866 readonly user (#974)

* adding readonly user initial commit

* adding read only boolean to profile

* access checks read only user

* place holder need to make sure read only users can only be viewers

* can only add user as viewer but front end does not get the error

* throws error but says added

* adding a todo

* shows success if user was added

* remove console logs

* dataset roles do not update after we add user, not sure what is wrong

* formatting

* add the read only users separately

* other auth for read only users

* return viewer for user in group that is readonly

* routes for enable/disable read only user

* ran codegen

* button toggle does not curently work

* fixing the logic to handle the action for enable/disable readonly users and update the users in store

* backend - prevent read only user from being an admin

* fix exception raise

* formatting

* Fixed test.
Problem was that the user_id was being removed from auth.user_ids when the user_ids was empty. Added a check to only try to remove user_id if user_id was in the list.

* disable read only user if user is an admin

* add set read only user method
to replace the enable and disable methods

* formatting

* adding new method

* using old action

* fixing using imported as name

* wrong backend method was being called for disable readonly

* using helper method now for chaning read only
unused back end methods removed from backend and corresponding front end

* fix package lock file

* ran codegen

* cannot make an admin a read only user

* read only user cannot create new dataset
read only user cannot add metadata definition or delete

* read only user cannot delete metadata definition

* cannot make admins read only, only need to check for admin

* wrong function call in service
can now make read only user regular user again

* fix problem with making a user read only ,then admin and it freezes
eliminate console log

* formatting

---------

Co-authored-by: Dipannita Dey <[email protected]>

Author: tcnichol

backend/app/deps/authorization_deps.py

@@ -1,4 +1,7 @@
-from app.keycloak_auth import get_current_username
+from beanie import PydanticObjectId
+from beanie.operators import Or
+from fastapi import Depends, HTTPException
+from app.keycloak_auth import get_current_username, get_read_only_user
 from app.models.authorization import AuthorizationDB, RoleType
 from app.models.datasets import DatasetDB, DatasetStatus
 from app.models.files import FileDB, FileStatus
@@ -196,6 +199,7 @@ async def __call__(
         current_user: str = Depends(get_current_username),
         admin_mode: bool = Depends(get_admin_mode),
         admin: bool = Depends(get_admin),
+        readonly: bool = Depends(get_read_only_user),
     ):
         # TODO: Make sure we enforce only one role per user per dataset, or find_one could yield wrong answer here.
 
@@ -476,20 +480,34 @@ def access(
     role_required: RoleType,
     admin_mode: bool = Depends(get_admin_mode),
     admin: bool = Depends(get_admin),
+    read_only_user: bool = Depends(get_read_only_user),
 ) -> bool:
+    # check for read only user first
+    if read_only_user and role_required == RoleType.VIEWER:
+        return True
     """Enforce implied role hierarchy ADMIN = OWNER > EDITOR > UPLOADER > VIEWER"""
     if user_role == RoleType.OWNER or (admin and admin_mode):
         return True
-    elif user_role == RoleType.EDITOR and role_required in [
-        RoleType.EDITOR,
-        RoleType.UPLOADER,
-        RoleType.VIEWER,
-    ]:
+    elif (
+        user_role == RoleType.EDITOR
+        and role_required
+        in [
+            RoleType.EDITOR,
+            RoleType.UPLOADER,
+            RoleType.VIEWER,
+        ]
+        and not read_only_user
+    ):
         return True
-    elif user_role == RoleType.UPLOADER and role_required in [
-        RoleType.UPLOADER,
-        RoleType.VIEWER,
-    ]:
+    elif (
+        user_role == RoleType.UPLOADER
+        and role_required
+        in [
+            RoleType.UPLOADER,
+            RoleType.VIEWER,
+        ]
+        and not read_only_user
+    ):
         return True
     elif user_role == RoleType.VIEWER and role_required == RoleType.VIEWER:
         return True

backend/app/keycloak_auth.py

@@ -312,6 +312,91 @@ async def get_current_username(
     )
 
