Merge branch 'integration202006' of https://github.com/uc-cdis/fence …
…into stable
Showing
11 changed files
with
401 additions
and
90 deletions.
|
@@ -2,5 +2,5 @@ | |
|
||
@Library('cdis-jenkins-lib@master') _ | ||
|
||
testPipeline { | ||
testPipeline { | ||
} |
@@ -0,0 +1,18 @@ | ||
import flask | ||
|
||
from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback | ||
from fence.models import IdentityProvider | ||
|
||
|
||
class CognitoLogin(DefaultOAuth2Login): | ||
def __init__(self): | ||
super(CognitoLogin, self).__init__( | ||
idp_name=IdentityProvider.cognito, client=flask.current_app.cognito_client | ||
) | ||
|
||
|
||
class CognitoCallback(DefaultOAuth2Callback): | ||
def __init__(self): | ||
super(CognitoCallback, self).__init__( | ||
idp_name=IdentityProvider.cognito, client=flask.current_app.cognito_client | ||
) |
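Review bot: CognitoLogin and CognitoCallback carry no docstring, while CognitoOauth2Client added in the same commit documents itself; a one-liner on each, e.g. `"""Login view for the Amazon Cognito identity provider (see DefaultOAuth2Login)."""` and `"""Callback view for Amazon Cognito; exchanges the code via the app's cognito_client."""`, would make the wiring self-explanatory. Both constructors read `flask.current_app.cognito_client` in `__init__`, so they can only be instantiated inside an application context and after `cognito_client` has been attached to the app; if the blueprint can be registered with Cognito unconfigured, that attribute access is where the failure will surface, and a short comment saying so would save the next reader a trip through the app factory.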
@@ -0,0 +1,68 @@ | ||
import json | ||
from .idp_oauth2 import Oauth2ClientBase | ||
|
||
|
||
class CognitoOauth2Client(Oauth2ClientBase): | ||
""" | ||
Amazon Cognito OIDC client | ||
https://docs.aws.amazon.com/cognito/index.html | ||
At time of writing, the Cognito issuer/auth/jwks/token endpoints and | ||
discovery url do not follow the standard OIDC patterns. Furthermore they | ||
depend on the user pool name/ID (and therefore cannot be hardcoded). | ||
So, just pass "" as default values to get_value_from_discovery_doc | ||
and log error when necessary. | ||
""" | ||
|
||
def __init__(self, settings, logger, HTTP_PROXY=None): | ||
super(CognitoOauth2Client, self).__init__( | ||
settings, | ||
logger, | ||
scope="openid email", | ||
discovery_url=settings["discovery_url"], | ||
idp="Amazon Cognito", | ||
HTTP_PROXY=HTTP_PROXY, | ||
) | ||
|
||
def get_auth_url(self): | ||
""" | ||
Get authorization endpoint from discovery doc | ||
and construct authorization url | ||
""" | ||
authorization_endpoint = self.get_value_from_discovery_doc( | ||
"authorization_endpoint", "" | ||
) | ||
uri, state = self.session.create_authorization_url( | ||
authorization_endpoint, prompt="login" | ||
) | ||
|
||
return uri | ||
|
||
def get_user_id(self, code): | ||
""" | ||
Exchange code for tokens, get email from id token claims. | ||
Return dict with "email" field on success OR "error" field on error. | ||
""" | ||
try: | ||
token_endpoint = self.get_value_from_discovery_doc("token_endpoint", "") | ||
jwks_endpoint = self.get_value_from_discovery_doc("jwks_uri", "") | ||
claims = self.get_jwt_claims_identity(token_endpoint, jwks_endpoint, code) | ||
|
||
self.logger.info( | ||
"Received id token from Cognito:\n{}".format( | ||
json.dumps(claims, indent=4) | ||
) | ||
) | ||
|
||
if claims["email"] and ( | ||
claims["email_verified"] or self.settings["assume_emails_verified"] | ||
): | ||
return {"email": claims["email"]} | ||
elif claims["email"]: | ||
return {"error": "Email is not verified"} | ||
else: | ||
return {"error": "Can't get email from claims"} | ||
|
||
except Exception as e: | ||
self.logger.exception("Can't get user info from Cognito") | ||
return {"error": "Can't get user info from Cognito: {}".format(e)} |
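Review bot: `get_user_id` writes the complete ID-token claims to the log at INFO level via `json.dumps(claims, indent=4)`, which puts the user's email and every other identity claim Cognito returns into routine application logs; log only the subject at INFO and keep the full dump at DEBUG. The same function indexes `claims["email"]`, `claims["email_verified"]` and `self.settings["assume_emails_verified"]` directly, so an absent claim or config key raises KeyError, is swallowed by the broad `except Exception`, and is reported as `Can't get user info from Cognito: 'email'` rather than through the `Can't get email from claims` branch, which is unreachable when the claim is missing altogether. Switching the three lookups to `.get()` restores that branch and keeps the error text accurate. `get_auth_url` discards the `state` returned by `create_authorization_url`; that is presumably bound to the session and checked by the base class or the callback, but it is worth confirming since nothing in this file does it.
```python
            claims = self.get_jwt_claims_identity(token_endpoint, jwks_endpoint, code)

            # Keep identity claims out of INFO-level logs; full payload only at DEBUG.
            self.logger.info("Received id token from Cognito for sub=%s", claims.get("sub"))
            self.logger.debug(
                "Cognito id token claims:\n%s", json.dumps(claims, indent=4)
            )

            email = claims.get("email")
            verified = claims.get("email_verified") or self.settings.get(
                "assume_emails_verified", False
            )
            if email and verified:
                return {"email": email}
            elif email:
                return {"error": "Email is not verified"}
            else:
                return {"error": "Can't get email from claims"}
            # … unchanged: except Exception handler …
```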