Stop using env OAUTH2_INTROSPECTION_SUB_KEY and OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE
index-git committed Jan 15, 2024
1 parent 71392a1 commit 1c34535
Showing 7 changed files with 10 additions and 24 deletions.
2 changes: 0 additions & 2 deletions .env.dev
Expand Up @@ -91,8 +91,6 @@ OAUTH2_AUTH_URL=http://localhost:8083/o/authorize
OAUTH2_TOKEN_URL=http://wagtail:8000/o/token/
OAUTH2_CALLBACK_URL=http://localhost:3000/client/authn/oauth2-provider/callback
OAUTH2_INTROSPECTION_URL=http://wagtail:8000/o/introspect/
OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
OAUTH2_INTROSPECTION_SUB_KEY=userId
OAUTH2_USER_PROFILE_URL=http://wagtail:8000/profile


1 change: 1 addition & 0 deletions .env.test
Expand Up @@ -88,6 +88,7 @@ OAUTH2_CLIENT_ID=VECGuQb00tWt8HZNkA4cxu6dnoQD5pF6Up3daAoK
OAUTH2_CLIENT_SECRET=aY14rwkEKasNqBEZX8OnhpRk8lpHAfT7oKTlf4LriEK8oMZxhnGKcnt4bZ72pceNEl83B6LtBvhKr3BqBLFA80Pd6Ugav2rkc8bk7TE4LkaoB2qcBQmjiOiEpizsgZGx
OAUTH2_CLIENT1_ID=test-id-for-client-with-pkce-flow
OAUTH2_AUTH_URL=http://localhost:8083/o/authorize
OAUTH2_USER_PROFILE_URL=http://layman_test_run_1:8030/rest/test-oauth2/user-profile


##############################################################################
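Review bot: the hostname in the new `OAUTH2_USER_PROFILE_URL=http://layman_test_run_1:8030/rest/test-oauth2/user-profile` is hardcoded, whereas the value it replaces in test_tools/process.py was derived from `settings.LAYMAN_SERVER_NAME` and `OAUTH2_PROVIDER_MOCK_PORT`; if either of those changes, this line silently points the mock profile endpoint at the wrong host or port. Either keep the derived value in process.py, or add a comment here stating that the host and port must match LAYMAN_SERVER_NAME and the mock provider port.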
15 changes: 4 additions & 11 deletions CHANGELOG.md
Expand Up @@ -10,14 +10,7 @@
- Stop using environment variable `LAYMAN_GS_ROLE_SERVICE`, it has no effect to Layman anymore. Layman now uses [role service](doc/security.md#role-service) identified by new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI). The service is called `layman_role_service` on GeoServer.
- Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
- If you are using Wagtail as OAuth2 provider
- Set new environment variable [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](doc/env-settings.md#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE):
```
OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
```
- Change environment variable [OAUTH2_INTROSPECTION_SUB_KEY](doc/env-settings.md#OAUTH2_INTROSPECTION_SUB_KEY):
```
OAUTH2_INTROSPECTION_SUB_KEY=userId
```
- Stop using environment variable `OAUTH2_INTROSPECTION_SUB_KEY`, it has no effect to Layman anymore.
- After running `make upgrade-demo` or `make-upgrade-demo-full`, run also script `v1_23_change_oauth2_sub_username_to_user_id.py`:
```bash
docker compose -f docker-compose.deps.demo.yml -f docker-compose.demo.yml run --rm --no-deps -u root -e LAYMAN_WAGTAIL_DB_URI=<URI_of_Wagtail_db> layman bash -c "cd src && python3 -B v1_23_change_oauth2_sub_username_to_user_id.py"
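Review bot: the new upgrade bullet only says `OAUTH2_INTROSPECTION_SUB_KEY` has no effect anymore, while the commit also stops reading `OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE`; list both so operators know to drop both from their .env. The bullet also sits under the unchanged "If you are using Wagtail as OAuth2 provider" item, but the removal affects every provider: the old default of reading `sub` from the introspection response (documented as the suitable option for Liferay in the deleted doc/env-settings.md text) is gone, so a sentence stating that the subject is now always the `userId` key of the user-profile response, regardless of provider, belongs in the general upgrade notes.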
Expand Down Expand Up @@ -53,7 +46,7 @@
- GET Workspace [Layers](doc/rest.md#get-workspace-layers)/[Maps](doc/rest.md#get-workspace-maps)
- GET [Layers](doc/rest.md#get-layers)/[Maps](doc/rest.md#get-maps)/[Publications](doc/rest.md#get-publications)
- [#165](https://github.com/LayerManager/layman/issues/165) Name of [users](doc/models.md#username) and [public workspaces](doc/models.md#public-workspace) are from now on restricted to a maximum length of 59 characters.
- [940](https://github.com/LayerManager/layman/issues/940) Enable to use `userId` as OAuth2 "sub" instead of `username`. This is recommended option for Wagtail. See [OAUTH2_INTROSPECTION_SUB_KEY](doc/env-settings.md#OAUTH2_INTROSPECTION_SUB_KEY) for more details.
- [940](https://github.com/LayerManager/layman/issues/940) OAuth2 subject (also known as "sub") is taken from `userId` key of [OAUTH2_USER_PROFILE_URL](doc/env-settings.md#OAUTH2_USER_PROFILE_URL).
- [941](https://github.com/LayerManager/layman/issues/941) Wagtail database is now persistent when restarting Layman or Wagtail.
- All changes from [v1.22.1](#v1221), [v1.22.2](#v1222) and [v1.22.3](#v1223).
- [#960](https://github.com/LayerManager/layman/issues/960) Handle WMS requests with HTTP error more efficiently in timgen.
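Review bot: style point on the changed line: the issue reference is written `[940](...)` while neighbouring entries use `[#165](...)` and `[#960](...)`; add the `#` for consistency (the unchanged `[941]` line has the same inconsistency).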
Expand Down Expand Up @@ -385,7 +378,7 @@ make client-build
- Maximum length of layer and map name is 210 characters.
- [#606](https://github.com/LayerManager/layman/issues/606) Fix filtering and ordering publications by bounding box in case of publication with whole world bounding box in database.
- New environment variable [OAUTH2_LIFERAY_SCOPE](doc/env-settings.md#oauth2_scope). Introduced in v1.16.2.
- New environment variable [OAUTH2_LIFERAY_INTROSPECTION_SUB_KEY](doc/env-settings.md#oauth2_introspection_sub_key). Introduced in v1.16.1.
- New environment variable [OAUTH2_LIFERAY_INTROSPECTION_SUB_KEY](https://github.com/LayerManager/layman/blob/v1.22.3/doc/env-settings.md#oauth2_introspection_sub_key). Introduced in v1.16.1.
- [#599](https://github.com/LayerManager/layman/issues/599) Layman supports uploading data files with upper or mixed case extensions. Introduced in v1.16.1.
- [#541](https://github.com/LayerManager/layman/issues/541) Vector layers are stored in DB table with name in form `layer_<UUID>`, e.g. `layer_96b918c6_d88c_42d8_b999_f3992b826958`, previously the name of the table was the same as name of the layer.

Expand Down Expand Up @@ -419,7 +412,7 @@ make client-build
### Changes
- Fix infinity loop when generating map thumbnail. One of consequences was that such infinity loops consumed all celery workers and it was not possible to complete POST/PATCH map or layer.
- Fix empty map thumbnail. In some cases, map thumbnail was generated as if anonymous user asks for the map. Now the thumbnail is generated as if user with writing rights asks for the map.
- New environment variable [OAUTH2_LIFERAY_INTROSPECTION_SUB_KEY](doc/env-settings.md#oauth2_introspection_sub_key).
- New environment variable [OAUTH2_LIFERAY_INTROSPECTION_SUB_KEY](https://github.com/LayerManager/layman/blob/v1.22.3/doc/env-settings.md#oauth2_introspection_sub_key).
- [#599](https://github.com/LayerManager/layman/issues/599) Layman supports uploading data files with upper or mixed case extensions.

## v1.16.0
6 changes: 0 additions & 6 deletions doc/env-settings.md
Expand Up @@ -84,12 +84,6 @@ URL of LTC OAuth2 callback endpoint to be called after successful OAuth2 authori
### OAUTH2_INTROSPECTION_URL
URL of OAuth2 Introspection endpoint.

### OAUTH2_INTROSPECTION_SUB_KEY
Name of the key in OAuth2 introspection response whose value is OAuth2 subject (also known as "sub"). Value `userId` is suitable for Wagtail (together with setting [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE) to `true`). If not set or set to empty string, `sub` is used, that is suitable option for Liferay.

### OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE
Set to `true` if you want [OAUTH2_INTROSPECTION_SUB_KEY](#OAUTH2_INTROSPECTION_SUB_KEY) to be read from [OAUTH2_USER_PROFILE_URL](#OAUTH2_USER_PROFILE_URL) instead of [OAUTH2_INTROSPECTION_URL](#OAUTH2_INTROSPECTION_URL). Default value is `false`. Value `true` is suitable for Wagtail.

### OAUTH2_USER_PROFILE_URL
URL of User Profile endpoint used to obtain user's ID, name, email, etc.

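Review bot: with the two sections deleted, nothing in doc/env-settings.md says that the `userId` key of the OAUTH2_USER_PROFILE_URL response is used as the OAuth2 subject, or that the profile endpoint is therefore required whenever OAuth2 authentication is enabled; extend the OAUTH2_USER_PROFILE_URL description ("URL of User Profile endpoint used to obtain user's ID, name, email, etc.") with that sentence, since after this change the CHANGELOG is the only place it is stated.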
4 changes: 2 additions & 2 deletions src/layman_settings.py
Expand Up @@ -214,9 +214,9 @@ class EnumWfsWmsStatus(Enum):
if len(u) > 0
]
OAUTH2_INTROSPECTION_URL = os.getenv('OAUTH2_INTROSPECTION_URL', None)
OAUTH2_INTROSPECTION_SUB_KEY = os.getenv('OAUTH2_INTROSPECTION_SUB_KEY') or 'sub'
OAUTH2_INTROSPECTION_SUB_KEY = 'userId'
OAUTH2_USER_PROFILE_URL = os.getenv('OAUTH2_USER_PROFILE_URL', None)
OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = os.getenv('OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE', 'false') == 'true'
OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = True
OAUTH2_CLIENTS = [
d for d in read_clients_dict_from_env()
if len(d['id']) > 0
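Review bot: the two assignments are now constants, but `OAUTH2_USER_PROFILE_URL` on the line between them still defaults to `None`; with `OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE` fixed to `True`, an instance without that variable cannot resolve any subject and will fail at the first authenticated request instead of at startup. Consider validating that `OAUTH2_USER_PROFILE_URL` is set whenever the oauth2 authn module is enabled. Also, since `os.getenv('OAUTH2_INTROSPECTION_SUB_KEY')` and the matching getenv for the second variable are no longer read, a deployment that still exports the old variables has them silently ignored; a startup warning when either is present would make the documented "stop using" step verifiable.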
4 changes: 2 additions & 2 deletions test_tools/mock/oauth2_provider/app.py
Expand Up @@ -14,7 +14,7 @@ def create_app(app_config):
tok2prof = {}
tok2prof.update(token_2_profile)
u_idx = 30000
for username, userdef in value.items():
for user_id, (username, userdef) in enumerate(value.items()):
sub = userdef.get('sub') if userdef and userdef.get('sub') else f'{u_idx}'
assert sub not in [
introsp['sub'] for introsp in tok2is.values()
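Review bot: `enumerate(value.items())` starts at 0 and numbers users by dict insertion order, so the first mock user receives `userId` 0 (a falsy value) and every user's id shifts when another user is inserted before it in the config; use `enumerate(..., start=1)` or the existing `u_idx` counter so ids are stable and non-zero. Note also that the `assert sub not in [...]` uniqueness check still guards the introspection `sub`, which Layman no longer uses as the subject after this commit; enumerate happens to make `userId` unique here, but the assertion no longer protects the value that is actually consumed.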
Expand All @@ -28,7 +28,7 @@ def create_app(app_config):
"lastName": f"{username}",
"middleName": "",
"screenName": f"{username}",
"userId": sub,
"userId": user_id,
}
if userdef:
tok2prof[username].update(userdef)
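Review bot: `"userId": user_id` stores an int where the previous value `sub` was a string (`f'{u_idx}'` in the hunk above); if Layman compares the subject against usernames or stored values as strings, a JSON integer may fail to match or be rejected by a type check. Emitting `f'{user_id}'` keeps the type the mock produced before this change.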
2 changes: 1 addition & 1 deletion test_tools/process.py
Expand Up @@ -22,7 +22,7 @@
AUTHN_SETTINGS = {
'LAYMAN_AUTHN_MODULES': 'layman.authn.oauth2',
'OAUTH2_INTROSPECTION_URL': AUTHN_INTROSPECTION_URL,
'OAUTH2_USER_PROFILE_URL': f"http://{settings.LAYMAN_SERVER_NAME.split(':')[0]}:{OAUTH2_PROVIDER_MOCK_PORT}/rest/test-oauth2/user-profile",
'OAUTH2_USER_PROFILE_URL': settings.OAUTH2_USER_PROFILE_URL,
}

LAYMAN_SETTING = layman_util.SimpleStorage()
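Review bot: `settings.OAUTH2_USER_PROFILE_URL` falls back to `None` when the variable is absent (see the `os.getenv('OAUTH2_USER_PROFILE_URL', None)` line in src/layman_settings.py in this commit), so `AUTHN_SETTINGS` would silently carry `None` if .env.test is not loaded; add an assertion that the value is set. The replaced f-string also guaranteed the URL matched `LAYMAN_SERVER_NAME` and `OAUTH2_PROVIDER_MOCK_PORT`, which the new .env.test value no longer does automatically.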