genenetwork3/gn3, branch auth/implement-authorization-code-flow

genenetwork3/gn3, branch auth/implement-authorization-code-flow GeneNetwork3 REST API for data science and machine learning http://git.genenetwork.org/genenetwork3/atom?h=auth%2Fimplement-authorization-code-flow 2023-05-09T10:15:47+00:00 auth: Implement "Authorization Code Flow" 2023-05-09T10:15:47+00:00 Frederick Muriuki Muriithi 2023-05-08T13:31:38+00:00 urn:sha1:5526f0316c2714d30e47a90f81e0ff686a29042f Implement the "Authorization Code Flow" for the authentication of users. * gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and save the authorisation code. * gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the `AuthorisationCode` model * gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo * gn3/auth/authentication/oauth2/server.py: Register the `AuthorisationCodeGrant` grant with the server. * gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint * gn3/templates/base.html: New HTML Templates of authorisation UI * gn3/templates/common-macros.html: New HTML Templates of authorisation UI * gn3/templates/oauth2/authorise-user.html: New HTML Templates of authorisation UI * main.py: Allow both "code" and "token" response types. auth: Retrieve `system:*` privileges from resource roles 2023-04-27T03:46:48+00:00 Frederick Muriuki Muriithi 2023-04-27T03:33:34+00:00 urn:sha1:f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 With the assignment of `system:*` privileges to roles, we need to check for their existence when doing authorisation. This commit provides a hack for that, seeing as user groups (and the system itself) are not treated as resources, and therefore the way to fetch the privileges is not entirely consistent. auth: List also the non-resource privileges the user has 2023-04-27T03:46:48+00:00 Frederick Muriuki Muriithi 2023-04-27T03:30:46+00:00 urn:sha1:12e9f87753d5ef0d3343a2a92a824f2ace696e4e While creating new group roles, enable the listing of non-resource privileges, e.g. `system:group:*` and `system:user:*` that the user has to allow for them to be used in role creation. auth: Add authorisation checks for role editting. 2023-04-27T02:43:52+00:00 Frederick Muriuki Muriithi 2023-04-27T02:43:52+00:00 urn:sha1:0e96276a56e3a3fdf61d9f409eaac37072bdd292 oauth2: Provide missing `user_editable` argument. 2023-04-27T02:36:06+00:00 Frederick Muriuki Muriithi 2023-04-27T02:36:06+00:00 urn:sha1:53b054787bc2adb679fe6cbf46ee9c20fbbc91ff auth: bug: Provide missing `user_editable` argument. 2023-04-25T07:00:40+00:00 Frederick Muriuki Muriithi 2023-04-25T07:00:40+00:00 urn:sha1:9556a73c3b0a9419cc20f3beb26ae9260ec64d88 auth: provide `user_editable` flag in dictified output 2023-04-25T06:53:30+00:00 Frederick Muriuki Muriithi 2023-04-25T06:53:30+00:00 urn:sha1:27ab5b141e3cdb6ca83c551c163cd9fd3008ad3c auth: Roles: Check for editability 2023-04-25T06:42:36+00:00 Frederick Muriuki Muriithi 2023-04-25T06:42:36+00:00 urn:sha1:8471ed1187a8abc5e28207776c5f49a59ba24b92 Some roles should not be user-editable, and as such, we need to check before allowing any edits on such roles. This commit makes that possible. auth: Return the actual privileges for the user 2023-04-24T08:45:45+00:00 Frederick Muriuki Muriithi 2023-04-24T08:45:45+00:00 urn:sha1:3e2198e39bc229553d118f367fbd2f9932a9a76b Previously, the `oauth2/data/authorisation` endpoint was returning hard-coded values for the privileges assigned to the user for each resource. In this change, we rework to return the actual privileges for the user. logging: Set LOG LEVEL on root logger to enable logs 2023-04-21T07:27:59+00:00 Frederick Muriuki Muriithi 2023-04-21T07:27:59+00:00 urn:sha1:993420e616e143684deb1c11565b6a8286cde37f