Merge pull request #883 from uc-cdis/feat/ras_expiration_parameter

(PXP-7846): Visa refresh token expiration parameter
uc-cdis · Mar 12, 2021 · cc12808 · cc12808
2 parents c8a3786 + cc4de53
commit cc12808
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/fence/blueprints/login/ras.py b/fence/blueprints/login/ras.py
@@ -2,13 +2,15 @@
 import jwt
 import os
 from flask_sqlalchemy_session import current_session
+import urllib.request, urllib.parse, urllib.error
 
 from fence.models import GA4GHVisaV1, IdentityProvider
 
 from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback
 
 from fence.config import config
 from fence.scripting.fence_create import init_syncer
+from fence.utils import get_valid_expiration
 
 
 class RASLogin(DefaultOAuth2Login):
@@ -66,10 +68,23 @@ def post_login(self, user, token_result):
         refresh_token = flask.g.tokens.get("refresh_token")
         id_token = flask.g.tokens.get("id_token")
         decoded_id = jwt.decode(id_token, verify=False)
+
         # Add 15 days to iat to calculate refresh token expiration time
-        expires = int(decoded_id.get("iat")) + config["RAS_REFRESH_EXPIRATION"]
+        issued_time = int(decoded_id.get("iat"))
+        expires = config["RAS_REFRESH_EXPIRATION"]
+
+        # User definied RAS refresh token expiration time
+        parsed_url = urllib.parse.parse_qs(flask.redirect_url)
+        if parsed_url.get("upstream_expires_in"):
+            custom_refresh_expiration = parsed_url.get("upstream_expires_in")[0]
+            expires = get_valid_expiration(
+                custom_refresh_expiration,
+                expires,
+                expires,
+            )
+
         flask.current_app.ras_client.store_refresh_token(
-            user=user, refresh_token=refresh_token, expires=expires
+            user=user, refresh_token=refresh_token, expires=expires + issued_time
         )
 
         # Check if user has any project_access from a previous session or from usersync

diff --git a/fence/job/visa_update_cronjob.py b/fence/job/visa_update_cronjob.py
@@ -152,6 +152,11 @@ async def updater(self, name, updater_queue, db_session):
                     )
                     client.update_user_visas(user, db_session)
             else:
+                # clear expired refresh tokens
+                if user.upstream_refresh_tokens:
+                    user.upstream_refresh_tokens = []
+                    db_session.commit()
+
                 self.logger.info(
                     "User {} doesnt have visa. Skipping . . .".format(user.username)
                 )

diff --git a/fence/resources/openid/idp_oauth2.py b/fence/resources/openid/idp_oauth2.py
@@ -156,11 +156,11 @@ def get_access_token(self, user, token_endpoint, db_session=None):
             proxies=self.get_proxies(),
             refresh_token=refresh_token,
         )
-        new_refresh_token = token_response["refresh_token"]
+        refresh_token = token_response["refresh_token"]
 
         self.store_refresh_token(
             user,
-            refresh_token=new_refresh_token,
+            refresh_token=refresh_token,
             expires=expires,
             db_session=db_session,
         )