From c871b5019ebaf1c57e7c9666b741cfa6a5393942 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 23 May 2024 09:40:16 -0500
Subject: Bug: Compute numeric timestamp for the claims.

---
 gn2/wqflask/oauth2/toplevel.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 23965cc1..f0179250 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -47,7 +47,7 @@ def authorisation_code():
                     "iss": str(oauth2_clientid()),
                     "sub": request.args["user_id"],
                     "aud": urljoin(authserver_uri(), "auth/token"),
-                    "exp": (issued + datetime.timedelta(minutes=5)),
+                    "exp": (issued + datetime.timedelta(minutes=5)).timestamp(),
                     "nbf": int(issued.timestamp()),
                     "iat": int(issued.timestamp()),
                     "jti": str(uuid.uuid4())},
-- 
cgit v1.2.3


From 111593d7e1685db33188eb03685210db6656c0c8 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 3 Jun 2024 16:10:01 -0500
Subject: Ensure endpoint returns a response.

---
 gn2/wqflask/oauth2/users.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/users.py b/gn2/wqflask/oauth2/users.py
index 8a935170..ed88aaa4 100644
--- a/gn2/wqflask/oauth2/users.py
+++ b/gn2/wqflask/oauth2/users.py
@@ -84,7 +84,8 @@ def logout():
             f"{the_session['masquerading']['name']} "
             f"({the_session['masquerading']['email']})",
             "alert-success")
-        return redirect("/")
+
+    return redirect("/")
 
 @users.route("/register", methods=["GET", "POST"])
 def register_user():
-- 
cgit v1.2.3


From 67df44ac2df9f05da22634f04eaaf29393710e9f Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 4 Jun 2024 12:05:08 -0500
Subject: Provide client data used for user verification.

---
 gn2/wqflask/oauth2/users.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/users.py b/gn2/wqflask/oauth2/users.py
index ed88aaa4..520a13c5 100644
--- a/gn2/wqflask/oauth2/users.py
+++ b/gn2/wqflask/oauth2/users.py
@@ -1,6 +1,6 @@
 import requests
 from uuid import UUID
-from urllib.parse import urljoin
+from urllib.parse import urljoin, urlparse
 
 from authlib.integrations.base_client.errors import OAuthError
 from flask import (
@@ -11,10 +11,16 @@ from . import client
 from . import session
 from .ui import render_ui
 from .checks import require_oauth2
-from .client import (oauth2_get, oauth2_post, oauth2_client,
-                     authserver_uri, user_logged_in)
-from .request_utils import (
-    user_details, request_error, process_error, with_flash_error)
+from .client import (oauth2_get,
+                     oauth2_post,
+                     oauth2_client,
+                     authserver_uri,
+                     user_logged_in)
+from .request_utils import (user_details,
+                            request_error,
+                            process_error,
+                            with_flash_error,
+                            authserver_authorise_uri)
 
 users = Blueprint("user", __name__)
 
@@ -106,7 +112,10 @@ def register_user():
             "user_name": form.get("user_name"),
             "email": form.get("email_address"),
             "password": form.get("password"),
-            "confirm_password": form.get("confirm_password")})
+            "confirm_password": form.get("confirm_password"),
+            **dict(
+                item.split("=") for item in
+                urlparse(authserver_authorise_uri()).query.split("&"))})
     results = response.json()
     if "error" in results:
         error_messages = tuple(
-- 
cgit v1.2.3


From 2439a4a0af29a57adc55fec093e4231c7b320ff6 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 5 Jun 2024 16:12:35 -0500
Subject: Build phenotype results template URI on backend

Build the template URI on the backend to remove the need to remember
to update the javascript if the URI changes in the future.
---
 gn2/wqflask/oauth2/data.py                                  | 4 +++-
 gn2/wqflask/static/new/javascript/auth/search_phenotypes.js | 4 ++--
 gn2/wqflask/templates/oauth2/data-list-phenotype.html       | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/data.py b/gn2/wqflask/oauth2/data.py
index 29d68be0..b7c7800c 100644
--- a/gn2/wqflask/oauth2/data.py
+++ b/gn2/wqflask/oauth2/data.py
@@ -70,7 +70,9 @@ def __search_phenotypes__(query, template, **kwargs):
             selected_traits=selected_traits, search_results=search_results,
             search_endpoint=urljoin(
                 authserver_uri(), "auth/data/search"),
-            gn_server_url = authserver_uri(),
+            auth_server_url=authserver_uri(),
+            pheno_results_template=urljoin(
+                authserver_uri(), "auth/data/search/phenotype/<jobid>"),
             results_endpoint=urljoin(
                 authserver_uri(),
                 f"auth/data/search/phenotype/{job_id}"),
diff --git a/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js b/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
index 99ecb16e..e9ef2683 100644
--- a/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
+++ b/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
@@ -96,8 +96,8 @@ function display_search_results(data, textStatus, jqXHR) {
  * @param {UUID}: The job id to fetch data for
  */
 function fetch_search_results(job_id, success, error=default_error_fn) {
-    host = $("#frm-search-traits").attr("data-gn-server-url");
-    endpoint = host + "auth/data/search/phenotype/" + job_id
+    endpoint = $("#frm-search-traits").attr(
+        "data-pheno-results-template").replace("<jobid>", job_id);
     $("#txt-search").prop("disabled", true);
     $.ajax(
 	endpoint,
diff --git a/gn2/wqflask/templates/oauth2/data-list-phenotype.html b/gn2/wqflask/templates/oauth2/data-list-phenotype.html
index e5172c70..b23c16e2 100644
--- a/gn2/wqflask/templates/oauth2/data-list-phenotype.html
+++ b/gn2/wqflask/templates/oauth2/data-list-phenotype.html
@@ -113,7 +113,7 @@
     <form id="frm-search-traits"
 	  action="#"
 	  method="POST"
-	  data-gn-server-url="{{gn_server_url}}">
+          data-pheno-results-template="{{pheno_results_template}}">
       {%if dataset_type == "mrna"%}
       <legend>mRNA: Search</legend>
       {%else%}
-- 
cgit v1.2.3


From 16b9ccc56a99f1290825c36b3788590a585920a6 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 5 Jun 2024 16:37:12 -0500
Subject: Build search URI endpoint on server rather than on JS

To help with maintenance, build the search URI on the server rather
than in the javascript.
---
 gn2/wqflask/oauth2/data.py                                  | 2 +-
 gn2/wqflask/static/new/javascript/auth/search_phenotypes.js | 2 +-
 gn2/wqflask/templates/oauth2/data-list-phenotype.html       | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/data.py b/gn2/wqflask/oauth2/data.py
index b7c7800c..767de1a3 100644
--- a/gn2/wqflask/oauth2/data.py
+++ b/gn2/wqflask/oauth2/data.py
@@ -69,7 +69,7 @@ def __search_phenotypes__(query, template, **kwargs):
             template, traits=[], per_page=per_page, query=query,
             selected_traits=selected_traits, search_results=search_results,
             search_endpoint=urljoin(
-                authserver_uri(), "auth/data/search"),
+                request.host_url, "oauth2/data/phenotype/search"),
             auth_server_url=authserver_uri(),
             pheno_results_template=urljoin(
                 authserver_uri(), "auth/data/search/phenotype/<jobid>"),
diff --git a/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js b/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
index e9ef2683..8689af75 100644
--- a/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
+++ b/gn2/wqflask/static/new/javascript/auth/search_phenotypes.js
@@ -119,7 +119,7 @@ function search_phenotypes() {
     per_page = document.getElementById("txt-per-page").value
     search_table = new TableDataSource(
 	"#tbl-phenotypes", "data-traits", search_checkbox);
-    endpoint = "/auth/data/phenotype/search"
+    endpoint = endpoint = $("#frm-search-traits").attr("data-search-endpoint");
     $.ajax(
 	endpoint,
 	{
diff --git a/gn2/wqflask/templates/oauth2/data-list-phenotype.html b/gn2/wqflask/templates/oauth2/data-list-phenotype.html
index b23c16e2..d355f3f9 100644
--- a/gn2/wqflask/templates/oauth2/data-list-phenotype.html
+++ b/gn2/wqflask/templates/oauth2/data-list-phenotype.html
@@ -113,6 +113,7 @@
     <form id="frm-search-traits"
 	  action="#"
 	  method="POST"
+          data-search-endpoint="{{search_endpoint}}"
           data-pheno-results-template="{{pheno_results_template}}">
       {%if dataset_type == "mrna"%}
       <legend>mRNA: Search</legend>
-- 
cgit v1.2.3


From b22d5baffb236c522ff8469f3495b63912201094 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 5 Jun 2024 16:38:21 -0500
Subject: Bug: Add missing data to search query.

---
 gn2/wqflask/oauth2/data.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/data.py b/gn2/wqflask/oauth2/data.py
index 767de1a3..16e5f60c 100644
--- a/gn2/wqflask/oauth2/data.py
+++ b/gn2/wqflask/oauth2/data.py
@@ -124,6 +124,7 @@ def json_search_mrna() -> Response:
 @data.route("/phenotype/search", methods=["POST"])
 def json_search_phenotypes() -> Response:
     """Search for phenotypes."""
+    from gn2.utility.tools import GN_SERVER_URL
     form = request.json
     def __handle_error__(err):
         error = process_error(err)
@@ -138,6 +139,7 @@ def json_search_phenotypes() -> Response:
             "per_page": int(form.get("per_page", 50)),
             "page": int(form.get("page", 1)),
             "auth_server_uri": authserver_uri(),
+            "gn3_server_uri": GN_SERVER_URL,
             "selected_traits": form.get("selected_traits", [])
         }).either(__handle_error__, jsonify)
 
-- 
cgit v1.2.3


From 503795f16fbed1b5e6ea7ecffeb1a25cf3548d8e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 6 Jun 2024 10:10:38 -0500
Subject: Deactivate the "create_role" function

The `create_role` function could lead to privilege escalation. This
commit deactivates it completely to prevent the chance of that
happening.
---
 gn2/wqflask/oauth2/roles.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index 2fe35f9b..ee75475e 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -93,7 +93,12 @@ def create_role():
     def __create_success__(*args):
         flash("Role created successfully.", "alert-success")
         return redirect(url_for("oauth2.role.user_roles"))
-    return oauth2_post(
-        "auth/group/role/create",data={
-            "role_name": role_name, "privileges[]": privileges}).either(
-        __create_error__,__create_success__)
+
+    raise DeprecationWarning(
+        f"The `{__name__}.create_role(…)` function, as is currently, can "
+        "lead to unbounded privilege escalation. See "
+        "https://issues.genenetwork.org/issues/gn-auth/problems-with-roles")
+    # return oauth2_post(
+    #     "auth/group/role/create",data={
+    #         "role_name": role_name, "privileges[]": privileges}).either(
+    #     __create_error__,__create_success__)
-- 
cgit v1.2.3


From e4fc0eb4ed80931bbd36f3777b06d9343a2008d0 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 6 Jun 2024 10:14:02 -0500
Subject: Remove the "Roles" page.

---
 gn2/wqflask/oauth2/roles.py                   | 25 -------------------------
 gn2/wqflask/templates/oauth2/profile_nav.html |  7 -------
 2 files changed, 32 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index ee75475e..b0f990c7 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -10,31 +10,6 @@ from .request_utils import request_error, process_error
 
 roles = Blueprint("role", __name__)
 
-@roles.route("/user", methods=["GET"])
-@require_oauth2
-def user_roles():
-    def  __grerror__(roles, user_privileges, error):
-        return render_ui(
-            "oauth2/list_roles.html", roles=roles,
-            user_privileges=user_privileges,
-            group_roles_error=process_error(error))
-
-    def  __grsuccess__(roles, user_privileges, group_roles):
-        return render_ui(
-            "oauth2/list_roles.html", roles=roles,
-            user_privileges=user_privileges, group_roles=group_roles)
-
-    def __role_success__(roles):
-        uprivs = tuple(
-            privilege["privilege_id"] for role in roles
-            for privilege in role["privileges"])
-        return oauth2_get("auth/group/roles").either(
-            lambda err: __grerror__(roles, uprivs, err),
-            lambda groles: __grsuccess__(roles, uprivs, groles))
-
-    return oauth2_get("auth/system/roles").either(
-        request_error, __role_success__)
-
 @roles.route("/role/<uuid:role_id>", methods=["GET"])
 @require_oauth2
 def role(role_id: uuid.UUID):
diff --git a/gn2/wqflask/templates/oauth2/profile_nav.html b/gn2/wqflask/templates/oauth2/profile_nav.html
index aa752905..c79bccbc 100644
--- a/gn2/wqflask/templates/oauth2/profile_nav.html
+++ b/gn2/wqflask/templates/oauth2/profile_nav.html
@@ -16,13 +16,6 @@
     <a href="{{url_for('oauth2.group.user_group')}}">Group</a>
   </li>
 
-  <li role="presentation"
-      {%if calling_page == "roles"%}
-      class="active"
-      {%endif%}>
-    <a href="{{url_for('oauth2.role.user_roles')}}">Roles</a>
-  </li>
-
   <li role="presentation"
       {%if calling_page == "resources"%}
       class="active"
-- 
cgit v1.2.3


From f0e1c1305f9613f214b40da77de5bd9222f2359e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 6 Jun 2024 16:40:41 -0500
Subject: Fix displayed error message

---
 gn2/wqflask/oauth2/request_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/request_utils.py b/gn2/wqflask/oauth2/request_utils.py
index 1cdc465f..456aba2b 100644
--- a/gn2/wqflask/oauth2/request_utils.py
+++ b/gn2/wqflask/oauth2/request_utils.py
@@ -36,7 +36,7 @@ def process_error(error: Response,
         try:
             err = error.json()
             msg = err.get(
-                "error", err.get("error_description", f"{error.reason}"))
+                "error_message", err.get("error_description", f"{error.reason}"))
         except simplejson.errors.JSONDecodeError as _jde:
             msg = message
         return {
-- 
cgit v1.2.3


From bc50d737fcf9ede661760a0dbeee124403962044 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 7 Jun 2024 12:34:35 -0500
Subject: Update UI: Use resource roles rather than obsolete group roles

In a fix to fix a privilege-escalation bug, the `…/group/roles`
endpoint was entirely removed and replaced with the less error-prone
`…/resource/…/roles` endpoint. This commit updates the code to use the
new endpoint's data as appropriate.

