Merge 6a71a24 into cd77029

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "poetry.lock",
     "lines": null
   },
-  "generated_at": "2021-05-25T15:36:55Z",
+  "generated_at": "2021-05-25T17:14:14Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -84,7 +84,7 @@
       {
         "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db",
         "is_verified": false,
-        "line_number": 545,
+        "line_number": 551,
         "type": "Secret Keyword"
       }
     ],

DockerfileShib

@@ -5,7 +5,7 @@
 # This Dockerfile is NOT compatible yet with the latest Fence (Python 3
 # and depdencency management via Poetry) - for now, use Fence 2.7.x.
 
-FROM ubuntu:16.04
+FROM quay.io/cdis/ubuntu:16.04
 
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -40,14 +40,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 COPY . /fence
 WORKDIR /fence
+
+# install poetry
+RUN curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
+
+# cache so that poetry install will run if these files change
+COPY poetry.lock pyproject.toml /fence/
+
+# install Fence and dependencies via poetry
+RUN $HOME/.poetry/bin/poetry config virtualenvs.create false \
+    && $HOME/.poetry/bin/poetry install -vv --no-dev --no-interaction \
+    && $HOME/.poetry/bin/poetry show -v
+
 #
 # Custom apache24 logging - see http://www.loadbalancer.org/blog/apache-and-x-forwarded-for-headers/
 #
 RUN ln -s /fence/wsgi.py /var/www/fence/wsgi.py \
-    && pip install -r requirements.txt \
     && COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" >fence/version_data.py \
     && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >>fence/version_data.py \
-    && python setup.py develop \
     && echo '<VirtualHost *:80>\n\
     ServerName SERVERNAME \n\
     WSGIDaemonProcess /fence processes=2 threads=4 python-path=/var/www/fence/:/fence/:/usr/bin/python\n\

README.md

@@ -13,7 +13,7 @@ Fence is a core service of the Gen3 stack that has multiple capabilities:
 1. Act as an [auth broker](#auth-broker) to integrate with one or more [IdPs](#IdP) and provide downstream authentication and authorization for Gen3 services.
 2. [Manage tokens](#token-management).
 3. Act as an [OIDC provider](#oidc--oauth2) to support external applications to use Gen3 services.
-4. [Issue short lived, cloud native credentials to access data in various cloud storage services](#accessing-data)
+4. [Issue short lived, cloud native credentials to access data in various cloud storage services](#accessing-data).
 
 
 ## Contents

fence/auth.py

@@ -183,6 +183,16 @@ def wrapper(*args, **kwargs):
             if enable_shib and "SHIBBOLETH_HEADER" in config:
                 eppn = flask.request.headers.get(config["SHIBBOLETH_HEADER"])
 
+                # if unique ID not in normal header, try secondary header
+                if not eppn and config["SHIBBOLETH_HEADER_SECONDARY"]:
+                    logger.debug(
+                        f"No user ID found in SHIBBOLETH_HEADER {config['SHIBBOLETH_HEADER']}. "
+                        f"Trying secondary header: {config['SHIBBOLETH_HEADER_SECONDARY']}"
+                    )
+                    eppn = flask.request.headers.get(
+                        config["SHIBBOLETH_HEADER_SECONDARY"]
+                    )
+
             if config.get("MOCK_AUTH") is True:
                 eppn = "test"
             # if there is authorization header for oauth

fence/config-default.yaml

@@ -439,6 +439,12 @@ SUPPORT_EMAIL_FOR_ERRORS: null
 # //////////////////////////////////////////////////////////////////////////////////////
 # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
 SHIBBOLETH_HEADER: 'persistent_id'
+
+# secondary header for getting unique ID
+# NOTE: For NIH's Shibboleth setup, NIH-internal employees (NIH/CIT setup no longer
+#       shares a common attribute for both internal/external employees)
+SHIBBOLETH_HEADER_SECONDARY: 'eduPersonPrincipalName'
+
 SSO_URL: 'https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState='
 ITRUST_GLOBAL_LOGOUT: 'https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl='
 

tests/login/login_shib.py

@@ -11,13 +11,29 @@ def test_shib_login(app, client):
     assert r.status_code == 200
 
 
+def test_shib_login_secondary(app, client):
+    r = client.get(
+        "/login/shib/login", headers={config["SHIBBOLETH_HEADER_SECONDARY"]: "test"}
+    )
+    assert r.status_code == 200
+
+
 def test_shib_login_redirect(app, client):
     r = client.get("/login/shib?redirect=http://localhost")
     r = client.get("/login/shib/login", headers={config["SHIBBOLETH_HEADER"]: "test"})
     assert r.status_code == 302
     assert r.headers["Location"] == "http://localhost"
 
 
+def test_shib_login_redirect_secondary(app, client):
+    r = client.get("/login/shib?redirect=http://localhost")
+    r = client.get(
+        "/login/shib/login", headers={config["SHIBBOLETH_HEADER_SECONDARY"]: "test"}
+    )
+    assert r.status_code == 302
+    assert r.headers["Location"] == "http://localhost"
+
+
 def test_shib_login_fail(client):
     r = client.get("/login/shib/login")
     assert r.status_code == 401

tests/test-fence-config.yaml

@@ -300,6 +300,12 @@ SUPPORT_EMAIL_FOR_ERRORS: null
 # //////////////////////////////////////////////////////////////////////////////////////
 # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
 SHIBBOLETH_HEADER: 'persistent_id'
+
+# secondary header for getting unique ID
+# NOTE: For NIH's Shibboleth setup, NIH-internal employees (NIH/CIT setup no longer
+#       shares a common attribute for both internal/external employees)
+SHIBBOLETH_HEADER_SECONDARY: 'eduPersonPrincipalName'
+
 SSO_URL: 'https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState='
 ITRUST_GLOBAL_LOGOUT: 'https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl='