Merge pull request #37 from arXiv/develop

Pre-release merge for v0.3.1

.travis.yml

@@ -13,7 +13,7 @@ before_install:
 - pip install pipenv
 - pipenv install --dev
 script:
-- pipenv install ./users
+- pipenv install ./users --skip-lock
 - "./lintstats.sh"
 - WITH_INTEGRATION=1 pipenv run pytest --cov=accounts --cov=users/arxiv --cov=registry
   --cov=authenticator --cov-report=term-missing accounts users/arxiv registry authenticator

DECISIONS.md

@@ -1,7 +1,20 @@
+# Decision log
+
 1. To minimize complexity, we'll start with a managed Redis cluster in AWS
    ElastiCache. In the future, we may consider running our own HA key-value
    store, and potentially evaluate performance of other backends.
 2. In NG session store, will need to attach auth scope information. For now we
    can decide what "admin", "moderator", etc means and inject the relevant
    scopes. Later on, we will have an RBAC system. We therefore screen off the
    scope-determination concern from the session-creation concern.
+
+## 2019-02-28 Rename ``request.session`` to ``request.auth``
+
+The auth middleware in ``arxiv.users`` package hands the authenticated session
+on ``flask.session``, which clobbers the built-in Flask session interface. This
+is a design flaw that's blocking other work. ARXIVNG-1920
+
+Starting with v0.3.1, set ``AUTH_UPDATED_SESSION_REF=True`` in your
+application config to rename ``request.session`` to ``request.auth``.
+``request.auth`` will be the default name for the authenticated session
+starting in v0.4.1.

Dockerfile-authenticator

@@ -11,7 +11,7 @@ ENV LC_ALL en_US.utf-8
 ENV LANG en_US.utf-8
 RUN pipenv install
 ADD users/ /opt/arxiv/users/
-RUN pipenv install /opt/arxiv/users/
+RUN pipenv install /opt/arxiv/users/ --skip-lock
 
 ENV PATH "/opt/arxiv:${PATH}"
 
@@ -25,9 +25,8 @@ CMD ["--http-socket", ":8000", \
      "-M", \
      "-t 3000", \
      "--manage-script-name", \
-     "--processes", "8", \
+     "--processes", "1", \
      "--threads", "1", \
-     "--async", "100", \
-     "--ugreen", \
+     "--queue", "0", \
      "--mount", "/=wsgi.py", \
      "--logformat", "%(addr) %(addr) - %(user_id)|%(session_id) [%(rtime)] [%(uagent)] \"%(method) %(uri) %(proto)\" %(status) %(size) %(micros) %(ttfb)"]

Dockerfile-registry

@@ -9,11 +9,11 @@ RUN pip install -U pip pipenv
 ENV LC_ALL en_US.utf-8
 ENV LANG en_US.utf-8
 
-ADD Pipfile /opt/arxiv/
+ADD Pipfile Pipfile.lock /opt/arxiv/
 RUN pipenv install
 
 ADD users/ /opt/arxiv/users/
-RUN pipenv install /opt/arxiv/users/
+RUN pipenv install /opt/arxiv/users/ --skip-lock
 
 ENV PATH "/opt/arxiv:${PATH}"
 
@@ -29,9 +29,8 @@ CMD ["uwsgi", "--http-socket", ":8000", \
      "-M", \
      "-t 3000", \
      "--manage-script-name", \
-     "--processes", "8", \
+     "--processes", "1", \
      "--threads", "1", \
-     "--async", "100", \
-     "--ugreen", \
-     "--mount", "/api=wsgi.py", \
+     "--queue", "0", \
+     "--mount", "/=wsgi.py", \
      "--logformat", "%(addr) %(addr) - %(user_id)|%(session_id) [%(rtime)] [%(uagent)] \"%(method) %(uri) %(proto)\" %(status) %(size) %(micros) %(ttfb)"]

Pipfile

@@ -18,24 +18,21 @@ requests = "==2.20.0"
 sqlalchemy = "*"
 uwsgi = "*"
 wtforms = "*"
-arxiv-base = "==0.12.1"
+arxiv-base = "==0.14.3"
 authlib = "*"
 openapi-spec-validator = "*"
-"4010dd8" = {path = "./users"}
 bleach = "*"
 
 [dev-packages]
 mimesis = "==2.1.0"
-mypy = "*"
-pydocstyle = "*"
+mypy = "==0.670"
+pydocstyle = "==2.1.1"
 pylint = "*"
-sphinx = "*"
-sphinx-autodoc-typehints = "*"
 coverage = "*"
 coveralls = "*"
+astroid = "<2.2"
 pytest = "*"
 pytest-cov = "*"
-"nose2" = "*"
 
 [requires]
 python_version = "3.6"

README.md

@@ -34,6 +34,13 @@ TLS is considered an infrastructure concern, and is therefore out of scope
 - Clean up and document authenticator service.
 - Fuzz testing registration?
 
