Merge branch 'staging' into prod

Author: NotChristianGarcia

.gitignore

@@ -103,3 +103,9 @@ venv.bak/
 
 # mypy
 .mypy_cache/
+
+# defualt config
+config-local.json
+
+# MacOS
+*.DS_Store

CHANGELOG.md

@@ -2,7 +2,86 @@
 All notable changes to this project will be documented in this file.
 
 
-## 1.6.0 - 2024-02-06 (estimated)
+## 1.8.2 - 2024-02-28
+### Breaking Changes:
+- None
+
+### New features:
+- 100% tests coverage aside from V2 endpoints
+- Now grabbing uid from tokens if DN not set by CN for tenant
+- Introduced OIDC support with jwks endpoints and dedicated oidc response endpoints.
+- Now works better with Jenkins
+
+### Bug Fixes:
+- None
+
+
+## 1.8.0 - 2024-12-04
+### Breaking Changes:
+- None
+
+### New features:
+- Change help message per tenant
+
+### Bug Fixes:
+- Release for 1.8.0
+
+
+## 1.7.0 - 2024-09-13
+### Breaking Changes:
+- None
+
+### New features:
+- None
+
+### Bug Fixes:
+- Release for 1.7.0
+
+
+## 1.6.3 - 2024-08-28
+### Breaking Changes:
+- None
+
+### New features:
+- This release makes some minor updates to the TACC MFA login page.  
+- Add SMS support to MFA authentication workflow (need to update tenant config with JWT for PIdea).
+
+### Bug Fixes:
+- None
+
+
+## 1.6.2 - 2024-06-18
+### Breaking Changes:
+- None
+
+### New features:
+- None 
+
+### Bug Fixes:
+- This minor release updates Authenticator to the latest tapisservice Python package, 1.6.0 
+  (previously it was 1.4.0). See issue #70.
+
+
+## 1.6.1 - 2024-05-21
+### Breaking Changes:
+- None
+
+### New features:
+- None 
+
+### Bug Fixes:
+- This release changes the behavior of the limit and offset paging query parameters in the Profiles API so that, 
+  whenever an offset value is sent that is larger that the size of the collection, no records are returned. 
+  Prior to this release, whenever an offset larger than the collection was sent, the query would "wrap" around 
+  and send results from the start of the collection.
+- Since LDAP DNs are almost always case insensitive, usernames that are the same up to case are equivalent 
+  for binding. This change updates the check of a username/password combination to reject any username that 
+  contains uppercase letters. This prevents an issue where users could authenticate with different usernames 
+  that are the same up to case and retrieve JWTs with different subjects. (See issue #69).
+
+  
+
+## 1.6.0 - 2024-02-06
 
 ### Breaking Changes:
 - None

Dockerfile

@@ -1,12 +1,12 @@
 # image: tapis/authenticator
-FROM tapis/flaskbase:1.4.0
+FROM tapis/flaskbase:1.7.0
 
 COPY requirements.txt /home/tapis/requirements.txt
 RUN pip install -r /home/tapis/requirements.txt
 
 # give tapis permissions to write to tapipy -- this is important if you want tapipy to download more
 # recent specs.
-RUN chmod -R a+w /usr/local/lib/python3.7/site-packages/tapipy/
+RUN chmod -R a+w /usr/local/lib/python3.8/site-packages/tapipy/
 
 COPY configschema.json /home/tapis/configschema.json
 COPY config-local.json /home/tapis/config.json

Dockerfile-migrations

@@ -1,14 +1,14 @@
 # image: tapis/authenticator-migrations
-from tapis/authenticator
+FROM tapis/authenticator
 
 RUN pip install --upgrade alembic==1.10.4
-RUN pip install --upgrade Flask-Migrate
+RUN pip install --upgrade Flask-Migrate==4.0.7
 
 COPY migrations /home/tapis/migrations
 
 ENV MIGRATIONS_RUNNING=True
 
-User root
+USER root
 RUN chown -R tapis:tapis /home/tapis
 USER tapis
 

Dockerfile-tests

@@ -1,5 +1,5 @@
 # Image: tapis/authenticator-tests
-from tapis/authenticator
+FROM tapis/authenticator
 
 USER root
 ADD tests-requirements.txt /home/tapis/tests-requirements.txt

Makefile

@@ -7,9 +7,8 @@
 
 
 # it is required that the operator export API_NAME=<name_of_the_api> before using this makefile/
-ifndef API_NAME
--include .env
-endif
+# default to authenticator
+API_NAME ?=authenticator
 api=${API_NAME}
 
 cwd=$(shell pwd)
@@ -30,7 +29,7 @@ build: build.api build.migrations build.test
 
 # ----- run tests
 test: build.test
-	cd $(cwd); touch service.log; chmod a+w service.log; docker-compose run $(api)-tests;
+	cd $(cwd); touch service.log; chmod a+w service.log; docker-compose run -e MFA_GEN_CODE=$(MFA_GEN_CODE) $(api)-tests;
 
