[Feature][Login] Add OAuth login

[Abingcbc]

Purpose of the pull request

Add SSO login for Dolphinscheduler

This pull request will close
#4531
#3451

Usage

1. Start a Casdoor server
2. Configure your Casdoor in application.yaml

security:
  authentication:
    type: CASDOOR_SSO

casdoor:
  endpoint: http://localhost:8000
  client-id: 
  client-secret: 
  certificate: 
  organization-name: built-in
  application-name: app-built-in
  redirect-url: http://localhost:8888/view/login/index.html

You can find client id and client secret in Casdoor's application page and jwt public key in Casdoor's cert page.
3. Add your redirect URL http://localhost:8888/view/login/index.html in Casdoor's application setting.
4. Now start your DolphinScheduler and you can login by SSO in the way like the following video.

Brief change log

Old UI

Login.-.DolphinScheduler.-.Google.Chrome.2022-03-05.14-40-12.mp4

New UI

Screen.Recording.2022-04-10.at.22.55.34.mov

Verify this pull request

This change added tests and can be verified as follows:

• Added CasdoorAuthenticator test

[hsluoyz]

Hi @William-GuoWei @dailidong @break60 , I am Yang Luo from Casdoor team. Casdoor is a powerful open-source single-sign-on (SSO) platform. It has the following features:

1. Support OIDC, OAuth 2.0, SAML, LDAP
2. With Casbin based authorization management, Casdoor supports ACL, RBAC, ABAC, RESTful accessing control models
3. Front-end and back-end separate architecture, Casdoor supports high concurrency, provides web-based managing UI and have mature solution for springboot project https://casdoor.org/docs/integration/spring-boot
4. Casdoor supports Github, Google, QQ, WeChat third-party applications login, and support the extension of third-party login with plugins.
5. Phone verification code, email verification code and forget password features.
6. Accessing logs auditing and recording.
7. Casdoor supports integration with existing systems using db sync method, users can transition to Casdoor smoothly.
8. Casdoor supports mainstream databases: MySQL, PostgreSQL, SQL Server etc, and support the extension of new database with plugins.

There have been a lot of user requests about the SSO scenario. This integration proposal will greatly enhance the SSO feature of DolphinScheduler with better authentication and security protection. What do you think?

[ruanwenjun]

Just some comments about the naming. Maybe use Casdoor might be better rather than sso.

[Abingcbc]

@CalvinKirs @ruanwenjun I have fixed the CI error. Please approve to rerun :) Thanks❤️

[codecov-commenter]

Codecov Report

Merging #8706 (59e3a28) into dev (4545093) will increase coverage by 0.01%.
The diff coverage is 68.42%.

❗ Current head 59e3a28 differs from pull request most recent head dd1586b. Consider uploading reports for the commit dd1586b to get more accurate results

@@             Coverage Diff              @@
##                dev    #8706      +/-   ##
============================================
+ Coverage     38.20%   38.22%   +0.01%     
- Complexity     4436     4448      +12     
============================================
  Files          1220     1222       +2     
  Lines         42698    42733      +35     
  Branches       4734     4736       +2     
============================================
+ Hits          16314    16333      +19     
- Misses        24581    24593      +12     
- Partials       1803     1807       +4     

Impacted Files	Coverage Δ
...nscheduler/api/configuration/AppConfiguration.java	93.93% <ø> (ø)
...lphinscheduler/api/controller/LoginController.java	51.72% <0.00%> (-16.46%)	⬇️
...inscheduler/api/service/impl/UsersServiceImpl.java	70.78% <ø> (ø)
...e/dolphinscheduler/common/constants/Constants.java	75.00% <ø> (ø)
...er/api/security/impl/sso/CasdoorAuthenticator.java	72.22% <72.22%> (ø)
.../org/apache/dolphinscheduler/api/enums/Status.java	100.00% <100.00%> (ø)
...phinscheduler/api/security/AuthenticationType.java	100.00% <100.00%> (ø)
.../dolphinscheduler/api/security/SecurityConfig.java	72.72% <100.00%> (+2.72%)	⬆️
...duler/api/security/impl/AbstractAuthenticator.java	100.00% <100.00%> (ø)
...er/api/security/impl/AbstractSsoAuthenticator.java	100.00% <100.00%> (ø)

... and 2 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
1 Code Smell

70.8% Coverage
0.0% Duplication

[ruanwenjun]

@Abingcbc Thanks, right now we put the front-end code in dolphinscheduler-ui-next, and we will not maintain the dolphinscheduler-ui, could you please put your change in dolphinscheduler-ui-next.
And you may also need to add the document about this new feature in dolphinscheduler-website.

[Abingcbc]

@ruanwenjun I have implemented the front-end in dolphinscheduler-ui-next :) PTAL
BTW, should I keep the implementation in the old UI code? Thanks!

[sonarcloud]

SonarCloud Quality Gate failed.   

