Merge branch 'integration202103' of https://github.com/uc-cdis/fence …

…into stable
uc-cdis · Mar 1, 2021 · 79ab7fb · 79ab7fb
2 parents ab80edf + d0fe6fc
commit 79ab7fb
Show file tree

Hide file tree

Showing 12 changed files with 736 additions and 859 deletions.
diff --git a/fence/__init__.py b/fence/__init__.py
@@ -412,7 +412,7 @@ def set_csrf(response):
     """
     if not flask.request.cookies.get("csrftoken"):
         secure = config.get("SESSION_COOKIE_SECURE", True)
-        response.set_cookie("csrftoken", random_str(40), secure=secure)
+        response.set_cookie("csrftoken", random_str(40), secure=secure, httponly=True)
 
     if flask.request.method in ["POST", "PUT", "DELETE"]:
         current_session.commit()

diff --git a/fence/scripting/fence_create.py b/fence/scripting/fence_create.py
@@ -543,6 +543,7 @@ def remove_expired_google_service_account_keys(db):
 
             # handle service accounts with custom expiration
             for expired_user_key in expired_sa_keys_for_users:
+                logger.info("expired_user_key: {}\n".format(expired_user_key))
                 sa = (
                     current_session.query(GoogleServiceAccount)
                     .filter(
@@ -555,6 +556,9 @@ def remove_expired_google_service_account_keys(db):
                     account=sa.email, key_name=expired_user_key.key_id
                 )
                 response_error_code = response.get("error", {}).get("code")
+                response_error_status = response.get("error", {}).get("status")
+                logger.info("response_error_code: {}\n".format(response_error_code))
+                logger.info("response_error_status: {}\n".format(response_error_status))
 
                 if not response_error_code:
                     current_session.delete(expired_user_key)
@@ -564,7 +568,10 @@ def remove_expired_google_service_account_keys(db):
                             expired_user_key.key_id, sa.email, sa.user_id
                         )
                     )
-                elif response_error_code == 404:
+                elif (
+                    response_error_code == 404
+                    or response_error_status == "FAILED_PRECONDITION"
+                ):
                     logger.info(
                         "INFO: Service account key {} for service account {} "
                         "(owned by user with id {}) does not exist in Google. "

diff --git a/fence/sync/sync_users.py b/fence/sync/sync_users.py
@@ -1502,9 +1502,7 @@ def _update_authz_in_arborist(self, session, user_projects, user_yaml=None):
         # from authorization sources get policies revoked
         arborist_user_projects = {}
         try:
-            arborist_users = self.arborist_client.get(
-                url=self.arborist_client._user_url
-            ).json["users"]
+            arborist_users = self.arborist_client.get_users().json["users"]
 
             # construct user information, NOTE the lowering of the username. when adding/
             # removing access, the case in the Fence db is used. For combining access, it is

diff --git a/fence/utils.py b/fence/utils.py
@@ -191,7 +191,7 @@ def clear_cookies(response):
     Set all cookies to empty and expired.
     """
     for cookie_name in list(flask.request.cookies.keys()):
-        response.set_cookie(cookie_name, "", expires=0)
+        response.set_cookie(cookie_name, "", expires=0, httponly=True)
 
 
 def get_error_params(error, description):