Manually merge PR113 to adjust apache conf to handle Jupyter access restrictions in the way that fits the active authenticed login sessions. Namely, require a valid OpenID Connect user when already authenticated with that method and only require a valid OpenID 2.0 user when authenticated with that method. Includes unit tests of related functions.

git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6129 b75ad72c-e7d7-11dd-a971-7dbc132099af

Author: jonasbardino

mig/install/apache-MiG-jupyter-oidc-template.conf

@@ -0,0 +1 @@
+__JUPYTER_OIDCS__

mig/install/apache-MiG-template.conf

@@ -1854,7 +1854,7 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
+    # Jupyter OpenID 2.0 auth
     __JUPYTER_COMMENTED__ Include __APACHE_ETC__/conf.extras.d/MiG-jupyter-openid.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
@@ -2456,7 +2456,7 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
+    # Jupyter OpenID 2.0 auth
     __JUPYTER_COMMENTED__ Include __APACHE_ETC__/conf.extras.d/MiG-jupyter-openid.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
@@ -3368,8 +3368,8 @@ __IS_VERIFYCERTS_COMMENTED__ <VirtualHost *:${PUBLIC_HTTP_PORT}>
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
-    __JUPYTER_COMMENTED__ Include __APACHE_ETC__/conf.extras.d/MiG-jupyter-openid.conf
+    # Jupyter OpenID Connect auth
+    __JUPYTER_COMMENTED__ Include __APACHE_ETC__/conf.extras.d/MiG-jupyter-oidc.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
     ### they can override any settings explicitly

mig/shared/install.py

@@ -851,6 +851,7 @@ def _generate_confs_prepare(
     user_dict['__JUPYTER_SERVICES__'] = jupyter_services
     user_dict['__JUPYTER_DEFS__'] = ''
     user_dict['__JUPYTER_OPENIDS__'] = ''
+    user_dict['__JUPYTER_OIDCS__'] = ''
     user_dict['__JUPYTER_REWRITES__'] = ''
     user_dict['__JUPYTER_PROXIES__'] = ''
     user_dict['__JUPYTER_SECTIONS__'] = ''
@@ -1462,8 +1463,8 @@ def _generate_confs_prepare(
         user_dict['__WEBSOCKETS_COMMENTED__'] = ''
 
         # Dynamic apache configuration replacement lists
-        jupyter_sections, jupyter_proxies, jupyter_defs, \
-            jupyter_openids, jupyter_rewrites = [], [], [], [], []
+        jupyter_sections, jupyter_proxies, jupyter_defs = [], [], []
+        jupyter_openids, jupyter_oidcs, jupyter_rewrites = [], [], []
         services = user_dict['__JUPYTER_SERVICES__'].split()
 
         try:
@@ -1542,9 +1543,13 @@ def _generate_confs_prepare(
                 if u_k not in user_dict:
                     user_dict[u_k] = u_v
 
-            # Setup apache openid template
-            openid_template = gen_openid_template(url, def_name)
+            # Setup apache openid 2.0 and openid connect template
+            openid_template = gen_openid_template(url, def_name,
+                                                  auth_type="OpenID")
             jupyter_openids.append(openid_template)
+            oidc_template = gen_openid_template(url, def_name,
+                                                auth_type="openid-connect")
+            jupyter_oidcs.append(oidc_template)
 
             # Setup apache rewrite template
             rewrite_template = gen_rewrite_template(url, def_name, name)
@@ -1590,6 +1595,7 @@ def _generate_confs_prepare(
 
