Merge pull request #4667 from communitybridge/unicron-impersonation-investigation

Adding APIs: /v2/user-from-session, /v4/user-from-token

Author: mlehotskylf

cla-backend-go/cmd/server.go

@@ -4,6 +4,7 @@
 package cmd
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -97,6 +98,7 @@ import (
 	"github.com/communitybridge/easycla/cla-backend-go/user"
 	v2ClaManager "github.com/communitybridge/easycla/cla-backend-go/v2/cla_manager"
 	v2Company "github.com/communitybridge/easycla/cla-backend-go/v2/company"
+	v2CurrentUser "github.com/communitybridge/easycla/cla-backend-go/v2/current_user"
 	v2Health "github.com/communitybridge/easycla/cla-backend-go/v2/health"
 	"github.com/communitybridge/easycla/cla-backend-go/v2/store"
 	v2Template "github.com/communitybridge/easycla/cla-backend-go/v2/template"
@@ -296,6 +298,7 @@ func server(localMode bool) http.Handler {
 	v2ProjectService := v2Project.NewService(v1ProjectService, v1CLAGroupRepo, v1ProjectClaGroupRepo)
 	v1CompanyService := v1Company.NewService(v1CompanyRepo, configFile.CorporateConsoleV1URL, userRepo, usersService)
 	v2CompanyService := v2Company.NewService(v1CompanyService, signaturesRepo, v1CLAGroupRepo, usersRepo, v1CompanyRepo, v1ProjectClaGroupRepo, eventsService)
+	v2CurrentUserService := v2CurrentUser.NewService()
 
 	v1RepositoriesService := v1Repositories.NewService(gitV1Repository, githubOrganizationsRepo, v1ProjectClaGroupRepo)
 	v2RepositoriesService := v2Repositories.NewService(gitV1Repository, gitV2Repository, v1ProjectClaGroupRepo, githubOrganizationsRepo, gitlabOrganizationRepo, eventsService)
@@ -358,6 +361,7 @@ func server(localMode bool) http.Handler {
 	gerrits.Configure(api, gerritService, v1ProjectService, eventsService)
 	v2Gerrits.Configure(v2API, gerritService, v1ProjectService, eventsService, v1ProjectClaGroupRepo)
 	v2Company.Configure(v2API, v2CompanyService, v1ProjectClaGroupRepo, configFile.LFXPortalURL, configFile.CorporateConsoleV1URL)
+	v2CurrentUser.Configure(v2API, v2CurrentUserService)
 	cla_manager.Configure(api, v1ClaManagerService, v1CompanyService, v1ProjectService, usersService, v1SignaturesService, eventsService, emailTemplateService)
 	v2ClaManager.Configure(v2API, v2ClaManagerService, v1CompanyService, configFile.LFXPortalURL, configFile.CorporateConsoleV2URL, v1ProjectClaGroupRepo, userRepo)
 	cla_groups.Configure(v2API, v2ClaGroupService, v1ProjectService, v1ProjectClaGroupRepo, eventsService)
@@ -371,7 +375,7 @@ func server(localMode bool) http.Handler {
 
 	userCreaterMiddleware := func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			createUserFromRequest(authorizer, usersService, eventsService, r)
+			r = createUserFromRequest(authorizer, usersService, eventsService, r)
 			next.ServeHTTP(w, r)
 		})
 	}
@@ -610,46 +614,53 @@ func responseLoggingMiddleware(next http.Handler) http.Handler {
 
 // create user form http authorization token
 // this function creates user if user does not exist and token is valid
-func createUserFromRequest(authorizer auth.Authorizer, usersService users.Service, eventsService events.Service, r *http.Request) {
+func createUserFromRequest(authorizer auth.Authorizer, usersService users.Service, eventsService events.Service, r *http.Request) *http.Request {
 	f := logrus.Fields{
 		"functionName": "cmd.createUserFromRequest",
 	}
 
 	bToken := r.Header.Get("Authorization")
 	if bToken == "" {
-		return
+		return r
 	}
 	t := strings.Split(bToken, " ")
 	if len(t) != 2 {
 		log.WithFields(f).Warn("parsing of authorization header failed - expected two values separated by a space")
-		return
+		return r
 	}
 
