feat: community auth updates and finalization (#13333)

Author: pmossman

airbyte-api/server-api/src/main/openapi/config.yaml

@@ -11778,6 +11778,7 @@ components:
         - airbyteUrl
         - auth
         - defaultOrganizationId
+        - defaultOrganizationEmail
         - defaultUserId
         - defaultWorkspaceId
         - edition
@@ -11811,6 +11812,9 @@ components:
         defaultOrganizationId:
           type: string
           format: uuid
+        defaultOrganizationEmail:
+          type: string
+          format: email
         defaultWorkspaceId:
           type: string
           format: uuid

airbyte-bootloader/src/main/kotlin/io/airbyte/bootloader/AuthKubernetesSecretInitializer.kt

@@ -14,8 +14,7 @@ import java.util.UUID
 
 private val logger = KotlinLogging.logger {}
 
-const val SECRET_LENGTH = 16
-private const val DEFAULT_USERNAME_VALUE = "airbyte"
+const val SECRET_LENGTH = 32
 
 @Singleton
 @Requires(env = [Environment.KUBERNETES])
@@ -48,12 +47,6 @@ class AuthKubernetesSecretInitializer(
   }
 
   private fun getSecretDataMap(): Map<String, String> {
-    val usernameValue =
-      getOrCreateSecretEncodedValue(
-        secretKeysConfig.instanceAdminUsernameSecretKey,
-        providedSecretValuesConfig.instanceAdminUsername,
-        DEFAULT_USERNAME_VALUE,
-      )
     val passwordValue =
       getOrCreateSecretEncodedValue(
         secretKeysConfig.instanceAdminPasswordSecretKey,
@@ -76,10 +69,9 @@ class AuthKubernetesSecretInitializer(
       getOrCreateSecretEncodedValue(
         secretKeysConfig.jwtSignatureSecretKey,
         providedSecretValuesConfig.jwtSignatureSecret,
-        UUID.randomUUID().toString(),
+        RandomStringUtils.randomAlphanumeric(SECRET_LENGTH),
       )
     return mapOf(
-      secretKeysConfig.instanceAdminUsernameSecretKey!! to usernameValue,
       secretKeysConfig.instanceAdminPasswordSecretKey!! to passwordValue,
       secretKeysConfig.instanceAdminClientIdSecretKey!! to clientIdValue,
       secretKeysConfig.instanceAdminClientSecretSecretKey!! to clientSecretValue,
@@ -115,7 +107,6 @@ class AuthKubernetesSecretInitializer(
 
 @ConfigurationProperties("airbyte.auth.kubernetes-secret.keys")
 open class AuthKubernetesSecretKeysConfig {
-  var instanceAdminUsernameSecretKey: String? = null
   var instanceAdminPasswordSecretKey: String? = null
   var instanceAdminClientIdSecretKey: String? = null
   var instanceAdminClientSecretSecretKey: String? = null
@@ -124,7 +115,6 @@ open class AuthKubernetesSecretKeysConfig {
 
 @ConfigurationProperties("airbyte.auth.kubernetes-secret.values")
 open class AuthKubernetesSecretValuesConfig {
-  var instanceAdminUsername: String? = null
   var instanceAdminPassword: String? = null
   var instanceAdminClientId: String? = null
   var instanceAdminClientSecret: String? = null

airbyte-bootloader/src/main/resources/application.yml

@@ -35,13 +35,11 @@ airbyte:
       creation-enabled: ${AB_AUTH_SECRET_CREATION_ENABLED:false}
       name: ${AB_KUBERNETES_SECRET_NAME:airbyte-auth-secrets}
       keys:
-        instance-admin-username-secret-key: ${AB_INSTANCE_ADMIN_USERNAME_SECRET_KEY:instance-admin-username}
         instance-admin-password-secret-key: ${AB_INSTANCE_ADMIN_PASSWORD_SECRET_KEY:instance-admin-password}
         instance-admin-client-id-secret-key: ${AB_INSTANCE_ADMIN_CLIENT_ID_SECRET_KEY:instance-admin-client-id}
         instance-admin-client-secret-secret-key: ${AB_INSTANCE_ADMIN_CLIENT_SECRET_SECRET_KEY:instance-admin-client-secret}
         jwt-signature-secret-key: ${AB_JWT_SIGNATURE_SECRET_KEY:jwt-signature-secret}
       values:
-        instance-admin-username: ${AB_INSTANCE_ADMIN_USERNAME:}
         instance-admin-password: ${AB_INSTANCE_ADMIN_PASSWORD:}
         instance-admin-client-id: ${AB_INSTANCE_ADMIN_CLIENT_ID:}
         instance-admin-client-secret: ${AB_INSTANCE_ADMIN_CLIENT_SECRET:}

