wip

README.md

@@ -8,7 +8,7 @@ The mission is to bring software dev inspired features (refactoring, testing, li
 
 ## Latest version
 
-v0.43.1
+v0.44.0
 
 ## OS Support
 
@@ -28,12 +28,19 @@ v0.43.1
 - [Install for development guide](https://developers.documize.com/s/VzO9ZqMOCgABGyfW/installation/d/V16LOMucxwABhZF1/install-documize-for-development-guide)
 - [Configuration guide](https://developers.documize.com/s/VzO9ZqMOCgABGyfW/installation/d/VzSL8cVZ4QAB2B4Y/configure-documize-guide)
 
+## Keycloak Integration
+
+Documize provides out-of-the-box integration with [Redhat Keycloak](http://www.keycloak.org) for open source identity and access management.
+
 ## Auth0 Integration
 
 Documize is compatible with Auth0 identity as a service.
 
 [![JWT Auth for open source projects](https://cdn.auth0.com/oss/badges/a0-badge-dark.png)](https://auth0.com/?utm_source=oss&utm_medium=gp&utm_campaign=oss)
 
+
+Open Source Identity and Access Management
+
 ## Word Conversion to HTML
 
 - [Code for `wordconvert` utility](https://github.com/documize/community/tree/master/cmd/wordconvert)

app/app/components/auth-settings.js

@@ -0,0 +1,70 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+import Ember from 'ember';
+import constants from '../utils/constants';
+
+const {
+	computed
+} = Ember;
+
+export default Ember.Component.extend({
+	isDocumizeProvider: computed.equal('authProvider', constants.AuthProvider.Documize),
+	isKeycloakProvider: computed.equal('authProvider', constants.AuthProvider.Keycloak),
+	KeycloakConfigError: computed.empty('keycloakConfig'),
+	keycloakConfig: '',
+
+	didReceiveAttrs() {
+		this._super(...arguments);
+
+		let provider = this.get('authProvider');
+
+		switch (provider) {
+			case constants.AuthProvider.Documize:
+				break;
+			case constants.AuthProvider.Keycloak:
+				this.set('keycloakConfig', this.get('authConfig'));
+				break;
+		}
+	},
+
+	actions: {
+		onDocumize() {
+			this.set('authProvider', constants.AuthProvider.Documize);
+		},
+
+		onKeycloak() {
+			this.set('authProvider', constants.AuthProvider.Keycloak);
+		},
+
+		onSave() {
+			if (this.get('KeycloakConfigError')) {
+				this.$("#keycloak-id").focus();
+				return;
+			}
+
+			let provider = this.get('authProvider');
+			let config = this.get('authConfig');
+
+			switch (provider) {
+				case constants.AuthProvider.Documize:
+					config = {};
+					break;
+				case constants.AuthProvider.Keycloak:
+					config = this.get('keycloakConfig');
+					break;
+			}
+
+			this.get('onSave')(provider, config).then(() => {
+			});
+		},
+	}
+});

app/app/pods/customize/auth/controller.js

@@ -0,0 +1,32 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+import Ember from 'ember';
+import NotifierMixin from "../../../mixins/notifier";
+
+export default Ember.Controller.extend(NotifierMixin, {
+	global: Ember.inject.service(),
+
+	actions: {
+		onSave(provider, config) {
+			if(this.get('session.isGlobalAdmin')) {
+				let data = { authProvider: provider, authConfig: config };
+
+				return this.get('global').saveAuthConfig(data).then(() => {
+					this.showNotification('Saved');
+					if (this.get('authProvider') !== provider) {
+						// window.location.reload();
+					}
+				});
+			}
+		}
+	}
+});

app/app/pods/customize/auth/route.js

@@ -0,0 +1,48 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+import Ember from 'ember';
+import AuthenticatedRouteMixin from 'ember-simple-auth/mixins/authenticated-route-mixin';
+import constants from '../../../utils/constants';
+
+export default Ember.Route.extend(AuthenticatedRouteMixin, {
+	appMeta: Ember.inject.service(),
+	session: Ember.inject.service(),
+	global: Ember.inject.service(),
+
+	beforeModel() {
+		if (!this.get("session.isGlobalAdmin")) {
+			this.transitionTo('auth.login');
+		}
+	},
+
+	model() {
+		let data = {
+			authProvider: this.get('appMeta.authProvider'),
+			authConfig: null,
+		};
+
+		switch (data.authProvider) {
+			case constants.AuthProvider.Keycloak:
+				data.authConfig = this.get('appMeta.authConfig');
+				break;
+			case constants.AuthProvider.Documize:
+				data.authConfig = '';
+				break;
+		}
+
+		return data;
+	},
+
+	activate() {
+		document.title = "Authentication | Documize";
+	}
+});

