14886030889

Committed 07 May 2025 02:32PM UTC coverage: 74.898% (-0.009%) from 74.907%

Build # 14886030889

Build Type

Pull #1238

github

Committed by

web-flow

Commit Message

Merge branch 'master' into chore/fix_improper_certificate_validation_pps_1936

Pull Request Pull Request #1238: Replace AutoAddPolicy with RejectPolicy and load known hosts to prevent man in the middle attacks

Run Details

8095 of 10808 relevant lines covered (74.9%)

0.75 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

87.43

fence/resources/ga4gh/passports.py

import flask
import os
import collections
import hashlib
import time
import datetime
import jwt

# the whole fence_create module is imported to avoid issue with circular imports
import fence.scripting.fence_create

from authutils.errors import JWTError
from authutils.token.core import get_iss, get_kid
from cdislogging import get_logger
from flask import current_app

from fence.jwt.validate import validate_jwt
from fence.config import config
from fence.models import (
    create_user,
    query_for_user,
    query_for_user_by_id,
    GA4GHVisaV1,
    GA4GHPassportCache,
    IdentityProvider,
    IssSubPairToUser,
)

logger = get_logger(__name__)

# cache will be in following format
#   passport_hash: ([user_id_0, user_id_1, ...], expires_at)
PASSPORT_CACHE = {}


def sync_gen3_users_authz_from_ga4gh_passports(
    passports, pkey_cache=None, db_session=None, skip_google_updates=False
):
    """
    Validate passports and embedded visas, using each valid visa's identity
    established by <iss, sub> combination to possibly create and definitely
    determine a Fence user who is added to the list returned by this
    function. In the process of determining Fence users from visas, visa
    authorization information is also persisted in Fence and synced to
    Arborist.

    Args:
        passports (list): a list of raw encoded passport strings, each
                          including header, payload, and signature
        skip_google_updates (bool): True if google group updates should be skipped. False if otherwise.

    Return:
        list: a list of users, each corresponding to a valid visa identity
              embedded within the passports passed in
    """
    db_session = db_session or current_app.scoped_session()

    # {"username": user, "username2": user2}
    users_from_all_passports = {}
    for passport in passports:
        try:
            cached_usernames = get_gen3_usernames_for_passport_from_cache(
                passport=passport, db_session=db_session
            )
            if cached_usernames:
                # there's a chance a given username exists in the cache but no longer in
                # the database. if not all are in db, ignore the cache and actually parse
                # and validate the passport
                all_users_exist_in_db = True
                usernames_to_update = {}
                for username in cached_usernames:
                    user = query_for_user(session=db_session, username=username)
                    if not user:
                        all_users_exist_in_db = False
                        continue
                    usernames_to_update[user.username] = user

                if all_users_exist_in_db:
                    users_from_all_passports.update(usernames_to_update)
                    # existence in the cache and a user in db means that this passport
                    # was validated previously (expiration was also checked)
                    continue

            # below function also validates passport (or raises exception)
            raw_visas = get_unvalidated_visas_from_valid_passport(
                passport, pkey_cache=pkey_cache
            )
        except Exception as exc:
            logger.warning(f"Invalid passport provided, ignoring. Error: {exc}")
            continue

        # an empty raw_visas list means that either the current passport is
        # invalid or that it has no visas. in both cases, the current passport
        # is ignored and we move on to the next passport
        if not raw_visas:
            continue

        identity_to_visas = collections.defaultdict(list)
        min_visa_expiration = int(time.time()) + datetime.timedelta(hours=1).seconds
        for raw_visa in raw_visas:
            try:
                validated_decoded_visa = validate_visa(raw_visa, pkey_cache=pkey_cache)
                identity_to_visas[
                    (
                        validated_decoded_visa.get("iss"),
                        validated_decoded_visa.get("sub"),
                    )
                ].append((raw_visa, validated_decoded_visa))
                min_visa_expiration = min(
                    min_visa_expiration, validated_decoded_visa.get("exp")
                )
            except Exception as exc:
                logger.warning(f"Invalid visa provided, ignoring. Error: {exc}")
                continue

        expired_authz_removal_job_freq_in_seconds = config[
            "EXPIRED_AUTHZ_REMOVAL_JOB_FREQ_IN_SECONDS"
        ]
        min_visa_expiration -= expired_authz_removal_job_freq_in_seconds
        if min_visa_expiration <= int(time.time()):
            logger.warning(
                "The passport's earliest valid visa expiration time is set to "
                f"occur within {expired_authz_removal_job_freq_in_seconds} "
                "seconds from now, which is too soon an expiration to handle."
            )
            continue

        users_from_current_passport = []
        for (issuer, subject_id), visas in identity_to_visas.items():
            gen3_user = get_or_create_gen3_user_from_iss_sub(
                issuer, subject_id, db_session=db_session
            )

