sartography
/
cr-connect-workflow
mirror of https://github.com/sartography/cr-connect-workflow.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cr-connect-workflow/crc/api/user.py

157 lines
4.9 KiB
Python
Raw Normal View History

adding a default url. And some debugging information to see if we hit he endpoint in the logs.
2020-05-14 19:07:05 +00:00
import json
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
import connexion
just a few more logging details.
2020-05-21 16:11:35 +00:00
from flask import redirect, g, request
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
from crc import app, db
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
from crc.api.common import ApiError
from crc.models.user import UserModel, UserModelSchema
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
from crc.services.ldap_service import LdapService, LdapUserInfo
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
"""
.. module:: crc.api.user
:synopsis: Single Sign On (SSO) user login and session handlers
"""
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
def verify_token(token):
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
failure_error = ApiError("invalid_token", "Unable to decode the token you provided. Please re-authenticate", status_code=403)
if (not 'PRODUCTION' in app.config or not app.config['PRODUCTION']) and token == app.config["SWAGGER_AUTH_KEY"]:
g.user = UserModel.query.first()
token = g.user.encode_auth_token()
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
try:
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
token_info = UserModel.decode_auth_token(token)
g.user = UserModel.query.filter_by(uid=token_info['sub']).first()
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
except:
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
raise failure_error
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
if g.user is not None:
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
return token_info
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
else:
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
raise failure_error
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
def get_current_user():
return UserModelSchema().dump(g.user)
Apparently, APPLICATION_ROOT does something.
2020-05-24 04:05:13 +00:00
@app.route('/v1.0/login')
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
def sso_login():
# This what I see coming back:
# X-Remote-Cn: Daniel Harold Funk (dhf8r)
# X-Remote-Sn: Funk
# X-Remote-Givenname: Daniel
# X-Remote-Uid: dhf8r
# Eppn: dhf8r@virginia.edu
# Cn: Daniel Harold Funk (dhf8r)
# Sn: Funk
# Givenname: Daniel
# Uid: dhf8r
# X-Remote-User: dhf8r@virginia.edu
# X-Forwarded-For: 128.143.0.10
# X-Forwarded-Host: dev.crconnect.uvadcos.io
# X-Forwarded-Server: dev.crconnect.uvadcos.io
# Connection: Keep-Alive
uid = request.headers.get("Uid")
if not uid:
uid = request.headers.get("X-Remote-Uid")
if not uid:
raise ApiError("invalid_sso_credentials", "'Uid' nor 'X-Remote-Uid' were present in the headers: %s"
% str(request.headers))
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
just a few more logging details.
2020-05-21 16:11:35 +00:00
redirect = request.args.get('redirect')
app.logger.info("SSO_LOGIN: Full URL: " + request.url)
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
app.logger.info("SSO_LOGIN: User Id: " + uid)
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
app.logger.info("SSO_LOGIN: Will try to redirect to : " + str(redirect))
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
ldap_service = LdapService()
info = ldap_service.user_info(uid)
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
return _handle_login(info, redirect)
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
Apparently, APPLICATION_ROOT does something.
2020-05-24 04:05:13 +00:00
@app.route('/sso')
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
def sso():
response = ""
response += "<h1>Headers</h1>"
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
response += "<ul>"
for k,v in request.headers:
response += "<li><b>%s</b> %s</li>\n" % (k, v)
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
response += "<h1>Environment</h1>"
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
for k,v in request.environ:
response += "<li><b>%s</b> %s</li>\n" % (k, v)
Dropping flask_sso library in favor of reading from the headers directly. Updating login to read from ldap once it has the user_id. Adding more information to the sso endpoint.
2020-05-22 11:55:58 +00:00
return response
adding an /sso endpoint for testing.
2020-05-21 20:02:45 +00:00
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
def _handle_login(user_info: LdapUserInfo, redirect_url=app.config['FRONTEND_AUTH_CALLBACK']):
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
"""On successful login, adds user to database if the user is not already in the system,
then returns the frontend auth callback URL, with auth token appended.
Args:
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
user_info - an ldap user_info object.
redirect_url: Optional[str]
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
Returns:
Moves sso_backdoor parameters to query string. Prevents duplication of user on update.
2020-02-21 16:24:39 +00:00
Response. 302 - Redirects to the frontend auth callback URL, with auth token appended.