app/app/pods/customize/auth/template.hbs

@@ -0,0 +1 @@
+{{auth-settings authProvider=model.authProvider authConfig=model.authConfig onSave=(action 'onSave')}}

app/app/pods/customize/template.hbs

@@ -9,6 +9,7 @@
 			{{#link-to 'customize.users' activeClass='selected' class="option" tagName="li"}}Users{{/link-to}}
 			{{#if session.isGlobalAdmin}}
 				{{#link-to 'customize.global' activeClass='selected' class="option" tagName="li"}}Global{{/link-to}}
+				{{#link-to 'customize.auth' activeClass='selected' class="option" tagName="li"}}Authentication{{/link-to}}
 			{{/if}}
 		</ul>
 	</div>

app/app/router.js

@@ -58,6 +58,9 @@ export default Router.map(function () {
 		this.route('global', {
 			path: 'global'
 		});
+		this.route('auth', {
+			path: 'auth'
+		});
 	});
 
 	this.route('setup', {

app/app/services/app-meta.js

@@ -30,6 +30,8 @@ export default Ember.Service.extend({
 	edition: 'Community',
 	valid: true,
 	allowAnonymousAccess: false,
+	authProvider: 'documize',
+	authConfig: null,
 	setupMode: false,
 
 	invalidLicense() {

app/app/services/global.js

@@ -63,5 +63,15 @@ export default Ember.Service.extend({
 				data: license
 			});
 		}
+	},
+
+	// Saves auth config for Documize instance.
+	saveAuthConfig(config) {
+		if(this.get('sessionService.isGlobalAdmin')) {
+			return this.get('ajax').request(`global/auth`, {
+				method: 'PUT',
+				data: JSON.stringify(config)
+			});
+		}
 	}
 });

app/app/templates/components/auth-settings.hbs

@@ -0,0 +1,22 @@
+<form class="form-bordered">
+    <div class="form-header">
+        <div class="title">Authentication</div>
+        <div class="tip">Determine the method for user authentication</div>
+    </div>
+    <div class="input-control">
+        <label>Provider</label>
+        <div class="tip">External authentication servers, services must be accessible from the server running this Documize instance</div>
+        {{#ui/ui-radio selected=isDocumizeProvider onClick=(action 'onDocumize')}}Documize &mdash; email/password{{/ui/ui-radio}}
+        {{#ui/ui-radio selected=isKeycloakProvider onClick=(action 'onKeycloak')}}Keycloak &mdash; bring your own authenticaiton server{{/ui/ui-radio}}
+    </div>
+
+    {{#if isKeycloakProvider}}
+        <div class="input-control">
+            <label>Keycloak OIDC JSON</label>
+            <div class="tip">Realm Client JSON configuration from Keycloak admin console</div>
+            {{textarea id="keycloak-config" type="text" rows=7 value=keycloakConfig class=(if KeycloakUrlError 'error')}}
+        </div>
+    {{/if}}
+
+    <div class="regular-button button-blue" {{action 'onSave'}}>save</div>
+</form>

app/app/utils/constants.js

@@ -15,4 +15,9 @@ export default {
         Private: 2,
         Protected: 3
     },
+
+    AuthProvider: {
+        Documize: 'documize',
+        Keycloak: 'keycloak'
+    }
 };

app/ember-cli-build.js

@@ -60,6 +60,7 @@ module.exports = function (defaults) {
 	app.import('vendor/waypoints.js');
 	app.import('vendor/velocity.js');
 	app.import('vendor/velocity.ui.js');
+	app.import('vendor/keycloak.js');
 
 	return app.toTree();
 };

app/package.json

@@ -16,7 +16,7 @@
   "engines": {
     "node": ">= 0.10.0"
   },
-  "author": "",
+  "author": "Documize Inc.",
   "license": "AGPL",
   "devDependencies": {
     "broccoli-asset-rev": "^2.4.5",
@@ -41,7 +41,7 @@
     "ember-export-application-global": "^1.0.5",
     "ember-load-initializers": "^0.6.0",
     "ember-resolver": "^2.0.3",
-    "ember-simple-auth": "git+https://github.com/documize/ember-simple-auth.git#21e638f9e33267d8944835002ee96884d34d568a",
+    "ember-simple-auth": "1.2.0",
     "ember-source": "~2.11.0",
     "loader.js": "^4.0.10"
   },

