Merge branch 'staging' into prod

Author: NotChristianGarcia

Dockerfile

@@ -1,5 +1,5 @@
 # image: tapis/authenticator
-FROM tapis/flaskbase:1.7.0
+FROM tapis/flaskbase:1.8.1
 
 COPY requirements.txt /home/tapis/requirements.txt
 RUN pip install -r /home/tapis/requirements.txt

Makefile

@@ -6,6 +6,14 @@
 #        CONSIDER USING VIM (sigh!) WHICH ACTUALLY HAS GOOD MAKEFILE EDITING SUPPORT.
 
 
+
+# To run tests ensure service_password and token_url in .env
+# make clean
+# make build
+# make init_dbs
+# make migrate.upgrade
+# make test
+
 # it is required that the operator export API_NAME=<name_of_the_api> before using this makefile/
 # default to authenticator
 API_NAME ?=authenticator

service/__init__.py

@@ -19,7 +19,7 @@
 logger.debug("creating the authenticator tapis service client...")
 t = get_service_tapis_client(tenants=auth_tenants, 
                              # todo -- change back once tokens api update is in prod
-                             resource_set='dev'
+                             # resource_set='dev'
                             )
 
 

service/api.py

@@ -9,7 +9,7 @@
     ProfilesResource, ProfileResource, StaticFilesResource, LoginResource, SetTenantResource, LogoutResource, \
     WebappTokenGen, WebappTokenAndRedirect, TenantConfigResource, UserInfoResource, OAuth2ProviderExtCallback, \
     OAuthMetadataResource, MFAResource, DeviceFlowResource, DeviceCodeResource, V2TokenResource, \
-    RevokeTokensResource, SetIdentityProvider, WebappLogout, OIDCjwksResource, OIDCTokensResource#, OIDCUserInfoResource, OIDCMetadataResource
+    RevokeTokensResource, SetIdentityProvider, WebappLogout, OIDCjwksResource, OIDCTokensResource, OIDCUserInfoResource #, OIDCMetadataResource
 from service.ldap import populate_test_ldap
 from service.models import db, app, initialize_tenant_configs
 
@@ -79,6 +79,7 @@ def authnz_for_authenticator():
 #api.add_resource(OIDCMetadataResource, '/v3/oauth2/.well-known/openid-configuration')
 api.add_resource(OIDCjwksResource, '/v3/oauth2/jwks')
 api.add_resource(OIDCTokensResource, '/v3/oauth2/tokens/oidc')
+api.add_resource(OIDCUserInfoResource, '/v3/oauth2/userinfo/oidc')
 
 # Auth server resources
 api.add_resource(AuthorizeResource, '/v3/oauth2/authorize')

service/auth.py

@@ -60,6 +60,7 @@ def authentication():
         raise common_errors.ResourceError("The endpoint and HTTP method combination "
                                           "are not available from this service.")
 
