Commit 1f9c09ab authored by Carina Antunes

[SEARCH-107] Switch to new cern oauth

parent 044facac
......@@ -24,15 +24,15 @@ INVENIO_DEBUG=0
FLOWER_PASS=password
INVENIO_ACCOUNTS_SESSION_REDIS_URL=redis://redis:6379/1
INVENIO_ADMIN_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
INVENIO_ADMIN_USER=test@example.com
INVENIO_ADMIN_VIEW_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
INVENIO_ADMIN_ACCESS_GROUPS=search-admin
INVENIO_ADMIN_USER=search-admin
INVENIO_ADMIN_VIEW_ACCESS_GROUPS=search-admin
INVENIO_APP_ALLOWED_HOSTS=['localhost', 'nginx']
INVENIO_BROKER_URL=amqp://guest:password@rabbitmq:5672
INVENIO_CACHE_REDIS_HOST=redis
INVENIO_CACHE_REDIS_URL=redis://redis:6379/0
INVENIO_CERN_APP_CREDENTIALS={'consumer_key':'bah'}
INVENIO_CERN_APP_CREDENTIALS_CONSUMER_KEY=xxx
INVENIO_CERN_APP_OPENID_CREDENTIALS={'consumer_key':'bah'}
INVENIO_CERN_APP_OPENID_CREDENTIALS_CONSUMER_KEY=xxx
INVENIO_CELERY_BROKER_URL=amqp://guest:password@rabbitmq:5672
INVENIO_CELERY_RESULT_BACKEND=redis://redis:6379/2
INVENIO_COLLECT_STORAGE=flask_collect.storage.file
......@@ -46,7 +46,7 @@ INVENIO_RATELIMIT_STORAGE_URL='redis://redis:6379/3'
INVENIO_RATELIMIT_AUTHENTICATED_USER=100000/hour
INVENIO_SEARCH_ELASTIC_HOSTS=elasticsearch
INVENIO_SEARCH_INDEX_PREFIX=cernsearch-
INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres/uservice
INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres:5432/uservice
INVENIO_THEME_FRONTPAGE_TITLE='CERN Search DEV'
INVENIO_THEME_LOGO=/images/cernsearchicon.png
INVENIO_THEME_LOGO_ADMIN=/images/cernsearchicon.png
......
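Review bot: `INVENIO_ADMIN_USER=search-admin` (replacing `INVENIO_ADMIN_USER=test@example.com`) now carries the same value as the two `*_ACCESS_GROUPS` variables, while the fixture script in this same commit still creates the account as `test@example.com` and only names the role `search-admin`; if this setting identifies a user account rather than a role, the admin lookup will presumably no longer resolve. Either keep `INVENIO_ADMIN_USER=test@example.com` or confirm that the setting is consumed as a role/group name. The two `INVENIO_CERN_APP_OPENID_CREDENTIALS*` entries inherit the placeholder `{'consumer_key':'bah'}` / `xxx` values of the variables they replace; if the loader accepts `#` comments, a line such as `# dev placeholders; real OpenID client credentials are injected by the deployment` would make that intent explicit.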
......@@ -29,7 +29,7 @@ secrets/
env/
*.ini
.env*.dev
.env*.*
# Debug and other logs
......
......@@ -7,7 +7,7 @@
# under the terms of the MIT License; see LICENSE file for more details.
# Use CentOS7:
FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:d7964b30051811d72629dd35a6175e28224589c8
FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:4cc14deb49f42c505062110461b96c12cda9b377
ARG build_env
# CERN Search installation
......@@ -28,9 +28,6 @@ RUN pip install -e .
RUN touch /${WORKING_DIR}/src/uwsgi.pid
RUN chmod 666 /${WORKING_DIR}/src/uwsgi.pid
# Patch auth
RUN sh /${WORKING_DIR}/src/scripts/patch/oauth_patch.sh
ENV LOGS_DIR=/var/log
RUN mkdir -p ${LOGS_DIR}
RUN chown -R invenio:root ${LOGS_DIR}
......
......@@ -27,10 +27,11 @@ invenio-db = {version = ">=1.0.5,<1.1.0",extras = ["postgresql", "versioning"]}
invenio-files-processor = {extras = ["tika"],git = "https://github.com/carantunes/invenio-files-processor.git",ref = "1.0.2-alpha"}
invenio-files-rest = ">=1.2.0,<1.3.0"
invenio-indexer = ">=1.1.1,<1.2.0"
invenio-i18n = "<1.3.0,>=1.2.0"
invenio-jsonschemas = ">=1.1.0,<1.2.0"
invenio-logging = {extras = ["sentry-sdk"],version = ">=1.3.0,<1.4.0"}
invenio-oauth2server = ">=1.2.0,<1.3.0"
invenio-oauthclient = ">=1.3.0,<1.4.0"
invenio-oauthclient = "<1.4.0,>=1.3.5"
invenio-records = {extras = ["postgresql"],version = ">=1.3.1,<1.4.0"}
invenio-records-files = ">=1.2.1,<1.3.0"
invenio-records-rest = ">=1.7.1,<1.8.0"
......@@ -50,3 +51,6 @@ tika = "==1.24"
[requires]
python_version = "3.6"
[pipenv]
allow_prereleases = true
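Review bot: `allow_prereleases = true` in the new `[pipenv]` table applies to every dependency in the file, not only to the package that needs it, so any future resolve may pull a pre-release of an unrelated package; since the bootstrap script installs with `--skip-lock`, nothing pins what was actually resolved. If a single requirement needs a pre-release (`invenio-files-processor` is already taken from a git ref `1.0.2-alpha`), prefer expressing that on the requirement itself and leaving the global flag unset. At minimum add a comment naming the motivating dependency, e.g. `# allow_prereleases: needed for <PACKAGE-PLACEHOLDER>; remove once a final release is pinned`.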
......@@ -24,7 +24,7 @@ from cern_search_rest_api.modules.cernsearch.permissions import (record_create_p
record_update_permission_factory)
from elasticsearch_dsl import A
from flask import request
from invenio_oauthclient.contrib import cern
from invenio_oauthclient.contrib import cern_openid
from invenio_records_rest import config as irr_config
from invenio_records_rest.facets import terms_filter
from kombu import Exchange, Queue
......@@ -42,31 +42,27 @@ THEME_SEARCHBAR = False
# OAuth Client
# ============
CERN_REMOTE_APP = copy.deepcopy(cern.REMOTE_APP)
OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES = ["search-user", "search-admin"]
CERN_REMOTE_APP = copy.deepcopy(cern_openid.REMOTE_APP)
CERN_REMOTE_APP["params"].update(dict(request_token_params={
"resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
"scope": "Name Email Bio Groups",
"scope": "openid",
}))
CERN_REMOTE_APP["authorized_handler"] = \
'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
OAUTHCLIENT_REMOTE_APPS = dict(
cern=CERN_REMOTE_APP,
cern_openid=CERN_REMOTE_APP,
)
# OAuth REST Client
# ============
OAUTH_REMOTE_APP = copy.deepcopy(cern.REMOTE_REST_APP)
OAUTH_REMOTE_APP["params"].update(dict(request_token_params={
"resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
"scope": "Name Email Bio Groups Group",
OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
OAUTH_REMOTE_REST_APP["params"].update(dict(request_token_params={
"scope": "openid",
}))
OAUTH_REMOTE_APP["authorized_handler"] = \
'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
OAUTHCLIENT_REST_REMOTE_APPS = dict(
cern=OAUTH_REMOTE_APP,
cern_openid=OAUTH_REMOTE_REST_APP,
)
# Accounts
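Review bot: The new `OAUTH_REMOTE_REST_APP["params"].update(...)` only sets `"scope": "openid"`, whereas `CERN_REMOTE_APP["params"].update(...)` just above still sends the `resource` request-token parameter read from `CERN_SEARCH_REMOTE_APP_RESOURCE`, so the two remote apps now start the flow with different parameters. If `resource` is obsolete for the OpenID provider it should be dropped from `CERN_REMOTE_APP` too, otherwise restored on the REST app, so behaviour does not depend on which entry point a client uses. `OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES` deserves a comment such as `# Roles the OpenID provider must assert for a login to be accepted; keep in sync with INVENIO_ADMIN_ACCESS_GROUPS in .env` (presumably users lacking one are rejected at login; confirm against invenio-oauthclient). If the custom `authorized_handler` (`cern_authorized_signup_handler`) is still attached to `CERN_REMOTE_APP`, verify it parses the OpenID account-info shape rather than the old `cern` contrib's.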
......
......@@ -141,6 +141,12 @@ class FilePermission(RecordPermission):
def _granted(provides, needs):
"""Check if user provided permissions and necessary permissions match."""
current_app.logger.debug('Provides {provides} and needs: {needs}'.format(
provides=provides,
needs=needs
))
return provides and not set(provides).isdisjoint(set(needs))
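Review bot: The added `current_app.logger.debug('Provides {provides} and needs: {needs}'.format(...))` renders the full `provides` collection into the message eagerly on every permission check, even when DEBUG logging is disabled, and when enabled it writes the caller's identity and group claims into the log. Use the logger's lazy arguments, `current_app.logger.debug('Provides %s and needs: %s', provides, needs)`, so formatting only happens when the level is on, and consider summarising `provides` (e.g. its length or only the matching needs) before it reaches shared log storage. `_granted` is fully inside the hunk, but its enclosing class `FilePermission` starts outside it.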
......
......@@ -50,7 +50,7 @@ services:
command: [
"/bin/bash",
"-c",
"celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
"celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
]
healthcheck:
test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]
......
......@@ -53,7 +53,7 @@ services:
command: [
"/bin/bash",
"-c",
"celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
"celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
]
healthcheck:
test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]
......@@ -76,7 +76,7 @@ services:
test: ["CMD", "curl", "-f", "localhost:9200/_cluster/health?wait_for_status=yellow"]
interval: 30s
timeout: 10s
retries: 5
retries: 10
kibana:
image: docker.elastic.co/kibana/kibana-oss:7.1.1
......
......@@ -7,8 +7,8 @@
# CERN Search is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
invenio users create test@example.com --password test1234 --active
invenio roles create CernSearch-Administrators@cern.ch
invenio roles add test@example.com CernSearch-Administrators@cern.ch
invenio users create test@example.com --password password --active
invenio roles create search-admin
invenio roles add test@example.com search-admin
invenio tokens create -n test -u test@example.com > .api_token
echo TOKEN: $(<.api_token)
# Utility for debug purposes: Replace which package/module you want to replace
readonly LOCATION=$(pip show invenio-records-rest | grep Location | awk '{print $2}')
readonly SCRIPT_PATH=$(dirname $0)
rm -f ${LOCATION}/invenio_records_rest/views.py
cp ${SCRIPT_PATH}/views.py ${LOCATION}/invenio_records_rest/views.py
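Review bot: The file header for this five-line script is not visible, so it is unclear whether it is being added or removed; if it is added, `rm -f ${LOCATION}/invenio_records_rest/views.py` followed by `cp` replaces a module of a pinned, installed dependency with an unreviewed local copy, defeating the version constraint in the Pipfile and reintroducing the pattern this commit removes for `oauth_patch.sh`. If it must stay as a debugging aid, quote the expansions (`readonly SCRIPT_PATH="$(dirname "$0")"`) and abort when `pip show` yields nothing, because an empty `LOCATION` turns the `rm -f` target into `/invenio_records_rest/views.py`.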
#!/usr/bin/env bash
# -*- coding: utf-8 -*-
#
# This file is part of CERN Search.
# Copyright (C) 2018-2019 CERN.
#
# CERN Search is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
readonly LOCATION=$(pip show invenio-oauthclient | grep Location | awk '{print $2}')
readonly SCRIPT_PATH=$(dirname $0)
rm -f ${LOCATION}/invenio_oauthclient/contrib/cern.py
cp ${SCRIPT_PATH}/cern.py ${LOCATION}/invenio_oauthclient/contrib/cern.py
......@@ -18,9 +18,6 @@ pipenv install --dev --skip-lock
# Install application code and entrypoints from 'setup.py'
pip install -e $SCRIPT_PATH/../..
# Patch auth
sh $SCRIPT_PATH/../patch/oauth_patch.sh
# Build assets
invenio collect -v
invenio webpack buildall
......
......@@ -33,7 +33,7 @@ def user(db, app):
user = User(email='test@example.com', active=True)
db.session.add(user)
role = Role(name='CernSearch-Administrators@cern.ch')
role = Role(name='search-admin')
role.users.append(user)
db.session.add(role)
......