airbyte-bootloader/src/test-integration/kotlin/io/airbyte/bootloader/AuthKubernetesSecretInitializerTest.kt

@@ -22,12 +22,10 @@ import org.junit.jupiter.api.Test
 import java.util.Base64
 
 private const val SECRET_NAME = "test-secret"
-private const val USERNAME_KEY = "username"
 private const val PASSWORD_KEY = "password"
 private const val CLIENT_ID_KEY = "clientId"
 private const val CLIENT_SECRET_KEY = "clientSecret"
 private const val JWT_SIGNATURE_KEY = "jwtSignature"
-private const val PROVIDED_USERNAME_VALUE = "admin"
 private const val PROVIDED_PASSWORD_VALUE = "hunter2"
 private const val PROVIDED_CLIENT_ID_VALUE = "myClientId"
 private const val PROVIDED_CLIENT_SECRET_VALUE = "myClientSecret"
@@ -86,8 +84,7 @@ class AuthKubernetesSecretInitializerTest {
     verify { mockKubernetesClient.resource(capture(secretSlot)) }
     val capturedSecret = secretSlot.captured
     assertEquals(SECRET_NAME, capturedSecret.metadata.name)
-    assertEquals(5, capturedSecret.data.size)
-    assertEquals(Base64.getEncoder().encodeToString(PROVIDED_USERNAME_VALUE.toByteArray()), capturedSecret.data[USERNAME_KEY])
+    assertEquals(4, capturedSecret.data.size)
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_PASSWORD_VALUE.toByteArray()), capturedSecret.data[PASSWORD_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_ID_VALUE.toByteArray()), capturedSecret.data[CLIENT_ID_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_SECRET_VALUE.toByteArray()), capturedSecret.data[CLIENT_SECRET_KEY])
@@ -115,8 +112,7 @@ class AuthKubernetesSecretInitializerTest {
     verify { mockKubernetesClient.resource(capture(secretSlot)) }
     val capturedSecret = secretSlot.captured
     assertEquals(SECRET_NAME, capturedSecret.metadata.name)
-    assertEquals(5, capturedSecret.data.size)
-    assertEquals(Base64.getEncoder().encodeToString(PROVIDED_USERNAME_VALUE.toByteArray()), capturedSecret.data[USERNAME_KEY])
+    assertEquals(4, capturedSecret.data.size)
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_PASSWORD_VALUE.toByteArray()), capturedSecret.data[PASSWORD_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_ID_VALUE.toByteArray()), capturedSecret.data[CLIENT_ID_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_SECRET_VALUE.toByteArray()), capturedSecret.data[CLIENT_SECRET_KEY])
@@ -135,11 +131,10 @@ class AuthKubernetesSecretInitializerTest {
         .withNewMetadata()
         .withName(SECRET_NAME)
         .endMetadata()
-        // username is already set in the secret, so it should persist through the update as it
-        // was not provided.
-        .addToData(USERNAME_KEY, Base64.getEncoder().encodeToString("preExistingUsername".toByteArray()))
         // clientId is already set in the secret, but a new value was provided, so it should be updated.
         .addToData(CLIENT_ID_KEY, Base64.getEncoder().encodeToString("preExistingClientId".toByteArray()))
+        // clientSecret is already set in the secret, and no new value was provided, so it should remain the same.
+        .addToData(CLIENT_SECRET_KEY, Base64.getEncoder().encodeToString(PROVIDED_CLIENT_SECRET_VALUE.toByteArray()))
         .build()
     every { mockKubernetesClient.secrets().withName(any()).get() } returns existingSecret
     every { mockKubernetesClient.resource(any<Secret>()) } returns mockResource
@@ -154,8 +149,7 @@ class AuthKubernetesSecretInitializerTest {
     verify { mockKubernetesClient.resource(capture(secretSlot)) }
     val capturedSecret = secretSlot.captured
     assertEquals(SECRET_NAME, capturedSecret.metadata.name)
-    assertEquals(5, capturedSecret.data.size)
-    assertEquals(Base64.getEncoder().encodeToString("preExistingUsername".toByteArray()), capturedSecret.data[USERNAME_KEY])
+    assertEquals(4, capturedSecret.data.size)
     assertEquals(Base64.getEncoder().encodeToString(randomPassword.toByteArray()), capturedSecret.data[PASSWORD_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_ID_VALUE.toByteArray()), capturedSecret.data[CLIENT_ID_KEY])
     assertEquals(Base64.getEncoder().encodeToString(PROVIDED_CLIENT_SECRET_VALUE.toByteArray()), capturedSecret.data[CLIENT_SECRET_KEY])
@@ -166,23 +160,20 @@ class AuthKubernetesSecretInitializerTest {
   }
 
