RAS Authentication Updates

.github/workflows/main.yml

@@ -44,7 +44,7 @@ jobs:
           node-version: ${{ matrix.node_version }}
           check-latest: false
 
-      - name: Install/Link Postgres
+      - name: Install/Link Postgres and Redis
         if: ${{ matrix.test_type == 'NPM' || matrix.test_type == 'UNIT' }}
         run: |
           sudo apt-get install curl ca-certificates gnupg
@@ -54,6 +54,9 @@ jobs:
           sudo apt-get install postgresql-14 postgresql-client-14
           echo "/usr/lib/postgresql/14/bin" >> $GITHUB_PATH
           sudo ln -s /usr/lib/postgresql/14/bin/initdb /usr/local/bin/initdb
+          sudo apt install redis-server
+          sudo ln -s /usr/bin/redis-server /usr/local/bin/redis-server
+          sudo ln -s /usr/bin/redis-cli /usr/local/bin/redis-cli
       - name: Install Deps
         if: ${{ matrix.test_type == 'NPM' || matrix.test_type == 'UNIT' }}
         run: |

.gitignore

@@ -1,6 +1,7 @@
 .coverage
 coverage.xml
 beanstalk.cfg
+dump.rdb
 /coverage
 /.installed.cfg
 /.mr.developer.cfg

CHANGELOG.rst

@@ -6,6 +6,14 @@ fourfront
 Change Log
 ----------
 
+9.0.0
+=====
+
+* RAS integration branch (ras_integration)
+* 2024-10-29: merged in master branch (and ran poetry updte).
+* 2024-12-03: merged in master branch.
+
+
 8.4.5
 =====
 

Makefile

@@ -111,8 +111,9 @@ kibana-stop:
 
 kill:  # kills back-end processes associated with the application. Use with care.
 	pkill -f postgres &
-	pkill -f elasticsearch &
+	pkill -f opensearch &
 	pkill -f moto_server &
+	pkill -f redis-server &
 
 clean-python:
 	@echo -n "Are you sure? This will wipe all libraries installed on this virtualenv [y/N] " && read ans && [ $${ans:-N} = y ]

base.ini

@@ -30,9 +30,9 @@ multiauth.policy.remoteuser.use = encoded.authentication.NamespacedAuthenticatio
 multiauth.policy.remoteuser.base = pyramid.authentication.RemoteUserAuthenticationPolicy
 
 multiauth.policy.accesskey.namespace = accesskey
-multiauth.policy.accesskey.use = encoded.authentication.NamespacedAuthenticationPolicy
-multiauth.policy.accesskey.base = encoded.authentication.BasicAuthAuthenticationPolicy
-multiauth.policy.accesskey.check = encoded.authentication.basic_auth_check
+multiauth.policy.accesskey.use = snovault.authentication.NamespacedAuthenticationPolicy
+multiauth.policy.accesskey.base = snovault.authentication.BasicAuthAuthenticationPolicy
+multiauth.policy.accesskey.check = snovault.authentication.basic_auth_check
 
 multiauth.policy.auth0.use = encoded.authentication.NamespacedAuthenticationPolicy
 multiauth.policy.auth0.namespace = auth0

deploy/docker/production/fourfront_any_alpha.ini

@@ -1,6 +1,7 @@
 [app:app]
 use = config:base.ini#app
 session.secret = %(here)s/session-secret.b64
+auth0.domain = ${AUTH0_DOMAIN}
 auth0.client = ${AUTH0_CLIENT}
 auth0.secret = ${AUTH0_SECRET}
 file_upload_bucket = ${FILE_UPLOAD_BUCKET}
@@ -31,6 +32,9 @@ elasticsearch.aws_auth = true
 production = true
 load_test_data = snovault.loadxl:load_${DATA_SET}_data
 sqlalchemy.url = postgresql://${RDS_USERNAME}:${RDS_PASSWORD}@${RDS_HOSTNAME}:${RDS_PORT}/${RDS_DB_NAME}
+redis.server = ${REDIS_SERVER}
+g.recaptcha.key = ${g.recaptcha.key}
+g.recaptcha.secret = ${g.recaptcha.secret}
 