            ga4gh_visas = [
                GA4GHVisaV1(
                    user=gen3_user,
                    source=validated_decoded_visa["ga4gh_visa_v1"]["source"],
                    type=validated_decoded_visa["ga4gh_visa_v1"]["type"],
                    asserted=int(validated_decoded_visa["ga4gh_visa_v1"]["asserted"]),
                    expires=int(validated_decoded_visa["exp"]),
                    ga4gh_visa=raw_visa,
                )
                for raw_visa, validated_decoded_visa in visas
            ]
            # NOTE: does not validate, assumes validation occurs above.
            #       This adds the visas to the database session but doesn't commit until
            #       the end of this function
            _sync_validated_visa_authorization(
                gen3_user=gen3_user,
                ga4gh_visas=ga4gh_visas,
                expiration=min_visa_expiration,
                db_session=db_session,
                skip_google_updates=skip_google_updates,
            )
            users_from_current_passport.append(gen3_user)

        for user in users_from_current_passport:
            users_from_all_passports[user.username] = user

        put_gen3_usernames_for_passport_into_cache(
            passport=passport,
            user_ids_from_passports=list(users_from_all_passports.keys()),
            expires_at=min_visa_expiration,
            db_session=db_session,
        )

    db_session.commit()

    logger.info(
        f"Got Gen3 usernames from passport(s): {list(users_from_all_passports.keys())}"
    )
    return users_from_all_passports


def get_unvalidated_visas_from_valid_passport(passport, pkey_cache=None):
    """
    Return encoded visas after extracting and validating encoded passport

    Args:
        passport (string): encoded ga4gh passport
        pkey_cache (dict): app cache of public keys_dir

    Return:
        list: list of encoded GA4GH visas
    """
    decoded_passport = {}
    passport_issuer, passport_kid = None, None

    if not pkey_cache:
        pkey_cache = {}

    try:
        passport_issuer = get_iss(passport)
        passport_kid = get_kid(passport)
    except Exception as e:
        logger.error(
            "Could not get issuer or kid from passport: {}. Discarding passport.".format(
                e
            )
        )
        # ignore malformed/invalid passports
        return []

    public_key = pkey_cache.get(passport_issuer, {}).get(passport_kid)

    try:
        decoded_passport = validate_jwt(
            encoded_token=passport,
            public_key=public_key,
            attempt_refresh=True,
            require_purpose=False,
            scope={"openid"},
            issuers=config.get("GA4GH_VISA_ISSUER_ALLOWLIST", []),
            options={
                "require_iat": True,
                "require_exp": True,
                "verify_aud": False,
            },
        )

        if "sub" not in decoded_passport:
            raise JWTError(f"Passport is missing the 'sub' claim")
    except Exception as e:
        logger.error("Passport failed validation: {}. Discarding passport.".format(e))
        # ignore malformed/invalid passports
        return []

    return decoded_passport.get("ga4gh_passport_v1", [])


def validate_visa(raw_visa, pkey_cache=None):
    """
    Validate a raw visa in accordance with:
        - GA4GH AAI spec (https://github.com/ga4gh/data-security/blob/master/AAI/AAIConnectProfile.md)
        - GA4GH DURI spec (https://github.com/ga4gh-duri/ga4gh-duri.github.io/blob/master/researcher_ids/ga4gh_passport_v1.md)

    Args:
        raw_visa (str): a raw, encoded visa including header, payload, and signature

    Return:
        dict: the decoded payload if validation was successful. an exception
              is raised if validation was unsuccessful
    """
    if jwt.get_unverified_header(raw_visa).get("jku"):
        raise Exception(
            "Visa Document Tokens are not currently supported by passing "
            '"jku" in the header. Only Visa Access Tokens are supported.'
        )

    logger.info("Attempting to validate visa")

    decoded_visa = validate_jwt(
        raw_visa,
        attempt_refresh=True,
        scope={"openid", "ga4gh_passport_v1"},
        require_purpose=False,
        issuers=config["GA4GH_VISA_ISSUER_ALLOWLIST"],
        options={"require_iat": True, "require_exp": True, "verify_aud": False},
        pkey_cache=pkey_cache,
    )
    logger.info(f'Visa jti: "{decoded_visa.get("jti", "")}"')
    logger.info(f'Visa txn: "{decoded_visa.get("txn", "")}"')

    for claim in ["sub", "ga4gh_visa_v1"]:
        if claim not in decoded_visa:
            raise Exception(f'Visa does not contain REQUIRED "{claim}" claim')

    if "aud" in decoded_visa:
        raise Exception('Visa MUST NOT contain "aud" claim')

    field_to_allowed_values = config["GA4GH_VISA_V1_CLAIM_REQUIRED_FIELDS"]
    for field, allowed_values in field_to_allowed_values.items():
        if field not in decoded_visa["ga4gh_visa_v1"]:
            raise Exception(
                f'"ga4gh_visa_v1" claim does not contain REQUIRED "{field}" field'
            )
        if decoded_visa["ga4gh_visa_v1"][field] not in allowed_values:
            raise Exception(
                f'{field}={decoded_visa["ga4gh_visa_v1"][field]} field in "ga4gh_visa_v1" is not equal to one of the allowed_values: {allowed_values}'
            )