   private fun setupProvidedSecretValuesConfigWithoutPassword() {
-    every { mockProvidedSecretValuesConfig.instanceAdminUsername } returns null
     every { mockProvidedSecretValuesConfig.instanceAdminPassword } returns null
     every { mockProvidedSecretValuesConfig.instanceAdminClientId } returns PROVIDED_CLIENT_ID_VALUE
     every { mockProvidedSecretValuesConfig.instanceAdminClientSecret } returns PROVIDED_CLIENT_SECRET_VALUE
     every { mockProvidedSecretValuesConfig.jwtSignatureSecret } returns PROVIDED_JWT_SIGNATURE_VALUE
   }
 
   private fun setupSecretKeysConfig() {
-    every { mockSecretKeysConfig.instanceAdminUsernameSecretKey } returns USERNAME_KEY
     every { mockSecretKeysConfig.instanceAdminPasswordSecretKey } returns PASSWORD_KEY
     every { mockSecretKeysConfig.instanceAdminClientIdSecretKey } returns CLIENT_ID_KEY
     every { mockSecretKeysConfig.instanceAdminClientSecretSecretKey } returns CLIENT_SECRET_KEY
     every { mockSecretKeysConfig.jwtSignatureSecretKey } returns JWT_SIGNATURE_KEY
   }
 
   private fun setupProvidedSecretValuesConfig() {
-    every { mockProvidedSecretValuesConfig.instanceAdminUsername } returns PROVIDED_USERNAME_VALUE
     every { mockProvidedSecretValuesConfig.instanceAdminPassword } returns PROVIDED_PASSWORD_VALUE
     every { mockProvidedSecretValuesConfig.instanceAdminClientId } returns PROVIDED_CLIENT_ID_VALUE
     every { mockProvidedSecretValuesConfig.instanceAdminClientSecret } returns PROVIDED_CLIENT_SECRET_VALUE

airbyte-commons-server/src/main/java/io/airbyte/commons/server/handlers/InstanceConfigurationHandler.java

@@ -76,7 +76,7 @@ public InstanceConfigurationHandler(@Named("airbyteUrl") final Optional<String>
   }
 
   public InstanceConfigurationResponse getInstanceConfiguration() throws IOException {
-    final UUID defaultOrganizationId = getDefaultOrganizationId();
+    final Organization defaultOrganization = getDefaultOrganization();
     final Boolean initialSetupComplete = workspacePersistence.getInitialSetupComplete();
 
     return new InstanceConfigurationResponse()
@@ -87,18 +87,23 @@ public InstanceConfigurationResponse getInstanceConfiguration() throws IOExcepti
         .auth(getAuthConfiguration())
         .initialSetupComplete(initialSetupComplete)
         .defaultUserId(getDefaultUserId())
-        .defaultOrganizationId(defaultOrganizationId)
+        .defaultOrganizationId(defaultOrganization.getOrganizationId())
+        .defaultOrganizationEmail(defaultOrganization.getEmail())
         .trackingStrategy("segment".equalsIgnoreCase(trackingStrategy) ? TrackingStrategyEnum.SEGMENT : TrackingStrategyEnum.LOGGING);
   }
 
   public InstanceConfigurationResponse setupInstanceConfiguration(final InstanceConfigurationSetupRequestBody requestBody)
       throws IOException, JsonValidationException, ConfigNotFoundException {
 
