handle if default site admin not present (#820)
daisieh authored Oct 18, 2024
1 parent f0cc5a3 commit a92c414
Showing 3 changed files with 59 additions and 31 deletions.
16 changes: 16 additions & 0 deletions docs/production-candig.md
Expand Up @@ -184,6 +184,22 @@ export TOKEN=$(echo $CURL_OUTPUT | grep -Eo 'access_token":"[a-zA-Z0-9._\-]+' |
curl -X DELETE $CANDIG_URL'/ingest/site-role/admin/email/site_admin@test.ca' -H 'Authorization: Bearer '$TOKEN
```

Comment out or remove the value of DEFAULT_SITE_ADMIN_USER in your .env file:
```
# default name for built-in site admin
#DEFAULT_SITE_ADMIN_USER=site_admin@test.ca
```

Run `python settings.py; source env.sh` again to reset your environment variables.

Test that the default user has been removed successfully:
Remove the cached refresh token:
```
rm tmp/site-admin-refresh-token
```

Run `python site_admin_token.py`. You should be prompted for your actual site admin username and password.

Keep the site admin user and password secure at all times.

### Adding a site curator
54 changes: 33 additions & 21 deletions settings.py
Expand Up @@ -23,17 +23,20 @@

# Python-dotenv doesn't interpolate quite correctly, so get_env_value interpolates manually
def get_env_value(key):
raw_value = CANDIGV2_ENV[key]
try:
raw_value = CANDIGV2_ENV[key]

while True:
var_match = re.match(r"^(.*)\$\{(.+?)\}(.*)$", raw_value, re.DOTALL)
if var_match is not None:
raw_value = var_match.group(1) + CANDIGV2_ENV[var_match.group(2)] + var_match.group(3)
else:
break
while True:
var_match = re.match(r"^(.*)\$\{(.+?)\}(.*)$", raw_value, re.DOTALL)
if var_match is not None:
raw_value = var_match.group(1) + CANDIGV2_ENV[var_match.group(2)] + var_match.group(3)
else:
break

CANDIGV2_ENV[key] = raw_value
return raw_value
CANDIGV2_ENV[key] = raw_value
return raw_value
except KeyError:
return None


def get_env():
Expand All @@ -51,22 +54,10 @@ def get_env():
vars["CANDIG_DEBUG_MODE"] = get_env_value("CANDIG_DEBUG_MODE")
vars["CANDIG_USER_KEY"] = get_env_value("CANDIG_USER_KEY")
vars["VAULT_SERVICE_PUBLIC_URL"] = get_env_value("VAULT_SERVICE_PUBLIC_URL")
vars["CANDIG_SITE_ADMIN_USER"] = get_env_value("DEFAULT_SITE_ADMIN_USER")
vars["CANDIG_NOT_ADMIN_USER"] = get_env_value("TEST_USER_1")
vars["CANDIG_NOT_ADMIN2_USER"] = get_env_value("TEST_USER_2")
# vars that come from files:
if os.path.isfile("tmp/keycloak/client-secret"):
with open("tmp/keycloak/client-secret") as f:
vars["CANDIG_CLIENT_SECRET"] = f.read().splitlines().pop()
if os.path.isfile("tmp/keycloak/test-site-admin-password"):
with open("tmp/keycloak/test-site-admin-password") as f:
vars["CANDIG_SITE_ADMIN_PASSWORD"] = f.read().splitlines().pop()
if os.path.isfile("tmp/keycloak/test-user-password"):
with open("tmp/keycloak/test-user-password") as f:
vars["CANDIG_NOT_ADMIN_PASSWORD"] = f.read().splitlines().pop()
if os.path.isfile("tmp/keycloak/test-user2-password"):
with open("tmp/keycloak/test-user2-password") as f:
vars["CANDIG_NOT_ADMIN2_PASSWORD"] = f.read().splitlines().pop()
if os.path.isfile("tmp/vault/keys.txt"):
with open("tmp/vault/keys.txt") as f:
vars["VAULT_ROOT_TOKEN"] = f.read().splitlines().pop(-1)
Expand All @@ -76,6 +67,27 @@ def get_env():
vars["POSTGRES_PASSWORD_FILE"] = f"tmp/postgres/db-secret"
vars["CANDIG_ENV"] = INTERPOLATED_ENV
vars["DB_PATH"] = "postgres-db"

# test users:
if get_env_value("DEFAULT_SITE_ADMIN_USER") is not None:
vars["CANDIG_SITE_ADMIN_USER"] = get_env_value("DEFAULT_SITE_ADMIN_USER")
if os.path.isfile("tmp/keycloak/test-site-admin-password"):
with open("tmp/keycloak/test-site-admin-password") as f:
vars["CANDIG_SITE_ADMIN_PASSWORD"] = f.read().splitlines().pop()
else:
vars["CANDIG_SITE_ADMIN_USER"] = ""
vars["CANDIG_SITE_ADMIN_PASSWORD"] = ""

vars["CANDIG_NOT_ADMIN_USER"] = get_env_value("TEST_USER_1")
if os.path.isfile("tmp/keycloak/test-user-password"):
with open("tmp/keycloak/test-user-password") as f:
vars["CANDIG_NOT_ADMIN_PASSWORD"] = f.read().splitlines().pop()

vars["CANDIG_NOT_ADMIN2_USER"] = get_env_value("TEST_USER_2")
if os.path.isfile("tmp/keycloak/test-user2-password"):
with open("tmp/keycloak/test-user2-password") as f:
vars["CANDIG_NOT_ADMIN2_PASSWORD"] = f.read().splitlines().pop()

return vars


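Review bot: The new `except KeyError` in get_env_value (first hunk of this file) also covers the interpolation loop, so a value that references an undefined variable (`${FOO}` with no FOO key in CANDIGV2_ENV) now silently returns None instead of raising, which makes a misconfigured .env indistinguishable from a deliberately unset key. Narrow the guard to the initial lookup by placing `except KeyError:` / `return None` directly after `raw_value = CANDIGV2_ENV[key]` and keeping the while loop outside the try, so a dangling reference still fails loudly. Separately, in the last hunk of this file, `is not None` treats a `DEFAULT_SITE_ADMIN_USER=` line with an empty value as present (python-dotenv yields "" for such an assignment, if I read it right), leaving an empty username paired with a password read from tmp/keycloak/test-site-admin-password; binding the value once and testing it with `if site_admin:` covers both the missing and the empty case and removes the duplicated get_env_value call.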
20 changes: 10 additions & 10 deletions site_admin_token.py
@@ -1,5 +1,6 @@
import authx.auth
import os
import getpass
from settings import get_env

ENV = get_env()
Expand All @@ -15,16 +16,11 @@ def get_site_admin_token(username=None, password=None, refresh_token=None):
# if no refresh token, get one:
# check for default site admin user: if not present, check env vars
username = os.getenv("CANDIG_SITE_ADMIN_USER")
if os.path.isfile("tmp/keycloak/test-site-admin-password"):
with open(f"tmp/keycloak/test-site-admin-password") as f:
password = f.read().splitlines().pop()
else:
password = os.getenv("CANDIG_SITE_ADMIN_PASSWORD")

password = os.getenv("CANDIG_SITE_ADMIN_PASSWORD")
# site admin user/password need to be inputted on stdin if not default:
if password is None:
if password is None or password == "":
username = input("Enter username: ")
password = input("Enter password: ")
password = getpass.getpass("Enter password: ")

try:
credentials = authx.auth.get_oauth_response(
Expand All @@ -39,8 +35,11 @@ def get_site_admin_token(username=None, password=None, refresh_token=None):
if "error" in credentials:
try:
os.remove("tmp/site-admin-refresh-token")
except:
except FileNotFoundError:
pass
except Exception as e:
print(str(e))
print(type(e))
return get_site_admin_token()

with open(f"tmp/site-admin-refresh-token", "w") as f:
Expand All @@ -55,4 +54,5 @@ def get_site_admin_token(username=None, password=None, refresh_token=None):
raise authx.auth.CandigAuthError(f"Error obtaining response from keycloak server: {e}")

if __name__ == "__main__":
print(get_site_admin_token())
result = get_site_admin_token()
print(result)
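Review bot: In the `except Exception as e` branch (third hunk of this file), a failure to delete tmp/site-admin-refresh-token is only printed and control appears to fall through to `return get_site_admin_token()`, so if the stale file cannot be removed (a permissions error, say) every retry hits the same error and the recursion only ends at RecursionError; raise there instead, e.g. `raise authx.auth.CandigAuthError(f"Could not remove stale refresh token: {e}") from e`, so the caller gets one clear failure. The two `print` calls also write diagnostics to stdout, which is where `__main__` prints the token, so anything capturing that output (a shell `$(python site_admin_token.py)`) would pick them up; use `print(..., file=sys.stderr)` with an `import sys`. In the first hunk, `if password is None or password == "":` should also cover an unset or empty username, since get_env now sets CANDIG_SITE_ADMIN_USER to "" when no default admin exists (presumably exported through env.sh): `if not username or not password:`. get_site_admin_token's body starts and ends outside these hunks.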
