feat(ui5-middleware-onelogin): possible to provide certificate to login directly #1079

Open
wants to merge 14 commits into base: main
Conversation

marianfoo
Member

@marianfoo marianfoo commented Sep 13, 2024

fix #1078

I added a sample app to log in to the BTP Cockpit.

TODO:

  • Login was successful but it still says "looks like a login page, reloading..."
  • Don't know how to implement the parameter for clientCertificates, currently just use some of them directly
    • ClientCertificate is currently an Array<Object> property as defined in the Playwright API reference.
  • Just reuse useCertificate like I did in the sample?
    • Currently the property ClientCertificate is only used if useCertificate is true and ClientCertificate is defined.
  • Add documentation
  • Avoid having the passphrase in log output?
  • Maybe passphrase only through env?

Playwright API Reference for clientCertificates:

https://playwright.dev/docs/api/class-testoptions#test-options-client-certificates

Array<Object>
  • origin string: Exact origin that the certificate is valid for. Origin includes https protocol, a hostname and optionally a port.
  • certPath string (optional): Path to the file with the certificate in PEM format.
  • cert Buffer (optional): Direct value of the certificate in PEM format.
  • keyPath string (optional): Path to the file with the private key in PEM format.
  • key Buffer (optional): Direct value of the private key in PEM format.
  • pfxPath string (optional): Path to the PFX or PKCS12 encoded private key and certificate chain.
  • pfx Buffer (optional): Direct value of the PFX or PKCS12 encoded private key and certificate chain.
  • passphrase string (optional): Passphrase for the private key (PEM or PFX).

Current Output

npm start 

> [email protected] start
> ui5 serve --port 8080 -o index.html

info graph:helpers:ui5Framework Using OpenUI5 version: 1.120.20
info server:custom-middleware:ui5-middleware-livereload Livereload server started!
Server started
URL: http://localhost:8080
info server:custom-middleware:ui5-middleware-onelogin Fetching cookie, hang on!
info server:custom-middleware:ui5-middleware-onelogin Default options:
info server:custom-middleware:ui5-middleware-onelogin {
  configuration: { subdirectory: 'sap/bc/ui2/flp/', useCertificate: false }
}
info server:custom-middleware:ui5-middleware-onelogin Env options:
info server:custom-middleware:ui5-middleware-onelogin { configuration: { useCertificate: false, debug: false } }
info server:custom-middleware:ui5-middleware-onelogin Yaml options:
info server:custom-middleware:ui5-middleware-onelogin {
  configuration: {
    debug: true,
    path: 'https://emea.cockpit.btp.cloud.sap',
    subdirectory: 'cockpit#/',
    useCertificate: true,
    clientCertificatesOrigin: 'https://accounts.sap.com',
    clientCertificatesPfxPath: 'sap.pfx',
    clientCertificatesPfxPpassphrase: 'XXX'
  },
  middlewareName: 'ui5-middleware-onelogin'
}
info server:custom-middleware:ui5-middleware-onelogin Effective options:
info server:custom-middleware:ui5-middleware-onelogin {
  configuration: {
    subdirectory: 'cockpit#/',
    useCertificate: true,
    debug: true,
    path: 'https://emea.cockpit.btp.cloud.sap',
    clientCertificatesOrigin: 'https://accounts.sap.com',
    clientCertificatesPfxPath: 'sap.pfx',
    clientCertificatesPfxPpassphrase: 'XXX'
  },
  middlewareName: 'ui5-middleware-onelogin'
}
info server:custom-middleware:ui5-middleware-onelogin Trying to fetch cookie from "https://emea.cockpit.btp.cloud.sap/cockpit#/"
info server:custom-middleware:ui5-middleware-onelogin "https://emea.cockpit.btp.cloud.sap/cockpit#/" looks like a login page, reloading...
info server:custom-middleware:ui5-middleware-onelogin "https://emea.cockpit.btp.cloud.sap/cockpit#/" looks like a login page, reloading...
info server:custom-middleware:ui5-middleware-onelogin "https://emea.cockpit.btp.cloud.sap/cockpit#/" looks like a login page, reloading...
info server:custom-middleware:ui5-middleware-onelogin Couldn't login using a certificate!
info server:custom-middleware:ui5-middleware-onelogin Parsed cookie is dtCookie=v_4_srv_24_sn_8A31D654D1F57B8420411A106CD110CB_perc_100000_ol_0_mul_1_app-3Acab67a9e1543df82_1; Domain=.cloud.sap; Path=/; SameSite=Lax; IDP_USER=NzY0OTYwMzY

@marianfoo marianfoo marked this pull request as draft September 13, 2024 19:41
@petermuessig
Member

@marianfoo : you also need to update the package-lock.json otherwise the build fails

@marianfoo
Member Author

> @marianfoo : you also need to update the package-lock.json otherwise the build fails

done

@marianfoo
Member Author

Added property ClientCertificate, defined in

/**
* @typedef {Object} ClientCertificate
* @property {string} origin - Exact origin that the certificate is valid for. Origin includes https protocol, a hostname and optionally a port.
* @property {string} [certPath] - Path to the file with the certificate in PEM format.
* @property {Buffer} [cert] - Direct value of the certificate in PEM format.
* @property {string} [keyPath] - Path to the file with the private key in PEM format.
* @property {Buffer} [key] - Direct value of the private key in PEM format.
* @property {string} [pfxPath] - Path to the PFX or PKCS12 encoded private key and certificate chain.
* @property {Buffer} [pfx] - Direct value of the PFX or PKCS12 encoded private key and certificate chain.
* @property {string} [passphrase] - Passphrase for the private key (PEM or PFX).
*/

Usage as an object in env like in this sample:

UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES=[{"origin": "https://accounts.sap.com","pfxPath": "sap.pfx","passphrase": "XXX"}]

or in YAML like this:

# clientCertificates:
#   - origin: "https://accounts.sap.com"
#     #certPath: "path/to/cert.pem"
#     # cert: Buffer value (not applicable in YAML)
#     #keyPath: "path/to/key.pem"
#     # key: Buffer value (not applicable in YAML)
#     pfxPath: "sap.pfx"
#     # pfx: Buffer value (not applicable in YAML)
#     #passphrase: "your_passphrase_here"

@marianfoo marianfoo requested a review from vobu September 16, 2024 09:37
@marianfoo marianfoo self-assigned this Nov 5, 2024
@marianfoo marianfoo marked this pull request as ready for review November 5, 2024 10:51
@marianfoo marianfoo force-pushed the feat/login-certificate branch from 891745a to 602cf6e Compare November 5, 2024 11:51
@marianfoo
Member Author

marianfoo commented Nov 5, 2024

> Login was successful but it still says "looks like a login page, reloading..."

Created a new case to avoid breaking changes; it's assumed that after network idle the login with cert worked:

} else if (isUseCertificateEnabled && hasCertificateConfig) {

> Don't know how to implement the parameter for clientCertificates, currently just use some of them directly
> ClientCertificate is currently an Array<Object> property as defined in the Playwright API reference.

I changed it to currently use only one certificate instead of an array of certificates, which makes the implementation easier:

UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_ORIGIN=https://accounts.sap.com
#UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_CERT_PATH=path/to/cert.pem
#UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_KEY_PATH=path/to/key.pem
UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_PFX_PATH=sap.pfx
UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_PASSPHRASE=your_passphrase_here

> Just reuse useCertificate like I did in the sample?
> Currently the property ClientCertificate is only used if useCertificate is true and ClientCertificate is defined.
> Add documentation

useCertificate must be true to use login with certificate; if useCertificate is true and no certificate config is set, the old way of logging in is used:

const isUseCertificateEnabled = effectiveOptions.configuration.useCertificate;
const hasCertificateConfig =
    effectiveOptions.configuration.certificateCertPath ||
    effectiveOptions.configuration.certificateCert ||
    effectiveOptions.configuration.certificateKeyPath ||
    effectiveOptions.configuration.certificateKey ||
    effectiveOptions.configuration.certificatePfxPath ||
    effectiveOptions.configuration.certificatePfx;
const useClientCertificates = isUseCertificateEnabled && hasCertificateConfig;

> Avoid having the passphrase in log output?

added

const sanitizePassphrase = (obj: any) => {
    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
    if (!obj?.configuration?.certificatePassphrase) return obj;
    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
    return {
        ...obj,
        configuration: {
            ...obj.configuration,
            certificatePassphrase: "***",
        },
    };
};
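
Added example, not code from this PR or from ui5-middleware-onelogin: a self-contained TypeScript sketch of the two pieces the comments above describe, building Playwright's `clientCertificates` array from the flattened `certificate*` options (the single-certificate form of the later comment, which also covers the one-entry array form of the earlier comment) and redacting secrets before the effective options are logged. It goes a step further than the posted `hasCertificateConfig` check: a key without a certificate, a PEM pair combined with a PFX, or a non-https origin raises an error up front instead of being handed to Playwright, and the redaction also masks inline key/PFX material, not only the passphrase. The names `buildClientCertificates`, `configFromEnv`, `redactSecrets`, `CertError`, the origin regex, and the set of redacted keys are assumptions made for this example; the env variable names are the ones from the .env sample in the comment.

```typescript
// Added example (not the project's code). Names and the origin regex are assumptions.

// Subset of the middleware configuration keys referenced in the PR.
interface Configuration {
  useCertificate?: boolean;
  certificateOrigin?: string;
  certificateCertPath?: string;
  certificateCert?: Uint8Array; // Playwright takes a Buffer, which is a Uint8Array subclass
  certificateKeyPath?: string;
  certificateKey?: Uint8Array;
  certificatePfxPath?: string;
  certificatePfx?: Uint8Array;
  certificatePassphrase?: string;
}

// One entry of Playwright's `clientCertificates` option.
interface ClientCertificate {
  origin: string;
  certPath?: string;
  cert?: Uint8Array;
  keyPath?: string;
  key?: Uint8Array;
  pfxPath?: string;
  pfx?: Uint8Array;
  passphrase?: string;
}

class CertError extends Error {}

// Playwright wants an exact origin: https scheme, hostname, optional port, no path (assumed regex; no IPv6).
const ORIGIN_RE = /^https:\/\/[A-Za-z0-9.-]+(?::\d{1,5})?$/;

// Returns [] when certificate login is not configured so the caller can fall back to the
// interactive login flow; throws CertError on a half-configured certificate instead of
// letting Playwright fail later with a less specific error.
function buildClientCertificates(cfg: Configuration): ClientCertificate[] {
  const hasPem = [cfg.certificateCertPath, cfg.certificateCert, cfg.certificateKeyPath, cfg.certificateKey]
    .some((v) => v !== undefined);
  const hasPfx = cfg.certificatePfxPath !== undefined || cfg.certificatePfx !== undefined;
  if (!cfg.useCertificate || (!hasPem && !hasPfx)) return [];

  const origin = cfg.certificateOrigin ?? "";
  if (!ORIGIN_RE.test(origin)) throw new CertError(`certificateOrigin must be an exact https origin, got "${origin}"`);
  if (hasPem && hasPfx) throw new CertError("use either a PEM cert/key pair or a PFX file, not both");

  const entry: ClientCertificate = { origin };
  if (hasPfx) {
    if (cfg.certificatePfxPath !== undefined && cfg.certificatePfx !== undefined) {
      throw new CertError("set certificatePfxPath or certificatePfx, not both");
    }
    if (cfg.certificatePfxPath !== undefined) entry.pfxPath = cfg.certificatePfxPath;
    else entry.pfx = cfg.certificatePfx;
  } else {
    const certs = [cfg.certificateCertPath, cfg.certificateCert].filter((v) => v !== undefined).length;
    const keys = [cfg.certificateKeyPath, cfg.certificateKey].filter((v) => v !== undefined).length;
    if (certs !== 1 || keys !== 1) {
      throw new CertError("PEM login needs exactly one certificate (path or value) and exactly one private key (path or value)");
    }
    if (cfg.certificateCertPath !== undefined) entry.certPath = cfg.certificateCertPath; else entry.cert = cfg.certificateCert;
    if (cfg.certificateKeyPath !== undefined) entry.keyPath = cfg.certificateKeyPath; else entry.key = cfg.certificateKey;
  }
  if (cfg.certificatePassphrase !== undefined) entry.passphrase = cfg.certificatePassphrase;
  return [entry];
}

// Env variable names from the PR's .env sample; keeping the passphrase here (and out of ui5.yaml)
// keeps it out of version control. Inline cert/key/pfx bytes are deliberately not read from env.
const ENV_KEYS: ReadonlyArray<[keyof Configuration, string]> = [
  ["certificateOrigin", "ORIGIN"], ["certificateCertPath", "CERT_PATH"], ["certificateKeyPath", "KEY_PATH"],
  ["certificatePfxPath", "PFX_PATH"], ["certificatePassphrase", "PASSPHRASE"],
];
function configFromEnv(env: Record<string, string | undefined>): Configuration {
  const cfg: Record<string, string> = {};
  for (const [key, suffix] of ENV_KEYS) {
    const v = env[`UI5_MIDDLEWARE_ONELOGIN_CERTIFICATE_${suffix}`];
    if (v !== undefined && v !== "") cfg[key] = v;
  }
  return cfg as Configuration;
}

// Keys whose values must never reach the log (assumed set): passphrases and inline key/PFX material.
const SECRET_KEYS = new Set(["certificatePassphrase", "certificateKey", "certificatePfx", "passphrase", "key", "pfx"]);

// Deep copy for logging with secret-bearing keys masked, whatever the nesting; paths stay visible.
function redactSecrets<T>(value: T): T {
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v)) as unknown as T;
  if (value !== null && typeof value === "object" && !(value instanceof Uint8Array)) {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEYS.has(k) && v !== undefined ? "***" : redactSecrets(v);
    }
    return out as T;
  }
  return value;
}

// Usage: const certs = buildClientCertificates(configFromEnv(process.env));
//        console.log(redactSecrets(effectiveOptions));
```

The ordering matters: `useCertificate: true` with no certificate keys still returns an empty array, which matches the fallback to the old login path described above, while an incomplete or contradictory certificate configuration fails before a browser is launched.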

@marianfoo
Member Author

marianfoo commented Nov 5, 2024

@uxkjaer @petermuessig @vobu
would be great to have some feedback from you!


@wridgeu wridgeu left a comment


Hey @marianfoo as we spoke about it, I had a look. Just some general comments/feedback/hints from my side. hth.

packages/ui5-middleware-onelogin/README.md (review thread resolved, outdated)
packages/ui5-middleware-onelogin/src/cookieGetter.ts (review thread resolved, outdated)
packages/ui5-middleware-onelogin/src/types.ts (review thread resolved)
@marianfoo marianfoo requested a review from Copilot November 5, 2024 14:25


Copilot reviewed 14 out of 29 changed files in this pull request and generated no suggestions.

Files not reviewed (15)
  • packages/ui5-middleware-onelogin/package.json: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/.envTEMPLATE: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/.gitignore: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/package.json: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/i18n/i18n.properties: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/i18n/i18n_de.properties: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/i18n/i18n_en.properties: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/index-cdn.html: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/index.html: Language not supported
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/manifest.json: Language not supported
  • packages/ui5-middleware-onelogin/lib/index.js: Evaluated as low risk
  • packages/ui5-middleware-onelogin/README.md: Evaluated as low risk
  • packages/ui5-middleware-onelogin/lib/cookieGetter.js: Evaluated as low risk
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/model/formatter.js: Evaluated as low risk
  • packages/ui5-middleware-onelogin/sample/certificate/webapp/controller/BaseController.js: Evaluated as low risk

Successfully merging this pull request may close these issues.

[ui5-middleware-onelogin] Login with SAP Passport Certificate
3 participants