kbase / auth2 Goto Github PK

View Code? Open in Web Editor NEW

1.0 1.0 9.0 3.79 MB

KBase authentication server MKII

License: MIT License

Java 99.06% Shell 0.01% Dockerfile 0.08% Mustache 0.86%

auth2's Introduction

KBase Developer Documentation

KBase SDK Documentation

Core Service Docs

Workspace: release, develop
- Release KIDL spec, Develop KIDL spec
Narrative UI
KBase UI (non-narrative UI): release, develop
Relation Engine: API, Specifications
Search Engine: API, Indexer, Config
Auth server
File Caching Service
ID mapping API
Assembly homology API
Service Wizard: KIDL spec
Catalog: KIDL spec

Relation Engine and Search codebases

The Relation Engine (using ArangoDB) can be found here: https://github.com/kbase/relation_engine
The Search API (using Elasticsearch) is found here: github.com/kbase/search_api2/
The Index Runner (which listens to Kafka events and imports data into Elasticsearch and ArangoDB) can be found here: https://github.com/kbase/index_runner

User help

auth2's People

Contributors

Stargazers

Watchers

Forkers

mrcreosote kkellerlbl msneddon threeswords arfathpasha sychan briehl viching aldler

auth2's Issues

Implement OAuth2 PKCE

Additional security for the OAuth2 code flow

https://oauth.net/2/pkce/

Document how to set up alternate environments more clearly

Currently have to figure it out by looking at deploy.cfg comments and the config section of the UI. Also need to be familiar with configuring OAuth2 identity providers. Add a section in the readme that lays it all out.

If one user in a set of users for validation is an illegal user name, the entire call fails

Instead allow skipping invalid user names in the same way non-existent user names are skipped.

auth2/src/us/kbase/auth2/service/api/Users.java

Lines 64 to 73 in a9939a9

    
           for (final String u: usersplt) { 
        
           	try { 
        
           		uns.add(new UserName(u.trim())); 
        
           	} catch (MissingParameterException | IllegalParameterException e) { 
        
           		//TODO CODE this exception could use some clean up 
        
           		throw new IllegalParameterException(ErrorType.ILLEGAL_USER_NAME, String.format( 
        
           				"Illegal user name [%s]: %s", u, e.getMessage())); 
        
           	} 
        
           } 
        
           return uns;

Investigate suggestname speed

The suggestname endpoint is taking about 300ms to return in prod, which is too long to use in a typeahead CLI. There's not much going on here, so it's odd that it's that slow. Investigate slowness and improve if possible

Fix test failure due to timing issues

     [junit] Testcase: globusToken took 0.389 sec
    [junit] 	FAILED
    [junit] incorrect token
    [junit] Expected: is <{access_token=ETRK25S3P6YBD66DYAX6IWR5QMX564E6, refresh_token=, token_id=2f967910-61b1-4d0a-974c-3cb408f73315, user_name=foo, lifetime=3600, issued_on=1664576823, expiry=1664580423, scopes=[], token_type=Bearer, expires_in=3600, client_id=foo}>
    [junit]      but: was <{access_token=ETRK25S3P6YBD66DYAX6IWR5QMX564E6, refresh_token=, token_id=2f967910-61b1-4d0a-974c-3cb408f73315, user_name=foo, lifetime=3600, issued_on=1664576823, expiry=1664580423, scopes=[], token_type=Bearer, expires_in=3599, client_id=foo}>
    [junit] junit.framework.AssertionFailedError: incorrect token
    [junit] Expected: is <{access_token=ETRK25S3P6YBD66DYAX6IWR5QMX564E6, refresh_token=, token_id=2f967910-61b1-4d0a-974c-3cb408f73315, user_name=foo, lifetime=3600, issued_on=1664576823, expiry=1664580423, scopes=[], token_type=Bearer, expires_in=3600, client_id=foo}>
    [junit]      but: was <{access_token=ETRK25S3P6YBD66DYAX6IWR5QMX564E6, refresh_token=, token_id=2f967910-61b1-4d0a-974c-3cb408f73315, user_name=foo, lifetime=3600, issued_on=1664576823, expiry=1664580423, scopes=[], token_type=Bearer, expires_in=3599, client_id=foo}>
    [junit] 	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
    [junit] 	at us.kbase.test.auth2.service.api.TestModeIntegrationTest.globusToken(TestModeIntegrationTest.java:456)
    [junit] 
    [junit] Testcase: me took 0.393 sec
    [junit] Testcase: clear took 0.416 sec
    [junit] Testcase: setRoles took 0.382 sec
    [junit] Testcase: createAndGetTestUser took 0.396 sec
    [junit] Test us.kbase.test.auth2.service.api.TestModeIntegrationTest FAILED

