Merge pull request #599 from scitran/ldap

Add basic support for jwt LDAP auth

Merge pull request #599 from scitran/ldap
0167a40a · Megan Henning · GitHub · b61e9006 · 4356fdf1 · 0167a40a
Commit 0167a40a authored 8 years ago by Megan Henning Committed by GitHub 8 years ago
--- a/api/base.py
+++ b/api/base.py
@@ -133,7 +133,12 @@ class RequestHandler(webapp2.RequestHandler):
            self.request.logger.debug('looked up remote token in %dms', ((datetime.datetime.utcnow() - timestamp).total_seconds() * 1000.))

            # Cache the token for future requests
-            config.db.authtokens.replace_one({'_id': access_token}, {'uid': uid, 'timestamp': timestamp}, upsert=True)
+            update = {
+                'uid': uid,
+                'timestamp': timestamp,
+                'auth_type': config.get_item('auth', 'auth_type')
+            }
+            config.db.authtokens.replace_one({'_id': access_token}, update, upsert=True)

        return uid

@@ -144,7 +149,17 @@ class RequestHandler(webapp2.RequestHandler):
        Returns the user's UID.
        """

-        r = requests.get(config.get_item('auth', 'id_endpoint'), headers={'Authorization': 'Bearer ' + access_token})
+        id_endpoint = config.get_item('auth', 'id_endpoint')
+        auth_type = config.get_item('auth', 'auth_type')
+
+        # If we start supporting more than google and ldap, break into classes inherited from abstract class
+        if auth_type == 'google':
+            r = requests.get(id_endpoint, headers={'Authorization': 'Bearer ' + access_token})
+        elif auth_type == 'ldap':
+            p = {'token': access_token}
+            r = requests.post(id_endpoint, data=p)
+        else:
+            raise self.abort(401, 'Auth not configured.')

        if not r.ok:
            # Oauth authN failed; for now assume it was an invalid token. Could be more accurate in the future.
@@ -155,7 +170,8 @@ class RequestHandler(webapp2.RequestHandler):
            self.abort(401, err_msg, headers=headers)

        identity = json.loads(r.content)
-        uid = identity.get('email')
+        email_key = 'email' if auth_type == 'google' else 'mail'
+        uid = identity.get(email_key)

        if not uid:
            self.abort(400, 'OAuth2 token resolution did not return email address')
@@ -168,7 +184,7 @@ class RequestHandler(webapp2.RequestHandler):

        # Set user's auth provider avatar
        # TODO: switch on auth.provider rather than manually comparing endpoint URL.
-        if config.get_item('auth', 'id_endpoint') == 'https://www.googleapis.com/plus/v1/people/me/openIdConnect':
+        if auth_type == 'google':
            # A google-specific avatar URL is provided in the identity return.
            provider_avatar = identity.get('picture', '')


--- a/api/config.py
+++ b/api/config.py
@@ -42,6 +42,7 @@ DEFAULT_CONFIG = {
        'prefetch': False
    },
    'auth': {
+        'auth_type': 'google',
        'client_id': '1052740023071-n20pk8h5uepdua3r8971pc6jrf25lvee.apps.googleusercontent.com',
        'id_endpoint': 'https://www.googleapis.com/plus/v1/people/me/openIdConnect',
        'auth_endpoint': 'https://accounts.google.com/o/oauth2/auth',

--- a/sample.config
+++ b/sample.config
@@ -32,6 +32,7 @@
 #SCITRAN_PERSISTENT_DB_CONNECT_TIMEOUT=2000
 #SCITRAN_PERSISTENT_DB_SERVER_SELECTION_TIMEOUT=3000

+#SCITRAN_AUTH_AUTH_TYPE=""
 #SCITRAN_AUTH_AUTH_ENDPOINT=""
 #SCITRAN_AUTH_CLIENT_ID=""
 #SCITRAN_AUTH_ID_ENDPOINT=""