We also fix typos in some url_for routing arguments.
---
 gn2/wqflask/oauth2/resources.py                 | 29 +++++++++++++------------
 gn2/wqflask/templates/oauth2/view-resource.html | 18 +++++++--------
 2 files changed, 24 insertions(+), 23 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 32efbd2a..afba2526 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -67,39 +67,40 @@ def view_resource(resource_id: uuid.UUID):
                             int(request.args.get("page", "1"), base=10))
     count_per_page = int(request.args.get("count_per_page", "100"), base=10)
     def __users_success__(
-            resource, unlinked_data, users_n_roles, this_user, group_roles,
+            resource, unlinked_data, users_n_roles, this_user, resource_roles,
             users):
         return render_ui(
             "oauth2/view-resource.html", resource=resource,
             unlinked_data=unlinked_data, users_n_roles=users_n_roles,
-            this_user=this_user, group_roles=group_roles, users=users,
+            this_user=this_user, resource_roles=resource_roles, users=users,
             page=page, count_per_page=count_per_page)
 
-    def __group_roles_success__(
-            resource, unlinked_data, users_n_roles, this_user, group_roles):
+    def __resource_roles_success__(
+            resource, unlinked_data, users_n_roles, this_user, resource_roles):
         return oauth2_get("auth/user/list").either(
             lambda err: render_ui(
                 "oauth2/view-resource.html", resource=resource,
                 unlinked_data=unlinked_data, users_n_roles=users_n_roles,
-                this_user=this_user, group_roles=group_roles,
+                this_user=this_user, resource_roles=resource_roles,
                 users_error=process_error(err), count_per_page=count_per_page),
             lambda users: __users_success__(
-                resource, unlinked_data, users_n_roles, this_user, group_roles,
+                resource, unlinked_data, users_n_roles, this_user, resource_roles,
                 users))
 
     def __this_user_success__(resource, unlinked_data, users_n_roles, this_user):
-        return oauth2_get("auth/group/roles").either(
+        return oauth2_get(f"auth/resource/{resource_id}/roles").either(
             lambda err: render_ui(
-                "oauth2/view-resources.html", resource=resource,
+                "oauth2/view-resource.html", resource=resource,
                 unlinked_data=unlinked_data, users_n_roles=users_n_roles,
-                this_user=this_user, group_roles_error=process_error(err)),
-            lambda groles: __group_roles_success__(
-                resource, unlinked_data, users_n_roles, this_user, groles))
+                this_user=this_user, resource_roles_error=process_error(err),
+                count_per_page=count_per_page),
+            lambda rroles: __resource_roles_success__(
+                resource, unlinked_data, users_n_roles, this_user, rroles))
 
     def __users_n_roles_success__(resource, unlinked_data, users_n_roles):
         return oauth2_get("auth/user/").either(
             lambda err: render_ui(
-                "oauth2/view-resources.html",
+                "oauth2/view-resource.html",
                 this_user_error=process_error(err)),
             lambda usr_dets: __this_user_success__(
                 resource, unlinked_data, users_n_roles, usr_dets))
@@ -229,7 +230,7 @@ def assign_role(resource_id: uuid.UUID) -> Response:
             }).either(__assign_error__, __assign_success__)
     except AssertionError as aserr:
         flash(aserr.args[0], "alert-danger")
-        return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id))
+        return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id))
 
 @resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
 @require_oauth2
@@ -260,7 +261,7 @@ def unassign_role(resource_id: uuid.UUID) -> Response:
             }).either(__unassign_error__, __unassign_success__)
     except AssertionError as aserr:
         flash(aserr.args[0], "alert-danger")
-        return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id))
+        return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id))
 
 @resources.route("/toggle/<uuid:resource_id>", methods=["POST"])
 @require_oauth2
diff --git a/gn2/wqflask/templates/oauth2/view-resource.html b/gn2/wqflask/templates/oauth2/view-resource.html
index d17f1ddf..6ae5af56 100644
--- a/gn2/wqflask/templates/oauth2/view-resource.html
+++ b/gn2/wqflask/templates/oauth2/view-resource.html
@@ -309,8 +309,8 @@
 
     <div class="row">
       <h3>Assign</h3>
-      {%if group_roles_error is defined%}
-      {{display_error("Group Roles", group_roles_error)}}
+      {%if resource_roles_error is defined%}
+      {{display_error("Resource Roles", resource_roles_error)}}
       {%elif users_error is defined%}
       {{display_error("Users", users_error)}}
       {%else%}
@@ -320,13 +320,13 @@
 	    method="POST" autocomplete="off">
 	<input type="hidden" name="resource_id" value="{{resource_id}}" />
 	<div class="form-group">
-	  <label for="group_role_id" class="form-label">Role</label>
-	  <select class="form-control" name="group_role_id"
-		  id="group_role_id" required="required">
-	    <option value="">Select role</option>
-	    {%for grole in group_roles%}
-	    <option value="{{grole.group_role_id}}">
-	      {{grole.role.role_name}}
+	  <label for="role_id" class="form-label">Role</label>
+	  <select class="form-control" name="role_id"
+		  id="role_id" required="required">
+	    <option value="">Select role</option>>
+	    {%for rrole in resource_roles%}
+	    <option value="{{rrole.role_id}}">
+	      {{rrole.role_name}}
 	    </option>
 	    {%endfor%}
 	  </select>
-- 
cgit v1.2.3


From 53ab737c158fe1a8e87ee80d5b7fc6983c901115 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 12:29:51 -0500
Subject: Set default headers for OAuth2Client requests.

---
 gn2/wqflask/oauth2/client.py | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 75e438cc..876ecf6b 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -70,12 +70,18 @@ def __no_token__(_err) -> Left:
     resp.status_code = 400
     return Left(resp)
 
-def oauth2_get(uri_path: str, data: dict = {},
-               jsonify_p: bool = False, **kwargs) -> Either:
+def oauth2_get(
+        uri_path: str,
+        data: dict = {},
+        jsonify_p: bool = False,
+        headers: dict = {"Content-Type": "application/json"},
+        **kwargs
+) -> Either:
     def __get__(token) -> Either:
         resp = oauth2_client().get(
             urljoin(authserver_uri(), uri_path),
             data=data,
+            headers=headers,
             **kwargs)
         if resp.status_code == 200:
             if jsonify_p:
@@ -87,11 +93,18 @@ def oauth2_get(uri_path: str, data: dict = {},
     return session.user_token().either(__no_token__, __get__)
 
 def oauth2_post(
-        uri_path: str, data: Optional[dict] = None, json: Optional[dict] = None,
-        **kwargs) -> Either:
+        uri_path: str,
+        data: Optional[dict] = None,
+        json: Optional[dict] = None,
+        headers: dict = {"Content-Type": "application/json"},
+        **kwargs
+) -> Either:
     def __post__(token) -> Either:
         resp = oauth2_client().post(
-            urljoin(authserver_uri(), uri_path), data=data, json=json,
+            urljoin(authserver_uri(), uri_path),
+            data=data,
+            json=json,
+            headers=headers,
             **kwargs)
         if resp.status_code == 200:
             return Right(resp.json())
@@ -100,10 +113,14 @@ def oauth2_post(
 
     return session.user_token().either(__no_token__, __post__)
 
-def no_token_get(uri_path: str, **kwargs) -> Either:
+def no_token_get(
+        uri_path: str,
+        headers: dict = {"Content-Type": "application/json"},
+        **kwargs
+) -> Either:
     uri = urljoin(authserver_uri(), uri_path)
     try:
-        resp = requests.get(uri, **kwargs)
+        resp = requests.get(uri, headers=headers, **kwargs)
         if resp.status_code == 200:
             return Right(resp.json())
         return Left(resp)
-- 
cgit v1.2.3


From a4d148887f8618f4b21748d32c17109dcff95404 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 12:33:05 -0500
Subject: Generalise `render_ur` for the resources pages

---
 gn2/wqflask/oauth2/resources.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index afba2526..42fdae37 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -4,7 +4,7 @@ from flask import (
     flash, request, url_for, redirect, Response, Blueprint)
 
 from . import client
-from .ui import render_ui
+from .ui import render_ui as _render_ui
 from .checks import require_oauth2
 from .client import oauth2_get, oauth2_post
 from .request_utils import (
@@ -12,6 +12,9 @@ from .request_utils import (
 
 resources = Blueprint("resource", __name__)
 
+def render_ui(template, **kwargs):
+    return _render_ui(template, uipages="resources", **kwargs)
+
 @resources.route("/", methods=["GET"])
 @require_oauth2
 def user_resources():
-- 
cgit v1.2.3


From 8d25673a2256e1fb0a45d62e582865bcfd84ec35 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 12:34:12 -0500
Subject: Implement "Resource Role Page"

Show the page, providing all UI elements necessary, even if the
elements themselves are not active.
---
 gn2/wqflask/oauth2/resources.py                    | 35 ++++++++
 .../templates/oauth2/view-resource-role.html       | 98 ++++++++++++++++++++++
 gn2/wqflask/templates/oauth2/view-resource.html    |  6 +-
 3 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 gn2/wqflask/templates/oauth2/view-resource-role.html

