Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

await auth; check firestore on creation #27

Merged
merged 1 commit into from
Jan 3, 2024
Merged

Conversation

simonjmendelsohn
Copy link
Collaborator

No description provided.

@broadbot
Copy link
Collaborator

broadbot commented Jan 3, 2024

Pushed image: us-central1-docker.pkg.dev/dsp-artifact-registry/sfkit/sfkit-website:v0.0.9-9686902

@simonjmendelsohn simonjmendelsohn merged commit 123c389 into dev Jan 3, 2024
8 checks passed
@simonjmendelsohn simonjmendelsohn deleted the small-auth-fix branch January 3, 2024 15:32
simonjmendelsohn added a commit that referenced this pull request Feb 15, 2024
* first commit for backend-only flask api

* Switch to Quart, use async/await

* add signaling server

* uuid for study_id

* minor updates

* try updating cloudbuild and other files to fix dev deployment

* add missing awaits

* set url for usage in dev in sfkit cli

* Split runtime and dev dependencies

* Add Dockerfile with a dummy test

* Add GitHub workflow to build the image with Dockerfile

* Fix Docker tag/label handling in GitHub workflow

* Fix pr event tag

* Set GitHub workflow trigger paths

* Fix Docker repo name using GitHub repo name

* Add missing *.py and hypercorn to Docker image

* remove multiprocessing where it is not longer usable

* Add image name+tag according to Terra guidelines

* first pass at image build

* fix image repo name

* fix PR comment step

* forgot a dollar sign

* how about this?

* empty commit to trigger ci

* updates for unusual branching strategies

* Fix signaling server for testing

* [DDO-3243] Remove Github workflow file from PR trigger paths

* Partially revert #d0d0847f

* Freeze dependencies

* don't wait on cp0 for proxy, as cp0 may not use proxy

* update startup-script to use sfkit-proxy

* small fixes to startup script

* add more error logging for signaling server

* take 2 at fixing signalling messages

* take 3 at fixing signalling messages

* take 4

* take 5

* take 6

* take 7

* take 8

* take 9

* take 10

* take 11

* update signalling server according to fixes in sfkit-proxy

* Improve GCP auth in the Terra GH workflow

* [github] Add Cron trigger for Terra workflow

* [github] Auto-cancel previous build_push_terra workflow runs

* add formatting check for study_id for extra protection against path-injection, as per CodeQL

* use simplified startup-script with docker for cp0

* add some configurations to startup-script

* minor improvement to startup script

* work on startup script

* try sudo to debug startup script

* automatically stop cp0 when user-configured study finishes

* Set APP_VERSION at Terra image build time

* Rename APP_VERSION to BUILD_VERSION

* Add APP_VERSION to Docker build

* update to allow proper version reporting and auto deploy to terra dev environment on merge

* only try to deploy commits to dev branch to dev

* Set default Websocket port to 8080

* Rename WebSocket Origin var

* Return firebaseProjectId from /createCustomToken

* Turn on FLASK_DEBUG only in Cloud Run development by default

* Restore Broadbot token

* add status and version endpoints

* separate appVersion and buildVersion

* Parse allowed CORS origin from SFKIT_API_URL (#15)

* Parse allowed CORS origin from SFKIT_API_URL

* Set frontend origins via CORS_ORIGINS env var

* Use * by default in CORS_ORIGINS

* [sfkit] Fix Failure upon autodeploy to terra dev environments (#16)

* fix outputs

* only auto deploy on merge to dev

* no server header for hypercorn (#17)

* Fix Hypercorn config copy and add Curl to Dockerfile (#18)

* Fix Hypercorn config copy in Dockerfile

* Add Curl to Dockerfile for development

* Add localhost dev origin (#19)

* Add localhost dev origin (attempt 2) (#20)

* Add localhost dev origin

* Fix comma split for Cloud Run set-env-vars

* Add localhost dev origin (attempt 3) (#21)

* Add localhost dev origin

* Fix comma split for Cloud Run set-env-vars

* Fix comma split for Cloud Run set-env-vars once again

* Fix commas once again

* Add localhost dev origin (attempt 4) (#22)

* Add localhost dev origin

* Fix comma split for Cloud Run set-env-vars

* Fix comma split for Cloud Run set-env-vars once again

* Fix commas once again

* Fix set-env-vars once again

* Fix cloudbuild commas (#23)

* Add localhost dev origin

* Fix comma split for Cloud Run set-env-vars

* Fix comma split for Cloud Run set-env-vars once again

* Fix commas once again

* Fix set-env-vars once again

* Fix set-env-vars once again...

