Merge branch 'integration202112' of https://github.com/uc-cdis/fence …

…into stable
uc-cdis · Nov 26, 2021 · 2a173b3 · 2a173b3
2 parents 3af465f + 7880778
commit 2a173b3
Show file tree

Hide file tree

Showing 21 changed files with 375 additions and 279 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -66,6 +66,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -242,7 +246,7 @@
         "filename": "tests/login/test_fence_login.py",
         "hashed_secret": "d300421e208bfd0d432294de15169fd9b8975def",
         "is_verified": false,
-        "line_number": 41
+        "line_number": 48
       }
     ],
     "tests/ras/test_ras.py": [
@@ -276,9 +280,9 @@
         "filename": "tests/test-fence-config.yaml",
         "hashed_secret": "1627df13b5cd8b3521d02bd8eb2ca31334b3aef2",
         "is_verified": false,
-        "line_number": 472
+        "line_number": 471
       }
     ]
   },
-  "generated_at": "2021-08-18T02:36:18Z"
+  "generated_at": "2021-11-15T23:28:25Z"
 }
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,17 @@
 # To run: docker run --rm -d -v /path/to/fence-config.yaml:/var/www/fence/fence-config.yaml --name=fence -p 80:80 fence
-# To check running container: docker exec -it fence /bin/bash
+# To check running container do: docker exec -it fence /bin/bash
 
-FROM quay.io/cdis/python-nginx:pybase3-1.6.2
+FROM quay.io/cdis/python:python3.6-buster-pybase3-3.0.2
 
 ENV appname=fence
 
 RUN pip install --upgrade pip
-RUN apk add --update \
-    postgresql-libs postgresql-dev libffi-dev libressl-dev \
-    linux-headers musl-dev gcc g++ logrotate \
-    curl bash git vim make lftp \
-    openssh libmcrypt-dev
+RUN pip install --upgrade poetry
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl bash git \
+    libmcrypt4 libmhash2 mcrypt \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/
 
 RUN mkdir -p /var/www/$appname \
     && mkdir -p /var/www/.cache/Python-Eggs/ \
@@ -20,48 +21,28 @@ RUN mkdir -p /var/www/$appname \
     && chown nginx -R /var/www/.cache/Python-Eggs/ \
     && chown nginx /var/www/$appname
 
-#
-# libmhash is required by mcrypt - below - no apk package available
-#
-RUN (cd /tmp \
-  && wget -O mhash.tar.gz https://sourceforge.net/projects/mhash/files/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz/download \
-  && tar xvfz mhash.tar.gz \
-  && cd mhash-0.9.9.9 \
-  && ./configure && make && make install \
-  && /bin/rm -rf /tmp/*)
-
-#
-# mcrypt is required to decrypt dbgap user files - see fence/sync/sync_users.py
-#
-RUN (cd /tmp \
-  && wget -O mcrypt.tar.gz https://sourceforge.net/projects/mcrypt/files/MCrypt/Production/mcrypt-2.6.4.tar.gz/download \
-  && tar xvfz mcrypt.tar.gz \
-  && cd mcrypt-2.6.4 \
-  && ./configure && make && make install \
-  && /bin/rm -rf /tmp/*)
-EXPOSE 80
-
 # aws cli v2 - needed for storing files in s3 during usersync k8s job
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
     && unzip awscliv2.zip \
     && ./aws/install \
     && /bin/rm -rf awscliv2.zip ./aws
 
-# install poetry
-RUN curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
+WORKDIR /$appname
 
+# copy ONLY poetry artifact and install
+# this will make sure than the dependencies is cached
+COPY poetry.lock pyproject.toml /$appname/
+RUN poetry config virtualenvs.create false \
+    && poetry install -vv --no-root --no-dev --no-interaction \
+    && poetry show -v
+
+# copy source code ONLY after installing dependencies
 COPY . /$appname
 COPY ./deployment/uwsgi/uwsgi.ini /etc/uwsgi/uwsgi.ini
 COPY ./deployment/uwsgi/wsgi.py /$appname/wsgi.py
 COPY clear_prometheus_multiproc /$appname/clear_prometheus_multiproc
-WORKDIR /$appname
-
-# cache so that poetry install will run if these files change
-COPY poetry.lock pyproject.toml /$appname/
 
-# install Fence and dependencies via poetry
-RUN source $HOME/.poetry/env \
-    && poetry config virtualenvs.create false \
+RUN poetry config virtualenvs.create false \
     && poetry install -vv --no-dev --no-interaction \
     && poetry show -v
 

diff --git a/fence/__init__.py b/fence/__init__.py
@@ -126,7 +126,7 @@ def app_register_blueprints(app):
         fence.blueprints.well_known.blueprint, url_prefix="/.well-known"
     )
 
-    login_blueprint = fence.blueprints.login.make_login_blueprint(app)
+    login_blueprint = fence.blueprints.login.make_login_blueprint()
     app.register_blueprint(login_blueprint, url_prefix="/login")
 
     link_blueprint = fence.blueprints.link.make_link_blueprint()

diff --git a/fence/auth.py b/fence/auth.py
@@ -57,7 +57,9 @@ def build_redirect_url(hostname, path):
     return redirect_base + path
 
 
-def login_user(username, provider, fence_idp=None, shib_idp=None, email=None):
+def login_user(
+    username, provider, fence_idp=None, shib_idp=None, email=None, id_from_idp=None
+):
     """
     Login a user with the given username and provider. Set values in Flask
     session to indicate the user being logged in. In addition, commit the user
@@ -70,6 +72,8 @@ def login_user(username, provider, fence_idp=None, shib_idp=None, email=None):
         shib_idp (str, optional): Downstreawm shibboleth IdP
         email (str, optional): email of user (may or may not match username depending
             on the IdP)
+        id_from_idp (str, optional): id from the IDP (which may be different than
+            the username)
     """
 
     def set_flask_session_values(user):
@@ -93,6 +97,7 @@ def set_flask_session_values(user):
     user = query_for_user(session=current_session, username=username)
     if user:
         _update_users_email(user, email)
+        _update_users_id_from_idp(user, id_from_idp)
 
         #  This expression is relevant to those users who already have user and
         #  idp info persisted to the database. We return early to avoid
@@ -101,11 +106,16 @@ def set_flask_session_values(user):
             set_flask_session_values(user)
             return
     else:
+        # we need a new user
+        user = User(username=username)
+
         if email:
-            user = User(username=username, email=email)
-        else:
-            user = User(username=username)
+            user.email = email
+
+        if id_from_idp:
+            user.id_from_idp = id_from_idp
 
+    # setup idp connection for new user (or existing user w/o it setup)
     idp = (
         current_session.query(IdentityProvider)
         .filter(IdentityProvider.name == provider)
@@ -271,3 +281,17 @@ def _update_users_email(user, email):
 
         current_session.add(user)
         current_session.commit()
+
+
+def _update_users_id_from_idp(user, id_from_idp):
+    """
+    Update id_from_idp if provided and doesn't match db entry.
+    """
+    if id_from_idp and user.id_from_idp != id_from_idp:
+        logger.info(
+            f"Updating username {user.username}'s id_from_idp from {user.id_from_idp} to {id_from_idp}"
+        )
+        user.id_from_idp = id_from_idp
+
+        current_session.add(user)
+        current_session.commit()