Add DS_Store to ignore, fix logging for SMS

Author: gcurbelo123

.gitignore

@@ -106,3 +106,6 @@ venv.bak/
 
 # defualt config
 config-local.json
+
+# MacOS
+*.DS_Store

configschema.json

@@ -126,10 +126,16 @@
       "default": "Tapis Token Webapp"
     },
     "turn_off_mfa": {
-        "type": "boolean",
-        "description": "A single configuration that will cause Authenticator to disable all MFA checks.",
-        "default": false
-      }
+      "type": "boolean",
+      "description": "A single configuration that will cause Authenticator to disable all MFA checks.",
+      "default": false
     },
-  "required": ["dev_ldap_tenant_id"]
+    "privacy_idea_jwt": {
+      "type": "string",
+      "description": "The Tapis service token to authenticate to Privacy Idea."
+    }
+  },
+  "required": [
+    "dev_ldap_tenant_id"
+  ]
 }

service/mfa.py

@@ -52,18 +52,16 @@ def check_sms(tenant_id, username):
             config_data = get_config_data(mfa_config)
 
             if config_data:
-                if 'privacy_idea_jwt' in config_data:
-                    jwt = config_data['privacy_idea_jwt']
-                else:
-                    jwt = get_privacy_idea_jwt(config_data['privacy_idea_url'], config_data['privacy_idea_client_id'], config_data['privacy_idea_client_key'])
+                jwt = conf.privacy_idea_jwt if conf.privacy_idea_jwt else get_privacy_idea_jwt(config_data['privacy_idea_url'], config_data['privacy_idea_client_id'], config_data['privacy_idea_client_key'])
                 headers = {"Authorization": jwt}
+                logger.debug(headers)
                 data = {"serial": username}
                 res = requests.get(f"{config_data['privacy_idea_url']}/token?serial={username}", headers=headers, data=data)
                 result = res.json()["result"]
-                logger.debug(f"REQUEST RESULT: {result}")
+                logger.debug(f"Serial request from Privacy Idea for {username}: {result}")
                 return res.json()["result"]["value"]["tokens"][0]["tokentype"] == "sms"
     except Exception as e:
-        logger.debug(e)
+        logger.debug(f"Error checking SMS for {username}: {e}")
 
     return False
 
@@ -77,13 +75,14 @@ def send_sms(tenant_id, username):
             config_data = get_config_data(mfa_config)
 
             if config_data:
-                jwt = config_data['privacy_idea_jwt']
+                jwt = conf.privacy_idea_jwt
                 headers = {"Authorization": jwt}
+                logger.debug(headers)
                 data = {"serial": username}
                 res = requests.post(f"{config_data['privacy_idea_url']}/validate/triggerchallenge", headers=headers, data=data)
                 return res.status_code == 200
     except Exception as e:
-        logger.debug(e)
+        logger.debug(f"Error sending SMS to {username}: {e}")
 
 
 def call_mfa(token, tenant_id, username):
@@ -99,10 +98,7 @@ def call_mfa(token, tenant_id, username):
 
     if "tacc" in mfa_config:
         config = get_config_data(mfa_config)
-        if 'privacy_idea_jwt' in config:
-            jwt = config['privacy_idea_jwt']
-        else:
-            jwt = get_privacy_idea_jwt(config['privacy_idea_url'], config['privacy_idea_client_id'], config['privacy_idea_client_key'])
+        jwt = conf.privacy_idea_jwt if conf.privacy_idea_jwt else get_privacy_idea_jwt(config['privacy_idea_url'], config['privacy_idea_client_id'], config['privacy_idea_client_key'])
         return verify_mfa_token(config['privacy_idea_url'], jwt, token, username, config['realm'])
 
 
@@ -111,21 +107,12 @@ def get_config_data(config):
     data['privacy_idea_url'] = config['tacc']['privacy_idea_url']
     data['privacy_idea_client_id'] = config['tacc']['privacy_idea_client_id']
     data['privacy_idea_client_key'] = config['tacc']['privacy_idea_client_key']
-    data['privacy_idea_jwt'] = config['tacc'].get('privacy_idea_jwt', None)
     data['grant_types'] = config['tacc'].get('grant_types', '')
     data['realm'] = config['tacc'].get('realm', 'tacc')
 
     return data
 
 
-def privacy_idea_tacc(config, token, username):
-    jwt = get_privacy_idea_jwt(config['privacy_idea_url'], config['privacy_idea_client_id'], config['privacy_idea_client_key'])
-    if not jwt:
-        return False
-
-    return verify_mfa_token(config['privacy_idea_url'], config['privacy_idea_jwt'], token, username, config['realm'])
-
-
 def get_privacy_idea_jwt(url, username, password):
     data = {
         "username": username,

service/templates/login.html

@@ -15,6 +15,9 @@ <h1>
       <span>Log In</span>
     </h1>
     <p>to continue to the <var>{{ client_display_name }}</var></p>
+    {% if client_display_name == 'DesignSafe JupyterHub' %}
+      <p>Warning: Files saved in the top most directory will be wiped on server restart. Please save files to MyData or to a Project.</p>
+    {% endif %}
 