+
     # the metadata endpoint is publicly available
     if '/v3/oauth2/.well-known/' in request.url_rule.rule:
         logger.debug(".well-known endpoint; request is allowed to be made unauthenticated.")
@@ -82,7 +83,7 @@ def authentication():
         # first, make sure this request is for a tenant served by this authenticator
         if g.request_tenant_id not in conf.tenants:
             raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-                                                 f"served by this authenticator.")
+                                                f"served by this authenticator.")
         # we only want to honor tokens from THIS authenticator; i.e., not some other authenticator. therefore, we need
         # to check that the tenant_id associated with the token (g.tenant_id) is the same as THIS authenticator's tenant
         # id;
@@ -91,28 +92,28 @@ def authentication():
                         f"and tenant was {conf.service_tenant_id}")
             return True
         logger.debug(f"request token does not represent THIS authenticator: token username: {g.username};"
-                     f" request tenant: {g.tenant_id}. Now checking for tenant admin...")
+                    f" request tenant: {g.tenant_id}. Now checking for tenant admin...")
         # all other service accounts are not allowed to update authenticator
         if g.account_type == 'service':
             raise common_errors.PermissionsError("Not authorized -- service accounts are not allowed to access the"
-                                                 "authenticator admin endpoints.")
+                                                "authenticator admin endpoints.")
         # sanity check -- the request tenant id should be the same as the token tenant id in the remaining cases because
         # they are all user tokens
         if not g.request_tenant_id == g.tenant_id:
             logger.error(f"program error -- g.request_tenant_id: {g.request_tenant_id} not equal to "
-                         f"g.tenant_id: {g.tenant_id} even though account type was user!")
+                        f"g.tenant_id: {g.tenant_id} even though account type was user!")
             raise common_errors.ServiceConfigError(f"Unexpected program error checking permissions. The tenant id of"
-                                                   f"the request ({g.request_tenant_id})  did not match the tenant id "
-                                                   f"of the access token ({g.tenant_id}). Please contact server "
-                                                   f"administrators.")
+                                                f"the request ({g.request_tenant_id})  did not match the tenant id "
+                                                f"of the access token ({g.tenant_id}). Please contact server "
+                                                f"administrators.")
         # check SK for tenant admin --
         try:
             rsp = t.sk.isAdmin(tenant=g.tenant_id, user=g.username)
         except Exception as e:
             logger.error(f"Got exception trying to check tenant admin role for tenant: {g.tenant_id} "
-                         f"and user: {g.username}; exception: {e}")
+                        f"and user: {g.username}; exception: {e}")
             raise common_errors.PermissionsError("Could not check tenant admin role with SK; this role is required for "
-                                                 "accessing the authenticator admin endpoints.")
+                                                "accessing the authenticator admin endpoints.")
         try:
             if rsp.isAuthorized:
                 logger.info(f"user {g.username} had tenant admin role for tenant {g.tenant_id}; allowing request.")
@@ -121,14 +122,14 @@ def authentication():
                 logger.info(f"user {g.username} DID NOT have tenant admin role for tenant {g.tenant_id}; "
                             f"NOT allowing request.")
                 raise common_errors.PermissionsError("Permission denied -- Tenant admin role required for accessing "
-                                                     "the authenticator admin endpoints.")
+                                                    "the authenticator admin endpoints.")
         except Exception as e:
             logger.error(f"got exception trying to check isAuthorized property from isAdmin() call to SK."
-                         f"username: {g.username}; tenant: {g.tenant_id}; rsp: {rsp}; e: {e}")
+                        f"username: {g.username}; tenant: {g.tenant_id}; rsp: {rsp}; e: {e}")
             logger.info(f"user {g.username} DID NOT have tenant admin role for tenant {g.tenant_id}; "
                         f"NOT allowing request.")
             raise common_errors.PermissionsError("Permission denied -- Tenant admin role required for accessing the "
-                                                 "authenticator admin endpoints.")
+                                                "authenticator admin endpoints.")
 
     # no credentials required on the authorize, login and oa2 extension pages
     if '/v3/oauth2/authorize' in request.url_rule.rule or '/v3/oauth2/login' in request.url_rule.rule \
@@ -142,9 +143,51 @@ def authentication():
         except AttributeError:
             raise common_errors.BaseTapisError("Unable to resolve tenant_id for request.")
         # make sure this request is for a tenant served by this authenticator
+        if g.request_tenant_id not in conf.tenants:
+            raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
+                                                f"served by this authenticator.")
+        return True
+
+    # token should come from `Authorization: Bearer $token` header. rather than x-tapis-token
+    # this endpoint takes both, converts Authorization to x-tapis-token for simplicity
+    if '/v3/oauth2/userinfo/oidc' in request.url_rule.rule:
+        logger.debug(f"top of /v3/oauth2/userinfo/oidc auth: request.headers: {request.headers}")
+
+        auth_token = request.headers.get('Authorization')
+        if auth_token and auth_token.startswith('Bearer ') and not request.headers.get('X-Tapis-Token'):
+            try:
+                # overwrite the headers via wsgi environ. request.headers itself is read-only
+                tapis_token = auth_token.replace('Bearer ', '')
+                logger.debug(f"found auth header; setting environ X-Tapis-Token to {tapis_token}")
+                # modify the WSGI environment directly
+                # wsgi requires headers be uppercase, no dashes, and prefixed with 'HTTP_'
+                request.environ['HTTP_X_TAPIS_TOKEN'] = tapis_token
+            except Exception as e:
+                logger.error(f"found auth header, but failed to parse it; exception: {e}")
+
+        # debug logs
+        try:
+            headers = request.headers
+            logger.debug(f"before auth.authentication(). request.headers: {headers.keys()}")
+        except Exception as e:
+            pass
+
+        # tokens might have aud, if jwt.decode in tapisservice doesn't specify expected aud you'll
+        # get invalid aud. Either we can somehow pop aud or specify to jwt.decode(options={'verify_aud': False})
+        # Instead of verify = false we can also specify a list of valid auds. Pop aud would require
+        # re-encoding+signing key. We don't have private tenant key in auth though. Ignoring for now, only
+        # bookstack looks for this when running their auth.
+        # resolve_tenant_id_for_request decode needs aud to expect - https://github.com/jpadilla/pyjwt/blob/master/docs/usage.rst#audience-claim-aud
+        # Edit, expected_aud now exists. Bookstack asks for aud == client_id. For now we'll just allow any aud, especially as this is one endpoint.
+
+        auth.authentication(expected_aud=["*"])
+        # always resolve the request tenant id based on the URL:
+        auth.resolve_tenant_id_for_request()
+        # make sure this request is for a tenant served by this authenticator
         if g.request_tenant_id not in conf.tenants:
             raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
                                                  f"served by this authenticator.")
+        logger.debug(f"End of v3/oauth2/userinfo/oidc auth: final request_tenant_id: {g.request_tenant_id}")
         return True
 
