Revert "(PXP-7565): User registration, plus CSRF changes (#906)"

This reverts commit 9dc8805.

.secrets.baseline

@@ -66,6 +66,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -96,6 +100,12 @@
     },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "poetry.lock"
+      ]
     }
   ],
   "results": {
@@ -182,26 +192,19 @@
       }
     ],
     "tests/conftest.py": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/conftest.py",
-        "hashed_secret": "9801ff058ba790388c9efc095cb3e89a819d5ed6",
-        "is_verified": false,
-        "line_number": 160
-      },
       {
         "type": "Private Key",
         "filename": "tests/conftest.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 1357
+        "line_number": 1174
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "tests/conftest.py",
         "hashed_secret": "227dea087477346785aefd575f91dd13ab86c108",
         "is_verified": false,
-        "line_number": 1380
+        "line_number": 1197
       }
     ],
     "tests/credentials/google/test_credentials.py": [
@@ -251,7 +254,7 @@
         "filename": "tests/ras/test_ras.py",
         "hashed_secret": "d9db6fe5c14dc55edd34115cdf3958845ac30882",
         "is_verified": false,
-        "line_number": 95
+        "line_number": 92
       }
     ],
     "tests/scripting/test_fence-create.py": [
@@ -260,7 +263,7 @@
         "filename": "tests/scripting/test_fence-create.py",
         "hashed_secret": "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4",
         "is_verified": false,
-        "line_number": 1122
+        "line_number": 1120
       }
     ],
     "tests/test-fence-config.yaml": [
@@ -280,5 +283,5 @@
       }
     ]
   },
-  "generated_at": "2021-08-18T02:36:18Z"
+  "generated_at": "2021-07-28T16:10:55Z"
 }

fence/__init__.py

@@ -9,7 +9,6 @@
 from authutils.oauth2.client import OAuthClient
 from cdislogging import get_logger
 from gen3authz.client.arborist.client import ArboristClient
-from flask_wtf.csrf import validate_csrf
 from userdatamodel.driver import SQLAlchemyDriver
 from werkzeug.middleware.dispatcher import DispatcherMiddleware
 
@@ -50,7 +49,6 @@
 import fence.blueprints.link
 import fence.blueprints.google
 import fence.blueprints.privacy
-import fence.blueprints.register
 
 
 # for some reason the temp dir does not get created properly if we move
@@ -136,8 +134,6 @@ def app_register_blueprints(app):
         fence.blueprints.privacy.blueprint, url_prefix="/privacy-policy"
     )
 
-    app.register_blueprint(fence.blueprints.register.blueprint, url_prefix="/register")
-
     fence.blueprints.misc.register_misc(app)
 
     @app.route("/")
@@ -473,24 +469,25 @@ def check_csrf():
         return
     if not config.get("ENABLE_CSRF_PROTECTION", True):
         return
+    # cookie based authentication
     if flask.request.method != "GET":
-        try:
-            csrf_header = flask.request.headers.get("x-csrf-token")
-            csrf_formfield = flask.request.form.get("csrf_token")
-            # validate_csrf checks the input (a signed token) against the raw
-            # token stored in session["csrf_token"].
-            # (session["csrf_token"] is managed by flask-wtf.)
-            # To pass CSRF check, there must exist EITHER an x-csrf-token header
-            # OR a csrf_token form field that matches the token in the session.
-            assert (
-                csrf_header
-                and validate_csrf(csrf_header) is None
-                or csrf_formfield
-                and validate_csrf(csrf_formfield) is None
-            )
+        csrf_header = flask.request.headers.get("x-csrf-token")
+        csrf_cookie = flask.request.cookies.get("csrftoken")
+        referer = flask.request.headers.get("referer")
+        logger.debug("HTTP REFERER " + str(referer))
+        if not all([csrf_cookie, csrf_header, csrf_cookie == csrf_header, referer]):
+            raise UserError("CSRF verification failed. Request aborted")
+
+
+@app.after_request
+def set_csrf(response):
+    """
+    Create a cookie for CSRF protection if one does not yet exist
+    """
+    if not flask.request.cookies.get("csrftoken"):
+        secure = config.get("SESSION_COOKIE_SECURE", True)
+        response.set_cookie("csrftoken", random_str(40), secure=secure, httponly=True)
 
