def get_user_info():
user_info = {}
set_current_token(validate_request(aud={"user"}))
user_id = current_token["sub"]
username = current_token["context"]["user"]["name"]
if user_id is not None:
user_info = {"user_id": str(user_id), "username": username}
return user_info
def _get_user_info():
"""
Attempt to parse the request for token to authenticate the user. fallback to
populated information about an anonymous user.
"""
try:
set_current_token(validate_request(aud={"user"}))
user_id = str(current_token["sub"])
username = current_token["context"]["user"]["name"]
except JWTError:
# this is fine b/c it might be public data, sign with anonymous username/id
user_id = ANONYMOUS_USER_ID
username = ANONYMOUS_USERNAME
return {"user_id": user_id, "username": username}
def _generate_google_storage_signed_url(self, http_verb, resource_path,
expiration_time):
set_current_token(validate_request(aud={"user"}))
user_id = current_token["sub"]
proxy_group_id = get_or_create_proxy_group_id()
username = current_token.get("context", {}).get("user", {}).get("name")
private_key, key_db_entry = get_or_create_primary_service_account_key(
user_id=user_id, username=username, proxy_group_id=proxy_group_id)
# Make sure the service account key expiration is later
# than the expiration for the signed url. If it's not, we need to
# provision a new service account key.
#
# NOTE: This should occur very rarely: only when the service account key
# already exists and is very close to expiring.
#
# If our scheduled maintainence script removes the url-signing key
# before the expiration of the url then the url will NOT work
# (even though the url itself isn't expired)
if key_db_entry and key_db_entry.expires < expiration_time:
private_key = create_primary_service_account_key(
user_id=user_id,
username=username,
proxy_group_id=proxy_group_id)
final_url = cirrus.google_cloud.utils.get_signed_url(
resource_path,
http_verb,
expiration_time,
extension_headers=None,
content_type="",
md5_value="",
service_account_creds=private_key,
)
return final_url
def get(self):
"""
Link a user's Google account after AuthN.
This is Google's callback that occurs after oauth2 flow and does
the actual linkage/creation in our db.
This will redirect with `error` and `error_description` query params
if any issues arise.
Raises:
UserError: No redirect provided
"""
provided_redirect = flask.session.get("redirect")
code = flask.request.args.get("code")
if not config.get("MOCK_GOOGLE_AUTH", False):
google_response = flask.current_app.google_client.get_user_id(code)
email = google_response.get("email")
else:
# if we're mocking google auth, mock response to include the email
# from the provided access token
try:
token = validate_request(scope={"user"},
audience=config.get("BASE_URL"))
email = get_user_from_claims(token).username
except Exception as exc:
logger.info(
"Unable to parse Google email from token, using default mock value. "
"Error: {}".format(exc))
email = flask.request.cookies.get(
config.get("DEV_LOGIN_COOKIE_NAME"), "*****@*****.**")
error = ""
error_description = ""
# get info from session and then clear it
user_id = flask.session.get("user_id")
proxy_group = flask.session.get("google_proxy_group_id")
expires_in = flask.session.get("google_link_expires_in")
_clear_google_link_info_from_session()
if not email:
error = "g_acnt_auth_failure"
error_description = google_response
else:
error, error_description = get_errors_update_user_google_account_dry_run(
user_id, email, proxy_group, _already_authed=True)
if not error:
exp = _force_update_user_google_account(
user_id,
email,
proxy_group,
_allow_new=True,
requested_expires_in=expires_in,
)
# TODO: perhaps this is problematic??
# keep linked email in session so when session refreshes access
# token, we don't have to hit db to see if user has linked acnt
# NOTE: This only saves us from a db hit if they maintain their
# session
flask.session["linked_google_email"] = email
# if we have a redirect, follow it and add any errors
if provided_redirect:
if error:
redirect_with_params = append_query_params(
provided_redirect,
error=error,
error_description=error_description)
else:
redirect_with_params = append_query_params(provided_redirect,
linked_email=email,
exp=exp)
return flask.redirect(redirect_with_params)
else:
# we don't have a redirect, so the endpoint was probably hit
# without the actual auth flow. Raise with error info
if error:
raise UserError({error: error_description})
else:
raise UserError({"error": "No redirect provided."})
