Merge 3780b80 into 15edba7

uc-cdis · Sep 8, 2021 · 1df1168 · 1df1168
2 parents 15edba7 + 3780b80
commit 1df1168
Show file tree

Hide file tree

Showing 3 changed files with 467 additions and 534 deletions.
diff --git a/fence/jwt/token.py b/fence/jwt/token.py
@@ -365,7 +365,6 @@ def generate_signed_access_token(
     forced_exp_time=None,
     client_id=None,
     linked_google_email=None,
-    include_project_access=True,
 ):
     """
     Generate a JWT access token and output a UTF-8
@@ -422,31 +421,6 @@ def generate_signed_access_token(
     if scopes:
         claims["aud"] += scopes
 
-    if include_project_access:
-        # NOTE: "THIS IS A TERRIBLE STOP-GAP SOLUTION SO THAT USERS WITH
-        #       MINIMAL ACCESS CAN STILL USE LATEST VERSION OF FENCE
-        #       WITH VERSIONS OF PEREGRINE/SHEEPDOG THAT DO NOT CURENTLY
-        #       SUPPORT AUTHORIZATION CHECKS AGAINST ARBORIST (AND INSTEAD
-        #       RELY ON THE PROJECTS IN THE TOKEN). If the token is too large
-        #       everything breaks. I'm sorry" --See PXP-3717
-        if len(dict(user.project_access)) < config["TOKEN_PROJECTS_CUTOFF"]:
-            claims["context"]["user"]["projects"] = dict(user.project_access)
-        else:
-            # truncate to configured number of projects in token
-            projects = dict(user.project_access)
-            for key in list(projects)[config["TOKEN_PROJECTS_CUTOFF"] :]:
-                del projects[key]
-            claims["context"]["user"]["projects"] = projects
-            logger.warning(
-                "NOT including project_access = {} in claims for user {} because there are too many projects for the token\n".format(
-                    {
-                        k: dict(user.project_access)[k]
-                        for k in set(dict(user.project_access)) - set(projects)
-                    },
-                    user.username,
-                )
-            )
-
     # only add google linkage information if provided
     if linked_google_email:
         claims["context"]["user"]["google"][

diff --git a/fence/oidc/jwt_generator.py b/fence/oidc/jwt_generator.py
@@ -102,7 +102,6 @@ def generate_implicit_response(
             scopes=scope,
             client_id=client.client_id,
             linked_google_email=linked_google_email,
-            include_project_access=False,
         ).token
         response["access_token"] = access_token
 
@@ -196,6 +195,7 @@ def generate_token_response(
         nonce=nonce,
         linked_google_email=linked_google_email,
         linked_google_account_exp=linked_google_account_exp,
+        include_project_access=False,
         auth_flow_type=AuthFlowTypes.CODE,
         access_token=access_token,
     ).token