Initial implementation using Perun dumps and capabilities #2
Conversation
| ======= | ||
|
|
||
| CESNET OIDC Auth backend for OARepo | ||
|
|
There was a problem hiding this comment.
Forgot to add yourself to authors :)
|
|
||
| 4. Add the e-infra public key to your invenio.cfg or environment variables: | ||
| ```python | ||
| EINFRA_RSA_KEY=b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmho5h/lz6USUUazQaVT3\nPHloIk/Ljs2vZl/RAaitkXDx6aqpl1kGpS44eYJOaer4oWc6/QNaMtynvlSlnkuW\nrG765adNKT9sgAWSrPb81xkojsQabrSNv4nIOWUQi0Tjh0WxXQmbV+bMxkVaElhd\nHNFzUfHv+XqI8Hkc82mIGtyeMQn+VAuZbYkVXnjyCwwa9RmPOSH+O4N4epDXKk1V\nK9dUxf/rEYbjMNZGDva30do0mrBkU8W3O1mDVJSSgHn4ejKdGNYMm0JKPAgCWyPW\nJDoL092ctPCFlUMBBZ/OP3omvgnw0GaWZXxqSqaSvxFJkqCHqLMwpxmWTTAgEvAb\nnwIDAQAB\n-----END PUBLIC KEY-----\n' |
There was a problem hiding this comment.
From where this public key is obtained? (to update it if it ever changes)
| EINFRA_SYNC_SERVICE_ID = 0 | ||
| """Internal ID of the service in the E-INFRA Perun that is responsible for synchronization |
There was a problem hiding this comment.
What is the difference between SYNC_SERVICE and SERVICE here?
| from marshmallow import ValidationError | ||
| from sqlalchemy import select | ||
|
|
||
| CommunityRole = namedtuple("CommunityRole", ["community_id", "role"]) |
There was a problem hiding this comment.
Shouldn't be part of oarepo-communities?
| pass | ||
|
|
||
| @cached_property | ||
| def slug_to_id(self) -> Dict[str, str]: |
There was a problem hiding this comment.
Shouldn't be part of oarepo-communities? Nothing related to perun oidc
| EINFRA_ENTITLEMENT_COMMUNITIES_GROUP_PARTS = [["cesnet.cz", "res", "communities"]] | ||
| """Parts of the entitlement URN name that represent communities.""" | ||
|
|
||
| EINFRA_DUMP_DATA_URL = "s3://einfra-dump-bucket" |
There was a problem hiding this comment.
How do we access that bucket? Which credentials are used?
|
|
||
| This component is responsible for synchronizing the community to the E-INFRA Perun. | ||
| """ | ||
| communities_components = app.config.get("COMMUNITIES_SERVICE_COMPONENTS", None) |
There was a problem hiding this comment.
Check for EINFRA_COMMUNITY_SYNCHRONIZATION = True here? We shouldn't register this if that is disabled
|
|
||
| # If there is no user identity for this user and group, create it | ||
| ui = UserIdentity.query.filter_by( | ||
| user=user, method="e-infra", id=decoded_token["sub"] |
| user=user, method="e-infra", id=decoded_token["sub"] | ||
| ).one_or_none() | ||
| if not ui: | ||
| UserIdentity.create(user, "e-infra", decoded_token["sub"]) |
There was a problem hiding this comment.
use remote.name for method? to keep consistent with auccount_info_serializer
| def autocreate_user(remote, token=None, response=None, account_info=None): | ||
| assert account_info is not None | ||
|
|
||
| email = account_info["user"]["email"].lower() |
There was a problem hiding this comment.
Why is e-mail lowercase trasnformation needed?
| The caller must have the permission to upload the dump (upload-oidc-einfra-dump action | ||
| that can be assigned via invenio access commandline tool). | ||
| """ | ||
| if not Permission(upload_dump_action).allows(g.identity): |
There was a problem hiding this comment.
Consider stronger verification (cert-based? whitelist, signature checking) of the request
| return { | ||
| "status": "error", | ||
| "message": "Content-Type must be application/json", | ||
| }, 400 |
There was a problem hiding this comment.
This should be http 415 unsupportedMediaType error
| route("POST", routes["upload-dump"], self.upload_dump), | ||
| ] | ||
|
|
||
| def upload_dump(self): |
There was a problem hiding this comment.
Configure rate-limit for this endpoint to prevent flooding of target location with dumps in case of a mistake or bad intention on requestor side
No description provided.