         user_dict['__JUPYTER_DEFS__'] = '\n'.join(jupyter_defs)
         user_dict['__JUPYTER_OPENIDS__'] = '\n'.join(jupyter_openids)
+        user_dict['__JUPYTER_OIDCS__'] = '\n'.join(jupyter_oidcs)
         user_dict['__JUPYTER_REWRITES__'] = '\n'.join(jupyter_rewrites)
         user_dict['__JUPYTER_PROXIES__'] = '\n'.join(jupyter_proxies)
         user_dict['__JUPYTER_SECTIONS__'] = ''.join(jupyter_sections)
@@ -2214,6 +2220,7 @@ def _generate_confs_writefiles(options, user_dict, insert_list=[], cleanup_list=
         ("apache-service-template.conf", "apache2.service"),
         ("apache-MiG-jupyter-def-template.conf", "MiG-jupyter-def.conf"),
         ("apache-MiG-jupyter-openid-template.conf", "MiG-jupyter-openid.conf"),
+        ("apache-MiG-jupyter-oidc-template.conf", "MiG-jupyter-oidc.conf"),
         ("apache-MiG-jupyter-proxy-template.conf", "MiG-jupyter-proxy.conf"),
         ("apache-MiG-jupyter-rewrite-template.conf",
          "MiG-jupyter-rewrite.conf"),
@@ -2337,6 +2344,7 @@ def _generate_confs_instructions(options, user_dict):
 sudo mkdir -p %(apache_etc)s/conf.extras.d
 sudo cp %(destination)s/MiG-jupyter-def.conf %(apache_etc)s/conf.extras.d
 sudo cp %(destination)s/MiG-jupyter-openid.conf %(apache_etc)s/conf.extras.d
+sudo cp %(destination)s/MiG-jupyter-oidc.conf %(apache_etc)s/conf.extras.d
 sudo cp %(destination)s/MiG-jupyter-proxy.conf %(apache_etc)s/conf.extras.d
 sudo cp %(destination)s/MiG-jupyter-rewrite.conf %(apache_etc)s/conf.extras.d
 
@@ -2808,6 +2816,7 @@ def create_user(
     apache_mig_conf = os.path.join(dst, 'MiG.conf')
     apache_jupyter_def = os.path.join(dst, 'MiG-jupyter-def.conf')
     apache_jupyter_openid = os.path.join(dst, 'MiG-jupyter-openid.conf')
+    apache_jupyter_oidc = os.path.join(dst, 'MiG-jupyter-oidc.conf')
     apache_jupyter_proxy = os.path.join(dst, 'MiG-jupyter-proxy.conf')
     apache_jupyter_rewrite = os.path.join(dst, 'MiG-jupyter-rewrite.conf')
     server_conf = os.path.join(dst, 'MiGserver.conf')
@@ -2838,6 +2847,8 @@ def create_user(
         apache_jupyter_def, apache_dir))
     print('sudo cp -f -d %s %s/conf.extras.d/' % (apache_jupyter_openid,
                                                   apache_dir))
+    print('sudo cp -f -d %s %s/conf.extras.d/' % (apache_jupyter_oidc,
+                                                  apache_dir))
     print('sudo cp -f -d %s %s/conf.extras.d/' % (apache_jupyter_proxy,
                                                   apache_dir))
     print('sudo cp -f -d %s %s/conf.extras.d/' % (apache_jupyter_rewrite,

mig/shared/jupyter.py

@@ -1,11 +1,10 @@
-
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
 # --- BEGIN_HEADER ---
 #
 # jupyter - Helper functions for the jupyter service
-# Copyright (C) 2003-2019  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -28,6 +27,10 @@
 
 """ Jupyter service helper functions """
 
+from __future__ import print_function
+from __future__ import absolute_import
+from past.builtins import basestring
+
 
 def gen_balancer_proxy_template(url, define, name, member_hosts,
                                 ws_member_hosts, timeout=600):
@@ -70,7 +73,8 @@ def gen_balancer_proxy_template(url, define, name, member_hosts,
 
     for ws_host in ws_member_hosts:
         fill_helpers['ws_hosts'] += ''.join(['        ', ws_host])
-    print("filling in jupyter gen_balancer_proxy_template with helper: (%s)" % fill_helpers)
+    print("filling in jupyter gen_balancer_proxy_template with helper: (%s)" %
+          fill_helpers)
 
     template = """
 <IfDefine %(define)s>
@@ -101,19 +105,24 @@ def gen_balancer_proxy_template(url, define, name, member_hosts,
 </IfDefine>""" % fill_helpers
     return template
 
-def gen_openid_template(url, define):
-    """ Generates an openid apache configuration section template
-     for a particular jupyter service.
+
+def gen_openid_template(url, define, auth_type):
+    """Generates an openid 2.0 or connect apache configuration section template
+    for a particular jupyter service.
     url: Setting the url_path to where the jupyter service is to be located.
     define: The name of the apache variable containing the 'url' value.
+    auth_type: the apache AuthType for this section (OpenID or openid-connect).
     """
 
     assert isinstance(url, basestring)
     assert isinstance(define, basestring)
+    assert isinstance(auth_type, basestring)
+    assert auth_type in ("OpenID", "openid-connect")
 
     fill_helpers = {
         'url': url,
-        'define': define
+        'define': define,
+        'auth_type': auth_type
     }
     print("filling in jupyter gen_openid_template with helper: (%s)" % fill_helpers)
 
