Add endpoint to get SAML providers for a user. #18237
Conversation
|
Thanks for the pull request, @jcdyer! I've created OSPR-2428 to keep track of it in JIRA. JIRA is a place for product owners to prioritize feature reviews by the engineering development teams. Feel free to add as much of the following information to the ticket:
All technical communication about the code itself will still be done via the GitHub pull request interface. As a reminder, our process documentation is here. |
03df339 to
fa52e35
Compare
|
@jcdyer Feel free to ping me once this passes all the tests. Thanks! |
|
@mduboseedx Thanks. I'm unable to find the diff quality report on the jenkins tests. Have those been removed or just relocated? It'd difficult to determine which issue is causing the quality build to fail without that information. |
|
I think I found the source of the errors, (.coffee files that shouldn't have ben included), but I'm not sure how to diagnose that from the jenkins reports anymore. |
|
@edx/testeng Do you know why these quality test is failing? We're having trouble finding the diff quality report. |
|
@mduboseedx It's the "diff_quality_pylint.html" artifact from the |
|
Thanks @jmbowman. |
|
@edx/platform-team Could you give this a review? |
|
Ping! Can somebody from @edx/platform-team give this a look. This is upstreamed from work we are doing on edx-solutions/edx-platform. |
|
@jmbowman Can you give this a review anytime soon, or find someone to do so? |
|
@jcdyer This is on my radar now. I gave it a quick once over and it looks fine. If you can get tests passing I'll take a closer look and merge. |
|
jenkins run bokchoy |
ddd0390 to
26227e5
Compare
|
jenkins run bokchoy |
|
@jcdyer Have you had a chance to look into the failed bokchoy test? |
|
jenkins run bokchoy |
1 similar comment
|
jenkins run bokchoy |
|
Looks like multiple failures in the bokchoy tests that are possibly legitimate. Those failures need to be addressed before this PR proceeds. |
|
Thanks @doctoryes. I should be able to look into this again the week after next. I'll ping you when it's ready for another review. |
26227e5 to
2db10f4
Compare
|
@doctoryes I just rebased onto the latest master. Whatever the issue was, it seems to be resolved now. |
|
Oh, sorry, I just realized I should at @macdiesel as well. This is ready for a full review now. |
There was a problem hiding this comment.
Code looks good, just a few questions.
There are now tests to at least verify that the throttling rate is set correctly or works. We should add something here.
@pwnage101 is our on open source on call this week and will also review this.
| """ | ||
| Maximum number of provider requests in a quick burst. | ||
| """ | ||
| rate = '10/min' |
There was a problem hiding this comment.
Why not make this and the ProviderSustainedThrottle configuration settings?
| if '@' in username: | ||
| user = User.objects.get(email=username) | ||
| else: | ||
| user = User.objects.get(username=username) |
There was a problem hiding this comment.
@pwnage101 Don't we have a method that does this?
There was a problem hiding this comment.
yes, use from student.models import get_user_by_username_or_email
| class UserView(APIView): | ||
| """ | ||
| List the third party auth accounts linked to the specified user account. | ||
|
|
||
| **Example Request** | ||
|
|
||
| GET /api/third_party_auth/v0/users/{username} | ||
| GET /api/third_party_auth/v0/users/{email@example.com} |
There was a problem hiding this comment.
Can you explain why the username identifier is made into an ambiguous identifier here? In general, I think we were trying to phase out ambiguous identifiers whenever possible, so I have to ask when we're adding new ones.
There was a problem hiding this comment.
Phase it out in favor of what?
Our client that we did the downstream work for had a requirement of allowing users to log in by either identifier.
Would you prefer to have different endpoints for each, or to use a query parameter to identify the type of identifier?
There was a problem hiding this comment.
Yes, basically, phase out in favor of the unambiguous identifiers you recommended in your last sentence. Our original motivation might be selfish, but we ran into issues with ambiguous identifiers (combined with some of our usernames containing @ symbols) causing email lookups to contain usernames, and vice versa, which would fail to find an existing user.
Obviously, we do not allow usernames with @ symbols, and we still don't understand how it happened, but it "should not" happen so your code "should" be safe. I was just pushing back a little bit to see if making your endpoint unambiguous would still be okay.
There was a problem hiding this comment.
Thanks @pwnage101. That's helpful information.
FYI @xitij2000 and @bradenmacdonald: This is related to the SSO provider lookup we did recently. This would require a minor change and the client side (having the api client choose an identifier type before making the request) and the server side (providing the argument as a query parameter) in the downstream code. Can we do that work to help edx move forward with unambiguous user identifiers?
There was a problem hiding this comment.
I think the bigger concern would be mobile apps here. I think it should be a pretty small change on the server side.
However, it just pushes the logic of email vs username to whatever calls the API. If the @ symbol is allowed in usernames, or has ended up in usernames somehow, then whetever calls this API should call it twice if the @ symbol is present just to be sure. Would it make more sense for the API to do this automatically? i.e. find users that have the provided id as either a username or email.
