[SEARCH-107] Switch to new cern oauth

.env

@@ -24,15 +24,15 @@ INVENIO_DEBUG=0
 FLOWER_PASS=password
 
 INVENIO_ACCOUNTS_SESSION_REDIS_URL=redis://redis:6379/1
-INVENIO_ADMIN_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
-INVENIO_ADMIN_USER=test@example.com
-INVENIO_ADMIN_VIEW_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
+INVENIO_ADMIN_ACCESS_GROUPS=search-admin
+INVENIO_ADMIN_USER=search-admin
+INVENIO_ADMIN_VIEW_ACCESS_GROUPS=search-admin
 INVENIO_APP_ALLOWED_HOSTS=['localhost', 'nginx']
 INVENIO_BROKER_URL=amqp://guest:password@rabbitmq:5672
 INVENIO_CACHE_REDIS_HOST=redis
 INVENIO_CACHE_REDIS_URL=redis://redis:6379/0
-INVENIO_CERN_APP_CREDENTIALS={'consumer_key':'bah'}
-INVENIO_CERN_APP_CREDENTIALS_CONSUMER_KEY=xxx
+INVENIO_CERN_APP_OPENID_CREDENTIALS={'consumer_key':'bah'}
+INVENIO_CERN_APP_OPENID_CREDENTIALS_CONSUMER_KEY=xxx
 INVENIO_CELERY_BROKER_URL=amqp://guest:password@rabbitmq:5672
 INVENIO_CELERY_RESULT_BACKEND=redis://redis:6379/2
 INVENIO_COLLECT_STORAGE=flask_collect.storage.file
@@ -46,7 +46,7 @@ INVENIO_RATELIMIT_STORAGE_URL='redis://redis:6379/3'
 INVENIO_RATELIMIT_AUTHENTICATED_USER=100000/hour
 INVENIO_SEARCH_ELASTIC_HOSTS=elasticsearch
 INVENIO_SEARCH_INDEX_PREFIX=cernsearch-
-INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres/uservice
+INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres:5432/uservice
 INVENIO_THEME_FRONTPAGE_TITLE='CERN Search DEV'
 INVENIO_THEME_LOGO=/images/cernsearchicon.png
 INVENIO_THEME_LOGO_ADMIN=/images/cernsearchicon.png

.gitignore

@@ -29,7 +29,7 @@ secrets/
 
 env/
 *.ini
-.env*.dev
+.env*.*
 
 # Debug and other logs
 

Dockerfile

@@ -7,7 +7,7 @@
 # under the terms of the MIT License; see LICENSE file for more details.
 
 # Use CentOS7:
-FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:d7964b30051811d72629dd35a6175e28224589c8
+FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:4cc14deb49f42c505062110461b96c12cda9b377
 ARG build_env
 
 # CERN Search installation
@@ -28,9 +28,6 @@ RUN pip install -e .
 RUN touch /${WORKING_DIR}/src/uwsgi.pid
 RUN chmod 666 /${WORKING_DIR}/src/uwsgi.pid
 
-# Patch auth
-RUN sh /${WORKING_DIR}/src/scripts/patch/oauth_patch.sh
-
 ENV LOGS_DIR=/var/log
 RUN mkdir -p ${LOGS_DIR}
 RUN chown -R invenio:root ${LOGS_DIR}

Pipfile

@@ -27,10 +27,11 @@ invenio-db = {version = ">=1.0.5,<1.1.0",extras = ["postgresql", "versioning"]}
 invenio-files-processor = {extras = ["tika"],git = "https://github.com/carantunes/invenio-files-processor.git",ref = "1.0.2-alpha"}
 invenio-files-rest = ">=1.2.0,<1.3.0"
 invenio-indexer = ">=1.1.1,<1.2.0"
+invenio-i18n = "<1.3.0,>=1.2.0"
 invenio-jsonschemas = ">=1.1.0,<1.2.0"
 invenio-logging = {extras = ["sentry-sdk"],version = ">=1.3.0,<1.4.0"}
 invenio-oauth2server = ">=1.2.0,<1.3.0"
-invenio-oauthclient = ">=1.3.0,<1.4.0"
+invenio-oauthclient = "<1.4.0,>=1.3.5"
 invenio-records = {extras = ["postgresql"],version = ">=1.3.1,<1.4.0"}
 invenio-records-files = ">=1.2.1,<1.3.0"
 invenio-records-rest = ">=1.7.1,<1.8.0"
@@ -50,3 +51,6 @@ tika = "==1.24"
 
 [requires]
 python_version = "3.6"
+
+[pipenv]
+allow_prereleases = true

cern_search_rest_api/config.py

@@ -24,7 +24,7 @@ from cern_search_rest_api.modules.cernsearch.permissions import (record_create_p
                                                                  record_update_permission_factory)
 from elasticsearch_dsl import A
 from flask import request
-from invenio_oauthclient.contrib import cern
+from invenio_oauthclient.contrib import cern_openid
 from invenio_records_rest import config as irr_config
 from invenio_records_rest.facets import terms_filter
 from kombu import Exchange, Queue
@@ -42,31 +42,27 @@ THEME_SEARCHBAR = False
 # OAuth Client
 # ============
 
