Fix OIDC function and tests

bafa8aed · Sébastien DA ROCHA · d200b0dd · bafa8aed · bafa8aed · bafa8aed
Commit bafa8aed authored May 14, 2021 by Sébastien DA ROCHA
9 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,6 @@ node_modules

 /dist

-.vscode
\ No newline at end of file
+.vscode
+
+*.sw[op]
--- a/Pipfile
+++ b/Pipfile
@@ -6,6 +6,7 @@ verify_ssl = true
 [dev-packages]

 [packages]
+pyjwt = {extras = ["crypto"], version = "*"}

 [requires]
 python_version = "3.7"
--- a/Pipfile.lock
+++ b/Pipfile.lock
 {
    "_meta": {
        "hash": {
-            "sha256": "7e7ef69da7248742e869378f8421880cf8f0017f96d94d086813baa518a65489"
+            "sha256": "447bb53ac82c4d9d20580bfcaa2c383ff7f35d9d48bc2b71d74c2246aee8b724"
        },
        "pipfile-spec": 6,
        "requires": {
@@ -15,6 +15,85 @@
            }
        ]
    },
-    "default": {},
+    "default": {
+        "cffi": {
+            "hashes": [
+                "sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
+                "sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
+                "sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
+                "sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
+                "sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
+                "sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
+                "sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
+                "sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
+                "sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
+                "sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
+                "sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
+                "sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
+                "sha256:51182f8927c5af975fece87b1b369f722c570fe169f9880764b1ee3bca8347b5",
+                "sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
+                "sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
+                "sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
+                "sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
+                "sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
+                "sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
+                "sha256:72d8d3ef52c208ee1c7b2e341f7d71c6fd3157138abf1a95166e6165dd5d4369",
+                "sha256:8ae6299f6c68de06f136f1f9e69458eae58f1dacf10af5c17353eae03aa0d827",
+                "sha256:8b198cec6c72df5289c05b05b8b0969819783f9418e0409865dac47288d2a053",
+                "sha256:99cd03ae7988a93dd00bcd9d0b75e1f6c426063d6f03d2f90b89e29b25b82dfa",
+                "sha256:9cf8022fb8d07a97c178b02327b284521c7708d7c71a9c9c355c178ac4bbd3d4",
+                "sha256:9de2e279153a443c656f2defd67769e6d1e4163952b3c622dcea5b08a6405322",
+                "sha256:9e93e79c2551ff263400e1e4be085a1210e12073a31c2011dbbda14bda0c6132",
+                "sha256:9ff227395193126d82e60319a673a037d5de84633f11279e336f9c0f189ecc62",
+                "sha256:a465da611f6fa124963b91bf432d960a555563efe4ed1cc403ba5077b15370aa",
+                "sha256:ad17025d226ee5beec591b52800c11680fca3df50b8b29fe51d882576e039ee0",
+                "sha256:afb29c1ba2e5a3736f1c301d9d0abe3ec8b86957d04ddfa9d7a6a42b9367e396",
+                "sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
+                "sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
+                "sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
+                "sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
+                "sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
+                "sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
+                "sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
+            ],
+            "version": "==1.14.5"
+        },
+        "cryptography": {
+            "hashes": [
+                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
+                "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
+                "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
+                "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
+                "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
+                "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
+                "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
+                "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
+                "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
+                "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
+                "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
+                "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
+            ],
+            "version": "==3.4.7"
+        },
+        "pycparser": {
+            "hashes": [
+                "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0",
+                "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"
+            ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==2.20"
+        },
+        "pyjwt": {
+            "extras": [
+                "crypto"
+            ],
+            "hashes": [
+                "sha256:934d73fbba91b0483d3857d1aff50e96b2a892384ee2c17417ed3203f173fca1",
+                "sha256:fba44e7898bbca160a2b2b501f492824fc8382485d3a6f11ba5d0c1937ce6130"
+            ],
+            "index": "pypi",
+            "version": "==2.1.0"
+        }
+    },
    "develop": {}
 }
--- a/src/legacy/legacy.controller.ts
+++ b/src/legacy/legacy.controller.ts
@@ -23,11 +23,6 @@ export class LegacyController {
    private tokenService: TokenService,
  ) { }

