def app_sessions(app):
    """
    Attach database, storage, session handling, OIDC clients and (optionally)
    the Arborist client to ``app``.

    Everything is driven by ``app.config``: DB, STORAGE_CREDENTIALS,
    ENABLED_IDENTITY_PROVIDERS (``["providers"]`` must exist or KeyError
    propagates), OPENID_CONNECT, HTTP_PROXY and ARBORIST. The Google client is
    created whenever it is configured; the multi-tenant "fence" client
    additionally requires "fence" to be listed as an enabled identity provider.
    """
    app.url_map.strict_slashes = False

    # Database driver, schema migration, and the request-scoped SQLAlchemy
    # session. flask_scoped_session is called for its effect on ``app``; its
    # return value is not used here.
    app.db = SQLAlchemyDriver(app.config["DB"])
    migrate(app.db)
    flask_scoped_session(app.db.Session, app)

    app.storage_manager = StorageManager(
        app.config["STORAGE_CREDENTIALS"], logger=app.logger
    )

    enabled_idp_ids = app.config["ENABLED_IDENTITY_PROVIDERS"]["providers"].keys()
    oidc = app.config["OPENID_CONNECT"] if "OPENID_CONNECT" in app.config else {}

    if "google" in oidc:
        app.google_client = GoogleClient(
            oidc["google"],
            HTTP_PROXY=app.config.get("HTTP_PROXY"),
            logger=app.logger,
        )

    # Multi-tenant fence: the settings mapping (client_id/secret, URLs) is
    # forwarded verbatim as constructor kwargs; nothing is validated here.
    if "fence" in oidc and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**oidc["fence"])

    app.session_interface = UserSessionInterface()

    if app.config.get("ARBORIST"):
        app.arborist = ArboristClient(arborist_base_url=app.config["ARBORIST"])
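def _setup_oidc_clients(app):
    """
    Attach the configured OIDC/OAuth2 clients to ``app``.

    Reads ``config["OPENID_CONNECT"]``; each recognised key (google, orcid,
    ras, synapse, microsoft, cognito) becomes ``app.<key>_client``. The
    multi-tenant "fence" client is created only when "fence" is also an
    enabled IDP -- taken from ``config["LOGIN_OPTIONS"]`` when that is set,
    otherwise from ``ENABLED_IDENTITY_PROVIDERS["providers"]``. The other
    providers are *not* gated on that list (existing behaviour; callers may
    rely on it).

    ``LOGIN_OPTIONS`` is read with ``.get`` so a configuration that predates
    the key falls through to the legacy ``providers`` lookup instead of
    raising ``KeyError`` at startup -- the fallback branch exists for exactly
    that case.

    Args:
        app: Flask application the clients are attached to.
    """
    login_options = config.get("LOGIN_OPTIONS")
    if login_options:
        enabled_idp_ids = [option["idp"] for option in login_options]
    else:
        # fall back on the legacy "providers" mapping
        enabled_idp_ids = list(
            config.get("ENABLED_IDENTITY_PROVIDERS", {}).get("providers", {}).keys()
        )

    oidc = config.get("OPENID_CONNECT", {})
    proxy = config.get("HTTP_PROXY")

    # (config key, app attribute, client class); every class here takes
    # (settings, HTTP_PROXY=..., logger=...). Order matches the original
    # if-chain so a failing constructor stops at the same point.
    dedicated_clients = (
        ("google", "google_client", GoogleClient),
        ("orcid", "orcid_client", ORCIDClient),
        ("ras", "ras_client", RASClient),
        ("synapse", "synapse_client", SynapseClient),
        ("microsoft", "microsoft_client", MicrosoftClient),
        ("cognito", "cognito_client", CognitoClient),
    )
    for key, attr, client_cls in dedicated_clients:
        if key in oidc:
            setattr(app, attr, client_cls(oidc[key], HTTP_PROXY=proxy, logger=logger))

    # Multi-tenant fence: the settings mapping (client_id/secret, URLs) is
    # passed verbatim as constructor kwargs, and only when "fence" is an
    # enabled login IDP.
    if "fence" in oidc and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**oidc["fence"])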
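def config_idp_in_client(app, db_session, kid_2, rsa_private_key_2, rsa_public_key_2, restore_config):
    """
    Pytest fixture: make ``app`` act as a *client* fence whose only login
    option is the upstream ("fence") IDP, then undo the changes on teardown.

    While active the fixture:
      * replaces ``app.keypairs`` with a single keypair (``kid_2``) and
        publishes its public key under ``app.jwt_public_keys["/"]``;
      * points ``app.db.Session`` at ``db_session``;
      * rewrites ``config`` (BASE_URL, MOCK_AUTH, DEFAULT_LOGIN_IDP,
        LOGIN_OPTIONS, OPENID_CONNECT) and builds ``app.fence_client`` from
        the new ``OPENID_CONNECT["fence"]`` entry.

    Yields a ``Dict`` with the client_id / client_secret this fence uses at
    the upstream fence. ``restore_config`` is requested so the ``config``
    changes are rolled back by that fixture (presumably -- confirm against
    its definition); keypairs, public keys, DB session and fence_client are
    restored here.

    Fix vs. the previous version: ``app.jwt_public_keys`` was saved by
    reference and then mutated in place, so "restoring" it left the ``"/"``
    key (and ``kid_2``) trusted by later tests. It is now shallow-copied.
    The client_secret below is a dummy test value, not a real credential.
    """
    import copy

    saved_keypairs = app.keypairs
    # Shallow copy: the "/" entry is added in place below, so keeping only a
    # reference would restore an already-mutated mapping.
    saved_jwtpks = copy.copy(app.jwt_public_keys)
    saved_db_Session = app.db.Session
    had_fence_client = hasattr(app, "fence_client")
    saved_fence_client = getattr(app, "fence_client", None)

    keypair = Keypair(kid=kid_2, public_key=rsa_public_key_2, private_key=rsa_private_key_2)
    app.keypairs = [keypair]
    app.jwt_public_keys["/"] = OrderedDict([(kid_2, rsa_public_key_2)])
    app.db.Session = lambda: db_session

    upstream_fence = {
        "client_id": "other_fence_client_id",
        "client_secret": "other_fence_client_secret",
        "api_base_url": "http://other-fence",
        "authorize_url": "http://other-fence/oauth2/authorize",
    }
    config.update({
        "BASE_URL": "/",
        "MOCK_AUTH": False,
        "DEFAULT_LOGIN_IDP": "fence",
        "LOGIN_OPTIONS": [{
            "name": "InCommon login",
            "idp": "fence",
            "fence_idp": "shibboleth",
            "shib_idps": ["some-incommon-entity-id"],
        }],
        "OPENID_CONNECT": {"fence": upstream_fence},
    })
    app.fence_client = OAuthClient(**config["OPENID_CONNECT"]["fence"])

    try:
        yield Dict(
            client_id=config["OPENID_CONNECT"]["fence"]["client_id"],
            client_secret=config["OPENID_CONNECT"]["fence"]["client_secret"],
        )
    finally:
        app.keypairs = saved_keypairs
        app.jwt_public_keys = saved_jwtpks
        app.db.Session = saved_db_Session
        if had_fence_client:
            app.fence_client = saved_fence_client
        else:
            del app.fence_client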
def _setup_oidc_clients(app):
    """
    Create one client per provider named in ``config["OPENID_CONNECT"]`` and
    attach it to ``app`` as ``google_client``, ``orcid_client``,
    ``ras_client``, ``synapse_client``, ``microsoft_client``,
    ``cognito_client`` or ``fence_client``.

    No provider is gated on an "enabled IDPs" list in this version: being
    present under OPENID_CONNECT is enough. The "fence" settings mapping is
    forwarded verbatim as ``OAuthClient`` keyword arguments.
    """
    oidc = config.get("OPENID_CONNECT", {})
    proxy = config.get("HTTP_PROXY")

    # (config key, app attribute, client class), instantiated in this order;
    # every class takes (settings, HTTP_PROXY=..., logger=...).
    provider_clients = (
        ("google", "google_client", GoogleClient),
        ("orcid", "orcid_client", ORCIDClient),
        ("ras", "ras_client", RASClient),
        ("synapse", "synapse_client", SynapseClient),
        ("microsoft", "microsoft_client", MicrosoftClient),
        ("cognito", "cognito_client", CognitoClient),
    )
    for key, attr, client_cls in provider_clients:
        if key not in oidc:
            continue
        setattr(app, attr, client_cls(oidc[key], HTTP_PROXY=proxy, logger=logger))

    # Multi-tenant fence: settings are constructor kwargs, unvalidated here.
    if "fence" in oidc:
        app.fence_client = OAuthClient(**oidc["fence"])
def _setup_oidc_clients(app):
    """
    Create the OIDC clients named in ``config["OPENID_CONNECT"]`` and hang
    them off ``app`` (``google_client``, ``orcid_client``, ``synapse_client``,
    ``microsoft_client``, ``fence_client``).

    Only the multi-tenant "fence" client is additionally gated on
    ``ENABLED_IDENTITY_PROVIDERS["providers"]``; that key must exist or a
    ``KeyError`` propagates before any client is built.
    """
    enabled_idp_ids = list(config["ENABLED_IDENTITY_PROVIDERS"]["providers"].keys())
    oidc = config.get("OPENID_CONNECT", {})
    proxy = config.get("HTTP_PROXY")

    def build(client_cls, key):
        # Every dedicated client takes (settings, HTTP_PROXY=..., logger=...).
        return client_cls(oidc[key], HTTP_PROXY=proxy, logger=logger)

    if "google" in oidc:
        app.google_client = build(GoogleClient, "google")
    if "orcid" in oidc:
        app.orcid_client = build(ORCIDClient, "orcid")
    if "synapse" in oidc:
        app.synapse_client = build(SynapseClient, "synapse")
    if "microsoft" in oidc:
        app.microsoft_client = build(MicrosoftClient, "microsoft")

    # Multi-tenant fence: settings mapping forwarded verbatim as kwargs, and
    # only when "fence" is an enabled identity provider.
    if "fence" in oidc and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**oidc["fence"])
def fence_client_app(
    app,
    fence_oauth_client,
    fence_oauth_client_url,
    db_session,
    kid_2,
    rsa_private_key_2,
    rsa_public_key_2,
):
    """
    Pytest fixture: a second Flask app configured as an OAuth client of
    ``app`` (the multi-tenant "client fence"), using ``fence_oauth_client``'s
    credentials and pointing at an upstream fence on localhost:50000.

    The client app signs with ``kid_2`` and trusts only that key under base
    URL "/". ``MOCK_AUTH`` is switched off so the real login flow is
    exercised. Plain-http URLs are test-only values.
    """
    tests_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    client_app = flask.Flask("client_app")
    app_init(client_app, test_settings, root_dir=tests_root)

    # Signing key for the client fence, and the matching public key it trusts.
    client_app.keypairs = [
        Keypair(kid=kid_2, public_key=rsa_public_key_2, private_key=rsa_private_key_2)
    ]
    client_app.jwt_public_keys["/"] = OrderedDict([(kid_2, rsa_public_key_2)])
    client_app.db.Session = lambda: db_session

    upstream = "http://localhost:50000"
    fence_oidc = {
        "client_id": fence_oauth_client.client_id,
        "client_secret": fence_oauth_client.client_secret,
        "api_base_url": upstream,
        "authorize_url": upstream + "/oauth2/authorize",
        "access_token_url": upstream + "/oauth2/token",
        "refresh_token_url": upstream + "/oauth2/token",
        "client_kwargs": {
            "scope": "openid user",
            "redirect_uri": fence_oauth_client_url,
        },
    }
    client_app.config.update(
        BASE_URL="/",
        MOCK_AUTH=False,
        DEFAULT_LOGIN_URL="/login/fence",
        OPENID_CONNECT={"fence": fence_oidc},
    )
    client_app.fence_client = OAuthClient(**fence_oidc)
    return client_app
def fence_client_app(app, fence_oauth_client, fence_oauth_client_url, db_session):
    """
    Pytest fixture: a second Flask app acting as an OAuth client of ``app``
    in a multi-tenant setup.

    It serves its own ``/oauth2`` and ``/login`` blueprints, moves the
    trusted public keys from the original BASE_URL to "/", disables
    ``MOCK_AUTH``, and registers an upstream "fence" OIDC client built from
    ``fence_oauth_client``'s credentials. Plain-http localhost URLs are
    test-only values.
    """
    tests_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    client_app = flask.Flask('client_app')
    app_init(client_app, test_settings, root_dir=tests_root)

    # The client fence exposes its own oauth2 and login endpoints.
    for blueprint, prefix in (
        (fence.blueprints.oauth2.blueprint, '/oauth2'),
        (fence.blueprints.login.blueprint, '/login'),
    ):
        client_app.register_blueprint(blueprint, url_prefix=prefix)

    # Re-key the trusted public keys under "/" before BASE_URL is switched.
    previous_base_url = client_app.config['BASE_URL']
    client_app.jwt_public_keys['/'] = client_app.jwt_public_keys.pop(previous_base_url)
    client_app.db.Session = lambda: db_session

    upstream = 'http://localhost:50000'
    fence_oidc = {
        'client_id': fence_oauth_client.client_id,
        'client_secret': fence_oauth_client.client_secret,
        'api_base_url': upstream,
        'authorize_url': upstream + '/oauth2/authorize',
        'access_token_url': upstream + '/oauth2/token',
        'refresh_token_url': upstream + '/oauth2/token',
        'client_kwargs': {
            'scope': 'openid user',
            'redirect_uri': fence_oauth_client_url,
        },
    }
    client_app.config.update({
        'BASE_URL': '/',
        'MOCK_AUTH': False,
        'DEFAULT_LOGIN_URL': '/login/fence',
        'DEFAULT_LOGIN_URL_REDIRECT_PARAM': 'redirect_uri',
        'OPENID_CONNECT': {'fence': fence_oidc},
    })
    client_app.fence_client = OAuthClient(**fence_oidc)
    return client_app
def app_sessions(app):
    """
    Attach database, storage, CSRF helper, session handling and OIDC
    clients to ``app``.

    Both the Google and the multi-tenant "fence" client require the
    provider to appear in ``app.config["OPENID_CONNECT"]`` *and* in
    ``fence.settings.ENABLED_IDENTITY_PROVIDERS["providers"]``; the latter
    must exist or KeyError propagates.
    """
    app.url_map.strict_slashes = False

    # Database driver, migrations and the request-scoped SQLAlchemy session
    # (flask_scoped_session is called for its effect on ``app``; the returned
    # object is not used).
    app.db = SQLAlchemyDriver(app.config['DB'])
    migrate(app.db)
    flask_scoped_session(app.db.Session, app)

    app.jinja_env.globals['csrf_token'] = generate_csrf_token
    app.storage_manager = StorageManager(
        app.config['STORAGE_CREDENTIALS'], logger=app.logger
    )

    enabled_idp_ids = fence.settings.ENABLED_IDENTITY_PROVIDERS['providers'].keys()
    oidc = app.config['OPENID_CONNECT'] if 'OPENID_CONNECT' in app.config else {}

    def wanted(idp):
        # A provider needs OIDC client settings and an enabled-IDP entry.
        return idp in oidc and idp in enabled_idp_ids

    if wanted('google'):
        app.google_client = GoogleClient(
            oidc['google'],
            HTTP_PROXY=app.config.get('HTTP_PROXY'),
            logger=app.logger,
        )

    # Multi-tenant fence: settings mapping forwarded verbatim as kwargs.
    if wanted('fence'):
        app.fence_client = OAuthClient(**oidc['fence'])

    app.session_interface = UserSessionInterface()
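def _setup_oidc_clients(app):
    """
    Instantiate one OAuth2/OIDC client per entry in ``config["OPENID_CONNECT"]``
    and attach it to ``app`` as ``<idp>_client``.

    Config keys are normalised (lowercased, spaces removed) before anything
    else, and that normalised form is used consistently: it must be unique,
    it selects the client class, and it names the attribute set on ``app``.
    Previously the uniqueness check normalised but the dispatch compared the
    raw key, so e.g. a ``"Google"`` or ``"fence "`` entry silently fell into
    the generic branch yet was still stored as ``app.google_client`` /
    ``app.fence_client`` -- a different client type than the dedicated one.

    Known providers get their dedicated client class; anything else gets
    ``Oauth2ClientBase``. The "fence" entry (multi-tenant fence) is passed
    verbatim as keyword arguments to ``OAuthClient``.

    Args:
        app: Flask application to attach the clients to.

    Raises:
        ValueError: two keys collapse to the same normalised name, or a key
            normalises to the empty string (it would otherwise be attached
            as ``app._client``).
    """
    configured_idps = config.get("OPENID_CONNECT", {})
    proxy = config.get("HTTP_PROXY")

    normalised = {idp: idp.lower().replace(" ", "") for idp in configured_idps}
    clean_idps = list(normalised.values())
    if len(clean_idps) != len(set(clean_idps)):
        raise ValueError(
            f"Some IDPs configured in OPENID_CONNECT are not unique once they are lowercased and spaces are removed: {clean_idps}"
        )
    blank = [idp for idp, clean in normalised.items() if not clean]
    if blank:
        raise ValueError(
            f"IDP names configured in OPENID_CONNECT must not be blank: {blank!r}"
        )

    # Dedicated client classes keyed by normalised config key; each takes
    # (settings, HTTP_PROXY=..., logger=...).
    dedicated_clients = {
        "google": GoogleOauth2Client,
        "orcid": OrcidOauth2Client,
        "ras": RASOauth2Client,
        "synapse": SynapseOauth2Client,
        "microsoft": MicrosoftOauth2Client,
        "okta": OktaOauth2Client,
        "cognito": CognitoOauth2Client,
        "cilogon": CilogonOauth2Client,
    }

    for idp, clean_idp in normalised.items():
        logger.info(f"Setting up OIDC client for {idp}")
        settings = configured_idps[idp]

        if clean_idp == "fence":
            # Multi-tenant fence: settings (client_id, client_secret, URLs)
            # are constructor kwargs, passed verbatim; nothing is validated here.
            app.fence_client = OAuthClient(**settings)
            continue

        client_cls = dedicated_clients.get(clean_idp)
        if client_cls is not None:
            client = client_cls(settings, HTTP_PROXY=proxy, logger=logger)
        else:
            # Generic OIDC provider; display name falls back to the config key.
            client = Oauth2ClientBase(
                settings=settings,
                logger=logger,
                HTTP_PROXY=proxy,
                idp=settings.get("name") or idp.title(),
            )
        # Attribute name derives from deployment config, never request data,
        # and always carries the "_client" suffix.
        setattr(app, f"{clean_idp}_client", client)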