def app_sessions(app):
    """
    Attach the database, storage, session and identity-provider clients to ``app``.

    Reads ``DB``, ``STORAGE_CREDENTIALS`` and ``ENABLED_IDENTITY_PROVIDERS``
    (required) plus ``OPENID_CONNECT``, ``HTTP_PROXY`` and ``ARBORIST``
    (optional) from ``app.config`` and sets the matching attributes on ``app``.

    Args:
        app: the Flask application being initialized (mutated in place)
    """
    app.url_map.strict_slashes = False

    # Database driver, schema migration, then a request-scoped session.
    app.db = SQLAlchemyDriver(app.config["DB"])
    migrate(app.db)
    session = flask_scoped_session(app.db.Session, app)  # noqa

    app.storage_manager = StorageManager(
        app.config["STORAGE_CREDENTIALS"], logger=app.logger
    )

    oidc_settings = app.config.get("OPENID_CONNECT", {})
    enabled_idp_ids = app.config["ENABLED_IDENTITY_PROVIDERS"]["providers"].keys()

    # Google only needs its OPENID_CONNECT block; that block carries the
    # client credentials and is handed to the client as-is.
    if "google" in oidc_settings:
        app.google_client = GoogleClient(
            oidc_settings["google"],
            HTTP_PROXY=app.config.get("HTTP_PROXY"),
            logger=app.logger,
        )

    # The multi-tenant fence client is created only when "fence" is both
    # configured under OPENID_CONNECT and listed as an enabled provider.
    if "fence" in oidc_settings and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**oidc_settings["fence"])

    app.session_interface = UserSessionInterface()

    if app.config.get("ARBORIST"):
        app.arborist = ArboristClient(arborist_base_url=app.config["ARBORIST"])
def _setup_oidc_clients(app):
    """
    Instantiate the OIDC/OAuth2 clients named in ``config["OPENID_CONNECT"]``.

    Each configured provider becomes an attribute on ``app``
    (``app.google_client``, ``app.orcid_client``, ...). The multi-tenant
    ``fence`` client is additionally gated on "fence" being an enabled login
    option (taken from ``LOGIN_OPTIONS``, else ``ENABLED_IDENTITY_PROVIDERS``).

    Args:
        app: Flask application to attach the clients to (mutated in place)
    """
    login_options = config["LOGIN_OPTIONS"]
    if login_options:
        enabled_idp_ids = [option["idp"] for option in login_options]
    else:
        # fall back on "providers"
        providers = config.get("ENABLED_IDENTITY_PROVIDERS", {}).get("providers", {})
        enabled_idp_ids = list(providers.keys())

    oidc = config.get("OPENID_CONNECT", {})

    # (config key, attribute on app, client class). Every client receives the
    # provider's settings block -- which holds its client credentials -- the
    # optional HTTP proxy and the module logger.
    provider_clients = (
        ("google", "google_client", GoogleClient),
        ("orcid", "orcid_client", ORCIDClient),
        ("ras", "ras_client", RASClient),
        ("synapse", "synapse_client", SynapseClient),
        ("microsoft", "microsoft_client", MicrosoftClient),
        ("cognito", "cognito_client", CognitoClient),
    )
    for key, attr_name, client_cls in provider_clients:
        if key not in oidc:
            continue
        client = client_cls(
            oidc[key],
            HTTP_PROXY=config.get("HTTP_PROXY"),
            logger=logger,
        )
        setattr(app, attr_name, client)

    # Multi-tenant fence: must be configured AND enabled as a login option.
    if "fence" in oidc and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**oidc["fence"])
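def config_idp_in_client(app, db_session, kid_2, rsa_private_key_2,
                         rsa_public_key_2, restore_config):
    """
    Set info about this fence's (client fence's) IDP in config.
    Reset when done.

    Generator fixture: swaps ``app.keypairs``, ``app.jwt_public_keys`` and
    ``app.db.Session`` for test values, points ``config`` at a stand-in
    upstream "fence" IDP (the client id/secret below are test placeholders,
    not real credentials), yields those credentials, and restores the ``app``
    attributes afterwards. ``config`` itself is reset by ``restore_config``.

    Args:
        app: the fence Flask application under test
        db_session: session that every ``app.db.Session()`` call should return
        kid_2: key id of the second RSA keypair
        rsa_private_key_2: private half of that keypair
        rsa_public_key_2: public half of that keypair
        restore_config: fixture that resets ``config`` after the test

    Yields:
        Dict with the ``client_id`` and ``client_secret`` of the upstream fence client
    """
    saved_keypairs = app.keypairs
    # Copy, don't alias: the original kept a reference to the same dict and
    # then assigned "/" into it, so restoring the reference was a no-op.
    saved_jwtpks = app.jwt_public_keys.copy()
    saved_db_Session = app.db.Session

    # try/finally so a failure while setting up still puts ``app`` back.
    try:
        keypair = Keypair(kid=kid_2,
                          public_key=rsa_public_key_2,
                          private_key=rsa_private_key_2)
        app.keypairs = [keypair]
        app.jwt_public_keys["/"] = OrderedDict([(kid_2, rsa_public_key_2)])
        app.db.Session = lambda: db_session

        config.update({
            "BASE_URL":
            "/",
            "MOCK_AUTH":
            False,
            "DEFAULT_LOGIN_IDP":
            "fence",
            "LOGIN_OPTIONS": [{
                "name": "InCommon login",
                "idp": "fence",
                "fence_idp": "shibboleth",
                "shib_idps": ["some-incommon-entity-id"],
            }],
            "OPENID_CONNECT": {
                "fence": {
                    "client_id": "other_fence_client_id",
                    "client_secret": "other_fence_client_secret",
                    "api_base_url": "http://other-fence",
                    "authorize_url": "http://other-fence/oauth2/authorize",
                }
            },
        })
        app.fence_client = OAuthClient(**config["OPENID_CONNECT"]["fence"])

        yield Dict(
            client_id=config["OPENID_CONNECT"]["fence"]["client_id"],
            client_secret=config["OPENID_CONNECT"]["fence"]["client_secret"],
        )
    finally:
        app.keypairs = saved_keypairs
        app.jwt_public_keys = saved_jwtpks
        app.db.Session = saved_db_Session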
def _setup_oidc_clients(app):
    """
    Create one client per provider present in ``config["OPENID_CONNECT"]``.

    Dedicated providers (google, orcid, ras, synapse, microsoft, cognito) get
    their own client class stored as ``app.<name>_client``; a configured
    "fence" block yields ``app.fence_client`` built from its settings.

    Args:
        app: Flask application to attach the clients to (mutated in place)
    """
    oidc = config.get("OPENID_CONNECT", {})

    def _build(client_cls, settings):
        # Settings blocks carry the provider's client credentials; they go
        # straight to the client constructor and nowhere else.
        return client_cls(
            settings,
            HTTP_PROXY=config.get("HTTP_PROXY"),
            logger=logger,
        )

    if "google" in oidc:
        app.google_client = _build(GoogleClient, oidc["google"])

    if "orcid" in oidc:
        app.orcid_client = _build(ORCIDClient, oidc["orcid"])

    if "ras" in oidc:
        app.ras_client = _build(RASClient, oidc["ras"])

    if "synapse" in oidc:
        app.synapse_client = _build(SynapseClient, oidc["synapse"])

    if "microsoft" in oidc:
        app.microsoft_client = _build(MicrosoftClient, oidc["microsoft"])

    if "cognito" in oidc:
        app.cognito_client = _build(CognitoClient, oidc["cognito"])

    # Multi-tenant fence: a plain OAuth client configured from its block.
    if "fence" in oidc:
        app.fence_client = OAuthClient(**oidc["fence"])
def _setup_oidc_clients(app):
    """
    Create the OIDC clients (google, orcid, synapse, microsoft, fence) that
    ``config["OPENID_CONNECT"]`` configures and attach them to ``app``.

    The multi-tenant ``fence`` client is only built when "fence" is also
    listed under ``ENABLED_IDENTITY_PROVIDERS["providers"]``.

    Args:
        app: Flask application to attach the clients to (mutated in place)
    """
    enabled_idp_ids = list(
        config["ENABLED_IDENTITY_PROVIDERS"]["providers"].keys())
    oidc = config.get("OPENID_CONNECT", {})

    def _is_configured(name):
        return "OPENID_CONNECT" in config and name in config["OPENID_CONNECT"]

    def _build(client_cls, settings):
        return client_cls(
            settings,
            HTTP_PROXY=config.get("HTTP_PROXY"),
            logger=logger,
        )

    if _is_configured("google"):
        app.google_client = _build(GoogleClient, config["OPENID_CONNECT"]["google"])

    if _is_configured("orcid"):
        app.orcid_client = _build(ORCIDClient, config["OPENID_CONNECT"]["orcid"])

    if "synapse" in oidc:
        app.synapse_client = _build(SynapseClient, oidc["synapse"])

    if _is_configured("microsoft"):
        app.microsoft_client = _build(
            MicrosoftClient, config["OPENID_CONNECT"]["microsoft"]
        )

    # Multi-tenant fence: configured AND enabled as an identity provider.
    if _is_configured("fence") and "fence" in enabled_idp_ids:
        app.fence_client = OAuthClient(**config["OPENID_CONNECT"]["fence"])
def fence_client_app(
    app,
    fence_oauth_client,
    fence_oauth_client_url,
    db_session,
    kid_2,
    rsa_private_key_2,
    rsa_public_key_2,
):
    """
    A Flask application fixture which acts as a client of the original ``app``
    in a multi-tenant configuration.

    The client app gets its own signing keypair (``kid_2``), serves at ``/``,
    runs with ``MOCK_AUTH`` off so the real login path is exercised, shares
    ``db_session`` and is pointed at ``app`` (localhost:50000) as its upstream
    "fence" OIDC provider using ``fence_oauth_client``'s credentials.

    Args:
        app: upstream fence application (fixture dependency, not used directly)
        fence_oauth_client: registered OAuth client whose id/secret are used
        fence_oauth_client_url: redirect URI registered for that client
        db_session: session returned by every ``client_app.db.Session()`` call
        kid_2: key id of the client app's keypair
        rsa_private_key_2: private half of that keypair
        rsa_public_key_2: public half of that keypair

    Returns:
        the configured client Flask application
    """
    tests_dir = os.path.dirname(os.path.realpath(__file__))
    root_dir = os.path.dirname(tests_dir)

    client_app = flask.Flask("client_app")
    app_init(client_app, test_settings, root_dir=root_dir)

    # Own signing key and matching public key published under "/".
    client_app.keypairs = [
        Keypair(kid=kid_2,
                public_key=rsa_public_key_2,
                private_key=rsa_private_key_2)
    ]
    client_app.jwt_public_keys["/"] = OrderedDict([(kid_2, rsa_public_key_2)])

    client_app.config["BASE_URL"] = "/"
    client_app.config["MOCK_AUTH"] = False
    client_app.config["DEFAULT_LOGIN_URL"] = "/login/fence"
    client_app.db.Session = lambda: db_session

    upstream = "http://localhost:50000"
    fence_oidc = {
        "client_id": fence_oauth_client.client_id,
        "client_secret": fence_oauth_client.client_secret,
        "api_base_url": upstream,
        "authorize_url": upstream + "/oauth2/authorize",
        "access_token_url": upstream + "/oauth2/token",
        "refresh_token_url": upstream + "/oauth2/token",
        "client_kwargs": {
            "scope": "openid user",
            "redirect_uri": fence_oauth_client_url,
        },
    }
    client_app.config["OPENID_CONNECT"] = {"fence": fence_oidc}
    client_app.fence_client = OAuthClient(**fence_oidc)
    return client_app
def fence_client_app(
        app, fence_oauth_client, fence_oauth_client_url, db_session):
    """
    A Flask application fixture which acts as a client of the original ``app``
    in a multi-tenant configuration.

    Registers the oauth2 and login blueprints, re-keys the app's published
    JWT public keys from the configured ``BASE_URL`` to ``/``, disables
    ``MOCK_AUTH`` so the real login path runs, shares ``db_session`` and
    points the app at ``app`` (localhost:50000) as its upstream "fence"
    OIDC provider using ``fence_oauth_client``'s credentials.

    Args:
        app: upstream fence application (fixture dependency, not used directly)
        fence_oauth_client: registered OAuth client whose id/secret are used
        fence_oauth_client_url: redirect URI registered for that client
        db_session: session returned by every ``client_app.db.Session()`` call

    Returns:
        the configured client Flask application
    """
    tests_dir = os.path.dirname(os.path.realpath(__file__))
    root_dir = os.path.dirname(tests_dir)

    client_app = flask.Flask("client_app")
    app_init(client_app, test_settings, root_dir=root_dir)

    for blueprint, prefix in (
        (fence.blueprints.oauth2.blueprint, "/oauth2"),
        (fence.blueprints.login.blueprint, "/login"),
    ):
        client_app.register_blueprint(blueprint, url_prefix=prefix)

    # Public keys were published under the init-time BASE_URL; move them to "/".
    old_base_url = client_app.config["BASE_URL"]
    client_app.jwt_public_keys["/"] = client_app.jwt_public_keys.pop(old_base_url)

    client_app.config["BASE_URL"] = "/"
    client_app.config["MOCK_AUTH"] = False
    client_app.config["DEFAULT_LOGIN_URL"] = "/login/fence"
    client_app.config["DEFAULT_LOGIN_URL_REDIRECT_PARAM"] = "redirect_uri"
    client_app.db.Session = lambda: db_session

    upstream = "http://localhost:50000"
    fence_oidc = {
        "client_id": fence_oauth_client.client_id,
        "client_secret": fence_oauth_client.client_secret,
        "api_base_url": upstream,
        "authorize_url": upstream + "/oauth2/authorize",
        "access_token_url": upstream + "/oauth2/token",
        "refresh_token_url": upstream + "/oauth2/token",
        "client_kwargs": {
            "scope": "openid user",
            "redirect_uri": fence_oauth_client_url,
        }
    }
    client_app.config["OPENID_CONNECT"] = {"fence": fence_oidc}
    client_app.fence_client = OAuthClient(**fence_oidc)
    return client_app
def app_sessions(app):
    """
    Wire database, CSRF helper, storage, OIDC clients and the session
    interface into ``app``.

    Identity providers come from ``fence.settings.ENABLED_IDENTITY_PROVIDERS``;
    a client is created only for a provider that is both enabled there and
    configured under ``app.config["OPENID_CONNECT"]``.

    Args:
        app: the Flask application being initialized (mutated in place)
    """
    app.url_map.strict_slashes = False

    # Database driver, schema migration, then a request-scoped session.
    app.db = SQLAlchemyDriver(app.config["DB"])
    migrate(app.db)
    session = flask_scoped_session(app.db.Session, app)  # noqa

    # Expose the CSRF token generator to templates so forms can embed a token.
    app.jinja_env.globals["csrf_token"] = generate_csrf_token

    app.storage_manager = StorageManager(
        app.config["STORAGE_CREDENTIALS"],
        logger=app.logger
    )

    enabled_idp_ids = fence.settings.ENABLED_IDENTITY_PROVIDERS["providers"].keys()
    oidc_settings = app.config.get("OPENID_CONNECT", {})

    def _enabled_and_configured(name):
        return name in oidc_settings and name in enabled_idp_ids

    # Google: its settings block (including client credentials) is passed
    # straight to the client.
    if _enabled_and_configured("google"):
        app.google_client = GoogleClient(
            oidc_settings["google"],
            HTTP_PROXY=app.config.get("HTTP_PROXY"),
            logger=app.logger
        )

    # Multi-tenant fence.
    if _enabled_and_configured("fence"):
        app.fence_client = OAuthClient(**oidc_settings["fence"])

    app.session_interface = UserSessionInterface()
def _setup_oidc_clients(app):
    """
    Build one OAuth2/OIDC client per provider listed in ``config["OPENID_CONNECT"]``.

    Known provider ids map to dedicated client classes under fixed attribute
    names (``app.google_client``, ...); "fence" becomes a plain
    ``OAuthClient``; any other id is treated as a generic OIDC provider and
    stored as ``app.<cleaned id>_client``. Ids must stay distinct once
    lowercased with spaces removed, otherwise one generic client would
    silently overwrite another's attribute.

    Args:
        app: Flask application to attach the clients to (mutated in place)

    Raises:
        ValueError: if two provider ids collapse to the same cleaned name
    """
    configured_idps = config.get("OPENID_CONNECT", {})

    def _clean(idp_id):
        return idp_id.lower().replace(" ", "")

    clean_idps = [_clean(idp) for idp in configured_idps]
    if len(clean_idps) != len(set(clean_idps)):
        raise ValueError(
            f"Some IDPs configured in OPENID_CONNECT are not unique once they are lowercased and spaces are removed: {clean_idps}"
        )

    # provider id -> (attribute on app, client class) for the dedicated
    # clients; each of these takes (settings, HTTP_PROXY=..., logger=...).
    dedicated_clients = {
        "google": ("google_client", GoogleOauth2Client),
        "orcid": ("orcid_client", OrcidOauth2Client),
        "ras": ("ras_client", RASOauth2Client),
        "synapse": ("synapse_client", SynapseOauth2Client),
        "microsoft": ("microsoft_client", MicrosoftOauth2Client),
        "okta": ("okta_client", OktaOauth2Client),
        "cognito": ("cognito_client", CognitoOauth2Client),
        "cilogon": ("cilogon_client", CilogonOauth2Client),
    }

    for idp in set(configured_idps.keys()):
        # Only the provider id goes to the log; ``settings`` holds the
        # provider's client credentials and is never logged.
        logger.info(f"Setting up OIDC client for {idp}")
        settings = configured_idps[idp]

        if idp == "fence":
            app.fence_client = OAuthClient(**settings)
        elif idp in dedicated_clients:
            attr_name, client_cls = dedicated_clients[idp]
            client = client_cls(
                settings,
                HTTP_PROXY=config.get("HTTP_PROXY"),
                logger=logger,
            )
            setattr(app, attr_name, client)
        else:  # generic OIDC implementation
            client = Oauth2ClientBase(
                settings=settings,
                logger=logger,
                HTTP_PROXY=config.get("HTTP_PROXY"),
                idp=settings.get("name") or idp.title(),
            )
            setattr(app, f"{_clean(idp)}_client", client)