Commit
1f9c09ab
authored
Dec 08, 2020
by
Carina Antunes
[
SEARCH-107
] Switch to new cern oauth
parent
044facac
Changes
15
.env
...
...
@@ -24,15 +24,15 @@ INVENIO_DEBUG=0
FLOWER_PASS=password
INVENIO_ACCOUNTS_SESSION_REDIS_URL=redis://redis:6379/1
INVENIO_ADMIN_ACCESS_GROUPS=
CernS
earch-
A
dmin
istrators@cern.ch
INVENIO_ADMIN_USER=
test@example.com
INVENIO_ADMIN_VIEW_ACCESS_GROUPS=
CernS
earch-
A
dmin
istrators@cern.ch
INVENIO_ADMIN_ACCESS_GROUPS=
s
earch-
a
dmin
INVENIO_ADMIN_USER=
search-admin
INVENIO_ADMIN_VIEW_ACCESS_GROUPS=
s
earch-
a
dmin
INVENIO_APP_ALLOWED_HOSTS=['localhost', 'nginx']
INVENIO_BROKER_URL=amqp://guest:password@rabbitmq:5672
INVENIO_CACHE_REDIS_HOST=redis
INVENIO_CACHE_REDIS_URL=redis://redis:6379/0
INVENIO_CERN_APP_CREDENTIALS={'consumer_key':'bah'}
INVENIO_CERN_APP_CREDENTIALS_CONSUMER_KEY=xxx
INVENIO_CERN_APP_
OPENID_
CREDENTIALS={'consumer_key':'bah'}
INVENIO_CERN_APP_
OPENID_
CREDENTIALS_CONSUMER_KEY=xxx
INVENIO_CELERY_BROKER_URL=amqp://guest:password@rabbitmq:5672
INVENIO_CELERY_RESULT_BACKEND=redis://redis:6379/2
INVENIO_COLLECT_STORAGE=flask_collect.storage.file
...
...
@@ -46,7 +46,7 @@ INVENIO_RATELIMIT_STORAGE_URL='redis://redis:6379/3'
INVENIO_RATELIMIT_AUTHENTICATED_USER=100000/hour
INVENIO_SEARCH_ELASTIC_HOSTS=elasticsearch
INVENIO_SEARCH_INDEX_PREFIX=cernsearch-
INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres/uservice
INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres
:5432
/uservice
INVENIO_THEME_FRONTPAGE_TITLE='CERN Search DEV'
INVENIO_THEME_LOGO=/images/cernsearchicon.png
INVENIO_THEME_LOGO_ADMIN=/images/cernsearchicon.png
...
...
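Review bot: `INVENIO_ADMIN_USER` now holds `search-admin`, the same string as the two access-group settings, where it previously held an account address (`test@example.com`); the test account created in scripts/create-test-user.sh and tests/conftest.py is still `test@example.com`. If the application compares this setting with a user's e-mail (not visible in this section), no account will match after the change, so confirm which kind of identifier the new OpenID flow expects here. The renamed `INVENIO_CERN_APP_OPENID_CREDENTIALS` entries carry only a consumer-key placeholder, and `.env` itself stays tracked (the widened `.env*.*` ignore pattern needs a suffix), so a comment such as `# placeholder values for local development; never commit real client credentials here` above them would make the intent explicit.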
.gitignore
...
...
@@ -29,7 +29,7 @@ secrets/
env/
*.ini
.env*.
dev
.env*.
*
# Debug and other logs
...
...
Dockerfile
...
...
@@ -7,7 +7,7 @@
# under the terms of the MIT License; see LICENSE file for more details.
# Use CentOS7:
FROM
gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:
d7964b30051811d72629dd35a6175e28224589c8
FROM
gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:
4cc14deb49f42c505062110461b96c12cda9b377
ARG
build_env
# CERN Search installation
...
...
@@ -28,9 +28,6 @@ RUN pip install -e .
RUN
touch
/
${
WORKING_DIR
}
/src/uwsgi.pid
RUN
chmod
666 /
${
WORKING_DIR
}
/src/uwsgi.pid
# Patch auth
RUN
sh /
${
WORKING_DIR
}
/src/scripts/patch/oauth_patch.sh
ENV
LOGS_DIR=/var/log
RUN
mkdir
-p
${
LOGS_DIR
}
RUN
chown
-R
invenio:root
${
LOGS_DIR
}
...
...
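Review bot: The new `FROM` line still selects the base image by tag (`4cc14deb49f42c505062110461b96c12cda9b377`); it looks like a commit id, but a registry tag can be re-pushed, so the build is not bound to the image that was reviewed. Pinning by content digest, `FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base@sha256:<digest-of-the-reviewed-image>`, makes the base reproducible and makes a substituted image fail the pull. Separately, the unchanged `chmod 666` on `uwsgi.pid` leaves that file world-writable; if only the uWSGI user writes it, a narrower mode with a matching owner would do.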
Pipfile
...
...
@@ -27,10 +27,11 @@ invenio-db = {version = ">=1.0.5,<1.1.0",extras = ["postgresql", "versioning"]}
invenio-files-processor
=
{
extras
=
["tika"]
,git
=
"https://github.com/carantunes/invenio-files-processor.git",ref
=
"1.0.2-alpha"
}
invenio-files-rest
=
">
=
1.2
.
0
,
<
1.3
.
0
"
invenio-indexer
=
">
=
1.1
.
1
,
<
1.2
.
0
"
invenio-i18n
=
"<1.3.0,>
=
1.2
.
0
"
invenio-jsonschemas
=
">
=
1.1
.
0
,
<
1.2
.
0
"
invenio-logging
=
{
extras
=
["sentry-sdk"]
,version
=
">
=
1.3
.
0
,
<
1.4
.
0
"}
invenio-oauth2server
=
">
=
1.2
.
0
,
<
1.3
.
0
"
invenio-oauthclient
=
"
>
=
1.
3
.
0
,
<
1.4
.
0
"
invenio-oauthclient
=
"
<
1.
4
.0,
>
=
1.3
.
5
"
invenio-records
=
{
extras
=
["postgresql"]
,version
=
">
=
1.3
.
1
,
<
1.4
.
0
"}
invenio-records-files
=
">
=
1.2
.
1
,
<
1.3
.
0
"
invenio-records-rest
=
">
=
1.7
.
1
,
<
1.8
.
0
"
...
...
@@ -50,3 +51,6 @@ tika = "==1.24"
[requires]
python_version
=
"3.6"
[pipenv]
allow_prereleases
=
true
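Review bot: `allow_prereleases = true` in the new `[pipenv]` section applies to every package in the file, so the resolver may select alpha, beta or rc releases of any dependency the next time the lock is regenerated, not only the one that needs it. If it was added for a single package (possibly `invenio-files-processor`, pinned to `1.0.2-alpha` in the context lines, or something pulled in by the new `invenio-oauthclient` range; the page does not say), pin that package to its exact pre-release version and leave the global flag off. At minimum add a comment above it, e.g. `# needed for <package>; remove once a final release exists`. The hunk header of scripts/pipenv/bootstrap shows `pipenv install --dev --skip-lock`, so on that path the lock file does not constrain what gets installed.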
Pipfile.lock
This diff is collapsed.
cern_search_rest_api/config.py
...
...
@@ -24,7 +24,7 @@ from cern_search_rest_api.modules.cernsearch.permissions import (record_create_p
record_update_permission_factory
)
from
elasticsearch_dsl
import
A
from
flask
import
request
from
invenio_oauthclient.contrib
import
cern
from
invenio_oauthclient.contrib
import
cern
_openid
from
invenio_records_rest
import
config
as
irr_config
from
invenio_records_rest.facets
import
terms_filter
from
kombu
import
Exchange
,
Queue
...
...
@@ -42,31 +42,27 @@ THEME_SEARCHBAR = False
# OAuth Client
# ============
CERN_REMOTE_APP
=
copy
.
deepcopy
(
cern
.
REMOTE_APP
)
OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES
=
[
"search-user"
,
"search-admin"
]
CERN_REMOTE_APP
=
copy
.
deepcopy
(
cern_openid
.
REMOTE_APP
)
CERN_REMOTE_APP
[
"params"
].
update
(
dict
(
request_token_params
=
{
"resource"
:
os
.
getenv
(
'CERN_SEARCH_REMOTE_APP_RESOURCE'
,
'test-cern-search.cern.ch'
),
"scope"
:
"Name Email Bio Groups"
,
"scope"
:
"openid"
,
}))
CERN_REMOTE_APP
[
"authorized_handler"
]
=
\
'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
OAUTHCLIENT_REMOTE_APPS
=
dict
(
cern
=
CERN_REMOTE_APP
,
cern
_openid
=
CERN_REMOTE_APP
,
)
# OAuth REST Client
# ============
OAUTH_REMOTE_APP
=
copy
.
deepcopy
(
cern
.
REMOTE_REST_APP
)
OAUTH_REMOTE_APP
[
"params"
].
update
(
dict
(
request_token_params
=
{
"resource"
:
os
.
getenv
(
'CERN_SEARCH_REMOTE_APP_RESOURCE'
,
'test-cern-search.cern.ch'
),
"scope"
:
"Name Email Bio Groups Group"
,
OAUTH_REMOTE_REST_APP
=
copy
.
deepcopy
(
cern_openid
.
REMOTE_REST_APP
)
OAUTH_REMOTE_REST_APP
[
"params"
].
update
(
dict
(
request_token_params
=
{
"scope"
:
"openid"
,
}))
OAUTH_REMOTE_APP
[
"authorized_handler"
]
=
\
'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
OAUTHCLIENT_REST_REMOTE_APPS
=
dict
(
cern
=
OAUTH_REMOTE_APP
,
cern
_openid
=
OAUTH_REMOTE_
REST_
APP
,
)
# Accounts
...
...
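Review bot: `OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES = ["search-user", "search-admin"]` is added without a comment, although in the `cern_openid` contrib this list appears to be what decides which accounts may sign in; the `search-admin` string is repeated in .env, scripts/create-test-user.sh and tests/conftest.py, so a rename in one place changes who is admitted or treated as admin without any error. I would add above it `# Roles (as defined for this application in the CERN authorization service) allowed to log in; keep in sync with INVENIO_ADMIN_ACCESS_GROUPS`. The rendered page does not show whether the `CERN_REMOTE_APP["authorized_handler"]` override to `cern_authorized_signup_handler` survives; if it does, that handler was written for the old `cern` contrib and replaces the one shipped with `cern_openid`, so confirm it still enforces the role list. The REST app's override appears to be dropped, since it refers to the old `OAUTH_REMOTE_APP` name.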
cern_search_rest_api/modules/cernsearch/permissions.py
...
...
@@ -141,6 +141,12 @@ class FilePermission(RecordPermission):
def
_granted
(
provides
,
needs
):
"""Check if user provided permissions and necessary permissions match."""
current_app
.
logger
.
debug
(
'Provides {provides} and needs: {needs}'
.
format
(
provides
=
provides
,
needs
=
needs
))
return
provides
and
not
set
(
provides
).
isdisjoint
(
set
(
needs
))
...
...
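Review bot: The `current_app.logger.debug(...)` call in `_granted` writes both the caller's provided needs and the required needs to the log on every permission check, and builds the string with `.format()` even when debug logging is off. Those values presumably hold user and group identifiers, so consider whether they belong in the log at all; if the line stays, pass them as logger arguments: `current_app.logger.debug('Provides %s and needs: %s', provides, needs)`. As a point of style, `return provides and not ...` returns `provides` itself when it is empty or `None`; `return bool(provides) and not set(provides).isdisjoint(needs)` keeps the result boolean. The enclosing scope and the callers of `_granted` are outside the hunk.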
docker-compose.full.yml
...
...
@@ -50,7 +50,7 @@ services:
command
:
[
"
/bin/bash"
,
"
-c"
,
"
celery
worker
-A
${WORKER_APP}
-l
DEBUG
--autoscale=10,1"
"
celery
-A
${WORKER_APP}
worker
-l
DEBUG
--autoscale=10,1"
]
healthcheck
:
test
:
[
"
CMD"
,
"
celery
inspect
ping
-A
${WORKER_APP}
-d
celery@$$(hostname)"
]
...
...
docker-compose.test.yml
...
...
@@ -53,7 +53,7 @@ services:
command
:
[
"
/bin/bash"
,
"
-c"
,
"
celery
worker
-A
${WORKER_APP}
-l
DEBUG
--autoscale=10,1"
"
celery
-A
${WORKER_APP}
worker
-l
DEBUG
--autoscale=10,1"
]
healthcheck
:
test
:
[
"
CMD"
,
"
celery
inspect
ping
-A
${WORKER_APP}
-d
celery@$$(hostname)"
]
...
...
@@ -76,7 +76,7 @@ services:
test
:
[
"
CMD"
,
"
curl"
,
"
-f"
,
"
localhost:9200/_cluster/health?wait_for_status=yellow"
]
interval
:
30s
timeout
:
10s
retries
:
5
retries
:
10
kibana
:
image
:
docker.elastic.co/kibana/kibana-oss:7.1.1
...
...
scripts/create-test-user.sh
...
...
@@ -7,8 +7,8 @@
# CERN Search is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
invenio
users
create
test
@example.com
--password
test1234
--active
invenio roles create
CernS
earch-
A
dmin
istrators@cern.ch
invenio roles add
test
@example.com
CernS
earch-
A
dmin
istrators@cern.ch
invenio
users
create
test
@example.com
--password
password
--active
invenio roles create
s
earch-
a
dmin
invenio roles add
test
@example.com
s
earch-
a
dmin
invenio tokens create
-n
test
-u
test
@example.com
>
.api_token
echo
TOKEN:
$(
<.api_token
)
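Review bot: The changed `invenio users create` line gives the active test account the password `password` (previously `test1234`), and the following lines put that account in `search-admin`, the role that .env names as the admin access group. Nothing in the visible script stops it from being run against a non-development instance, so I would take the password from the environment, e.g. `--password "${TEST_USER_PASSWORD:?set TEST_USER_PASSWORD}"` (variable name constructed for this note), or exit early unless a development flag is set. The unchanged last lines write the API token to `.api_token` in the working directory and echo it; a `umask 077` before the redirect keeps that file private to the caller. Lines 1–6 of the script are outside the hunk.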
scripts/patch.sh
0 → 100644
# Utility for debug purposes: Replace which package/module you want to replace
readonly
LOCATION
=
$(
pip show invenio-records-rest |
grep
Location |
awk
'{print $2}'
)
readonly
SCRIPT_PATH
=
$(
dirname
$0
)
rm
-f
${
LOCATION
}
/invenio_records_rest/views.py
cp
${
SCRIPT_PATH
}
/views.py
${
LOCATION
}
/invenio_records_rest/views.py
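Review bot: If `pip show invenio-records-rest` prints nothing (package missing, or `pip` belonging to another interpreter), `LOCATION` is empty and the `rm -f` and `cp` lines act on `/invenio_records_rest/views.py` at the filesystem root; `readonly LOCATION=$(...)` also hides the pipeline's exit status, and the expansions are unquoted. Add `[ -n "${LOCATION}" ] || { echo "invenio-records-rest not found" >&2; exit 1; }` after the assignment and quote `"${LOCATION}"`, `"${SCRIPT_PATH}"` and `"$0"`. The new file has no shebang or licence header, unlike the other scripts on this page, and no `views.py` is among the files this commit lists. The opening comment should say that the script overwrites an installed package file with a local `views.py` the developer must supply, and that it is not meant for image builds, which is the pattern this commit removes with `oauth_patch.sh`.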
scripts/patch/cern.py
deleted
100644 → 0
This diff is collapsed.
scripts/patch/oauth_patch.sh
deleted
100644 → 0
#!/usr/bin/env bash
# -*- coding: utf-8 -*-
#
# This file is part of CERN Search.
# Copyright (C) 2018-2019 CERN.
#
# CERN Search is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
readonly
LOCATION
=
$(
pip show invenio-oauthclient |
grep
Location |
awk
'{print $2}'
)
readonly
SCRIPT_PATH
=
$(
dirname
$0
)
rm
-f
${
LOCATION
}
/invenio_oauthclient/contrib/cern.py
cp
${
SCRIPT_PATH
}
/cern.py
${
LOCATION
}
/invenio_oauthclient/contrib/cern.py
scripts/pipenv/bootstrap
...
...
@@ -18,9 +18,6 @@ pipenv install --dev --skip-lock
# Install application code and entrypoints from 'setup.py'
pip
install
-e
$SCRIPT_PATH
/../..
# Patch auth
sh
$SCRIPT_PATH
/../patch/oauth_patch.sh
# Build assets
invenio collect
-v
invenio webpack buildall
...
...
tests/conftest.py
...
...
@@ -33,7 +33,7 @@ def user(db, app):
user
=
User
(
email
=
'test@example.com'
,
active
=
True
)
db
.
session
.
add
(
user
)
role
=
Role
(
name
=
'
CernS
earch-
A
dmin
istrators@cern.ch
'
)
role
=
Role
(
name
=
'
s
earch-
a
dmin'
)
role
.
users
.
append
(
user
)
db
.
session
.
add
(
role
)
...
...