ls aai and idp integrated

beacon/request/handlers.py

@@ -1,7 +1,7 @@
 import json
 import asyncio
 import logging
-from aiohttp import web
+from aiohttp import ClientSession, web
 from aiohttp.web_request import Request
 from bson import json_util
 from beacon import conf
@@ -20,7 +20,7 @@
 )
 from beacon.utils.stream import json_stream
 from beacon.db.datasets import get_datasets
-from beacon.utils.auth import resolve_token
+from beacon.utils.auth import resolve_token, check_issuer
 
 LOG = logging.getLogger(__name__)
 
@@ -164,15 +164,30 @@ async def wrapper(request: Request):
 
 
         qparams = RequestParams(**json_body).from_request(request)
+        trust_issuers = ['https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon', 'https://login.elixir-czech.org/oidc/']
 
         if access_token != 'public':
             decoded = jwt.decode(access_token, options={"verify_signature": False})
             LOG.debug(decoded)
-            token_username = decoded['preferred_username']
+            user = await check_issuer(access_token)
+            LOG.debug(user)
+            token_username = user['preferred_username']
+            LOG.debug(token_username)
+            issuer = decoded['iss']
+
+            if issuer in trust_issuers:
+                pass
+            else:
+                raise web.HTTPUnauthorized('invalid token')
+
             with open("/beacon/beacon/request/response_type.yml", 'r') as response_type_file:
                 response_type_dict = yaml.safe_load(response_type_file)
 
-            response_type = response_type_dict[token_username]
+            try:
+                response_type = response_type_dict[token_username]
+            except Exception:
+                LOG.debug(Exception)
+                response_type = 'boolean'
             if response_type is not None:
                 for response_typed in response_type:    
                     LOG.debug(response_typed)        

beacon/request/response_type.yml

@@ -1,2 +1,2 @@
-new_user:
+dummy_user:
 - record

beacon/utils/auth.py

@@ -50,3 +50,38 @@ async def resolve_token(token, requested_datasets_ids):
                             auth_datasets.append(auth_dataset)
             LOG.debug(auth_datasets)
             return auth_datasets, True
+
+async def check_issuer(access_token):
+    user = None
+    idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo'
+    lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo'
+    async with ClientSession(trust_env=True) as session:
+        headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
+        LOG.debug('Contacting %s', idp_user_info)
+        async with session.get(idp_user_info, headers=headers) as resp:
+            LOG.debug('Response %s', resp)
+            if resp.status == 200:
+                user = await resp.json()
+                LOG.error(user)
+                return user
+            else:
+                content = await resp.text()
+                LOG.error('Not a Keycloak token')
+                #LOG.error('Content: %s', content)
+                user = 'public'
+
+    if user == 'public':
+        async with ClientSession(trust_env=True) as session:
+            headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
+            LOG.debug('Contacting %s', lsaai_user_info)
+            async with session.get(lsaai_user_info, headers=headers) as resp:
+                LOG.debug('Response %s', resp)
+                if resp.status == 200:
+                    user = await resp.json()
+                    return user
+                else:
+                    content = await resp.text()
+                    LOG.error('Not a LS AAI token')
+                    LOG.error('Content: %s', content)
+                    user = 'public'
+                    return user

permissions/auth.py

@@ -16,18 +16,16 @@
 from aiohttp import web
 
 
-
 LOG = logging.getLogger(__name__)
 
 
-
-idp_client_id     = 'beacon'
-idp_client_secret = 'b26ca0f9-1137-4bee-b453-ee51eefbe7ba'
+idp_user_info = 'https://beacon-network-demo2.ega-archive.org/auth/realms/Beacon/protocol/openid-connect/userinfo'
+lsaai_user_info = 'https://login.elixir-czech.org/oidc/userinfo'
 #idp_user_info = 'http://localhost:8080/oidc/userinfo'
 #idp_user_info = 'http://ls-aai-mock:8080/oidc/userinfo'
-idp_user_info  = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo'
+#idp_user_info  = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo'
 #idp_introspection = 'http://ls-aai-mock:8080/oidc/introspect'
-idp_introspection = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/token/introspect'
+#idp_introspection = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/token/introspect'
 #idp_user_info     = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/userinfo'
 #idp_introspection = 'http://idp:8080/auth/realms/Beacon/protocol/openid-connect/token/introspect'
 
