Intergrate Authorisation into embedded ui

[richard-cox]

Summary

Fixes: #358

Occurred changes and/or fixed issues

• Previously the username & password were hardcoded for demo purposes
• Now the user is shown a login modal when going to a cluster
• The user can choose to log in via the local user (username / password) or auth provider (aka dex)
• Requests made from within that cluster now use the credentials / tokens from that login process
• If the user wants to log out they can choose to via the epinio cluster list and the cluster's actions
  • There should be an option to log out from within the epinio context (RC to create issue)
• If the user has logged in via local user, they will need to do so after every refresh / visit
  • We have an idea on how to resolve this, which would also resolve CORS issues
  • See [ui] Investigate, if applicable, persist local user credentials in embedded ui #360
• If the user has logged in via dex, they will NOT need to log in again until they either log out or their token expires
  • There is a way to refresh the token silently in the background (RC to create issue)
• Discussion Point - The login modal doesn't really look / behave too great. Split out to [ui] Improve embedded ui log in UX #359

Technical notes summary

For this to work we also need to update the Dex config (see dependent PR epinio/helm-charts#504)

web: <-- this needs adding
  allowedOrigins: ['*'] <--- needs to be the rancher url

staticClients
- id: epinio-apo
  trustedPeers: 
    - rancher-dashboard <-- needs adding

- id: rancher-dashboard <-- this whole section needs adding
  name: 'Rancher Dashboard'
  public: true
  redirectURIs:
  - "https://<rancher url>/epinio/auth/verify/" <--- needs to be the rancher url

Depends on

• Allow extentions to redirect the user to another location if authentication fails rancher/dashboard#9941
• Optionally supplement Dex configuration with information required for embedded ui auth helm-charts#504
• API for enhanced epinio information pre-log in epinio#2515

Areas or cases that should be tested

• Refresh on an epinio cluster when logged in via local user. User should be redirect to epinio cluster list
• Refresh on an epinio cluster when logged in via a dex user. User should see the same page
• Functionality when there are two clusters that contain epinio. In theory user should be able to switch between them both fine

[torchiaf]

I've done some tests as first round of the review.

The login for local users works fine but there is something wrong with RedirectToError class from shell which is causing a crash during the logout.
Minor issue:
The link in the 'URL' column to get the Epinio UI certificate in the instances table is broken.

it redirects to https://localhost:8005/api/v1/info

[torchiaf]

RedirectToError is not exported by @shell/utils/error. Do we need to update the shell dependency maybe ?

This is causing an error during logout:

Loading error Error: _shell_utils_error__WEBPACK_IMPORTED_MODULE_30__.RedirectToError is not a constructor
    at Store.setError (index.js:654:1)
    at wrappedMutationHandler (vuex.esm.js:844:1)
    at commitIterator (vuex.esm.js:466:1)
    at Array.forEach (<anonymous>)
    at vuex.esm.js:465:1
    at Store._withCommit (vuex.esm.js:624:1)
    at Store.commit (vuex.esm.js:464:1)
    at Store.boundCommit [as commit] (vuex.esm.js:409:1)
    at _callee$ (authenticated.js:509:1)
    at tryCatch (regeneratorRuntime.js:44:1)

[richard-cox]

That was rancher/dashboard#9941, which was blocked on branching. If you yarn link to master the error should resolve itself.

Now that we've forked it has merged, so we can do another shell release

[richard-cox]

i've now published a new shell and referenced that from the extension

[richard-cox]

Thanks @torchiaf . I'll do the bump to shell and fix the url

[torchiaf]

Tested the Dex login as well + a couple of comments.

[torchiaf]

Is there a specific reason to define cluster as computed value ?

[richard-cox]

Just for readability. This makes it clearer that it's a cluster, instead of an odd first entry in an array

[torchiaf]

error_description should be removed:

const {
    error, errorDescription, errorCode, errorMsg
  } = route.query;

[richard-cox]

I've removed errorCode and errorMsg, as these weren't used by dex or the dep to deal with oidc. error_description is a valid param though

[richard-cox]

@torchiaf all comments should be addressed now. i've published a new verison of shell and references that as well. So no need now to yarn link @rancher/shell. I added a workaround for a dep missing from there, which can be removed in the future.

[torchiaf]

@torchiaf all comments should be addressed now. i've published a new verison of shell and references that as well. So no need now to yarn link @rancher/shell. I added a workaround for a dep missing from there, which can be removed in the future.

Working on the review, thanks!

[torchiaf]

LGTM