From 3a5a3240643018315ec867da907849b56538c029 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oriol=20L=C3=B3pez-Doriga?=
Date: Mon, 30 Oct 2023 15:48:25 +0100
Subject: [PATCH] introspect implemented
---
 beacon/request/handlers.py | 14 ++++++-------
 permissions/auth.py | 41 ++++++++++++++++++--------------------
 requirements.txt | 1 +
 3 files changed, 27 insertions(+), 29 deletions(-)
diff --git a/beacon/request/handlers.py b/beacon/request/handlers.py
index 01f38e8b..a5c622e6 100644
--- a/beacon/request/handlers.py
+++ b/beacon/request/handlers.py
@@ -6,7 +6,7 @@
 from bson import json_util
 from beacon import conf
 import yaml
-import base64
+import jwt
 from beacon.request import ontologies
 from beacon.request.model import Granularity, RequestParams
@@ -184,9 +184,9 @@ async def wrapper(request: Request):
 qparams = RequestParams(**json_body).from_request(request)
 if access_token is not None:
- tokenSplit = access_token.split(".")
- payload_token = json.loads((base64.b64decode(tokenSplit[1])).decode("utf-8"))
- token_username = payload_token['preferred_username']
+ decoded = jwt.decode(access_token, options={"verify_signature": False})
+ LOG.debug(decoded)
+ token_username = decoded['preferred_username']
 with open("/beacon/beacon/request/response_type.yml", 'r') as response_type_file:
 response_type_dict = yaml.safe_load(response_type_file)
@@ -268,9 +268,9 @@ async def wrapper(request: Request):
 access_token = access_token[7:] # cut out 7 characters: len('Bearer ')
- tokenSplit = access_token.split(".")
- payload_token = json.loads((base64.b64decode(tokenSplit[1])).decode("utf-8"))
- LOG.debug(payload_token)
+ decoded = jwt.decode(access_token, options={"verify_signature": False})
+ LOG.debug(decoded)
+ token_username = decoded['preferred_username']
 authorized_datasets, authenticated = await resolve_token(access_token, search_datasets)
 LOG.debug(authorized_datasets)
diff --git a/permissions/auth.py b/permissions/auth.py
index 7044fc75..1d38c970 100644
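Review bot: `token_username` is read from a payload decoded with `verify_signature: False`, so in the hunk at line 184 the name comes from a token whose signature, issuer and expiry have not been checked (with that option PyJWT also leaves `exp`/`nbf` unchecked by default, so an expired token decodes fine). In the hunk at line 268 the same assignment happens before `resolve_token` has accepted the token, and nothing in either hunk shows `token_username` being replaced by the identity the IdP reports; unless the claim is only used for logging, take the username from the introspection/userinfo response rather than from the unverified JWT. A malformed bearer value now raises `jwt.DecodeError`, and a token without the claim raises `KeyError`; wrap the decode, `except (jwt.DecodeError, KeyError):`, and answer 401 rather than letting it surface as a 500. `LOG.debug(decoded)` writes every claim of the token (commonly including email and name) to the log; log the one claim you need, e.g. `LOG.debug('token sub=%s', decoded.get('sub'))`. wrapper's body starts and ends outside both hunks.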
--- a/permissions/auth.py
+++ b/permissions/auth.py
@@ -9,7 +9,7 @@
 For this implementation, we only implement contacting the userinfo endpoint.
 No JWT signature verification.
 """
-
+import json
 import logging
 from aiohttp import ClientSession, BasicAuth, FormData
@@ -21,8 +21,8 @@
-idp_client_id = 'permissions'
-idp_client_secret = 'bcFFbN3N8bVDTStnyeTIszusq7pSoBrn'
+idp_client_id = 'beacon'
+idp_client_secret = 'b26ca0f9-1137-4bee-b453-ee51eefbe7ba'
 #idp_user_info = 'http://localhost:8080/oidc/userinfo'
 #idp_user_info = 'http://ls-aai-mock:8080/oidc/userinfo'
 idp_user_info = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo'
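Review bot: The module docstring kept as context in this hunk, `For this implementation, we only implement contacting the userinfo endpoint.`, no longer describes the module once `get_user_info` posts to `idp_introspection` (hunk at line 44 of this file); reword it to say that tokens are validated by the IdP's token introspection endpoint and that no local JWT signature verification is done. `BasicAuth` and `FormData` on the `from aiohttp import ...` line appear to lose their only uses with the old introspection block removed in that hunk; drop them from the import if nothing else in the file references them.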
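Review bot: `idp_client_secret` remains a literal in source, and the hunk at line 21 swaps one committed client secret for another instead of moving it out of the repository; both values now sit in git history and should be treated as exposed and rotated at the IdP. Read the value from the environment or from the settings module the rest of the service uses, e.g. `idp_client_secret = os.environ['IDP_CLIENT_SECRET']` with the matching `import os` in the import block, and keep only a placeholder in example configuration. `idp_client_id` and `idp_user_info` are deployment-specific in the same way and would benefit from the same treatment.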
@@ -44,31 +44,28 @@ async def get_user_info(access_token):
 '''
 LOG.debug('Token: %s', access_token)
- user = None
- async with ClientSession(trust_env=True) as session:
+ # Invalid access token
+
+ async with ClientSession() as session:
 headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
- LOG.debug('Contacting %s', idp_user_info)
- async with session.get(idp_user_info, headers=headers) as resp:
- LOG.debug('Response %s', resp)
+ payload = {'client_id': idp_client_id, 'client_secret': idp_client_secret, 'token': access_token }
+ async with session.post(idp_introspection, headers=headers,
+ data=payload
+ ) as resp:
+ LOG.debug('Response %s', resp.status)
+ #LOG.debug('Response %s', resp)
 if resp.status == 200:
- user = await resp.json()
+ content = await resp.text()
+ dict_content = json.loads(content)
+ user = dict_content
 return user
 else:
- content = await resp.text()
 LOG.error('Content: %s', content)
+ LOG.error('Invalid token')
+ raise web.HTTPUnauthorized()
+
+
- # Invalid access token
- LOG.error('Invalid token')
- async with ClientSession() as session:
- async with session.post(idp_introspection,
- auth=BasicAuth(idp_client_id, password=idp_client_secret),
- data=FormData({ 'token': access_token, 'token_type_hint': 'access_token' }, charset='UTF-8')
- ) as resp:
- LOG.debug('Response %s', resp.status)
- #LOG.debug('Response %s', resp)
- content = await resp.text()
- LOG.debug('Content: %s', content)
- raise web.HTTPUnauthorized()
diff --git a/requirements.txt b/requirements.txt
index 40d655f5..8b4b7542 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -32,4 +32,5 @@ urllib3==1.26.13
 #torch==1.11.0
 obonet==0.3.1
 networkx==2.8.8
+PyJWT==2.7.0
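Review bot: A `200` from the introspection endpoint is treated as a valid user, but RFC 7662 has the endpoint answer `200` with `{"active": false}` for expired, revoked or unknown tokens, so after this hunk such tokens are accepted whenever the client credentials are right; the `active` flag must be checked before `user` is returned. The `else` branch also logs `content`, which is now assigned only in the `200` branch, so a non-200 reply raises `UnboundLocalError` before reaching `HTTPUnauthorized` and surfaces as a 500. `json.loads(await resp.text())` duplicates what `await resp.json()` did, and `dict_content` is just an alias for `user`. The `'Authorization': 'Bearer ' + access_token` header forwards the user's token as a credential on a request that already carries `client_id`/`client_secret` in the body; it looks unnecessary and is worth dropping unless the IdP requires it (not verified here). get_user_info's signature and docstring start before the hunk, and the docstring should now describe introspection rather than the userinfo endpoint.
```python
        # … unchanged: headers and payload construction …
        async with session.post(idp_introspection, headers=headers,
                                data=payload
                                ) as resp:
            LOG.debug('Response %s', resp.status)
            content = await resp.text()  # read once so the error branch can log it
            if resp.status != 200:
                LOG.error('Content: %s', content)
                LOG.error('Invalid token')
                raise web.HTTPUnauthorized()
            user = json.loads(content)
            # RFC 7662: a 200 with "active": false means expired, revoked or unknown
            if not user.get('active', False):
                LOG.error('Inactive token')
                raise web.HTTPUnauthorized()
            return user
```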