* Remove extra quote

* Fix CORS origin list conversion (#24)

* modify auth to allow terra login (#25)

* Use FIREBASE_PROJECT_ID for Firestore database (#26)

* Use FIREBASE_PROJECT_ID for Firestore database

* Use project keyword for AsyncClient

* await auth; check firestore on creation (#27)

* Set Firebase App project ID (#28)

* Fix FIREBASE_PROJECT_ID constant import (#29)

* Use custom FIRESTORE_DATABASE name (#30)

* Bump cryptography from 41.0.5 to 41.0.6 (#31)

Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.5 to 41.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@41.0.5...41.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Set Firebase app for custom Firebase token creation (#32)

* Detect service account email for Firebase App (#33)

* Detect service account email for Firebase App

* Add logging message for Firebase app options

* Use optional TARGET_SERVICE_ACCOUNT impersonation (#34)

* Use optional TARGET_SERVICE_ACCOUNT impersonation

* Revert to Firebase app reference

* Fix Google Auth import (#35)

* Fix Google Auth import

* Fix Firebase credential object

* Attempt to fix Google impersonated_credentials import (#36)

* Set serviceAccountId for TARGET_SERVICE_ACCOUNT (#37)

* Always reference FIREBASE_PROJECT_ID when setting up Firebase and Firestore (#38)

* Log impersonated Firebase token without signature (#39)

* Log impersonated Firebase token without signature

* Add more logging

* Disable TARGET_SERVICE_ACCOUNT for now (#40)

* Re-enable impersonation (#41)

* Re-enable impersonation

* Add extra logging

* Remove and cleanup impersonation (#42)

* Remove and cleanup impersonation

* Don't set Firestore database if FIRESTORE_DATABASE isn't set

* Revert to using FIREBASE_PROJECT_ID (#43)

* Revert Firebase project ID assignment (#44)

* Unrevert project ID setting and return database name from /createCustomToken (#45)

* Return database name from /createCustomToken

* Unrevert 8614d7f

* Fix Firestore database name returned from /createCustomToken (#46)

* Fix Firestore database name returned from /createCustomToken

* Rename Firestore database key in return result

* Parse user ID universally and improve Auth header validation (#47)

* Parse user ID universally and improve Auth header validation

* Fix auth header verification

* Consolidate user db lookup

* Cache user IDs to speed up lookup

* Consolidate user ID parsing and use userSubjectId for Terra

* Streamline verification of auth header for Signaling and CLI APIs

* Fix missing db ref

* Move verify_auth_key and AUTH_HEADER into auth.py

* Populate PUBLIC_KEYS only in non-Terra env

* Guard against possible confusion of user_id with auth_keys

* Put Bearer token prefix into a constant

* Put AZURE_B2C_JWKS_URL and AZURE_B2C_CLIENT_ID into env vars

* Add comment about Azure vars vs Terra

* Use id instead of userSubjectId for the new Sam API

* Pass Terra auth header as-is without parsing to Sam

* Rename Terra and B2C user verification functions

* Rename verify_auth_key -> get_auth_key_user

* Add support for CLI auth with Terra (#48)

* Add support for CLI auth with Terra

* Improve error message for missing auth header

* Fix default Firestore database ID (#49)

* Fix default Firestore database ID

* Fix await for _get_terra_user

* Set log level via LOG_LEVEL env var and add auth user debug logging (#50)

* Add more logging (#51)

* Externalize all env vars into constants.py (#52)

* Externalize all env vars into constants.py

* Optimize imports

* Add back deepcopy import

* Fix log format and level for Terra/Kubernetes (#53)

* Step up DEBUG logging level to avoid too much verbosity (#54)

* Step up DEBUG logging level to avoid too much verbosity

* Return an instance of Logger subclass

* Improve debug logging (#55)

* Add separate database for non-terra dev (#56)

* Get CLI username from user ID and study_id from query param for Terra (#57)

* Get CLI username from user ID and study_id from query param for Terra

* Organize imports

* Restore previous formatting

* Fix whitespace

* Refactor study access checks

* Add global HttpException error handler

* Raise HTTP errors from authentication

* Refactor cli.py to remove boilerplate and improve input validation

* Validate msg before retrieving study

* Simplify msg parsing

* Remove redundant auth checks

* Remove redundant logging message

* Always raise Unauthrized in auth.py

* Launch terra cp0 (#60)