    if "asserted" not in decoded_visa["ga4gh_visa_v1"]:
        raise Exception(
            '"ga4gh_visa_v1" claim does not contain REQUIRED "asserted" field'
        )
    asserted = decoded_visa["ga4gh_visa_v1"]["asserted"]
    if type(asserted) not in (int, float):
        raise Exception(
            '"ga4gh_visa_v1" claim object\'s "asserted" field\'s type is not '
            "JSON numeric"
        )
    if decoded_visa["iat"] < asserted:
        raise Exception(
            "The Passport Visa Assertion Source made the claim after the visa "
            'was minted (i.e. "ga4gh_visa_v1" claim object\'s "asserted" '
            'field is greater than the visa\'s "iat" claim)'
        )

    if "conditions" in decoded_visa["ga4gh_visa_v1"]:
        logger.warning(
            'Condition checking is not yet supported, but a visa was received that contained the "conditions" field'
        )
        if decoded_visa["ga4gh_visa_v1"]["conditions"]:
            raise Exception('"conditions" field in "ga4gh_visa_v1" is not empty')

    logger.info("Visa was successfully validated")
    return decoded_visa


def get_or_create_gen3_user_from_iss_sub(issuer, subject_id, db_session=None):
    """
    Get a user from the Fence database corresponding to the visa identity
    indicated by the <issuer, subject_id> combination. If a Fence user has
    not yet been created for the given <issuer, subject_id> combination,
    create and return such a user.

    Args:
        issuer (str): the issuer of a given visa
        subject_id (str): the subject of a given visa

    Return:
        userdatamodel.user.User: the Fence user corresponding to issuer and subject_id
    """
    db_session = db_session or current_app.scoped_session()
    logger.debug(
        f"get_or_create_gen3_user_from_iss_sub: issuer: {issuer} & subject_id: {subject_id}"
    )
    iss_sub_pair_to_user = db_session.query(IssSubPairToUser).get((issuer, subject_id))
    if not iss_sub_pair_to_user:
        username = subject_id + issuer[len("https://") :]
        gen3_user = query_for_user(session=db_session, username=username)
        idp_name = IssSubPairToUser.ISSUER_TO_IDP.get(issuer)
        logger.debug(f"issuer_to_idp: {IssSubPairToUser.ISSUER_TO_IDP}")
        if not gen3_user:
            gen3_user = create_user(db_session, logger, username, idp_name=idp_name)
            if not idp_name:
                logger.info(
                    f"The user (id:{gen3_user.id}) was created without a linked identity "
                    f"provider since it could not be determined based on "
                    f"the issuer {issuer}"
                )

        # ensure user has an associated identity provider
        if not gen3_user.identity_provider:
            idp = (
                db_session.query(IdentityProvider)
                .filter(IdentityProvider.name == idp_name)
                .first()
            )
            if not idp:
                idp = IdentityProvider(name=idp_name)
            gen3_user.identity_provider = idp

        logger.info(
            f'Mapping subject id ("{subject_id}") and issuer '
            f'("{issuer}") combination to Fence user '
            f'"{gen3_user.username}" with IdP = "{idp_name}"'
        )
        iss_sub_pair_to_user = IssSubPairToUser(iss=issuer, sub=subject_id)
        iss_sub_pair_to_user.user = gen3_user

        db_session.add(iss_sub_pair_to_user)
        db_session.commit()

    return iss_sub_pair_to_user.user


def _sync_validated_visa_authorization(
    gen3_user, ga4gh_visas, expiration, db_session=None, skip_google_updates=False
):
    """
    Wrapper around UserSyncer.sync_single_user_visas method, which parses
    authorization information from the provided visas, persists it in Fence,
    and syncs it to Arborist.

    IMPORTANT NOTE: THIS DOES NOT VALIDATE THE VISAS. ENSURE THIS IS DONE
                    BEFORE THIS.

    Args:
        gen3_user (userdatamodel.user.User): the Fence user whose visas'
                                             authz info is being synced
        ga4gh_visas (list): a list of fence.models.GA4GHVisaV1 objects
                            that are parsed
        expiration (int): time at which synced Arborist policies and
                          inclusion in any GBAG are set to expire
        skip_google_updates (bool): True if google group updates should be skipped. False if otherwise.
    Return:
        None
    """
    db_session = db_session or current_app.scoped_session()
    default_args = fence.scripting.fence_create.get_default_init_syncer_inputs(
        authz_provider="GA4GH"
    )
    syncer = fence.scripting.fence_create.init_syncer(**default_args)

    synced_visas = syncer.sync_single_user_visas(
        gen3_user,
        ga4gh_visas,
        db_session,
        expires=expiration,
        skip_google_updates=skip_google_updates,
    )

    # after syncing authorization, persist the visas that were parsed successfully.
    for visa in ga4gh_visas:
        if visa not in synced_visas:
            logger.debug(f"deleting visa with id={visa.id} from db session")
            db_session.delete(visa)
        else:
            logger.debug(f"adding visa with id={visa.id} to db session")
            db_session.add(visa)


def get_gen3_usernames_for_passport_from_cache(passport, db_session=None):
    """
    Attempt to retrieve a cached list of users ids for a previously validated and
    non-expired passport.