 [composite:indexer]
 use = config:base.ini#indexer

development.ini.template

@@ -6,6 +6,7 @@
 [app:app]
 use = config:base.ini#app
 sqlalchemy.url = postgresql://postgres@localhost:5441/postgres?host=/tmp/snovault/pgdata
+redis.server = redis://localhost:6379
 blob_bucket = encoded-4dn-blobs
 metadata_bundles_bucket = metadata-bundles-fourfront-local-test
 load_test_only = true

docs/source/index.rst

@@ -54,7 +54,7 @@ Install or update dependencies::
     $ brew install libevent libmagic libxml2 libxslt openssl postgresql graphviz nginx python3
     $ brew install freetype libjpeg libtiff littlecms webp  # Required by Pillow
     $ brew cask install adoptopenjdk8
-    $ brew install opensearch node@20
+    $ brew install opensearch node@20 redis
 
 NOTES:
 

pyproject.toml

@@ -1,7 +1,7 @@
 [tool.poetry]
 # Note: Various modules refer to this system as "encoded", not "fourfront".
 name = "encoded"
-version = "8.4.5"
+version = "9.0.0"
 description = "4DN-DCIC Fourfront"
 authors = ["4DN-DCIC Team <[email protected]>"]
 license = "MIT"
@@ -151,6 +151,7 @@ pytest = "^7.2.1"
 pytest-cov = ">=2.2.1"
 pytest-instafail = ">=0.3.0"
 pytest-mock = ">=0.11.0"
+pytest-redis = "^2.0.0"
 pytest-timeout = ">=1.0.0"
 pytest-xdist = ">=1.14"
 "repoze.debug" = ">=1.0.2"

pytest.ini

@@ -1,6 +1,8 @@
 [pytest]
 timeout_func_only = true
+redis_exec = /usr/local/bin/redis-server
 addopts =
+    --basetemp=/tmp/pytest
    -p encoded.tests.datafixtures
    -p snovault.tests.serverfixtures
     --instafail

src/encoded/__init__.py

@@ -1,14 +1,19 @@
 import encoded.project_defs
+import base64
 import hashlib
 import logging
 import json  # used only in Fourfront, not CGAP
 import mimetypes
 import netaddr
 import os
 import pkg_resources
+import requests
 import sentry_sdk
 import subprocess
-
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+from dcicutils.misc_utils import PRINT
 from codeguru_profiler_agent import Profiler
 from dcicutils.ecs_utils import ECSUtils
 from dcicutils.env_utils import EnvUtils, get_mirror_env_from_context
@@ -148,6 +153,58 @@ def init_code_guru(*, group_name, region=ECSUtils.REGION):
     Profiler(profiling_group_name=group_name, region_name=region).start()
 
