def get_user_info(): user_info = {} set_current_token(validate_request(aud={"user"})) user_id = current_token["sub"] username = current_token["context"]["user"]["name"] if user_id is not None: user_info = {"user_id": str(user_id), "username": username} return user_info
def _get_user_info(): """ Attempt to parse the request for token to authenticate the user. fallback to populated information about an anonymous user. """ try: set_current_token(validate_request(aud={"user"})) user_id = str(current_token["sub"]) username = current_token["context"]["user"]["name"] except JWTError: # this is fine b/c it might be public data, sign with anonymous username/id user_id = ANONYMOUS_USER_ID username = ANONYMOUS_USERNAME return {"user_id": user_id, "username": username}
def _generate_google_storage_signed_url(self, http_verb, resource_path, expiration_time): set_current_token(validate_request(aud={"user"})) user_id = current_token["sub"] proxy_group_id = get_or_create_proxy_group_id() username = current_token.get("context", {}).get("user", {}).get("name") private_key, key_db_entry = get_or_create_primary_service_account_key( user_id=user_id, username=username, proxy_group_id=proxy_group_id) # Make sure the service account key expiration is later # than the expiration for the signed url. If it's not, we need to # provision a new service account key. # # NOTE: This should occur very rarely: only when the service account key # already exists and is very close to expiring. # # If our scheduled maintainence script removes the url-signing key # before the expiration of the url then the url will NOT work # (even though the url itself isn't expired) if key_db_entry and key_db_entry.expires < expiration_time: private_key = create_primary_service_account_key( user_id=user_id, username=username, proxy_group_id=proxy_group_id) final_url = cirrus.google_cloud.utils.get_signed_url( resource_path, http_verb, expiration_time, extension_headers=None, content_type="", md5_value="", service_account_creds=private_key, ) return final_url
def get(self): """ Link a user's Google account after AuthN. This is Google's callback that occurs after oauth2 flow and does the actual linkage/creation in our db. This will redirect with `error` and `error_description` query params if any issues arise. Raises: UserError: No redirect provided """ provided_redirect = flask.session.get("redirect") code = flask.request.args.get("code") if not config.get("MOCK_GOOGLE_AUTH", False): google_response = flask.current_app.google_client.get_user_id(code) email = google_response.get("email") else: # if we're mocking google auth, mock response to include the email # from the provided access token try: token = validate_request(scope={"user"}, audience=config.get("BASE_URL")) email = get_user_from_claims(token).username except Exception as exc: logger.info( "Unable to parse Google email from token, using default mock value. " "Error: {}".format(exc)) email = flask.request.cookies.get( config.get("DEV_LOGIN_COOKIE_NAME"), "*****@*****.**") error = "" error_description = "" # get info from session and then clear it user_id = flask.session.get("user_id") proxy_group = flask.session.get("google_proxy_group_id") expires_in = flask.session.get("google_link_expires_in") _clear_google_link_info_from_session() if not email: error = "g_acnt_auth_failure" error_description = google_response else: error, error_description = get_errors_update_user_google_account_dry_run( user_id, email, proxy_group, _already_authed=True) if not error: exp = _force_update_user_google_account( user_id, email, proxy_group, _allow_new=True, requested_expires_in=expires_in, ) # TODO: perhaps this is problematic?? # keep linked email in session so when session refreshes access # token, we don't have to hit db to see if user has linked acnt # NOTE: This only saves us from a db hit if they maintain their # session flask.session["linked_google_email"] = email # if we have a redirect, follow it and add any errors if provided_redirect: if error: redirect_with_params = append_query_params( provided_redirect, error=error, error_description=error_description) else: redirect_with_params = append_query_params(provided_redirect, linked_email=email, exp=exp) return flask.redirect(redirect_with_params) else: # we don't have a redirect, so the endpoint was probably hit # without the actual auth flow. Raise with error info if error: raise UserError({error: error_description}) else: raise UserError({"error": "No redirect provided."})