    Args:
        passport (str): ga4gh encoded passport JWT
        db_session (None, sqlalchemy session): optional database session to use

    Returns:
        list[str]: list of usernames for users referred to by the previously validated
                   and non-expired passport
    """
    db_session = db_session or current_app.scoped_session()
    user_ids_from_passports = None
    current_time = int(time.time())

    passport_hash = hashlib.sha256(passport.encode("utf-8")).hexdigest()

    # try to retrieve from local in-memory cache
    if passport_hash in PASSPORT_CACHE:
        user_ids_from_passports, expires = PASSPORT_CACHE[passport_hash]
        if expires > current_time:
            logger.debug(
                f"Got users {user_ids_from_passports} for provided passport from in-memory cache. "
                f"Expires: {expires}, Current Time: {current_time}"
            )
            return user_ids_from_passports
        else:
            # expired, so remove it
            del PASSPORT_CACHE[passport_hash]

    # try to retrieve from database cache
    cached_passport = (
        db_session.query(GA4GHPassportCache)
        .filter(GA4GHPassportCache.passport_hash == passport_hash)
        .first()
    )
    if cached_passport:
        if cached_passport.expires_at > current_time:
            user_ids_from_passports = cached_passport.user_ids

            # update local cache
            PASSPORT_CACHE[passport_hash] = (
                user_ids_from_passports,
                cached_passport.expires_at,
            )

            logger.debug(
                f"Got users {user_ids_from_passports} for provided passport from "
                f"database cache and placed in in-memory cache. "
                f"Expires: {cached_passport.expires_at}, Current Time: {current_time}"
            )
            return user_ids_from_passports
        else:
            # expired, so delete it
            db_session.delete(cached_passport)
            db_session.commit()

    return user_ids_from_passports


def put_gen3_usernames_for_passport_into_cache(
    passport, user_ids_from_passports, expires_at, db_session=None
):
    """
    Cache a validated and non-expired passport and map to the user_ids referenced
    by the content.

    Args:
        passport (str): ga4gh encoded passport JWT
        db_session (None, sqlalchemy session): optional database session to use
        user_ids_from_passports (list[str]): list of user identifiers referred to by
            the previously validated and non-expired passport
        expires_at (int): expiration time in unix time
    """
    db_session = db_session or current_app.scoped_session()

    passport_hash = hashlib.sha256(passport.encode("utf-8")).hexdigest()

    # stores back to cache and db
    PASSPORT_CACHE[passport_hash] = user_ids_from_passports, expires_at

    db_session.execute(
        """\
        INSERT INTO ga4gh_passport_cache (
            passport_hash,
            expires_at,
            user_ids
        ) VALUES (
            :passport_hash,
            :expires_at,
            :user_ids
        ) ON CONFLICT (passport_hash) DO UPDATE SET
            expires_at = EXCLUDED.expires_at,
            user_ids = EXCLUDED.user_ids;""",
        dict(
            passport_hash=passport_hash,
            expires_at=expires_at,
            user_ids=user_ids_from_passports,
        ),
    )

    logger.debug(
        f"Cached {user_ids_from_passports} passport in "
        f"database. "
        f"Expires: {expires_at}"
    )


