Fixes for /oauth2/userinfo/oidc endpoints

Author: NotChristianGarcia

Dockerfile

@@ -1,5 +1,5 @@
 # image: tapis/authenticator
-FROM tapis/flaskbase:1.7.0
+FROM tapis/flaskbase:1.8.0
 
 COPY requirements.txt /home/tapis/requirements.txt
 RUN pip install -r /home/tapis/requirements.txt

Makefile

@@ -6,6 +6,14 @@
 #        CONSIDER USING VIM (sigh!) WHICH ACTUALLY HAS GOOD MAKEFILE EDITING SUPPORT.
 
 
+
+# To run tests ensure service_password and token_url in .env
+# make clean
+# make build
+# make init_dbs
+# make migrate.upgrade
+# make test
+
 # it is required that the operator export API_NAME=<name_of_the_api> before using this makefile/
 # default to authenticator
 API_NAME ?=authenticator

service/__init__.py

@@ -19,7 +19,7 @@
 logger.debug("creating the authenticator tapis service client...")
 t = get_service_tapis_client(tenants=auth_tenants, 
                              # todo -- change back once tokens api update is in prod
-                             resource_set='dev'
+                             # resource_set='dev'
                             )
 
 

service/auth.py

@@ -148,6 +148,48 @@ def authentication():
                                                 f"served by this authenticator.")
         return True
 
+    # token should come from `Authorization: Bearer $token` header. rather than x-tapis-token
+    # this endpoint takes both, converts Authorization to x-tapis-token for simplicity
+    if '/v3/oauth2/userinfo/oidc' in request.url_rule.rule:
+        logger.debug(f"top of /v3/oauth2/userinfo/oidc auth: request.headers: {request.headers}")
+
+        auth_token = request.headers.get('Authorization')
+        if auth_token and auth_token.startswith('Bearer ') and not request.headers.get('X-Tapis-Token'):
+            try:
+                # overwrite the headers via wsgi environ. request.headers itself is read-only
+                tapis_token = auth_token.replace('Bearer ', '')
+                logger.debug(f"found auth header; setting environ X-Tapis-Token to {tapis_token}")
+
+                # tokens might have aud, if jwt.decode in tapisservice doesn't specify expected aud you'll
+                # get invalid aud. Either we can somehow pop aud or specify to jwt.decode(options={'verify_aud': False})
+                # Instead of verify = false we can also specify a list of valid auds. Pop aud would require
+                # re-encoding+sigining key. We don't have private tenant key in auth though. Ignoring for now, only
+                # bookstack looks for this when running their auth.
+                # resolve_tenant_id_for_request decode needs aud to expect - https://github.com/jpadilla/pyjwt/blob/master/docs/usage.rst#audience-claim-aud
+
+                # modify the WSGI environment directly
+                # wsgi requires headers be uppercase, no dashes, and prefixed with HTTP_
+                request.environ['HTTP_X_TAPIS_TOKEN'] = tapis_token
+            except Exception as e:
+                logger.error(f"found auth header, but failed to parse it; exception: {e}")
+
+        # debug logs
+        try:
+            headers = request.headers
+            logger.debug(f"before auth.authentication(). request.headers: {headers}")
+        except Exception as e:
+            pass
+        
+        auth.authentication()
+        # always resolve the request tenant id based on the URL:
+        auth.resolve_tenant_id_for_request()
+        # make sure this request is for a tenant served by this authenticator
+        if g.request_tenant_id not in conf.tenants:
+            raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
+                                                 f"served by this authenticator.")
+        logger.debug(f"End of v3/oauth2/userinfo/oidc auth: final request_tenant_id: {g.request_tenant_id}")
+        return True
+
     # the profiles endpoints always use standard Tapis Token auth -
     if '/v3/oauth2/profiles' in request.url_rule.rule or \
             '/v3/oauth2/userinfo' in request.url_rule.rule:

service/controllers.py

@@ -227,17 +227,25 @@ def _handle_userinfo_request(request, oidc=False):
     ## Rubin Science place needs
     # rubin scope with info via data_rights
     # adding data rights for specific users for rubin - test
-    logger.debug(f"userinfo: {userinfo}")
-    username = userinfo.get('username')
-    if oidc and username and username in ["cgarcia", "mpackard", "kprice", "jstubbs"]:
-        data_rights = get_user_data_rights(username)
-        if data_rights:
-            userinfo["data_rights"] = " ".join(data_rights)
+    logger.debug(f"userinfo: {userinfo.serialize}")
+    try:
+        username = userinfo.get('username')
+    except:
+        username = "TALKTODEV"
+    if oidc:
+        logger.debug(f"inside of oidc userinfo; username: {username}")
+        ## This code still doesn't matter, was attempting some debugging for rubin place
+        # Kevin got Gafaelfawr to look in the "correct field" to map groups
+        if username and username in ["cgarcia", "mpackard", "kprice", "jstubbs"]:
+            data_rights = get_user_data_rights(username)
+            if data_rights:
+                userinfo["data_rights"] = " ".join(data_rights)
+        return jsonify(userinfo.serialize)
 
     return utils.ok(result=userinfo.serialize, msg="User profile retrieved successfully.")
 
 
-def get_user_data_rights(user):
+def get_user_data_rights(username):
     # Implement logic to retrieve the list of data releases the user has access to
     # This function should return a list of strings representing data releases
     return ["release1", "release2", "lsst-sqre", "admin:jupyterlab", "admin", "jupyterlab", "square", "tacc-spherex"]
@@ -1553,6 +1561,7 @@ def _handle_tokens_request(request, oidc=False):
             content['claims']['tapis/idp_id'] = idp_id
         if oidc:
             if client_id:
+                # bookstack for example requires aud to match client id
                 content['claims']['aud'] = client_id
             content['claims']['iat'] = int(time.time())
             content['claims']['extravar'] = username