-    final UUID defaultOrganizationId = getDefaultOrganizationId();
-    final StandardWorkspace defaultWorkspace = getDefaultWorkspace(defaultOrganizationId);
+    final Organization defaultOrganization = getDefaultOrganization();
+    final StandardWorkspace defaultWorkspace = getDefaultWorkspace(defaultOrganization.getOrganizationId());
 
-    // Update the default organization and user with the provided information
+    // Update the default organization and user with the provided information.
+    // note that this is important especially for Community edition w/ Auth enabled,
+    // because the login email must match the default organization's saved email in
+    // order to login successfully.
     updateDefaultOrganization(requestBody);
+
     updateDefaultUser(requestBody);
 
     // Update the underlying workspace to mark the initial setup as complete
@@ -154,10 +159,9 @@ private void updateDefaultUser(final InstanceConfigurationSetupRequestBody reque
     userPersistence.writeUser(defaultUser);
   }
 
-  private UUID getDefaultOrganizationId() throws IOException {
+  private Organization getDefaultOrganization() throws IOException {
     return organizationPersistence.getDefaultOrganization()
-        .orElseThrow(() -> new IllegalStateException("Default organization does not exist."))
-        .getOrganizationId();
+        .orElseThrow(() -> new IllegalStateException("Default organization does not exist."));
   }
 
   private void updateDefaultOrganization(final InstanceConfigurationSetupRequestBody requestBody) throws IOException {

airbyte-commons-server/src/test/java/io/airbyte/commons/server/handlers/InstanceConfigurationHandlerTest.java

@@ -55,6 +55,7 @@ class InstanceConfigurationHandlerTest {
   private static final UUID WORKSPACE_ID = UUID.randomUUID();
   private static final UUID USER_ID = UUID.randomUUID();
   private static final UUID ORGANIZATION_ID = UUID.randomUUID();
+  private static final String EMAIL = "[email protected]";
   private static final String DEFAULT_ORG_NAME = "Default Org Name";
   private static final String DEFAULT_USER_NAME = "Default User Name";
 
@@ -114,6 +115,7 @@ void testGetInstanceConfiguration(final boolean isEnterprise, final boolean isIn
         .initialSetupComplete(isInitialSetupComplete)
         .defaultUserId(USER_ID)
         .defaultOrganizationId(ORGANIZATION_ID)
+        .defaultOrganizationEmail(EMAIL)
         .trackingStrategy(TrackingStrategyEnum.LOGGING);
 
     final InstanceConfigurationResponse actual = instanceConfigurationHandler.getInstanceConfiguration();
@@ -199,8 +201,6 @@ void testSetupInstanceConfiguration(final boolean userNamePresent, final boolean
 
     instanceConfigurationHandler = getInstanceConfigurationHandler(true);
 
-    final String email = "[email protected]";
-
     final InstanceConfigurationResponse expected = new InstanceConfigurationResponse()
         .edition(EditionEnum.PRO)
         .version("0.50.1")
@@ -213,10 +213,11 @@ void testSetupInstanceConfiguration(final boolean userNamePresent, final boolean
         .initialSetupComplete(true)
         .defaultUserId(USER_ID)
         .defaultOrganizationId(ORGANIZATION_ID)
+        .defaultOrganizationEmail(EMAIL)
         .trackingStrategy(TrackingStrategyEnum.LOGGING);
 
     final InstanceConfigurationSetupRequestBody requestBody = new InstanceConfigurationSetupRequestBody()
-        .email(email)
+        .email(EMAIL)
         .displaySetupWizard(true)
         .anonymousDataCollection(true)
         .initialSetupComplete(true);
@@ -240,19 +241,19 @@ void testSetupInstanceConfiguration(final boolean userNamePresent, final boolean
     // verify the user was updated with the email and name from the request
     verify(mUserPersistence).writeUser(eq(new User()
         .withUserId(USER_ID)
-        .withEmail(email)
+        .withEmail(EMAIL)
         .withName(expectedUserName)));
 
