fix #4106: proprietary oauth #4224
Conversation
87ea297 to
632cefb
Compare
632cefb to
c0eebbb
Compare
6653108 to
9ad66cf
Compare
9ad66cf to
20574b9
Compare
20574b9 to
f3b2cd9
Compare
f3b2cd9 to
ebcd13a
Compare
e084efd to
7b63eaa
Compare
|
Blocked waiting on flash center to allow our non-tls secured dev endpoint to get a response. Then need to finish https://github.com/radiasoft/sirepo/pull/4224/files#diff-6872e86bbaf9783b9521a2d7bc8efbc06219ec4d6e34d64031682626e3a13ac7R24 |
135a288 to
60bd851
Compare
|
@robnagler this is working. I'd like another review because of the security impact. One decision we made along the way was to not refresh tokens. Instead just have users log in again once expired. For flash the tokens expire after one hour so this will lead to an annoying ui (need to log in to flash center every hour). Should we implement using refresh tokens or go with just re-login? |
|
Yes implement refresh tokens. It's unfortunately that they didn't set the default to something higher. First find out how many refreshes you get. Also, a refresh only works, I believe, if the user is active. Therefore, even if we implement refreshes, if they close their window and open it again, it might require a relogin |
|
Sent an email asking for a bump to 24hour expiry. Will implement refresh if the expiry can't be increased. |
|
Entering invalid credentials and clicking the "deny access" button on the flash login page leads to what looks like an approved authentication response (I would expect the ui to say username/password incorrect or at the very least a response with a payload saying the request was not approved). I've reached out to the flash folks and I'm waiting on a response. This blocks the release. |
60bd851 to
e96f1e3
Compare
aafc872 to
16129a9
Compare
|
@robnagler I think this is ready to merge. Please give it another review. |
16129a9 to
62f2668
Compare
sirepo/auth/__init__.py
Outdated
| t = sirepo.template.assert_sim_type(sim_type) | ||
| if t not in sirepo.feature_config.auth_controlled_sim_types(): | ||
| return | ||
| #QUESTION(robnagler) I think this is sufficient, that is, the tests can be reversed |
There was a problem hiding this comment.
This is the only thing I'm concerned about. LMK what you think.
There was a problem hiding this comment.
That doesn't workin in the api_checkAuthJupyterhub case. That API is allow_visitor which means that this check is always True and we return when we should really be prompting to moderate.
Thoughts ccaa8f6 ? I don't love adding another api_perm and I struggled to find a name for it...
…api_perm for it because visitor is a SIM_TYPELESS_PERMS
| @@ -12,7 +12,7 @@ | |||
| description='accelerator code gui', | |||
| install_requires=[ | |||
| 'Flask==2.0.3', | |||
| 'SQLAlchemy', | |||
| 'SQLAlchemy>=1.4', | |||
There was a problem hiding this comment.
Should we put a test in for why we have to pin versions? Someday we'll want to upgrade and it would be helpful to know why we pinned it in the first place
sirepo/auth/__init__.py
Outdated
| t = sirepo.template.assert_sim_type(sim_type) | ||
| if t not in sirepo.feature_config.auth_controlled_sim_types(): | ||
| return | ||
| #QUESTION(robnagler) I think this is sufficient, that is, the tests can be reversed |
There was a problem hiding this comment.
That doesn't workin in the api_checkAuthJupyterhub case. That API is allow_visitor which means that this check is always True and we return when we should really be prompting to moderate.
Thoughts ccaa8f6 ? I don't love adding another api_perm and I struggled to find a name for it...
sirepo/sim_api/jupyterhublogin.py
Outdated
| @@ -33,15 +34,15 @@ | |||
|
|
|||
|
|
|||
| class API(sirepo.api.Base): | |||
| @sirepo.api_perm.allow_visitor | |||
| @sirepo.api_perm.manual_permission_check | |||
There was a problem hiding this comment.
What I think is going on is that this function is doing too much. It should be @sirepo.api_perm.require_user which will throw an exception, and then the code in sirepo.jupyterhub would do the parsing of the response. It's all inside the sirepo repo. Then you wouldn't have to catch anything in this module. All the exceptions would cause a Response to go back to the sirepo.jupyterhub.authenticate. The fall through case (creating the juptyerhub user) would also do the right thing.
There was a problem hiding this comment.
How will sirepo.jupyterhub build the urls? We have access to self.sirepo_uri but all the methods like uri_for_api and local_route access the flask object directly which we can't do because we are outside the flask context.
There was a problem hiding this comment.
The schema is available, but not quite. It's what's necessary to map URIs from APIs. For now, these mappings could be hardwired in sirepo.jupyterhub, since we need to get this PR out.
I don't like adding the new API permission. Another approach is to use self.call_api and have a "hidden" api that api_checkAuthJupyterhub calls and wraps in a proper response. One things we could do to fix the SRException mess is to include a header in the response (X-Sirepo-SRException) that contains a serialized version of the exception so the HTML doesn't need to be parsed (which isn't terrible, and could be better encapsulated).
Anyway, I prefer the first approach and to get to work pulling apart the request dependent (external) from the static stuff (schema and args).
There was a problem hiding this comment.
Thoughts on adding sirepo_uri? Then we can re-use the code without adding another place where we handle creation of uris
sirepo/jupyterhub.py
Outdated
|
|
||
| def _maybe_html_redirect(response): | ||
| m = re.search(r'window.location = "(.*)"', pkcompat.from_bytes(response.content)) | ||
| m and self._redirect(handler, f'{self.sirepo_uri}{m.group(1)}') |
There was a problem hiding this comment.
Does there need to be a sirepo_uri? Doesn't the redirect just work on / without http://....?
There was a problem hiding this comment.
You're right, it isn't needed. I removed it from everywhere and made the uri building code external=False and to just use '/' in that case (not call into flask) 579a421
|
@e-carlin I'll let you merge |
This branch is based on 3654-moderate-jupyterhub-user-creations. Please review and merge #4211 first.