Merge branch 'loganbertram/BB2-3321-oauth-revoke-endpoint' of github.com:CMSgov/bluebutton-web-server into loganbertram/BB2-3321-oauth-revoke-endpoint

Author: loganbertram

Dockerfile

@@ -1,5 +1,6 @@
-FROM --platform=linux/amd64 python:3.8
+FROM --platform=linux/amd64 python:3.11
 ENV PYTHONUNBUFFERED 1
+ENV PYDEVD_DISABLE_FILE_VALIDATION 1
 RUN useradd -m -s /bin/bash DEV
 USER DEV
 ADD . /code

Dockerfile.selenium

@@ -2,7 +2,7 @@ FROM seleniarm/standalone-chromium
 
 ENV PYTHONUNBUFFERED 1
 USER root
-RUN apt-get update ; apt-get install -yq git curl libpq-dev libffi-dev
+#RUN apt-get update ; apt-get install -yq git curl libpq-dev libffi-dev
 RUN apt-get update ; apt-get install -yq python3 python3-venv
 RUN ln -s /usr/bin/python3 /usr/local/bin/python
 RUN useradd -m -s /bin/bash DEV

Dockerfiles/Dockerfile.selenium-jenkins-python311

@@ -0,0 +1,18 @@
+FROM --platform=linux/amd64 python:3.11
+# For build CBC Jenkins job ECR image
+ENV PYTHONUNBUFFERED 1
+
+RUN mkdir /code
+ADD . /code/
+WORKDIR /code
+
+RUN pip install --upgrade pip
+RUN apt-get update && apt-get install -yq git unzip curl
+# Install Chrome for Selenium
+RUN curl https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /chrome.deb \
+    && dpkg -i /chrome.deb || apt-get install -yf \
+    && rm /chrome.deb
+# Install chromedriver for Selenium
+RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip \
+    && unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ \
+    && chmod +x /usr/local/bin/chromedriver

Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium

@@ -1,13 +1,13 @@
 pipeline {
   agent {
     kubernetes {
-      defaultContainer "bb2-cbc-build-selenium-python38"
-      yamlFile "Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p38.yaml"
+      defaultContainer "bb2-cbc-build-selenium-python311"
+      yamlFile "Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311.yaml"
     }
   }
 
   environment {
-    USE_MSLSX = false
+    USE_MSLSX = true
     DJANGO_LOG_JSON_FORMAT_PRETTY = true
     DJANGO_SETTINGS_MODULE = "hhs_oauth_server.settings.logging_it"
     OAUTHLIB_INSECURE_TRANSPORT = true
@@ -55,6 +55,7 @@ pipeline {
         sh """
           python -m venv venv
           . venv/bin/activate
+          python -m pip install --upgrade pip setuptools wheel cryptography
           make reqs-download
           make reqs-install-dev
         """

Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+spec:
+  containers:
+    - name: bb2-cbc-build-selenium-python311
+      image: "public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium-python311:latest"
+      tty: true
+      command: ["tail", "-f"]
+      imagePullPolicy: Always
+  nodeSelector:
+      Agents: true

Makefile

@@ -4,11 +4,11 @@ reqs-compile:
 
 # Note: requirements.dev.txt includes packages from requirements.txt also.
 reqs-download:
-	pip download -r requirements/requirements.dev.txt --dest vendor --platform manylinux2014_x86_64 --abi cp38 --no-deps
+	pip download -r requirements/requirements.dev.txt --dest vendor --platform manylinux2014_x86_64 --abi cp311 --no-deps
 
 #Note: Only installs prod requirements NOT RECOMMENDED FOR DEVELOPMENT.
 reqs-download-prod:
-	pip download -r requirements/requirements.txt --dest vendor --platform manylinux2014_x86_64 --abi cp38 --no-deps	
+	pip download -r requirements/requirements.txt --dest vendor --platform manylinux2014_x86_64 --abi cp311 --no-deps
 
 reqs-install:
 	pip install -r requirements/requirements.txt --no-index --find-links ./vendor/

apps/docs/templates/openapi.html

@@ -40,12 +40,14 @@
 
   <body>
     <div id="swagger-ui"></div>
+    <button id="custom-logout-button">Logout</button>
 
