cr-connect-workflow/crc/models/user.py

import datetime

import jwt
from marshmallow import fields
from marshmallow_sqlalchemy import SQLAlchemyAutoSchema

from crc import db, app
from crc.api.common import ApiError


class UserModel(db.Model):
    __tablename__ = 'user'
    id = db.Column(db.Integer, primary_key=True)
    uid = db.Column(db.String, unique=True)
    email_address = db.Column(db.String)
    display_name = db.Column(db.String)
    affiliation = db.Column(db.String, nullable=True)
    eppn = db.Column(db.String, nullable=True)
    first_name = db.Column(db.String, nullable=True)
    last_name = db.Column(db.String, nullable=True)
    title = db.Column(db.String, nullable=True)

    # TODO: Add Department and School

    def is_admin(self):
        # Currently admin abilities are set in the configuration, but this
        # may change in the future.
        return self.uid in app.config['ADMIN_UIDS']

    def encode_auth_token(self):
        """
        Generates the Auth Token
        :return: string
        """
        hours = float(app.config['TOKEN_AUTH_TTL_HOURS'])
        payload = {
            'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=hours, minutes=0, seconds=0),
            'iat': datetime.datetime.utcnow(),
            'sub': self.uid
        }
        return jwt.encode(
            payload,
            app.config.get('SECRET_KEY'),
            algorithm='HS256',
        )

    @staticmethod
    def decode_auth_token(auth_token):
        """
        Decodes the auth token
        :param auth_token:
        :return: integer|string
        """
        try:
            payload = jwt.decode(auth_token, app.config.get('SECRET_KEY'), algorithms='HS256')
            return payload
        except jwt.ExpiredSignatureError:
            raise ApiError('token_expired', 'The Authentication token you provided expired and must be renewed.')
        except jwt.InvalidTokenError:
            raise ApiError('token_invalid', 'The Authentication token you provided is invalid. You need a new token. ')


class UserModelSchema(SQLAlchemyAutoSchema):
    class Meta:
        model = UserModel
        load_instance = True
        include_relationships = True
    is_admin = fields.Method('get_is_admin', dump_only=True)

    def get_is_admin(self, obj):
        return obj.is_admin()


class AdminSessionModel(db.Model):
    __tablename__ = 'admin_session'
    id = db.Column(db.Integer, primary_key=True)
    token = db.Column(db.String, unique=True)
    admin_impersonate_uid = db.Column(db.String)
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`import datetime`

			`import jwt`
Adds is_admin boolean flag to user schema 2020-07-30 02:45:56 +00:00			`from marshmallow import fields`
Resolves marshmallow_sqlalchemy.ModelSchema deprecation warning 2020-03-16 17:37:31 +00:00			`from marshmallow_sqlalchemy import SQLAlchemyAutoSchema`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00
			`from crc import db, app`
			`from crc.api.common import ApiError`


			`class UserModel(db.Model):`
			`__tablename__ = 'user'`
			`id = db.Column(db.Integer, primary_key=True)`
			`uid = db.Column(db.String, unique=True)`
			`email_address = db.Column(db.String)`
			`display_name = db.Column(db.String)`
Adds SSO header attributes 2020-02-20 20:35:07 +00:00			`affiliation = db.Column(db.String, nullable=True)`
			`eppn = db.Column(db.String, nullable=True)`
			`first_name = db.Column(db.String, nullable=True)`
			`last_name = db.Column(db.String, nullable=True)`
			`title = db.Column(db.String, nullable=True)`
Adds is_admin boolean flag to user schema 2020-07-30 02:45:56 +00:00
Prevents non-admin users from editing each others' tasks. Fixes bug where test user uid was not being set from token. Moves complete form and get workflow API test utility methods into BaseTest. 2020-06-12 17:46:10 +00:00			`# TODO: Add Department and School`
Rough idea of what the Approvals model will look like. 2020-05-22 15:56:43 +00:00
Building out a user service for getting the current user, it will provide a number of functions, one of which will allow administrative users to impersonate other users in some circumstances (but will assure that we log events correctly when an impersonation occures) 2020-07-27 18:38:57 +00:00			`def is_admin(self):`
			`# Currently admin abilities are set in the configuration, but this`
			`# may change in the future.`
			`return self.uid in app.config['ADMIN_UIDS']`
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless. 2020-03-24 18:15:21 +00:00
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`def encode_auth_token(self):`
			`"""`
			`Generates the Auth Token`
			`:return: string`
			`"""`
Fixes broken unit tests. But still broken. 2020-06-11 15:29:58 +00:00			`hours = float(app.config['TOKEN_AUTH_TTL_HOURS'])`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`payload = {`
			`'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=hours, minutes=0, seconds=0),`
			`'iat': datetime.datetime.utcnow(),`
			`'sub': self.uid`
			`}`
			`return jwt.encode(`
			`payload,`
Renames TOKEN_AUTH_SECRET_KEY to SECRET_KEY 2020-07-10 15:26:15 +00:00			`app.config.get('SECRET_KEY'),`
Fixes broken unit tests. But still broken. 2020-06-11 15:29:58 +00:00			`algorithm='HS256',`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`)`

			`@staticmethod`
			`def decode_auth_token(auth_token):`
			`"""`
			`Decodes the auth token`
			`:param auth_token:`
			`:return: integer\|string`
			`"""`
			`try:`
Renames TOKEN_AUTH_SECRET_KEY to SECRET_KEY 2020-07-10 15:26:15 +00:00			`payload = jwt.decode(auth_token, app.config.get('SECRET_KEY'), algorithms='HS256')`
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless. 2020-03-24 18:15:21 +00:00			`return payload`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`except jwt.ExpiredSignatureError:`
Fixes broken unit tests. But still broken. 2020-06-11 15:29:58 +00:00			`raise ApiError('token_expired', 'The Authentication token you provided expired and must be renewed.')`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`except jwt.InvalidTokenError:`
Fixes broken unit tests. But still broken. 2020-06-11 15:29:58 +00:00			`raise ApiError('token_invalid', 'The Authentication token you provided is invalid. You need a new token. ')`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00

Resolves marshmallow_sqlalchemy.ModelSchema deprecation warning 2020-03-16 17:37:31 +00:00			`class UserModelSchema(SQLAlchemyAutoSchema):`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00			`class Meta:`
			`model = UserModel`
Resolves marshmallow_sqlalchemy.ModelSchema deprecation warning 2020-03-16 17:37:31 +00:00			`load_instance = True`
			`include_relationships = True`
Uses Flask session to store impersonation state. 2020-07-30 14:17:02 +00:00			`is_admin = fields.Method('get_is_admin', dump_only=True)`
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly. 2020-02-18 21:38:56 +00:00
Uses Flask session to store impersonation state. 2020-07-30 14:17:02 +00:00			`def get_is_admin(self, obj):`
			`return obj.is_admin()`
Adds AdminSession model and refactors impersonation methods to use it. 2020-07-30 16:40:53 +00:00

			`class AdminSessionModel(db.Model):`
			`__tablename__ = 'admin_session'`
			`id = db.Column(db.Integer, primary_key=True)`
			`token = db.Column(db.String, unique=True)`
			`admin_impersonate_uid = db.Column(db.String)`