Feat/awg integration

bin/fence-create

@@ -97,6 +97,7 @@ def main():
     # get database information
     sys.path.append(args.path)
 
+
     if os.environ.get('FENCE_DB'):
         DB = os.environ['FENCE_DB']
     else:

fence/__init__.py

@@ -4,7 +4,7 @@
 from authutils.oauth2.client import OAuthClient
 import flask
 from flask.ext.cors import CORS
-from flask_sqlalchemy_session import flask_scoped_session
+from flask_sqlalchemy_session import flask_scoped_session, current_session
 import urlparse
 from userdatamodel.driver import SQLAlchemyDriver
 
@@ -109,9 +109,14 @@ def root():
     @app.route('/logout')
     def logout_endpoint():
         root = app.config.get('APPLICATION_ROOT', '')
-        next_url = build_redirect_url(app.config.get('ROOT_URL', ''), flask.request.args.get('next', root))
+        request_next = flask.request.args.get('next', root)
+        if request_next.startswith('https') or request_next.startswith('http'):
+            next_url = request_next
+        else:
+            next_url = build_redirect_url(app.config.get('ROOT_URL', ''), request_next)
         return logout(next_url=next_url)
 
+
     @app.route('/jwt/keys')
     def public_keys():
         """
@@ -140,10 +145,10 @@ def app_sessions(app):
     app.db = SQLAlchemyDriver(app.config['DB'])
     migrate(app.db)
     session = flask_scoped_session(app.db.Session, app)  # noqa
-    # app.storage_manager = StorageManager(
-    #     app.config['STORAGE_CREDENTIALS'],
-    #     logger=app.logger
-    # )
+    app.storage_manager = StorageManager(
+        app.config['STORAGE_CREDENTIALS'],
+        logger=app.logger
+    )
     enabled_idp_ids = (
         app.config['ENABLED_IDENTITY_PROVIDERS']['providers'].keys()
     )
@@ -177,6 +182,7 @@ def app_init(app, settings='fence.settings', root_dir=None):
     server.init_app(app)
 
 
+
 @app.errorhandler(Exception)
 def user_error(error):
     """
@@ -195,9 +201,11 @@ def check_csrf():
         return
     # cookie based authentication
     if flask.request.method != 'GET':
-        csrf_cookie = flask.request.headers.get('x-csrf-token')
-        csrf_header = flask.request.cookies.get('csrftoken')
-        if not csrf_cookie or not csrf_header or csrf_cookie != csrf_header:
+        csrf_header = flask.request.headers.get('x-csrf-token')
+        csrf_cookie = flask.request.cookies.get('csrftoken')
+        referer = flask.request.headers.get('referer')
+        flask.current_app.logger.debug('HTTP REFERER ' + referer)         
+        if not all([csrf_cookie, csrf_header, csrf_cookie == csrf_header, referer]):
             raise UserError("CSRF verification failed. Request aborted")
 
 
@@ -209,4 +217,8 @@ def set_csrf(response):
     if not flask.request.cookies.get('csrftoken'):
         secure = app.config.get('SESSION_COOKIE_SECURE', True)
         response.set_cookie('csrftoken', random_str(40), secure=secure)
+
+    if flask.request.method in ['POST', 'PUT', 'DELETE']:
+        current_session.commit()
     return response
+

fence/auth.py

@@ -58,13 +58,15 @@ def logout(next_url=None):
     # Call get_current_user (but ignore the result) just to check that either
     # the user is logged in or that authorization is mocked.
     user = get_current_user()
+    flask.current_app.logger.debug("IN AUTH LOGOUT, next_url = {0}".format(next_url))
     if not user:
         raise Unauthorized("You are not logged in")
+    itrust_next_url = None
     if flask.session.get('provider') == IdentityProvider.itrust:
-        next_url = flask.current_app.config['ITRUST_GLOBAL_LOGOUT'] + next_url
+        itrust_next_url = flask.current_app.config['ITRUST_GLOBAL_LOGOUT'] + next_url
     flask.session.clear()
     redirect_response = flask.make_response(
-        flask.redirect(next_url)
+        flask.redirect(itrust_next_url or next_url)
     )
     clear_cookies(redirect_response)
     return redirect_response
@@ -84,6 +86,7 @@ def check_scope_and_call(*args, **kwargs):
     return wrapper
 
 
+
 def login_required(scope=None):
     """
     Create decorator to require a user session in shibboleth.
@@ -184,3 +187,16 @@ def get_user_from_claims(claims):
         .filter(User.id == claims['sub'])
         .first()
     )
+
+def admin_required(f):
+    """
+    Require user to be an admin user. 
+    """
+    @wraps(f)
+    def wrapper(*args, **kwargs):
+        if not flask.g.user:
+            raise Unauthorized("Require login")
+        if flask.g.user.is_admin is not True:
+            raise Unauthorized("Require admin user")
+        return f(*args, **kwargs)
+    return wrapper