MAAP-Project · bsatoriu · Sep 26, 2024 · Jun 26, 2024 · Jul 2, 2024 · Jul 2, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v4.1.0] - 2024-09-10
+- [pull/131](https://github.com/MAAP-Project/maap-api-nasa/pull/131) - Added query params to job list endpoint 
+- [pull/135](https://github.com/MAAP-Project/maap-api-nasa/pull/135) - User secret management 
+- [pull/137](https://github.com/MAAP-Project/maap-api-nasa/pull/137) - Organizations & job queues management
+- [pull/136](https://github.com/MAAP-Project/maap-api-nasa/pull/136) - Add support for DPS sandbox queue
+- [pull/132](https://github.com/MAAP-Project/maap-api-nasa/pull/132) - Remove {username} param from DPS job list endpoint 
+
 ## [v4.0.0] - 2024-06-26
 - [issues/111](https://github.com/MAAP-Project/maap-api-nasa/issues/111) - Implement github actions CICD and convert to poetry based build
 - [pull/110](https://github.com/MAAP-Project/maap-api-nasa/pull/110) - Remove postgres from docker-compose
@@ -16,4 +23,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 [unreleased]: https://github.com/MAAP-Project/maap-api-nasa/v4.0.0...HEAD
-[v4.0.0]: https://github.com/MAAP-Project/maap-api-nasa/compare/v3.1.5...v4.0.0
+[v4.1.0]: https://github.com/MAAP-Project/maap-api-nasa/compare/v4.0.0...v4.1.0
+[v4.0.0]: https://github.com/MAAP-Project/maap-api-nasa/compare/v3.1.5...v4.0.0
diff --git a/api/cas/__init__.py → api/auth/__init__.py b/api/cas/__init__.py → api/auth/__init__.py
diff --git a/api/cas/cas_auth.py → api/auth/cas_auth.py b/api/cas/cas_auth.py → api/auth/cas_auth.py
@@ -2,17 +2,15 @@
 
 import flask
 import requests
-from flask import abort, request, Response, json
+from flask import request, json
 from flask_api import status
 from xmltodict import parse
 from flask import current_app
 from .cas_urls import create_cas_proxy_url, create_cas_validate_url, create_cas_proxy_validate_url
 from api.maap_database import db
 from api.models.member import Member
 from api.models.member_session import MemberSession
-from api.models.member_job import MemberJob
 from api import settings
-from functools import wraps
 from Crypto.PublicKey import RSA
 from Crypto.Cipher import PKCS1_v1_5
 from Crypto import Random
@@ -21,7 +19,6 @@
 from api.utils.url_util import proxied_url
 import ast
 
-
 try:
     from urllib import urlopen
 except ImportError:
@@ -31,7 +28,6 @@
 
 PROXY_TICKET_PREFIX = "PGT-"
 
-
 def validate(service, ticket):
     """
     Will attempt to validate the ticket. If validation fails False
@@ -132,15 +128,6 @@ def validate_bearer(token):
     return None
 
 
-def validate_cas_request(token):
-    """
-    Will attempt to validate a CAS machine token. Return True if validation succeeds.
-    """
-
-    current_app.logger.debug("validating cas request token {0}".format(token))
-    return token == settings.CAS_SECRET_KEY
-
-
 def validate_cas_request(cas_url):
 
     xml_from_dict = {}
@@ -214,82 +201,3 @@ def decrypt_proxy_ticket(ticket):
             return ''
 