# TODO to be called after login
def map_gen3_iss_sub_pair_to_user(gen3_issuer, gen3_subject_id, gen3_user):
    pass

1	import flask	1✔
2	import os	1✔
3	import collections	1✔
4	import hashlib	1✔
5	import time	1✔
6	import datetime	1✔
7	import jwt	1✔
8
9	# the whole fence_create module is imported to avoid issue with circular imports
10	import fence.scripting.fence_create	1✔
11
12	from authutils.errors import JWTError	1✔
13	from authutils.token.core import get_iss, get_kid	1✔
14	from cdislogging import get_logger	1✔
15	from flask import current_app	1✔
16
17	from fence.jwt.validate import validate_jwt	1✔
18	from fence.config import config	1✔
19	from fence.models import (	1✔
20	create_user,
21	query_for_user,
22	query_for_user_by_id,
23	GA4GHVisaV1,
24	GA4GHPassportCache,
25	IdentityProvider,
26	IssSubPairToUser,
27	)
28
29	logger = get_logger(__name__)	1✔
30
31	# cache will be in following format
32	# passport_hash: ([user_id_0, user_id_1, ...], expires_at)
33	PASSPORT_CACHE = {}	1✔
34
35
36	def sync_gen3_users_authz_from_ga4gh_passports(	1✔
37	passports, pkey_cache=None, db_session=None, skip_google_updates=False
38	):
39	"""
40	Validate passports and embedded visas, using each valid visa's identity
41	established by <iss, sub> combination to possibly create and definitely
42	determine a Fence user who is added to the list returned by this
43	function. In the process of determining Fence users from visas, visa
44	authorization information is also persisted in Fence and synced to
45	Arborist.
46
47	Args:
48	passports (list): a list of raw encoded passport strings, each
49	including header, payload, and signature
50	skip_google_updates (bool): True if google group updates should be skipped. False if otherwise.
51
52	Return:
53	list: a list of users, each corresponding to a valid visa identity
54	embedded within the passports passed in
55	"""
56	db_session = db_session or current_app.scoped_session()	1✔
57
58	# {"username": user, "username2": user2}
59	users_from_all_passports = {}	1✔
60	for passport in passports:	1✔
61	try:	1✔
62	cached_usernames = get_gen3_usernames_for_passport_from_cache(	1✔
63	passport=passport, db_session=db_session
64	)
65	if cached_usernames:	1✔
66	# there's a chance a given username exists in the cache but no longer in
67	# the database. if not all are in db, ignore the cache and actually parse
68	# and validate the passport
69	all_users_exist_in_db = True	1✔
70	usernames_to_update = {}	1✔
71	for username in cached_usernames:	1✔
72	user = query_for_user(session=db_session, username=username)	1✔
73	if not user:	1✔
74	all_users_exist_in_db = False	1✔
75	continue	1✔
76	usernames_to_update[user.username] = user	1✔
77
78	if all_users_exist_in_db:	1✔
79	users_from_all_passports.update(usernames_to_update)	1✔
80	# existence in the cache and a user in db means that this passport
81	# was validated previously (expiration was also checked)
82	continue	1✔
83
84	# below function also validates passport (or raises exception)
85	raw_visas = get_unvalidated_visas_from_valid_passport(	1✔
86	passport, pkey_cache=pkey_cache
87	)
88	except Exception as exc:	×
89	logger.warning(f"Invalid passport provided, ignoring. Error: {exc}")	×
90	continue	×
91
92	# an empty raw_visas list means that either the current passport is
93	# invalid or that it has no visas. in both cases, the current passport
94	# is ignored and we move on to the next passport
95	if not raw_visas:	1✔
96	continue	1✔
97
98	identity_to_visas = collections.defaultdict(list)	1✔
99	min_visa_expiration = int(time.time()) + datetime.timedelta(hours=1).seconds	1✔
100	for raw_visa in raw_visas:	1✔
101	try:	1✔
102	validated_decoded_visa = validate_visa(raw_visa, pkey_cache=pkey_cache)	1✔
103	identity_to_visas[	1✔
104	(
105	validated_decoded_visa.get("iss"),
106	validated_decoded_visa.get("sub"),
107	)
108	].append((raw_visa, validated_decoded_visa))
109	min_visa_expiration = min(	1✔
110	min_visa_expiration, validated_decoded_visa.get("exp")
111	)
112	except Exception as exc:	1✔
113	logger.warning(f"Invalid visa provided, ignoring. Error: {exc}")	1✔
114	continue	1✔
115
116	expired_authz_removal_job_freq_in_seconds = config[	1✔
117	"EXPIRED_AUTHZ_REMOVAL_JOB_FREQ_IN_SECONDS"
118	]
119	min_visa_expiration -= expired_authz_removal_job_freq_in_seconds	1✔
120	if min_visa_expiration <= int(time.time()):	1✔
121	logger.warning(	1✔
122	"The passport's earliest valid visa expiration time is set to "
123	f"occur within {expired_authz_removal_job_freq_in_seconds} "
124	"seconds from now, which is too soon an expiration to handle."
125	)
126	continue	1✔
127
