Merge b18941e into 27c6598

.secrets.baseline

@@ -130,7 +130,7 @@
         "filename": "fence/blueprints/storage_creds/google.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 139
+        "line_number": 141
       }
     ],
     "fence/blueprints/storage_creds/other.py": [
@@ -180,7 +180,7 @@
         "filename": "fence/resources/google/utils.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 132
+        "line_number": 134
       }
     ],
     "fence/utils.py": [
@@ -334,5 +334,5 @@
       }
     ]
   },
-  "generated_at": "2022-08-12T15:25:33Z"
+  "generated_at": "2022-08-26T21:25:15Z"
 }

.travis.yml

@@ -1,7 +1,7 @@
 language: python
 
 python:
-  - "3.6"
+  - "3.9"
 
 sudo: false
 

Dockerfile

@@ -1,7 +1,7 @@
 # To run: docker run --rm -d -v /path/to/fence-config.yaml:/var/www/fence/fence-config.yaml --name=fence -p 80:80 fence
 # To check running container do: docker exec -it fence /bin/bash
 
-FROM quay.io/cdis/python:python3.6-buster-pybase3-3.0.2
+FROM quay.io/cdis/python:python3.9-buster-2.0.0
 
 ENV appname=fence
 

fence/__init__.py

@@ -4,7 +4,9 @@
 from urllib.parse import urljoin
 import flask
 from flask_cors import CORS
-from flask_sqlalchemy_session import flask_scoped_session, current_session
+from sqlalchemy.orm import scoped_session
+from flask import _app_ctx_stack, current_app
+from werkzeug.local import LocalProxy
 
 from authutils.oauth2.client import OAuthClient
 from cdislogging import get_logger
@@ -112,7 +114,9 @@ def app_sessions(app):
     SQLAlchemyDriver.setup_db = lambda _: None
     app.db = SQLAlchemyDriver(config["DB"])
 
-    session = flask_scoped_session(app.db.Session, app)  # noqa
+    # Not passing in a scoping funtction as argument, assuming that request will be handled by 1 thread
+    # and the default thread-local db session will work
+    app.scoped_session = scoped_session(app.db.session)
     app.session_interface = UserSessionInterface()
 
 
@@ -366,6 +370,7 @@ def _setup_data_endpoint_and_boto(app):
     if "AWS_CREDENTIALS" in config and len(config["AWS_CREDENTIALS"]) > 0:
         value = list(config["AWS_CREDENTIALS"].values())[0]
         app.boto = BotoManager(value, logger=logger)
+        # import pdb;pdb.set_trace();
         app.register_blueprint(fence.blueprints.data.blueprint, url_prefix="/data")
 
 
@@ -558,3 +563,10 @@ def check_csrf():
             logger.debug("HTTP REFERER " + str(referer))
         except Exception as e:
             raise UserError("CSRF verification failed: {}. Request aborted".format(e))
+
+
+@app.teardown_appcontext
+def remove_scoped_session(*args, **kwargs):
+    # pylint: disable=missing-docstring,unused-argument,unused-variable
+    if hasattr(app, "scoped_session"):
+        app.scoped_session.remove()

fence/auth.py

@@ -1,5 +1,7 @@
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 from functools import wraps
 import urllib.request, urllib.parse, urllib.error
 

fence/blueprints/admin.py

@@ -7,7 +7,9 @@
 import functools
 
 from flask import request, jsonify, Blueprint, current_app
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from cdislogging import get_logger
 

fence/blueprints/data/blueprint.py

@@ -1,6 +1,7 @@
 import flask
 
 from cdislogging import get_logger
+from pkg_resources import require
 
 from fence.auth import login_required, require_auth_header, current_token, get_jwt
 from fence.authz.auth import check_arborist_auth

fence/blueprints/data/indexd.py

@@ -51,6 +51,8 @@
 from . import multipart_upload
 from ...models import AssumeRoleCacheAWS, query_for_user, query_for_user_by_id
 from ...models import AssumeRoleCacheGCP
+import traceback
+import sys
 
 logger = get_logger(__name__)
 

fence/blueprints/google.py

@@ -39,7 +39,9 @@
 )
 from fence.models import UserServiceAccount
 from fence.utils import get_valid_expiration_from_request
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 
 class ValidationErrors(str, Enum):

fence/blueprints/link.py

@@ -2,7 +2,9 @@
 
 import flask
 from flask_restful import Resource
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from cdislogging import get_logger
 

fence/blueprints/login/ras.py

@@ -87,7 +87,7 @@ def post_login(self, user=None, token_result=None, id_from_idp=None):
         refresh_token = flask.g.tokens["refresh_token"]
         assert "id_token" in flask.g.tokens, "No id_token in user tokens"
         id_token = flask.g.tokens["id_token"]
-        decoded_id = jwt.decode(id_token, verify=False)
+        decoded_id = jwt.decode(id_token, options={"verify_signature": False})
 
         # Add 15 days to iat to calculate refresh token expiration time
         # TODO do they really not provide exp?

fence/blueprints/register.py

@@ -5,7 +5,9 @@
 """
 
