about summary refs log tree commit diff
path: root/gn_auth
AgeCommit message (Collapse)Author
2026-06-25Clear any related JWT tokens when deleting a client. HEAD mainFrederick Muriuki Muriithi
2026-06-25Generate JWTs for password auth flow too.Frederick Muriuki Muriithi
While we do not actually use the password-flow for authentication on the system, it is useful for getting tokens when running (integration) tests against the system. This commit allows the test harness to make use of the simpler password-flow authentication to get tokens.
2026-06-22Bugfix: Provide missing `redirect_uris` required argument.Frederick Muriuki Muriithi
2026-06-22Delete the credentials files since they are no longer needed.Frederick Muriuki Muriithi
2026-06-22Specify scopes when creating a client.Frederick Muriuki Muriithi
2026-06-15Allow generated files to be readable by other users.Frederick Muriuki Muriithi
On CI/CD, the tests are run under a different user that the one that runs the gn-auth service, therefore we need the generated files to be readable by more than just the user running the gn-auth service.
2026-06-15Deactivate lint check for now.Frederick Muriuki Muriithi
2026-06-08Fix: Temp traits were broken by some recent changes that prevents auth from ↵zsloan
ever allowing them This commit allows the auth system to handle Temp traits (by just treating them as public traits)
2026-06-08Fix some minor linting errors.Frederick Muriuki Muriithi
2026-06-03wsgi: add delete-test-users commandClaude Sonnet 4.6
Add delete-test-users which reads the credentials file produced by create-test-users and deletes all listed users unconditionally via delete_users_by_id, bypassing policy checks. Intended for CI teardown.
2026-06-03wsgi: add delete-oauth2-client commandClaude Sonnet 4.6
Add delete-oauth2-client which reads a credentials file produced by create-oauth2-client or create-test-oauth2-client and removes the client and its associated tokens from the database.
2026-06-03wsgi: add create-test-oauth2-client commandClaude Sonnet 4.6
Add create-test-oauth2-client which reads the users-file produced by create-test-users to find the client owner, auto-generates the client name with the session timestamp, and delegates to __create_one_client__.
2026-06-03wsgi: add __create_one_client__ helper and create-oauth2-clientClaude Sonnet 4.6
Add a __create_one_client__ helper that constructs an OAuth2Client, hashes the secret, persists it via save_client, and returns a credential record dict. Add create-oauth2-client CLI command that exposes all client parameters explicitly. Preparation for reuse by create-test-oauth2-client.
2026-06-03wsgi: add create-test-users commandClaude Sonnet 4.6
Add create_test_users which auto-generates timestamped emails and random passwords for ephemeral test accounts, delegating DB creation to the __create_one_user__ helper introduced in the previous commit.
2026-06-03wsgi: extract __create_one_user__ helper from create_usersClaude Sonnet 4.6
Refactor create_users to delegate per-user DB creation to a shared __create_one_user__ helper. No behaviour change — preparation for reuse by the forthcoming create_test_users command.
2026-06-03wsgi: add delete-users CLI commandClaude Sonnet 4.6
Add a delete-users command that removes one or more users by UUID, unconditionally bypassing the policy checks in the HTTP endpoint. Delegates to delete_users_by_id from the authorisation users models.
2026-06-03Only grant system-administration role against the system resource.Frederick Muriuki Muriithi
2026-06-02users/models: add delete_users_by_id functionClaude Sonnet 4.6
Add a low-level delete_users_by_id function that removes users and all their dependent data unconditionally, bypassing the policy checks in the '/auth/users/delete' HTTP endpoint (which refuses to delete privileged users). This is intended for use by CLI test-teardown commands and the sudo-wrapped CI cleanup script. It might also find utility in other places where we do actually need to delete a user and their data unconditionally. Co-authored-by: Frederick Muriuki Muriithi <fredmanglis@gmail.com>
2026-06-02wsgi: add create-users CLI commandClaude Sonnet 4.6
Add a general-purpose `create-users` command that creates one or more users with explicitly specified name, email, password and role. Supported roles: system-admin (assigns default roles plus grant_sysadmin_role), none (assigns default roles only). Output is written as JSON to a file (with 0600 permissions) or stdout. Helper functions __parse_user_spec__ and __write_output__ are factored out for reuse by the forthcoming create-test-users command.
