[SEARCH-107] Switch to new cern oauth

1f9c09ab · Carina Antunes · 044facac · 1f9c09ab · 1f9c09ab · 1f9c09ab
Commit 1f9c09ab authored Dec 08, 2020 by Carina Antunes
--- a/.env
+++ b/.env
@@ -24,15 +24,15 @@ INVENIO_DEBUG=0
 FLOWER_PASS=password

 INVENIO_ACCOUNTS_SESSION_REDIS_URL=redis://redis:6379/1
-INVENIO_ADMIN_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
-INVENIO_ADMIN_USER=test@example.com
-INVENIO_ADMIN_VIEW_ACCESS_GROUPS=CernSearch-Administrators@cern.ch
+INVENIO_ADMIN_ACCESS_GROUPS=search-admin
+INVENIO_ADMIN_USER=search-admin
+INVENIO_ADMIN_VIEW_ACCESS_GROUPS=search-admin
 INVENIO_APP_ALLOWED_HOSTS=['localhost', 'nginx']
 INVENIO_BROKER_URL=amqp://guest:password@rabbitmq:5672
 INVENIO_CACHE_REDIS_HOST=redis
 INVENIO_CACHE_REDIS_URL=redis://redis:6379/0
-INVENIO_CERN_APP_CREDENTIALS={'consumer_key':'bah'}
-INVENIO_CERN_APP_CREDENTIALS_CONSUMER_KEY=xxx
+INVENIO_CERN_APP_OPENID_CREDENTIALS={'consumer_key':'bah'}
+INVENIO_CERN_APP_OPENID_CREDENTIALS_CONSUMER_KEY=xxx
 INVENIO_CELERY_BROKER_URL=amqp://guest:password@rabbitmq:5672
 INVENIO_CELERY_RESULT_BACKEND=redis://redis:6379/2
 INVENIO_COLLECT_STORAGE=flask_collect.storage.file
@@ -46,7 +46,7 @@ INVENIO_RATELIMIT_STORAGE_URL='redis://redis:6379/3'
 INVENIO_RATELIMIT_AUTHENTICATED_USER=100000/hour
 INVENIO_SEARCH_ELASTIC_HOSTS=elasticsearch
 INVENIO_SEARCH_INDEX_PREFIX=cernsearch-
-INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres/uservice
+INVENIO_SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://uservice:itsjust1234@postgres:5432/uservice
 INVENIO_THEME_FRONTPAGE_TITLE='CERN Search DEV'
 INVENIO_THEME_LOGO=/images/cernsearchicon.png
 INVENIO_THEME_LOGO_ADMIN=/images/cernsearchicon.png

--- a/.gitignore
+++ b/.gitignore
@@ -29,7 +29,7 @@ secrets/

 env/
 *.ini
-.env*.dev
+.env*.*

 # Debug and other logs


--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@
 # under the terms of the MIT License; see LICENSE file for more details.

 # Use CentOS7:
-FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:d7964b30051811d72629dd35a6175e28224589c8
+FROM gitlab-registry.cern.ch/webservices/cern-search/cern-search-rest-api/cern-search-rest-api-base:4cc14deb49f42c505062110461b96c12cda9b377
 ARG build_env

 # CERN Search installation
@@ -28,9 +28,6 @@ RUN pip install -e .
 RUN touch /${WORKING_DIR}/src/uwsgi.pid
 RUN chmod 666 /${WORKING_DIR}/src/uwsgi.pid

-# Patch auth
-RUN sh /${WORKING_DIR}/src/scripts/patch/oauth_patch.sh
-
 ENV LOGS_DIR=/var/log
 RUN mkdir -p ${LOGS_DIR}
 RUN chown -R invenio:root ${LOGS_DIR}

--- a/Pipfile
+++ b/Pipfile
@@ -27,10 +27,11 @@ invenio-db = {version = ">=1.0.5,<1.1.0",extras = ["postgresql", "versioning"]}
 invenio-files-processor = {extras = ["tika"],git = "https://github.com/carantunes/invenio-files-processor.git",ref = "1.0.2-alpha"}
 invenio-files-rest = ">=1.2.0,<1.3.0"
 invenio-indexer = ">=1.1.1,<1.2.0"
+invenio-i18n = "<1.3.0,>=1.2.0"
 invenio-jsonschemas = ">=1.1.0,<1.2.0"
 invenio-logging = {extras = ["sentry-sdk"],version = ">=1.3.0,<1.4.0"}
 invenio-oauth2server = ">=1.2.0,<1.3.0"
-invenio-oauthclient = ">=1.3.0,<1.4.0"
+invenio-oauthclient = "<1.4.0,>=1.3.5"
 invenio-records = {extras = ["postgresql"],version = ">=1.3.1,<1.4.0"}
 invenio-records-files = ">=1.2.1,<1.3.0"
 invenio-records-rest = ">=1.7.1,<1.8.0"
@@ -50,3 +51,6 @@ tika = "==1.24"

 [requires]
 python_version = "3.6"
+
+[pipenv]
+allow_prereleases = true
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/cern_search_rest_api/config.py
+++ b/cern_search_rest_api/config.py
@@ -24,7 +24,7 @@ from cern_search_rest_api.modules.cernsearch.permissions import (record_create_p
                                                                 record_update_permission_factory)
 from elasticsearch_dsl import A
 from flask import request
-from invenio_oauthclient.contrib import cern
+from invenio_oauthclient.contrib import cern_openid
 from invenio_records_rest import config as irr_config
 from invenio_records_rest.facets import terms_filter
 from kombu import Exchange, Queue
@@ -42,31 +42,27 @@ THEME_SEARCHBAR = False
 # OAuth Client
 # ============