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 from flask_wtf import FlaskForm
 from wtforms import StringField
 from wtforms.validators import DataRequired, Email, StopValidation, ValidationError

fence/blueprints/storage_creds/__init__.py

@@ -1,5 +1,7 @@
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from fence.auth import require_auth_header
 from fence.blueprints.storage_creds.api import AccessKey, ApiKey, ApiKeyList

fence/blueprints/storage_creds/google.py

@@ -4,7 +4,9 @@
 import time
 from distutils.util import strtobool
 from flask_restful import Resource
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from cirrus import GoogleCloudManager
 from cirrus.config import config as cirrus_config

fence/blueprints/user.py

@@ -1,5 +1,7 @@
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from fence.auth import login_required, current_token
 from fence.errors import Unauthorized, UserError, NotFound

fence/blueprints/well_known.py

@@ -10,7 +10,7 @@
 from fence.config import config
 
 
-blueprint = flask.Blueprint(".well-known", __name__)
+blueprint = flask.Blueprint("well-known", __name__)
 
 
 @blueprint.route("/jwks", methods=["GET"])

fence/dbSession.py

@@ -0,0 +1,21 @@
+from flask import _app_ctx_stack, current_app
+from werkzeug.local import LocalProxy
+
+
+def _get_session():
+    # pylint: disable=missing-docstring, protected-access
+    context = _app_ctx_stack.top
+    if context is None:
+        raise RuntimeError(
+            "Cannot access current_session when outside of an application " "context."
+        )
+    app = current_app._get_current_object()
+    if not hasattr(app, "scoped_session"):
+        raise AttributeError(
+            "{0} has no 'scoped_session' attribute. You need to initialize it "
+            "with a flask_scoped_session.".format(app)
+        )
+    return app.scoped_session
+
+
+current_session = LocalProxy(_get_session)

fence/jwt/token.py

@@ -114,7 +114,7 @@ def from_signed_and_encoded_token(
             encoded_token,
             public_key,
             algorithms="RS256",
-            verify=verify,
+            options={"verify_signature": verify},
             audience=client_id,
         )
         headers = {}

fence/jwt/validate.py

@@ -104,7 +104,9 @@ def validate_jwt(
         if oidc_iss:
             issuers.append(oidc_iss)
     try:
-        token_iss = jwt.decode(encoded_token, verify=False).get("iss")
+        token_iss = jwt.decode(encoded_token, options={"verify_signature": False}).get(
+            "iss"
+        )
     except jwt.InvalidTokenError as e:
         raise JWTError(e)
     attempt_refresh = attempt_refresh and (token_iss != iss)
@@ -133,7 +135,9 @@ def validate_jwt(
         # remove patch in next tag. Refresh tokens and API keys have default TTL of 30 days.
         from authutils.errors import JWTAudienceError
 
-        unverified_claims = jwt.decode(encoded_token, verify=False)
+        unverified_claims = jwt.decode(
+            encoded_token, options={"verify_signature": False}
+        )
         if unverified_claims.get("pur") == "refresh" and isinstance(
             e, JWTAudienceError
         ):
@@ -171,7 +175,9 @@ def validate_jwt(
         else:
             ##### end refresh token, API key patch block #####
             msg = "Invalid token : {}".format(str(e))
-            unverified_claims = jwt.decode(encoded_token, verify=False)
+            unverified_claims = jwt.decode(
+                encoded_token, options={"verify_signature": False}
+            )
             if not unverified_claims.get("scope") or "" in unverified_claims["scope"]:
                 msg += "; was OIDC client configured with scopes?"
             raise JWTError(msg)

fence/oidc/jwt_generator.py

@@ -1,5 +1,7 @@
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from fence.jwt.token import (
     AuthFlowTypes,

fence/resources/audit/utils.py

@@ -99,6 +99,7 @@ def create_audit_log_for_request_decorator(response):
             # functions directly, because `is_audit_enabled` depends on
             # the config being loaded
             flask.after_this_request(create_audit_log_for_request_decorator)
+
         return f(*args, **kwargs)
 
     return wrapper

fence/resources/google/utils.py

@@ -3,7 +3,9 @@
 import os
 from cryptography.fernet import Fernet
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 from sqlalchemy import desc, func
 
 from cdislogging import get_logger

fence/resources/user/__init__.py

@@ -160,7 +160,9 @@ def get_user_info(current_session, username):
         encoded_access_token = None
 
     if encoded_access_token:
-        at_scopes = jwt.decode(encoded_access_token, verify=False).get("scope", "")
+        at_scopes = jwt.decode(
+            encoded_access_token, options={"verify_signature": False}
+        ).get("scope", "")
         if "ga4gh_passport_v1" in at_scopes:
             info["ga4gh_passport_v1"] = []
 

fence/user.py

@@ -1,5 +1,7 @@
 import flask
-from flask_sqlalchemy_session import current_session
+
+# from flask_sqlalchemy_session import current_session
+from fence.dbSession import current_session
 
 from fence.errors import Unauthorized
 from fence.models import query_for_user