128	users_from_current_passport = []	1✔
129	for (issuer, subject_id), visas in identity_to_visas.items():	1✔
130	gen3_user = get_or_create_gen3_user_from_iss_sub(	1✔
131	issuer, subject_id, db_session=db_session
132	)
133
134	ga4gh_visas = [	1✔
135	GA4GHVisaV1(
136	user=gen3_user,
137	source=validated_decoded_visa["ga4gh_visa_v1"]["source"],
138	type=validated_decoded_visa["ga4gh_visa_v1"]["type"],
139	asserted=int(validated_decoded_visa["ga4gh_visa_v1"]["asserted"]),
140	expires=int(validated_decoded_visa["exp"]),
141	ga4gh_visa=raw_visa,
142	)
143	for raw_visa, validated_decoded_visa in visas
144	]
145	# NOTE: does not validate, assumes validation occurs above.
146	# This adds the visas to the database session but doesn't commit until
147	# the end of this function
148	_sync_validated_visa_authorization(	1✔
149	gen3_user=gen3_user,
150	ga4gh_visas=ga4gh_visas,
151	expiration=min_visa_expiration,
152	db_session=db_session,
153	skip_google_updates=skip_google_updates,
154	)
155	users_from_current_passport.append(gen3_user)	1✔
156
157	for user in users_from_current_passport:	1✔
158	users_from_all_passports[user.username] = user	1✔
159
160	put_gen3_usernames_for_passport_into_cache(	1✔
161	passport=passport,
162	user_ids_from_passports=list(users_from_all_passports.keys()),
163	expires_at=min_visa_expiration,
164	db_session=db_session,
165	)
166
167	db_session.commit()	1✔
168
169	logger.info(	1✔
170	f"Got Gen3 usernames from passport(s): {list(users_from_all_passports.keys())}"
171	)
172	return users_from_all_passports	1✔
173
174
175	def get_unvalidated_visas_from_valid_passport(passport, pkey_cache=None):	1✔
176	"""
177	Return encoded visas after extracting and validating encoded passport
178
179	Args:
180	passport (string): encoded ga4gh passport
181	pkey_cache (dict): app cache of public keys_dir
182
183	Return:
184	list: list of encoded GA4GH visas
185	"""
186	decoded_passport = {}	1✔
187	passport_issuer, passport_kid = None, None	1✔
188
189	if not pkey_cache:	1✔
190	pkey_cache = {}	1✔
191
192	try:	1✔
193	passport_issuer = get_iss(passport)	1✔
194	passport_kid = get_kid(passport)	1✔
195	except Exception as e:	1✔
196	logger.error(	1✔
197	"Could not get issuer or kid from passport: {}. Discarding passport.".format(
198	e
199	)
200	)
201	# ignore malformed/invalid passports
202	return []	1✔
203
204	public_key = pkey_cache.get(passport_issuer, {}).get(passport_kid)	1✔
205
206	try:	1✔
207	decoded_passport = validate_jwt(	1✔
208	encoded_token=passport,
209	public_key=public_key,
210	attempt_refresh=True,
211	require_purpose=False,
212	scope={"openid"},
213	issuers=config.get("GA4GH_VISA_ISSUER_ALLOWLIST", []),
214	options={
215	"require_iat": True,
216	"require_exp": True,
217	"verify_aud": False,
218	},
219	)
220
221	if "sub" not in decoded_passport:	1✔
222	raise JWTError(f"Passport is missing the 'sub' claim")	×
223	except Exception as e:	×
224	logger.error("Passport failed validation: {}. Discarding passport.".format(e))	×
225	# ignore malformed/invalid passports
226	return []	×
227
228	return decoded_passport.get("ga4gh_passport_v1", [])	1✔
229
230
231	def validate_visa(raw_visa, pkey_cache=None):	1✔
232	"""
233	Validate a raw visa in accordance with:
234	- GA4GH AAI spec (https://github.com/ga4gh/data-security/blob/master/AAI/AAIConnectProfile.md)
235	- GA4GH DURI spec (https://github.com/ga4gh-duri/ga4gh-duri.github.io/blob/master/researcher_ids/ga4gh_passport_v1.md)
236
237	Args:
238	raw_visa (str): a raw, encoded visa including header, payload, and signature
239
240	Return:
241	dict: the decoded payload if validation was successful. an exception
242	is raised if validation was unsuccessful
243	"""
244	if jwt.get_unverified_header(raw_visa).get("jku"):	1✔
245	raise Exception(	×
246	"Visa Document Tokens are not currently supported by passing "
247	'"jku" in the header. Only Visa Access Tokens are supported.'
248	)
249
250	logger.info("Attempting to validate visa")	1✔
251
252	decoded_visa = validate_jwt(	1✔
253	raw_visa,
254	attempt_refresh=True,
255	scope={"openid", "ga4gh_passport_v1"},
256	require_purpose=False,
257	issuers=config["GA4GH_VISA_ISSUER_ALLOWLIST"],
258	options={"require_iat": True, "require_exp": True, "verify_aud": False},
259	pkey_cache=pkey_cache,
260	)
261	logger.info(f'Visa jti: "{decoded_visa.get("jti", "")}"')	1✔
262	logger.info(f'Visa txn: "{decoded_visa.get("txn", "")}"')	1✔
263
264	for claim in ["sub", "ga4gh_visa_v1"]:	1✔
265	if claim not in decoded_visa:	1✔
266	raise Exception(f'Visa does not contain REQUIRED "{claim}" claim')	×
267
268	if "aud" in decoded_visa:	1✔
269	raise Exception('Visa MUST NOT contain "aud" claim')	×
