Merge branch 'master' into fix/no_force_sign

uc-cdis · Feb 23, 2021 · 5b74841 · 5b74841
2 parents d4c6edf + 3fef376
commit 5b74841
Show file tree

Hide file tree

Showing 7 changed files with 246 additions and 106 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "poetry.lock",
     "lines": null
   },
-  "generated_at": "2020-10-22T16:33:03Z",
+  "generated_at": "2021-02-19T16:52:13Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -92,7 +92,7 @@
       {
         "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
         "is_verified": false,
-        "line_number": 510,
+        "line_number": 511,
         "type": "Secret Keyword"
       }
     ],
@@ -200,7 +200,7 @@
       {
         "hashed_secret": "d9db6fe5c14dc55edd34115cdf3958845ac30882",
         "is_verified": false,
-        "line_number": 271,
+        "line_number": 327,
         "type": "Hex High Entropy String"
       }
     ],

diff --git a/fence/blueprints/login/ras.py b/fence/blueprints/login/ras.py
@@ -1,12 +1,14 @@
 import flask
 import jwt
+import os
 from flask_sqlalchemy_session import current_session
 
 from fence.models import GA4GHVisaV1, IdentityProvider
 
 from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback
 
 from fence.config import config
+from fence.scripting.fence_create import init_syncer
 
 
 class RASLogin(DefaultOAuth2Login):
@@ -69,3 +71,26 @@ def post_login(self, user, token_result):
         flask.current_app.ras_client.store_refresh_token(
             user=user, refresh_token=refresh_token, expires=expires
         )
+
+        # Check if user has any project_access from a previous session or from usersync
+        # if not do an on-the-fly usersync for this user to give them instant access after logging in through RAS
+        if not user.project_access:
+            # Close previous db sessions. Leaving it open causes a race condition where we're viewing user.project_access while trying to update it in usersync
+            # not closing leads to partially updated records
+            current_session.close()
+            DB = os.environ.get("FENCE_DB") or config.get("DB")
+            if DB is None:
+                try:
+                    from fence.settings import DB
+                except ImportError:
+                    pass
+            dbGaP = os.environ.get("dbGaP") or config.get("dbGaP")
+            if not isinstance(dbGaP, list):
+                dbGaP = [dbGaP]
+
+            sync = init_syncer(
+                dbGaP,
+                None,
+                DB,
+            )
+            sync.sync_single_user_visas(user, current_session)
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
@@ -380,6 +380,8 @@ MAX_ACCESS_TOKEN_TTL: 3600
 # auth checks against Arborist, and no longer check the token.
 TOKEN_PROJECTS_CUTOFF: 10
 
+# If set to true, will generate an new access token each time when a browser session update happens
+RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false
 
 ########################################################################################
 #                               OPTIONAL CONFIGURATIONS                                #
@@ -773,6 +775,6 @@ SERVICE_ACCOUNT_LIMIT: 6
 USERSYNC:
   sync_from_visas: false
   # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed
-  fallback_to_dbgap_sftp: false 
+  fallback_to_dbgap_sftp: false
   visa_types:
     ras: [https://ras.nih.gov/visas/v1, https://ras.nih.gov/visas/v1.1]
diff --git a/fence/config.py b/fence/config.py
@@ -37,6 +37,7 @@ def post_process(self):
             "REFRESH_TOKEN_EXPIRES_IN",
             "SESSION_TIMEOUT",
             "SESSION_LIFETIME",
+            "RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION",
             "GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN",
             "GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN",
             "GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN",

diff --git a/fence/resources/user/user_session.py b/fence/resources/user/user_session.py
@@ -215,9 +215,14 @@ def save_session(self, app, session, response):
                     domain=domain,
                 )
 
-            # if a user is logged in and doesn't have an access token, let's
-            # generate one
-            if user and not flask.g.access_token:
+            # generate an access token and set in cookie if
+            # user is logged in AND one of the following:
+            # 1. RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION = true in config
+            # 2. current access token has expired (no access_token)
+            if user and (
+                config.get("RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION")
+                or not flask.g.access_token
+            ):
                 _create_access_token_cookie(app, session, response, user)
         else:
             # If there isn't a session token, we should set