| Age | Commit message (Collapse) | Author |
|
|
|
While we do not actually use the password-flow for authentication on
the system, it is useful for getting tokens when running (integration)
tests against the system. This commit allows the test harness to make
use of the simpler password-flow authentication to get tokens.
|
|
|
|
|
|
|
|
On CI/CD, the tests are run under a different user that the one that
runs the gn-auth service, therefore we need the generated files to be
readable by more than just the user running the gn-auth service.
|
|
|
|
ever allowing them
This commit allows the auth system to handle Temp traits (by just treating them as public traits)
|
|
|
|
Add delete-test-users which reads the credentials file produced by
create-test-users and deletes all listed users unconditionally via
delete_users_by_id, bypassing policy checks. Intended for CI teardown.
|
|
Add delete-oauth2-client which reads a credentials file produced
by create-oauth2-client or create-test-oauth2-client and removes the
client and its associated tokens from the database.
|
|
Add create-test-oauth2-client which reads the users-file produced
by create-test-users to find the client owner, auto-generates the client
name with the session timestamp, and delegates to __create_one_client__.
|
|
Add a __create_one_client__ helper that constructs an OAuth2Client,
hashes the secret, persists it via save_client, and returns a credential
record dict. Add create-oauth2-client CLI command that exposes all client
parameters explicitly. Preparation for reuse by create-test-oauth2-client.
|
|
Add create_test_users which auto-generates timestamped emails and random
passwords for ephemeral test accounts, delegating DB creation to the
__create_one_user__ helper introduced in the previous commit.
|
|
Refactor create_users to delegate per-user DB creation to a shared
__create_one_user__ helper. No behaviour change — preparation for
reuse by the forthcoming create_test_users command.
|
|
Add a delete-users command that removes one or more users by UUID,
unconditionally bypassing the policy checks in the HTTP endpoint.
Delegates to delete_users_by_id from the authorisation users models.
|
|
|
|
Add a low-level delete_users_by_id function that removes users and all
their dependent data unconditionally, bypassing the policy checks in the
'/auth/users/delete' HTTP endpoint (which refuses to delete privileged
users).
This is intended for use by CLI test-teardown commands and the
sudo-wrapped CI cleanup script. It might also find utility in other
places where we do actually need to delete a user and their data
unconditionally.
Co-authored-by: Frederick Muriuki Muriithi <fredmanglis@gmail.com>
|
|
Add a general-purpose `create-users` command that creates one or more
users with explicitly specified name, email, password and role.
Supported roles: system-admin (assigns default roles plus
grant_sysadmin_role), none (assigns default roles only).
Output is written as JSON to a file (with 0600 permissions) or stdout.
Helper functions __parse_user_spec__ and __write_output__ are factored
out for reuse by the forthcoming create-test-users command.
|
|
The startup checks should be used sparingly, if at all, and they
override every other setting.
|
|
|
|
In preparation for migrating to pyproject.toml (from setup.py and
friends) we need to have only one top-level package. This will also
help in improving testing and checks down the line, since everything
will be relative to one single top-level directory.
|
|
In preparation for migrating to pyproject.toml (from setup.py and
friends) we need to have only one top-level package. This will also
help in improving testing and checks down the line, since everything
will be relative to one single top-level directory.
|
|
The `gn_auth.auth.authorisation.resources.checks.can_[edit/delete]`
functions duplicate the utility provided by similar named functions in
the `gn_libs.privileges.resources` package. These ones are, thus,
deprecated in favour of the gn-libs ones.
|
|
The `gn_auth.auth.authorisation.resources.checks.can_view` function is
no longer used in this code base. It can be safely removed.
|
|
|
|
|
|
To avoid failures later due to missing keys, we initialise the initial
value used in reduce to a dict with empty tuples for every key.
|
|
Fetch resources using the dataset names (and trait names where
relevant) to simplify the code, and make it clearer what the endpoint
actually does.
|
|
|
|
|
|
|
|
|
|
Replace the functions and classes in `gn_auth.auth.db.sqlite3` with
those in `gn_libs.sqlite3` to reduce duplications.
Deprecate the `gn_auth.auth.db.sqlite3` module and the remaining
function(s) within in preparation for removal.
|
|
|
|
To help with debugging and traceability, both in development and
production, we need to be able to turn individual module loggers on or
off in a flexible way. This commit enables that.
|
|
|
|
|
|
|
|
|
|
|
|
The default system-level privilege is the "public-view", i.e. the
users can view basic details about the Genenetwork system. If no
authorisation is provided when accessing the /auth/system/roles
endpoint, return the default role/privilege.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Return a count of the total number of resources that the user has
access to even if we are only interested in a few of the records.
|
|
|