From 8e26fe628753f5ab6620603fa5457a49daa0e52f Mon Sep 17 00:00:00 2001
From: Cristine Guadelupe <cristineguadelupe@me.com>
Date: Fri, 4 Aug 2023 00:25:05 +0700
Subject: [PATCH] Adds ZTA support for offline deployment (#2136)

---
 .../live/hub/edit/team_component.ex           | 112 ++++++++++++++++--
 1 file changed, 100 insertions(+), 12 deletions(-)

diff --git a/lib/livebook_web/live/hub/edit/team_component.ex b/lib/livebook_web/live/hub/edit/team_component.ex
index 653b23d6b..fa73ccb6f 100644
--- a/lib/livebook_web/live/hub/edit/team_component.ex
+++ b/lib/livebook_web/live/hub/edit/team_component.ex
@@ -13,6 +13,7 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
     show_key? = assigns.params["show-key"] == "true"
     secrets = Livebook.Hubs.get_secrets(assigns.hub)
     secret_name = assigns.params["secret_name"]
+    zta = %{"provider" => "", "key" => ""}
 
     secret_value =
       if assigns.live_action == :edit_secret do
@@ -27,7 +28,8 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
        show_key: show_key?,
        secret_name: secret_name,
        secret_value: secret_value,
-       hub_metadata: Provider.to_metadata(assigns.hub)
+       hub_metadata: Provider.to_metadata(assigns.hub),
+       zta: zta
      )
      |> assign_dockerfile()
      |> assign_form(changeset)}
@@ -136,6 +138,62 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
               />
             </div>
 
+            <div class="flex flex-col space-y-4">
+              <h2 class="text-xl text-gray-800 font-medium pb-2 border-b border-gray-200">
+                Zero Trust Authentication
+              </h2>
+
+              <p class="text-gray-700">
+                Enables Zero Trust Authentication to be used as the identity provider.
+              </p>
+
+              <.form :let={f} for={@zta} phx-change="change_zta" phx-target={@myself}>
+                <div class="grid grid-cols-1 md:grid-cols-2 gap-3">
+                  <.select_field
+                    name="provider"
+                    label="Provider"
+                    value={@zta["provider"]}
+                    options={[
+                      {"None", ""},
+                      {"Cloudflare", "cloudflare"},
+                      {"GoogleIAP", "google_iap"}
+                    ]}
+                  />
+                  <span class={[@zta["provider"] == "" && "hidden"]}>
+                    <.text_field
+                      field={f[:key]}
+                      label={"#{if @zta["provider"] == "cloudflare", do: "Team name (domain)", else: "Audience (aud)"}"}
+                      phx-debounce
+                    />
+                  </span>
+                </div>
+                <%= if @zta["provider"] == "cloudflare" do %>
+                  <span>
+                    See the
+                    <a
+                      class="text-blue-800 hover:text-blue-600"
+                      href="https://developers.cloudflare.com/cloudflare-one/"
+                    >
+                      CloudFlare docs
+                    </a>
+                    for more information about Cloudflare Zero Trust.
+                  </span>
+                <% end %>
+                <%= if @zta["provider"] == "google_iap" do %>
+                  <span>
+                    See the
+                    <a
+                      class="text-blue-800 hover:text-blue-600"
+                      href="https://cloud.google.com/iap/docs/concepts-overview"
+                    >
+                      Google docs
+                    </a>
+                    for more information about Google Identity-Aware Proxy (IAP).
+                  </span>
+                <% end %>
+              </.form>
+            </div>
+
             <div class="flex flex-col space-y-4">
               <h2 class="text-xl text-gray-800 font-medium pb-2 border-b border-gray-200">
                 Airgapped Deployment
@@ -387,6 +445,16 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
      )}
   end
 
+  def handle_event("change_zta", %{"provider" => ""}, socket) do
+    zta = %{"provider" => "", "key" => ""}
+    {:noreply, assign(socket, zta: zta) |> assign_dockerfile()}
+  end
+
+  def handle_event("change_zta", %{"provider" => provider, "key" => key}, socket) do
+    zta = %{"provider" => provider, "key" => key}
+    {:noreply, assign(socket, zta: zta) |> assign_dockerfile()}
+  end
+
   defp assign_form(socket, %Ecto.Changeset{} = changeset) do
     assign(socket, form: to_form(changeset))
   end
@@ -395,19 +463,29 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
     version = to_string(Application.spec(:livebook, :vsn))
     version = if version =~ "dev", do: "edge", else: version
 
-    assign(socket, :dockerfile, """
-    FROM ghcr.io/livebook-dev/livebook:#{version}
+    base =
+      """
+      FROM ghcr.io/livebook-dev/livebook:#{version}
 
-    ENV LIVEBOOK_APPS_PATH_HUB_ID "#{socket.assigns.hub.id}"
-    ENV LIVEBOOK_TEAMS_NAME "#{socket.assigns.hub.hub_name}"
-    ENV LIVEBOOK_TEAMS_OFFLINE_KEY "#{socket.assigns.hub.org_public_key}"
-    ENV LIVEBOOK_TEAMS_SECRETS "#{encrypt_secrets_to_dockerfile(socket)}"
+      ENV LIVEBOOK_APPS_PATH_HUB_ID "#{socket.assigns.hub.id}"
+      ENV LIVEBOOK_TEAMS_NAME "#{socket.assigns.hub.hub_name}"
+      ENV LIVEBOOK_TEAMS_OFFLINE_KEY "#{socket.assigns.hub.org_public_key}"
+      ENV LIVEBOOK_TEAMS_SECRETS "#{encrypt_secrets_to_dockerfile(socket)}"
 
-    COPY /path/to/my/notebooks /apps
-    ENV LIVEBOOK_APPS_PATH "/apps"
-    ENV LIVEBOOK_APPS_PATH_WARMUP "manual"
-    RUN /app/bin/warmup_apps.sh\
-    """)
+      """
+
+    apps =
+      """
+      COPY /path/to/my/notebooks /apps
+      ENV LIVEBOOK_APPS_PATH "/apps"
+      ENV LIVEBOOK_APPS_PATH_WARMUP "manual"
+      RUN /app/bin/warmup_apps.sh\
+      """
+
+    zta = zta_env(socket.assigns.zta)
+    dockerfile = if zta, do: base <> zta <> apps, else: base <> apps
+
+    assign(socket, :dockerfile, dockerfile)
   end
 
   defp encrypt_secrets_to_dockerfile(socket) do
@@ -422,4 +500,14 @@ defmodule LivebookWeb.Hub.Edit.TeamComponent do
 
     Livebook.Teams.encrypt(stringified_secrets, secret_key, sign_secret)
   end
+
+  defp zta_env(%{"provider" => ""}), do: nil
+  defp zta_env(%{"key" => ""}), do: nil
+
+  defp zta_env(%{"provider" => provider, "key" => key}) do
+    """
+    ENV LIVEBOOK_IDENTITY_PROVIDER "#{provider}:#{key}"
+
+    """
+  end
 end