-
-
-
-
-
  @Get('user')
  @ApiOperation({ title: 'Get user info.' })
  @ApiImplicitHeader({
@@ -103,7 +98,7 @@ export class LegacyController {
  @HttpCode(201)
  async createOidcAccount(@Req() req) {
    try {
-      return await this.legacyServiceOidc.createAccount(req.headers['email']);
+      return await this.legacyServiceOidc.createAccount(req.headers.token);
    } catch (error) {
      if (error instanceof HttpException) {
        throw error;
@@ -273,7 +268,8 @@ export class LegacyController {
    try {
      let userServices;
      if (token.authzKey == null) { // is OIDC token
-        userServices = await this.legacyServiceOidc.getUserResources(token, req.headers['apis_access_token']);
+        const access_token = await this.tokenService.getAccessToken(token)
+        userServices = await this.legacyServiceOidc.getUserResources(token, access_token);
      } else {
        userServices = await this.legacyService.getUserResources(token);
      }
@@ -303,7 +299,8 @@ export class LegacyController {
    const token: JWTToken = req.headers.token;
    try {
      if (token.authzKey == null) { // is OIDC token
-        return await this.legacyServiceOidc.addUserResource(token, body);
+        const access_token = await this.tokenService.getAccessToken(token)
+        return await this.legacyServiceOidc.addUserResource(token, body, access_token);
      } else {
        return await this.legacyService.addUserResource(token, body);
      }

--- a/src/legacy/legacy.service.oidc.ts
+++ b/src/legacy/legacy.service.oidc.ts
@@ -33,11 +33,12 @@ export class LegacyServiceOIDC extends LegacyService {
    super(configService);
  }

-  async createAccount(email): Promise<void> {
+  async createAccount(token): Promise<void> {
    this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);

    try {
-      this.logger.log('token ', email);
+      const email = token.email;
+      this.logger.log(' [*] user', email);
      
      if(email) {
        var tokenInfos= await this.tokenService.getTokenInfos(email);
@@ -58,12 +59,12 @@ export class LegacyServiceOIDC extends LegacyService {
        this.logger.log(`OIDC user account validation for : ${token_data['http://wso2.org/claims/emailaddress']}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);

        let res = await request.post(options).catch((error) => {
+          this.logger.error(`Couldn\'t create user (socle answer): ${error}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
          const inres = JSON.parse(error.error);
          // Normal use case
          if (inres.message === 'Account already exists') {
            return;
          }
-          this.logger.error(`Couldn\'t create user (socle answer): ${error}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
          throw new InternalServerErrorException({ error, message: 'Couldn\'t create user.' });
        });

@@ -97,11 +98,12 @@ export class LegacyServiceOIDC extends LegacyService {
    }
  }

-  async getUserResources(token: JWTToken, access_token: string=""): Promise<Resource[]> {
-    const username = token.username;
+  async getUserResources(token: JWTToken): Promise<Resource[]> {
    this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.getUserResources.name}`);
    try {
+      const username = token.email;

+      const access_token = await this.tokenService.getAccessToken(token)
      let options = {
        //method: 'POST',
        headers:{
@@ -141,7 +143,7 @@ export class LegacyServiceOIDC extends LegacyService {
    }
  }

-  async addUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRequestResponse> {
+  async addUserResource(token: JWTToken, accessRequests: AccessRequest[], access_token:string = ""): Promise<AccessRequestResponse> {
    this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.addUserResource.name}`);
    try {

@@ -156,8 +158,16 @@ export class LegacyServiceOIDC extends LegacyService {

      for (const accessRequest of accessRequests) {
        // Request access the the specified service and the specified modes
-        this.logger.log('got data', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
-        let res = await request.post(`${this.conf.legacyAuthOidcUrl}/add_user_service/`).form(
+        this.logger.log('got data', `${LegacyServiceOIDC.name} - ${this.addUserResource.name}`);
+
+        let options = {
+          method: 'POST',
+          headers:{
+            'Authorization': 'Bearer ' + access_token,
+          },
+          url: `${this.conf.legacyAuthOidcUrl}/add_user_service/`,
+        };
+        let res = await request(options).form(
          {
            username: token.email,
            service_id: accessRequest.id,
@@ -237,10 +247,11 @@ export class LegacyServiceOIDC extends LegacyService {
    }
  }

-  async renewUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRenewalResponse> {
+  async renewUserResource(token: JWTToken, accessRequests: AccessRequest[], access_token:string = ""): Promise<AccessRenewalResponse> {
    this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
    try {
      // Get the list of user access
+      const access_token = await this.tokenService.getAccessToken(token);
      const userAccess = await this.getUserResources(token);
      // Get the list of datasets
      const datasets = await this.getRestrictedAccessDatasets();