 	// parse user from the auth token
 	claUser, err := authorizer.SecurityAuth(t[1], []string{})
 	if err != nil {
 		log.WithFields(f).WithError(err).Warn("parsing failed")
-		return
+		return r
 	}
 	f["claUserName"] = claUser.Name
 	f["claUserID"] = claUser.UserID
 	f["claUserLFUsername"] = claUser.LFUsername
 	f["claUserLFEmail"] = claUser.LFEmail
 	f["claUserEmails"] = strings.Join(claUser.Emails, ",")
 
+	// only needed if API called is /v4/user-from-token
+	needToStoreUser := r.URL.Path == "/v4/user-from-token"
+
 	// search if user exist in database by username
 	userModel, err := usersService.GetUserByLFUserName(claUser.LFUsername)
 	if err != nil {
 		if _, ok := err.(*utils.UserNotFound); ok {
 			log.WithFields(f).Debug("unable to locate user by lf-email")
 		} else {
 			log.WithFields(f).WithError(err).Warn("searching user by lf-username failed")
-			return
+			return r
 		}
 	}
 	// If found - just return
 	if userModel != nil {
-		return
+		if !needToStoreUser {
+			return r
+		}
+		ctx := context.WithValue(r.Context(), "user", userModel) // nolint
+		return r.WithContext(ctx)
 	}
 
 	// search if user exist in database by username
@@ -659,12 +670,16 @@ func createUserFromRequest(authorizer auth.Authorizer, usersService users.Servic
 			log.WithFields(f).Debug("unable to locate user by lf-email")
 		} else {
 			log.WithFields(f).WithError(err).Warn("searching user by lf-email failed")
-			return
+			return r
 		}
 	}
 	// If found - just return
 	if userModel != nil {
-		return
+		if !needToStoreUser {
+			return r
+		}
+		ctx := context.WithValue(r.Context(), "user", userModel) // nolint
+		return r.WithContext(ctx)
 	}
 
 	// Attempt to create the user
@@ -677,7 +692,7 @@ func createUserFromRequest(authorizer auth.Authorizer, usersService users.Servic
 	userModel, err = usersService.CreateUser(newUser, nil)
 	if err != nil {
 		log.WithFields(f).WithField("user", newUser).WithError(err).Warn("creating new user failed")
-		return
+		return r
 	}
 
 	// Log the event
@@ -687,4 +702,9 @@ func createUserFromRequest(authorizer auth.Authorizer, usersService users.Servic
 		UserModel: userModel,
 		EventData: &events.UserCreatedEventData{},
 	})
+	if !needToStoreUser {
+		return r
+	}
+	ctx := context.WithValue(r.Context(), "user", userModel) // nolint
+	return r.WithContext(ctx)
 }

cla-backend-go/swagger/cla.v2.yaml

@@ -2652,6 +2652,32 @@ paths:
       tags:
         - cla-manager
 
+  /user-from-token:
+    get:
+      summary: Get user object from current bearer token
+      description: Get user object from current bearer token
+      operationId: getUserFromToken
+      parameters:
+        - $ref: "#/parameters/x-request-id"
+        - $ref: "#/parameters/x-acl"
+        - $ref: "#/parameters/x-username"
+        - $ref: "#/parameters/x-email"
+      responses:
+        '200':
+          description: 'Success'
+          headers:
+            x-request-id:
+              type: string
+              description: The unique request ID value - assigned/set by the API Gateway based on the session
+          schema:
+            $ref: '#/definitions/user'
+        '400':
+          $ref: '#/responses/invalid-request'
+        '404':
+          $ref: '#/responses/not-found'
+      tags:
+        - current_user
+
   /user/{userID}/request-company-admin:
     post:
       summary: Request Manager

