Merge branch 'fix/usersync-access' of github.com:uc-cdis/fence into f…

…ix/usersync-access
uc-cdis · Oct 14, 2019 · b47cd57 · b47cd57
2 parents 9869103 + f2341d0
commit b47cd57
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 13 deletions.
diff --git a/fence/blueprints/login/synapse.py b/fence/blueprints/login/synapse.py
@@ -19,20 +19,29 @@ def __init__(self):
 class SynapseCallback(DefaultOAuth2Callback):
     def __init__(self):
         super(SynapseCallback, self).__init__(
-            idp_name=IdentityProvider.synapse, client=flask.current_app.synapse_client
+            idp_name=IdentityProvider.synapse,
+            client=flask.current_app.synapse_client,
+            username_field="fence_username",
         )
 
     def post_login(self, user, token_result):
         user.id_from_idp = token_result["sub"]
+        user.email = token_result["email_verified"]
         user.display_name = "{given_name} {family_name}".format(**token_result)
-        if user.additional_info is None:
-            user.additional_info = {}
-        user.additional_info.update(token_result)
+        info = {}
+        if user.additional_info is not None:
+            info.update(user.additional_info)
+        info.update(token_result)
+        info.pop("fence_username", None)
+        info.pop("exp", None)
+        user.additional_info = info
         current_session.add(user)
         current_session.commit()
 
         with flask.current_app.arborist.context(authz_provider="synapse"):
             if config["DREAM_CHALLENGE_TEAM"] in token_result.get("team", []):
+                # make sure the user exists in Arborist
+                flask.current_app.arborist.create_user(dict(name=user.username))
                 flask.current_app.arborist.add_user_to_group(
                     user.username,
                     config["DREAM_CHALLENGE_GROUP"],

diff --git a/fence/resources/openid/synapse_oauth2.py b/fence/resources/openid/synapse_oauth2.py
@@ -17,18 +17,18 @@ class SynapseOauth2Client(Oauth2ClientBase):
 
     REQUIRED_CLAIMS = {"given_name", "family_name", "email", "email_verified"}
     OPTIONAL_CLAIMS = {
-        "company",
-        "userid",
-        "orcid",
-        "is_certified",
-        "is_validated",
+        # "company",
+        # "userid",
+        # "orcid",
+        # "is_certified",
+        # "is_validated",
         "validated_given_name",
         "validated_family_name",
-        "validated_location",
+        # "validated_location",
         "validated_email",
-        "validated_company",
-        "validated_orcid",
-        "validated_at",
+        # "validated_company",
+        # "validated_orcid",
+        # "validated_at",
     }
     SYSTEM_CLAIMS = {"sub", "exp"}
     CUSTOM_CLAIMS = {"team"}
@@ -125,6 +125,7 @@ def get_user_id(self, code):
                         return dict(error="Required claim {} not found".format(claim))
                 else:
                     rv[claim] = value
+            rv["fence_username"] = rv["email"] + " (via Synapse)"
             return rv
         except Exception as e:
             self.logger.exception("Can't get user info")

diff --git a/fence/resources/user/__init__.py b/fence/resources/user/__init__.py
@@ -95,12 +95,15 @@ def get_user_info(current_session, username):
             resources = flask.current_app.arborist.list_resources_for_user(
                 user.username
             )
+            auth_mapping = flask.current_app.arborist.auth_mapping(user.username)
         except ArboristError:
             logger.error(
                 "request to arborist for user's resources failed; going to list empty"
             )
             resources = []
+            auth_mapping = {}
         info["resources"] = resources
+        info["authz"] = auth_mapping
 
     if user.tags is not None and len(user.tags) > 0:
         info["tags"] = {tag.key: tag.value for tag in user.tags}