Fix searching for users with more than one input token

If more than one token is used to search for a user, for example Zaphod B, search returns no results.

Even a trailing space causes search to fail in the crappy HTML admin UI.

Switch from ant to gradle

Unify the deploy.cfg.example file and the deployment template, switch to jinja or some other templating engine

Will need some changes when we switch from dockerize to an environment driven config like Collections anyway. Use Collections as a model and just have one deployment file with defaults and documentation in one place, preferably in the root of the repo

In CI, prefix search for `test_narrative` doesn't find the `test_narrative` user

test narrative does work.

Add option to disable user agent parsing in test mode

Loading the parser rules takes several seconds, which slows down tests, and 99% of the time tests don't care about the user agent information

Move OAuth2 state info into DB

Precursor issue explains the task: #354

Remove env1 section from deployment template

Can just use the additional_config section and reduce complexity, rather than having one special case.

E.g. remove these lines:

https://github.com/kbase/auth2/blob/master/deployment/conf/.templates/deployment.cfg.templ#L23-L24
https://github.com/kbase/auth2/blob/master/deployment/conf/.templates/deployment.cfg.templ#L33-L34
https://github.com/kbase/auth2/blob/master/deployment/conf/.templates/deployment.cfg.templ#L43-L44

Need to coordinate with devops before this happens as they'll need to change their config in lockstep.

Make the manage auth script easier to access

Build it in the docker file. Currently only the war is built. This might mean the source / class files need to be copied across as well or the script needs to be modified to use the war or jar file.
Explicitly mention the ant script target in the admin section when talking about the manage script.

log to stdout/err vs syslog

https://github.com/kbase/workspace_deluxe mostly did this, take a look there for the PR to copy

User names with underscores don't show up in search if the search term contains an underscore

other than trailing underscores

Switch Gradle to Kotlin DSL and use task configuration avoidance

Kotlin is now the default

https://docs.gradle.org/current/userguide/task_configuration_avoidance.html

Fully document all the UI endpoints

Currently only the endpoints for the start of a user flow are documented in the readme, and furthermore their signatures are not documented. Further endpoints and their signatures are discoverable by traversing the user flow from the starting endpoint, but should also be fully documented.

Switch tests from Travis to Github Actions

Might need to update how image is built and pushed as well if that's happening in travis

Redo the docker file

kb_jre is super old, try to use off the shelf images vs. KBase custom images.

Might need to do this at the same time as gradleization to get java 11 in at the same time - some of the jars didn't agree with 11 IIRC. It'll be much easier to update the dependencies if gradleized.

Update index creation before upgrading to Mongo 4.2

Mongo 4.2 change how indexes are built and it appears as though the default behavior is background creation. It's not clear if the client blocks while the index is created. If not, the service could start while the necessary indexes aren't in place which could cause corrupt data and index build fails.

Equivalent of kbase/workspace_deluxe#472

	for (final String u: usersplt) {
	try {
	uns.add(new UserName(u.trim()));
	} catch (MissingParameterException \| IllegalParameterException e) {
	//TODO CODE this exception could use some clean up
	throw new IllegalParameterException(ErrorType.ILLEGAL_USER_NAME, String.format(
	"Illegal user name [%s]: %s", u, e.getMessage()));
	}
	}
	return uns;