cla-backend-go/v2/current_user/handlers.go

@@ -0,0 +1,42 @@
+// Copyright The Linux Foundation and each contributor to CommunityBridge.
+// SPDX-License-Identifier: MIT
+
+package current_user
+
+import (
+	"context"
+
+	log "github.com/communitybridge/easycla/cla-backend-go/logging"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/LF-Engineering/lfx-kit/auth"
+	"github.com/communitybridge/easycla/cla-backend-go/gen/v2/restapi/operations"
+	"github.com/communitybridge/easycla/cla-backend-go/gen/v2/restapi/operations/current_user"
+	"github.com/communitybridge/easycla/cla-backend-go/utils"
+	"github.com/go-openapi/runtime/middleware"
+)
+
+// Configure sets up the middleware handlers
+func Configure(api *operations.EasyclaAPI, service Service) { // nolint
+	api.CurrentUserGetUserFromTokenHandler = current_user.GetUserFromTokenHandlerFunc(
+		func(params current_user.GetUserFromTokenParams, authUser *auth.User) middleware.Responder {
+			reqID := utils.GetRequestID(params.XREQUESTID)
+			ctx := context.WithValue(params.HTTPRequest.Context(), utils.XREQUESTID, reqID) // nolint
+			utils.SetAuthUserProperties(authUser, params.XUSERNAME, params.XEMAIL)
+			f := logrus.Fields{
+				"functionName":   "v2.current_user.handlers.GetUserFromToken",
+				utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+				"authUserName":   utils.StringValue(params.XUSERNAME),
+				"authUserEmail":  utils.StringValue(params.XEMAIL),
+			}
+			log.WithFields(f).Debugf("looking for user from bearer token")
+			userModel, err := service.UserFromContext(ctx)
+			if err != nil {
+				msg := "unable to lookup user from token"
+				log.WithFields(f).WithError(err).Warn(msg)
+				return current_user.NewGetUserFromTokenNotFound().WithXRequestID(reqID).WithPayload(utils.ErrorResponseNotFound(reqID, msg))
+			}
+			return current_user.NewGetUserFromTokenOK().WithXRequestID(reqID).WithPayload(userModel)
+		})
+}

cla-backend-go/v2/current_user/service.go

@@ -0,0 +1,51 @@
+// Copyright The Linux Foundation and each contributor to CommunityBridge.
+// SPDX-License-Identifier: MIT
+
+package current_user
+
+import (
+	"context"
+	"fmt"
+
+	v1Models "github.com/communitybridge/easycla/cla-backend-go/gen/v1/models"
+	v2Models "github.com/communitybridge/easycla/cla-backend-go/gen/v2/models"
+	log "github.com/communitybridge/easycla/cla-backend-go/logging"
+	"github.com/communitybridge/easycla/cla-backend-go/utils"
+	"github.com/jinzhu/copier"
+	"github.com/sirupsen/logrus"
+)
+
+type service struct{}
+
+// Service functions for current_user
+type Service interface {
+	UserFromContext(ctx context.Context) (*v2Models.User, error)
+}
+
+// NewService returns instance of current_user service
+func NewService() Service {
+	return &service{}
+}
+
+func (s *service) UserFromContext(ctx context.Context) (*v2Models.User, error) {
+	f := logrus.Fields{
+		"functionName":   "v2.current_user.service.UserFromContext",
+		utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+	}
+
+	ctxUserModel, ok := ctx.Value("user").(*v1Models.User)
+	if !ok || ctxUserModel == nil {
+		msg := "unable to lookup user from context"
+		log.WithFields(f).Warn(msg)
+		return nil, fmt.Errorf("cannot find user data in context")
+	}
+
+	var v2UserModel v2Models.User
+	copyErr := copier.Copy(&v2UserModel, &ctxUserModel)
+	if copyErr != nil {
+		log.WithFields(f).Warnf("problem converting DB user model to a v2 user model, error: %+v", copyErr)
+		return nil, copyErr
+	}
+
+	return &v2UserModel, nil
+}