@@ -45,7 +43,7 @@ async def get_user_info(access_token):
     LOG.debug('Token: %s', access_token)
 
     # Invalid access token
-
+    '''
     async with ClientSession() as session:
         headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
         payload = {'client_id': idp_client_id, 'client_secret': idp_client_secret, 'token': access_token }
@@ -63,22 +61,42 @@ async def get_user_info(access_token):
                 LOG.error('Invalid token')
                 user = 'public'
                 return user
+        '''
 
-        user = None
+    user = None
+    async with ClientSession(trust_env=True) as session:
+        headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
+        LOG.debug('Contacting %s', idp_user_info)
+        async with session.get(idp_user_info, headers=headers) as resp:
+            LOG.debug('Response %s', resp)
+            if resp.status == 200:
+                user = await resp.json()
+                LOG.error(user)
+                return user
+            else:
+                content = await resp.text()
+                LOG.error('Not a Keycloak token')
+                #LOG.error('Content: %s', content)
+                user = 'public'
+
+    if user == 'public':
         async with ClientSession(trust_env=True) as session:
             headers = { 'Accept': 'application/json', 'Authorization': 'Bearer ' + access_token }
-            LOG.debug('Contacting %s', idp_user_info)
-            async with session.get(idp_user_info, headers=headers) as resp:
+            LOG.debug('Contacting %s', lsaai_user_info)
+            async with session.get(lsaai_user_info, headers=headers) as resp:
                 LOG.debug('Response %s', resp)
                 if resp.status == 200:
                     user = await resp.json()
                     return user
                 else:
                     content = await resp.text()
+                    LOG.error('Not a LS AAI token')
                     LOG.error('Content: %s', content)
                     user = 'public'
                     return user
 
+
+
 
 
 

permissions/controlled_datasets.yml

@@ -1,4 +1,5 @@
 app-user3:
 - CINECA_synthetic_cohort_EUROPE_UK1
 - AV_Dataset
+costero-e: []
 hola: []

permissions/plugins.py

@@ -58,27 +58,27 @@ async def get(self, username, requested_datasets=None):
                 datasets = set(self.db.get(username))            
         else:
             try:
-                with open("/beacon/permissions/controlled_datasets.yml", 'r') as file:
-                    controlled_datasets = yaml.safe_load(file)
+                with open("/beacon/permissions/registered_datasets.yml", 'r') as file:
+                    registered_datasets = yaml.safe_load(file)
                 file.close()
                 with open("/beacon/permissions/public_datasets.yml", 'r') as pfile:
                     public_datasets = yaml.safe_load(pfile)
                 pfile.close()
-                list_controlled_datasets = controlled_datasets['controlled_datasets']
+                list_registered_datasets = registered_datasets['registered_datasets']
                 list_public_datasets = public_datasets['public_datasets']
                 datasets = []
                 for pdataset in list_public_datasets:
                     datasets.append(pdataset)
-                for cdataset in list_controlled_datasets:
-                    datasets.append(cdataset)
-                for rdataset in self.db.get(username):
+                for rdataset in list_registered_datasets:
                     datasets.append(rdataset)
+                for cdataset in self.db.get(username):
+                    datasets.append(cdataset)
                 datasets = set(datasets)
             except Exception:
-                with open("/beacon/permissions/registered_datasets.yml", 'r') as stream:
+                with open("/beacon/permissions/controlled_datasets.yml", 'r') as stream:
                     permissions_dict = yaml.safe_load(stream)
                 permissions_dict[username]=[]
-                with open("/beacon/permissions/registered_datasets.yml", 'w') as file:
+                with open("/beacon/permissions/controlled_datasets.yml", 'w') as file:
                     yaml.dump(permissions_dict, file)
                     self.db = permissions_dict
                 datasets = set(self.db.get(username))

permissions/public_datasets.yml

@@ -1,2 +1,2 @@
 public_datasets:
-  - CINECA_synthetic_cohort_EUROPE_UK1
+  - public

permissions/registered_datasets.yml

@@ -1 +1,3 @@
-registered_datasets: []
+dummy_user: []
+registered_datasets:
+- CINECA_synthetic_cohort_EUROPE_UK1