Commit bafa8aed authored by Sébastien DA ROCHA's avatar Sébastien DA ROCHA

Fix OIDC function and tests

parent d200b0dd
......@@ -6,4 +6,6 @@ node_modules
/dist
.vscode
\ No newline at end of file
.vscode
*.sw[op]
......@@ -6,6 +6,7 @@ verify_ssl = true
[dev-packages]
[packages]
pyjwt = {extras = ["crypto"], version = "*"}
[requires]
python_version = "3.7"
{
"_meta": {
"hash": {
"sha256": "7e7ef69da7248742e869378f8421880cf8f0017f96d94d086813baa518a65489"
"sha256": "447bb53ac82c4d9d20580bfcaa2c383ff7f35d9d48bc2b71d74c2246aee8b724"
},
"pipfile-spec": 6,
"requires": {
......@@ -15,6 +15,85 @@
}
]
},
"default": {},
"default": {
"cffi": {
"hashes": [
"sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
"sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
"sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
"sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
"sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
"sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
"sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
"sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
"sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
"sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
"sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
"sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
"sha256:51182f8927c5af975fece87b1b369f722c570fe169f9880764b1ee3bca8347b5",
"sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
"sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
"sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
"sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
"sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
"sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
"sha256:72d8d3ef52c208ee1c7b2e341f7d71c6fd3157138abf1a95166e6165dd5d4369",
"sha256:8ae6299f6c68de06f136f1f9e69458eae58f1dacf10af5c17353eae03aa0d827",
"sha256:8b198cec6c72df5289c05b05b8b0969819783f9418e0409865dac47288d2a053",
"sha256:99cd03ae7988a93dd00bcd9d0b75e1f6c426063d6f03d2f90b89e29b25b82dfa",
"sha256:9cf8022fb8d07a97c178b02327b284521c7708d7c71a9c9c355c178ac4bbd3d4",
"sha256:9de2e279153a443c656f2defd67769e6d1e4163952b3c622dcea5b08a6405322",
"sha256:9e93e79c2551ff263400e1e4be085a1210e12073a31c2011dbbda14bda0c6132",
"sha256:9ff227395193126d82e60319a673a037d5de84633f11279e336f9c0f189ecc62",
"sha256:a465da611f6fa124963b91bf432d960a555563efe4ed1cc403ba5077b15370aa",
"sha256:ad17025d226ee5beec591b52800c11680fca3df50b8b29fe51d882576e039ee0",
"sha256:afb29c1ba2e5a3736f1c301d9d0abe3ec8b86957d04ddfa9d7a6a42b9367e396",
"sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
"sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
"sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
"sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
"sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
"sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
"sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
],
"version": "==1.14.5"
},
"cryptography": {
"hashes": [
"sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
"sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
"sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
"sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
"sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
"sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
"sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
"sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
"sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
"sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
"sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
"sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
],
"version": "==3.4.7"
},
"pycparser": {
"hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.20"
},
"pyjwt": {
"extras": [
"crypto"
],
"hashes": [
"sha256:934d73fbba91b0483d3857d1aff50e96b2a892384ee2c17417ed3203f173fca1",
"sha256:fba44e7898bbca160a2b2b501f492824fc8382485d3a6f11ba5d0c1937ce6130"
],
"index": "pypi",
"version": "==2.1.0"
}
},
"develop": {}
}
......@@ -23,11 +23,6 @@ export class LegacyController {
private tokenService: TokenService,
) { }
@Get('user')
@ApiOperation({ title: 'Get user info.' })
@ApiImplicitHeader({
......@@ -103,7 +98,7 @@ export class LegacyController {
@HttpCode(201)
async createOidcAccount(@Req() req) {
try {
return await this.legacyServiceOidc.createAccount(req.headers['email']);
return await this.legacyServiceOidc.createAccount(req.headers.token);
} catch (error) {
if (error instanceof HttpException) {
throw error;
......@@ -273,7 +268,8 @@ export class LegacyController {
try {
let userServices;
if (token.authzKey == null) { // is OIDC token
userServices = await this.legacyServiceOidc.getUserResources(token, req.headers['apis_access_token']);
const access_token = await this.tokenService.getAccessToken(token)
userServices = await this.legacyServiceOidc.getUserResources(token, access_token);
} else {
userServices = await this.legacyService.getUserResources(token);
}
......@@ -303,7 +299,8 @@ export class LegacyController {
const token: JWTToken = req.headers.token;
try {
if (token.authzKey == null) { // is OIDC token
return await this.legacyServiceOidc.addUserResource(token, body);
const access_token = await this.tokenService.getAccessToken(token)
return await this.legacyServiceOidc.addUserResource(token, body, access_token);
} else {
return await this.legacyService.addUserResource(token, body);
}
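Review bot: The value returned by `this.tokenService.getAccessToken(token)` in the `getUserResources` hunk is forwarded to the OIDC service without being checked, so a user who has no stored access token ends up with that value interpolated into a downstream `Authorization: Bearer` header instead of being rejected at the controller. I would guard it right after the await, e.g. `if (!access_token) { throw new UnauthorizedException('No OIDC access token for user'); }` (or whichever HttpException subclass this file already imports), and do the same in the `addUserResource` hunk below. In the `createOidcAccount` hunk, `req.headers.token` is passed straight through without the `token.authzKey == null` test the other two handlers use to tell OIDC tokens from legacy ones, so a legacy token would presumably reach the OIDC account-creation path; worth confirming that is intended. All three handler bodies continue outside the hunks.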
......
......@@ -33,11 +33,12 @@ export class LegacyServiceOIDC extends LegacyService {
super(configService);
}
async createAccount(email): Promise<void> {
async createAccount(token): Promise<void> {
this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
try {
this.logger.log('token ', email);
const email = token.email;
this.logger.log(' [*] user', email);
if(email) {
var tokenInfos= await this.tokenService.getTokenInfos(email);
......@@ -58,12 +59,12 @@ export class LegacyServiceOIDC extends LegacyService {
this.logger.log(`OIDC user account validation for : ${token_data['http://wso2.org/claims/emailaddress']}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
let res = await request.post(options).catch((error) => {
this.logger.error(`Couldn\'t create user (socle answer): ${error}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
const inres = JSON.parse(error.error);
// Normal use case
if (inres.message === 'Account already exists') {
return;
}
this.logger.error(`Couldn\'t create user (socle answer): ${error}`, `${LegacyServiceOIDC.name} - ${this.createAccount.name}`);
throw new InternalServerErrorException({ error, message: 'Couldn\'t create user.' });
});
......@@ -97,11 +98,12 @@ export class LegacyServiceOIDC extends LegacyService {
}
}
async getUserResources(token: JWTToken, access_token: string=""): Promise<Resource[]> {
const username = token.username;
async getUserResources(token: JWTToken): Promise<Resource[]> {
this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.getUserResources.name}`);
try {
const username = token.email;
const access_token = await this.tokenService.getAccessToken(token)
let options = {
//method: 'POST',
headers:{
......@@ -141,7 +143,7 @@ export class LegacyServiceOIDC extends LegacyService {
}
}
async addUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRequestResponse> {
async addUserResource(token: JWTToken, accessRequests: AccessRequest[], access_token:string = ""): Promise<AccessRequestResponse> {
this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.addUserResource.name}`);
try {
......@@ -156,8 +158,16 @@ export class LegacyServiceOIDC extends LegacyService {
for (const accessRequest of accessRequests) {
// Request access the the specified service and the specified modes
this.logger.log('got data', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
let res = await request.post(`${this.conf.legacyAuthOidcUrl}/add_user_service/`).form(
this.logger.log('got data', `${LegacyServiceOIDC.name} - ${this.addUserResource.name}`);
let options = {
method: 'POST',
headers:{
'Authorization': 'Bearer ' + access_token,
},
url: `${this.conf.legacyAuthOidcUrl}/add_user_service/`,
};
let res = await request(options).form(
{
username: token.email,
service_id: accessRequest.id,
......@@ -237,10 +247,11 @@ export class LegacyServiceOIDC extends LegacyService {
}
}
async renewUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRenewalResponse> {
async renewUserResource(token: JWTToken, accessRequests: AccessRequest[], access_token:string = ""): Promise<AccessRenewalResponse> {
this.logger.log('Entering function', `${LegacyServiceOIDC.name} - ${this.renewUserResource.name}`);
try {
// Get the list of user access
const access_token = await this.tokenService.getAccessToken(token);
const userAccess = await this.getUserResources(token);
// Get the list of datasets
const datasets = await this.getRestrictedAccessDatasets();
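Review bot: In the `renewUserResource` hunk the new `access_token` parameter is dead: the `const access_token = await this.tokenService.getAccessToken(token);` declared inside the `try` shadows it, so whatever a caller passes is silently ignored, unlike `addUserResource`, which does use its parameter. Either drop the parameter or honour it, e.g. `const bearer = access_token || await this.tokenService.getAccessToken(token);` and use `bearer` below. Both methods default `access_token` to `""`, and `addUserResource` builds `'Authorization': 'Bearer ' + access_token` from it, so a missing token is sent upstream as an empty bearer header rather than failing fast; I would make the parameter required or throw before the request when it is empty. In the `createAccount` error handler the `this.logger.error(...)` line now runs after `JSON.parse(error.error)`, so when `error.error` is not a JSON body (a connection failure, where it is presumably an Error object) the parse throws a SyntaxError out of the catch callback with nothing logged; checking `typeof error.error === 'string'` before parsing keeps the log. The bodies of these methods continue outside the hunks.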
......
......@@ -570,6 +570,7 @@ export class LegacyService {
async renewUserResource(token: JWTToken, accessRequests: AccessRequest[]): Promise<AccessRenewalResponse> {
this.logger.log('Entering function', `${LegacyService.name} - ${this.renewUserResource.name}`);
this.logger.log(this, `${LegacyService.name} - ${this.renewUserResource.name}`);
try {
// Decrypt the password
const password = decrypt(token.authzKey, await this.configService.getPrivateKey());
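Review bot: The added `this.logger.log(this, ...)` in `renewUserResource` serialises the entire service instance into the log, which includes the injected `configService` (the same object the next line uses to fetch the private key) and whatever other configuration the instance holds, so this looks like a debug leftover that can leak secrets into log storage. I would remove the line, or log only a specific non-sensitive field such as the method name that is already in the message. The method body continues outside the hunk.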
......
......@@ -11,6 +11,7 @@ requests = "*"
config = "*"
python-decouple = "*"
pyjwt = "*"
redis = "*"
[requires]
python_version = "3.7"
{
"_meta": {
"hash": {
"sha256": "7558fd0f4c1afd71486dbc6f357b245b60c51edb176dc75d4f5013aae57ba783"
"sha256": "4ff476b96982764e5a2b0b4002d086299a9c47370979361d2e8d8c9c47008a23"
},
"pipfile-spec": 6,
"requires": {
......@@ -18,11 +18,11 @@
"default": {
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
},
"certifi": {
"hashes": [
......@@ -96,11 +96,11 @@
},
"pyjwt": {
"hashes": [
"sha256:a5c70a06e1f33d81ef25eecd50d50bd30e34de1ca8b2b9fa3fe0daaabcf69bf7",
"sha256:b70b15f89dc69b993d8a8d32c299032d5355c82f9b5b7e851d1a6d706dffe847"
"sha256:934d73fbba91b0483d3857d1aff50e96b2a892384ee2c17417ed3203f173fca1",
"sha256:fba44e7898bbca160a2b2b501f492824fc8382485d3a6f11ba5d0c1937ce6130"
],
"index": "pypi",
"version": "==2.0.1"
"version": "==2.1.0"
},
"pyparsing": {
"hashes": [
......@@ -112,11 +112,11 @@
},
"pytest": {
"hashes": [
"sha256:671238a46e4df0f3498d1c3270e5deb9b32d25134c99b7d75370a68cfbe9b634",
"sha256:6ad9c7bdf517a808242b998ac20063c41532a570d088d77eec1ee12b0b5574bc"
"sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b",
"sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890"
],
"index": "pypi",
"version": "==6.2.3"
"version": "==6.2.4"
},
"python-decouple": {
"hashes": [
......@@ -126,6 +126,14 @@
"index": "pypi",
"version": "==3.4"
},
"redis": {
"hashes": [
"sha256:0e7e0cfca8660dea8b7d5cd8c4f6c5e29e11f31158c0b0ae91a397f00e5a05a2",
"sha256:432b788c4530cfe16d8d943a09d40ca6c16149727e4afe8c2c9d5580c59d9f24"
],
"index": "pypi",
"version": "==3.5.3"
},
"requests": {
"hashes": [
"sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
......@@ -144,12 +152,12 @@
},
"typing-extensions": {
"hashes": [
"sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
"sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
"sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"markers": "python_version < '3.8'",
"version": "==3.7.4.3"
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
......
import json
import requests
from decouple import config
import jwt
from redis import Redis
TOKEN = ""
TOKEN = config("TOKEN")
PORT = config("PORT", 3000)
ACCESS_TOKEN_COOKIE_KEY = config("ACCESS_TOKEN_COOKIE_KEY")
BASE_URL = f"http://localhost:{PORT}"
def test_user_createOidcAccount():
endpoint = "user/createOidcAccount"
def send_request(endpoint, method="GET", data=None):
# Store OIDC token in Redis
oidc_token = jwt.decode(TOKEN, options={"verify_signature": False}, algorithms=["RS256"])
email = oidc_token["http://wso2.org/claims/emailaddress"]
tokens = json.dumps({"access_token": TOKEN})
client = Redis(config('REDIS_MASTER_HOST'))
client.set(email, tokens)
# Forge Kong Token + XSRF protection
encoded_jwt = None
cookies = None
headers = dict()
encoded_jwt = jwt.encode(
{
"email": email,
"some": "payload",
"xsrfToken": "x-xsrf-token_secret",
},
......@@ -25,87 +41,98 @@ def test_user_createOidcAccount():
headers = {
"x-anonymous-consumer": "false",
"x-xsrf-token": "x-xsrf-token_secret",
"apis_access_token": TOKEN,
}
resp = requests.post(
if email:
headers["email"] = email
return requests.request(
method,
f"{BASE_URL}/{endpoint}",
#json=data_input,
#data = form,
json=data,
cookies=cookies,
headers=headers,
#files=files
)
resp.raise_for_status()
def test_user_createOidcAccount():
endpoint = "user/createOidcAccount"
resp_json = resp.json()
resp = send_request(endpoint,
method="POST",
)
#resp.raise_for_status()
assert resp.status_code == 201
assert not resp.content
def test_user_resources():
endpoint = "user/resources"
encoded_jwt = jwt.encode(
{
"some": "payload",
"xsrfToken": "x-xsrf-token_secret",
},
"secret",
algorithm="HS256",
)
cookies = {ACCESS_TOKEN_COOKIE_KEY: encoded_jwt}
headers = {
"x-anonymous-consumer": "false",
"x-xsrf-token": "x-xsrf-token_secret",
"apis_access_token": TOKEN,
}
resp = requests.get(
f"{BASE_URL}/{endpoint}",
cookies=cookies,
headers=headers,
)
resp = send_request(endpoint)
resp.raise_for_status()
#resp.raise_for_status()
assert resp.status_code == 200
resp_json = resp.json()
assert resp_json == [
{
'datasetId': 3,
'datasetName': 'Rdata',
'geonetUuid': None,
'serviceName': 'wms',
'status': 'opened',
'urlPattern': 'rdata',
'validUntil': 'Tue Dec 31 2030 00:00:00 GMT+0000',
}
]
def test_user_addUserResource():
endpoint = "user/resources/add"
data_input = {
"id": 55,
"servicesId": [
1,
2,
5,
]
}
data_input = [
{
"id": 55,
"servicesId": [
1,
2,
5,
]
}
]
encoded_jwt = jwt.encode(
resp = send_request(endpoint, method="POST", data=data_input)
#resp.raise_for_status()
assert resp.status_code == 201
resp_json = resp.json()
assert {
'successfullyRequested': ['Rdata / Confluence - Etat du trafic temps réel (wms,wfs,files)'],
'unsuccessfullyRequested': []
} == resp_json
def test_user_renewUserResource():
endpoint = "user/resources/renew"
data_input = [
{
"some": "payload",
"xsrfToken": "x-xsrf-token_secret",
},
"secret",
algorithm="HS256",
)
cookies = {ACCESS_TOKEN_COOKIE_KEY: encoded_jwt}
headers = {
"x-anonymous-consumer": "false",
"x-xsrf-token": "x-xsrf-token_secret",
"apis_access_token": TOKEN,
}
resp = requests.post(
f"{BASE_URL}/{endpoint}",
json=data_input,
#data = form,
cookies=cookies,
headers=headers,
#files=files
)
"id": 55,
"servicesId": [
1,
2,
5,
]
}
]
resp = send_request(endpoint, method="POST", data=data_input)
resp.raise_for_status()
#resp.raise_for_status()
assert resp.status_code == 201
resp_json = resp.json()
assert {'successfullyRenewalRequested': [], 'unsuccessfullyRenewalRequested': ['Rdata / Confluence - Etat du trafic temps réel (wms,wfs,files)']} == resp_json
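Review bot: `send_request` still sends headers the server-side change stops reading: `headers["email"] = email` appears to be added on every call and the `apis_access_token` header remains in the shared header dict, while the controller now takes the e-mail from the token object and the access token from the token service. Leaving them in means these tests keep passing even if the old header-based path is accidentally reintroduced, so I would drop both so the fixture exercises only the new flow. The `jwt.decode(TOKEN, options={"verify_signature": False}, algorithms=["RS256"])` call is acceptable for extracting a claim to seed Redis in a test, but deserves a comment such as `# test fixture only: extracts a claim without validating the signature; never do this server-side` so it is not copied into production code. The `cookies` assignment that replaces the `None` default sits outside the visible hunk, so I cannot confirm the Kong cookie is actually attached to the request.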