2026-05-21Override all settings with the startup settings before doing checks.Frederick Muriuki Muriithi
The startup checks should be used sparingly, if at all, and they override every other setting.
2026-05-21Remove dead code caught by vulture.Frederick Muriuki Muriithi
2026-05-21Move scripts to top-level gn_auth package.Frederick Muriuki Muriithi
In preparation for migrating to pyproject.toml (from setup.py and friends) we need to have only one top-level package. This will also help in improving testing and checks down the line, since everything will be relative to one single top-level directory.
2026-05-21Move migrations to top-level gn_auth package.Frederick Muriuki Muriithi
In preparation for migrating to pyproject.toml (from setup.py and friends) we need to have only one top-level package. This will also help in improving testing and checks down the line, since everything will be relative to one single top-level directory.
2026-05-21Deprecate functions which duplicate those in gn-libs.Frederick Muriuki Muriithi
The `gn_auth.auth.authorisation.resources.checks.can_[edit/delete]` functions duplicate the utility provided by similar named functions in the `gn_libs.privileges.resources` package. These ones are, thus, deprecated in favour of the gn-libs ones.
2026-05-21Delete unused function.Frederick Muriuki Muriithi
The `gn_auth.auth.authorisation.resources.checks.can_view` function is no longer used in this code base. It can be safely removed.
2026-05-21Remove unused argument/parameter from function.Frederick Muriuki Muriithi
2026-05-20Raise a NotFoundError if not a single resource is found.Frederick Muriuki Muriithi
2026-05-20Initialise initial value used in reduce.Frederick Muriuki Muriithi
To avoid failures later due to missing keys, we initialise the initial value used in reduce to a dict with empty tuples for every key.
2026-05-18Refactor authorisation-by-datasets-and-traits endpoint.Frederick Muriuki Muriithi
Fetch resources using the dataset names (and trait names where relevant) to simplify the code, and make it clearer what the endpoint actually does.
2026-05-18Fetch genotype resources by dataset.Frederick Muriuki Muriithi
2026-05-18Fetch mRNA resources by dataset name.Frederick Muriuki Muriithi
2026-05-18Fetch phenotype resources by dataset name and trait name.Frederick Muriuki Muriithi
2026-05-18Update call to `can_edit` to separate resource and system privilegesFrederick Muriuki Muriithi
2026-05-18Replace objects with gn_libs alternatives and deprecate the module.Frederick Muriuki Muriithi
Replace the functions and classes in `gn_auth.auth.db.sqlite3` with those in `gn_libs.sqlite3` to reduce duplications. Deprecate the `gn_auth.auth.db.sqlite3` module and the remaining function(s) within in preparation for removal.
2026-05-01Use module-level logging rather than the app's logger.Frederick Muriuki Muriithi
2026-05-01Enable turning logging on/off by module.Frederick Muriuki Muriithi
To help with debugging and traceability, both in development and production, we need to be able to turn individual module loggers on or off in a flexible way. This commit enables that.
2026-05-01Ensure ALL users with access to the resource are actually listed.Frederick Muriuki Muriithi
2026-04-23Remove debug artifact.Frederick Muriuki Muriithi
2026-04-23Improve error messages.Frederick Muriuki Muriithi
2026-04-23Fix minor linting bugs.Frederick Muriuki Muriithi
2026-04-23AuthorisationError is HTTP status code 401.Frederick Muriuki Muriithi
2026-04-23Allow anonymous users "public-view" privileges.Frederick Muriuki Muriithi
The default system-level privilege is the "public-view", i.e. the users can view basic details about the Genenetwork system. If no authorisation is provided when accessing the /auth/system/roles endpoint, return the default role/privilege.
2026-04-20Implement editing resource name.Frederick Muriuki Muriithi
2026-04-20Use module-level logger rather than application's logger.Frederick Muriuki Muriithi
2026-04-15Do not grant sysadmins direct access at resource creation.Frederick Muriuki Muriithi
2026-04-08user resources: Add a text filter for further filtering.Frederick Muriuki Muriithi
2026-04-08user resources: Enable filtering using only the limit and offset.Frederick Muriuki Muriithi
2026-04-08Use module-level logger.Frederick Muriuki Muriithi
2026-04-08user resources: return total with filtered records.Frederick Muriuki Muriithi
Return a count of the total number of resources that the user has access to even if we are only interested in a few of the records.
2026-04-07Handle minor bug.Frederick Muriuki Muriithi