From a3119ac1eac57870c75e3be94e787359da95cca5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oriol=20L=C3=B3pez-Doriga?= Date: Wed, 27 Mar 2024 16:52:01 +0100 Subject: [PATCH] checking env file in permissions --- .gitignore | 4 ++- README.md | 12 +++++-- beacon/conf.py | 3 +- deploy/conf.py | 3 +- permissions/auth.py | 87 +++++++++++++++++---------------------------- requirements.txt | 1 + 6 files changed, 49 insertions(+), 61 deletions(-) diff --git a/.gitignore b/.gitignore index 50af0980..f0f49958 100644 --- a/.gitignore +++ b/.gitignore @@ -136,4 +136,6 @@ node_modules genomicVariations_full.json genomicVariations_id.json -deploy/cancer_dataset \ No newline at end of file +deploy/cancer_dataset + +.env \ No newline at end of file diff --git a/README.md b/README.md index 77a8d0b6..d46d82e1 100644 --- a/README.md +++ b/README.md 
@@ -22,13 +22,19 @@ docker exec beacon-permissions bash permissions/permissions-ui/start.sh Please, bear in mind that the name of the user has to be the same that you used when creating the user in LS or in IDP, whatever the AAI method you are working with. To give a user a certain type of response for their queries, please modify this file [response_type.yml](https://github.com/EGA-archive/beacon2-ri-api/blob/master/beacon/request/response_type.yml) adding the maximum type of response you want to allow every user. -Also, you will need to edit the file [conf.py](beacon/conf.py) and introduce the domain where your keycloak is being hosted inside **ldp_user_info** and the issuers you trust for your token inside **trusted_issuers**. In case you want to run your local container, use this configuration: +Also, you will need to edit the file [conf.py](beacon/conf.py) and introduce the domain where your keycloak is being hosted inside **idp_user_info** and the issuer you trust for your token inside **idp_issuer**. 
In case you want to run your local container, use this configuration: ```bash -idp_user_info = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo' +idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon' +idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo' +lsaai_issuer='https://login.elixir-czech.org/oidc/' lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo' -trusted_issuers = ['http://idp:8080/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/'] ``` +Also, inside the folder permissions, before building your permissions container, you will need to create an .env file and add the CLIENT_ID for your LSAAI or Keycloak or both, with these same variable names: +```bash +LSAAI_CLIENT_ID='your_lsaai_client_id' +KEYCLOAK_CLIENT_ID='your_keycloak_client_id' +``` When you have your access token, pass it in a header with **Authorization: Bearer** in your POST request to get your answers. This token works coming from either from LS AAI or from keycloak (idp container). ### Beacon security system diff --git a/beacon/conf.py b/beacon/conf.py index 2df5b48c..e5ed4ec7 100644 --- a/beacon/conf.py +++ b/beacon/conf.py @@ -110,9 +110,10 @@ # # or use Elixir AAI (see https://elixir-europe.org/services/compute/aai) # +idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon' idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo' +lsaai_issuer='https://login.elixir-czech.org/oidc/' lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo' -trusted_issuers = ['https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/'] # diff --git a/deploy/conf.py b/deploy/conf.py index b982e4f3..07b10e24 100644 --- a/deploy/conf.py +++ b/deploy/conf.py 
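Review bot: The new `idp_issuer='...'` and `lsaai_issuer='...'` values are compared for exact equality with the token's `iss` claim in permissions/auth.py, so a trailing slash or scheme difference silently rejects every token from that provider; a comment such as `# must equal the token's iss claim byte-for-byte (trailing slash included)` above each line would spare the next operator a debugging session. The same two lines also drop the spaces around `=` that every neighbouring assignment in the file uses (`idp_user_info = ...`); `idp_issuer = '...'` keeps the file consistent. The identical hunk in deploy/conf.py has both points as well.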
@@ -106,9 +106,10 @@ # # or use Elixir AAI (see https://elixir-europe.org/services/compute/aai) # +idp_issuer='https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon' idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo' +lsaai_issuer='https://login.elixir-czech.org/oidc/' lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo' -trusted_issuers = ['https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/'] # diff --git a/permissions/auth.py b/permissions/auth.py index 450bf6f1..129ee652 100644 --- a/permissions/auth.py +++ b/permissions/auth.py @@ -16,6 +16,13 @@ from aiohttp import ClientSession, BasicAuth, FormData from aiohttp import web from beacon import conf +import os +from dotenv import load_dotenv + +load_dotenv() + +LSAAI_CLIENT_ID = os.getenv('LSAAI_CLIENT_ID') +KEYCLOAK_CLIENT_ID = os.getenv('KEYCLOAK_CLIENT_ID') LOG = logging.getLogger(__name__) 
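Review bot: `LSAAI_CLIENT_ID = os.getenv('LSAAI_CLIENT_ID')` and the KEYCLOAK line below it yield None when the variable is missing from the environment and the `.env` file, and nothing reports that; downstream (outside this hunk) every token from the affected provider then fails the audience comparison, which is hard to diagnose from a bare 401. A one-time check after `LOG` is defined on the last line of the hunk, `if not (LSAAI_CLIENT_ID or KEYCLOAK_CLIENT_ID): LOG.warning('no LSAAI_CLIENT_ID/KEYCLOAK_CLIENT_ID configured; all bearer tokens will be rejected')`, would surface the misconfiguration at startup. Also `import os` and `from dotenv import load_dotenv` are placed after the project import `from beacon import conf`; the stdlib and third-party imports belong above it.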
@@ -39,69 +46,37 @@ async def get_user_info(access_token): ''' LOG.debug('Token: %s', access_token) - # Invalid access token - ''' - async with ClientSession() as session: - headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token } - payload = {'client_id': idp_client_id, 'client_secret': idp_client_secret, 'token': access_token } - async with session.post(idp_introspection, headers=headers, - data=payload - ) as resp: - LOG.debug('Response %s', resp.status) - #LOG.debug('Response %s', resp) - if resp.status == 200: - content = await resp.text() - dict_content = json.loads(content) - user = dict_content - else: - #LOG.error('Content: %s', content) - LOG.error('Invalid token') - user = 'public' - return user - ''' try: decoded = jwt.decode(access_token, options={"verify_signature": False}) LOG.error(decoded) issuer = decoded['iss'] + audience = decoded['aud'] list_visa_datasets=[] visa_datasets=None except Exception: user = 'public' return user - - if issuer in conf.trusted_issuers: - pass + LOG.error(issuer) + user_info='' + if issuer == conf.lsaai_issuer and audience == LSAAI_CLIENT_ID: + user_info = lsaai_user_info + elif issuer == conf.idp_issuer and audience == KEYCLOAK_CLIENT_ID: + user_info = idp_user_info else: raise web.HTTPUnauthorized('invalid token') - + + LOG.error(user_info) user = None + async with ClientSession(trust_env=True) as session: headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token } - LOG.debug('Contacting %s', idp_user_info) - async with session.get(idp_user_info, headers=headers) as resp: - LOG.debug('Response %s', resp) + LOG.error('Contacting %s', user_info) + async with session.get(user_info, headers=headers) as resp: + LOG.error('Response %s', resp) if resp.status == 200: user = await resp.json() - LOG.error(user) - return user, list_visa_datasets - else: - content = await resp.text() - LOG.error('Not a Keycloak token') - #LOG.error('Content: %s', content) - user = 'public' - 
- if user == 'public': - async with ClientSession(trust_env=True) as session: - headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token } - LOG.debug('Contacting %s', lsaai_user_info) - async with session.get(lsaai_user_info, headers=headers) as resp: - LOG.debug('Response %s', resp) - if resp.status == 200: - user = await resp.json() - try: - visa_datasets = user['ga4gh_passport_v1'] - except Exception: - pass + try: + visa_datasets = user['ga4gh_passport_v1'] if visa_datasets is not None: for visa_dataset in visa_datasets: try: @@ -112,14 +87,16 @@ async def get_user_info(access_token): list_visa_datasets.append(visa_dataset) except Exception: visa_dataset = None - LOG.error('list_visa: {}'.format(list_visa_datasets)) - return user, list_visa_datasets - else: - content = await resp.text() - LOG.error('Not a LS AAI token') - LOG.error('Content: %s', content) - user = 'public' - return user, list_visa_datasets + except Exception: + pass + LOG.error('list_visa: {}'.format(list_visa_datasets)) + return user, list_visa_datasets + else: + content = await resp.text() + LOG.error('Invalid token') + LOG.error('Content: %s', content) + user = 'public' + return user, list_visa_datasets def bearer_required(func): diff --git a/requirements.txt b/requirements.txt index 205a8b81..00a0cd5a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,4 +38,5 @@ mozilla-django-oidc==3.0.0 pytest==7.4.4 pytest-aiohttp==1.0.5 pytest-asyncio==0.23.4 +python-dotenv==1.0.1
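Review bot: `audience = decoded['aud']` is compared to the configured client id with `==`, but the JWT `aud` claim may be an array of strings (RFC 7519 §4.1.3), so a token whose audience is a list never matches either branch and falls into the `else`. Normalise once after the decode, `aud = decoded['aud']` / `audience = aud if isinstance(aud, list) else [aud]`, and test membership with `LSAAI_CLIENT_ID in audience` and `KEYCLOAK_CLIENT_ID in audience` in the two branches; an unset client id (None) then still fails closed. These claims come from `jwt.decode(..., options={"verify_signature": False})`, so they only select which configured userinfo endpoint is contacted and the endpoint's 200 response remains the actual authentication — a comment such as `# unverified claims: used only to pick the userinfo endpoint, which does the real check` above the `if` would keep a later reader from treating the match as verification. The new `LOG.error(issuer)`, `LOG.error(user_info)`, `LOG.error('Contacting %s', user_info)` and `LOG.error('Response %s', resp)` lines are trace output emitted on every successful request at ERROR level; `LOG.debug`, as the removed lines used, is the right level. The context line `raise web.HTTPUnauthorized('invalid token')` now handles every audience mismatch, and if the installed aiohttp is 3.x its HTTPException constructor takes keyword-only arguments, so that line raises TypeError (a 500) rather than a 401 — `web.HTTPUnauthorized(reason='invalid token')` would fix it; get_user_info starts above this hunk and continues into the next.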
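Review bot: `except Exception: pass` around the passport loop hides any malformed `ga4gh_passport_v1` value, so such a user silently ends up with an empty `list_visa_datasets` and no log line; catching `(KeyError, TypeError)` and emitting `LOG.warning('could not parse ga4gh_passport_v1 for user')` would make the failure visible. In the `else` branch a token the userinfo endpoint rejects (non-200) is downgraded to `user = 'public'`, while a token with a mismatched audience earlier in the function raises HTTPUnauthorized; if the downgrade is intended, a comment such as `# userinfo rejected the token: treat the caller as anonymous rather than failing` would document the asymmetry. `LOG.error('Content: %s', content)` writes the provider's full response body to the error log on every rejected token and should be `LOG.debug` at most. `LOG.error('list_visa: {}'.format(...))` would be `LOG.error('list_visa: %s', list_visa_datasets)` in the logging idiom the rest of the function uses.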