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 42fdae37..70b49375 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -296,3 +296,38 @@ def edit_resource(resource_id: uuid.UUID):
 def delete_resource(resource_id: uuid.UUID):
     """Delete the given resource."""
     return "WOULD DELETE THE GIVEN RESOURCE"
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>", methods=["GET"])
+@require_oauth2
+def view_resource_role(resource_id: uuid.UUID, role_id: uuid.UUID):
+    """View resource role page."""
+    def __render_template__(**kwargs):
+        return render_ui("oauth2/view-resource-role.html", **kwargs)
+
+    def __fetch_all_roles__(resource, role):
+        return oauth2_get(f"auth/resource/{resource_id}/roles").either(
+            lambda error: __render_template__(
+                all_roles_error=process_error(error)),
+            lambda all_roles: __render_template__(
+                resource=resource,
+                role=role,
+                unassigned_privileges=[
+                    priv for role in all_roles
+                    for priv in role["privileges"]
+                    if priv not in role["privileges"]
+                ]))
+
+    def __fetch_resource_role__(resource):
+        return oauth2_get(
+        f"auth/resource/{resource_id}/role/{role_id}").either(
+            lambda error: __render_template__(
+                resource=resource,
+                role_id=role_id,
+                role_error=process_error(error)),
+            lambda role: __fetch_all_roles__(resource, role))
+
+    return oauth2_get(
+        f"auth/resource/view/{resource_id}").either(
+            lambda error: __render_template__(
+                resource_error=process_error(error)),
+            lambda resource: __fetch_resource_role__(resource=resource))
diff --git a/gn2/wqflask/templates/oauth2/view-resource-role.html b/gn2/wqflask/templates/oauth2/view-resource-role.html
new file mode 100644
index 00000000..05df41d6
--- /dev/null
+++ b/gn2/wqflask/templates/oauth2/view-resource-role.html
@@ -0,0 +1,98 @@
+{%extends "base.html"%}
+{%from "oauth2/profile_nav.html" import profile_nav%}
+{%from "oauth2/display_error.html" import display_error%}
+{%block title%}View User{%endblock%}
+{%block content%}
+
+{%macro unassign_button(resource_id, role_id, privilege_id)%}
+<form method="POST"
+      action="#"
+      id="frm_unlink_privilege_{{privilege_id}}">
+  <input type="hidden" name="resource_id" value="{{resource_id}}" />
+  <input type="hidden" name="role_id" value="{{role_id}}" />
+  <input type="hidden" name="privilege_id" value="{{privilege_id}}" />
+  <input type="submit" value="Unassign" class="btn btn-danger" />
+</form>
+{%endmacro%}
+
+<div class="container">
+  {{profile_nav(uipages, user_privileges)}}
+  {%if resource_error is defined%}
+  {{display_error("Resource", resource_error)}}
+  {%else%}
+  <h3>Role for Resource '{{resource.resource_name}}'</h3>
+  {%if role_error is defined%}
+  {{display_error("Role", role_error)}}
+  {%else%}
+  <table class="table">
+    <caption>Role '{{role.role_name}}' for resource '{{resource.resource_name}}'</caption>
+    <thead>
+      <tr>
+        <th>Role Name</th>
+        <th>Privilege</th>
+        <th>Action</th>
+      </tr>
+    </thead>
+
+    <tbody>
+      {%for priv in role.privileges%}
+      {%if loop.index0 == 0%}
+      <tr>
+        <td rowspan="{{role.privileges | length}}"
+            style="text-align: center;vertical-align: middle;">
+          {{role.role_name}}</td>
+        <td>{{priv.privilege_description}}</td>
+        <td>{{unassign_button(resource.resource_id, role.role_id, priv.privilege_id)}}</td>
+      </tr>
+      {%else%}
+      <tr>
+        <td>{{priv.privilege_description}}</td>
+        <td>{{unassign_button(resource.resource_id, role.role_id, priv.privilege_id)}}</td>
+      </tr>
+      {%endif%}
+      {%else%}
+      <tr>
+        <td colspan="3">
+          <p class="text-info">
+            <strong>{{title}}</strong>:
+            <span class="glyphicon glyphicon-info-sign text-info"></span>
+            &nbsp;
+            This role has no privileges.
+          </p>
+        </td>
+      </tr>
+      {%endfor%}
+    </tbody>
+  </table>
+
+  <form id="frm_assign_privileges" method="POST" action="#">
+    <input type="hidden" name="resource_id" value="{{resource_id}}" />
+    <input type="hidden" name="role_id" value="{{role_id}}" />
+    {%if unassigned_privileges | length == 0%}
+    <p class="text-info">
+      <strong>{{title}}</strong>:
+      <span class="glyphicon glyphicon-info-sign text-info"></span>
+      &nbsp;
+      There are no more privileges left to assign.
+    </p>
+    {%else%}
+    <fieldset>
+      <legend>Select privileges to assign to this role</legend>
+      {%for priv in unassigned_privileges%}
+      <div class="checkbox">
+        <label for="rdo_{{priv.privilege_id}}">
+          <input type="checkbox" value="{{priv.privilege_id}}" />
+          {{priv.privilege_description}}
+        </label>
+      </div>
+      {%endfor%}
+    </fieldset>
+
+    <input type="submit" class="btn btn-primary" value="Assign" />
+    {%endif%}
+  </form>
+  {%endif%}
+  {%endif%}
+</div>
+
+{%endblock%}
diff --git a/gn2/wqflask/templates/oauth2/view-resource.html b/gn2/wqflask/templates/oauth2/view-resource.html
index 451bfbd7..25cac6ff 100644
--- a/gn2/wqflask/templates/oauth2/view-resource.html
+++ b/gn2/wqflask/templates/oauth2/view-resource.html
@@ -237,7 +237,11 @@
       <h3>Available Resource Roles</h3>
       <div class="resource_roles">
         {%for role in resource_roles%}
-        <a class="pill" href="#" title="Role page for role named '{{role.role_name}}'">
+        <a class="pill"
+           href="{{url_for('oauth2.resource.view_resource_role',
+                 resource_id=resource.resource_id,
+                 role_id=role.role_id)}}"
+           title="Role page for role named '{{role.role_name}}'">
           {{role.role_name}}
         </a>
         {%endfor%}
-- 
cgit v1.2.3


From a22e30491d04aed31416b3e2edc40c9e2b0d348c Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 15:55:55 -0500
Subject: Import the UUID class directly.

---
 gn2/wqflask/oauth2/resources.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 70b49375..34b11235 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -1,4 +1,4 @@
-import uuid
+from uuid import UUID
 
 from flask import (
     flash, request, url_for, redirect, Response, Blueprint)
@@ -64,7 +64,7 @@ def __compute_page__(submit, current_page):
 
 @resources.route("/view/<uuid:resource_id>", methods=["GET"])
 @require_oauth2
-def view_resource(resource_id: uuid.UUID):
+def view_resource(resource_id: UUID):
     """View the given resource."""
     page = __compute_page__(request.args.get("submit"),
                             int(request.args.get("page", "1"), base=10))
@@ -206,7 +206,7 @@ def unlink_data_from_resource():
 
 @resources.route("<uuid:resource_id>/user/assign", methods=["POST"])
 @require_oauth2
-def assign_role(resource_id: uuid.UUID) -> Response:
+def assign_role(resource_id: UUID) -> Response:
     form = request.form
     group_role_id = form.get("group_role_id", "")
     user_email = form.get("user_email", "")
@@ -237,7 +237,7 @@ def assign_role(resource_id: uuid.UUID) -> Response:
 
 @resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
 @require_oauth2
-def unassign_role(resource_id: uuid.UUID) -> Response:
+def unassign_role(resource_id: UUID) -> Response:
     form = request.form
     group_role_id = form.get("group_role_id", "")
     user_id = form.get("user_id", "")
@@ -268,7 +268,7 @@ def unassign_role(resource_id: uuid.UUID) -> Response:
 
 @resources.route("/toggle/<uuid:resource_id>", methods=["POST"])
 @require_oauth2
-def toggle_public(resource_id: uuid.UUID):
+def toggle_public(resource_id: UUID):
     """Toggle the given resource's public status."""
     def __handle_error__(err):
         flash_error(process_error(err))
@@ -287,19 +287,19 @@ def toggle_public(resource_id: uuid.UUID):
 
 @resources.route("/edit/<uuid:resource_id>", methods=["GET"])
 @require_oauth2
-def edit_resource(resource_id: uuid.UUID):
+def edit_resource(resource_id: UUID):
     """Edit the given resource."""
     return "WOULD Edit THE GIVEN RESOURCE'S DETAILS"
 
 @resources.route("/delete/<uuid:resource_id>", methods=["GET"])
 @require_oauth2
-def delete_resource(resource_id: uuid.UUID):
+def delete_resource(resource_id: UUID):
     """Delete the given resource."""
     return "WOULD DELETE THE GIVEN RESOURCE"
 
 @resources.route("/<uuid:resource_id>/role/<uuid:role_id>", methods=["GET"])
 @require_oauth2
-def view_resource_role(resource_id: uuid.UUID, role_id: uuid.UUID):
+def view_resource_role(resource_id: UUID, role_id: UUID):
     """View resource role page."""
     def __render_template__(**kwargs):
         return render_ui("oauth2/view-resource-role.html", **kwargs)
-- 
cgit v1.2.3


From c63a898563cc6ddbdabf1ec84156e95ce373c21e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 15:56:47 -0500
Subject: Unassign privilege from resource role.

---
 gn2/wqflask/oauth2/resources.py                    | 56 +++++++++++++++++++++-
 .../confirm-resource-role-unassign-privilege.html  | 34 +++++++++++++
 .../templates/oauth2/view-resource-role.html       |  7 ++-
 3 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 34b11235..9ca057ab 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -7,8 +7,12 @@ from . import client
 from .ui import render_ui as _render_ui
 from .checks import require_oauth2
 from .client import oauth2_get, oauth2_post
-from .request_utils import (
-    flash_error, flash_success, request_error, process_error)
+from .request_utils import (flash_error,
+                            flash_success,
+                            request_error,
+                            process_error,
+                            with_flash_error,
+                            with_flash_success)
 
 resources = Blueprint("resource", __name__)
 
@@ -331,3 +335,51 @@ def view_resource_role(resource_id: UUID, role_id: UUID):
             lambda error: __render_template__(
                 resource_error=process_error(error)),
             lambda resource: __fetch_resource_role__(resource=resource))
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/unassign-privilege",
+                 methods=["GET", "POST"])
+@require_oauth2
+def unassign_privilege_from_resource_role(resource_id: UUID, role_id: UUID):
+    """Remove a privilege from a resource role."""
+    form = request.form
+    returnto = redirect(url_for("oauth2.resource.view_resource_role",
+                                resource_id=resource_id,
+                                role_id=role_id))
+    privilege_id = (request.args.get("privilege_id")
+                    or form.get("privilege_id"))
+    if not privilege_id:
+        flash("You need to specify a privilege to unassign.", "alert-danger")
+        return returnto
+
+    if request.method=="POST" and form.get("confirm") == "Unassign":
+        return oauth2_post(
+            f"auth/resource/{resource_id}/role/{role_id}/unassign-privilege",
+            json={
+                "privilege_id": form["privilege_id"]
+            }).either(with_flash_error(returnto), with_flash_success(returnto))
+
+    if form.get("confirm") == "Cancel":
+        flash("Cancelled the operation to unassign the privilege.",
+              "alert-info")
+        return returnto
+
+    def __fetch_privilege__(resource, role):
+        return oauth2_get(
+            f"auth/privileges/{privilege_id}/view").either(
+                with_flash_error(returnto),
+                lambda privilege: render_ui(
+                    "oauth2/confirm-resource-role-unassign-privilege.html",
+                    resource=resource,
+                    role=role,
+                    privilege=privilege))
+
+    def __fetch_resource_role__(resource):
+        return oauth2_get(
+            f"auth/resource/{resource_id}/role/{role_id}").either(
+                with_flash_error(returnto),
+                lambda role: __fetch_privilege__(resource, role))
+
+    return oauth2_get(
+        f"auth/resource/view/{resource_id}").either(
+            with_flash_error(returnto),
+            __fetch_resource_role__)
diff --git a/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html b/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html
new file mode 100644
index 00000000..988cf3b4
--- /dev/null
+++ b/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html
@@ -0,0 +1,34 @@
+{%extends "base.html"%}
+{%from "oauth2/profile_nav.html" import profile_nav%}
+{%from "oauth2/display_error.html" import display_error%}
+{%block title%}View User{%endblock%}
+{%block content%}
+<div class="container">
+  {{profile_nav(uipages, user_privileges)}}
+  {{flash_me()}}
+
+  <form id="frm_confirm_resource_role_unassign_privilege"
+        method="POST"
+        action="{{url_for('oauth2.resource.unassign_privilege_from_resource_role',
+                resource_id=resource.resource_id,
+                role_id=role.role_id)}}">
+    <p>
+      Are you sure you want to unassign the privilege to
+      '{{privilege.privilege_description}}' from the role '{{role.role_name}}'
+      on resource '{{resource.resource_name}}'?</p>
+    <input type="hidden"
+           name="privilege_id"
+           value="{{privilege.privilege_id}}" />
+    
+    <input type="submit"
+           name="confirm"
+           value="Cancel"
+           class="btn btn-success" />
+
+    <input type="submit"
+           name="confirm"
+           value="Unassign"
+           class="btn btn-danger" />
+  </form>
+</div>
+{%endblock%}
diff --git a/gn2/wqflask/templates/oauth2/view-resource-role.html b/gn2/wqflask/templates/oauth2/view-resource-role.html
index 05df41d6..a1aa8676 100644
--- a/gn2/wqflask/templates/oauth2/view-resource-role.html
+++ b/gn2/wqflask/templates/oauth2/view-resource-role.html
@@ -5,8 +5,10 @@
 {%block content%}
 
 {%macro unassign_button(resource_id, role_id, privilege_id)%}
-<form method="POST"
-      action="#"
+<form method="GET"
+      action="{{url_for('oauth2.resource.unassign_privilege_from_resource_role',
+              resource_id=resource_id,
+              role_id=role_id)}}"
       id="frm_unlink_privilege_{{privilege_id}}">
   <input type="hidden" name="resource_id" value="{{resource_id}}" />
   <input type="hidden" name="role_id" value="{{role_id}}" />
@@ -17,6 +19,7 @@
 
 <div class="container">
   {{profile_nav(uipages, user_privileges)}}
+  {{flash_me()}}
   {%if resource_error is defined%}
   {{display_error("Resource", resource_error)}}
   {%else%}
-- 
cgit v1.2.3


From f17ed0dc4aa43013142217ce85cb5711aa164ac9 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 11 Jun 2024 11:33:56 -0500
Subject: List user assigned role of interest.

