From 22ae182ac3ac8ea652f21ae15d649ca683910c6b Mon Sep 17 00:00:00 2001 From: Matheus Tosta Date: Thu, 20 Jun 2024 09:09:01 -0300 Subject: [PATCH 1/2] PENG-2230 remove the audience setting from the API project --- jobbergate-api/CHANGELOG.md | 2 ++ jobbergate-api/jobbergate_api/config.py | 2 -- jobbergate-api/jobbergate_api/security.py | 3 --- jobbergate-api/tests/test_security.py | 8 -------- 4 files changed, 2 insertions(+), 13 deletions(-) diff --git a/jobbergate-api/CHANGELOG.md b/jobbergate-api/CHANGELOG.md index 711a6feff..4e200a019 100644 --- a/jobbergate-api/CHANGELOG.md +++ b/jobbergate-api/CHANGELOG.md @@ -4,8 +4,10 @@ This file keeps track of all notable changes to jobbergate-api ## Unreleased +- Remove the audience setting [[PENG-2230](https://sharing.clickup.com/t/h/c/18022949/PENG-2230/O40JANAF6KCBE9R)] ## 5.2.0 -- 2024-07-01 + - Fixed issue when retrieving large files on get routes after upgrading to FastAPI 0.111 - Change pydantic.BaseSettings config to use `extra=ignore` - Migrated to Pydantic version 2 [PENG-2277] diff --git a/jobbergate-api/jobbergate_api/config.py b/jobbergate-api/jobbergate_api/config.py index af1f46146..20aa9f170 100644 --- a/jobbergate-api/jobbergate_api/config.py +++ b/jobbergate-api/jobbergate_api/config.py @@ -79,10 +79,8 @@ class Settings(BaseSettings): # Security Settings. For details, see https://github.com/omnivector-solutions/armasec ARMASEC_DOMAIN: str ARMASEC_USE_HTTPS: bool = Field(True) - ARMASEC_AUDIENCE: Optional[str] = None ARMASEC_DEBUG: bool = Field(False) ARMASEC_ADMIN_DOMAIN: Optional[str] = None - ARMASEC_ADMIN_AUDIENCE: Optional[str] = None ARMASEC_ADMIN_MATCH_KEY: Optional[str] = None ARMASEC_ADMIN_MATCH_VALUE: Optional[str] = None diff --git a/jobbergate-api/jobbergate_api/security.py b/jobbergate-api/jobbergate_api/security.py index 6d7b463bf..8f7584021 100644 --- a/jobbergate-api/jobbergate_api/security.py +++ b/jobbergate-api/jobbergate_api/security.py 
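Review bot: Deployments that still export `ARMASEC_AUDIENCE` or `ARMASEC_ADMIN_AUDIENCE` get no signal that the value is now unused: the config.py hunk drops both fields from `Settings`, and the 5.2.0 changelog entry in this patch says the settings class uses `extra=ignore`, so the stale variables are presumably discarded silently. An operator could go on believing that tokens are audience-restricted when the API no longer configures one. I would expand the changelog line to say so, for example `- Remove the audience setting; ARMASEC_AUDIENCE and ARMASEC_ADMIN_AUDIENCE are now ignored and no token audience is configured by the API`, and consider logging a startup warning when either variable is still present in the environment. The `Settings` class starts and ends outside the hunk.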
@@ -25,14 +25,12 @@ def get_domain_configs() -> list[DomainConfig]:
 domain_configs = [
 DomainConfig(
 domain=settings.ARMASEC_DOMAIN,
- audience=settings.ARMASEC_AUDIENCE,
 use_https=settings.ARMASEC_USE_HTTPS,
 )
 ]
 if all(
 [
 settings.ARMASEC_ADMIN_DOMAIN,
- settings.ARMASEC_ADMIN_AUDIENCE,
 settings.ARMASEC_ADMIN_MATCH_KEY,
 settings.ARMASEC_ADMIN_MATCH_VALUE,
 ]
@@ -45,7 +43,6 @@ def get_domain_configs() -> list[DomainConfig]:
 domain_configs.append(
 DomainConfig(
 domain=settings.ARMASEC_ADMIN_DOMAIN,
- audience=settings.ARMASEC_ADMIN_AUDIENCE,
 use_https=settings.ARMASEC_USE_HTTPS,
 match_keys={settings.ARMASEC_ADMIN_MATCH_KEY: settings.ARMASEC_ADMIN_MATCH_VALUE},
 )
diff --git a/jobbergate-api/tests/test_security.py b/jobbergate-api/tests/test_security.py
index 35c5013f5..f1721bbf1 100644
--- a/jobbergate-api/tests/test_security.py
+++ b/jobbergate-api/tests/test_security.py
@@ -20,21 +20,18 @@ def test_get_domain_configs__loads_only_base_settings():
 """Check if the correct domain configuration is loaded when only one domain is provided."""
 with (
 patch.object(settings, "ARMASEC_DOMAIN", new="foo.io"),
- patch.object(settings, "ARMASEC_AUDIENCE", new="https://bar.dev"),
 ):
 domain_configs = get_domain_configs()
 assert len(domain_configs) == 1
 first_config = domain_configs.pop()
 assert first_config.domain == "foo.io"
- assert first_config.audience == "https://bar.dev"
 def test_get_domain_configs__loads_admin_settings_if_all_are_present():
 """Check if the correct domain configuration is loaded when two domains are provided."""
 with (
 patch.object(settings, "ARMASEC_DOMAIN", new="foo.io"),
- patch.object(settings, "ARMASEC_AUDIENCE", new="https://bar.dev"),
 patch.object(settings, "ARMASEC_ADMIN_DOMAIN", new="admin.io"),
 ):
 domain_configs = get_domain_configs()
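Review bot: Whether a token's `aud` claim is still checked is no longer decided in `get_domain_configs()`: with `audience=` removed from both `DomainConfig(...)` calls (here and in the second hunk at `@@ -45,7 +43,6 @@`), it depends on how Armasec behaves when no audience is configured, which this patch does not show. If Armasec skips the check in that case, a token issued by the same domain for a different client or API would pass signature validation here, leaving the permission claims (and `match_keys` for the admin domain) as the only restriction. I would record that decision next to the code, for example `# No audience is configured: tokens are accepted on signature and permission claims only (PENG-2230)`, and add a test that runs a token minted for another audience through the real decoder so the intended outcome is pinned. The function body starts before and continues past these hunks.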
@@ -42,13 +39,10 @@ def test_get_domain_configs__loads_admin_settings_if_all_are_present(): assert len(domain_configs) == 1 first_config = domain_configs.pop() assert first_config.domain == "foo.io" - assert first_config.audience == "https://bar.dev" with ( patch.object(settings, "ARMASEC_DOMAIN", new="foo.io"), - patch.object(settings, "ARMASEC_AUDIENCE", new="https://bar.dev"), patch.object(settings, "ARMASEC_ADMIN_DOMAIN", new="admin.io"), - patch.object(settings, "ARMASEC_ADMIN_AUDIENCE", new="https://admin.dev"), patch.object(settings, "ARMASEC_ADMIN_MATCH_KEY", new="foo"), patch.object(settings, "ARMASEC_ADMIN_MATCH_VALUE", new="bar"), ): @@ -57,9 +51,7 @@ def test_get_domain_configs__loads_admin_settings_if_all_are_present(): assert len(domain_configs) == 2 (first_config, second_config) = domain_configs assert first_config.domain == "foo.io" - assert first_config.audience == "https://bar.dev" assert second_config.domain == "admin.io" - assert second_config.audience == "https://admin.dev" assert second_config.match_keys == dict(foo="bar") From 7bcdd3cf4daf99cd7e0093c405920990d7cf6323 Mon Sep 17 00:00:00 2001 From: Matheus Tosta Date: Thu, 20 Jun 2024 09:12:35 -0300 Subject: [PATCH 2/2] PENG-2230 remove all mentions to audience setup in the documentation --- .../docs/source/developer_guide/dev_tools.md | 4 +--- .../docs/source/developer_guide/keycloak_setup.md | 14 +------------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/jobbergate-docs/docs/source/developer_guide/dev_tools.md b/jobbergate-docs/docs/source/developer_guide/dev_tools.md index a774ade3d..a54966350 100644 --- a/jobbergate-docs/docs/source/developer_guide/dev_tools.md +++ b/jobbergate-docs/docs/source/developer_guide/dev_tools.md 
@@ -173,10 +173,8 @@ Jobbergate settings:
 S3_ENDPOINT_URL: None
 ARMASEC_DOMAIN: localhost:9080/realms/master/protocol/openid-connect
 ARMASEC_USE_HTTPS: True
- ARMASEC_AUDIENCE: https://local.omnivector.solutions
 ARMASEC_DEBUG: True
 ARMASEC_ADMIN_DOMAIN: None
- ARMASEC_ADMIN_AUDIENCE: None
 ARMASEC_ADMIN_MATCH_KEY: None
 ARMASEC_ADMIN_MATCH_VALUE: None
 IDENTITY_CLAIMS_KEY: https://omnivector.solutions
@@ -196,7 +194,7 @@ poetry run dev-tools show-env --json The JSON output will look something like: ```json -{"DEPLOY_ENV": "LOCAL", "LOG_LEVEL": "DEBUG", "DATABASE_HOST": "localhost", "DATABASE_USER": "compose-db-user", "DATABASE_PSWD": "compose-db-pswd", "DATABASE_NAME": "compose-db-name", "DATABASE_PORT": 5432, "TEST_DATABASE_HOST": "localhost", "TEST_DATABASE_USER": "test-user", "TEST_DATABASE_PSWD": "test-pswd", "TEST_DATABASE_NAME": "test-db", "TEST_DATABASE_PORT": 5433, "S3_BUCKET_NAME": "jobbergate-k8s-staging", "S3_ENDPOINT_URL": null, "ARMASEC_DOMAIN": "localhost:9080/realms/master/protocol/openid-connect", "ARMASEC_USE_HTTPS": true, "ARMASEC_AUDIENCE": "https://local.omnivector.solutions", "ARMASEC_DEBUG": true, "ARMASEC_ADMIN_DOMAIN": null, "ARMASEC_ADMIN_AUDIENCE": null, "ARMASEC_ADMIN_MATCH_KEY": null, "ARMASEC_ADMIN_MATCH_VALUE": null, "IDENTITY_CLAIMS_KEY": "https://omnivector.solutions", "SENTRY_DSN": null, "SENTRY_SAMPLE_RATE": 1.0, "MAX_UPLOAD_FILE_SIZE": 104857600, "SENDGRID_FROM_EMAIL": null, "SENDGRID_API_KEY": null} +{"DEPLOY_ENV": "LOCAL", "LOG_LEVEL": "DEBUG", "DATABASE_HOST": "localhost", "DATABASE_USER": "compose-db-user", "DATABASE_PSWD": "compose-db-pswd", "DATABASE_NAME": "compose-db-name", "DATABASE_PORT": 5432, "TEST_DATABASE_HOST": "localhost", "TEST_DATABASE_USER": "test-user", "TEST_DATABASE_PSWD": "test-pswd", "TEST_DATABASE_NAME": "test-db", "TEST_DATABASE_PORT": 5433, "S3_BUCKET_NAME": "jobbergate-k8s-staging", "S3_ENDPOINT_URL": null, "ARMASEC_DOMAIN": "localhost:9080/realms/master/protocol/openid-connect", "ARMASEC_USE_HTTPS": true, "ARMASEC_DEBUG": true, "ARMASEC_ADMIN_DOMAIN": null, "ARMASEC_ADMIN_MATCH_KEY": null, "ARMASEC_ADMIN_MATCH_VALUE": null, "IDENTITY_CLAIMS_KEY": "https://omnivector.solutions", "SENTRY_DSN": null, "SENTRY_SAMPLE_RATE": 1.0, "MAX_UPLOAD_FILE_SIZE": 104857600, "SENDGRID_FROM_EMAIL": null, "SENDGRID_API_KEY": null} ``` ## The `dev-server` subcommand 
diff --git a/jobbergate-docs/docs/source/developer_guide/keycloak_setup.md b/jobbergate-docs/docs/source/developer_guide/keycloak_setup.md index da9072f4d..43f64bcf7 100644 --- a/jobbergate-docs/docs/source/developer_guide/keycloak_setup.md +++ b/jobbergate-docs/docs/source/developer_guide/keycloak_setup.md @@ -83,12 +83,6 @@ Jobbergate requires two claims that are not available by default. We will add th Click the `Mappers` tab at the top, and then click the `Create` button to add a new Mapper. -#### Audience - -First, we need to add an "audience" mapper. Select "audience" for the `Name` field. Next, select "Audience" for the -`Mapper Type`. The `Included Custom Audience` value may be whatever you like. The local deploy, by default, uses -. Make sure to enable the `Add to ID token` setting. - #### Permissions The `Armasec` package expects to find "permissions" in a claim at the root @@ -127,16 +121,10 @@ Click on the `Roles` tab, and click the `Add Role` button. Add all the following ### Add Mappers -Like the CLI client, the Agent's client also requires the "Audience" and "Permissions" mappers. +Like the CLI client, the Agent's client also requires the "Permissions" mapper. Click the `Mappers` tab at the top, and then click the `Create` button to add a new Mapper. -#### Audience - -First, we need to add an "audience" mapper. Select "audience" for the `Name` field. Next, select "Audience" for the -`Mapper Type`. The `Included Custom Audience` value may be whatever you like. The local deploy, by default, uses -"". Make sure to enable the `Add to ID token` setting. - #### Permissions Next, add a "permissions" mapper. The `Armasec` package expects to find a "permissions" claims under a claim at the root