     // verify the organization was updated with the name from the request
     verify(mOrganizationPersistence).updateOrganization(eq(new Organization()
         .withOrganizationId(ORGANIZATION_ID)
         .withName(expectedOrgName)
-        .withEmail(email)
+        .withEmail(EMAIL)
         .withUserId(USER_ID)));
 
     verify(mWorkspacesHandler).updateWorkspace(eq(new WorkspaceUpdate()
         .workspaceId(WORKSPACE_ID)
-        .email(email)
+        .email(EMAIL)
         .displaySetupWizard(true)
         .anonymousDataCollection(true)
         .initialSetupComplete(true)));
@@ -270,7 +271,8 @@ private void stubGetDefaultOrganization() throws IOException {
         Optional.of(new Organization()
             .withOrganizationId(ORGANIZATION_ID)
             .withName(DEFAULT_ORG_NAME)
-            .withUserId(USER_ID)));
+            .withUserId(USER_ID)
+            .withEmail(EMAIL)));
   }
 
   private void stubDefaultAuthConfigs() {

airbyte-server/src/main/kotlin/io/airbyte/server/config/community/auth/CommunityAuthProvider.kt

@@ -3,9 +3,12 @@
  */
 package io.airbyte.server.config.community.auth
 
+import io.airbyte.api.problems.model.generated.ProblemMessageData
+import io.airbyte.api.problems.throwable.generated.ForbiddenProblem
 import io.airbyte.commons.auth.RequiresAuthMode
 import io.airbyte.commons.auth.config.AuthMode
 import io.airbyte.commons.server.support.RbacRoleHelper
+import io.airbyte.config.persistence.OrganizationPersistence
 import io.airbyte.config.persistence.UserPersistence
 import io.airbyte.data.config.InstanceAdminConfig
 import io.micronaut.http.HttpRequest
@@ -24,12 +27,21 @@ const val SESSION_ID = "sessionId"
 @RequiresAuthMode(AuthMode.SIMPLE)
 class CommunityAuthProvider<B>(
   private val instanceAdminConfig: InstanceAdminConfig,
+  private val organizationPersistence: OrganizationPersistence,
 ) : HttpRequestAuthenticationProvider<B> {
   override fun authenticate(
     requestContext: HttpRequest<B>?,
     authRequest: AuthenticationRequest<String, String>,
   ): AuthenticationResponse? {
-    if (authRequest.identity == instanceAdminConfig.username && authRequest.secret == instanceAdminConfig.password) {
+    // The authRequest identity must match the default organization's email address that
+    // was collected during the instanceConfiguration step.
+    val defaultOrgEmail =
+      organizationPersistence.defaultOrganization
+        .orElseThrow {
+          ForbiddenProblem(ProblemMessageData().message("Default organization not found. Cannot authenticate."))
+        }.email
+
+    if (authRequest.identity == defaultOrgEmail && authRequest.secret == instanceAdminConfig.password) {
       val sessionId = UUID.randomUUID()
       val authenticationResponse =
         AuthenticationResponse.success(

airbyte-server/src/main/resources/application-edition-community.yml

@@ -19,12 +19,12 @@ micronaut:
       cookie:
         enabled: true
         cookie-same-site: ${AB_COOKIE_SAME_SITE:Strict}
-        cookie-secure: true
+        cookie-secure: ${AB_COOKIE_SECURE:true}
       refresh:
         cookie:
           enabled: true
-          cookie-same-site: None
-          cookie-secure: true
+          cookie-same-site: ${AB_COOKIE_SAME_SITE:Strict}
+          cookie-secure: ${AB_COOKIE_SECURE:true}
           cookie-max-age: PT5M
       generator:
         access-token:
@@ -45,7 +45,6 @@ airbyte:
   edition: community
   auth:
     instanceAdmin:
-      username: ${AB_INSTANCE_ADMIN_USERNAME:}
       password: ${AB_INSTANCE_ADMIN_PASSWORD:}
       clientId: ${AB_INSTANCE_ADMIN_CLIENT_ID:}
       clientSecret: ${AB_INSTANCE_ADMIN_CLIENT_SECRET:}