---
 gn2/wqflask/oauth2/resources.py                    | 16 ++++++++++-
 .../templates/oauth2/view-resource-role.html       | 32 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 9ca057ab..58e02368 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -308,11 +308,25 @@ def view_resource_role(resource_id: UUID, role_id: UUID):
     def __render_template__(**kwargs):
         return render_ui("oauth2/view-resource-role.html", **kwargs)
 
+    def __fetch_users__(resource, role, unassigned_privileges):
+        return oauth2_get(
+            f"auth/resource/{resource_id}/role/{role_id}/users").either(
+            lambda error: __render_template__(
+                resource=resource,
+                role=role,
+                unassigned_privileges=unassigned_privileges,
+                user_error=process_error(error)),
+            lambda users: __render_template__(
+                resource=resource,
+                role=role,
+                unassigned_privileges=unassigned_privileges,
+                users=users))
+
     def __fetch_all_roles__(resource, role):
         return oauth2_get(f"auth/resource/{resource_id}/roles").either(
             lambda error: __render_template__(
                 all_roles_error=process_error(error)),
-            lambda all_roles: __render_template__(
+            lambda all_roles: __fetch_users__(
                 resource=resource,
                 role=role,
                 unassigned_privileges=[
diff --git a/gn2/wqflask/templates/oauth2/view-resource-role.html b/gn2/wqflask/templates/oauth2/view-resource-role.html
index c4c9d3fc..57008f44 100644
--- a/gn2/wqflask/templates/oauth2/view-resource-role.html
+++ b/gn2/wqflask/templates/oauth2/view-resource-role.html
@@ -98,6 +98,38 @@
     </form>
   </div>
 
+  {%if user_error is defined%}
+  {{display_error("Users", user_error)}}
+  {%endif%}
+
+  {%if users is defined and users | length > 0%}
+  <div class="row">
+    <h3>Users</h3>
+
+    <table class="table">
+      <caption>
+        Users assigned role '{{role.role_name}}' on resource
+        '{{resource.resource_name}}'
+      </caption>
+
+      <thead>
+        <tr>
+          <th>Email</th>
+          <th>Name</th>
+        </tr>
+      </thead>
+
+      <tbody>
+        {%for user in users%}
+        <tr>
+          <td>{{user.email}}</td>
+          <td>{{user.name}}</td>
+        </tr>
+        {%endfor%}
+        </tbody>
+    </table>
+  </div>
+  {%endif%}
       &nbsp;
     </p>
   {%endif%}
-- 
cgit v1.2.3


From d0ca2b1e0eccc05d70f2b83f061a36cebec98e4a Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 11:07:33 -0500
Subject: Use json for communication with gn-auth

---
 gn2/wqflask/oauth2/resources.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 58e02368..32d89b14 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -58,7 +58,7 @@ def create_resource():
         flash("Resource created successfully", "alert-success")
         return redirect(url_for("oauth2.resource.user_resources"))
     return oauth2_post(
-        "auth/resource/create", data=request.form).either(
+        "auth/resource/create", json=dict(request.form)).either(
             __perr__, __psuc__)
 
 def __compute_page__(submit, current_page):
@@ -231,7 +231,7 @@ def assign_role(resource_id: UUID) -> Response:
 
         return oauth2_post(
             f"auth/resource/{resource_id}/user/assign",
-            data={
+            json={
                 "group_role_id": group_role_id,
                 "user_email": user_email
             }).either(__assign_error__, __assign_success__)
@@ -262,7 +262,7 @@ def unassign_role(resource_id: UUID) -> Response:
 
         return oauth2_post(
             f"auth/resource/{resource_id}/user/unassign",
-            data={
+            json={
                 "group_role_id": group_role_id,
                 "user_id": user_id
             }).either(__unassign_error__, __unassign_success__)
@@ -285,7 +285,7 @@ def toggle_public(resource_id: UUID):
             "oauth2.resource.view_resource", resource_id=resource_id))
 
     return oauth2_post(
-        f"auth/resource/{resource_id}/toggle-public", data={}).either(
+        f"auth/resource/{resource_id}/toggle-public").either(
             lambda err: __handle_error__(err),
             lambda suc: __handle_success__(suc))
 
-- 
cgit v1.2.3


From 311a81d67d02b91652934ce0329adc4c4b3577be Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 11:08:08 -0500
Subject: Update URI forms

---
 gn2/wqflask/oauth2/resources.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 32d89b14..7a705856 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -66,7 +66,7 @@ def __compute_page__(submit, current_page):
         return current_page + 1
     return (current_page - 1) or 1
 
-@resources.route("/view/<uuid:resource_id>", methods=["GET"])
+@resources.route("/<uuid:resource_id>/view", methods=["GET"])
 @require_oauth2
 def view_resource(resource_id: UUID):
     """View the given resource."""
@@ -301,7 +301,7 @@ def delete_resource(resource_id: UUID):
     """Delete the given resource."""
     return "WOULD DELETE THE GIVEN RESOURCE"
 
-@resources.route("/<uuid:resource_id>/role/<uuid:role_id>", methods=["GET"])
+@resources.route("/<uuid:resource_id>/roles/<uuid:role_id>", methods=["GET"])
 @require_oauth2
 def view_resource_role(resource_id: UUID, role_id: UUID):
     """View resource role page."""
@@ -350,7 +350,7 @@ def view_resource_role(resource_id: UUID, role_id: UUID):
                 resource_error=process_error(error)),
             lambda resource: __fetch_resource_role__(resource=resource))
 
-@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/unassign-privilege",
+@resources.route("/<uuid:resource_id>/roles/<uuid:role_id>/unassign-privilege",
                  methods=["GET", "POST"])
 @require_oauth2
 def unassign_privilege_from_resource_role(resource_id: UUID, role_id: UUID):
-- 
cgit v1.2.3


From c1efb9f57be588137ae3093d3c4aa7badff63b5f Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 13:55:57 -0500
Subject: Create a new resource role.

---
 gn2/wqflask/oauth2/resources.py                 | 48 +++++++++++++++++++++++++
 gn2/wqflask/templates/oauth2/create-role.html   | 38 +++++++++++++-------
 gn2/wqflask/templates/oauth2/view-resource.html |  5 +++
 3 files changed, 78 insertions(+), 13 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 7a705856..cf600b51 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -397,3 +397,51 @@ def unassign_privilege_from_resource_role(resource_id: UUID, role_id: UUID):
         f"auth/resource/view/{resource_id}").either(
             with_flash_error(returnto),
             __fetch_resource_role__)
+
+
+@resources.route("/<uuid:resource_id>/roles/create-role",
+                 methods=["GET", "POST"])
+@require_oauth2
+def create_resource_role(resource_id: UUID):
+    """Create new role for the resource."""
+    def __render__(**kwargs):
+        return render_ui("oauth2/create-role.html", **kwargs)
+
+    def __fetch_resource_roles__(resource):
+        return oauth2_get(f"auth/resource/{resource_id}/roles").either(
+            lambda error: __render__(resource_role_error=error),
+            lambda roles: {"resource": resource, "roles": roles})
+
+    if request.method == "GET":
+        return oauth2_get(f"auth/resource/view/{resource_id}").map(
+            __fetch_resource_roles__).either(
+            lambda error: __render__(resource_error=error),
+            lambda kwargs: __render__(**kwargs))
+
+    formdata = request.form
+    privileges = formdata.getlist("privileges[]")
+    if not bool(privileges):
+        flash(
+            "You must provide at least one privilege for creation of the new "
+            "role.",
+            "alert-danger")
+        return redirect(url_for("oauth2.resource.create_resource_role",
+                                resource_id=resource_id))
+
+    def __handle_error__(error):
+        flash_error(process_error(error))
+        return redirect(url_for(
+            "oauth2.resource.create_resource_role", resource_id=resource_id))
+
+    def __handle_success__(success):
+        flash("Role successfully created.", "alert-success")
+        return redirect(url_for(
+            "oauth2.resource.view_resource", resource_id=resource_id))
+
+    return oauth2_post(
+        f"auth/resource/{resource_id}/roles/create",
+        json={
+            "role_name": formdata["role_name"],
+            "privileges": privileges
+        }).either(
+            __handle_error__, __handle_success__)
diff --git a/gn2/wqflask/templates/oauth2/create-role.html b/gn2/wqflask/templates/oauth2/create-role.html
index f2bff7b4..198eacdd 100644
--- a/gn2/wqflask/templates/oauth2/create-role.html
+++ b/gn2/wqflask/templates/oauth2/create-role.html
@@ -7,31 +7,43 @@
   {{profile_nav("roles", user_privileges)}}
   <h3>Create Role</h3>
 
-  {{flash_me()}}
+  <p>Create a new role to act on resource "{{resource.resource_name}}"</p>
 
   {%if group_privileges_error is defined%}
   {{display_error("Group Privileges", group_privileges_error)}}
   {%else%}
-  {%if "group:role:create-role" in user_privileges%}
-  <form method="POST" action="{{url_for('oauth2.role.create_role')}}">
-    <legend>Create Group Role</legend>
+  {%if "resource:role:create-role" in (user_privileges|map(attribute="privilege_id")) %}
+  <form method="POST" action="{{url_for('oauth2.resource.create_resource_role',
+                              resource_id=resource.resource_id)}}">
+    <legend>create resource role</legend>
+
+    {{flash_me()}}
+
     <div class="form-group">
       <label for="role_name" class="form-label">Name</label>
-      <input type="text" id="role_name" name="role_name" required="required"
-	     class="form-control"
-	     {%if prev_role_name is defined and prev_role_name is not none%}
-	     value="{{prev_role_name}}"
-	     {%endif%} />
+      <div class="input-group">
+        <span class="input-group-addon">
+          {{resource.resource_name|replace(" ", "_")}}::
+        </span>
+        <input type="text" id="role_name" name="role_name" required="required"
+	       class="form-control"
+	       {%if prev_role_name is defined and prev_role_name is not none%}
+	       value="{{prev_role_name}}"
+	       {%endif%} />
+      </div>
+      <span class="form-text text-muted">
+        The name of the role will have the resource's name appended.
+      </span>
     </div>
     <label class="form-label">Privileges</label>
-    {%for priv in group_privileges%}
+    {%for priv in user_privileges%}
     <div class="checkbox">
-      <label for="chk:{{priv.privilege_id}}">
-	<input type="checkbox" id="chk:{{priv.privilege_id}}"
+      <label for="chk-{{priv.privilege_id}}">
+	<input type="checkbox" id="chk-{{priv.privilege_id}}"
 	       name="privileges[]" value={{priv.privilege_id}} />
 	<span style="text-transform: capitalize;">
 	  {{priv.privilege_description}}
-	</span> ({{priv.privilege_id}})
+	</span>
       </label>
     </div>
     {%endfor%}
diff --git a/gn2/wqflask/templates/oauth2/view-resource.html b/gn2/wqflask/templates/oauth2/view-resource.html
index 25cac6ff..cfc769c4 100644
--- a/gn2/wqflask/templates/oauth2/view-resource.html
+++ b/gn2/wqflask/templates/oauth2/view-resource.html
@@ -246,6 +246,11 @@
         </a>
         {%endfor%}
       </div>
+      <hr />
+      <a title="create a new role for this resource"
+         href="{{url_for('oauth2.resource.create_resource_role',
+               resource_id=resource.resource_id)}}"
+         class="btn btn-info">New Role</a>
     </div>
 
     <div class="row">
-- 
cgit v1.2.3


From bb83fdde2cff7abd8571350966fa78545b1831ef Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 13:56:29 -0500
Subject: Delete request to obsoleted endpoint.

---
 gn2/wqflask/oauth2/ui.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/ui.py b/gn2/wqflask/oauth2/ui.py
index cf2e9af7..e31d87d9 100644
--- a/gn2/wqflask/oauth2/ui.py
+++ b/gn2/wqflask/oauth2/ui.py
@@ -7,12 +7,7 @@ from .request_utils import process_error
 
 def render_ui(templatepath: str, **kwargs):
     """Handle repetitive UI rendering stuff."""
-    roles = kwargs.get("roles", tuple()) # Get roles if already provided
-    if user_logged_in() and not bool(roles): # If not, try fetching them
-        roles_results = oauth2_get("auth/system/roles").either(
-            lambda err: {"roles_error": process_error(err)},
-            lambda roles: {"roles": roles})
-        kwargs = {**kwargs, **roles_results}
+    roles = kwargs.get("roles", tuple()) # Get roles
     user_privileges = tuple(
         privilege["privilege_id"] for role in roles
         for privilege in role["privileges"])
-- 
cgit v1.2.3


From 7ed51c24678d2b880081f81ad4439e7ebcb0d19d Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 13:58:13 -0500
Subject: Use privilege objects rather than IDS.

---
 gn2/wqflask/oauth2/ui.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/ui.py b/gn2/wqflask/oauth2/ui.py
index e31d87d9..90d65e0b 100644
--- a/gn2/wqflask/oauth2/ui.py
+++ b/gn2/wqflask/oauth2/ui.py
@@ -9,8 +9,7 @@ def render_ui(templatepath: str, **kwargs):
     """Handle repetitive UI rendering stuff."""
     roles = kwargs.get("roles", tuple()) # Get roles
     user_privileges = tuple(
-        privilege["privilege_id"] for role in roles
-        for privilege in role["privileges"])
+        privilege for role in roles for privilege in role["privileges"])
     kwargs = {
         **kwargs, "roles": roles, "user_privileges": user_privileges
     }
-- 
cgit v1.2.3


From 1484101101bbc3d1388fc351f44c494cb1b72540 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 15:45:39 -0500
Subject: Fetch the active user's roles on a particular resource.