 
-def get_authorized_user():
-    if 'proxy-ticket' in request.headers:
-        member_session = validate_proxy(request.headers['proxy-ticket'])
-
-        if member_session is not None:
-            return member_session.member
-
-    if 'Authorization' in request.headers:
-        bearer = request.headers.get('Authorization')
-        token = bearer.split()[1]
-        authorized = validate_bearer(token)
-
-        if authorized is not None:
-            return authorized
-
-    return None
-
-
-def login_required(wrapped_function):
-    @wraps(wrapped_function)
-    def wrap(*args, **kwargs):
-
-        if 'proxy-ticket' in request.headers:
-            authorized = validate_proxy(request.headers['proxy-ticket'])
-
-            if authorized is not None:
-                return wrapped_function(*args, **kwargs)
-
-        if 'cpticket' in request.headers:
-            authorized = validate_proxy(request.headers['cpticket'])
-
-            if authorized is not None:
-                return wrapped_function(*args, **kwargs)
-
-        if 'Authorization' in request.headers:
-            bearer = request.headers.get('Authorization')
-            token = bearer.split()[1]
-            authorized = validate_bearer(token)
-
-            if authorized is not None:
-                return wrapped_function(*args, **kwargs)
-
-        if 'cas-authorization' in request.headers:
-            authorized = validate_cas_request(request.headers['cas-authorization'])
-
-            if authorized:
-                return wrapped_function(*args, **kwargs)
-
-        if 'dps-token' in request.headers and valid_dps_request():
-            return wrapped_function(*args, **kwargs)
-
-        abort(status.HTTP_403_FORBIDDEN, description="Not authorized.")
-
-    return wrap
-
-
-def valid_dps_request():
-    if 'dps-token' in request.headers:
-        return settings.DPS_MACHINE_TOKEN == request.headers['dps-token']
-    return False
-
-
-def edl_federated_request(url, stream_response=False):
-    s = requests.Session()
-    response = s.get(url, stream=stream_response)
-
-    if response.status_code == status.HTTP_401_UNAUTHORIZED:
-        maap_user = get_authorized_user()
-
-        if maap_user is not None:
-            urs_token = db.session.query(Member).filter_by(id=maap_user.id).first().urs_token
-            s.headers.update({'Authorization': f'Bearer {urs_token},Basic {settings.MAAP_EDL_CREDS}',
-                              'Connection': 'close'})
-
-            response = s.get(url=response.url, stream=stream_response)
-
-    return response
-
-
diff --git a/api/cas/cas_urls.py → api/auth/cas_urls.py b/api/cas/cas_urls.py → api/auth/cas_urls.py
diff --git a/api/auth/security.py b/api/auth/security.py
@@ -0,0 +1,105 @@
+from functools import wraps
+import requests
+from flask import request, abort
+from flask_api import status
+from api import settings
+from api.auth.cas_auth import validate_proxy, validate_bearer, validate_cas_request
+from api.maap_database import db
+from api.models.member import Member
+from api.models.role import Role
+
+HEADER_PROXY_TICKET = "proxy-ticket"
+HEADER_CP_TICKET = "cpticket"
+HEADER_AUTHORIZATION = "Authorization"
+HEADER_CAS_AUTHORIZATION = "cas-authorization"
+HEADER_DPS_TOKEN = "dps-token"
+MEMBER_STATUS_ACTIVE = "active"
+MEMBER_STATUS_SUSPENDED = "suspended"
+
+
+def get_authorized_user():
+    auth = get_auth_header()
+
+    if auth == HEADER_PROXY_TICKET or auth == HEADER_CP_TICKET:
+        member_session = validate_proxy(request.headers[auth])
+
+        if member_session is not None:
+            return member_session.member
+
+    if auth == HEADER_AUTHORIZATION:
+        bearer = request.headers.get(auth)
+        token = bearer.split()[1]
+        authorized = validate_bearer(token)
+
+        if authorized is not None:
+            return authorized
+
+    return None
+
+
+def login_required(role=Role.ROLE_GUEST):
+    def login_required_outer(wrapped_function):
+        @wraps(wrapped_function)
+        def wrap(*args, **kwargs):
+            auth = get_auth_header()
+
+            if auth == HEADER_PROXY_TICKET or auth == HEADER_CP_TICKET:
+                member_session = validate_proxy(request.headers[auth])
+
+                if member_session is not None and member_session.member.role_id >= role:
+                    return wrapped_function(*args, **kwargs)
+
+            if auth == HEADER_AUTHORIZATION:
+                bearer = request.headers.get(auth)
+                token = bearer.split()[1]
+                authorized = validate_bearer(token)
+
+                if authorized is not None:
+                    return wrapped_function(*args, **kwargs)
+
+            if auth == HEADER_CAS_AUTHORIZATION and validate_cas_request(request.headers[auth]) is not None:
+                return wrapped_function(*args, **kwargs)
+
+            if auth == HEADER_DPS_TOKEN and valid_dps_request():
+                return wrapped_function(*args, **kwargs)
+
+            abort(status.HTTP_403_FORBIDDEN, description="Not authorized.")
+
+        return wrap
+    return login_required_outer
+
+def valid_dps_request():
+    if HEADER_DPS_TOKEN in request.headers:
+        return settings.DPS_MACHINE_TOKEN == request.headers[HEADER_DPS_TOKEN]
+    return False
+
+
+def get_auth_header():
+    if HEADER_PROXY_TICKET in request.headers:
+        return HEADER_PROXY_TICKET
+    if HEADER_CP_TICKET in request.headers:
+        return HEADER_CP_TICKET
+    if HEADER_AUTHORIZATION in request.headers:
+        return HEADER_AUTHORIZATION
+    if HEADER_CAS_AUTHORIZATION in request.headers:
+        return HEADER_CAS_AUTHORIZATION
+    if HEADER_DPS_TOKEN in request.headers:
+        return HEADER_DPS_TOKEN
+    return None
+
+
+def edl_federated_request(url, stream_response=False):
+    s = requests.Session()
+    response = s.get(url, stream=stream_response)
+
+    if response.status_code == status.HTTP_401_UNAUTHORIZED:
+        maap_user = get_authorized_user()
+
+        if maap_user is not None:
+            urs_token = db.session.query(Member).filter_by(id=maap_user.id).first().urs_token
+            s.headers.update({'Authorization': f'Bearer {urs_token},Basic {settings.MAAP_EDL_CREDS}',
+                              'Connection': 'close'})
+
+            response = s.get(url=response.url, stream=stream_response)
+
+    return response