-CERN_REMOTE_APP = copy.deepcopy(cern.REMOTE_APP)
+OAUTHCLIENT_CERN_OPENID_ALLOWED_ROLES = ["search-user", "search-admin"]
+
+CERN_REMOTE_APP = copy.deepcopy(cern_openid.REMOTE_APP)
 CERN_REMOTE_APP["params"].update(dict(request_token_params={
-    "resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
-    "scope": "Name Email Bio Groups",
+    "scope": "openid",
 }))

-CERN_REMOTE_APP["authorized_handler"] = \
-    'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
-
 OAUTHCLIENT_REMOTE_APPS = dict(
-    cern=CERN_REMOTE_APP,
+    cern_openid=CERN_REMOTE_APP,
 )

 # OAuth REST Client
 # ============

-OAUTH_REMOTE_APP = copy.deepcopy(cern.REMOTE_REST_APP)
-OAUTH_REMOTE_APP["params"].update(dict(request_token_params={
-    "resource": os.getenv('CERN_SEARCH_REMOTE_APP_RESOURCE', 'test-cern-search.cern.ch'),
-    "scope": "Name Email Bio Groups Group",
+OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
+OAUTH_REMOTE_REST_APP["params"].update(dict(request_token_params={
+    "scope": "openid",
 }))
-OAUTH_REMOTE_APP["authorized_handler"] = \
-    'cern_search_rest_api.modules.cernsearch.handlers:cern_authorized_signup_handler'
+
 OAUTHCLIENT_REST_REMOTE_APPS = dict(
-    cern=OAUTH_REMOTE_APP,
+    cern_openid=OAUTH_REMOTE_REST_APP,
 )

 # Accounts

--- a/cern_search_rest_api/modules/cernsearch/permissions.py
+++ b/cern_search_rest_api/modules/cernsearch/permissions.py
@@ -141,6 +141,12 @@ class FilePermission(RecordPermission):

 def _granted(provides, needs):
    """Check if user provided permissions and necessary permissions match."""
+
+    current_app.logger.debug('Provides {provides} and needs: {needs}'.format(
+        provides=provides,
+        needs=needs
+    ))
+
    return provides and not set(provides).isdisjoint(set(needs))



--- a/docker-compose.full.yml
+++ b/docker-compose.full.yml
@@ -50,7 +50,7 @@ services:
    command: [
      "/bin/bash",
      "-c",
-      "celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
+      "celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
    ]
    healthcheck:
      test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]

--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -53,7 +53,7 @@ services:
    command: [
      "/bin/bash",
      "-c",
-      "celery worker -A ${WORKER_APP} -l DEBUG --autoscale=10,1"
+      "celery -A ${WORKER_APP} worker -l DEBUG --autoscale=10,1"
    ]
    healthcheck:
      test: ["CMD", "celery inspect ping -A ${WORKER_APP} -d celery@$$(hostname)"]
@@ -76,7 +76,7 @@ services:
      test: ["CMD", "curl", "-f", "localhost:9200/_cluster/health?wait_for_status=yellow"]
      interval: 30s
      timeout: 10s
-      retries: 5
+      retries: 10

  kibana:
    image: docker.elastic.co/kibana/kibana-oss:7.1.1

--- a/scripts/create-test-user.sh
+++ b/scripts/create-test-user.sh
@@ -7,8 +7,8 @@
 # CERN Search is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.

-invenio users create test@example.com --password test1234 --active
-invenio roles create CernSearch-Administrators@cern.ch
-invenio roles add test@example.com CernSearch-Administrators@cern.ch
+invenio users create test@example.com --password password --active
+invenio roles create search-admin
+invenio roles add test@example.com search-admin
 invenio tokens create -n test -u test@example.com > .api_token
 echo TOKEN: $(<.api_token)
--- a/scripts/patch.sh
+++ b/scripts/patch.sh
+# Utility for debug purposes: Replace which package/module you want to replace
+readonly LOCATION=$(pip show invenio-records-rest | grep Location | awk '{print $2}')
+readonly SCRIPT_PATH=$(dirname $0)
+
+rm -f ${LOCATION}/invenio_records_rest/views.py
+cp ${SCRIPT_PATH}/views.py ${LOCATION}/invenio_records_rest/views.py
--- a/scripts/patch/cern.py
+++ b/scripts/patch/cern.py
--- a/scripts/patch/oauth_patch.sh
+++ b/scripts/patch/oauth_patch.sh
-#!/usr/bin/env bash
-# -*- coding: utf-8 -*-
-#
-# This file is part of CERN Search.
-# Copyright (C) 2018-2019 CERN.
-#
-# CERN Search is free software; you can redistribute it and/or modify it
-# under the terms of the MIT License; see LICENSE file for more details.
-
-readonly LOCATION=$(pip show invenio-oauthclient | grep Location | awk '{print $2}')
-readonly SCRIPT_PATH=$(dirname $0)
-
-rm -f ${LOCATION}/invenio_oauthclient/contrib/cern.py
-cp ${SCRIPT_PATH}/cern.py ${LOCATION}/invenio_oauthclient/contrib/cern.py
--- a/scripts/pipenv/bootstrap
+++ b/scripts/pipenv/bootstrap
@@ -18,9 +18,6 @@ pipenv install --dev --skip-lock
 # Install application code and entrypoints from 'setup.py'
 pip install -e $SCRIPT_PATH/../..

-# Patch auth
-sh $SCRIPT_PATH/../patch/oauth_patch.sh
-
 # Build assets
 invenio collect -v
 invenio webpack buildall

--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -33,7 +33,7 @@ def user(db, app):
    user = User(email='test@example.com', active=True)
    db.session.add(user)

-    role = Role(name='CernSearch-Administrators@cern.ch')
+    role = Role(name='search-admin')
    role.users.append(user)
    db.session.add(role)