1 Bug
0 Vulnerabilities
1 Security Hotspot
61 Code Smells

30.7% Coverage
6.6% Duplication

[hsluoyz]

Hi @ruanwenjun any update on this PR?

[caishunfeng]

Hi @Abingcbc it's a good feature, can you resolve the conflicts?
BTW, the old UI was removed in dev branch, just update the dolphinscheduler-ui (new UI) is OK.

[Abingcbc]

@caishunfeng I have solved the conflicts and updated the code. Furthermore, Casdoor is developing rapidly. There are a lot of new features since the last commit. So I add some codes to use a random OAuth state to prevent a CRSF attack.
Would you like to review these codes? They are mainly in dolphinscheduler-api. THX :)

[caishunfeng]

@caishunfeng I have solved the conflicts and updated the code. Furthermore, Casdoor is developing rapidly. There are a lot of new features since the last commit. So I add some codes to use a random OAuth state to prevent a CRSF attack. Would you like to review these codes? They are mainly in dolphinscheduler-api. THX :)

Sure, I will review it.

[EricGao888]

@Abingcbc License check failed, could u plz fix it?

[EricGao888]

Please avoid wildcard imports, CI blocks this line.

[EricGao888]

@caishunfeng I have solved the conflicts and updated the code. Furthermore, Casdoor is developing rapidly. There are a lot of new features since the last commit. So I add some codes to use a random OAuth state to prevent a CRSF attack. Would you like to review these codes? They are mainly in dolphinscheduler-api. THX :)

@Abingcbc Thanks for submitting this PR. This is an important feature, as we are also working on supporting other OAuth2 providers such as Google and GitHub #12549. I will help review this PR too.

[EricGao888]

Hi @William-GuoWei @dailidong @break60 , I am Yang Luo from Casdoor team. Casdoor is a powerful open-source single-sign-on (SSO) platform. It has the following features:

1. Support OIDC, OAuth 2.0, SAML, LDAP
2. With Casbin based authorization management, Casdoor supports ACL, RBAC, ABAC, RESTful accessing control models
3. Front-end and back-end separate architecture, Casdoor supports high concurrency, provides web-based managing UI and have mature solution for springboot project https://casdoor.org/docs/integration/spring-boot
4. Casdoor supports Github, Google, QQ, WeChat third-party applications login, and support the extension of third-party login with plugins.
5. Phone verification code, email verification code and forget password features.
6. Accessing logs auditing and recording.
7. Casdoor supports integration with existing systems using db sync method, users can transition to Casdoor smoothly.
8. Casdoor supports mainstream databases: MySQL, PostgreSQL, SQL Server etc, and support the extension of new database with plugins.

There have been a lot of user requests about the SSO scenario. This integration proposal will greatly enhance the SSO feature of DolphinScheduler with better authentication and security protection. What do you think?

@hsluoyz Thanks for providing the detailed information and letting us know this fantastic tool. We will keep following up with the review and make sure it could get merged ASAP : )

[hsluoyz]

@caishunfeng plz approve

[EricGao888]

@caishunfeng plz approve

@hsluoyz Done, have approved and restarted the CI : )

[kezhenxu94]

You can modify this in local tests, but have to revert to PASSWORD when the PR is finalized before merging

[Abingcbc]

Yes, I will modify it back. THX!
The current version is just a draft for @EricGao888 to review.

[Abingcbc]

When I was trying to replace the configuration with Spring Security, it seems that the frontend block the second redirect because of CORS. May anyone have ideas about how to fix it? TAT

[hsluoyz]

@caishunfeng @EricGao888 any comments?

[Abingcbc]

@caishunfeng @EricGao888 @kezhenxu94 The migration to Spring Security brings significant changes to the existing login process. Besides SSO and OAuth (there are still problems with front-end redirects), the unified configuration and implementation of PASSWORD and LDAP also need to be considered.
Perhaps it's better to complete this migration work in a new PR. Therefore, I have reverted this PR and continued to use the existing configuration and method to implement the SSO function.
May you approve the CI? THX

[EricGao888]

@caishunfeng @EricGao888 @kezhenxu94 The migration to Spring Security brings significant changes to the existing login process. Besides SSO and OAuth (there are still problems with front-end redirects), the unified configuration and implementation of PASSWORD and LDAP also need to be considered. Perhaps it's better to complete this migration work in a new PR. Therefore, I have reverted this PR and continued to use the existing configuration and method to implement the SSO function. May you approve the CI? THX

CI approved.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
3 Code Smells

68.6% Coverage
0.0% Duplication

[caishunfeng]

I rerun the CI.

[jobmission]

Great , need this feature!

[EricGao888]

@Abingcbc LGTM, however, u still need to resolve the conflicts and add related docs in both Chinese and English.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
3 Code Smells

68.6% Coverage
0.0% Duplication

[Abingcbc]

@caishunfeng PTAL thx :)

[zhongjiajie]

I find this PR update many pnpm lock version, @devosend can you check whether it have to change or not?

[devosend]

Lock files can be changed.

[devosend]

LGTM for frontend

fix