---
 gn2/wqflask/oauth2/resources.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index cf600b51..0befac85 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -4,6 +4,7 @@ from flask import (
     flash, request, url_for, redirect, Response, Blueprint)
 
 from . import client
+from . import session
 from .ui import render_ui as _render_ui
 from .checks import require_oauth2
 from .client import oauth2_get, oauth2_post
@@ -408,9 +409,12 @@ def create_resource_role(resource_id: UUID):
         return render_ui("oauth2/create-role.html", **kwargs)
 
     def __fetch_resource_roles__(resource):
-        return oauth2_get(f"auth/resource/{resource_id}/roles").either(
             lambda error: __render__(resource_role_error=error),
-            lambda roles: {"resource": resource, "roles": roles})
+        user = session.session_info()["user"]
+        return oauth2_get(
+            f"auth/resource/{resource_id}/users/{user['user_id']}"
+            "/roles").either(
+                lambda roles: {"resource": resource, "roles": roles})
 
     if request.method == "GET":
         return oauth2_get(f"auth/resource/view/{resource_id}").map(
-- 
cgit v1.2.3


From 3ec7180cfe0fdd8dc7d7064d9a34e421efdac14e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 15:46:26 -0500
Subject: Fix error display logic

---
 gn2/wqflask/oauth2/resources.py               | 5 ++++-
 gn2/wqflask/templates/oauth2/create-role.html | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 0befac85..7ebb82ad 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -409,11 +409,14 @@ def create_resource_role(resource_id: UUID):
         return render_ui("oauth2/create-role.html", **kwargs)
 
     def __fetch_resource_roles__(resource):
-            lambda error: __render__(resource_role_error=error),
         user = session.session_info()["user"]
         return oauth2_get(
             f"auth/resource/{resource_id}/users/{user['user_id']}"
             "/roles").either(
+                lambda error: {
+                    "resource": resource,
+                    "resource_role_error": process_error(error)
+                },
                 lambda roles: {"resource": resource, "roles": roles})
 
     if request.method == "GET":
diff --git a/gn2/wqflask/templates/oauth2/create-role.html b/gn2/wqflask/templates/oauth2/create-role.html
index 198eacdd..6cf0bb78 100644
--- a/gn2/wqflask/templates/oauth2/create-role.html
+++ b/gn2/wqflask/templates/oauth2/create-role.html
@@ -9,8 +9,8 @@
 
   <p>Create a new role to act on resource "{{resource.resource_name}}"</p>
 
-  {%if group_privileges_error is defined%}
-  {{display_error("Group Privileges", group_privileges_error)}}
+  {%if resource_role_error is defined%}
+  {{display_error("Resource Role", resource_role_error)}}
   {%else%}
   {%if "resource:role:create-role" in (user_privileges|map(attribute="privilege_id")) %}
   <form method="POST" action="{{url_for('oauth2.resource.create_resource_role',
-- 
cgit v1.2.3


From 34cd7f95ded2eef66ed3b0367023b9a4529b7b1a Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 17 Jun 2024 15:52:23 -0500
Subject: Remove deprecated endpoints/views and templates

---
 gn2/wqflask/oauth2/groups.py                      |  24 -----
 gn2/wqflask/oauth2/roles.py                       |  56 ------------
 gn2/wqflask/templates/oauth2/view-group-role.html | 102 ----------------------
 3 files changed, 182 deletions(-)
 delete mode 100644 gn2/wqflask/templates/oauth2/view-group-role.html

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/groups.py b/gn2/wqflask/oauth2/groups.py
index 3bc4bcb2..e4028497 100644
--- a/gn2/wqflask/oauth2/groups.py
+++ b/gn2/wqflask/oauth2/groups.py
@@ -136,30 +136,6 @@ def reject_join_request():
             handle_error("oauth2.group.list_join_requests"),
             __success__)
 
-@groups.route("/role/<uuid:group_role_id>", methods=["GET"])
-@require_oauth2
-def group_role(group_role_id: uuid.UUID):
-    """View the details of a particular role."""
-    def __render_error__(**kwargs):
-        return render_ui("oauth2/view-group-role.html", **kwargs)
-
-    def __gprivs_success__(role, group_privileges):
-        return render_ui(
-            "oauth2/view-group-role.html", group_role=role,
-            group_privileges=tuple(
-                priv for priv in group_privileges
-                if priv not in role["role"]["privileges"]))
-
-    def __role_success__(role):
-        return oauth2_get("auth/group/privileges").either(
-            lambda err: __render_error__(
-                group_role=group_role,
-                group_privileges_error=process_error(err)),
-            lambda privileges: __gprivs_success__(role, privileges))
-
-    return oauth2_get(f"auth/group/role/{group_role_id}").either(
-        lambda err: __render_error__(group_role_error=process_error(err)),
-        __role_success__)
 
 def add_delete_privilege_to_role(
         group_role_id: uuid.UUID, direction: str) -> Response:
diff --git a/gn2/wqflask/oauth2/roles.py b/gn2/wqflask/oauth2/roles.py
index b0f990c7..2a21670e 100644
--- a/gn2/wqflask/oauth2/roles.py
+++ b/gn2/wqflask/oauth2/roles.py
@@ -21,59 +21,3 @@ def role(role_id: uuid.UUID):
     return oauth2_get(f"auth/role/view/{role_id}").either(
         request_error, __success__)
 
-@roles.route("/create", methods=["GET", "POST"])
-@require_oauth2
-def create_role():
-    """Create a new role."""
-    def __roles_error__(error):
-        return render_ui(
-            "oauth2/create-role.html", roles_error=process_error(error))
-
-    def __gprivs_error__(roles, error):
-        return render_ui(
-            "oauth2/create-role.html", roles=roles,
-            group_privileges_error=process_error(error))
-
-    def __success__(roles, gprivs):
-        uprivs = tuple(
-            privilege["privilege_id"] for role in roles
-            for privilege in role["privileges"])
-        return render_ui(
-            "oauth2/create-role.html", roles=roles, user_privileges=uprivs,
-            group_privileges=gprivs,
-            prev_role_name=request.args.get("role_name"))
-
-    def __fetch_gprivs__(roles):
-        return oauth2_get("auth/group/privileges").either(
-            lambda err: __gprivs_error__(roles, err),
-            lambda gprivs: __success__(roles, gprivs))
-
-    if request.method == "GET":
-        return oauth2_get("auth/user/roles").either(
-            __roles_error__, __fetch_gprivs__)
-
-    form = request.form
-    role_name = form.get("role_name")
-    privileges = form.getlist("privileges[]")
-    if len(privileges) == 0:
-        flash("You must assign at least one privilege to the role",
-              "alert-danger")
-        return redirect(url_for(
-            "oauth2.role.create_role", role_name=role_name))
-    def __create_error__(error):
-        err = process_error(error)
-        flash(f"{err['error']}: {err['error_description']}",
-              "alert-danger")
-        return redirect(url_for("oauth2.role.create_role"))
-    def __create_success__(*args):
-        flash("Role created successfully.", "alert-success")
-        return redirect(url_for("oauth2.role.user_roles"))
-
-    raise DeprecationWarning(
-        f"The `{__name__}.create_role(…)` function, as is currently, can "
-        "lead to unbounded privilege escalation. See "
-        "https://issues.genenetwork.org/issues/gn-auth/problems-with-roles")
-    # return oauth2_post(
-    #     "auth/group/role/create",data={
-    #         "role_name": role_name, "privileges[]": privileges}).either(
-    #     __create_error__,__create_success__)
diff --git a/gn2/wqflask/templates/oauth2/view-group-role.html b/gn2/wqflask/templates/oauth2/view-group-role.html
deleted file mode 100644
index 5da023bf..00000000
--- a/gn2/wqflask/templates/oauth2/view-group-role.html
+++ /dev/null
@@ -1,102 +0,0 @@
-{%extends "base.html"%}
-{%from "oauth2/profile_nav.html" import profile_nav%}
-{%from "oauth2/display_error.html" import display_error%}
-{%block title%}View User{%endblock%}
-{%block content%}
-<div class="container" style="min-width: 1250px;">
-  {{profile_nav("roles", user_privileges)}}
-  <h3>View Group Role</h3>
-
-  {{flash_me()}}
-
-  <div class="container-fluid">
-    <div class="row">
-      <h3>Role Details</h3>
-      {%if group_role_error is defined%}
-      {{display_error("Group Role", group_role_error)}}
-      {%else%}
-      <table class="table">
-	<caption>Details for '{{group_role.role.role_name}}' Role</caption>
-	<thead>
-	  <tr>
-	    <th>Privilege</th>
-	    <th>Description</th>
-	    <th>Action</th>
-	  </tr>
-	</thead>
-	<tbody>
-	  {%for privilege in group_role.role.privileges%}
-	  <tr>
-	    <td>{{privilege.privilege_id}}</td>
-	    <td>{{privilege.privilege_description}}</td>
-	    <td>
-	      <form action="{{url_for(
-			    'oauth2.group.delete_privilege_from_role',
-			    group_role_id=group_role.group_role_id)}}"
-		    method="POST">
-		<input type="hidden" name="privilege_id"
-		       value="{{privilege.privilege_id}}" />
-		<input type="submit" class="btn btn-danger"
-		       value="Remove"
-		       {%if not group_role.role.user_editable%}
-		       disabled="disabled"
-		       {%endif%} />
-	      </form>
-	    </td>
-	  </tr>
-	  {%endfor%}
-	</tbody>
-      </table>
-      {%endif%}
-    </div>
-
-    <div class="row">
-      <h3>Other Privileges</h3>
-      <table class="table">
-	<caption>Other Privileges not Assigned to this Role</caption>
-	<thead>
-	  <tr>
-	    <th>Privilege</th>
-	    <th>Description</th>
-	    <th>Action</th>
-	  </tr>
-	</thead>
-
-	<tbody>
-	  {%for priv in group_privileges%}
-	  <tr>
-	    <td>{{priv.privilege_id}}</td>
-	    <td>{{priv.privilege_description}}</td>
-	    <td>
-	      <form action="{{url_for(
-			    'oauth2.group.add_privilege_to_role',
-			    group_role_id=group_role.group_role_id)}}"
-		    method="POST">
-		<input type="hidden" name="privilege_id"
-		       value="{{priv.privilege_id}}" />
-		<input type="submit" class="btn btn-warning"
-		       value="Add to Role"
-		       {%if not group_role.role.user_editable%}
-		       disabled="disabled"
-		       {%endif%} />
-	      </form>
-	    </td>
-	  </tr>
-	  {%else%}
-	  <tr>
-	    <td colspan="3">
-	      <span class="glyphicon glyphicon-info-sign text-info">
-	      </span>
-	      &nbsp;
-	      <span class="text-info">All privileges assigned!</span>
-	    </td>
-	  </tr>
-	  {%endfor%}
-	</tbody>
-      </table>
-    </div>
-
-  </div>
-
-</div>
-{%endblock%}
-- 
cgit v1.2.3


From 0ca86869d8acaa8a820df45fc1debfbe1b7936df Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 25 Jun 2024 13:19:26 -0500
Subject: Remove flawed "group role" idea: use just "role".

---
 gn2/wqflask/oauth2/resources.py                 | 12 ++++++------
 gn2/wqflask/templates/oauth2/view-resource.html | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 7ebb82ad..66545802 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -213,10 +213,10 @@ def unlink_data_from_resource():
 @require_oauth2
 def assign_role(resource_id: UUID) -> Response:
     form = request.form
-    group_role_id = form.get("group_role_id", "")
+    role_id = form.get("role_id", "")
     user_email = form.get("user_email", "")
     try:
-        assert bool(group_role_id), "The role must be provided."
+        assert bool(role_id), "The role must be provided."
         assert bool(user_email), "The user email must be provided."
 
         def __assign_error__(error):
@@ -233,7 +233,7 @@ def assign_role(resource_id: UUID) -> Response:
         return oauth2_post(
             f"auth/resource/{resource_id}/user/assign",
             json={
-                "group_role_id": group_role_id,
+                "role_id": role_id,
                 "user_email": user_email
             }).either(__assign_error__, __assign_success__)
     except AssertionError as aserr:
@@ -244,10 +244,10 @@ def assign_role(resource_id: UUID) -> Response:
 @require_oauth2
 def unassign_role(resource_id: UUID) -> Response:
     form = request.form
-    group_role_id = form.get("group_role_id", "")
+    role_id = form.get("role_id", "")
     user_id = form.get("user_id", "")
     try:
-        assert bool(group_role_id), "The role must be provided."
+        assert bool(role_id), "The role must be provided."
         assert bool(user_id), "The user id must be provided."
 
         def __unassign_error__(error):
@@ -264,7 +264,7 @@ def unassign_role(resource_id: UUID) -> Response:
         return oauth2_post(
             f"auth/resource/{resource_id}/user/unassign",
             json={
-                "group_role_id": group_role_id,
+                "role_id": role_id,
                 "user_id": user_id
             }).either(__unassign_error__, __unassign_success__)
     except AssertionError as aserr:
diff --git a/gn2/wqflask/templates/oauth2/view-resource.html b/gn2/wqflask/templates/oauth2/view-resource.html
index cfc769c4..0788e30c 100644
--- a/gn2/wqflask/templates/oauth2/view-resource.html
+++ b/gn2/wqflask/templates/oauth2/view-resource.html
@@ -278,14 +278,14 @@
 	    <th>Role</th>
 	    <th>Action</th>
 	  </tr>
-	  {%for grole in user_row.roles%}
+	  {%for role in user_row.roles%}
 	  <tr>
 	    <td>
 	      <a href="{{url_for(
 		       'oauth2.role.role',
-		       role_id=grole.role_id)}}"
-		 title="Details for '{{grole.role_name}}' role">
-		{{grole.role_name}}
+		       role_id=role.role_id)}}"
+		 title="Details for '{{role.role_name}}' role">
+		{{role.role_name}}
 	      </a>
 	    </td>
 	    <td>
@@ -294,8 +294,8 @@
 		    method="POST">
 		<input type="hidden" name="user_id"
 		       value="{{user_row.user.user_id}}" />
-		<input type="hidden" name="group_role_id"
-		       value="{{grole.group_role_id}}">
+		<input type="hidden" name="role_id"
+		       value="{{role.role_id}}">
 		<input type="submit"
 		       value="Unassign"
 		       class="btn btn-danger"
-- 
cgit v1.2.3


From b2eaa6a66a3dc205382d06c81bfac4508bd415e7 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 17 Jul 2024 11:00:40 -0500
Subject: Remove token and user detail handling from @app.before_request

The token and user details information is handled in the
`gn2.wqflask.oauth2.session`. Other parts of the system should make
use of that.