There was a problem hiding this comment.
We can't immediately change the API contract, because it would break the existing apps, but if we did want to push the "username vs. email" logic into the clients and make this API optionally unambiguous (by requiring a parameter/path to explicitly specify email vs. username), and later require it to be unambiguous, that would be fine.
There was a problem hiding this comment.
I'll chime in here in summary: For this PR to proceed, we'd very much like it to include functionality to allow clients to unambiguously state whether they're sending an email address or a username, whether it's by two different new URLs -or- optional parameters on this endpoint. The old ambiguous endpoint would remain functional for now until clients can be shifted to use the unambiguous endpoint. But there'd be no remaining blocker to shifting clients over to use the unambiguous endpoint.
After clients are shifted, we'd then remove the old ambiguous endpoint functionality - perhaps in a new API version, if needed. Thoughts?
There was a problem hiding this comment.
Sounds good to me. Here's how I'll implement that:
The proposed endpoint will remain. A new route will be added at /api/third_party_auth/v0/users/ (with no path segment for the ambiguous identifier), that takes one of ?username= or ?email=. If neither is provided, the endpoint will return a 400.
|
I will resolve review suggestions tonight or tomorrow morning. |
e195b14 to
c491229
Compare
|
@macdiesel, @pwnage101: Sorry for the delay. This is ready for another review now. I have added a new view with an explicit username / email query parameter, made throttles configurable via settings, and added tests for throttling. |
| @@ -14,6 +14,7 @@ | |||
| UserView.as_view(), | |||
There was a problem hiding this comment.
I vaguely recall even wrapping this deprecated url pattern behind a feature toggle/django setting, but that may have been part of conversations with my team. @doctoryes @macdiesel what are your thoughts about making this togglable?
There was a problem hiding this comment.
Oh, well we can't do that of course because it impacts an active endpoint. I'll just drop this concern for now.
| """ | ||
| List the third party auth accounts linked to the specified user account. | ||
|
|
||
| [DEPRECATED] |
There was a problem hiding this comment.
nit: add a sentence about renaming UserView2 to UserView after ripping this one out.
There was a problem hiding this comment.
Better yet, I'll rename now, and call the old one UserViewDeprecated
There was a problem hiding this comment.
On second thought, there could be extension libraries that are referring to this. Safer just to add the note.
|
|
||
| Params must be a dict that includes only one of 'username' or 'email' | ||
| """ | ||
| assert identifier.kind in {'username', 'email'} |
There was a problem hiding this comment.
Any reason not to use self.identifier_kinds here? Could you also change this to raise a ValueError instead of using an assert?
There was a problem hiding this comment.
Updated, rebased, and squashed. Thanks!
There was a problem hiding this comment.
@jcdyer I'm still seeing a conflict here. Can you take one more look?
There was a problem hiding this comment.
You are correct. The rebase didn't take properly. Sorry about that!
14dd717 to
1f838c4
Compare
|
Sorry. I rebased against the wrong branch, and then pushing didn't work. I'm resolving conflicts now. |
View is combined with user SSO views. Includes a new version of the view that takes explicit "username" or "email". OC-4285
1f838c4 to
b3521e0
Compare
|
Your PR has finished running tests. There were no failures. |
|
@jcdyer 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future. |
|
@jcdyer 🚢 thanks for your patience getting this through! |
|
EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production on Friday, October 19, 2018. |
|
EdX Release Notice: This PR has been deployed to the production environment. |
| } | ||
| for assoc in providers if assoc.has_account | ||
| ] | ||
| # TODO: When removing deprecated UserView, rename this view to UserView. |
There was a problem hiding this comment.
Do we have an schedule estimate for addressing this tech debt?
There was a problem hiding this comment.
I think our client would want to have at least one named release that includes the backwards-compatible code, and it could be removed any time after that.
Adds an endpoint to allow mobile apps to get SSO providers for a given user. Includes throttling to prevent the endpoint from being used to crawl for logins. Due to policy concerns around potential leakage of user info, this is hidden behind a feature flag.
Upstreamed from edx#1047 and edx#1080
JIRA tickets: Implements OC-4285.
Dependencies: None
Screenshots:
Sandbox URL: https://pr18237.sandbox.opencraft.hosting/
Merge deadline: None
Testing instructions:
Set ALLOW_UNPRIVILEGED_SSO_PROVIDER_QUERY to true in lms.env.json.
Verify that the SSO user endpoint can be accessed by non-logged in users. Example: https://pr18237.sandbox.opencraft.hosting/api/third_party_auth/v0/users/staff
Verify that provider information can be retrieved by providing an email address. Example: https://pr18237.sandbox.opencraft.hosting/api/third_party_auth/v0/users/staff@example.com
Author notes and concerns:
Reviewers
Settings
Set ALLOW_UNPRIVILEGED_SSO_PROVIDER_QUERY to true in lms.env.json.