 # ----- shutdown the currently running services
 down:
@@ -42,7 +41,7 @@ clean: down
 
 # ----- start databases
 run_dbs: build.api down
-	cd $(cwd); docker-compose up -d postgres; docker-compose up -d authenticator-ldap
+	cd $(cwd); docker-compose --compatibility up -d postgres; docker-compose up -d authenticator-ldap
 
 # ----- connect to db as root
 connect_db:

README.md

@@ -13,8 +13,12 @@ First, make sure the following passwords are set correctly.
    in develop.
 2. Within ``docker-compose.yml``, update the ``LDAP_ROOTPASS`` to match the ``password`` key in the secret ``ldap.tapis-dev`` stored in SK.
 
-#### Working With Secrets in the SK ####
-We are now storing LDAP secrets within the SK. To retrieve them, use the Python SDK with a token representing the
+#### Working With Secrets in the Tapis Security Kernel (SK) ####
+We are now storing LDAP secrets within the Tapis Security Kernel (SK). This is the official Tapis service for
+storing secrets and authorization data. For more background information on the Tapis SK, see 
+the [documentation](https://tapis.readthedocs.io/en/latest/technical/security.html).
+
+To retrieve them, use the Python SDK with a token representing the
 authenticator. For example:
 
 List all secrets:
@@ -155,7 +159,7 @@ from service.models import TenantConfig, db
 import json
 c = TenantConfig.query.filter_by(tenant_id='jupyter-tacc-dev')[0]
 d = {"tacc": {"grant_types": [], "privacy_idea_client_id": "<get_from_stache>", "privacy_idea_client_key": "<get_from_stache>", "privacy_idea_url": "https://pidea02.tacc.utexas.edu", "realm": "tacc"}}
-c.mfa_config = json_dumps(d)
+c.mfa_config = json.dumps(d)
 db.session.commit()
 ```
 

configschema.json

@@ -126,10 +126,16 @@
       "default": "Tapis Token Webapp"
     },
     "turn_off_mfa": {
-        "type": "boolean",
-        "description": "A single configuration that will cause Authenticator to disable all MFA checks.",
-        "default": false
-      }
+      "type": "boolean",
+      "description": "A single configuration that will cause Authenticator to disable all MFA checks.",
+      "default": false
     },
-  "required": ["dev_ldap_tenant_id"]
+    "privacy_idea_jwt": {
+      "type": "string",
+      "description": "The Tapis service token to authenticate to Privacy Idea."
+    }
+  },
+  "required": [
+    "dev_ldap_tenant_id"
+  ]
 }

requirements.txt

@@ -1,4 +1,5 @@
 hashids==1.2.0
 ldap3
 requests
-flask-wtf
+flask-wtf
+jwcrypto

service/api.py

@@ -9,7 +9,7 @@
     ProfilesResource, ProfileResource, StaticFilesResource, LoginResource, SetTenantResource, LogoutResource, \
     WebappTokenGen, WebappTokenAndRedirect, TenantConfigResource, UserInfoResource, OAuth2ProviderExtCallback, \
     OAuthMetadataResource, MFAResource, DeviceFlowResource, DeviceCodeResource, V2TokenResource, \
-    RevokeTokensResource, SetIdentityProvider, WebappLogout
+    RevokeTokensResource, SetIdentityProvider, WebappLogout, OIDCjwksResource, OIDCTokensResource#, OIDCUserInfoResource, OIDCMetadataResource
 from service.ldap import populate_test_ldap
 from service.models import db, app, initialize_tenant_configs
 
@@ -75,6 +75,11 @@ def authnz_for_authenticator():
 api.add_resource(ProfilesResource, '/v3/oauth2/profiles')
 api.add_resource(ProfileResource, '/v3/oauth2/profiles/<username>')
 
+# API OIDC resources
+#api.add_resource(OIDCMetadataResource, '/v3/oauth2/.well-known/openid-configuration')
+api.add_resource(OIDCjwksResource, '/v3/oauth2/jwks')
+api.add_resource(OIDCTokensResource, '/v3/oauth2/tokens/oidc')
+
 # Auth server resources
 api.add_resource(AuthorizeResource, '/v3/oauth2/authorize')
 api.add_resource(LoginResource, '/v3/oauth2/login')