Add authorization url that checks if the user is authorized to access…

… jupyterhub (#19) Add an optional setting that can be used to check whether a user has permission to log in to juptyerhub. After a user is logged in to Magpie, the `MagpieAuthenticator` will make a request to the provided URL and will allow the login if the response is "OK" (ie. < 400) This should be used in combination with a jupyterhub provider setting in Magpie that can be queried through the `/twitcher/ows/verify/` endpoints to enable/disable access to log in to jupyterhub for a specific user or group. Example set up: - Configure Magpie so that when a user logs in to Magpie, the url `http://my.domain.com//twitcher/ows/verify/jupyterhub` will return a 200 response code when the user is allowed to log in to juptyerhub - set `MagpieAuthenticator.authorization_url = "http://my.domain.com//twitcher/ows/verify/jupyterhub"`
Ouranosinc · Oct 2, 2023 · 8f8d0d0 · 8f8d0d0
2 parents fb54772 + a993769
commit 8f8d0d0
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py b/jupyterhub_magpie_authenticator/jupyterhub_magpie_authenticator.py
@@ -24,6 +24,10 @@ class MagpieAuthenticator(Authenticator):
      - c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator'
      - c.MagpieAuthenticator.magpie_url = "magpie:2000" # url where magpie is running (does not need to be public)
      - c.MagpieAuthenticator.public_fqdn = "www.example.com"  # fqdn of server where magpie is running
+
+    You may also optionally choose to set an `authorization_url` which is a URL that can be used to check whether the
+    user logged in to Magpie has permission to access jupyterhub:
+     - c.MagpieAuthenticator.authorization_url = "http://twitcher:8000/ows/verify/jupyterhub"
     """
     default_provider = "ziggurat"
     magpie_url = Unicode(
@@ -35,6 +39,12 @@ class MagpieAuthenticator(Authenticator):
         config=True,
         help="Public fully qualified domain name. Used to set the magpie login cookie."
     )
+    authorization_url = Unicode(
+        default=None,
+        config=True,
+        help="optional URL that can be used to check whether the user logged in to Magpie has permission to access "
+             "jupyterhub"
+    )
 
     def get_handlers(self, app):
         return [
@@ -52,6 +62,10 @@ async def authenticate(self, handler, data):
         response = requests.post(signin_url, data=post_data)
 
         if response.ok:
+            if self.authorization_url:
+                auth_response = requests.get(self.authorization_url, cookies=response.cookies.get_dict())
+                if not auth_response.ok:
+                    return None
             for cookie in response.cookies:
                 handler.set_cookie(name=cookie.name,
                                    value=cookie.value,