cla-backend/cla/controllers/repository_service.py

@@ -33,3 +33,17 @@ def sign_request(provider, installation_id, github_repository_id, change_request
     """
     service = cla.utils.get_repository_service(provider)
     return service.sign_request(installation_id, github_repository_id, change_request_id, request)
+
+def user_from_session(request, response=None):
+    """
+    Return user from OAuth2 session
+    """
+    # LG: to test using MockGitHub class
+    # import os
+    # from cla.models.github_models import MockGitHub
+    # user = MockGitHub(os.environ["GITHUB_OAUTH_TOKEN"]).user_from_session(request)
+    user = cla.utils.get_repository_service('github').user_from_session(request)
+    if user is None:
+        response.status = HTTP_404
+        return {"errors": "Cannot find user from session"}
+    return user.to_dict()

cla-backend/cla/models/github_models.py

@@ -96,6 +96,23 @@ def received_activity(self, data):
         else:
             cla.log.debug("github_models.received_activity - Ignoring unsupported action: {}".format(data["action"]))
 
+    def user_from_session(self, request):
+        fn = "github_models.user_from_session"  # function name
+        cla.log.debug(f"{fn} - Loading session from request: {request}...")
+        session = self._get_request_session(request)
+        if "github_oauth2_token" in session:
+            cla.log.debug(f"{fn} - Using existing session GitHub OAuth2 token")
+            user = self.get_or_create_user(request)
+            cla.log.debug(f"{fn} - loaded user {user.to_dict()}")
+            return user
+        else:
+            cla.log.debug(f"{fn} - No existing GitHub OAuth2 token - building authorization url and state")
+            authorization_url, state = self.get_authorization_url_and_state(None, None, None, ["user:email"])
+            cla.log.debug(f"{fn} - Obtained GitHub OAuth2 state from authorization - storing state in the session...")
+            session["github_oauth2_state"] = state
+            cla.log.debug(f"{fn} - GitHub OAuth2 request with state {state} - sending user to {authorization_url}")
+            raise falcon.HTTPFound(authorization_url)
+
     def sign_request(self, installation_id, github_repository_id, change_request_id, request):
         """
         This method gets called when the OAuth2 app (NOT the GitHub App) needs to get info on the
@@ -1836,10 +1853,12 @@ def _get_request_session(self, request) -> dict:
         return {}
 
     def get_user_data(self, session, client_id) -> dict:
-        return {"email": "[email protected]", "name": "Test User", "id": 123}
+        return {"email": "[email protected]", "name": "Test User", "login": "testuser", "id": 123}
 
     def get_user_emails(self, session, client_id):
-        return [{"email": "[email protected]", "verified": True, "primary": True, "visibility": "public"}]
+        # LG: updated MockGitHub to return emails in the same way as GitHub class
+        return ["[email protected]"]
+        # return [{"email": "[email protected]", "verified": True, "primary": True, "visibility": "public"}]
 
     def get_pull_request(self, github_repository_id, pull_request_number, installation_id):
         return MockGitHubPullRequest(pull_request_number)

cla-backend/cla/routes.py

@@ -1804,6 +1804,37 @@ def get_event(event_id: hug.types.text, response):
     """
     return cla.controllers.event.get_event(event_id=event_id, response=response)
 