     # the profiles endpoints always use standard Tapis Token auth -
@@ -156,7 +199,7 @@ def authentication():
         # make sure this request is for a tenant served by this authenticator
         if g.request_tenant_id not in conf.tenants:
             raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-                                                 f"served by this authenticator.")
+                                                f"served by this authenticator.")
         return True
 
     # the clients endpoints need to accept both standard Tapis Token auth and basic auth,
@@ -244,7 +287,7 @@ def authentication():
         # make sure this request is for a tenant served by this authenticator
         if g.request_tenant_id not in conf.tenants:
             raise common_errors.PermissionsError(f"The request is for a tenant ({g.request_tenant_id}) that is not "
-                                                 f"served by this authenticator.")
+                                                f"served by this authenticator.")
         return True
 
     # Special v3->v2 token generation endpoint.

service/controllers.py

@@ -10,6 +10,7 @@
 from openapi_core import openapi_request_validator
 from openapi_core.contrib.flask import FlaskOpenAPIRequest
 from jwcrypto import jwk
+import jwt
 import sqlalchemy
 import secrets
 import random
@@ -203,19 +204,74 @@ def get(self):
         return resp
 
 
+def _handle_userinfo_request(request, oidc=False):
+    tenant_id = g.request_tenant_id
+    if oidc:
+        logger.debug(f'top of GET /v3/oauth2/userinfo/oidc - tenant_id: {tenant_id}')
+    else:
+        logger.debug(f'top of GET /v3/oauth2/userinfo - tenant_id: {tenant_id}')
+    # note that the user info endpoint is more limited for custom oauth idp extensions in general because the
+    # custom OAuth server may not provide a profile endpoint.
+    custom_oa2_extension_type = tenant_configs_cache.get_custom_oa2_extension_type(tenant_id=tenant_id)
+    ## token should maybe already have:
+    # jti iss sub exp tapis/tenant_id tapis/token_type
+    # tapis/delegation tapis/delegation_sub tapis/username
+    # tapis/account_type tapis/client_id tapis/grant_type
+
+    if custom_oa2_extension_type and not custom_oa2_extension_type == 'ldap':
+        logger.debug(f"Using custom auth for userinfo; custom_oa2_extension_type: {custom_oa2_extension_type}")
+        logger.debug(f"g.token_claims - {g.token_claims}")
+        result = {"username": g.username}
+        return utils.ok(result=result, msg="User profile retrieved successfully - custom auth extension provider")
+
+    userinfo = get_tenant_user(tenant_id=tenant_id, username=g.username)
+
+    ## Rubin Science place needs
+    # rubin scope with info via data_rights
+    # adding data rights for specific users for rubin - test
+    logger.debug(f"userinfo: {userinfo.serialize}")
+    try:
+        username = userinfo.get('username')
+    except:
+        username = "TALKTODEV"
+    if oidc:
+        logger.debug(f"inside of oidc userinfo; username: {username}")
+        ## This code still doesn't matter, was attempting some debugging for rubin place
+        # Kevin got Gafaelfawr to look in the "correct field" to map groups
+        if username and username in ["cgarcia", "mpackard", "kprice", "jstubbs"]:
+            data_rights = get_user_data_rights(username)
+            if data_rights:
+                userinfo["data_rights"] = " ".join(data_rights)
+
+        # return token + userinfo as return for bookstack OIDC userinfo call.
+        # bookstack at leasts needs sub claim.
+        try: 
+            token_dict = jwt.decode(g.x_tapis_token, options={"verify_signature": False})
+            newinfo = userinfo.serialize
+            newinfo.update(token_dict)
+        except Exception as e:
+            logger.debug(f"Error creating userinfo+token object: {e}, token: {g.x_tapis_token}")
+            raise errors.ResourceError("Error with token and userinfo objects.")
+        return jsonify(newinfo)
+
+    return utils.ok(result=userinfo.serialize, msg="User profile retrieved successfully.")
+
+
+def get_user_data_rights(username):
+    # Implement logic to retrieve the list of data releases the user has access to
+    # This function should return a list of strings representing data releases
+    return ["release1", "release2", "lsst-sqre", "admin:jupyterlab", "admin", "jupyterlab", "square", "tacc-spherex"]
+
+
 class UserInfoResource(Resource):
     def get(self):
-        logger.debug(f'top of GET /v3/oauth2/userinfo')
-        tenant_id = g.request_tenant_id
-        # note that the user info endpoint is more limited for custom oauth idp extensions in general because the
-        # custom OAuth server may not provider a profile endpoint.
-        custom_oa2_extension_type = tenant_configs_cache.get_custom_oa2_extension_type(tenant_id=tenant_id)
-        if custom_oa2_extension_type and not custom_oa2_extension_type == 'ldap':
-            result = {"username": g.username}
-            return utils.ok(result=result, msg="User profile retrieved successfully.")
+        return _handle_userinfo_request(request, oidc=False)
+
+
+class OIDCUserInfoResource(Resource):
+    def get(self):
+        return _handle_userinfo_request(request, oidc=True)
 