--- a/src/legacy/legacy.service.ts
+++ b/src/legacy/legacy.service.ts
@@ -570,6 +570,7 @@ export class LegacyService {

  async renewUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRenewalResponse> {
    this.logger.log('Entering function', `${LegacyService.name} - ${this.renewUserResource.name}`);
+    this.logger.log(this, `${LegacyService.name} - ${this.renewUserResource.name}`);
    try {
      // Decrypt the password
      const password = decrypt(token.authzKey, await this.configService.getPrivateKey());

--- a/test/Pipfile
+++ b/test/Pipfile
@@ -11,6 +11,7 @@ requests = "*"
 config = "*"
 python-decouple = "*"
 pyjwt = "*"
+redis = "*"

 [requires]
 python_version = "3.7"
--- a/test/Pipfile.lock
+++ b/test/Pipfile.lock
 {
    "_meta": {
        "hash": {
-            "sha256": "7558fd0f4c1afd71486dbc6f357b245b60c51edb176dc75d4f5013aae57ba783"
+            "sha256": "4ff476b96982764e5a2b0b4002d086299a9c47370979361d2e8d8c9c47008a23"
        },
        "pipfile-spec": 6,
        "requires": {
@@ -18,11 +18,11 @@
    "default": {
        "attrs": {
            "hashes": [
-                "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
-                "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
+                "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
+                "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==20.3.0"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "version": "==21.2.0"
        },
        "certifi": {
            "hashes": [
@@ -96,11 +96,11 @@
        },
        "pyjwt": {
            "hashes": [
-                "sha256:a5c70a06e1f33d81ef25eecd50d50bd30e34de1ca8b2b9fa3fe0daaabcf69bf7",
-                "sha256:b70b15f89dc69b993d8a8d32c299032d5355c82f9b5b7e851d1a6d706dffe847"
+                "sha256:934d73fbba91b0483d3857d1aff50e96b2a892384ee2c17417ed3203f173fca1",
+                "sha256:fba44e7898bbca160a2b2b501f492824fc8382485d3a6f11ba5d0c1937ce6130"
            ],
            "index": "pypi",
-            "version": "==2.0.1"
+            "version": "==2.1.0"
        },
        "pyparsing": {
            "hashes": [
@@ -112,11 +112,11 @@
        },
        "pytest": {
            "hashes": [
-                "sha256:671238a46e4df0f3498d1c3270e5deb9b32d25134c99b7d75370a68cfbe9b634",
-                "sha256:6ad9c7bdf517a808242b998ac20063c41532a570d088d77eec1ee12b0b5574bc"
+                "sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b",
+                "sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890"
            ],
            "index": "pypi",
-            "version": "==6.2.3"
+            "version": "==6.2.4"
        },
        "python-decouple": {
            "hashes": [
@@ -126,6 +126,14 @@
            "index": "pypi",
            "version": "==3.4"
        },
+        "redis": {
+            "hashes": [
+                "sha256:0e7e0cfca8660dea8b7d5cd8c4f6c5e29e11f31158c0b0ae91a397f00e5a05a2",
+                "sha256:432b788c4530cfe16d8d943a09d40ca6c16149727e4afe8c2c9d5580c59d9f24"
+            ],
+            "index": "pypi",
+            "version": "==3.5.3"
+        },
        "requests": {
            "hashes": [
                "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
@@ -144,12 +152,12 @@
        },
        "typing-extensions": {
            "hashes": [
-                "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
-                "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
-                "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
+                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
+                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
+                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
            ],
            "markers": "python_version < '3.8'",
-            "version": "==3.7.4.3"
+            "version": "==3.10.0.0"
        },
        "urllib3": {
            "hashes": [

--- a/test/test_oidc.py
+++ b/test/test_oidc.py
+import json
+
 import requests
 from decouple import config
 import jwt
+from redis import Redis

-TOKEN = ""
+TOKEN = config("TOKEN")

 PORT = config("PORT", 3000)
 ACCESS_TOKEN_COOKIE_KEY = config("ACCESS_TOKEN_COOKIE_KEY")

 BASE_URL = f"http://localhost:{PORT}"

-def test_user_createOidcAccount():
-    endpoint = "user/createOidcAccount"

