AuthX - Extended authentication support (portable and router-friendly)

[totten]

Overview

This pull request introduces an extension, authx, which broadly improves support for HTTP authentication on any CiviCRM route. For example:

## Enable passwords and API keys for use in the `Authorization:` header
cv en authx
cv ev 'Civi::settings()->set("authx_header_cred",["pass","api_key","jwt"]);'

## Send API request with password authentication
curl 'http://demouser:demopass@dmaster.bknix:8001/civicrm/ajax/rest?entity=System&action=get'

## Send API request with api_key authentication
curl -H 'Authorization: Bearer MYKEY' 'http://dmaster.bknix:8001/civicrm/ajax/rest?entity=System&action=get'

Some key features:

• CMSs: Integrates with authentication and session APIs in Backdrop, Drupal 7, Drupal 8/9, Joomla, and WordPress
• Credentials: Accepts several types of credentials:
  • Username/Password (Basic {user:pass})
  • Contact api_key (Bearer {token})
  • JSON Web Token (Bearer {token})
• Sessions: Sessions are optional, depending on how you make the request.
  • Ex: Session-based auth may be appropriate for a long-running agent or for facilitating a browser-based flow
  • Ex: Stateless (non-session) auth may be appropriate for REST integrations or web-hooks
• Flows: Credentials may be submitted in different ways:
  • (Stateless) Parameter (?_authx=<CRED>)
  • (Stateless) Common Header (Authorization:<CRED>)
  • (Stateless) Alternate Header (X-Civi-Auth:<CRED>)
  • (Session) Explicit Login (/civicrm/authx/login, /civicrm/authx/logout)
  • (Session) Auto-Session (?_authx=<CRED>&authxSes=1)
• Configurable: Depending on the deployment (use-cases, security posture, etc), one may enable or disable any credential-type and/or flow-type.
• Testing: Civi\Authx\AllFlowsTest is an E2E test which covers every permutation of credentials+flows on every CMS.

The extension should help with several problems:

• To support self-service links, Afform needs support for hyperlinking with a signed token. (civicrm/my-form?_authx=MY_JWT)
• APIv4 is available for AJAX -- but is not currently available for REST (server-to-server). If you enable authx, then the existing AJAX route (civicrm/ajax/api4/ENTITY/ACTION) should be usable for REST purposes.
• APIv3 REST does not have a supported end-point URL on Drupal 8. If you enable authx, then the existing AJAX route (civicrm/ajax/rest) should be usable for REST purposes. (dev/core#2077)

Before

A handful of end-points (extern/rest.php, extern/cron.php) are able to accept requests based on an api_key. However, the code which implements this is extremely convoluted. Consequently, it is difficult to fix or improve.

After

Any CiviCRM route can accept an authentication token.

Comments

Why do this as a core extension?

• On one hand, this should be a shared basis for other core features (e.g. REST and Afform hyperlinks).
• On the other hand, it is sensitive functionality, and it will probably require a few policy options (vis-a-vis which authentication modes are allowed / when / for which users). It may take a few cycles to shake-out expectations on the policy side. Making it optional for interim seems prudent.

Technical Details

There's more information about the intended list of features in ext/authx/README.md.

These bits would be good additions, but I think it's mergable without them:

• Admin UI: Configuration matrix
• Strict interoperability for APIv3 REST: Allow existing integrations to change end-point URL from extern/rest.php to civicrm/ajax/rest without changing logic.
  • If the route is civicrm/ajax/rest, then accept ?api_key=XXX as an alias for ?_authx=Bearer+XXX.
  • site_key enforcement: Some admins may currently rely on site_key to distinguish between users who are or are not allowed to use REST-y dataflows. For JWT, the extra grant is implicit. However, for api_key and password based auth it may be appropriate to have an option for site_key enforcement.

I've been able to successfully run AllFlowsTest locally on every CMS. However, there were a few quirks/caveats. I don't think they're blockers for this PR.

• Drupal 8:
  • drush cc router: When you first enable the extension, D8's routing table remains stale. Clear it.
• WordPress:
  • sendsExcessCookies: It sometimes sends a Set-Cookie: in responses which don't merit a cookie.
  • Authorization:: To support common Authorization: headers, one must add a line to.htaccess. But if you're happy with the other flows, then don't worry about it. Other flows work out-of-the-box.

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    

  • Related bugs: WordPress - If we hit a "permission denied" error, return HTTP 403 #19608
• Joomla: It's a known-issue that Civi-Joomla support is not as good. It needed several incidental bug fixes, and it's harder to run, but it eventually passed.
  • sendsExcessCookies: It sometimes sends a Set-Cookie: in responses which don't merit a cookie.
  • authErrorShowsForm: In some error cases, it does not report the error well
  • Related bugs: Joomla - Implement getUfId(). Fix @user:<name>. #19615, Joomla - Allow E2E unit-test. Use Joomla Session API (and fake it when neceesary) #19616, CiviCRM-Joomla should accept web-service calls civicrm-joomla#58
  • Dev Workflow: My personal flow was like this:
    • Setup a D7 site. Checkout civicrm-joomla.git in a subdir.
    • Apply all patches
    • Setup and run distmaker
    • Use civihydra create /path/to/civicrm-XYZ-joomla.zip
    • Login as admin. Install Civi. Enable extension. Grant permission for 'demo' user to view their contact dashboard.
    • Write a long bash command to rsync files (D7=>J). Use this frequently while editing code and running tests.

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[totten]

I've had some success using this for authenticated email links in Afform (#19660).

Removing the "(WIP)" flag.

There are some ideas in the description that haven't been done (e.g. a configuration UI and strict APIv3 REST interop). However, I don't think these are actually needed for the immediate goal of Afform/token support. They would matter more for achieving another goals (e.g. D8 REST), but I'm happy to kick that down to another issue/PR.

[totten]

Based on the last discussion, I've fully extracted the Joomla bugfixes as a set of parallel PRs so that they can be reviewed on a separate timeline. In no particular order, they are:

• CiviCRM-Joomla should accept web-service calls civicrm-joomla#58
• Joomla::synchronizeUsers - Fix notice due to old style reference #19677
• Joomla - Allow E2E unit-test. Use Joomla Session API (and fake it when neceesary) #19616
• Joomla - Implement getUfId(). Fix @user:<name>. #19615

Additionally, the GuzzleMiddleware bit is available as a separate PR #19678.

[seamuslee001]

@totten can you rebase this please given that the core PRs have been mostly been merged

[totten]

@seamuslee001 Sure. Rebased.

[seamuslee001]

@totten should we be hiding this extension from the GUI at this point or not?

[totten]

@seamuslee001 My vote would be to show it, but I don't feel super strongly in the first release with it.

[seamuslee001]

Yeh I guess the question I have is how supported is this but in any case I think its probably ok to show it

[seamuslee001]

I note that 95% of this PR is all the extension and the only changes to core code are very minimal and are only about a new hook / event and creating a fake session which is only called from within the extension so I think this is all very safe to be added merging