It also helps avoid some weird "action-at-a-distance" interactions -
this forces the code to request what it needs when it needs it and not
rely on some global variables.
---
 gn2/wqflask/__init__.py      | 15 ---------------
 gn2/wqflask/oauth2/checks.py |  5 +----
 2 files changed, 1 insertion(+), 19 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/__init__.py b/gn2/wqflask/__init__.py
index ce42ce4e..f85454ba 100644
--- a/gn2/wqflask/__init__.py
+++ b/gn2/wqflask/__init__.py
@@ -158,21 +158,6 @@ def before_request():
     g.request_start_time = time.time()
     g.request_time = lambda: "%.5fs" % (time.time() - g.request_start_time)
 
-    token = session.get("oauth2_token", False)
-    if token and not bool(session.get("user_details", False)):
-        from gn2.wqflask.oauth2.client import oauth2_client
-        config = current_app.config
-        resp = oauth2_client().client.get(
-            urljoin(config["GN_SERVER_URL"], "oauth2/user"))
-        user_details = resp.json()
-        session["user_details"] = user_details
-
-        if user_details.get("error") == "invalid_token":
-            flash(user_details["error_description"], "alert-danger")
-            flash("You are now logged out.", "alert-info")
-            session.pop("user_details", None)
-            session.pop("oauth2_token", None)
-
 @app.context_processor
 def include_admin_role_class():
     return {'AdminRole': AdminRole}
diff --git a/gn2/wqflask/oauth2/checks.py b/gn2/wqflask/oauth2/checks.py
index 7f33348e..b8db6dc2 100644
--- a/gn2/wqflask/oauth2/checks.py
+++ b/gn2/wqflask/oauth2/checks.py
@@ -2,9 +2,8 @@
 from functools import wraps
 from urllib.parse import urljoin
 
+from flask import flash, request, redirect
 from authlib.integrations.requests_client import OAuth2Session
-from flask import (
-    flash, request, redirect, session as flask_session)
 
 from . import session
 from .session import clear_session_info
@@ -24,8 +23,6 @@ def require_oauth2(func):
 
         def __clear_session__(_no_token):
             session.clear_session_info()
-            flask_session.pop("oauth2_token", None)
-            flask_session.pop("user_details", None)
             flash("You need to be logged in.", "alert-warning")
             return redirect("/")
 
-- 
cgit v1.2.3


From fdf005f57e0dcbf8d2d1127f92977fe657c93d60 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 17 Jul 2024 11:36:17 -0500
Subject: Remove redundant import.

---
 gn2/wqflask/oauth2/checks.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/checks.py b/gn2/wqflask/oauth2/checks.py
index b8db6dc2..4a5a117f 100644
--- a/gn2/wqflask/oauth2/checks.py
+++ b/gn2/wqflask/oauth2/checks.py
@@ -6,7 +6,6 @@ from flask import flash, request, redirect
 from authlib.integrations.requests_client import OAuth2Session
 
 from . import session
-from .session import clear_session_info
 from .client import (
     oauth2_get,
     oauth2_client,
@@ -33,7 +32,7 @@ def require_oauth2(func):
             if not user_details.get("error", False):
                 return func(*args, **kwargs)
 
-            return clear_session_info(token)
+            return __clear_session__(token)
 
         return session.user_token().either(__clear_session__, __with_token__)
 
-- 
cgit v1.2.3


From a6b237f7473b16f0d90a09983d5ec4a58d87f4ac Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 17 Jul 2024 11:39:33 -0500
Subject: Fix premature session expiration

With the change to JWTs the time-to-live for each token is severely
curtailed to help with security in case of a token theft. We,
therefore, can no longer rely on the TTL for session expiration,
rather, we will rely of the token-refresh mechanism to expire a token
after a long while.
---
 gn2/wqflask/oauth2/client.py  | 7 +------
 gn2/wqflask/oauth2/session.py | 7 -------
 2 files changed, 1 insertion(+), 13 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 876ecf6b..770777b5 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -31,12 +31,7 @@ def oauth2_clientsecret():
 def user_logged_in():
     """Check whether the user has logged in."""
     suser = session.session_info()["user"]
-    if suser["logged_in"]:
-        if session.expired():
-            session.clear_session_info()
-            return False
-        return suser["token"].is_right()
-    return False
+    return suser["logged_in"] and suser["token"].is_right()
 
 
 def oauth2_client():
diff --git a/gn2/wqflask/oauth2/session.py b/gn2/wqflask/oauth2/session.py
index 2ef534e2..eec48a7f 100644
--- a/gn2/wqflask/oauth2/session.py
+++ b/gn2/wqflask/oauth2/session.py
@@ -64,13 +64,6 @@ def session_info() -> SessionInfo:
             "masquerading": None
         }))
 
-def expired():
-    the_session = session_info()
-    def __expired__(token):
-        return datetime.now() > datetime.fromtimestamp(token["expires_at"])
-    return the_session["user"]["token"].either(
-        lambda left: False,
-        __expired__)
 
 def set_user_token(token: str) -> SessionInfo:
     """Set the user's token."""
-- 
cgit v1.2.3


From 8a782ecdac0ca9b56c02a81f8978a05aa9c48be3 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 22 Jul 2024 14:23:10 -0500
Subject: Provide PoC public-jwks endpoint.

---
 gn2/wqflask/oauth2/toplevel.py | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index f0179250..47b83ccf 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -3,10 +3,15 @@ import uuid
 import datetime
 from urllib.parse import urljoin, urlparse, urlunparse
 
-from authlib.jose import jwt
-from flask import (
-    flash, request, Blueprint, url_for, redirect, render_template,
-    current_app as app)
+from authlib.jose import jwt, KeySet
+from flask import (flash,
+                   request,
+                   url_for,
+                   jsonify,
+                   redirect,
+                   Blueprint,
+                   render_template,
+                   current_app as app)
 
 from . import session
 from .checks import require_oauth2
@@ -80,3 +85,12 @@ def authorisation_code():
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
+
+
+@toplevel.route("/public-jwks", methods=["GET"])
+def public_jwks():
+    """Provide endpoint that returns the public keys."""
+    return jsonify({
+        "documentation": "Returns a static key for the time being. This will change.",
+        "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+    })
-- 
cgit v1.2.3


From e11d8d1e1b11db7f40f0a23a3f393efb4793a401 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 26 Jul 2024 17:07:54 -0500
Subject: Use JSON rather than X-Form-URL-encoded data with auth server.

---
 gn2/wqflask/oauth2/groups.py    | 8 ++++----
 gn2/wqflask/oauth2/resources.py | 4 ++--
 gn2/wqflask/oauth2/toplevel.py  | 2 +-
 gn2/wqflask/oauth2/users.py     | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/groups.py b/gn2/wqflask/oauth2/groups.py
index e4028497..b3f1f54d 100644
--- a/gn2/wqflask/oauth2/groups.py
+++ b/gn2/wqflask/oauth2/groups.py
@@ -44,7 +44,7 @@ def create_group():
     def __setup_group__(response):
         session["user_details"]["group"] = response
 
-    resp = oauth2_post("auth/group/create", data=dict(request.form))
+    resp = oauth2_post("auth/group/create", json=dict(request.form))
     return resp.either(
         handle_error("oauth2.group.join_or_create"),
         handle_success(
@@ -116,7 +116,7 @@ def accept_join_request():
         return redirect(url_for("oauth2.group.list_join_requests"))
     return oauth2_post(
         "auth/group/requests/join/accept",
-        data=request.form).either(
+        json=dict(request.form)).either(
             handle_error("oauth2.group.list_join_requests"),
             __success__)
 
@@ -132,7 +132,7 @@ def reject_join_request():
         return redirect(url_for("oauth2.group.list_join_requests"))
     return oauth2_post(
         "auth/group/requests/join/reject",
-        data=request.form).either(
+        json=dict(request.form)).either(
             handle_error("oauth2.group.list_join_requests"),
             __success__)
 
@@ -163,7 +163,7 @@ def add_delete_privilege_to_role(
         }
         return oauth2_post(
             uris[direction],
-            data={
+            json={
                 "group_role_id": group_role_id,
                 "privilege_id": privilege_id
             }).either(__error__, __success__)
diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 66545802..b8d804f9 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -173,7 +173,7 @@ def link_data_to_resource():
             flash(f"Data linked to resource successfully", "alert-success")
             return redirect(url_for(
                 "oauth2.resource.view_resource", resource_id=resource_id))
-        return oauth2_post("auth/resource/data/link", data=dict(form)).either(
+        return oauth2_post("auth/resource/data/link", json=dict(form)).either(
             __error__,
             __success__)
     except AssertionError as aserr:
@@ -202,7 +202,7 @@ def unlink_data_from_resource():
             return redirect(url_for(
                 "oauth2.resource.view_resource", resource_id=resource_id))
         return oauth2_post(
-            "auth/resource/data/unlink", data=dict(form)).either(
+            "auth/resource/data/unlink", json=dict(form)).either(
             __error__, __success__)
     except AssertionError as aserr:
         flash(aserr.args[0], "alert-danger")
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 47b83ccf..210b0756 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -81,7 +81,7 @@ def authorisation_code():
             return redirect("/")
 
         return no_token_post(
-            "auth/token", data=request_data).either(
+            "auth/token", json=request_data).either(
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
diff --git a/gn2/wqflask/oauth2/users.py b/gn2/wqflask/oauth2/users.py
index 520a13c5..7d9186ab 100644
--- a/gn2/wqflask/oauth2/users.py
+++ b/gn2/wqflask/oauth2/users.py
@@ -67,7 +67,7 @@ def request_add_to_group() -> Response:
         return redirect(url_for("oauth2.user.user_profile"))
 
     return oauth2_post(f"auth/group/requests/join/{group_id}",
-                       data=form).either(__error__, __success__)
+                       json=form).either(__error__, __success__)
 
 
 @users.route("/logout", methods=["GET", "POST"])
@@ -108,7 +108,7 @@ def register_user():
     form = request.form
     response = requests.post(
         urljoin(authserver_uri(), "auth/user/register"),
-        data = {
+        json = {
             "user_name": form.get("user_name"),
             "email": form.get("email_address"),
             "password": form.get("password"),
-- 
cgit v1.2.3


From 2ff7cf9ff8640328c5849c5ff07bd0113a303856 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 31 Jul 2024 15:27:59 -0500
Subject: Synchronise token refreshes

The application can be run in a multi-threaded server, leading to a
situation where the multiple threads attempt to get a new JWT using
the exact same refresh token.

This synchronises the various threads ensuring only a single thread is
able to retrieve the new JWT that all the rest of the threads then
use.
---
 gn2/wqflask/oauth2/client.py  | 37 +++++++++++++++++++++++++++++++++----
 gn2/wqflask/oauth2/session.py | 24 +++++++++++++++++++++++-
 2 files changed, 56 insertions(+), 5 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 770777b5..0d4615e8 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -1,5 +1,7 @@
 """Common oauth2 client utilities."""
 import json
+import time
+import random
 import requests
 from typing import Optional
 from urllib.parse import urljoin
@@ -38,10 +40,36 @@ def oauth2_client():
     def __update_token__(token, refresh_token=None, access_token=None):
         """Update the token when refreshed."""
         session.set_user_token(token)
+        return token
 
-    def __client__(token) -> OAuth2Session:
+    def __validate_token__(token):
         _jwt = jwt.decode(token["access_token"],
                           app.config["AUTH_SERVER_SSL_PUBLIC_KEY"])
+        return token
+
+    def __delay__():
+        """Do a tiny delay."""
+        time.sleep(random.choice(tuple(i/1000.0 for i in range(0,100))))
+
+    def __refresh_token__(token):
+        """Synchronise token refresh."""
+        if session.is_token_expired():
+            __delay__()
+            if session.is_token_refreshing():
+                while session.is_token_refreshing():
+                    __delay__()
+                    _token = session.user_token().either(None, lambda _tok: _tok)
+                    return _token
+
+            session.toggle_token_refreshing()
+            _client = __client__(token)
+            _client.get(urljoin(authserver_uri(), "auth/user/"))
+            session.toggle_token_refreshing()
+            return _client.token
+
+        return token
+
+    def __client__(token) -> OAuth2Session:
         client = OAuth2Session(
             oauth2_clientid(),
             oauth2_clientsecret(),
@@ -51,9 +79,10 @@ def oauth2_client():
             token=token,
             update_token=__update_token__)
         return client
-    return session.user_token().either(
-        lambda _notok: __client__(None),
-        lambda token: __client__(token))
+    return session.user_token().then(__validate_token__).then(
+        __refresh_token__).either(
+            lambda _notok: __client__(None),
+            lambda token: __client__(token))
 
 def __no_token__(_err) -> Left:
     """Handle situation where request is attempted with no token."""
diff --git a/gn2/wqflask/oauth2/session.py b/gn2/wqflask/oauth2/session.py
index eec48a7f..92181ccf 100644
--- a/gn2/wqflask/oauth2/session.py
+++ b/gn2/wqflask/oauth2/session.py
@@ -22,6 +22,7 @@ class SessionInfo(TypedDict):
     user_agent: str
     ip_addr: str
     masquerade: Optional[UserDetails]
+    refreshing_token: bool
 
 __SESSION_KEY__ = "GN::2::session_info" # Do not use this outside this module!!
 
@@ -61,7 +62,8 @@ def session_info() -> SessionInfo:
             "user_agent": request.headers.get("User-Agent"),
             "ip_addr": request.environ.get("HTTP_X_FORWARDED_FOR",
                                            request.remote_addr),
-            "masquerading": None
+            "masquerading": None,
+            "token_refreshing": False
         }))
 
 
@@ -102,3 +104,23 @@ def unset_masquerading():
         "user": the_session["masquerading"],
         "masquerading": None
     })
+
+
+def toggle_token_refreshing():
+    """Toggle the state of the token_refreshing variable."""
+    _session = session_info()
+    return save_session_info({
+        **_session,
+        "token_refreshing": not _session.get("token_refreshing", False)})
+
+
+def is_token_expired():
+    """Check whether the token is expired."""
+    return user_token().either(
+        lambda _no_token: False,
+        lambda token: datetime.now().timestamp() > token["expires_at"])
+
+
+def is_token_refreshing():
+    """Returns whether the token is being refreshed or not."""
+    return session_info().get("token_refreshing", False)
-- 
cgit v1.2.3


From 9f4fa60a843ca764116286c77057824638b5c8d0 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 1 Aug 2024 12:17:24 -0500
Subject: Add module to help with rotation of JSON Web Keys.