 
+def jwk_to_pem(jwk):
+    """Converts JSON Web Key (JWK) to PEM format.
+
+    A JSON Web Key (JWK) contains various fields depending on the key type ('kty').
+    For an RSA key ('kty': 'RSA'), it must include:
+        - 'n': Base64url encoding of the RSA modulus (often called 'n' in mathematical terms).
+        - 'e': Base64url encoding of the RSA public exponent (often called 'e' in mathematical terms).
+
+    Args:
+        jwk (dict): JSON Web Key in dictionary format.
+
+    Returns:
+        bytes: PEM encoded key.
+
+    Raises:
+        ValueError: If the 'kty' field is missing or if the key type is unsupported.
+        ValueError: If the 'n' or 'e' fields are missing in the JWK for an RSA key.
+    """
+
+    # Example usage:
+    # jwk = {
+    #     "kty": "RSA",
+    #     "n": "base64_encoded_value_of_n",
+    #     "e": "base64_encoded_value_of_e"
+    # }
+    # pem_key = jwk_to_pem(jwk)
+    # print(pem_key.decode())
+
+    #TODO Move it into snovault for possible RAS integration of CGAP or SMaHT 
+
+    if 'kty' not in jwk:
+        raise ValueError("JWK must have a 'kty' field")
+    kty = jwk['kty']
+
+    if kty == 'RSA':
+        if 'n' not in jwk or 'e' not in jwk:
+            raise ValueError("JWK RSA key must have 'n' and 'e' fields")
+
+        n = int.from_bytes(base64.urlsafe_b64decode(jwk['n'] + '=='), byteorder='big')
+        e = int.from_bytes(base64.urlsafe_b64decode(jwk['e'] + '=='), byteorder='big')
+
+        public_key = rsa.RSAPublicNumbers(e, n).public_key(default_backend())
+        pem = public_key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+        return pem
+
+    # You can add more cases for other key types (e.g., 'EC' for elliptic curve keys)
+    raise ValueError("Unsupported 'kty': {}".format(kty))
+
 def main(global_config, **local_config):
     """
     This function returns a Pyramid WSGI application.
@@ -180,20 +237,42 @@ def main(global_config, **local_config):
     settings['auth0.domain'] = settings.get('auth0.domain', os.environ.get('Auth0Domain', DEFAULT_AUTH0_DOMAIN))
     settings['auth0.client'] = settings.get('auth0.client', os.environ.get('Auth0Client'))
     settings['auth0.secret'] = settings.get('auth0.secret', os.environ.get('Auth0Secret'))
-    settings['auth0.options'] = {
-        'auth': {
-            'sso': False,
-            'redirect': False,
-            'responseType': 'token',
-            'params': {
-                'scope': 'openid email',
-                'prompt': 'select_account'
+
+    #options
+    if 'auth0' in settings['auth0.domain']: # Auth0     
+        settings['auth0.options'] = {
+            'auth': {
+                'sso': False,
+                'redirect': False,
+                'responseType': 'token',
+                'params': {
+                    'scope': 'openid email',
+                    'prompt': 'select_account'
+                }
+            },
+            'allowedConnections': ['github', 'google-oauth2'] # TODO: make at least this part configurable
+        }
+    elif 'nih.gov' in settings['auth0.domain']: # RAS    
+        # we are still keeping the Auth0 structure for compatibility (SPC)
+        settings['auth0.options'] = {
+            'auth': {
+                'responseType': 'code',
+                'params': {
+                    'scope': 'openid profile email ga4gh_passport_v1',
+                    'prompt': 'login consent'
+                }
             }
-        },
-        'allowedConnections': [  # TODO: make at least this part configurable
-            'github', 'google-oauth2'
-        ]
-    }
+        }
+        auth0Domain = settings['auth0.domain']
+         # get public key from jwks uri
+        response = requests.get(url=f'https://{auth0Domain}/openid/connect/jwks.json')
+        jwks = response.json()
+        # gives the set of jwks keys.the keys has to be passed as it is to jwt.decode() for signature verification.
+        settings['auth0.public.key'] = jwk_to_pem(jwks['keys'][0])
+    else:
+        # Unknown
+        settings['auth0.options'] = {}
+
     # ga4 api secret
     if 'IDENTITY' in os.environ:
         identity = assume_identity()
@@ -203,8 +282,8 @@ def main(global_config, **local_config):
         settings['ga4.secret'] = settings.get('ga4.secret', os.environ.get('GA4Secret'))
     # set google reCAPTCHA keys
     # TODO propagate from GAC
-    settings['g.recaptcha.key'] = os.environ.get('reCaptchaKey')
-    settings['g.recaptcha.secret'] = os.environ.get('reCaptchaSecret')
+    settings['g.recaptcha.key'] = settings.get('g.recaptcha.key', os.environ.get('reCaptchaKey'))
+    settings['g.recaptcha.secret'] = settings.get('g.recaptcha.secret', os.environ.get('reCaptchaSecret'))
     # enable invalidation scope
     settings[INVALIDATION_SCOPE_ENABLED] = True
 
@@ -223,6 +302,8 @@ def main(global_config, **local_config):
     config.include('pyramid_multiauth')  # must be before calling set_authorization_policy
     # Override default authz policy set by pyramid_multiauth
     config.set_authorization_policy(LocalRolesAuthorizationPolicy())
+
+    # This creates a session factory (from definition in Snovault/app.py)
     config.include(session)
 
     # must include, as tm.attempts was removed from pyramid_tm
@@ -253,6 +334,9 @@ def main(global_config, **local_config):
         config.include('snovault.elasticsearch')
         config.include('.search')
 
+    if 'redis.server' in config.registry.settings:
+        config.include('snovault.redis')
+
     # this contains fall back url, so make sure it comes just before static_resoruces
     config.include('.types.page')
     config.include(static_resources)