     <script src="{% static 'swagger-ui-4.15.5-dist/swagger-ui-bundle.js' %}" charset="UTF-8"> </script>
     <script src="{% static 'swagger-ui-4.15.5-dist/swagger-ui-standalone-preset.js' %}" charset="UTF-8"> </script>
     <script>
     window.onload = function() {
-      const ui = SwaggerUIBundle({
+      let ui;
+      ui = SwaggerUIBundle({
         urls: [
             {
                 url: "{% static 'openapi.yaml' %}",
@@ -60,13 +62,20 @@
         ],
         layout: "StandaloneLayout",
         requestInterceptor: (request) => {
-            const accessToken = localStorage.getItem('access_token');
-            if (accessToken) {
-                request.headers['Authorization'] = `Bearer ${accessToken}`;
+            if (ui) {
+              const serverUrl = ui.specSelectors.specJson().toJS().servers[0].url;
+              const accessToken = localStorage.getItem('access_token');
+              if (accessToken && request.url.startsWith(serverUrl)) {
+                  request.headers['Authorization'] = `Bearer ${accessToken}`;
+              }
             }
-
+            
             return request;
         },
+        onComplete: function() {
+          initializeOauthData()
+          addLogoutButton();
+        },
 
         oauth2RedirectUrl: window.location.origin + "/docs/oauth2-redirect"
       });
@@ -83,14 +92,14 @@
           // Save OAuth2 details to localStorage
           const serializedData = serializeObject(window.swaggerUIRedirectOauth2)
           /**
-           *  swaggerUIRedirectOauth2 contains information regarding oauth2 clientId, clientSecret etc.
+           * swaggerUIRedirectOauth2 contains information regarding oauth2 clientId, clientSecret etc.
            * This will be required by static/oauth2-redirect.html and will be deserialized there
            */
           localStorage.setItem('swaggerUIRedirectOauth2', serializedData);
           window.dispatchEvent(new Event('storage'));
-        }
+      }
 
-        function serializeObject(obj) {
+      function serializeObject(obj) {
           const serializedObj = { ...obj };
           for (const key in serializedObj) {
               if (typeof serializedObj[key] === 'function') {
@@ -100,13 +109,77 @@
           return JSON.stringify(serializedObj);
       }
 
+      function deserializeObject(serialized) {
+          const parsedObj = JSON.parse(serialized);
+          for (const key in parsedObj) {
+              if (typeof parsedObj[key] === 'string' && parsedObj[key].startsWith('function')) {
+                  parsedObj[key] = new Function('return ' + parsedObj[key])();
+              }
+          }
+          return parsedObj;
+      }
+
       // Event listener for authorize button click
       document.addEventListener('click', (event) => {
           if (event.target && event.target.matches('button.btn.modal-btn.auth.authorize.button')) {
               waitForSwaggerUIRedirectOauth2();
           }
       });
 
+      function initializeOauthData() {
+          const oauth2Data = localStorage.getItem('swaggerUIRedirectOauth2');
+          if (!oauth2Data) {
+            return;
+          }
+          const oauth2 = deserializeObject(oauth2Data)
+          const tokenUrl = oauth2.auth.schema.tokenUrl;
+          const clientId = oauth2.auth.clientId
+          const clientSecret = oauth2.auth.clientSecret;
+          const redirectUri = oauth2.redirectUrl
+          const scopes = oauth2.auth.scopes.join(" ");
+          ui.initOAuth({
+              clientId: clientId,
+              clientSecret: clientSecret,
+              scopeSeparator: " ",
+              scopes: scopes
+          })
+      }
+
+      function addLogoutButton() {
+          const accessToken = localStorage.getItem('access_token');
+          if (!accessToken) {
+            return;
+          }
+
+          const authWrapper = document.querySelector('.auth-wrapper');
+          if (!authWrapper) {
+              return;
+          }
+
+          const customButtonsWrapper = document.createElement('div');
+          customButtonsWrapper.id = 'custom-buttons';
+          customButtonsWrapper.style.display = 'flex';
+          customButtonsWrapper.style.alignItems = 'center';
+          customButtonsWrapper.style.marginLeft = '20px';
+
+          const classNames = ['btn', 'modal-btn', 'auth', 'button'];
+          const logoutButton = document.createElement('button');
+
+          logoutButton.id = 'logoutButton';
+          logoutButton.classList.add(...classNames);
+          logoutButton.textContent = 'Logout';
+          logoutButton.style.marginLeft = '10px';
+
+          logoutButton.addEventListener('click', function() {
+              localStorage.removeItem('access_token');
+              localStorage.removeItem('swaggerUIRedirectOauth2');
+              logoutButton.style.display = 'none';
+           });
+          
+          customButtonsWrapper.appendChild(logoutButton);
+          authWrapper.parentElement.insertBefore(customButtonsWrapper, authWrapper.nextSibling);
+      }
+
     };
 