-            referer = flask.request.headers.get("referer")
-            assert referer, "Referer header missing"
-            logger.debug("HTTP REFERER " + str(referer))
-        except Exception as e:
-            raise UserError("CSRF verification failed: {}. Request aborted".format(e))
+    if flask.request.method in ["POST", "PUT", "DELETE"]:
+        current_session.commit()
+    return response

fence/blueprints/admin.py

@@ -13,7 +13,6 @@
 
 from fence.auth import admin_login_required
 from fence.resources import admin
-from fence.models import User
 
 
 logger = get_logger(__name__)
@@ -466,22 +465,3 @@ def delete_cloud_provider(providername):
     """
     response = jsonify(admin.delete_provider(current_session, providername))
     return response
-
-
-@blueprint.route("/register", methods=["GET"])
-@admin_login_required
-def get_registered_users():
-    """
-    - List registration info for every user for which there exists registration info.
-    - Endpoint accessible to admins only.
-    - Response json structure is provisional.
-    """
-    registered_users = (
-        current_session.query(User)
-        .filter(User.additional_info["registration_info"] != "{}")
-        .all()
-    )
-    registration_info_list = {
-        u.username: u.additional_info["registration_info"] for u in registered_users
-    }
-    return registration_info_list

fence/blueprints/login/base.py

@@ -128,13 +128,6 @@ def _login(username, idp_name, email=None):
     redirect.
     """
     login_user(username, idp_name, email=email)
-
-    if config["REGISTER_USERS_ON"]:
-        if not flask.g.user.additional_info.get("registration_info"):
-            return flask.redirect(
-                config["BASE_URL"] + flask.url_for("register.register_user")
-            )
-
     if flask.session.get("redirect"):
         return flask.redirect(flask.session.get("redirect"))
     return flask.jsonify({"username": username})

fence/blueprints/login/fence_login.py

@@ -124,12 +124,6 @@ def get(self):
         )
         self.post_login()
 
-        if config["REGISTER_USERS_ON"]:
-            if not flask.g.user.additional_info.get("registration_info"):
-                return flask.redirect(
-                    config["BASE_URL"] + flask.url_for("register.register_user")
-                )
-
         if "redirect" in flask.session:
             return flask.redirect(flask.session.get("redirect"))
         return flask.jsonify({"username": username})

fence/config-default.yaml

@@ -72,9 +72,6 @@ SESSION_COOKIE_SECURE: true
 
 ENABLE_CSRF_PROTECTION: true
 
-# Signing key for WTForms to sign CSRF tokens with
-WTF_CSRF_SECRET_KEY: '{{ENCRYPTION_KEY}}'
-
 # fence (at the moment) attempts a migration on startup. setting this to false will disable that
 # WARNING: ONLY set to false if you do NOT want to automatically migrate your database.
 #          You should be careful about incompatible versions of your db schema with what
@@ -620,20 +617,6 @@ INDEXD_USERNAME: 'fence'
 # this is the password which fence uses to make authenticated requests to indexd
 INDEXD_PASSWORD: ''
 
-# //////////////////////////////////////////////////////////////////////////////////////
-# AZURE STORAGE BLOB CONFIGURATION
-#   - Support Azure Blob Data Access Methods
-# //////////////////////////////////////////////////////////////////////////////////////
-
-# https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal#view-account-access-keys
-# AZ_BLOB_CREDENTIALS: 'fake connection string'
-AZ_BLOB_CREDENTIALS:
-
-# AZ_BLOB_CONTAINER_URL: 'https://storageaccount.blob.core.windows.net/container/'
-# this is the container used for uploading, and should match the storage account
-# used in the connection string for AZ_BLOB_CREDENTIALS
-AZ_BLOB_CONTAINER_URL: 'https://myfakeblob.blob.core.windows.net/my-fake-container/'
-
 # url where authz microservice is running
 ARBORIST: null
 
@@ -851,11 +834,6 @@ SYNAPSE_AUTHZ_TTL: 86400
 MAX_ROLE_SESSION_INCREASE: false
 ASSUME_ROLE_CACHE_SECONDS: 1800
 
-# Optional user registration feature: Ask users to register (provide firstname/lastname/org/email) on login.
-# If user registers, add them to configured Arborist group; idea is that the Arborist group
-# will have access to download data.
-REGISTER_USERS_ON: false
-REGISTERED_USERS_GROUP: ''
 # RAS refresh_tokens expire in 15 days
 RAS_REFRESH_EXPIRATION: 1296000
 # List of JWT issuers from which Fence will accept GA4GH visas