---
 gn2/wqflask/oauth2/jwks.py | 86 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 gn2/wqflask/oauth2/jwks.py

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/jwks.py b/gn2/wqflask/oauth2/jwks.py
new file mode 100644
index 00000000..efd04997
--- /dev/null
+++ b/gn2/wqflask/oauth2/jwks.py
@@ -0,0 +1,86 @@
+"""Utilities dealing with JSON Web Keys (JWK)"""
+import os
+from pathlib import Path
+from typing import Any, Union
+from datetime import datetime, timedelta
+
+from flask import Flask
+from authlib.jose import JsonWebKey
+from pymonad.either import Left, Right, Either
+
+def jwks_directory(app: Flask, configname: str) -> Path:
+    """Compute the directory where the JWKs are stored."""
+    appsecretsdir = Path(app.config[configname]).parent
+    if appsecretsdir.exists() and appsecretsdir.is_dir():
+        jwksdir = Path(appsecretsdir, "jwks/")
+        if not jwksdir.exists():
+            jwksdir.mkdir()
+        return jwksdir
+    raise ValueError(
+        "The `appsecretsdir` value should be a directory that actually exists.")
+
+
+def generate_and_save_private_key(
+        storagedir: Path,
+        kty: str = "RSA",
+        crv_or_size: Union[str, int] = 2048,
+        options: tuple[tuple[str, Any]] = (("iat", datetime.now().timestamp()),)
+) -> JsonWebKey:
+    """Generate a private key and save to `storagedir`."""
+    privatejwk = JsonWebKey.generate_key(
+        kty, crv_or_size, dict(options), is_private=True)
+    keyname = f"{privatejwk.thumbprint()}.private.pem"
+    with open(Path(storagedir, keyname), "wb") as pemfile:
+        pemfile.write(privatejwk.as_pem(is_private=True))
+
+    return privatejwk
+
+
+def pem_to_jwk(filepath: Path) -> JsonWebKey:
+    """Parse a PEM file into a JWK object."""
+    with open(filepath, "rb") as pemfile:
+        return JsonWebKey.import_key(pemfile.read())
+
+
+def __sorted_jwks_paths__(storagedir: Path) -> tuple[tuple[float, Path], ...]:
+    """A sorted list of the JWK file paths with their creation timestamps."""
+    return tuple(sorted(((os.stat(keypath).st_ctime, keypath)
+                         for keypath in (Path(storagedir, keyfile)
+                                         for keyfile in os.listdir(storagedir)
+                                         if keyfile.endswith(".pem"))),
+                        key=lambda tpl: tpl[0]))
+
+
+def list_jwks(storagedir: Path) -> tuple[JsonWebKey, ...]:
+    """
+    List all the JWKs in a particular directory in the order they were created.
+    """
+    return tuple(pem_to_jwk(keypath) for ctime,keypath in
+                 __sorted_jwks_paths__(storagedir))
+
+
+def newest_jwk(storagedir: Path) -> Either:
+    """
+    Return an Either monad with the newest JWK or a message if none exists.
+    """
+    existingkeys = __sorted_jwks_paths__(storagedir)
+    if len(existingkeys) > 0:
+        return Right(pem_to_jwk(existingkeys[-1][1]))
+    return Left("No JWKs exist")
+
+
+def newest_jwk_with_rotation(jwksdir: Path, keyage: int) -> JsonWebKey:
+    """
+    Retrieve the latests JWK, creating a new one if older than `keyage` days.
+    """
+    def newer_than_days(jwkey):
+        filestat = os.stat(Path(
+            jwksdir, f"{jwkey.as_dict()['kid']}.private.pem"))
+        oldesttimeallowed = (datetime.now() - timedelta(days=keyage))
+        if filestat.st_ctime < (oldesttimeallowed.timestamp()):
+            return Left("JWK is too old!")
+        return jwkey
+
+    return newest_jwk(jwksdir).then(newer_than_days).either(
+        lambda _errmsg: generate_and_save_private_key(jwksdir),
+        lambda key: key)
-- 
cgit v1.2.3


From a9a8ef79a10c58a514d5aac0b2b1c9000a57f9f8 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 1 Aug 2024 12:19:34 -0500
Subject: Use JWKs from auth server public endpoint

* Fetch keys from auth server
* Validate token is signed with one of the keys from server
* Ensure refreshing of token is still synchronised
---
 gn2/wqflask/app_errors.py     |  2 +-
 gn2/wqflask/oauth2/client.py  | 95 +++++++++++++++++++++++++++++++++++++------
 gn2/wqflask/oauth2/session.py |  8 +---
 3 files changed, 84 insertions(+), 21 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/app_errors.py b/gn2/wqflask/app_errors.py
index 7c07fde6..bafe773b 100644
--- a/gn2/wqflask/app_errors.py
+++ b/gn2/wqflask/app_errors.py
@@ -51,7 +51,7 @@ def handle_invalid_token_error(exc: InvalidTokenError):
     flash("An invalid session token was detected. "
           "You have been logged out of the system.",
           "alert-danger")
-    current_app.logger.error("Invalit token detected. %s", request.url, exc_info=True)
+    current_app.logger.error("Invalid token detected. %s", request.url, exc_info=True)
     session.clear_session_info()
     return redirect("/")
 
diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 0d4615e8..6f137f52 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -5,10 +5,12 @@ import random
 import requests
 from typing import Optional
 from urllib.parse import urljoin
+from datetime import datetime, timedelta
 
 from flask import current_app as app
 from pymonad.either import Left, Right, Either
-from authlib.jose import jwt
+from authlib.jose import KeySet, JsonWebKey, JsonWebToken
+from authlib.jose.errors import BadSignatureError
 from authlib.integrations.requests_client import OAuth2Session
 
 from gn2.wqflask.oauth2 import session
@@ -36,30 +38,96 @@ def user_logged_in():
     return suser["logged_in"] and suser["token"].is_right()
 
 
+def __make_token_validator__(keys: KeySet):
+    """Make a token validator function."""
+    def __validator__(token: dict):
+        for key in keys.keys:
+            try:
+                # Fixes CVE-2016-10555. See
+                # https://docs.authlib.org/en/latest/jose/jwt.html
+                jwt = JsonWebToken(["RS256"])
+                jwt.decode(token["access_token"], key)
+                return Right(token)
+            except BadSignatureError:
+                pass
+
+        return Left("INVALID-TOKEN")
+
+    return __validator__
+
+
+def auth_server_jwks() -> Optional[KeySet]:
+    """Fetch the auth-server JSON Web Keys information."""
+    _jwks = session.session_info().get("auth_server_jwks")
+    if bool(_jwks):
+        return {
+            "last-updated": _jwks["last-updated"],
+            "jwks": KeySet([
+                JsonWebKey.import_key(key) for key in _jwks.get(
+                    "auth_server_jwks", {}).get(
+                        "jwks", {"keys": []})["keys"]])}
+
+
+def __validate_token__(keys):
+    """Validate that the token is really from the auth server."""
+    def __index__(_sess):
+        return _sess
+    return session.user_token().then(__make_token_validator__(keys)).then(
+        session.set_user_token).either(__index__, __index__)
+
+
+def __update_auth_server_jwks__():
+    """Updates the JWKs every 2 hours or so."""
+    jwks = auth_server_jwks()
+    if bool(jwks):
+        last_updated = jwks.get("last-updated")
+        now = datetime.now().timestamp()
+        if bool(last_updated) and (now - last_updated) < timedelta(hours=2).seconds:
+            return __validate_token__(jwks["jwks"])
+
+    jwksuri = urljoin(authserver_uri(), "auth/public-jwks")
+    jwks = KeySet([
+        JsonWebKey.import_key(key)
+        for key in requests.get(jwksuri).json()["jwks"]])
+    return __validate_token__(jwks)
+
+
+def is_token_expired(token):
+    """Check whether the token has expired."""
+    __update_auth_server_jwks__()
+    jwks = auth_server_jwks()
+    if bool(jwks):
+        for jwk in jwks["jwks"].keys:
+            try:
+                jwt = JsonWebToken(["RS256"]).decode(
+                    token["access_token"], key=jwk)
+                return datetime.now().timestamp() > jwt["exp"]
+            except BadSignatureError as _bse:
+                pass
+
+    return False
+
+
 def oauth2_client():
     def __update_token__(token, refresh_token=None, access_token=None):
         """Update the token when refreshed."""
         session.set_user_token(token)
         return token
 
-    def __validate_token__(token):
-        _jwt = jwt.decode(token["access_token"],
-                          app.config["AUTH_SERVER_SSL_PUBLIC_KEY"])
-        return token
-
     def __delay__():
         """Do a tiny delay."""
         time.sleep(random.choice(tuple(i/1000.0 for i in range(0,100))))
 
     def __refresh_token__(token):
         """Synchronise token refresh."""
-        if session.is_token_expired():
+        if is_token_expired(token):
             __delay__()
             if session.is_token_refreshing():
                 while session.is_token_refreshing():
                     __delay__()
-                    _token = session.user_token().either(None, lambda _tok: _tok)
-                    return _token
+
+                _token = session.user_token().either(None, lambda _tok: _tok)
+                return _token
 
             session.toggle_token_refreshing()
             _client = __client__(token)
@@ -79,10 +147,11 @@ def oauth2_client():
             token=token,
             update_token=__update_token__)
         return client
-    return session.user_token().then(__validate_token__).then(
-        __refresh_token__).either(
-            lambda _notok: __client__(None),
-            lambda token: __client__(token))
+
+    __update_auth_server_jwks__()
+    return session.user_token().then(__refresh_token__).either(
+        lambda _notok: __client__(None),
+        lambda token: __client__(token))
 
 def __no_token__(_err) -> Left:
     """Handle situation where request is attempted with no token."""
diff --git a/gn2/wqflask/oauth2/session.py b/gn2/wqflask/oauth2/session.py
index 92181ccf..b91534b0 100644
--- a/gn2/wqflask/oauth2/session.py
+++ b/gn2/wqflask/oauth2/session.py
@@ -23,6 +23,7 @@ class SessionInfo(TypedDict):
     ip_addr: str
     masquerade: Optional[UserDetails]
     refreshing_token: bool
+    auth_server_jwks: Optional[dict[str, Any]]
 
 __SESSION_KEY__ = "GN::2::session_info" # Do not use this outside this module!!
 
@@ -114,13 +115,6 @@ def toggle_token_refreshing():
         "token_refreshing": not _session.get("token_refreshing", False)})
 
 
-def is_token_expired():
-    """Check whether the token is expired."""
-    return user_token().either(
-        lambda _no_token: False,
-        lambda token: datetime.now().timestamp() > token["expires_at"])
-
-
 def is_token_refreshing():
     """Returns whether the token is being refreshed or not."""
     return session_info().get("token_refreshing", False)
-- 
cgit v1.2.3


From de69de2d6570837ea47dba5d11308c56c8cd86fb Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 1 Aug 2024 12:33:12 -0500
Subject: Use auto-created and auto-rotated JSON Web Keys

Use auto-created JWKs for better security.
---
 gn2/default_settings.py        |  6 ++++++
 gn2/wqflask/oauth2/toplevel.py | 10 +++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/default_settings.py b/gn2/default_settings.py
index e781f196..ab15dbe9 100644
--- a/gn2/default_settings.py
+++ b/gn2/default_settings.py
@@ -120,3 +120,9 @@ OAUTH2_CLIENT_SECRET="yadabadaboo"
 SESSION_TYPE = "redis"
 SESSION_PERMANENT = True
 SESSION_USE_SIGNER = True
+
+
+# BEGIN: JSON WEB KEYS #####
+JWKS_ROTATION_AGE_DAYS = 7 # Days (from creation) to keep a JWK in use.
+JWKS_DELETION_AGE_DAYS = 14 # Days (from creation) to keep a JWK around before deleting it.
+# END: JSON WEB KEYS #####
diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 210b0756..7ee0773d 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -13,6 +13,7 @@ from flask import (flash,
                    render_template,
                    current_app as app)
 
+from . import jwks
 from . import session
 from .checks import require_oauth2
 from .request_utils import user_details, process_error
@@ -34,7 +35,9 @@ def authorisation_code():
     code = request.args.get("code", "")
     if bool(code):
         base_url = urlparse(request.base_url, scheme=request.scheme)
-        jwtkey = app.config["SSL_PRIVATE_KEY"]
+        jwtkey = jwks.newest_jwk_with_rotation(
+            jwks.jwks_directory(app, "GN2_SECRETS"),
+            int(app.config["JWKS_ROTATION_AGE_DAYS"]))
         issued = datetime.datetime.now()
         request_data = {
             "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
@@ -81,7 +84,7 @@ def authorisation_code():
             return redirect("/")
 
         return no_token_post(
-            "auth/token", json=request_data).either(
+            "auth/token", data=request_data).either(
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
@@ -92,5 +95,6 @@ def public_jwks():
     """Provide endpoint that returns the public keys."""
     return jsonify({
         "documentation": "Returns a static key for the time being. This will change.",
-        "jwks": KeySet([app.config["SSL_PRIVATE_KEY"]]).as_dict().get("keys")
+        "jwks": KeySet(jwks.list_jwks(
+            jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
     })
-- 
cgit v1.2.3


From 249dc7110f3f20865e89462f080c6684fc7356af Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 1 Aug 2024 15:03:14 -0500
Subject: bug: add missing `count_per_page` variable.

