checking env file in permissions
costero-e committed Mar 27, 2024
1 parent 410de6e commit a3119ac
Showing 6 changed files with 49 additions and 61 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Expand Up @@ -136,4 +136,6 @@ node_modules

genomicVariations_full.json
genomicVariations_id.json
deploy/cancer_dataset
deploy/cancer_dataset

.env
12 changes: 9 additions & 3 deletions README.md
Expand Up @@ -22,13 +22,19 @@ docker exec beacon-permissions bash permissions/permissions-ui/start.sh
Please, bear in mind that the name of the user has to be the same that you used when creating the user in LS or in IDP, whatever the AAI method you are working with.
To give a user a certain type of response for their queries, please modify this file [response_type.yml](https://github.com/EGA-archive/beacon2-ri-api/blob/master/beacon/request/response_type.yml) adding the maximum type of response you want to allow every user.

Also, you will need to edit the file [conf.py](beacon/conf.py) and introduce the domain where your keycloak is being hosted inside **ldp_user_info** and the issuers you trust for your token inside **trusted_issuers**. In case you want to run your local container, use this configuration:
Also, you will need to edit the file [conf.py](beacon/conf.py) and introduce the domain where your keycloak is being hosted inside **idp_user_info** and the issuer you trust for your token inside **idp_issuer**. In case you want to run your local container, use this configuration:
```bash
idp_user_info = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo'
idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon'
idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo'
lsaai_issuer='https://login.elixir-czech.org/oidc/'
lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo'
trusted_issuers = ['http://idp:8080/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/']
```

Also, inside the folder permissions, before building your permissions container, you will need to create an .env file and add the CLIENT_ID for your LSAAI or Keycloak or both, with these same variable names:
```bash
LSAAI_CLIENT_ID='your_lsaai_client_id'
KEYCLOAK_CLIENT_ID='your_keycloak_client_id'
```
When you have your access token, pass it in a header with **Authorization: Bearer** in your POST request to get your answers. This token works coming from either from LS AAI or from keycloak (idp container).

### Beacon security system
Expand Down
3 changes: 2 additions & 1 deletion beacon/conf.py
Expand Up @@ -110,9 +110,10 @@
#
# or use Elixir AAI (see https://elixir-europe.org/services/compute/aai)
#
idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon'
idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo'
lsaai_issuer='https://login.elixir-czech.org/oidc/'
lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo'
trusted_issuers = ['https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/']


#
Expand Down
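Review bot: `idp_issuer='https://...'` is written without spaces around `=`, unlike the neighbouring `idp_user_info = ...` and `lsaai_user_info = ...` lines, and the same applies to `lsaai_issuer=` here and to both new lines in deploy/conf.py. Since permissions/auth.py compares these values to the token's `iss` claim with plain `==`, a short comment would save the next editor a debugging session: `# must equal the token's iss claim byte-for-byte, including the trailing slash`. Removing `trusted_issuers` from both conf files should be paired with a search for any remaining `conf.trusted_issuers` reference, since a survivor would fail with AttributeError at request time; the rest of the repository is not visible from this page, so I cannot confirm there are none.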
3 changes: 2 additions & 1 deletion deploy/conf.py
Expand Up @@ -106,9 +106,10 @@
#
# or use Elixir AAI (see https://elixir-europe.org/services/compute/aai)
#
idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon'
idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo'
lsaai_issuer='https://login.elixir-czech.org/oidc/'
lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo'
trusted_issuers = ['https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/']


#
Expand Down
87 changes: 32 additions & 55 deletions permissions/auth.py
Expand Up @@ -16,6 +16,13 @@
from aiohttp import ClientSession, BasicAuth, FormData
from aiohttp import web
from beacon import conf
import os
from dotenv import load_dotenv

load_dotenv()

LSAAI_CLIENT_ID = os.getenv('LSAAI_CLIENT_ID')
KEYCLOAK_CLIENT_ID = os.getenv('KEYCLOAK_CLIENT_ID')


LOG = logging.getLogger(__name__)
Expand All @@ -39,69 +46,37 @@ async def get_user_info(access_token):
'''
LOG.debug('Token: %s', access_token)

# Invalid access token
'''
async with ClientSession() as session:
headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
payload = {'client_id': idp_client_id, 'client_secret': idp_client_secret, 'token': access_token }
async with session.post(idp_introspection, headers=headers,
data=payload
) as resp:
LOG.debug('Response %s', resp.status)
#LOG.debug('Response %s', resp)
if resp.status == 200:
content = await resp.text()
dict_content = json.loads(content)
user = dict_content
else:
#LOG.error('Content: %s', content)
LOG.error('Invalid token')
user = 'public'
return user
'''
try:
decoded = jwt.decode(access_token, options={"verify_signature": False})
LOG.error(decoded)
issuer = decoded['iss']
audience = decoded['aud']
list_visa_datasets=[]
visa_datasets=None
except Exception:
user = 'public'
return user

if issuer in conf.trusted_issuers:
pass
LOG.error(issuer)
user_info=''
if issuer == conf.lsaai_issuer and audience == LSAAI_CLIENT_ID:
user_info = lsaai_user_info
elif issuer == conf.idp_issuer and audience == KEYCLOAK_CLIENT_ID:
user_info = idp_user_info
else:
raise web.HTTPUnauthorized('invalid token')


LOG.error(user_info)
user = None

async with ClientSession(trust_env=True) as session:
headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
LOG.debug('Contacting %s', idp_user_info)
async with session.get(idp_user_info, headers=headers) as resp:
LOG.debug('Response %s', resp)
LOG.error('Contacting %s', user_info)
async with session.get(user_info, headers=headers) as resp:
LOG.error('Response %s', resp)
if resp.status == 200:
user = await resp.json()
LOG.error(user)
return user, list_visa_datasets
else:
content = await resp.text()
LOG.error('Not a Keycloak token')
#LOG.error('Content: %s', content)
user = 'public'

if user == 'public':
async with ClientSession(trust_env=True) as session:
headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
LOG.debug('Contacting %s', lsaai_user_info)
async with session.get(lsaai_user_info, headers=headers) as resp:
LOG.debug('Response %s', resp)
if resp.status == 200:
user = await resp.json()
try:
visa_datasets = user['ga4gh_passport_v1']
except Exception:
pass
try:
visa_datasets = user['ga4gh_passport_v1']
if visa_datasets is not None:
for visa_dataset in visa_datasets:
try:
Expand All @@ -112,14 +87,16 @@ async def get_user_info(access_token):
list_visa_datasets.append(visa_dataset)
except Exception:
visa_dataset = None
LOG.error('list_visa: {}'.format(list_visa_datasets))
return user, list_visa_datasets
else:
content = await resp.text()
LOG.error('Not a LS AAI token')
LOG.error('Content: %s', content)
user = 'public'
return user, list_visa_datasets
except Exception:
pass
LOG.error('list_visa: {}'.format(list_visa_datasets))
return user, list_visa_datasets
else:
content = await resp.text()
LOG.error('Invalid token')
LOG.error('Content: %s', content)
user = 'public'
return user, list_visa_datasets


def bearer_required(func):
Expand Down
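Review bot: The dispatch at `if issuer == conf.lsaai_issuer and audience == LSAAI_CLIENT_ID:` runs on claims from `jwt.decode(access_token, options={"verify_signature": False})`, so it can only choose which userinfo endpoint receives the token; the userinfo response is the sole trust anchor and the `aud` comparison is not an authorization check, which deserves a comment such as `# claims are unverified here; the userinfo call below is what validates the token`. `decoded['aud']` may also be a JSON array under RFC 7519, which the `==` comparison would refuse, and when `LSAAI_CLIENT_ID` or `KEYCLOAK_CLIENT_ID` is absent from the environment `os.getenv` returns None so every token from that issuer is rejected with no log line explaining why. `raise web.HTTPUnauthorized('invalid token')` looks wrong for aiohttp 3, whose HTTP exceptions take keyword-only arguments; `raise web.HTTPUnauthorized(reason='invalid token')` is the form it accepts. `LOG.error(decoded)`, `LOG.error(user)` and the promotions of `LOG.debug('Contacting %s', ...)` / `LOG.debug('Response %s', resp)` to `LOG.error` write the full token claims and the user profile into the error log; these belong at `LOG.debug`, and the decoded payload is better not logged at all. get_user_info begins before this hunk and its body continues into the next one, so the try/except that wraps the passport loop is only partly visible here.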
1 change: 1 addition & 0 deletions requirements.txt
Expand Up @@ -38,4 +38,5 @@ mozilla-django-oidc==3.0.0
pytest==7.4.4
pytest-aiohttp==1.0.5
pytest-asyncio==0.23.4
python-dotenv==1.0.1