 
+async def get_read_only_user(
+    token: str = Security(oauth2_scheme),
+    api_key: str = Security(api_key_header),
+    token_cookie: str = Security(jwt_header),
+) -> bool:
+    """Retrieve the user object from Mongo by first getting user id from JWT and then querying Mongo.
+    Potentially expensive. Use `get_current_username` if all you need is user name.
+    """
+
+    if token:
+        try:
+            userinfo = keycloak_openid.userinfo(token)
+            user = await UserDB.find_one(UserDB.email == userinfo["email"])
+            return user.read_only_user
+        except KeycloakAuthenticationError as e:
+            raise HTTPException(
+                status_code=e.response_code,
+                detail=json.loads(e.error_message),
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+    if token_cookie:
+        try:
+            userinfo = keycloak_openid.userinfo(token_cookie.removeprefix("Bearer%20"))
+            user = await UserDB.find_one(UserDB.email == userinfo["email"])
+            return user.read_only_user
+        # expired token
+        except KeycloakAuthenticationError as e:
+            raise HTTPException(
+                status_code=e.response_code,
+                detail=json.loads(e.error_message),
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+    if api_key:
+        serializer = URLSafeSerializer(settings.local_auth_secret, salt="api_key")
+        try:
+            payload = serializer.loads(api_key)
+            # Key is valid, check expiration date in database
+            if (
+                key := await ListenerAPIKeyDB.find_one(
+                    ListenerAPIKeyDB.user == payload["user"],
+                    ListenerAPIKeyDB.key == payload["key"],
+                )
+            ) is not None:
+                user = await UserDB.find_one(UserDB.email == key.user)
+                return user.read_only_user
+            elif (
+                key := await UserAPIKeyDB.find_one(
+                    UserAPIKeyDB.user == payload["user"],
+                    UserAPIKeyDB.key == payload["key"],
+                )
+            ) is not None:
+                current_time = datetime.utcnow()
+
+                if key.expires is not None and current_time >= key.expires:
+                    # Expired key, delete it first
+                    await key.delete()
+                    raise HTTPException(
+                        status_code=401,
+                        detail={"error": "Key is expired."},
+                        headers={"WWW-Authenticate": "Bearer"},
+                    )
+                else:
+                    user = await UserDB.find_one(UserDB.email == key.user)
+                    return user.read_only_user
+            else:
+                raise HTTPException(
+                    status_code=401,
+                    detail={"error": "Key is invalid."},
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+        except BadSignature as e:
+            raise HTTPException(
+                status_code=401,
+                detail={"error": "Key is invalid."},
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+    raise HTTPException(
+        status_code=401,
+        detail="Not authenticated.",  # "token expired",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+
 async def get_current_user_id(identity: Json = Depends(get_token)) -> str:
     """Retrieve internal Keycloak id. Does not query MongoDB."""
     keycloak_id = identity["sub"]

backend/app/models/users.py

@@ -26,6 +26,7 @@ class UserLogin(BaseModel):
 class UserDoc(Document, UserBase):
     admin: bool = False
     admin_mode: bool = False
+    read_only_user: bool = False
 
     class Settings:
         name = "users"

backend/app/routers/authentication.py

@@ -206,6 +206,54 @@ async def revoke_admin(
         )
 
 
+@router.post("/users/enable_readonly/{useremail}", response_model=UserOut)
+async def enable_readonly_user(
+    useremail: str, current_username=Depends(get_current_user), admin=Depends(get_admin)
+):
+    if admin:
+        if (user := await UserDB.find_one(UserDB.email == useremail)) is not None:
+            if not user.admin:
+                user.read_only_user = True
+                await user.replace()
+                return user.dict()
+            else:
+                raise HTTPException(
+                    status_code=403,
+                    detail=f"User {useremail} is admin cannot be read only",
+                )
+        else:
+            raise HTTPException(status_code=404, detail=f"User {useremail} not found")
+    else:
+        raise HTTPException(
+            status_code=403,
+            detail=f"User {current_username.email} is not an admin. Only admin can make others admin.",
+        )
+
+
+@router.post("/users/disable_readonly/{useremail}", response_model=UserOut)
+async def disable_readonly_user(
+    useremail: str, current_username=Depends(get_current_user), admin=Depends(get_admin)
+):
+    if admin:
+        if (user := await UserDB.find_one(UserDB.email == useremail)) is not None:
+            if not user.admin:
+                user.read_only_user = False
+                await user.replace()
+                return user.dict()
+            else:
+                raise HTTPException(
+                    status_code=403,
+                    detail=f"User {useremail} is admin cannot be read only",
+                )
+        else:
+            raise HTTPException(status_code=404, detail=f"User {useremail} not found")
+    else:
+        raise HTTPException(
+            status_code=403,
+            detail=f"User {current_username.email} is not an admin. Only admin can make others admin.",
+        )
+
+
 @router.post("/users/enable/{useremail}", response_model=UserOut)
 async def user_enable(
     useremail: str, current_username=Depends(get_current_user), admin=Depends(get_admin)

backend/app/routers/authorization.py

@@ -158,7 +158,12 @@ async def get_group_role(
     role: RoleType = Depends(get_role_by_group),
 ):
     """Retrieve role of user on a particular group (i.e. whether they can change group memberships)."""
-    return role
+    if (user := await UserDB.find_one(UserDB.email == current_user)) is not None:
+        # return viewer if read only user
+        if user.read_only_user:
+            return RoleType.VIEWER
+        else:
+            return role
 
