Merge pull request #3481 from matyasselmeci/pr/public-read-auth-write…

….SOFTWARE-5727 Support public read / auth write
opensciencegrid · Nov 20, 2023 · 2e3f600 · 2e3f600
2 parents e91c71d + 02a5294
commit 2e3f600
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 11 deletions.
diff --git a/src/stashcache.py b/src/stashcache.py
@@ -370,8 +370,6 @@ def generate_cache_scitokens(global_data: GlobalData, fqdn: str, suppress_errors
 
  for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():
  for namespace in stashcache_obj.namespaces.values(): # type: Namespace
- if namespace.is_public():
- continue
  if not namespace_allows_cache_resource(namespace, cache_resource):
  continue
  if not resource_allows_namespace(cache_resource, namespace):
@@ -486,8 +484,6 @@ def generate_origin_scitokens(global_data: GlobalData, fqdn: str, suppress_error
 
  for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():
  for namespace in stashcache_obj.namespaces.values():
- if namespace.is_public():
- continue
  if not namespace_allows_origin_resource(namespace, origin_resource):
  continue
  if not resource_allows_namespace(origin_resource, namespace):
@@ -562,7 +558,7 @@ def _namespace_dict(ns: Namespace):
  nsdict = {
  "path": ns.path,
  "readhttps": not ns.is_public(),
- "usetokenonread": any(isinstance(a, SciTokenAuth) for a in ns.authz_list),
+ "usetokenonread": not ns.is_public() and any(isinstance(a, SciTokenAuth) for a in ns.authz_list),
  "writebackhost": ns.writeback,
  "dirlisthost": ns.dirlist,
  "caches": [],

diff --git a/src/tests/data/testvo.yaml b/src/tests/data/testvo.yaml
@@ -45,13 +45,18 @@ DataFederations:
  - Path: /testvo/PUBLIC
  Authorizations:
  - PUBLIC
+ - SciTokens:
+ Issuer: https://test.wisc.edu
+ Base Path: /testvo
+ Map Subject: False
  AllowedOrigins:
  # sc-origin.test.wisc.edu
  - TEST_STASHCACHE_ORIGIN
  # sc-origin2000.test.wisc.edu
  - TEST_STASHCACHE_ORIGIN_2000
  AllowedCaches:
  - ANY
+ Writeback: "https://sc-origin.test.wisc.edu:1095"
 
  - Path: /testvo/itb/helm-origin/PUBLIC
  Authorizations:

diff --git a/src/tests/test_stashcache.py b/src/tests/test_stashcache.py
@@ -25,8 +25,9 @@
 EMPTY_LINE_REGEX = re.compile(r'^\s*(#|$)') # Empty or comment-only lines
 I2_TEST_CACHE = "osg-sunnyvale-stashcache.nrp.internet2.edu"
 # ^^ one of the Internet2 caches; these serve both public and LIGO data
+# fake origins in our test data:
 TEST_ITB_HELM_ORIGIN = "helm-origin.osgdev.test.io"
-# ^^ a fake origin that's in our test data
+TEST_SC_ORIGIN = "sc-origin.test.wisc.edu"
 
 
 # Some DNs I can use for testing and the hashes they map to.
@@ -127,6 +128,44 @@ def test_scitokens_issuer_sections(self, client: flask.Flask):
  print(f"Generated origin scitokens.conf text:\n{origin_scitokens_conf}\n", file=sys.stderr)
  raise
 
+ def test_scitokens_issuer_public_read_auth_write_namespaces_info(self, client: flask.Flask):
+ test_global_data = get_test_global_data(global_data)
+
+ namespaces_json = stashcache.get_namespaces_info(test_global_data)
+ namespaces = namespaces_json["namespaces"]
+ testvo_PUBLIC_namespace_list = [
+ ns for ns in namespaces if ns.get("path") == "/testvo/PUBLIC"
+ ]
+ assert testvo_PUBLIC_namespace_list, "/testvo/PUBLIC namespace not found"
+ ns = testvo_PUBLIC_namespace_list[0]
+ assert ns["usetokenonread"] is False, \
+ "usetokenonread is wrong for public namespace"
+ assert ns["readhttps"] is False, \
+ "readhttps is wrong for public namespace"
+ assert ns["writebackhost"] == f"https://{TEST_SC_ORIGIN}:1095", \
+ "writebackhost is wrong for namespace with auth write"
+
+ def test_scitokens_issuer_public_read_auth_write_scitokens_conf(self, client: flask.Flask):
+ test_global_data = get_test_global_data(global_data)
+
+ origin_scitokens_conf = stashcache.generate_origin_scitokens(
+ test_global_data, TEST_SC_ORIGIN)
+ assert origin_scitokens_conf.strip(), "Generated scitokens.conf empty"
+
+ cp = ConfigParser()
+ cp.read_string(origin_scitokens_conf, "origin_scitokens.conf")
+ try:
+ assert "Global" in cp, "Missing Global section"
+ assert "Issuer https://test.wisc.edu" in cp, \
+ "Expected issuer missing"
+ assert "base_path" in cp["Issuer https://test.wisc.edu"], \
+ "'Issuer https://test.wisc.edu' section missing expected attribute"
+ assert cp["Issuer https://test.wisc.edu"]["base_path"] == "/testvo", \
+ "'Issuer https://test.wisc.edu' section has wrong base path"
+ except AssertionError:
+ print(f"Generated origin scitokens.conf text:\n{origin_scitokens_conf}\n", file=sys.stderr)
+ raise
+
  def test_None_fdqn_isnt_error(self, client: flask.Flask):
  stashcache.generate_cache_authfile(global_data, None)
 

diff --git a/src/webapp/data_federation.py b/src/webapp/data_federation.py
@@ -196,7 +196,7 @@ def __init__(
  self.credential_generation = credential_generation
 
  def is_public(self) -> bool:
- return self.authz_list and self.authz_list[0].is_public
+ return any(x for x in self.authz_list if x.is_public)
 
 
 def _parse_authz_scitokens(attributes: Dict, authz: Dict) -> Tuple[AuthMethod, Optional[str]]:
@@ -392,8 +392,5 @@ def parse_authz_list(self, path: str, unparsed_authz_list: List[Union[str, Dict]
  if err:
  self.errors.add(f"Namespace {path}: {err}")
  continue
- if parsed_authz.is_public:
- return [parsed_authz]
- else:
- authz_list.append(parsed_authz)
+ authz_list.append(parsed_authz)
  return authz_list