
Commit e9d3769

changes
1 parent 4c884eb commit e9d3769


2 files changed

+25
-16
lines changed


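--- a/service/auth.py
+++ b/service/auth.py
@@ -60,6 +60,7 @@ def authentication():
 raise common_errors.ResourceError("The endpoint and HTTP method combination "
 "are not available from this service.")
 
+
 # the metadata endpoint is publicly available
 if '/v3/oauth2/.well-known/' in request.url_rule.rule:
 logger.debug(".well-known endpoint; request is allowed to be made unauthenticated.")
@@ -82,7 +83,7 @@ def authentication():
 # first, make sure this request is for a tenant served by this authenticator
 if g.request_tenant_id not in conf.tenants:
 raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-f"served by this authenticator.")
+f"served by this authenticator.")
 # we only want to honor tokens from THIS authenticator; i.e., not some other authenticator. therefore, we need
 # to check that the tenant_id associated with the token (g.tenant_id) is the same as THIS authenticator's tenant
 # id;
@@ -91,28 +92,28 @@ def authentication():
 f"and tenant was {conf.service_tenant_id}")
 return True
 logger.debug(f"request token does not represent THIS authenticator: token username: {g.username};"
-f" request tenant: {g.tenant_id}. Now checking for tenant admin...")
+f" request tenant: {g.tenant_id}. Now checking for tenant admin...")
 # all other service accounts are not allowed to update authenticator
 if g.account_type == 'service':
 raise common_errors.PermissionsError("Not authorized -- service accounts are not allowed to access the"
-"authenticator admin endpoints.")
+"authenticator admin endpoints.")
 # sanity check -- the request tenant id should be the same as the token tenant id in the remaining cases because
 # they are all user tokens
 if not g.request_tenant_id == g.tenant_id:
 logger.error(f"program error -- g.request_tenant_id: {g.request_tenant_id} not equal to "
-f"g.tenant_id: {g.tenant_id} even though account type was user!")
+f"g.tenant_id: {g.tenant_id} even though account type was user!")
 raise common_errors.ServiceConfigError(f"Unexpected program error checking permissions. The tenant id of"
-f"the request ({g.request_tenant_id}) did not match the tenant id "
-f"of the access token ({g.tenant_id}). Please contact server "
-f"administrators.")
+f"the request ({g.request_tenant_id}) did not match the tenant id "
+f"of the access token ({g.tenant_id}). Please contact server "
+f"administrators.")
 # check SK for tenant admin --
 try:
 rsp = t.sk.isAdmin(tenant=g.tenant_id, user=g.username)
 except Exception as e:
 logger.error(f"Got exception trying to check tenant admin role for tenant: {g.tenant_id} "
-f"and user: {g.username}; exception: {e}")
+f"and user: {g.username}; exception: {e}")
 raise common_errors.PermissionsError("Could not check tenant admin role with SK; this role is required for "
-"accessing the authenticator admin endpoints.")
+"accessing the authenticator admin endpoints.")
 try:
 if rsp.isAuthorized:
 logger.info(f"user {g.username} had tenant admin role for tenant {g.tenant_id}; allowing request.")
@@ -121,14 +122,14 @@ def authentication():
 logger.info(f"user {g.username} DID NOT have tenant admin role for tenant {g.tenant_id}; "
 f"NOT allowing request.")
 raise common_errors.PermissionsError("Permission denied -- Tenant admin role required for accessing "
-"the authenticator admin endpoints.")
+"the authenticator admin endpoints.")
 except Exception as e:
 logger.error(f"got exception trying to check isAuthorized property from isAdmin() call to SK."
-f"username: {g.username}; tenant: {g.tenant_id}; rsp: {rsp}; e: {e}")
+f"username: {g.username}; tenant: {g.tenant_id}; rsp: {rsp}; e: {e}")
 logger.info(f"user {g.username} DID NOT have tenant admin role for tenant {g.tenant_id}; "
 f"NOT allowing request.")
 raise common_errors.PermissionsError("Permission denied -- Tenant admin role required for accessing the "
-"authenticator admin endpoints.")
+"authenticator admin endpoints.")
 
 # no credentials required on the authorize, login and oa2 extension pages
 if '/v3/oauth2/authorize' in request.url_rule.rule or '/v3/oauth2/login' in request.url_rule.rule \
@@ -144,7 +145,7 @@ def authentication():
 # make sure this request is for a tenant served by this authenticator
 if g.request_tenant_id not in conf.tenants:
 raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-f"served by this authenticator.")
+f"served by this authenticator.")
 return True
 
 # the profiles endpoints always use standard Tapis Token auth -
@@ -156,7 +157,7 @@ def authentication():
 # make sure this request is for a tenant served by this authenticator
 if g.request_tenant_id not in conf.tenants:
 raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-f"served by this authenticator.")
+f"served by this authenticator.")
 return True
 
 # the clients endpoints need to accept both standard Tapis Token auth and basic auth,
@@ -244,7 +245,7 @@ def authentication():
 # make sure this request is for a tenant served by this authenticator
 if g.request_tenant_id not in conf.tenants:
 raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-f"served by this authenticator.")
+f"served by this authenticator.")
 return True
 
 # Special v3->v2 token generation endpoint.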

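--- a/service/controllers.py
+++ b/service/controllers.py
@@ -397,11 +397,18 @@ def get(self):
 pem_key = tenant.public_key
 key = jwk.JWK.from_pem(pem_key.encode('utf-8'))
 jwk_json = key.export(as_dict=True)
+# check for required values:
+if 'alg' not in jwk_json.keys():
+jwk_json['alg'] = 'RS256'
+if 'typ' not in jwk_json.keys():
+jwk_json['typ'] = 'JWT'
+# NOTE 2025.3.28 kprice -- these values can be hard coded since they are also hard coded in tokens. If these values ever change in tokens we'll need to update this block.
 
 json_response = {
 'keys': [jwk_json]
 }
-return json_response #utils.ok(result=metadata, msg='OAuth OIDC metadata retrieved successfully.')
+logger.debug(f'Got JWKS keys: {json.dumps(json_response, indent=4)}')
+return jsonify(json_response) #utils.ok(result=metadata, msg='OAuth OIDC metadata retrieved successfully.')
 
 
 # ---------------------------------
@@ -1405,6 +1412,7 @@ def _handle_tokens_request(request, oidc=False):
 client = Client.query.filter_by(tenant_id=tenant_id, client_id=client_id, client_key=client_key).first()
 if not client:
 # todo -- remove session
+logger.debug(f'Client with id {client_id} and key {client_key} not found on tenant {tenant_id}.')
 raise errors.ResourceError(msg=f'Invalid client credentials: {client_id}, {client_key}. '
 f'session: {session}')
 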
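Review bot: The debug line added in `_handle_tokens_request` writes `client_key` — the client's secret credential — into the log, so every failed token request leaves that secret in plaintext log storage; log only the identifiers, `logger.debug(f'Client with id {client_id} not found on tenant {tenant_id}.')`. The pre-existing `ResourceError` just below it also echoes `client_key` back to the caller and would benefit from the same trimming, though that line is not part of this change. In the JWKS `get` hunk, `typ` is a JOSE header parameter rather than a JWK member as far as I can tell, so the `jwk_json['typ'] = 'JWT'` default is unlikely to be consumed by verifiers, while the `alg` default is reasonable. Both enclosing functions begin outside their hunks, and `_handle_tokens_request` continues past its hunk.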