@@ -122,7 +131,7 @@ def gen_openid_template(url, define):
     <Location %(url)s>
         # Pass SSL variables on
         SSLOptions +StdEnvVars
-        AuthType OpenID
+        AuthType %(auth_type)s
         require valid-user
     </Location>
 </IfDefine>

tests/fixture/confs-stdlocal/MiG-jupyter-oidc.conf

@@ -0,0 +1 @@
+

tests/fixture/confs-stdlocal/MiG.conf

@@ -1854,7 +1854,7 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
+    # Jupyter OpenID 2.0 auth
     #Include /etc/apache2/conf.extras.d/MiG-jupyter-openid.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
@@ -2456,7 +2456,7 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
+    # Jupyter OpenID 2.0 auth
     #Include /etc/apache2/conf.extras.d/MiG-jupyter-openid.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
@@ -3368,8 +3368,8 @@ Alias /.well-known/security.txt "/home/mig/state/wwwpublic/.well-known/security.
         SSLOptions +StdEnvVars
     </Directory>
 
-    # Jupyter OpenID auth
-    #Include /etc/apache2/conf.extras.d/MiG-jupyter-openid.conf
+    # Jupyter OpenID Connect auth
+    #Include /etc/apache2/conf.extras.d/MiG-jupyter-oidc.conf
 
     ### The rest are sub-dirs that inherit the general conf above and
     ### they can override any settings explicitly

tests/test_mig_shared_jupyter.py

@@ -0,0 +1,114 @@
+# -*- coding: utf-8 -*-
+#
+# --- BEGIN_HEADER ---
+#
+# test_mig_shared_jupyter - unit test of the corresponding mig shared module
+# Copyright (C) 2003-2024  The MiG Project by the Science HPC Center at UCPH
+#
+# This file is part of MiG.
+#
+# MiG is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# MiG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+# USA.
+#
+# --- END_HEADER ---
+#
+
+"""Unit tests for the migrid module pointed to in the filename"""
+
+import os
+import sys
+import time
+import unittest
+
+sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__))))
+
+from tests.support import TEST_OUTPUT_DIR, MigTestCase, FakeConfiguration, \
+    cleanpath, testmain
+from mig.shared.jupyter import gen_openid_template
+
+
+class MigSharedJupyter(MigTestCase):
+    """Wrap unit tests for the corresponding module"""
+
+    def test_jupyter_gen_openid_template_openid_auth(self):
+        filled = gen_openid_template("/some-jupyter-url", "MyDefine", "OpenID")
+        expected = """
+<IfDefine MyDefine>
+    <Location /some-jupyter-url>
+        # Pass SSL variables on
+        SSLOptions +StdEnvVars
+        AuthType OpenID
+        require valid-user
+    </Location>
+</IfDefine>
+"""
+        self.assertEqual(filled, expected)
+
+    def test_jupyter_gen_openid_template_oidc_auth(self):
+        filled = gen_openid_template("/some-jupyter-url", "MyDefine",
+                                     "openid-connect")
+        expected = """
+<IfDefine MyDefine>
+    <Location /some-jupyter-url>
+        # Pass SSL variables on
+        SSLOptions +StdEnvVars
+        AuthType openid-connect
+        require valid-user
+    </Location>
+</IfDefine>
+"""
+        self.assertEqual(filled, expected)
+
+    def test_jupyter_gen_openid_template_invalid_url_type(self):
+        rejected = False
+        try:
+            filled = gen_openid_template(None, "MyDefine",
+                                         "no-such-auth-type")
+        except AssertionError as err:
+            rejected = True
+        self.assertTrue(rejected)
+
+    def test_jupyter_gen_openid_template_invalid_define_type(self):
+        rejected = False
+        try:
+            filled = gen_openid_template("/some-jupyter-url", None,
+                                         "no-such-auth-type")
+        except AssertionError as err:
+            rejected = True
+        self.assertTrue(rejected)
+
+    def test_jupyter_gen_openid_template_invalid_auth_type(self):
+        rejected = False
+        try:
+            filled = gen_openid_template("/some-jupyter-url", "MyDefine",
+                                         None)
+        except AssertionError as err:
+            rejected = True
+        self.assertTrue(rejected)
+
+    def test_jupyter_gen_openid_template_invalid_auth_val(self):
+        rejected = False
+        try:
+            filled = gen_openid_template("/some-jupyter-url", "MyDefine",
+                                         "no-such-auth-type")
+        except AssertionError as err:
+            rejected = True
+        self.assertTrue(rejected)
+
+    # TODO: add more coverage of module
+
+
+if __name__ == '__main__':
+    testmain()