Conversation

@QuanMPhm QuanMPhm commented Mar 7, 2025

No description provided.

knikolla and others added 30 commits February 8, 2024 14:34
When creating a user, we first attempt to fetch up to date
information from Keycloak. However, when that succeeds,
the API returns 500 because the dictionary returned contains
an extra key.

TypeError: create_user() got an unexpected keyword argument 'source'.

This fixes the above error by passing only the required keys to
create_user.
…keycloak

Fixes 500 when user info fetched from Keycloak
…plemented by django_scim, as well as the root view.

The application namespace 'scim' is also defined, based on the requirements of the django_scim module.
The adapter is needed to provide a conversion between Django's User model and a SCIM User dict, which is critical for any interactions with the SCIM API.

The adapter overrides 3 methods - which are self-explanatory - and the "id_field" attribute, which specifies the name of the SQL field from which to query the user id.
Because we currently use the user's username as the user id, it is set to "username".
django_scim uses the scim2_filter_parser module to translate SCIM filter queries (i.e. "emails eq ...") into raw SQL queries before sending those queries to the database.
The filter_parser module needs an attribute map that maps SCIM attributes (i.e. name.familyName) into table column names in order to perform the translation.
Another config option is a 'joins' table that is not needed now. More information can be found in the scim2_filter_parser github page.

I've subclassed from the UserFilterQuery class in django_scim, which is the access point to the filter_parser module, and overrode the attr_map to add the correct mapping for emails.
This child class must be specified in the SCIM_SERVICE_PROVIDER config variable in 'local_settings.py' as a custom filter_parser class.
…indexing and pagination into the SCIM user list response

Also added a test for filter functionality
…to only allow admin users to use SCIM user endpoint
Added django_scim as a Django SCIM implementation, enabling queries on SCIM Users
Added pre-commit-config.yaml and pre-commit Github action.
Allows filtering of groups by user membership
More information on how to use the filtering API is found in the docstring in urls.py
- Added a small 0.5 seconds wait between students.
- Added reauthentication every 50 students to prevent session
  expiration.
- Added error logging and exit on error.
- Used the click library and updated help.
- Added a --add-to-rhods-notebooks-namespace flag for when
  registering TAs.
…name

This change is intended to make it easier for invoice scripts to find the
PI's institution
Modified /api/allocations endpoint to return PI email instead of user…
This allows django_scim to be properly configured when the plugin is imported into another project
…rror

Moved django_scim settings into config.py
Added filtering of allocations by several attributes
Modified user registration script to use the device authorization grant flow
This workaround uses a keycloak admin account to impersonate
a keycloak user and simulate a browser flow authentication to
ColdFront, fetching the cookies and using Session for authentication
instead.
Temporary workaround for broken OAuth2 authentication
Previously, the Coldfront SCIM endpoints could not perform OIDC authentication,
preventing usage of the client credentials and device authorization flows.

An authentication middleware which subclasses from the one provided by
`django_scim` has been added, which will perform OIDC authentication
given an access token in the "Authorization" HTTP request header.

The SCIM endpoint is now available to Coldfront users with
"staff" or "superuser" status. It will perform OIDC authentication
if the `PLUGIN_AUTH_OIDC` env var is set to True.
A new CI job has been added to test the OIDC authentication for the
API endpoints. This CI starts Keycloak in a container, installs coldfront
then runs the API functional tests.

A few code decisions to note:
- The functional tests subclassed the keycloak client provided by `CCI-MOC/onboarding-tools`.
Subclassing was needed because the original client class contained code which is out-of-date
with the current version of Keycloak
- The `is_user_superuser()` function in `utils.py` now also checks if `user.is_superuser`,
to account for an edge case where a superuser is created but their `is_staff` attribute is
not set.
Fixed OIDC authentication for SCIM endpoints
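Two of the commits above describe small defensive checks: the "Fixes 500" commit passes only the keys `create_user` accepts instead of forwarding the whole Keycloak dictionary, and the last commit's `is_user_superuser()` treats a user as privileged if either `is_staff` or `is_superuser` is set. The following is an added, self-contained illustration of both, not code from the ColdFront plugin: `User`, `create_user` and the Keycloak payload are constructed stand-ins (Django is not imported), and `required_keys_only` is a hypothetical helper that derives the accepted keyword set from the target function's signature.

```python
from dataclasses import dataclass
import inspect


@dataclass
class User:
    """Constructed stand-in for Django's User model (assumption, not the project's model)."""
    username: str
    is_staff: bool = False
    is_superuser: bool = False


def is_user_superuser(user: User) -> bool:
    """Privileged if either flag is set.

    Checking only is_staff would wrongly deny a superuser whose is_staff
    attribute was never set, which is the edge case the commit describes.
    """
    return bool(user.is_staff or user.is_superuser)


def create_user(username, first_name="", last_name="", email=""):
    """Stand-in for a create_user helper with a fixed keyword set (assumption)."""
    return {
        "username": username,
        "first_name": first_name,
        "last_name": last_name,
        "email": email,
    }


def required_keys_only(info: dict, target=create_user) -> dict:
    """Keep only the keys the target function accepts.

    Hypothetical helper: the accepted set is read from the target's signature,
    so an extra key such as Keycloak's 'source' is dropped instead of being
    forwarded with **info and raising TypeError.
    """
    accepted = set(inspect.signature(target).parameters)
    return {k: v for k, v in info.items() if k in accepted}


# Constructed sample of a Keycloak lookup result; the extra 'source' key is the
# one named in the TypeError quoted in the commit message.
KEYCLOAK_INFO = {
    "username": "alice",
    "first_name": "Alice",
    "last_name": "Example",
    "email": "alice@example.org",
    "source": "keycloak",
}


def unfiltered_call_fails(info: dict) -> bool:
    """Reproduce the 'before' behaviour: forwarding every key raises TypeError."""
    try:
        create_user(**info)
    except TypeError:
        return True
    return False


def create_from_keycloak(info: dict) -> dict:
    """The 'after' behaviour: only the required keys reach create_user."""
    return create_user(**required_keys_only(info))


def scim_access_allowed(user: User) -> bool:
    """Authorization gate for the SCIM endpoint: staff or superuser only."""
    return is_user_superuser(user)


if __name__ == "__main__":
    print("unfiltered call fails:", unfiltered_call_fails(KEYCLOAK_INFO))
    print("filtered user:", create_from_keycloak(KEYCLOAK_INFO))
    for u in (User("alice", is_staff=True), User("bob", is_superuser=True), User("carol")):
        print(u.username, "SCIM allowed:", scim_access_allowed(u))
```

Deriving the accepted keys from the signature keeps the filter in step with `create_user` if its parameters change; an explicit allow-list of field names is the alternative when the target is a third-party function whose signature should not be introspected.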

4 participants