Merge pull request #12 from brighthive/secure-endpoints

Secure endpoints

.coveragec

@@ -1,2 +1,2 @@
 [run]
-omit = */.local/*, migrations/*, */tests/*, */__init__.py, */responses.py
+omit = */.local/*, migrations/*, */tests/*, */__init__.py, */responses.py, */.virtualenvs/*

Pipfile

@@ -20,6 +20,7 @@ sqlalchemy = "*"
 psycopg2-binary = "*"
 requests = "*"
 gevent = "*"
+brighthive-authlib = "*"
 
 [requires]
 python_version = "3.8"

data_trust_logger/api/health.py

@@ -5,6 +5,7 @@
 """
 import json
 
+from brighthive_authlib import token_required
 from flask import Blueprint, request
 from flask_restful import Api, Resource
 from sqlalchemy import create_engine
@@ -22,6 +23,7 @@ class HealthAuditResource(Resource):
     def __init__(self):
         self.response = resp.ResponseBody()
 
+    @token_required(config.oauth2_provider)
     def get(self):
         metrics_data = {}
 
@@ -31,6 +33,7 @@ def get(self):
         return self.response.get_one_response(metrics_data)
 
 
+
 health_bp = Blueprint('health_ep', __name__)
 health_api = Api(health_bp)
 health_api.add_resource(HealthAuditResource, '/health')

data_trust_logger/api/logger.py

@@ -5,13 +5,18 @@
 
 """
 
-import logging
 import json
+import logging
 import sys
+
+from brighthive_authlib import token_required
 from flask import Blueprint, request
-from flask_restful import Resource, Api
+from flask_restful import Api, Resource
 
 import data_trust_logger.utilities.responses as resp
+from data_trust_logger.config import ConfigurationFactory
+
+config = ConfigurationFactory.from_env()
 
 
 class LogResource(Resource):
@@ -28,6 +33,7 @@ def __init__(self):
 
         self.log.addHandler(log_handler)
 
+    @token_required(config.oauth2_provider)
     def post(self):
         try:
             data = request.get_json(force=True)

data_trust_logger/app/app.py

@@ -1,10 +1,25 @@
 """Data Trust Logger Application."""
-from flask import Flask
+import brighthive_authlib
+from brighthive_authlib import OAuth2ProviderError
+from flask import Flask, jsonify
 from flask_cors import CORS
+from flask_restful import Api
+
+from flask import Blueprint
 
 from data_trust_logger.api import health_bp, log_bp
 
 
+def handle_errors(e):
+    if isinstance(e, OAuth2ProviderError):
+        response = jsonify({'message': 'Access Denied'})
+        response.status_code = 401
+        return response
+    else:
+        response = jsonify({'error': 'An unknown error occurred'})
+        response.status_code = 400
+        return response
+
 def create_app(environment: str = None):
     """Create the Flask application.
 
@@ -19,4 +34,6 @@ def create_app(environment: str = None):
     app.register_blueprint(health_bp)
     app.register_blueprint(log_bp)
 
+    app.register_error_handler(Exception, handle_errors)
+
     return app

data_trust_logger/config/config.example.json

@@ -23,11 +23,11 @@
                 "ethnicity_race": "ethnicity"
             }
         },
-        "auth_access": {
-            "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx", 
-            "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-            "audience": "http://localhost:8000",
-            "oauth2_url": "https://<url_to_authserver>/oauth/token"
+        "oauth2": {
+            "client_id": "xxxxxxxxxx", 
+            "client_secret": "xxxxxxxxxx",
+            "oauth2_url": "",
+            "oauth2_provider": ""
         }
     },
     "development_testing": { },

data_trust_logger/config/config.py

@@ -1,5 +1,8 @@
-import os
 import json
+import os
+
+from brighthive_authlib import AuthLibConfiguration, OAuth2ProviderFactory
+
 
 class ConfigurationError(Exception):
     pass
@@ -77,11 +80,15 @@ def from_json(self, environment='local'):
                 self.mci_psql_database = fields['master_client_index']['mci_psql_database']
                 self.mci_mappings = fields['master_client_index']['table_to_ep_mappings']
 
-                self.client_id = fields['auth_access']['client_id']
-                self.client_secret = fields['auth_access']['client_secret']
-                self.audience = fields['auth_access']['audience']
-                self.oauth2_url = fields['auth_access']['oauth2_url']
-
+                self.client_id = fields['oauth2']['client_id']
+                self.client_secret = fields['oauth2']['client_secret']
+
+                self.oauth2_url_base = fields['oauth2']['oauth2_url']
+                self.oauth2_url = f"{self.oauth2_url_base}/oauth/token"
+                self.oauth2_audience = fields["oauth2"]["oauth2_audience"]
+                self.brighthive_auth_url = fields['brighthive_auth']['brighthive_auth_url']
+                self.brighthive_auth_provider = fields["brighthive_auth"]["brighthive_auth_provider"]
+
                 self.environment = environment
                 self.debug = True
                 self.testing = True
@@ -105,9 +112,26 @@ def from_json(self, environment='local'):
                     self.mci_psql_database
                 )
 
+                self.oauth2_provider = self.get_oauth2_provider()
+
         else:
             raise ConfigurationError(
                 'Cannot find environment \'{}\' in JSON configuration.')
+
+    def get_oauth2_provider(self):
+        """Retrieve the OAuth 2.0 Provider.
+        Return:
+            object: The OAuth 2.0 Provider.
+        """
+        auth_config = AuthLibConfiguration(
+            provider=self.brighthive_auth_provider, 
+            base_url=self.brighthive_auth_url)
+
+        oauth2_provider = OAuth2ProviderFactory.get_provider(
+            self.brighthive_auth_provider, auth_config)
+
+        return oauth2_provider
+
 
 class LocalConfiguration(Configuration):
     """Configuration class for local development."""
@@ -152,4 +176,4 @@ def from_env():
         """
         environment = os.getenv('APP_ENV', 'LOCAL')
 
-        return ConfigurationFactory.get_config(environment)
+        return ConfigurationFactory.get_config(environment)

data_trust_logger/utilities/secure_requests.py

@@ -24,7 +24,7 @@ def get_access_token():
     data = {
         'client_id': config.client_id, 
         'client_secret': config.client_secret,
-        'audience': config.audience, 
+        'audience': config.oauth2_audience, 
         'grant_type': 'client_credentials'
     }
 

docker-compose.yml

@@ -1,8 +1,8 @@
 version: '3'
 services: 
     data-trust-logger: 
-      image: brighthive/data-trust-logger:1.0.1-beta
+      image: brighthive/data-trust-logger:local
       environment:
         - APP_ENV=LOCAL
       ports:
-        - 8002:8000
+        - 8002:8002

tests/test_health_resource.py

@@ -6,6 +6,7 @@
 
 
 def _healthcheck_response(client, metrics_blob, mocker):
+    mocker.patch('brighthive_authlib.providers.BrightHiveProvider.validate_token', return_value=True)
     mocker.patch("json.load", return_value=metrics_blob)
 
     response = client.get('/health')