270
271	field_to_allowed_values = config["GA4GH_VISA_V1_CLAIM_REQUIRED_FIELDS"]	1✔
272	for field, allowed_values in field_to_allowed_values.items():	1✔
273	if field not in decoded_visa["ga4gh_visa_v1"]:	1✔
274	raise Exception(	×
275	f'"ga4gh_visa_v1" claim does not contain REQUIRED "{field}" field'
276	)
277	if decoded_visa["ga4gh_visa_v1"][field] not in allowed_values:	1✔
278	raise Exception(	×
279	f'{field}={decoded_visa["ga4gh_visa_v1"][field]} field in "ga4gh_visa_v1" is not equal to one of the allowed_values: {allowed_values}'
280	)
281
282	if "asserted" not in decoded_visa["ga4gh_visa_v1"]:	1✔
283	raise Exception(	×
284	'"ga4gh_visa_v1" claim does not contain REQUIRED "asserted" field'
285	)
286	asserted = decoded_visa["ga4gh_visa_v1"]["asserted"]	1✔
287	if type(asserted) not in (int, float):	1✔
288	raise Exception(	×
289	'"ga4gh_visa_v1" claim object\'s "asserted" field\'s type is not '
290	"JSON numeric"
291	)
292	if decoded_visa["iat"] < asserted:	1✔
293	raise Exception(	×
294	"The Passport Visa Assertion Source made the claim after the visa "
295	'was minted (i.e. "ga4gh_visa_v1" claim object\'s "asserted" '
296	'field is greater than the visa\'s "iat" claim)'
297	)
298
299	if "conditions" in decoded_visa["ga4gh_visa_v1"]:	1✔
300	logger.warning(	×
301	'Condition checking is not yet supported, but a visa was received that contained the "conditions" field'
302	)
303	if decoded_visa["ga4gh_visa_v1"]["conditions"]:	×
304	raise Exception('"conditions" field in "ga4gh_visa_v1" is not empty')	×
305
306	logger.info("Visa was successfully validated")	1✔
307	return decoded_visa	1✔
308
309
310	def get_or_create_gen3_user_from_iss_sub(issuer, subject_id, db_session=None):	1✔
311	"""
312	Get a user from the Fence database corresponding to the visa identity
313	indicated by the <issuer, subject_id> combination. If a Fence user has
314	not yet been created for the given <issuer, subject_id> combination,
315	create and return such a user.
316
317	Args:
318	issuer (str): the issuer of a given visa
319	subject_id (str): the subject of a given visa
320
321	Return:
322	userdatamodel.user.User: the Fence user corresponding to issuer and subject_id
323	"""
324	db_session = db_session or current_app.scoped_session()	1✔
325	logger.debug(	1✔
326	f"get_or_create_gen3_user_from_iss_sub: issuer: {issuer} & subject_id: {subject_id}"
327	)
328	iss_sub_pair_to_user = db_session.query(IssSubPairToUser).get((issuer, subject_id))	1✔
329	if not iss_sub_pair_to_user:	1✔
330	username = subject_id + issuer[len("https://") :]	1✔
331	gen3_user = query_for_user(session=db_session, username=username)	1✔
332	idp_name = IssSubPairToUser.ISSUER_TO_IDP.get(issuer)	1✔
333	logger.debug(f"issuer_to_idp: {IssSubPairToUser.ISSUER_TO_IDP}")	1✔
334	if not gen3_user:	1✔
335	gen3_user = create_user(db_session, logger, username, idp_name=idp_name)	1✔
336	if not idp_name:	1✔
337	logger.info(	1✔
338	f"The user (id:{gen3_user.id}) was created without a linked identity "
339	f"provider since it could not be determined based on "
340	f"the issuer {issuer}"
341	)
342
343	# ensure user has an associated identity provider
344	if not gen3_user.identity_provider:	1✔
345	idp = (	1✔
346	db_session.query(IdentityProvider)
347	.filter(IdentityProvider.name == idp_name)
348	.first()
349	)
350	if not idp:	1✔
351	idp = IdentityProvider(name=idp_name)	1✔
352	gen3_user.identity_provider = idp	1✔
353
354	logger.info(	1✔
355	f'Mapping subject id ("{subject_id}") and issuer '
356	f'("{issuer}") combination to Fence user '
357	f'"{gen3_user.username}" with IdP = "{idp_name}"'
358	)
359	iss_sub_pair_to_user = IssSubPairToUser(iss=issuer, sub=subject_id)	1✔
360	iss_sub_pair_to_user.user = gen3_user	1✔
361
362	db_session.add(iss_sub_pair_to_user)	1✔
363	db_session.commit()	1✔
364
365	return iss_sub_pair_to_user.user	1✔
366
367
368	def _sync_validated_visa_authorization(	1✔
369	gen3_user, ga4gh_visas, expiration, db_session=None, skip_google_updates=False
370	):
371	"""
372	Wrapper around UserSyncer.sync_single_user_visas method, which parses
373	authorization information from the provided visas, persists it in Fence,
374	and syncs it to Arborist.
375
376	IMPORTANT NOTE: THIS DOES NOT VALIDATE THE VISAS. ENSURE THIS IS DONE
377	BEFORE THIS.
378
379	Args:
380	gen3_user (userdatamodel.user.User): the Fence user whose visas'
381	authz info is being synced
382	ga4gh_visas (list): a list of fence.models.GA4GHVisaV1 objects
383	that are parsed
384	expiration (int): time at which synced Arborist policies and
385	inclusion in any GBAG are set to expire