core/api/endpoint/global_endpoint.go

@@ -176,3 +176,60 @@ type licenseJSON struct {
   <Signature>some signature</Signature>
 </DocumizeLicense>
 */
+
+// SaveAuthConfig returns installation-wide authentication configuration
+func SaveAuthConfig(w http.ResponseWriter, r *http.Request) {
+	method := "SaveAuthConfig"
+	p := request.GetPersister(r)
+
+	if !p.Context.Global {
+		writeForbiddenError(w)
+		return
+	}
+
+	defer r.Body.Close()
+
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		writePayloadError(w, method, err)
+		return
+	}
+
+	var data authData
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		writePayloadError(w, method, err)
+		return
+	}
+
+	org, err := p.GetOrganization(p.Context.OrgID)
+	if err != nil {
+		util.WriteGeneralSQLError(w, method, err)
+		return
+	}
+
+	org.AuthProvider = data.AuthProvider
+	org.AuthConfig = data.AuthConfig
+
+	p.Context.Transaction, err = request.Db.Beginx()
+	if err != nil {
+		writeTransactionError(w, method, err)
+		return
+	}
+
+	err = p.UpdateAuthConfig(org)
+	if err != nil {
+		util.WriteGeneralSQLError(w, method, err)
+		p.Context.Transaction.Rollback()
+		return
+	}
+
+	p.Context.Transaction.Commit()
+
+	util.WriteSuccessEmptyJSON(w)
+}
+
+type authData struct {
+	AuthProvider string `json:"authProvider"`
+	AuthConfig   string `json:"authConfig"`
+}

core/api/endpoint/meta_endpoint.go

@@ -33,7 +33,6 @@ func GetMeta(w http.ResponseWriter, r *http.Request) {
 	data.URL = request.GetSubdomainFromHost(r)
 
 	org, err := p.GetOrganizationByDomain(data.URL)
-
 	if err != nil {
 		log.Info(fmt.Sprintf("%s URL not found", data.URL))
 		writeForbiddenError(w)
@@ -44,12 +43,13 @@ func GetMeta(w http.ResponseWriter, r *http.Request) {
 	data.Title = org.Title
 	data.Message = org.Message
 	data.AllowAnonymousAccess = org.AllowAnonymousAccess
+	data.AuthProvider = org.AuthProvider
+	data.AuthConfig = org.AuthConfig
 	data.Version = Product.Version
 	data.Edition = Product.License.Edition
 	data.Valid = Product.License.Valid
 
 	json, err := json.Marshal(data)
-
 	if err != nil {
 		writeJSONMarshalError(w, method, "meta", err)
 		return

core/api/endpoint/router.go

@@ -233,6 +233,7 @@ func init() {
 	log.IfErr(Add(RoutePrefixPrivate, "global/smtp", []string{"PUT", "OPTIONS"}, nil, SaveSMTPConfig))
 	log.IfErr(Add(RoutePrefixPrivate, "global/license", []string{"GET", "OPTIONS"}, nil, GetLicense))
 	log.IfErr(Add(RoutePrefixPrivate, "global/license", []string{"PUT", "OPTIONS"}, nil, SaveLicense))
+	log.IfErr(Add(RoutePrefixPrivate, "global/auth", []string{"PUT", "OPTIONS"}, nil, SaveAuthConfig))
 
 	// Pinned items
 	log.IfErr(Add(RoutePrefixPrivate, "pin/{userID}", []string{"POST", "OPTIONS"}, nil, AddPin))

core/api/endpoint/server.go

@@ -34,8 +34,8 @@ var Product core.ProdInfo
 
 func init() {
 	Product.Major = "0"
-	Product.Minor = "43"
+	Product.Minor = "44"
-	Product.Patch = "1"
+	Product.Patch = "0"
 	Product.Version = fmt.Sprintf("%s.%s.%s", Product.Major, Product.Minor, Product.Patch)
 	Product.Edition = "Community"
 	Product.Title = fmt.Sprintf("%s Edition", Product.Edition)

core/api/entity/objects.go

@@ -74,6 +74,8 @@ type Organization struct {
 	Domain               string `json:"domain"`
 	Email                string `json:"email"`
 	AllowAnonymousAccess bool   `json:"allowAnonymousAccess"`
+	AuthProvider         string `json:"authProvider"`
+	AuthConfig           string `json:"authConfig"`
 	Serial               string `json:"-"`
 	Active               bool   `json:"-"`
 }
@@ -333,6 +335,8 @@ type SiteMeta struct {
 	Message              string `json:"message"`
 	URL                  string `json:"url"`
 	AllowAnonymousAccess bool   `json:"allowAnonymousAccess"`
+	AuthProvider         string `json:"authProvider"`
+	AuthConfig           string `json:"authConfig"`
 	Version              string `json:"version"`
 	Edition              string `json:"edition"`
 	Valid                bool   `json:"valid"`

core/api/request/organization.go

@@ -59,7 +59,7 @@ func (p *Persister) AddOrganization(org entity.Organization) error {
 
