From a17003d55dc61e542821118ee799d7f56799e69b Mon Sep 17 00:00:00 2001 From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com> Date: Tue, 18 Apr 2023 10:21:04 -0500 Subject: [PATCH] GPE-891 Add ENABLE_VISA_UPDATE_CRON setting (#1087) --- fence/blueprints/login/ras.py | 12 ++++++++---- fence/config-default.yaml | 16 ++++++++++++---- fence/config.py | 8 ++++++++ migrations/env.py | 1 - tests/test-fence-config.yaml | 4 +++- 5 files changed, 31 insertions(+), 10 deletions(-) diff --git a/fence/blueprints/login/ras.py b/fence/blueprints/login/ras.py index 9bdd0a788..f807ce44d 100644 --- a/fence/blueprints/login/ras.py +++ b/fence/blueprints/login/ras.py @@ -7,15 +7,13 @@ from distutils.util import strtobool from urllib.parse import urlparse, parse_qs -from authutils.errors import JWTError from cdislogging import get_logger from flask_sqlalchemy_session import current_session -from gen3authz.client.arborist.client import ArboristClient from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback from fence.config import config -from fence.jwt.validate import validate_jwt -from fence.models import GA4GHVisaV1, IdentityProvider +from fence.errors import InternalError +from fence.models import IdentityProvider from fence.utils import get_valid_expiration import fence.resources.ga4gh.passports @@ -54,6 +52,12 @@ def post_login(self, user=None, token_result=None, id_from_idp=None): else False ) ) + if parse_visas and not config["ENABLE_VISA_UPDATE_CRON"]: + # Note: this should not happen because the configuration is checked on app startup + msg = "Trying to parse visas but `ENABLE_VISA_UPDATE_CRON` is disabled!" + logger.error(msg) + raise InternalError(msg) + # do an on-the-fly usersync for this user to give them instant access after logging in through RAS # if GLOBAL_PARSE_VISAS_ON_LOGIN is true then we want to run it regardless of whether or not the client sent parse_visas on request if parse_visas: 
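Review bot: The guard added ahead of the on-the-fly usersync in `post_login` says only that this case "should not happen"; it does not record why visa parsing is refused when the cron is off. Judging from the config comments, visas stored at login seem to depend on the `fence-visa-update` job to be kept current, so once that reason is confirmed I would extend the comment to something like `# without the visa update cron, visas stored at login would never be refreshed, so refuse to parse them`. It may also be worth checking whether the `InternalError` message is returned to the client, since it names an internal setting. `post_login` starts and ends outside this hunk.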
diff --git a/fence/config-default.yaml b/fence/config-default.yaml index 6026dd7ae..03213253e 100755 --- a/fence/config-default.yaml +++ b/fence/config-default.yaml @@ -940,11 +940,19 @@ GA4GH_VISA_V1_CLAIM_REQUIRED_FIELDS: source: - 'https://ncbi.nlm.nih.gov/gap' EXPIRED_AUTHZ_REMOVAL_JOB_FREQ_IN_SECONDS: 300 + # Global sync visas during login -# None(Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with parse_visas param in /authorization endpoint -# True: Parse for all clients i.e. a fence client will always sync their visas during login -# False: Parse for no clients i.e. a fence client will not be able to sync visas during login even with parse_visas param -GLOBAL_PARSE_VISAS_ON_LOGIN: +# - None (Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with `parse_visas` param in /authorization endpoint +# - True: Parse for all clients i.e. a fence client will always sync their visas during login +# - False: Parse for no clients i.e. a fence client will not be able to sync visas during login even with `parse_visas` param +GLOBAL_PARSE_VISAS_ON_LOGIN: false + +# whether or not to enable the `fence-visa-update` cronjob which updates users' visas. +# Note: this cronjob lives outstide of fence +# /!\ if `ENABLE_VISA_UPDATE_CRON` is false, `GLOBAL_PARSE_VISAS_ON_LOGIN` CANNOT be none/true and +# `parse_visas` CANNOT be used +ENABLE_VISA_UPDATE_CRON: false + # Settings for usersync with visas USERSYNC: visa_types: diff --git a/fence/config.py b/fence/config.py index 9551a8418..1c7ff15b9 100644 --- a/fence/config.py +++ b/fence/config.py 
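Review bot: The rewritten comment above `GLOBAL_PARSE_VISAS_ON_LOGIN` in `fence/config-default.yaml` still labels `None` as "(Default)", but the shipped value is now `false`, so the label should move to the `False` bullet, e.g. `# - False (Default): Parse for no clients ...`. Because `ENABLE_VISA_UPDATE_CRON` also defaults to `false`, a deployment whose own config leaves `GLOBAL_PARSE_VISAS_ON_LOGIN` empty or sets it to true will presumably fail the new startup check until it enables the cron setting; that deserves a line in this comment or in the release notes. "outstide" in the new comment should read "outside".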
@@ -123,5 +123,13 @@ def post_process(self): ) self._configs["SESSION_ALLOWED_SCOPES"].remove("google_credentials") + if ( + not self._configs["ENABLE_VISA_UPDATE_CRON"] + and self._configs["GLOBAL_PARSE_VISAS_ON_LOGIN"] != False + ): + raise Exception( + "Visa parsing on login is enabled but `ENABLE_VISA_UPDATE_CRON` is disabled!" + ) + config = FenceConfig(DEFAULT_CFG_PATH) diff --git a/migrations/env.py b/migrations/env.py index b7a4f5b85..fe5dcd7e3 100644 --- a/migrations/env.py +++ b/migrations/env.py @@ -14,7 +14,6 @@ import os from sqlalchemy import engine_from_config, pool -from cdislogging import get_logger from userdatamodel import Base from fence.config import config as fence_config diff --git a/tests/test-fence-config.yaml b/tests/test-fence-config.yaml index a43205a67..92938f9c6 100755 --- a/tests/test-fence-config.yaml +++ b/tests/test-fence-config.yaml @@ -675,11 +675,13 @@ GA4GH_VISA_V1_CLAIM_REQUIRED_FIELDS: source: - "https://ncbi.nlm.nih.gov/gap" EXPIRED_AUTHZ_REMOVAL_JOB_FREQ_IN_SECONDS: 1 + # Global sync visas during login # None(Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with parse_visas param in /authorization endpoint # True: Parse for all clients i.e. a fence client will always sync their visas during login # False: Parse for no clients i.e. a fence client will not be able to sync visas during login even with parse_visas param -GLOBAL_PARSE_VISAS_ON_LOGIN: +GLOBAL_PARSE_VISAS_ON_LOGIN: false + # Settings for usersync with visas USERSYNC: visa_types:
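Review bot: The exception raised by the new check in `post_process` does not name `GLOBAL_PARSE_VISAS_ON_LOGIN`, and because the test is `!= False` an unset (None) value also trips it, so an operator who never touched that setting is told that visa parsing "is enabled". I would name both settings and the accepted value, e.g. `"GLOBAL_PARSE_VISAS_ON_LOGIN must be explicitly false when ENABLE_VISA_UPDATE_CRON is disabled"`, and write the comparison as `is not False` so that only the boolean `False` passes the check. Both keys are read with `[]`; that is fine if the defaults are always merged before `post_process` runs, which this hunk does not show. `post_process` begins outside the hunk.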