 
 @router.post(
@@ -186,25 +191,60 @@ async def set_dataset_group_role(
             ) is not None:
                 if group_id not in auth_db.group_ids:
                     auth_db.group_ids.append(group_id)
+                    readonly_user_ids = []
                     for u in group.users:
-                        auth_db.user_ids.append(u.user.email)
+                        if u.user.read_only_user:
+                            readonly_user_ids.append(u.user.email)
+                        else:
+                            auth_db.user_ids.append(u.user.email)
                     await auth_db.replace()
-                await index_dataset(es, DatasetOut(**dataset.dict()), auth_db.user_ids)
+                    await index_dataset(
+                        es, DatasetOut(**dataset.dict()), auth_db.user_ids
+                    )
+                    if len(readonly_user_ids) > 0:
+                        readonly_auth_db = AuthorizationDB(
+                            creator=user_id,
+                            dataset_id=PydanticObjectId(dataset_id),
+                            role=RoleType.VIEWER,
+                            group_ids=[PydanticObjectId(group_id)],
+                            user_ids=readonly_user_ids,
+                        )
+                        await readonly_auth_db.insert()
+                        await index_dataset(
+                            es, DatasetOut(**dataset.dict()), readonly_auth_db.user_ids
+                        )
                 return auth_db.dict()
             else:
                 # Create new role entry for this dataset
                 user_ids = []
+                readonly_user_ids = []
                 for u in group.users:
-                    user_ids.append(u.user.email)
+                    if u.user.read_only_user:
+                        readonly_user_ids.append(u.user.email)
+                    else:
+                        user_ids.append(u.user.email)
+                # add the users who get the role
                 auth_db = AuthorizationDB(
                     creator=user_id,
                     dataset_id=PydanticObjectId(dataset_id),
                     role=role,
                     group_ids=[PydanticObjectId(group_id)],
                     user_ids=user_ids,
                 )
+                readonly_auth_db = AuthorizationDB(
+                    creator=user_id,
+                    dataset_id=PydanticObjectId(dataset_id),
+                    role=RoleType.VIEWER,
+                    group_ids=[PydanticObjectId(group_id)],
+                    user_ids=readonly_user_ids,
+                )
+                # if there are read only users add them with the role of viewer
                 await auth_db.insert()
                 await index_dataset(es, DatasetOut(**dataset.dict()), auth_db.user_ids)
+                await readonly_auth_db.insert()
+                await index_dataset(
+                    es, DatasetOut(**dataset.dict()), readonly_auth_db.user_ids
+                )
                 return auth_db.dict()
         else:
             raise HTTPException(status_code=404, detail=f"Group {group_id} not found")
@@ -227,13 +267,18 @@ async def set_dataset_user_role(
     """Assign a single user a specific role for a dataset."""
 
     if (dataset := await DatasetDB.get(PydanticObjectId(dataset_id))) is not None:
-        if (await UserDB.find_one(UserDB.email == username)) is not None:
+        if (user := await UserDB.find_one(UserDB.email == username)) is not None:
             # First, remove any existing role the user has on the dataset
             await remove_dataset_user_role(dataset_id, username, es, user_id, allow)
             auth_db = await AuthorizationDB.find_one(
                 AuthorizationDB.dataset_id == PydanticObjectId(dataset_id),
                 AuthorizationDB.role == role,
             )
+            rolename = role.name
+            if user.read_only_user and role.name is not RoleType.VIEWER.name:
+                raise HTTPException(
+                    status_code=405, detail=f"User {username} is read only"
+                )
             if auth_db is not None and username not in auth_db.user_ids:
                 auth_db.user_ids.append(username)
                 await auth_db.save()

backend/app/routers/groups.py

@@ -271,8 +271,9 @@ async def remove_member(
         # Remove user from all affected Authorization entries
         # TODO not sure if this is right
         async for auth in AuthorizationDB.find({"group_ids": ObjectId(group_id)}):
-            auth.user_ids.remove(username)
-            await auth.replace()
+            if username in auth.user_ids:
+                auth.user_ids.remove(username)
+                await auth.replace()
 
         # Update group itself
         group.users.remove(found_user)

frontend/src/actions/user.js

@@ -303,3 +303,40 @@ export function revokeAdmin(email) {
 			});
 	};
 }
+
+
+export const ENABLE_READONLY = "ENABLE_READONLY";
+
+export function enableReadOnly(email) {
+	return (dispatch) => {
+		return V2.LoginService.enableReadonlyUserApiV2UsersEnableReadonlyUseremailPost(email)
+			.then((json) => {
+				dispatch({
+					type: ENABLE_READONLY,
+					profile: json,
+					receivedAt: Date.now(),
+				});
+			})
+			.catch((reason) => {
+				dispatch(handleErrors(reason, enableReadOnly(email)));
+			});
+	};
+}
+
+export const DISABLE_READONLY = "DISABLE_READONLY";
+
+export function disableReadOnly(email) {
+	return (dispatch) => {
+		return V2.LoginService.disableReadonlyUserApiV2UsersDisableReadonlyUseremailPost(email)
+			.then((json) => {
+				dispatch({
+					type: DISABLE_READONLY,
+					profile: json,
+					receivedAt: Date.now(),
+				});
+			})
+			.catch((reason) => {
+				dispatch(handleErrors(reason, disableReadOnly(email)));
+			});
+	};
+}