-CERN_REMOTE_APP = copy.deepcopy(cern.REMOTE_APP)
+OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES = ["search-user", "search-admin"]
+
+CERN_REMOTE_APP = copy.deepcopy(cern_openid.REMOTE_APP)
 CERN_REMOTE_APP["params"].update(dict(request_token_params={
-    "resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
-    "scope": "Name Email Bio Groups",
+    "scope": "openid",
 }))
 
-CERN_REMOTE_APP["authorized_handler"] = \
-    'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
-
 OAUTHCLIENT_REMOTE_APPS = dict(
-    cern=CERN_REMOTE_APP,
+    cern_openid=CERN_REMOTE_APP,
 )
 
 # OAuth REST Client
 # ============
 
-OAUTH_REMOTE_APP = copy.deepcopy(cern.REMOTE_REST_APP)
-OAUTH_REMOTE_APP["params"].update(dict(request_token_params={
-    "resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
-    "scope": "Name Email Bio Groups Group",
+OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
+OAUTH_REMOTE_REST_APP["params"].update(dict(request_token_params={
+    "scope": "openid",
 }))
-OAUTH_REMOTE_APP["authorized_handler"] = \
-    'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
+
 OAUTHCLIENT_REST_REMOTE_APPS = dict(
-    cern=OAUTH_REMOTE_APP,
+    cern_openid=OAUTH_REMOTE_REST_APP,
 )
 
 # Accounts

cern_search_rest_api/modules/cernsearch/permissions.py

@@ -141,6 +141,12 @@ class FilePermission(RecordPermission):
 
 def _granted(provides, needs):
     """Check if user provided permissions and necessary permissions match."""
+
+    current_app.logger.debug('Provides {provides} and needs: {needs}'.format(
+        provides=provides,
+        needs=needs
+    ))
+
     return provides and not set(provides).isdisjoint(set(needs))
 
 

docker-compose.full.yml

@@ -50,7 +50,7 @@ services:
     command: [
       "/bin/bash",
       "-c",
-      "celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
+      "celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
     ]
     healthcheck:
       test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]

docker-compose.test.yml

@@ -53,7 +53,7 @@ services:
     command: [
       "/bin/bash",
       "-c",
-      "celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
+      "celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
     ]
     healthcheck:
       test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]
@@ -76,7 +76,7 @@ services:
       test: ["CMD", "curl", "-f", "localhost:9200/_cluster/health?wait_for_status=yellow"]
       interval: 30s
       timeout: 10s
-      retries: 5
+      retries: 10
 
   kibana:
     image: docker.elastic.co/kibana/kibana-oss:7.1.1

scripts/create-test-user.sh

@@ -7,8 +7,8 @@
 # CERN Search is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
 
-invenio users create test@example.com --password test1234 --active
-invenio roles create CernSearch-Administrators@cern.ch
-invenio roles add test@example.com CernSearch-Administrators@cern.ch
+invenio users create test@example.com --password password --active
+invenio roles create search-admin
+invenio roles add test@example.com search-admin
 invenio tokens create -n test -u test@example.com > .api_token
 echo TOKEN: $(<.api_token)

scripts/patch.sh

+# Utility for debug purposes: Replace which package/module you want to replace
+readonly LOCATION=$(pip show invenio-records-rest | grep Location | awk '{print $2}')
+readonly SCRIPT_PATH=$(dirname $0)
+
+rm -f ${LOCATION}/invenio_records_rest/views.py
+cp ${SCRIPT_PATH}/views.py ${LOCATION}/invenio_records_rest/views.py

scripts/patch/oauth_patch.sh

-#!/usr/bin/env bash
-# -*- coding: utf-8 -*-
-#
-# This file is part of CERN Search.
-# Copyright (C) 2018-2019 CERN.
-#
-# CERN Search is free software; you can redistribute it and/or modify it
-# under the terms of the MIT License; see LICENSE file for more details.
-
-readonly LOCATION=$(pip show invenio-oauthclient | grep Location | awk '{print $2}')
-readonly SCRIPT_PATH=$(dirname $0)
-
-rm -f ${LOCATION}/invenio_oauthclient/contrib/cern.py
-cp ${SCRIPT_PATH}/cern.py ${LOCATION}/invenio_oauthclient/contrib/cern.py

scripts/pipenv/bootstrap

@@ -18,9 +18,6 @@ pipenv install --dev --skip-lock
 # Install application code and entrypoints from 'setup.py'
 pip install -e $SCRIPT_PATH/../..
 
-# Patch auth
-sh $SCRIPT_PATH/../patch/oauth_patch.sh
-
 # Build assets
 invenio collect -v
 invenio webpack buildall

tests/conftest.py

@@ -33,7 +33,7 @@ def user(db, app):
     user = User(email='test@example.com', active=True)
     db.session.add(user)
 
-    role = Role(name='CernSearch-Administrators@cern.ch')
+    role = Role(name='search-admin')
     role.users.append(user)
     db.session.add(role)