Updating authenticators from latest in Tiled

[davidpcls]

Description

These changes bring in the authenticators from Tiled into HTTP Bluesky. This allows us to use the same authentication setup as from Tiled deployments (at least at the current moment). The main other change is to remove the "mode" flag and instead use the class type to determine if it is an internal or external authenticator.

Part of this work is also the updating of the bluesky-queueserver-api, for which I have created a PR. Both are required in order for the OIDC workflows to work.

Motivation and Context

This solves the problem of having different authentication schemes to maintain between Tiled and HTTP server, which came from the same code around 3 years ago. Tiled has been updated but HTTP server was not. This addresses that.

Summary of Changes for Release Notes

Updated authenticators based off Tiled main.
Made minimal changes to app.py and authentication.py to support the changes. Some new endpoints needed to be created to do this, but fairly minimal. The majority of the work was getting the unit test runners stable.
Added local parallel unit test runners to aid development
Updated the github runners to be more stable and reliable.

Fixed

Added

• Authenticators.py from Tiled (fd2a646e4ec73e08fb206f18deaa51c166ccd37a)
• new endpoints for authorization workflows in app.py
• Pending sessions in the database
• Documentation and examples on using OIDC based off Tiled

Changed

• Unit tests to support above changes
• Unit test structure to be a little more stable
• The LDAP container as the previous one was no longer supported

Removed

How Has This Been Tested?

Testing was done against MS Entra. I tested that these workflows work for both internal (localhost) and external servers. Using this the login workflow changes to just simply being:

from bluesky_queueserver_api.http import REManagerAPI
from bluesky_queueserver_api import BPlan
RM = REManagerAPI(http_server_uri="http://localhost:60610", http_auth_provider="entra/authorize")
RM.login()

At which point the user will be logged in and can immediately issue the RM.status(). If the user does not already have an authenticated session in their browser they will need to login and they will be prompted to do so.

While this was tested with MS Entra, the design is based on Tiled's OIDC and testing used the OIDC flow with MS Entra, so it should theoretically work with both.

[danielballan]

Wow, thanks @davidpcls!

[dmgav]

Thank you. I am going to try to fix the unit tests first, I may push a few commits.

[prjemian]

If either of you intend to commit more work to this PR, put it in Draft mode. Change the mode back when you are ready for final review.

[davidpcls]

@prjemian , thanks I've converted it.

@dmgav sure that sounds good.

[dmgav]

I fixed the unit tests. I also rebased the branch to main, so I had to force push the changes.

[davidpcls]

Thanks for working on that @dmgav! I just got things setup so I can test with this against MS Entra, so I'll go about verifying there are no other changes required for this to work properly. Took a little longer than expected to get the Entra stuff worked out.

[davidpcls]

I've added in these changes, I'm going to work on cleaning up failing unit tests now and then I will update the pull request description to match your style and provide information on testing. After that I will remove the WIP status.

[davidpcls]

Please also see the related PR for the API: bluesky/bluesky-queueserver-api#62

[davidpcls]

Sorry, got excited about the unit tests passing. I need to do one last integration test first, which is why I converted it back into a WIP

[davidpcls]

@dmgav , I've now tested this on remote machines and with httpserver running locally and both work. Let me know if you want an example. I'm not adding a whole lot here for evidence just because I'm not entirely sure what could be leaking security-sensitive information out.