 // GetOrganization returns the Organization reocrod from the organization database table with the given id.
 func (p *Persister) GetOrganization(id string) (org entity.Organization, err error) {
-	stmt, err := Db.Preparex("SELECT id, refid, company, title, message, url, domain, email, serial, active, allowanonymousaccess, created, revised FROM organization WHERE refid=?")
+	stmt, err := Db.Preparex("SELECT id, refid, company, title, message, url, domain, email, serial, active, allowanonymousaccess, authprovider, coalesce(authconfig,JSON_UNQUOTE('{}')) as authconfig, created, revised FROM organization WHERE refid=?")
 	defer utility.Close(stmt)
 
 	if err != nil {
@@ -77,24 +77,6 @@ func (p *Persister) GetOrganization(id string) (org entity.Organization, err err
 	return
 }
 
-// CheckDomain makes sure there is an organisation with the correct domain
-func CheckDomain(domain string) string {
-	row := Db.QueryRow("SELECT COUNT(*) FROM organization WHERE domain=? AND active=1", domain)
-
-	var count int
-	err := row.Scan(&count)
-
-	if err != nil {
-		return ""
-	}
-
-	if count == 1 {
-		return domain
-	}
-
-	return ""
-}
-
 // GetOrganizationByDomain returns the organization matching a given URL subdomain.
 func (p *Persister) GetOrganizationByDomain(subdomain string) (org entity.Organization, err error) {
 	err = nil
@@ -104,7 +86,7 @@ func (p *Persister) GetOrganizationByDomain(subdomain string) (org entity.Organi
 
 		var stmt *sqlx.Stmt
 
-		stmt, err = Db.Preparex("SELECT id, refid, company, title, message, url, domain, email, serial, active, allowanonymousaccess, created, revised FROM organization WHERE domain=? AND active=1")
+		stmt, err = Db.Preparex("SELECT id, refid, company, title, message, url, domain, email, serial, active, allowanonymousaccess, authprovider, coalesce(authconfig,JSON_UNQUOTE('{}')) as authconfig, created, revised FROM organization WHERE domain=? AND active=1")
 		defer utility.Close(stmt)
 
 		if err != nil {
@@ -186,3 +168,42 @@ func (p *Persister) RemoveOrganization(orgID string) (err error) {
 
 	return
 }
+
+// UpdateAuthConfig updates the given organization record in the database with the auth config details.
+func (p *Persister) UpdateAuthConfig(org entity.Organization) (err error) {
+	org.Revised = time.Now().UTC()
+
+	stmt, err := p.Context.Transaction.PrepareNamed("UPDATE organization SET allowanonymousaccess=:allowanonymousaccess, authprovider=:authprovider, authconfig=:authconfig, revised=:revised WHERE refid=:refid")
+	if err != nil {
+		log.Error(fmt.Sprintf("Unable to prepare UpdateAuthConfig %s", org.RefID), err)
+		return
+	}
+
+	defer utility.Close(stmt)
+
+	_, err = stmt.Exec(&org)
+	if err != nil {
+		log.Error(fmt.Sprintf("Unable to execute UpdateAuthConfig %s", org.RefID), err)
+		return
+	}
+
+	return
+}
+
+// CheckDomain makes sure there is an organisation with the correct domain
+func CheckDomain(domain string) string {
+	row := Db.QueryRow("SELECT COUNT(*) FROM organization WHERE domain=? AND active=1", domain)
+
+	var count int
+	err := row.Scan(&count)
+
+	if err != nil {
+		return ""
+	}
+
+	if count == 1 {
+		return domain
+	}
+
+	return ""
+}

core/database/scripts/autobuild/db_00011.sql

@@ -0,0 +1,3 @@
+/* community edition */
+ALTER TABLE organization ADD COLUMN `authprovider` CHAR(20) NOT NULL DEFAULT 'documize' AFTER `allowanonymousaccess`;
+ALTER TABLE organization ADD COLUMN `authconfig` JSON AFTER `authprovider`;