   </script>

apps/integration_tests/selenium_generic.py

@@ -65,7 +65,6 @@ def setup_method(self, method):
         opt.add_argument("--disable-popup-blocking")
         opt.add_argument("--enable-javascript")
         opt.add_argument('--allow-insecure-localhost')
-        # opt.add_argument('--window-size=1920,1080')
         opt.add_argument("--whitelisted-ips=''")
 
         self.driver = webdriver.Remote(

apps/logging/request_logger.py

@@ -132,11 +132,15 @@ def extract_request_data(self, request):
             self.standard_log_data["auth_pkce_method"] = request.session["auth_pkce_method"]
         except Exception:
             self.standard_log_data["auth_pkce_method"] = None
-
         try:
             self.standard_log_data["auth_language"] = request.session["auth_language"]
         except Exception:
             pass
+        try:
+            request_headers = getattr(request, "headers")
+            self.standard_log_data["data_facilitator_end_user"] = request_headers["data_facilitator_end_user"]
+        except Exception:
+            pass
 
         self.standard_log_data.update(get_session_auth_flow_trace(request))
 

apps/logging/tests/test_audit_loggers.py

@@ -532,6 +532,46 @@ def _request_logger_app_not_exist(self, v2=False):
         self.assertEqual(json_rec.get("req_app_name"), "")
         self.assertEqual(json_rec.get("req_app_id"), "")
 
+    def test_request_logger_data_facilitator_end_user(self):
+        self._request_logger_data_facilitator_end_user(False)
+
+    def test_request_logger_data_facilitator_end_user_v2(self):
+        self._request_logger_data_facilitator_end_user(True)
+
+    def _request_logger_data_facilitator_end_user(self, v2=False):
+        redirect_uri = "http://localhost"
+        self._create_user("anna", "123456")
+        capability_a = self._create_capability("Capability A", [])
+        capability_b = self._create_capability("Capability B", [])
+        application = self._create_application(
+            "an app",
+            grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            redirect_uris=redirect_uri,
+        )
+
+        application.scope.add(capability_a, capability_b)
+        api_ver = "v1" if not v2 else "v2"
+
+        request = HttpRequest()
+        self.client.login(request=request, username="anna", password="123456")
+
+        payload = {
+            "client_id": application.id,
+            "response_type": "code",
+            "redirect_uri": redirect_uri,
+        }
+
+        headers = {"DATA-END-USER": "End User App"}
+
+        response = self.client.get("/{}/o/authorize/".format(api_ver), data=payload, headers=headers)
+
+        self.assertNotEqual(response.status_code, 500)
+        # assert request logger record exist and app name, app id has expected value ""
+        request_log_content = get_log_content(self.logger_registry, logging.AUDIT_HHS_AUTH_SERVER_REQ_LOGGER)
+        self.assertIsNotNone(request_log_content)
+        json_rec = json.loads(request_log_content)
+        self.assertEqual(json_rec.get("data_facilitator_end_user"), "End User App")
+
     def test_auth_flow_lang_logger(self, v2=False):
         # copy and adapted to test auth flow logger
         redirect_uri = "http://localhost"