386	skip_google_updates (bool): True if google group updates should be skipped. False if otherwise.
387	Return:
388	None
389	"""
390	db_session = db_session or current_app.scoped_session()	1✔
391	default_args = fence.scripting.fence_create.get_default_init_syncer_inputs(	1✔
392	authz_provider="GA4GH"
393	)
394	syncer = fence.scripting.fence_create.init_syncer(**default_args)	1✔
395
396	synced_visas = syncer.sync_single_user_visas(	1✔
397	gen3_user,
398	ga4gh_visas,
399	db_session,
400	expires=expiration,
401	skip_google_updates=skip_google_updates,
402	)
403
404	# after syncing authorization, persist the visas that were parsed successfully.
405	for visa in ga4gh_visas:	1✔
406	if visa not in synced_visas:	1✔
407	logger.debug(f"deleting visa with id={visa.id} from db session")	×
408	db_session.delete(visa)	×
409	else:
410	logger.debug(f"adding visa with id={visa.id} to db session")	1✔
411	db_session.add(visa)	1✔
412
413
414	def get_gen3_usernames_for_passport_from_cache(passport, db_session=None):	1✔
415	"""
416	Attempt to retrieve a cached list of users ids for a previously validated and
417	non-expired passport.
418
419	Args:
420	passport (str): ga4gh encoded passport JWT
421	db_session (None, sqlalchemy session): optional database session to use
422
423	Returns:
424	list[str]: list of usernames for users referred to by the previously validated
425	and non-expired passport
426	"""
427	db_session = db_session or current_app.scoped_session()	1✔
428	user_ids_from_passports = None	1✔
429	current_time = int(time.time())	1✔
430
431	passport_hash = hashlib.sha256(passport.encode("utf-8")).hexdigest()	1✔
432
433	# try to retrieve from local in-memory cache
434	if passport_hash in PASSPORT_CACHE:	1✔
435	user_ids_from_passports, expires = PASSPORT_CACHE[passport_hash]	1✔
436	if expires > current_time:	1✔
437	logger.debug(	1✔
438	f"Got users {user_ids_from_passports} for provided passport from in-memory cache. "
439	f"Expires: {expires}, Current Time: {current_time}"
440	)
441	return user_ids_from_passports	1✔
442	else:
443	# expired, so remove it
444	del PASSPORT_CACHE[passport_hash]	1✔
445
446	# try to retrieve from database cache
447	cached_passport = (	1✔
448	db_session.query(GA4GHPassportCache)
449	.filter(GA4GHPassportCache.passport_hash == passport_hash)
450	.first()
451	)
452	if cached_passport:	1✔
453	if cached_passport.expires_at > current_time:	1✔
454	user_ids_from_passports = cached_passport.user_ids	1✔
455
456	# update local cache
457	PASSPORT_CACHE[passport_hash] = (	1✔
458	user_ids_from_passports,
459	cached_passport.expires_at,
460	)
461
462	logger.debug(	1✔
463	f"Got users {user_ids_from_passports} for provided passport from "
464	f"database cache and placed in in-memory cache. "
465	f"Expires: {cached_passport.expires_at}, Current Time: {current_time}"
466	)
467	return user_ids_from_passports	1✔
468	else:
469	# expired, so delete it
470	db_session.delete(cached_passport)	×
471	db_session.commit()	×
472
473	return user_ids_from_passports	1✔
474
475
476	def put_gen3_usernames_for_passport_into_cache(	1✔
477	passport, user_ids_from_passports, expires_at, db_session=None
478	):
479	"""
480	Cache a validated and non-expired passport and map to the user_ids referenced
481	by the content.
482
483	Args:
484	passport (str): ga4gh encoded passport JWT
485	db_session (None, sqlalchemy session): optional database session to use
486	user_ids_from_passports (list[str]): list of user identifiers referred to by
487	the previously validated and non-expired passport
488	expires_at (int): expiration time in unix time
489	"""
490	db_session = db_session or current_app.scoped_session()	1✔
491
492	passport_hash = hashlib.sha256(passport.encode("utf-8")).hexdigest()	1✔
493
494	# stores back to cache and db
495	PASSPORT_CACHE[passport_hash] = user_ids_from_passports, expires_at	1✔
496
497	db_session.execute(	1✔
498	"""\
499	INSERT INTO ga4gh_passport_cache (
500	passport_hash,
501	expires_at,
502	user_ids
503	) VALUES (
504	:passport_hash,
505	:expires_at,
506	:user_ids
507	) ON CONFLICT (passport_hash) DO UPDATE SET
508	expires_at = EXCLUDED.expires_at,
509	user_ids = EXCLUDED.user_ids;""",
510	dict(
511	passport_hash=passport_hash,
512	expires_at=expires_at,
513	user_ids=user_ids_from_passports,
514	),
515	)
516
517	logger.debug(	1✔
518	f"Cached {user_ids_from_passports} passport in "
519	f"database. "
520	f"Expires: {expires_at}"
521	)
522
523
524	# TODO to be called after login
525	def map_gen3_iss_sub_pair_to_user(gen3_issuer, gen3_subject_id, gen3_user):	1✔
526	pass	×

uc-cdis / fence / 14886030889

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous