df 100644 --- a/docs/docs/reference/configuration-file.md +++ b/docs/docs/reference/configuration-file.md 
@@ -34,14 +34,6 @@ Shown below is a complete listing of the configuration options available in | `default['firezone']['authentication']['auto_create_oidc_users']` | Automatically create users signing in from OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | `true` | | `default['firezone']['authentication']['disable_vpn_on_oidc_error']` | Disable a user's VPN if an error is detected trying to refresh their OIDC token. | `false` | | `default['firezone']['authentication']['oidc']` | OpenID Connect config, in the format of `{"provider" => [config...]}` - See [OpenIDConnect documentation](https://hexdocs.pm/openid_connect/readme.html) for config examples. | `{}` | -| `default['firezone']['authentication']['okta']['enabled']` | Enable or disable Okta SSO authentication. | `false` | -| `default['firezone']['authentication']['okta']['client_id']` | OAuth Client ID for Okta SSO authentication. | `nil` | -| `default['firezone']['authentication']['okta']['client_secret']` | OAuth Client Secret for Okta SSO authentication. | `nil` | -| `default['firezone']['authentication']['okta']['site']` | Okta site to redirect to after successful authentication. | `'https://your-domain.okta.com'` | -| `default['firezone']['authentication']['google']['enabled']` | Enable or disable Google SSO authentication. | `false` | -| `default['firezone']['authentication']['google']['client_id']` | OAuth Client ID for Google SSO authentication. | `nil` | -| `default['firezone']['authentication']['google']['client_secret']` | OAuth Client Secret for Google SSO authentication. | `nil` | -| `default['firezone']['authentication']['google']['redirect_uri']` | Google redirect URI for Google SSO authentication. | `nil` | | `default['firezone']['nginx']['enabled']` | Enable or disable the bundled nginx server. | `true` | | `default['firezone']['nginx']['non_ssl_port']` | HTTP listen port. | `80` | | `default['firezone']['nginx']['ssl_port']` | HTTPS listen port. | `443` | 
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb index 5498da9e5..876481362 100644 --- a/omnibus/cookbooks/firezone/attributes/default.rb +++ b/omnibus/cookbooks/firezone/attributes/default.rb @@ -135,23 +135,6 @@ default['firezone']['authentication']['oidc'] = {} # } # } -# DEPRECATED -# Previously, Firezone used preconfigured Oauth2 providers. We've moved to OIDC authentication -# which allows for any OpenID Connect provider (Google, Okta, Dex) to be used for authetication. -# See the above OIDC Authentication section -# -# DEPRECATED: Okta example config -default['firezone']['authentication']['okta']['enabled'] = false -default['firezone']['authentication']['okta']['client_id'] = nil -default['firezone']['authentication']['okta']['client_secret'] = nil -default['firezone']['authentication']['okta']['site'] = 'https://your-domain.okta.com' - -# DEPRECATED: Google example config -default['firezone']['authentication']['google']['enabled'] = false -default['firezone']['authentication']['google']['client_id'] = nil -default['firezone']['authentication']['google']['client_secret'] = nil -default['firezone']['authentication']['google']['redirect_uri'] = nil - # ## Nginx # These attributes control Firezone-specific portions of the Nginx diff --git a/omnibus/cookbooks/firezone/libraries/config.rb b/omnibus/cookbooks/firezone/libraries/config.rb index 64f963a78..c746eecde 100644 --- a/omnibus/cookbooks/firezone/libraries/config.rb +++ b/omnibus/cookbooks/firezone/libraries/config.rb 
@@ -262,14 +262,6 @@ class Firezone
 # Auth
 'LOCAL_AUTH_ENABLED' => attributes['authentication']['local']['enabled'].to_s,
- 'OKTA_AUTH_ENABLED' => attributes['authentication']['okta']['enabled'].to_s,
- 'OKTA_CLIENT_ID' => attributes['authentication']['okta']['client_id'],
- 'OKTA_CLIENT_SECRET' => attributes['authentication']['okta']['client_secret'],
- 'OKTA_SITE' => attributes['authentication']['okta']['site'],
- 'GOOGLE_AUTH_ENABLED' => attributes['authentication']['google']['enabled'].to_s,
- 'GOOGLE_CLIENT_ID' => attributes['authentication']['google']['client_id'],
- 'GOOGLE_CLIENT_SECRET' => attributes['authentication']['google']['client_secret'],
- 'GOOGLE_REDIRECT_URI' => attributes['authentication']['google']['redirect_uri'],
 'DISABLE_VPN_ON_OIDC_ERROR' => attributes['authentication']['disable_vpn_on_oidc_error'].to_s,
 'AUTO_CREATE_OIDC_USERS' => attributes['authentication']['auto_create_oidc_users'].to_s,
diff --git a/omnibus/package-scripts/firezone/postinst b/omnibus/package-scripts/firezone/postinst
index 3e69aa1e9..8e181654e 100755
--- a/omnibus/package-scripts/firezone/postinst
+++ b/omnibus/package-scripts/firezone/postinst
@@ -28,4 +28,6 @@ fi
 # Symlink ctl commands
 DEST_DIR=/opt/firezone
-${DEST_DIR}/embedded/bin/symlink_ctl_cmds
+if [ -e ${DEST_DIR}/embedded/bin/symlink_ctl_cmds ]; then
+ ${DEST_DIR}/embedded/bin/symlink_ctl_cmds
+fi
diff --git a/omnibus/package-scripts/firezone/preinst b/omnibus/package-scripts/firezone/preinst
index c85466c2d..f88a80168 100755
--- a/omnibus/package-scripts/firezone/preinst
+++ b/omnibus/package-scripts/firezone/preinst
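Review bot: The new `[ -e … ]` guard in the postinst hunk only proves the path exists, so a present but non-executable `symlink_ctl_cmds` is still invoked and fails the postinst, while a missing one is now skipped with no message at all. `if [ -x "${DEST_DIR}/embedded/bin/symlink_ctl_cmds" ]; then` is the test that matches what the next line actually does, and quoting the path keeps the check correct if `DEST_DIR` ever contains spaces. An `else` branch such as `echo "warning: symlink_ctl_cmds not found; ctl commands were not linked" >&2` would keep the package installable without leaving the operator guessing why the ctl commands are absent.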
@@ -17,6 +17,18 @@ kernelCheck() {
 fi
 }
+configCheck() {
+ config_file='/etc/firezone/firezone.rb'
+ error_color='\033[0;31m'
+ reset_color='\033[0m'
+
+ if grep -q "^\s*default\['firezone'\]\['authentication'\]\['\(google\|okta\)'\]\['enabled'\]\s*=\s*true" $config_file ; then
+ echo "${error_color}ERROR: Firezone 0.5+ disables support for pre-configured Okta and Google OAuth2 providers!${reset_color}"
+ echo "Please see our transition guide to move to a generic OIDC config: https://docs.firezone.dev/administer/upgrade#upgrading-from--050-to--050"
+ exit 1
+ fi
+}
+
 capture () {
 if type curl > /dev/null; then
 if [ -e /var/opt/firezone/cache/telemetry_id ]; then
@@ -40,5 +52,6 @@ if [ ! -e /var/opt/firezone/.disable_telemetry ]; then
 capture || true
 fi
-echo "You're about to install firezone!"
 kernelCheck
+configCheck
+echo "You're about to install firezone!"
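Review bot: `grep -q … $config_file` in the new `configCheck` runs unconditionally, so on a fresh install where `/etc/firezone/firezone.rb` does not exist yet grep prints `No such file or directory` to stderr and the install proceeds only because a missing file happens to return non-zero; make the skip explicit with `if [ -f "$config_file" ] && grep -q "…" "$config_file"; then` so the fresh-install path is intentional rather than incidental. The pattern leans on GNU extensions in basic regex (`\s`, `\|`), which is fine for the glibc distributions this package targets but deserves a comment like `# GNU grep BRE: \s and \| are not POSIX` (or `grep -Eq` with `[[:space:]]` and `|` for portability). The `\033` colour escapes also depend on which `sh` runs the maintainer script — dash's `echo` interprets them, bash's does not without `-e` — so `printf '%b\n' "${error_color}ERROR: …${reset_color}"` would render the same everywhere. Note that the guard only matches a literal `= true`; a flag set through a Ruby expression slips past it, which is acceptable for a best-effort upgrade check but worth stating in a comment so nobody treats it as exhaustive.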