auth: use invenio session cookie to retrieve user

Addresses #153

Signed-off-by: Leticia Farias Wanderley <leticia.farias.wanderley@cern.ch>

reana_server/rest/ping.py

@@ -10,7 +10,7 @@
 
 from flask import Blueprint, jsonify
 
-blueprint = Blueprint('ping', __name__)
+blueprint = Blueprint('ping', __name__, url_prefix='/reana-api')
 
 
 @blueprint.route('/ping', methods=['GET'])

reana_server/rest/secrets.py

@@ -20,7 +20,7 @@
 from reana_commons.k8s.secrets import REANAUserSecretsStore
 from reana_server.utils import get_user_from_token
 
-blueprint = Blueprint('secrets', __name__)
+blueprint = Blueprint('secrets', __name__, url_prefix='/reana-api')
 
 
 @blueprint.route('/secrets/', methods=['POST'])
@@ -112,7 +112,10 @@ def add_secrets():  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get("access_token"))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         secrets_store = REANAUserSecretsStore(str(user.id_))
         overwrite = json.loads(request.args.get('overwrite'))
         secrets_store.add_secrets(request.json, overwrite=overwrite)
@@ -194,7 +197,10 @@ def get_secrets():  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get("access_token"))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         secrets_store = REANAUserSecretsStore(str(user.id_))
         user_secrets = secrets_store.get_secrets()
         return jsonify(user_secrets), 200
@@ -283,7 +289,10 @@ def delete_secrets():  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get("access_token"))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         secrets_store = REANAUserSecretsStore(str(user.id_))
         deleted_secrets_list = secrets_store.delete_secrets(request.json)
         return jsonify(deleted_secrets_list), 200

reana_server/rest/users.py

@@ -15,7 +15,7 @@
 
 from reana_server.utils import _create_user, _get_users
 
-blueprint = Blueprint('users', __name__)
+blueprint = Blueprint('users', __name__, url_prefix='/reana-api')
 
 
 @blueprint.route('/users', methods=['GET'])

reana_server/rest/workflows.py

@@ -17,6 +17,7 @@
 from flask import Blueprint
 from flask import current_app as app
 from flask import jsonify, request, send_file
+from flask_login import current_user
 from reana_commons.config import INTERACTIVE_SESSION_TYPES
 from reana_commons.utils import get_workspace_disk_usage
 from reana_db.database import Session
@@ -26,9 +27,10 @@
 from reana_server.api_client import current_rwc_api_client, \
     current_workflow_submission_publisher
 from reana_server.config import SHARED_VOLUME_PATH
-from reana_server.utils import get_user_from_token, is_uuid_v4
+from reana_server.utils import get_user_from_token, is_uuid_v4, \
+    _get_user_from_invenio_user
 
-blueprint = Blueprint('workflows', __name__)
+blueprint = Blueprint('workflows', __name__, url_prefix='/reana-api')
 
 
 @blueprint.route('/workflows', methods=['GET'])
@@ -148,7 +150,10 @@ def get_workflows():  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         type = request.args.get('type', 'batch')
         verbose = request.args.get('verbose', False)
         response, http_response = current_rwc_api_client.api.\
@@ -260,7 +265,10 @@ def create_workflow():  # noqa
             Request failed. Not implemented.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         if request.json:
             # validate against schema
             reana_spec_file = request.json
@@ -384,7 +392,10 @@ def get_workflow_logs(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -503,7 +514,10 @@ def get_workflow_status(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -635,7 +649,10 @@ def start_workflow(workflow_id_or_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -783,7 +800,10 @@ def set_workflow_status(workflow_id_or_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -886,7 +906,10 @@ def upload_file(workflow_id_or_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -982,7 +1005,10 @@ def download_file(workflow_id_or_name, file_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -1073,7 +1099,10 @@ def delete_file(workflow_id_or_name, file_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -1168,7 +1197,10 @@ def get_files(workflow_id_or_name):  # noqa
               }
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -1274,7 +1306,10 @@ def get_workflow_parameters(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -1391,7 +1426,11 @@ def get_workflow_diff(workflow_id_or_name_a, workflow_id_or_name_b):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
+
         brief = request.args.get('brief', False)
         brief = True if brief == 'true' else False
         context_lines = request.args.get('context_lines', 5)
@@ -1510,7 +1549,11 @@ def open_interactive_session(workflow_id_or_name,
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
+
         if interactive_session_type not in INTERACTIVE_SESSION_TYPES:
             return jsonify({
                 "message": "Interactive session type {0} not found, try "
@@ -1614,7 +1657,10 @@ def close_interactive_session(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         if not workflow_id_or_name:
             raise KeyError("workflow_id_or_name is not supplied")
         response, http_response = current_rwc_api_client.api.\
@@ -1726,7 +1772,10 @@ def move_files(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
 
         if not workflow_id_or_name:
             raise ValueError("workflow_id_or_name is not supplied")
@@ -1848,7 +1897,10 @@ def get_workflow_disk_usage(workflow_id_or_name):  # noqa
             Request failed. Internal controller error.
     """
     try:
-        user = get_user_from_token(request.args.get('access_token'))
+        if current_user.is_authenticated:
+            user = _get_user_from_invenio_user(current_user.email)
+        else:
+            user = get_user_from_token(request.args.get('access_token'))
         parameters = request.json or {}
 
         if not workflow_id_or_name:

reana_server/utils.py

@@ -142,3 +142,10 @@ def _create_and_associate_reana_user(sender, token=None,
     except Exception:
         raise ValueError('Could not create user')
     return user
+
+
+def _get_user_from_invenio_user(id):
+    user = Session.query(User).filter_by(email=id).one_or_none()
+    if not user:
+        raise ValueError('No users registered with this id')
+    return user

setup.py

@@ -68,7 +68,7 @@
     'invenio-mail>=1.0.2,<1.1.0',
     'invenio-rest>=1.0.0,<1.1.0',
     # From auth bundle
-    'invenio-accounts-rest>=1.0.0a4',
+    'invenio-accounts>=1.1.1',
     'invenio-oauth2server>=1.0.3,<1.1.0',
     'invenio-oauthclient>=1.1.2,<1.2.0',
     'invenio-userprofiles>=1.0.1,<1.1.0',
@@ -113,7 +113,7 @@
         'invenio_config.module': [
             'reana_server = reana_server.config',
         ],
-        "invenio_base.api_blueprints": [
+        "invenio_base.blueprints": [
             "reana_server_ping = reana_server.rest.ping:blueprint",
             "reana_server_workflows = reana_server.rest.workflows:blueprint",
             "reana_server_users = reana_server.rest.users:blueprint",