     {% if error %}
     <ul>

service/tests/basic_test.py

@@ -194,16 +194,17 @@ def check_device_code_table(client_id, user_code, device_code, verification_url,
     retrieved = models.DeviceCode.query.filter_by(user_code=user_code).first()
     print(f'DEBUG: got device code object:: {retrieved}')
     if negative:
-        assert retrieved == None
+        assert retrieved is None
         return
     assert retrieved.code == device_code
     assert retrieved.user_code == user_code
     assert retrieved.tenant_id == TEST_TENANT_ID
     assert retrieved.client_id == client_id
-    assert retrieved.client_key ==  TEST_CLIENT_KEY
+    assert retrieved.client_key == TEST_CLIENT_KEY
     assert retrieved.status == status
     assert retrieved.verification_uri == verification_url
 
+
 def validate_refresh_token(response):
     """
     Validate that a response has a refresh token and it is properly formatted.
@@ -221,6 +222,7 @@ def validate_refresh_token(response):
     assert claims['tapis/access_token']['sub'] == f'{TEST_USERNAME}@{TEST_TENANT_ID}'
     return claims
 
+
 def get_jwt(client):
     # TODO: add assertions for failing to get a token -- this should fail the current test somehow
     # auth_header = {'Authorization': get_basic_auth_header(TEST_CLIENT_ID, TEST_CLIENT_KEY)}
@@ -241,17 +243,20 @@ def get_jwt(client):
     access_token_str = response.json['result']['access_token']['access_token']
     return access_token_str
 
+
 def gen_mfa_token(username, tokencode=None):
     """
     Generate a OTP mfa code using pyotp given a username and token code.
     If a token code is not provided, a random one will be used.
     """
     pass
 
+
 # =====================
 # Actual test functions
 # =====================
 
+
 ## utility tests
 # get jwt
 def test_get_jwt(client):
@@ -262,6 +267,7 @@ def test_get_jwt(client):
     result = get_jwt(client)
     print(f'got result = {result}')
 
+
 # get mfa config
 def test_get_mfa_config(client):
     print('top of get mfa config')
@@ -289,6 +295,7 @@ def test_get_mfa_config(client):
         print(f'got {e} while trying to get mfa config for tenant {TEST_TENANT_ID}')
         raise Exception()
 
+
 ## Health Check
 # hello
 def test_authenticator_hello(client):
@@ -301,23 +308,27 @@ def test_authenticator_ready(client):
     result = client.get('http://localhost:5000/v3/oauth2/ready')
     assert result.status_code == 200
 
+
 ## Metadata
 # get_server_metadata
 def test_get_metadata(client):
     result = client.get("http://localhost:5000/v3/oauth2/.well-known/oauth-authorization-server")
     assert result.status_code == 200
 
+
 ## Admin
 # get_config
 # update_config
 
 ## Clients
 
+
 def test_invalid_post(client):
     with client:
         response = client.post("http://localhost:5000/v3/oauth2/clients")
         assert response.status_code == 400
 
+
 # list_clients
 def test_authenticator_list_clients(client, capsys):
     # result = client.authenticator.list_clients()
@@ -326,6 +337,7 @@ def test_authenticator_list_clients(client, capsys):
         result = client.get('http://localhost:5000/v3/oauth2/clients', headers=header)
         assert result.status_code == 200
 
+
 # create_client
 def test_authenticator_create_clients(client, capsys): ## TODO: this works, but doing it twice violates uniqueness constraint. Need to find a way to reliably erase it without using another endpoint
     # result = client.authenticator.create_client(client_id=TEST_CLIENT_ID, callback_url='https://foo.example.com/oauth2/callback')
@@ -522,7 +534,7 @@ def test_password_grant_no_client(client, init_db):
     assert 'access_token' in response.json['result']
     # validate access_token:
     claims = validate_access_token(response)
-    assert claims['tapis/client_id'] == None
+    assert claims['tapis/client_id'] is None
     assert claims['tapis/grant_type'] == 'password'
     # when not using an oauth client, refresh tokens are not returned:
     assert 'refresh_token' not in response.json['result']
@@ -565,7 +577,7 @@ def test_revoke_token(client, init_db):
             data=json.dumps(payload),
             content_type='application/json'
         )
-        assert response.status_code == 200        
+        assert response.status_code == 200 
         check_access_token_table(access_token_claims, "password", True, TEST_CLIENT_ID)
 
         # then the refresh token
@@ -575,7 +587,7 @@ def test_revoke_token(client, init_db):
             data=json.dumps(payload),
             content_type='application/json'
         )
-        assert response.status_code == 200        
+        assert response.status_code == 200       
 
         check_refresh_token_table(refresh_token_claims, "password", True, TEST_CLIENT_ID)
 
@@ -799,12 +811,12 @@ def test_exchange_device_code(client):
                                     access_token_ttl=models.DeviceCode.set_ttl())
     except Exception as e:
         print(f'ERROR: exception while generating device code object:: {e}')
-    assert device_code != None
+    assert device_code is not None
     print(f'DEBUG: have device code object: {device_code}')
     try:
         models.db.session.add(device_code)
         models.db.session.commit()
-        print(f'DEBUG: committed device code object to DB')
+        print('DEBUG: committed device code object to DB')
     except Exception as e:
             print(f"Got exception trying to add and commit the device code. e: {e}; type(e): {type(e)}")
             raise Exception("Internal error saving device code. Please try again later.")