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
"""
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
user = db.session.query(UserModel).filter(UserModel.uid == user_info.uid).first()
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
Moves sso_backdoor parameters to query string. Prevents duplication of user on update.
2020-02-21 16:24:39 +00:00
if user is None:
# Add new user
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
user = UserModel()
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
user.uid = user_info.uid
user.display_name = user_info.display_name
user.email_address = user_info.email_address
user.affiliation = user_info.affiliation
user.title = user_info.title
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
db.session.add(user)
db.session.commit()
# Return the frontend auth callback URL, with auth token appended.
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
auth_token = user.encode_auth_token().decode()
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
if redirect_url is not None:
just a few more logging details.
2020-05-21 16:11:35 +00:00
app.logger.info("SSO_LOGIN: REDIRECTING TO: " + redirect_url)
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
return redirect('%s/%s' % (redirect_url, auth_token))
else:
just a few more logging details.
2020-05-21 16:11:35 +00:00
app.logger.info("SSO_LOGIN: NO REDIRECT, JUST RETURNING AUTH TOKEN.")
It became impossible to use the Swagger ui when we started adding authentication to all of the calls. I discovered Connexion and Swagger have a default way of handing JTW authentication and this cleans up our code quite a bit, moves the securing of endpoints into the API Definition, which is quite nice, and removes a whole library dependency (I never get to do that!) I added a SWAGGER_AUTH_KEY that can be used in non-production environments to allow users to quickly authenticate from the Swagger ui. I also removed all api calls to simple little happy api services, because that is just mean and pointless.
2020-03-24 18:15:21 +00:00
return auth_token
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
Moves sso_backdoor parameters to query string. Prevents duplication of user on update.
2020-02-21 16:24:39 +00:00
def backdoor(
uid=None,
affiliation=None,
display_name=None,
email_address=None,
eppn=None,
first_name=None,
last_name=None,
Adds redirect URL to login handler
2020-02-24 21:59:16 +00:00
title=None,
redirect_url=None,
Moves sso_backdoor parameters to query string. Prevents duplication of user on update.
2020-02-21 16:24:39 +00:00
):
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
"""A backdoor for end-to-end system testing that allows the system to simulate logging in as a specific user.
Only works if the application is running in a non-production environment.
Args:
Moves sso_backdoor parameters to query string. Prevents duplication of user on update.
2020-02-21 16:24:39 +00:00
uid: str
affiliation: Optional[str]
display_name: Optional[str]
email_address: Optional[str]
eppn: Optional[str]
first_name: Optional[str]
last_name: Optional[str]
title: Optional[str]
Adds redirect URL to login handler
2020-02-24 21:59:16 +00:00
redirect_url: Optional[str]
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
Returns:
str. If not on production, returns the frontend auth callback URL, with auth token appended.
Raises:
ApiError. If on production, returns a 404 error.
"""
if not 'PRODUCTION' in app.config or not app.config['PRODUCTION']:
Fixing add_study api endpoint, so you can actually add a new "Study" with just some basic information. Using the LDAP service for checking user details in development mode - even if you are using the back door. Added a new Flask fucntion load-example-rrt-data that loads the rrt workflow, and not the CRC wrokflows. Modified the "load-example-data" in the tests to use some test data, rather than loading up all the workflows[ in CRC each time, with a parameter to load crc data if that is required - which is enabled for just a handful of tests. (Tests run in 1/4 the time now)
2020-05-25 16:29:05 +00:00
ldap_info = LdapService().user_info(uid)
dropping the remaining config stuff for flask_sso. updaing the user 'sso' endpoint to provide additional information for debugging. Pulling information from ldap to stay super consistent on where we get our information.
2020-05-22 13:50:18 +00:00
return _handle_login(ldap_info, redirect_url)
Adding support to handle Single Sign On (Shibboleth) authentication using Flask SSO and an attribute map that has worked in the past with UVA's implementation. Aside from the new user endpoint, nothing requires authentication, but soon everything will expect it. I'm setting up a backdoor we can use for development and staging that will cause a round-robin affair that should make this relatively painless. Dropped "RestException" as we had two ways or raising errors, and that was silly.
2020-02-18 21:38:56 +00:00
else:
Adds SSO header attributes
2020-02-20 20:35:07 +00:00
raise ApiError('404', 'unknown')