+@hug.get("/user-from-session", versions=2)
+def user_from_session(request, response):
+    """
+    GET: /user-from-session
+    Example: https://api.dev.lfcla.com/v2/user-from-session
+    Returns user object from OAuth2 session
+    Example user returned:
+    {
+      "date_created": "2025-05-21T08:05:19.221609+0000",
+      "date_modified": "2025-05-21T08:09:19.943455+0000",
+      "lf_email": null,
+      "lf_sub": null,
+      "lf_username": null,
+      "note": null,
+      "user_company_id": null,
+      "user_emails": [
+        "[email protected]"
+      ],
+      "user_external_id": null,
+      "user_github_id": "123",
+      "user_github_username": "testuser",
+      "user_gitlab_id": null,
+      "user_gitlab_username": null,
+      "user_id": "78bb15eb-8cbf-44e6-8b64-c713db6ee51b",
+      "user_ldap_id": null,
+      "user_name": "Test User",
+      "version": "v1"
+    }
+    """
+    return cla.controllers.repository_service.user_from_session(request, response)
+
 
 @hug.post("/events", versions=1)
 def create_event(

utils/active_signature_py.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# user_id='9dcf5bbc-2492-11ed-97c7-3e2a23ea20b5'
+# select key, data:expire from fivetran_ingest.dynamodb_product_us_east1_dev.cla_dev_store where key like 'active_signature:%' order by data:expire desc limit 1;
+# select key, data:expire from fivetran_ingest.dynamodb_product_us_east_1.cla_prod_store where key like 'active_signature:%' order by data:expire desc limit 1;
+# API_URL=https://api.lfcla.dev.platform.linuxfoundation.org DEBUG=1 ./utils/active_signature_py.sh '4b344ac4-f8d9-11ed-ac9b-b29c4ace74e9'
+# API_URL=https://api.lfcla.dev.platform.linuxfoundation.org DEBUG=1 ./utils/active_signature_py.sh '4b344ac4-f8d9-11ed-ac9b-b29c4ace74e9'
+# API_URL=https://api.easycla.lfx.linuxfoundation.org DEBUG='' ./utils/active_signature_py.sh '564e571e-12d7-4857-abd4-898939accdd7'
+
+if [ -z "$1" ]
+then
+  echo "$0: you need to specify user_id as a 1st parameter"
+  exit 1
+fi
+export user_id="$1"
+
+if [ -z "$API_URL" ]
+then
+  export API_URL="http://localhost:5000"
+fi
+
+if [ ! -z "$DEBUG" ]
+then
+  echo "curl -s -XGET -H 'Content-Type: application/json' \"${API_URL}/v2/user/${user_id}/active-signature\""
+  curl -s -XGET -H "Content-Type: application/json" "${API_URL}/v2/user/${user_id}/active-signature"
+else
+  curl -s -XGET -H "Content-Type: application/json" "${API_URL}/v2/user/${user_id}/active-signature" | jq -r '.'
+fi

utils/check_prepare_employee_signature_py.sh

@@ -3,7 +3,7 @@
 # user_id='9dcf5bbc-2492-11ed-97c7-3e2a23ea20b5'
 # company_id='862ff296-6508-4f10-9147-2bc2dd7bfe80'
 # project_id='88ee12de-122b-4c46-9046-19422054ed8d'
-# DEBUG=1 ./utils/check_prepare_employee_signature_py 9dcf5bbc-2492-11ed-97c7-3e2a23ea20b5 862ff296-6508-4f10-9147-2bc2dd7bfe80 88ee12de-122b-4c46-9046-19422054ed8d github 'http://localhost'
+# DEBUG=1 ./utils/check_prepare_employee_signature_py 9dcf5bbc-2492-11ed-97c7-3e2a23ea20b5 862ff296-6508-4f10-9147-2bc2dd7bfe80 88ee12de-122b-4c46-9046-19422054ed8d
 # DEBUG=1 ./utils/check_prepare_employee_signature_py.sh 65d22813-1ac0-4292-bb68-fdcb278473a5 4930fe6e-e023-4f56-9767-6f1996a7b730 43c546ff-bc79-4a32-9454-77dabd6afaee
 
 if [ -z "$1" ]