+## Updates
+
+- Starting with v0.3.1, set ``AUTH_UPDATED_SESSION_REF=True`` in your
+  application config to rename ``request.session`` to ``request.auth``.
+  ``request.auth`` will be the default name for the authenticated session
+  starting in v0.4.1.
+
 ## Dependencies
 
 We use pipenv to manage dependencies. To install the dependencies for this

users/arxiv/users/auth/__init__.py

@@ -2,6 +2,7 @@
 
 from typing import Optional, Union
 from datetime import datetime
+import warnings
 from pytz import UTC
 from flask import Flask, request, Response, make_response, redirect, url_for
 from werkzeug.http import parse_cookie
@@ -121,7 +122,19 @@ def load_session(self) -> None:
 
         # Attach the session to the request so that other
         # components can access it easily.
-        request.session = session
+        if self.app.config.get('AUTH_UPDATED_SESSION_REF'):
+            request.auth = session
+        else:
+            # This clobbers the built-in Flask session interface. This is a
+            # design flaw that's blocking other work. This is deprecated and
+            # will be removed in 0.4.1.
+            warnings.warn(
+                "Accessing the authenticated session via request.session is"
+                " deprecated, and will be removed in 0.4.1. Use request.auth"
+                " instead. ARXIVNG-1920.",
+                DeprecationWarning
+            )
+            request.session = session
 
     def detect_and_clobber_dupe_cookies(self) -> Optional[Response]:
         """

users/arxiv/users/auth/tests/test_decorators.py

@@ -79,6 +79,29 @@ def protected():
         with self.assertRaises(Forbidden):
             protected()
 
+    @mock.patch(f'{decorators.__name__}.request')
+    def test_scope_is_present(self, mock_request):
+        """Session has required scope."""
+        mock_request.session = domain.Session(
+            session_id='fooid',
+            start_time=datetime.now(tz=UTC),
+            user=domain.User(
+                user_id='235678',
+                email='foo@foo.com',
+                username='foouser'
+            ),
+            authorizations=domain.Authorizations(
+                scopes=[scopes.VIEW_SUBMISSION, scopes.CREATE_SUBMISSION]
+            )
+        )
+
+        @decorators.scoped(scopes.CREATE_SUBMISSION)
+        def protected():
+            """A protected function."""
+
+        # with self.assertRaises(Forbidden):
+        protected()
+
     @mock.patch(f'{decorators.__name__}.request')
     def test_user_and_client_are_missing(self, mock_request):
         """Session does not user nor client information."""

users/arxiv/users/auth/tests/test_extension.py

@@ -57,10 +57,49 @@ def test_legacy_is_valid(self, mock_request, mock_legacy):
         mock_legacy.sessions.load.return_value = session
 
         inst = auth.Auth(mock_app)
-        inst.load_session()
+        # ARXIVNG-1920 using request.session is deprecated.
+        with self.assertWarns(DeprecationWarning):
+            inst.load_session()
         self.assertEqual(mock_request.session, session,
                          "Session is attached to the request")
 