* Improve study access checks

* Override error description only when present

* Refactor Sam request and auth header handling

* Automatically register service account when running on Terra

* Implement submit_terra_workflow() through Rawls

* Fix auth header handling and generate SA token properly (#61)

* Fix auth header handling and generate SA token properly

* Fix Rawls submissions path

* Fix HeaderTypes -> Headers (#62)

* remove jinja dependency; simplify email invitation logic (#59)

* remove jinja dependency; simplify email invitation logic

* fix accept_invitation logic

* Fix register_service_account() invocation (#63)

* Fix Terra Service Account registration (#64)

* Fix register_service_account() invocation

* Fix Terra Service Account registration

* Remove async def

* Fix get_service_account_headers() implementation (#65)

* Add error description to register_terra_service_account() (#66)

* Fix Sam status check for existing Terra SA

* Revert and provide error description

* Temp log SA on error (#67)

* Fix Sam registration body (#68)

* Fix Sam registration request body

* Log successful response from Sam

* minor bug fixes and security improvements; fix accepting invitation to study (#69)

* Fix Terra request headers assignment (#70)

* Improve API exception reporting (#71)

* Refactor API exception handling through HTTPException (#72)

* Refactor API exception handling through HTTPException

* Move HTTPException handler into api_utils

* Cosmetic fix

* Remove redundant async

* Revert to using dedicated APIException class (#73)

* Revert "Refactor API exception handling through HTTPException (#72)"

This reverts commit 3c9809c.

* Parse out error message in APIException

* Fix parameters and error handling for Terra workflow submission (#74)

* Fix parameters and error handling for Terra workflow submission

* Add status code to APIException

* Await Terra workflow submission before returning response

* Fix response type conversion in APIException (#75)

* Fix APIException semantics (#76)

* prevent repeat study titles; minor formatting (#77)

* add endpoint to get_study_options for terra cli (#78)

* fix bug in previous commit (#79)

* fix wrong parameter in function (#80)

* Make auth key automatically (#81)

* fix wrong parameter in function

* make auth_key automatically on study creation or joining

* Auto-detect CP0 id on Terra (#82)

* Auto-detect CP0 id on Terra

* Formalize user ID keys and fix /get_study_options user_id for non-Terra

* Fix ID key imports (#83)

* Fix user_id detection in /get_study_options (#84)

* Fix user_id detection in /get_study_options

* Fix user_id setting without study_id

* lots of reformatting and some small bug fixes (#85)

* try to fix transactions (#86)

* try to fix transactions again (#87)

* fix awaiting for file (#88)

* Improve signaling logging (#89)

* Improve signaling logging

* Use warning for party disconnect

* fix task initialization for users (#90)

* set HOME env variable; handle SENDGRID_API_KEY env variable (#91)

* improve cloud run logging (#92)

* improve cloud run logging

* use source instead of bash so that env variable changes are maintained

* fix task resetting when restarting study

* source profile to fix startup scripts (#93)

* add logging for errors in signaling server (#94)

* Fix SFKIT_API_URL for Cloud Run and remove extra logging (#95)

* add debug logging for signaling server

* Log Signaling server origin

* Remove extra error logging in /ice

* Use manual Websocket origin check

* Add dummy websocket connection message

* Set SFKIT_API_URL for Cloud Run deployment

* Use SFKIT_API_URL in google_cloud_compute

* Add more pointed logging

* Add test /ice_status endpoint

* Use the same route for HTTP ICE status

* Rename ice status route

* Cleanup

* Cleanup

---------

Co-authored-by: Denis Loginov <denis@broadinstitute.org>

* Fix WebSocket connection issues due to CORS (#96)

* Fix WebSocket connection issues due to CORS

* Log allowed origins (#97)

* Log allowed origins

* Remove comma

* allow anonymous users to create studies (on non-terra) (#98)

* Bump cryptography from 41.0.6 to 42.0.0 (#99)

Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.6 to 42.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@41.0.6...42.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add sf-relate; minor bug fixes (#100)

* don't hardcode SFKIT_API_URL as much; minor formatting (#102)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Denis Loginov <denis@broadinstitute.org>
Co-authored-by: mflinn-broad <mflinn@broadinstitute.org>
Co-authored-by: dinvlad <137337+dinvlad@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants