Use Apricot for authentication/identity #1772

jemrobinson · 2024-04-08T10:04:29Z

✅ Checklist

You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).
You have marked this pull request as a draft and added '[WIP]' to the title if needed (if you're not yet ready to merge).
You have formatted your code using appropriate automated tools (for example ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory> for Powershell).

⤴️ Summary

Add an Apricot server to the SRE
Update SRE components to use Apricot for authentication/identity

🌂 Related issues

Depends on #1778
Second part of #1570
Closes #1645

🔬 Tests

Tested on a fresh SRE deployment

…rver

…tity server

…r than ActiveDirectory

…d specification of user/group lookup attributes and LDAP ports.

…QL format

…cot server

…e outputs

JimMadge

This looks good. Makes a lot more sense to me than DCs.

I've put a few formatting suggestions and questions. We might want to open issues for future improvements but I don't see much reason to hold this up.

data_safe_haven/external/api/graph_api.py

data_safe_haven/infrastructure/common/enums.py

data_safe_haven/infrastructure/stacks/declarative_sre.py

data_safe_haven/infrastructure/stacks/shm/domain_controllers.py

data_safe_haven/infrastructure/stacks/shm/firewall.py

data_safe_haven/infrastructure/stacks/sre/networking.py

data_safe_haven/infrastructure/stacks/sre/remote_desktop.py

JimMadge · 2024-04-17T09:43:22Z

I've removed the ldap-filter dependency as I'm not sure the Pythonic object structure is much clearer and the library seems to be inactive.

jemrobinson added 14 commits February 13, 2024 10:39

✨ Initial skeleton of SRE identity component

de17e60

✨ Add identity subnet and container group

d4b4b6f

✨ Add an AzureADApplication to the identity component

6d3a6d1

✨ Add a firewall rule for SRE identity servers

f69cb84

🔧 Add network rules to allow workspaces to connect to SRE identity se…

a2a790f

…rver

♻️ Simplify 'security_group_name' to 'group_name'

0d4421e

🔧 Add network rules to allow Guacamole desktop to connect to SRE iden…

5525095

…tity server

🚚 Move ordering of SRE component construction

4c189b2

⬆️ Update to apricot 0.0.5 which allows user/group ID caching

d217036

✨ Set LDAP lookup variables and filters appropriate for Apricot rathe…

29ca579

…r than ActiveDirectory

⬆️ Update to guacamole-user-sync 0.4.0 which allows anonymous bind an…

247edf5

…d specification of user/group lookup attributes and LDAP ports.

⬆️ Update workspace image to use SRE identity server instead of SHM

06fd05d

⚰️ Drop Domain SID extraction as this is not needed with Apricot

c80a4cf

♻️ Update Gitea server to use Apricot for identity

052a397

jemrobinson changed the base branch from develop to python-migration April 8, 2024 10:04

jemrobinson added 2 commits April 8, 2024 12:46

👽 Update connection details for Gitea database for new Azure PostgreS…

bea4172

…QL format

🔧 Allow network connections between user services containers and Apri…

6a1e9e9

…cot server

jemrobinson deleted the branch alan-turing-institute:develop April 8, 2024 13:20

jemrobinson closed this Apr 8, 2024

jemrobinson reopened this Apr 8, 2024

jemrobinson changed the base branch from python-migration to develop April 8, 2024 13:24

♻️ Update HedgeDoc server to use Apricot for identity

416f748

jemrobinson force-pushed the 1570-replace-domain-controller-with-apricot branch from edc55d5 to dbe1aa2 Compare April 8, 2024 13:51

jemrobinson added 7 commits April 8, 2024 15:21

🔧 Remove unused references to LDAP bind user/password in the SRE

aea776c

⚰️ Drop references to SHM identity subnet

85eede2

⚰️ Create AzureAD groups in AzureAD rather than on the SHM DC

1f0548e

♻️ Switch to AzureAD as default place to add/remove/alter user lists

6b4a8b3

⚰️ Drop code for interacting with AzureAD on the DC

0fe059b

⚰️ Drop password-domain-ldap-searcher from SHM

44770d0

⚰️ Remove remaining SRE dependencies on SHM domain controller resourc…

c84ccf2

…e outputs

jemrobinson force-pushed the 1570-replace-domain-controller-with-apricot branch from e44cde8 to 9fd8f69 Compare April 10, 2024 12:54

jemrobinson mentioned this pull request Apr 10, 2024

Pulumi: replace domain controller with AzureAD proxy #1570

Closed

8 tasks

jemrobinson changed the title ~~[WIP] Replace domain controller with Apricot~~ [WIP] Use Apricot for authentication/identity Apr 10, 2024

jemrobinson force-pushed the 1570-replace-domain-controller-with-apricot branch 2 times, most recently from 974825c to 974378c Compare April 10, 2024 14:03

jemrobinson mentioned this pull request Apr 11, 2024

Add AzureAD/EntraID functionality #1778

Merged

5 tasks

jemrobinson added 2 commits April 11, 2024 11:49

⚰️ Drop unused identity support subnet

a6b53e9

🐛 Construct SRE ldap_root_dn from SHM FQDN

5bf4bf2

jemrobinson force-pushed the 1570-replace-domain-controller-with-apricot branch from 974378c to 8706366 Compare April 15, 2024 10:10

jemrobinson changed the title ~~[WIP] Use Apricot for authentication/identity~~ Use Apricot for authentication/identity Apr 15, 2024

jemrobinson requested a review from a team April 15, 2024 10:11

jemrobinson marked this pull request as ready for review April 15, 2024 10:11

jemrobinson requested a review from a team as a code owner April 15, 2024 10:11

jemrobinson force-pushed the 1570-replace-domain-controller-with-apricot branch 2 times, most recently from ca29007 to 5bf4bf2 Compare April 15, 2024 12:57

jemrobinson mentioned this pull request Apr 15, 2024

Remove SHM DC #1805

Merged

4 tasks

Ensure NSG rule priorities are unique

050039c

JimMadge requested changes Apr 16, 2024

View reviewed changes

jemrobinson added 4 commits April 16, 2024 16:40

♻️ Simplify alphanumeric function and use in GraphAPI

6c204e9

✨ Use ldap-filter to construct more readable LDAP filters

ef7eda2

✨ Add firewall priority enum

ca5ba6c

⚰️ Remove unused port 389 for SRE identity servers

8646b65

jemrobinson requested a review from JimMadge April 16, 2024 16:38

This was referenced Apr 17, 2024

Remove the need to sync LDAP users with Guac database #1817

Open

Consider changing vnet specification #1818

Open

Revert some changes of ef7eda2

54d8591

JimMadge approved these changes Apr 17, 2024

View reviewed changes

JimMadge merged commit eb1a73b into alan-turing-institute:develop Apr 17, 2024
10 checks passed

jemrobinson deleted the 1570-replace-domain-controller-with-apricot branch April 19, 2024 11:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use Apricot for authentication/identity #1772

Use Apricot for authentication/identity #1772

jemrobinson commented Apr 8, 2024 •

edited

Loading

JimMadge left a comment

JimMadge commented Apr 17, 2024

Use Apricot for authentication/identity #1772

Use Apricot for authentication/identity #1772

Conversation

jemrobinson commented Apr 8, 2024 • edited Loading

✅ Checklist

⤴️ Summary

🌂 Related issues

🔬 Tests

JimMadge left a comment

Choose a reason for hiding this comment

JimMadge commented Apr 17, 2024

jemrobinson commented Apr 8, 2024 •

edited

Loading