+    @mock.patch(f'{auth.__name__}.legacy')
+    @mock.patch(f'{auth.__name__}.request')
+    def test_auth_session_rename(self, mock_request, mock_legacy):
+        """
+        The auth session is accessed via ``request.auth``.
+
+        Per ARXIVNG-1920 using ``request.session`` is deprecated.
+        """
+        mock_request.environ = {'session': None}
+        mock_request.cookies = {'foo_cookie': 'sessioncookie123'}
+        mock_app = mock.MagicMock(
+            config={'CLASSIC_COOKIE_NAME': 'foo_cookie',
+                    'AUTH_UPDATED_SESSION_REF': True}
+        )
+        mock_request.session = None
+        mock_request.auth = None
+        mock_legacy.is_configured.return_value = True
+        session = domain.Session(
+            session_id='fooid',
+            start_time=datetime.now(tz=UTC),
+            user=domain.User(
+                user_id='235678',
+                email='foo@foo.com',
+                username='foouser'
+            ),
+            authorizations=domain.Authorizations(
+                scopes=[auth.scopes.VIEW_SUBMISSION]
+            )
+        )
+        mock_legacy.sessions.load.return_value = session
+
+        inst = auth.Auth(mock_app)
+        inst.load_session()
+        self.assertEqual(mock_request.auth, session,
+                         "Session is attached to the request")
+        self.assertIsNone(mock_request.session, "request.session is not set")
+
     @mock.patch(f'{auth.__name__}.request')
     def test_middleware_exception(self, mock_request):
         """Middleware has passed an exception."""

users/arxiv/users/helpers.py

@@ -6,6 +6,7 @@
 import uuid
 from datetime import timedelta, datetime
 from arxiv.users import auth, domain
+from arxiv.base.globals import get_application_config
 
 
 def generate_token(user_id: str, email: str, username: str,
@@ -19,7 +20,8 @@ def generate_token(user_id: str, email: str, username: str,
                    ),
                    submission_groups: str = 'grp_physics',
                    endorsements: List[domain.Category] = [],
-                   scope: List[domain.Scope] = []) -> None:
+                   scope: List[domain.Scope] = [],
+                   verified: bool = False) -> None:
     """Generate an auth token for dev/testing purposes."""
     # Specify the validity period for the session.
     start = datetime.now(tz=timezone('US/Eastern'))
@@ -40,10 +42,11 @@ def generate_token(user_id: str, email: str, username: str,
                 country=country,
                 default_category=default_category,
                 submission_groups=submission_groups.split(',')
-            )
+            ),
+            verified=verified
         ),
-        authorizations=domain.Authorizations(scopes=scope,
+        authorizations=domain.Authorizations(scopes=[str(s) for s in scope],
                                              endorsements=endorsements)
     )
-    token = auth.tokens.encode(session, os.environ['JWT_SECRET'])
+    token = auth.tokens.encode(session, get_application_config()['JWT_SECRET'])
     return token

users/arxiv/users/tests/test_helpers.py

@@ -0,0 +1,43 @@
+"""Tests for :mod:`.helpers`."""
+
+from unittest import TestCase, mock
+import os
+from flask import Flask
+from arxiv import status
+from arxiv.base import Base
+from arxiv.base.middleware import wrap
+from .. import auth, helpers
+
+
+class TestGenerateToken(TestCase):
+    """Tests for :func:`.helpers.generate_token`."""
+
+    @mock.patch(f'{helpers.__name__}.get_application_config')
+    def test_token_is_usable(self, mock_get_config):
+        """Verify that :func:`.helpers.generate_token` makes usable tokens."""
+        mock_get_config.return_value = {'JWT_SECRET': 'thesecret'}
+        os.environ['JWT_SECRET'] = 'thesecret'
+        scope = [auth.scopes.VIEW_SUBMISSION, auth.scopes.EDIT_SUBMISSION,
+                 auth.scopes.CREATE_SUBMISSION]
+        token = helpers.generate_token("1234", "user@foo.com", "theuser",
+                                       scope=scope)
+
+        app = Flask('test')
+        app.config['JWT_SECRET'] = 'thesecret'
+        Base(app)
+        auth.Auth(app)    # <- Install the Auth extension.
+        wrap(app, [auth.middleware.AuthMiddleware])    # <- Install middleware.
+
+        @app.route('/')
+        @auth.decorators.scoped(auth.scopes.EDIT_SUBMISSION)
+        def protected():
+            return "this is protected"
+
+        client = app.test_client()
+        with app.app_context():
+            response = client.get('/')
+            self.assertEqual(response.status_code,
+                             status.HTTP_401_UNAUTHORIZED)
+
+            response = client.get('/', headers={'Authorization': token})
+            self.assertEqual(response.status_code, status.HTTP_200_OK)

users/setup.py

@@ -4,7 +4,7 @@
 
 setup(
     name='arxiv-auth',
-    version='0.2.7',
+    version='0.3.1',
     packages=[f'arxiv.{package}' for package
               in find_packages('./arxiv', exclude=['*test*'])],
     install_requires=[