+def send_request(endpoint, method="GET", data=None):
+
+    # Store OIDC token in Redis
+    oidc_token = jwt.decode(TOKEN, options={"verify_signature": False}, algorithms=["RS256"])
+    email = oidc_token["http://wso2.org/claims/emailaddress"]
+    tokens = json.dumps({"access_token": TOKEN})
+
+    client = Redis(config('REDIS_MASTER_HOST'))
+    client.set(email, tokens)
+
+    # Forge Kong Token + XSRF protection
+    encoded_jwt = None
+    cookies = None
+    headers = dict()
    encoded_jwt = jwt.encode(
        {
+            "email": email,
            "some": "payload",
            "xsrfToken": "x-xsrf-token_secret",
        },
@@ -25,87 +41,98 @@ def test_user_createOidcAccount():
    headers = {
        "x-anonymous-consumer": "false",
        "x-xsrf-token": "x-xsrf-token_secret",
-        "apis_access_token": TOKEN,
    }
-    resp = requests.post(
+
+    if email:
+        headers["email"] = email
+
+    return requests.request(
+        method,
        f"{BASE_URL}/{endpoint}",
-        #json=data_input,
-        #data = form,
+        json=data,
        cookies=cookies,
        headers=headers,
-        #files=files
    )

-    resp.raise_for_status()
+def test_user_createOidcAccount():
+    endpoint = "user/createOidcAccount"

-    resp_json = resp.json()
+    resp = send_request(endpoint,
+                        method="POST",
+                       )
+
+    #resp.raise_for_status()
+    assert resp.status_code == 201
+    assert not resp.content


 def test_user_resources():
    endpoint = "user/resources"

-    encoded_jwt = jwt.encode(
-        {
-            "some": "payload",
-            "xsrfToken": "x-xsrf-token_secret",
-        },
-        "secret",
-        algorithm="HS256",
-    )
-
-    cookies = {ACCESS_TOKEN_COOKIE_KEY: encoded_jwt}
-    headers = {
-        "x-anonymous-consumer": "false",
-        "x-xsrf-token": "x-xsrf-token_secret",
-        "apis_access_token": TOKEN,
-    }
-    resp = requests.get(
-        f"{BASE_URL}/{endpoint}",
-        cookies=cookies,
-        headers=headers,
-    )
+    resp = send_request(endpoint)

-    resp.raise_for_status()
+    #resp.raise_for_status()
+    assert resp.status_code == 200

    resp_json = resp.json()
+    assert  resp_json == [
+        {
+            'datasetId': 3,
+            'datasetName': 'Rdata',
+            'geonetUuid': None,
+            'serviceName': 'wms',
+            'status': 'opened',
+            'urlPattern': 'rdata',
+            'validUntil': 'Tue Dec 31 2030 00:00:00 GMT+0000',
+        }
+    ]


 def test_user_addUserResource():
    endpoint = "user/resources/add"


-    data_input = {
-        "id": 55,
-        "servicesId": [
-            1,
-            2,
-            5,
-        ]
-    }
+    data_input = [
+        {
+            "id": 55,
+            "servicesId": [
+                1,
+                2,
+                5,
+            ]
+        }
+    ]

-    encoded_jwt = jwt.encode(
+    resp = send_request(endpoint, method="POST", data=data_input)
+
+    #resp.raise_for_status()
+    assert resp.status_code == 201
+
+    resp_json = resp.json()
+    assert {
+        'successfullyRequested': ['Rdata / Confluence - Etat du trafic temps réel (wms,wfs,files)'], 
+        'unsuccessfullyRequested': []
+    } == resp_json
+
+
+def test_user_renewUserResource():
+    endpoint = "user/resources/renew"
+
+    data_input = [
        {
-            "some": "payload",
-            "xsrfToken": "x-xsrf-token_secret",
-        },
-        "secret",
-        algorithm="HS256",
-    )
-    cookies = {ACCESS_TOKEN_COOKIE_KEY: encoded_jwt}
-    headers = {
-        "x-anonymous-consumer": "false",
-        "x-xsrf-token": "x-xsrf-token_secret",
-        "apis_access_token": TOKEN,
-    }
-    resp = requests.post(
-        f"{BASE_URL}/{endpoint}",
-        json=data_input,
-        #data = form,
-        cookies=cookies,
-        headers=headers,
-        #files=files
-    )
+            "id": 55,
+            "servicesId": [
+                1,
+                2,
+                5,
+            ]
+        }
+    ]
+
+    resp = send_request(endpoint, method="POST", data=data_input)

-    resp.raise_for_status()
+    #resp.raise_for_status()
+    assert resp.status_code == 201

    resp_json = resp.json()
+    assert {'successfullyRenewalRequested': [], 'unsuccessfullyRenewalRequested': ['Rdata / Confluence - Etat du trafic temps réel (wms,wfs,files)']} == resp_json