-        user = get_tenant_user(tenant_id=tenant_id, username=g.username)
-        return utils.ok(result=user.serialize, msg="User profile retrieved successfully.")
 
 
 class ProfileResource(Resource):
@@ -358,29 +414,6 @@ def put(self):
 # OIDC endpoints
 # ---------------------------------
 
-# class OIDCMetadataResource(Resource):
-#     """
-#     Provides the OIDC .well-known endpoint.
-#     """
-#     def get(self):
-#         logger.info("top of GET /v3/oauth2/.well-known/openid-configuration")
-#         tenant_id = g.request_tenant_id
-#         config = tenant_configs_cache.get_config(tenant_id)
-#         allowable_grant_types = json.loads(config.allowable_grant_types)
-#         tenant = t.tenant_cache.get_tenant_config(tenant_id=tenant_id)
-#         base_url = tenant.base_url
-#         json_response = {
-#             'issuer': f'{base_url}/v3/tokens',
-#             'authorization_endpoint': f'{base_url}/v3/oauth2/authorize',
-#             'token_endpoint': f'{base_url}/v3/oauth2/tokens/oidc?oidc=true',
-#             'jwks_uri': f'{base_url}/v3/oauth2/jwks',
-#             'registration_endpoint': f'{base_url}/v3/oauth2/clients',
-#             'grant_types_supported': allowable_grant_types,
-#             'userinfo_endpoint': f'{base_url}/v3/oauth2/userinfo/oidc',
-#         }
-#         return json_response #utils.ok(result=metadata, msg='OAuth OIDC metadata retrieved successfully.')
-
-
 class OIDCjwksResource(Resource):
     """
     Provides the OIDC jwks endpoint.
@@ -397,11 +430,17 @@ def get(self):
         pem_key = tenant.public_key
         key = jwk.JWK.from_pem(pem_key.encode('utf-8'))
         jwk_json = key.export(as_dict=True)
+        # check for required values:
+        if 'alg' not in jwk_json.keys():
+            jwk_json['alg'] = 'RS256'
+        if 'typ' not in jwk_json.keys():
+            jwk_json['typ'] = 'JWT'
+        # NOTE 2025.3.28 kprice -- these values can be hard coded since they are also hard coded in tokens. If these values ever change in tokens we'll need to update this block.
 
         json_response = {
             'keys': [jwk_json]
         }
-        return json_response #utils.ok(result=metadata, msg='OAuth OIDC metadata retrieved successfully.')
+        return jsonify(json_response) #utils.ok(result=metadata, msg='OAuth OIDC metadata retrieved successfully.')
 
 
 # ---------------------------------
@@ -459,7 +498,6 @@ def check_client(use_session=False):
         logout()
         raise errors.ResourceError("Required query parameter client_id missing.")
     # make sure the client exists and the redirect_uri matches
-    logger.debug(f"checking for client with id: {client_id} in tenant {tenant_id}")
     client = Client.query.filter_by(tenant_id=tenant_id, client_id=client_id).first()
     if not client:
         logout()
@@ -1405,6 +1443,7 @@ def _handle_tokens_request(request, oidc=False):
             client = Client.query.filter_by(tenant_id=tenant_id, client_id=client_id, client_key=client_key).first()
             if not client:
                 # todo -- remove session
+                logger.debug(f'Client with id {client_id} and key {client_key} not found on tenant {tenant_id}.')
                 raise errors.ResourceError(msg=f'Invalid client credentials: {client_id}, {client_key}. '
                                                f'session: {session}')
 
@@ -1511,6 +1550,7 @@ def _handle_tokens_request(request, oidc=False):
             content['claims']['tapis/idp_id'] = idp_id
         if oidc:
             if client_id:
+                # bookstack for example requires aud to match client id
                 content['claims']['aud'] = client_id
             content['claims']['iat'] = int(time.time())
             content['claims']['extravar'] = username