diff --git a/src/spiffworkflow_backend/__init__.py b/src/spiffworkflow_backend/__init__.py
index 4ffc2f59..f67dccc0 100644
--- a/src/spiffworkflow_backend/__init__.py
+++ b/src/spiffworkflow_backend/__init__.py
@@ -23,7 +23,8 @@ from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_b
 from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
 openid_blueprint,
 )
-from spiffworkflow_backend.routes.user import set_new_access_token_in_cookie, verify_token
+from spiffworkflow_backend.routes.user import set_new_access_token_in_cookie
+from spiffworkflow_backend.routes.user import verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.background_processing_service import (
diff --git a/src/spiffworkflow_backend/config/default.py b/src/spiffworkflow_backend/config/default.py
index 0032a8a8..763474e0 100644
--- a/src/spiffworkflow_backend/config/default.py
+++ b/src/spiffworkflow_backend/config/default.py
@@ -29,7 +29,8 @@ CONNECTOR_PROXY_URL = environ.get(
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
- "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+ "OPEN_ID_SERVER_URL",
+ default="http://localhost:7002/realms/spiffworkflow"
 # "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid"
 )
@@ -38,7 +39,8 @@ OPEN_ID_SERVER_URL = environ.get(
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
 # "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
- "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
+ "OPEN_ID_CLIENT_SECRET_KEY",
+ default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q",
 ) # noqa: S105
 SPIFFWORKFLOW_BACKEND_LOG_TO_FILE = (
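Review bot: The fallback `default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"` for OPEN_ID_CLIENT_SECRET_KEY is a literal client secret that takes effect silently whenever the environment variable is unset; the `# noqa: S105` only quiets the linter, it does not change that behaviour. Since OPEN_ID_SERVER_URL in the hunk above defaults to a localhost realm, this is presumably a development-only value, so consider removing the default so that a missing secret is caught where the app is configured rather than falling back, e.g. `OPEN_ID_CLIENT_SECRET_KEY = environ.get("OPEN_ID_CLIENT_SECRET_KEY")` paired with a non-empty check at startup. At minimum, document the intent next to the value: `# Development-only client secret for the local realm; every other environment must set OPEN_ID_CLIENT_SECRET_KEY`.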
diff --git a/src/spiffworkflow_backend/routes/health_controller.py b/src/spiffworkflow_backend/routes/health_controller.py
index 30757e2a..31154e15 100644
--- a/src/spiffworkflow_backend/routes/health_controller.py
+++ b/src/spiffworkflow_backend/routes/health_controller.py
@@ -1,17 +1,15 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
-from flask import current_app
-import flask.wrappers
 from flask.wrappers import Response
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
-def status() -> flask.wrappers.Response:
+def status() -> Response:
 """Status."""
 ProcessInstanceModel.query.filter().first()
- response = Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
- # print(f"current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', ''): {current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', '')}")
- response.set_cookie('TEST_COOKIE1', 'HEY', domain=None)
+ response = Response(
+ json.dumps({"ok": True}), status=200, mimetype="application/json"
+ )
 return response
diff --git a/src/spiffworkflow_backend/routes/process_groups_controller.py b/src/spiffworkflow_backend/routes/process_groups_controller.py
index 5a593cd5..a548099f 100644
--- a/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -1,10 +1,10 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
-from flask import current_app
 from typing import Any
 from typing import Optional
 import flask.wrappers
+from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
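Review bot: The docstring `"""Status."""` on status() says nothing about what the endpoint actually checks, and the bare `ProcessInstanceModel.query.filter().first()` line reads like a stray statement because its result is discarded. Suggest `"""Health probe: run a trivial query against the database and return {"ok": true} when it succeeds."""` and, on the query line, `# Result intentionally discarded; the query only confirms the database is reachable.` Any exception from that query propagates unhandled out of the view, which appears to be the intended failure signal for the probe — worth stating in the docstring if so. The module docstring still talks about process groups and models, which does not describe this file.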
@@ -90,9 +90,11 @@ def process_group_list(
 },
 }
 # response = make_response(jsonify(response_json), 200)
- response = Response(json.dumps(response_json), status=200, mimetype="application/json")
+ response = Response(
+ json.dumps(response_json), status=200, mimetype="application/json"
+ )
 current_app.logger.info("SETTING COOKIE")
- response.set_cookie('TEST_COOKIE', 'HEY1')
+ response.set_cookie("TEST_COOKIE", "HEY1")
 return response
diff --git a/src/spiffworkflow_backend/routes/user.py b/src/spiffworkflow_backend/routes/user.py
index c1966c3a..499a0eda 100644
--- a/src/spiffworkflow_backend/routes/user.py
+++ b/src/spiffworkflow_backend/routes/user.py
@@ -7,6 +7,7 @@ from typing import Dict
 from typing import Optional
 from typing import Union
+import flask
 import jwt
 from flask import current_app
 from flask import g
@@ -14,17 +15,18 @@ from flask import redirect
 from flask import request
 from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
-# from flask.wrappers import Response
-import flask
 from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.services.authentication_service import TokenExpiredError, AuthenticationService
+from spiffworkflow_backend.services.authentication_service import AuthenticationService
 from spiffworkflow_backend.services.authentication_service import (
 MissingAccessTokenError,
 )
+from spiffworkflow_backend.services.authentication_service import TokenExpiredError
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
+# from flask.wrappers import Response
+
 # from flask_jwt_extended import set_access_cookies
 """
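Review bot: The new side still executes `response.set_cookie("TEST_COOKIE", "HEY1")` and `current_app.logger.info("SETTING COOKIE")` on every process-group listing; only the quoting changed, while the matching TEST_COOKIE1 line in health_controller.py is removed in this same commit, so these look like leftover debugging rather than intended behaviour. The cookie is set with default attributes on a production endpoint, and the commented-out `# response = make_response(jsonify(response_json), 200)` above it is dead code. Suggest deleting those three lines so the function just builds the Response and returns it. process_group_list starts outside the hunk.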
@@ -60,7 +62,7 @@ def verify_token(
 token = request.headers["Authorization"].removeprefix("Bearer ")
 # This should never be set here but just in case
- tld = current_app.config['THREAD_LOCAL_DATA']
+ tld = current_app.config["THREAD_LOCAL_DATA"]
 if hasattr(tld, "new_access_token"):
 tld.new_access_token = None
@@ -84,7 +86,7 @@ def verify_token(
 try:
 if AuthenticationService.validate_id_or_access_token(token):
 user_info = decoded_token
- except (TokenExpiredError) as token_expired_error:
+ except TokenExpiredError as token_expired_error:
 # Try to refresh the token
 user = UserService.get_user_by_service_and_service_id(
 decoded_token["iss"], decoded_token["sub"]
@@ -100,10 +102,13 @@ def verify_token(
 if auth_token and "error" not in auth_token:
 print("SETTING NEW TOKEN")
 print(f"auth_token: {auth_token}")
- tld.new_access_token = auth_token['access_token']
+ tld.new_access_token = auth_token["access_token"]
 # We have the user, but this code is a bit convoluted, and will later demand
 # a user_info object so it can look up the user. Sorry to leave this crap here.
- user_info = {"sub": user.service_id, "iss": user.service}
+ user_info = {
+ "sub": user.service_id,
+ "iss": user.service,
+ }
 if user_info is None:
 raise ApiError(
@@ -162,8 +167,6 @@ def verify_token(
 g.token = token
 get_scope(token)
 return None
- # return {"uid": g.user.id, "sub": g.user.id, "scope": scope}
- # return validate_scope(token, user_info, user_model)
 else:
 raise ApiError(error_code="no_user_id", message="Cannot get a user id")
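Review bot: `print(f"auth_token: {auth_token}")` writes the whole token response from the refresh — which the next line shows contains the access token, and presumably a refresh token as well — to stdout, where it is typically captured by process or container logs; the commit keeps both print lines in the `@@ -100,10` hunk and only re-quotes the assignment beneath them. Suggest dropping both prints, or replacing them with a log line that carries no secret material, e.g. `current_app.logger.debug("Refreshed access token for %s", user.service_id)`. The rebuilt `user_info` dict is also filled from the UserModel rather than from the freshly issued token, which the existing comment half-acknowledges; a one-line note on why the refreshed token is not decoded here would help the next reader. verify_token starts and ends outside these hunks.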
@@ -172,26 +175,17 @@ def verify_token(
 )
-def set_new_access_token_in_cookie(response: flask.wrappers.Response) -> flask.wrappers.Response:
- print(f"response: {response.__class__}")
- tld = current_app.config['THREAD_LOCAL_DATA']
+def set_new_access_token_in_cookie(
+ response: flask.wrappers.Response,
+) -> flask.wrappers.Response:
+ """Set_new_access_token_in_cookie."""
+ tld = current_app.config["THREAD_LOCAL_DATA"]
 if hasattr(tld, "new_access_token") and tld.new_access_token:
- response.set_cookie('access_token', tld.new_access_token)
+ response.set_cookie("access_token", tld.new_access_token)
+ tld.new_access_token = None
 return response
-def validate_scope(token: Any) -> bool:
- """Validate_scope."""
- print("validate_scope")
- # token = AuthenticationService.refresh_token(token)
- # user_info = AuthenticationService.get_user_info_from_public_access_token(token)
- # bearer_token = AuthenticationService.get_bearer_token(token)
- # permission = AuthenticationService.get_permission_by_basic_token(token)
- # permissions = AuthenticationService.get_permissions_by_token_for_resource_and_scope(token)
- # introspection = AuthenticationService.introspect_token(basic_token)
- return True
-
-
 def encode_auth_token(sub: str, token_type: Optional[str] = None) -> str:
 """Generates the Auth Token.
@@ -235,6 +229,7 @@ def parse_id_token(token: str) -> Any:
 decoded = base64.b64decode(padded)
 return json.loads(decoded)
+
 def login_return(code: str, state: str, session_state: str) -> Optional[Response]:
 """Login_return."""
 state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))
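Review bot: `response.set_cookie("access_token", tld.new_access_token)` stores a bearer token in a cookie with default attributes, so it is readable from page script and sent over plain HTTP; unless the frontend has to read this cookie from JavaScript, set it with `httponly=True`, `samesite="Lax"` and `secure=True` (the last conditioned on the app being served over HTTPS, since the defaults in config/default.py point at localhost). The docstring `"""Set_new_access_token_in_cookie."""` just repeats the name; something like `"""If verify_token or login_return stored a refreshed access token in THREAD_LOCAL_DATA, copy it into an access_token cookie on the response and clear the slot."""` describes the contract the code shows. The added `tld.new_access_token = None` is a good change; a short comment on why it is cleared — presumably so the token is not re-sent on a later request handled by the same thread, worth confirming — would make the intent explicit.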
@@ -258,8 +253,8 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
 + f"access_token={auth_token_object['access_token']}&"
 + f"id_token={id_token}"
 )
- tld = current_app.config['THREAD_LOCAL_DATA']
- tld.new_access_token = auth_token_object['access_token']
+ tld = current_app.config["THREAD_LOCAL_DATA"]
+ tld.new_access_token = auth_token_object["access_token"]
 return redirect(redirect_url)
 raise ApiError(
diff --git a/src/spiffworkflow_backend/services/authentication_service.py b/src/spiffworkflow_backend/services/authentication_service.py
index 309dca1e..92480f7b 100644
--- a/src/spiffworkflow_backend/services/authentication_service.py
+++ b/src/spiffworkflow_backend/services/authentication_service.py
@@ -22,11 +22,11 @@ class MissingAccessTokenError(Exception):
 # These could be either 'id' OR 'access' tokens and we can't always know which
 class TokenExpiredError(Exception):
- pass
+ """TokenExpiredError."""
 class TokenInvalidError(Exception):
- pass
+ """TokenInvalidError."""
 class AuthenticationProviderTypes(enum.Enum):
@@ -144,7 +144,7 @@ class AuthenticationService:
 try:
 decoded_token = jwt.decode(token, options={"verify_signature": False})
 except Exception as e:
- raise TokenInvalidError('Cannot decode token') from e
+ raise TokenInvalidError("Cannot decode token") from e
 if decoded_token["iss"] != cls.server_url():
 valid = False
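Review bot: The redirect URL on the new side still carries `access_token=…` and `id_token=…` as query parameters, so both tokens end up in browser history, Referer headers and any proxy or frontend access logs; the commit only re-quotes the two `tld` lines beneath them. Since the same access token is now also handed to set_new_access_token_in_cookie through `tld.new_access_token`, the query parameters may be redundant — if the frontend can take the token from the cookie, drop them from `redirect_url`; if it cannot, carrying them in the URL fragment rather than the query string at least keeps them out of server-side logs. login_return starts and ends outside the hunk.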
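Review bot: The new docstrings `"""TokenExpiredError."""` and `"""TokenInvalidError."""` only restate the class names, while the comment above them already holds the one useful fact (the token may be an id or an access token). Suggest `"""Raised when an id or access token is past its expiry."""` and `"""Raised when a token cannot be decoded or otherwise fails validation."""`; the second matches the `TokenInvalidError("Cannot decode token")` site in the following hunk.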