---
 gn2/wqflask/oauth2/resources.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index b8d804f9..7ea7fe38 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -129,8 +129,10 @@ def view_resource(resource_id: UUID):
         dataset_type = resource["resource_category"]["resource_category_key"]
         return oauth2_get(f"auth/group/{dataset_type}/unlinked-data").either(
             lambda err: render_ui(
-                "oauth2/view-resource.html", resource=resource,
-                unlinked_error=process_error(err)),
+                "oauth2/view-resource.html",
+                resource=resource,
+                unlinked_error=process_error(err),
+                count_per_page=count_per_page),
             lambda unlinked: __unlinked_success__(resource, unlinked))
 
     def __fetch_resource_data__(resource):
-- 
cgit v1.2.3


From b3f1bb33177dbccbdf564506e367c4315e8803fc Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 2 Aug 2024 16:26:19 -0500
Subject: Consistently use JSON for all endpoints.

---
 gn2/wqflask/oauth2/toplevel.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index 7ee0773d..bc40a924 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -84,7 +84,7 @@ def authorisation_code():
             return redirect("/")
 
         return no_token_post(
-            "auth/token", data=request_data).either(
+            "auth/token", json=request_data).either(
                 lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
-- 
cgit v1.2.3


From c2c8d8298e3f10492cc26f76fe9d8e3053bcd4ef Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 5 Aug 2024 17:19:34 -0500
Subject: Override 'client_secret_post' auth with a JSON equivalent

In order to use JSON consistently across the board, we make even the
authentication method use JSON rather than FORMDATA.
---
 gn2/wqflask/oauth2/client.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 6f137f52..89d8a57e 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -9,8 +9,9 @@ from datetime import datetime, timedelta
 
 from flask import current_app as app
 from pymonad.either import Left, Right, Either
-from authlib.jose import KeySet, JsonWebKey, JsonWebToken
+from authlib.common.urls import url_decode
 from authlib.jose.errors import BadSignatureError
+from authlib.jose import KeySet, JsonWebKey, JsonWebToken
 from authlib.integrations.requests_client import OAuth2Session
 
 from gn2.wqflask.oauth2 import session
@@ -137,6 +138,16 @@ def oauth2_client():
 
         return token
 
+    def __json_auth__(client, method, uri, headers, body):
+        return (
+            uri,
+            {**headers, "Content-Type": "application/json"},
+            json.dumps({
+                **dict(url_decode(body)),
+                "client_id": oauth2_clientid(),
+                "client_secret": oauth2_clientsecret()
+            }))
+
     def __client__(token) -> OAuth2Session:
         client = OAuth2Session(
             oauth2_clientid(),
@@ -146,6 +157,8 @@ def oauth2_client():
             token_endpoint_auth_method="client_secret_post",
             token=token,
             update_token=__update_token__)
+        client.register_client_auth_method(
+            ("client_secret_post", __json_auth__))
         return client
 
     __update_auth_server_jwks__()
-- 
cgit v1.2.3


From 1a4f0b1195cc7351589460487fc867935ba22aac Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 5 Aug 2024 17:20:42 -0500
Subject: Fix URL

---
 gn2/wqflask/oauth2/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/client.py b/gn2/wqflask/oauth2/client.py
index 89d8a57e..a7d20f6b 100644
--- a/gn2/wqflask/oauth2/client.py
+++ b/gn2/wqflask/oauth2/client.py
@@ -153,7 +153,7 @@ def oauth2_client():
             oauth2_clientid(),
             oauth2_clientsecret(),
             scope=SCOPE,
-            token_endpoint=urljoin(authserver_uri(), "/auth/token"),
+            token_endpoint=urljoin(authserver_uri(), "auth/token"),
             token_endpoint_auth_method="client_secret_post",
             token=token,
             update_token=__update_token__)
-- 
cgit v1.2.3


From c8ed49cecb2cc15b1f24c825b3b600e06b329109 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 5 Aug 2024 17:21:20 -0500
Subject: Update JWKs endpoint documentation.

---
 gn2/wqflask/oauth2/toplevel.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index bc40a924..c6b789aa 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -94,7 +94,7 @@ def authorisation_code():
 def public_jwks():
     """Provide endpoint that returns the public keys."""
     return jsonify({
-        "documentation": "Returns a static key for the time being. This will change.",
+        "documentation": "The keys are listed in order of creation.",
         "jwks": KeySet(jwks.list_jwks(
             jwks.jwks_directory(app, "GN2_SECRETS"))).as_dict().get("keys")
     })
-- 
cgit v1.2.3


From 1e5d99454d3df1944f9d2b023ede7664576f278e Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 5 Aug 2024 17:21:50 -0500
Subject: minor code formatting.

---
 gn2/wqflask/oauth2/toplevel.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/toplevel.py b/gn2/wqflask/oauth2/toplevel.py
index c6b789aa..24d60311 100644
--- a/gn2/wqflask/oauth2/toplevel.py
+++ b/gn2/wqflask/oauth2/toplevel.py
@@ -83,9 +83,8 @@ def authorisation_code():
             })
             return redirect("/")
 
-        return no_token_post(
-            "auth/token", json=request_data).either(
-                lambda err: __error__(process_error(err)), __success__)
+        return no_token_post("auth/token", json=request_data).either(
+            lambda err: __error__(process_error(err)), __success__)
     flash("AuthorisationError: No code was provided.", "alert-danger")
     return redirect("/")
 
-- 
cgit v1.2.3


From 6d39ea99231aa0d07726a013c9a17c89a72e407a Mon Sep 17 00:00:00 2001
From: John Nduli
Date: Tue, 6 Aug 2024 08:10:04 +0300
Subject: fix: pass in proper list of priviledge_ids

---
 gn2/wqflask/oauth2/ui.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/ui.py b/gn2/wqflask/oauth2/ui.py
index 90d65e0b..d70a13ec 100644
--- a/gn2/wqflask/oauth2/ui.py
+++ b/gn2/wqflask/oauth2/ui.py
@@ -8,8 +8,11 @@ from .request_utils import process_error
 def render_ui(templatepath: str, **kwargs):
     """Handle repetitive UI rendering stuff."""
     roles = kwargs.get("roles", tuple()) # Get roles
+    if not roles:
+        roles = oauth2_get("auth/system/roles").either(
+                lambda _err: roles, lambda auth_roles: auth_roles)
     user_privileges = tuple(
-        privilege for role in roles for privilege in role["privileges"])
+        privilege["privilege_id"] for role in roles for privilege in role["privileges"])
     kwargs = {
         **kwargs, "roles": roles, "user_privileges": user_privileges
     }
-- 
cgit v1.2.3


From 4aa2d88b2915323398c5b14a64e10f822df9a93e Mon Sep 17 00:00:00 2001
From: John Nduli
Date: Tue, 6 Aug 2024 08:36:28 +0300
Subject: fix: use bearer token to query auth server

---
 gn2/wqflask/oauth2/ui.py                              | 5 ++++-
 gn2/wqflask/static/new/javascript/auth/search_mrna.js | 5 +++++
 gn2/wqflask/templates/oauth2/data-list-mrna.html      | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/ui.py b/gn2/wqflask/oauth2/ui.py
index d70a13ec..89739fe3 100644
--- a/gn2/wqflask/oauth2/ui.py
+++ b/gn2/wqflask/oauth2/ui.py
@@ -1,6 +1,8 @@
 """UI utilities"""
 from flask import session, render_template
 
+from gn2.wqflask.oauth2 import session
+
 from .client import oauth2_get
 from .client import user_logged_in
 from .request_utils import process_error
@@ -13,7 +15,8 @@ def render_ui(templatepath: str, **kwargs):
                 lambda _err: roles, lambda auth_roles: auth_roles)
     user_privileges = tuple(
         privilege["privilege_id"] for role in roles for privilege in role["privileges"])
+    user_token = session.user_token().either(lambda _err: "", lambda token: token["access_token"])
     kwargs = {
-        **kwargs, "roles": roles, "user_privileges": user_privileges
+            **kwargs, "roles": roles, "user_privileges": user_privileges, "bearer_token": user_token
     }
     return render_template(templatepath, **kwargs)
diff --git a/gn2/wqflask/static/new/javascript/auth/search_mrna.js b/gn2/wqflask/static/new/javascript/auth/search_mrna.js
index 76b2dc6b..ed264bb4 100644
--- a/gn2/wqflask/static/new/javascript/auth/search_mrna.js
+++ b/gn2/wqflask/static/new/javascript/auth/search_mrna.js
@@ -15,12 +15,17 @@ function search_mrna() {
     selected = JSON.parse(document.getElementById(
 	"tbl-link").getAttribute("data-datasets"));
     species_name = document.getElementById("txt-species-name").value
+    bearer_token = document.getElementById("bearer_token").value
     search_endpoint = "/auth/data/mrna/search"
     search_table = new TableDataSource(
 	"#tbl-search", "data-datasets", search_checkbox);
     $.ajax(
 	form.action,
 	{
+
+	    "beforeSend": function (xhr) {
+		xhr.setRequestHeader('Authorization', 'Bearer ' + bearer_token);
+	    },
 	    "method": "POST",
 	    "contentType": "application/json; charset=utf-8",
 	    "dataType": "json",
diff --git a/gn2/wqflask/templates/oauth2/data-list-mrna.html b/gn2/wqflask/templates/oauth2/data-list-mrna.html
index 728e95d4..0ee9d27e 100644
--- a/gn2/wqflask/templates/oauth2/data-list-mrna.html
+++ b/gn2/wqflask/templates/oauth2/data-list-mrna.html
@@ -95,6 +95,8 @@
 	  action="{{search_uri}}"
 	  method="POST">
       <legend>Search: mRNA Assay</legend>
+
+      <input type="hidden" id="bearer_token" name="bearer_token" value="{{bearer_token}}" />
       <input type="hidden" value="{{species_name}}" name="species"
 	     id="txt-species-name" />
       <input type="hidden" value="{{dataset_type}}" name="dataset_type"
-- 
cgit v1.2.3


From 960de55dd1f835bb11887647243c2c65c27f7d08 Mon Sep 17 00:00:00 2001
From: John Nduli
Date: Wed, 7 Aug 2024 09:32:16 +0300
Subject: chore: remove passing bearer token to end user

---
 gn2/wqflask/oauth2/ui.py | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

(limited to 'gn2/wqflask/oauth2')

diff --git a/gn2/wqflask/oauth2/ui.py b/gn2/wqflask/oauth2/ui.py
index 89739fe3..04095420 100644
--- a/gn2/wqflask/oauth2/ui.py
+++ b/gn2/wqflask/oauth2/ui.py
@@ -1,11 +1,7 @@
 """UI utilities"""
-from flask import session, render_template
-
-from gn2.wqflask.oauth2 import session
+from flask import render_template
 
 from .client import oauth2_get
-from .client import user_logged_in
-from .request_utils import process_error
 
 def render_ui(templatepath: str, **kwargs):
     """Handle repetitive UI rendering stuff."""
@@ -15,8 +11,7 @@ def render_ui(templatepath: str, **kwargs):
                 lambda _err: roles, lambda auth_roles: auth_roles)
     user_privileges = tuple(
         privilege["privilege_id"] for role in roles for privilege in role["privileges"])
-    user_token = session.user_token().either(lambda _err: "", lambda token: token["access_token"])
     kwargs = {
-            **kwargs, "roles": roles, "user_privileges": user_privileges, "bearer_token": user_token
+            **kwargs, "roles": roles, "user_privileges": user_privileges,
     }
     return render_template(templatepath, **kwargs)
-- 
cgit v1.2.3