otter-service-stdalone 0.1.21__tar.gz → 0.1.23__tar.gz

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: otter_service_stdalone
-Version: 0.1.21
+Version: 0.1.23
 Summary: Grading Service for Instructors using Otter Grader
 Home-page: https://github.com/sean-morris/otter-service-stdalone
 Author: Sean Morris

otter_service_stdalone-0.1.23/src/otter_service_stdalone/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.23"

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/src/otter_service_stdalone/app.py

@@ -14,7 +14,7 @@ __UPLOADS__ = "/tmp/uploads"
 log_debug = f'{os.environ.get("ENVIRONMENT")}-debug'
 log_error = f'{os.environ.get("ENVIRONMENT")}-logs'
 
-state = str(uuid.uuid4())  # used to protect against cross-site request forgery attacks.
+authorization_states = {}  # used to protect against cross-site request forgery attacks.
 
 
 class HealthHandler(tornado.web.RequestHandler):
@@ -34,6 +34,8 @@ class LoginHandler(tornado.web.RequestHandler):
         tornado (tornado.web.RequestHandler): The request handler
     """
     async def get(self):
+        state = str(uuid.uuid4())
+        authorization_states[state] = True
         await u_auth.handle_authorization(self, state)
 
 
@@ -49,12 +51,13 @@ class BaseHandler(tornado.web.RequestHandler):
 
     def write_error(self, status_code, **kwargs):
         log.write_logs("Http Error", f"{status_code} Error", "", "info", log_error)
+        self.clear_cookie("user")
         if status_code == 403:
             self.set_status(403)
-            self.render("static_templates/403.html")
+            self.render("static_templates/403.html", support=f'{os.environ.get("SUPPORT_EMAIL")}')
         else:
             self.set_status(500)
-            self.render("static_templates/500.html")
+            self.render("static_templates/500.html", support=f'{os.environ.get("SUPPORT_EMAIL")}')
 
 
 class GitHubOAuthHandler(BaseHandler):
@@ -66,18 +69,29 @@ class GitHubOAuthHandler(BaseHandler):
     async def get(self):
         code = self.get_argument('code', False)
         arg_state = self.get_argument('state', False)
-        access_token = await u_auth.get_acess_token(arg_state, state, code)
-        if access_token:
-            user = await u_auth.get_github_username(access_token)
-            is_org_member = await u_auth.handle_is_org_member(access_token, user)
-            if is_org_member:
-                self.set_secure_cookie("user", user, expires_days=7)
-                self.redirect("/")
-            else:
-                raise tornado.web.HTTPError(403)
-        else:
+        if arg_state not in authorization_states:
+            m = "UserAuth: GitHubOAuthHandler: Cross-Site Forgery possible - aborting"
+            log.write_logs("Auth Workflow", m, "", "info", log_error)
+            log.write_logs("Auth Workflow", m, "", "info", log_debug)
             raise tornado.web.HTTPError(500)
 
+        del authorization_states[arg_state]
+
+        access_token = await u_auth.get_acess_token(code)
+        if access_token is None:
+            raise tornado.web.HTTPError(403)
+
+        user = await u_auth.get_github_username(access_token)
+        if not user:
+            raise tornado.web.HTTPError(403)
+
+        is_org_member = await u_auth.handle_is_org_member(access_token, user)
+        if not is_org_member:
+            raise tornado.web.HTTPError(403)
+
+        self.set_secure_cookie("user", user, expires_days=7)
+        self.redirect("/")
+
 
 class MainHandler(BaseHandler):
     """This is the initial landing page for application

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/src/otter_service_stdalone/static_templates/403.html

@@ -12,9 +12,17 @@
                 <div class="container">
                     <h1 class="title">403 Forbidden</h1>
                     <p class="subtitle colored is-3">
-                        You do not have permission to access this resource or your authentication needs to be renewed. 
-                        Please <a style='color:#005b96' href="/login">login</a> to try again or 
-                        email sean.smorris@berkeley.edu for help.
+                        You do not have permission to access this resource or your authentication needs to be renewed.
+                        <br/>
+                        <br/>
+                        If you logged in with the incorrect GitHub username you will need to 
+                        <a target="_blank" style='color:#005b96' href="https://github.com/logout">logout</a> of GitHub first.
+                        <br/>
+                        <br/>
+                        After logging out of GitHub, you can return the application's <a style='color:#005b96' href="/login">login</a> to try again.
+                        <br/>
+                        <br/>
+                        If you need help, please email {{ support }}.
                     </p>
                 </div>
             </div>

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/src/otter_service_stdalone/static_templates/500.html

@@ -12,9 +12,17 @@
                 <div class="container">
                     <h1 class="title">500 Forbidden - Access Problem</h1>
                     <p class="subtitle colored is-3">
-                        We are unable to establish access for you.
-                        Please email: sean.smorris@berkeley.edu or try 
-                        <a style='color:#005b96' href="/login">logging</a> in again.
+                        We could not establish access to the application for you.
+                        <br/>
+                        <br/>
+                        If you logged in with the incorrect GitHub username you will need to 
+                        <a target="_blank" style='color:#005b96' href="https://github.com/logout">logout</a> of GitHub first.
+                        <br/>
+                        <br/>
+                        After logging out of GitHub, you can return the application's <a style='color:#005b96' href="/login">login</a> to try again.
+                        <br/>
+                        <br/>
+                        If you need help, please email {{ support }}.
                     </p>
                 </div>
             </div>

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/src/otter_service_stdalone/user_auth.py

@@ -6,7 +6,7 @@ import tornado
 import urllib.parse
 
 
-log_coll = f'{os.environ.get("ENVIRONMENT")}-debug'
+log_debug = f'{os.environ.get("ENVIRONMENT")}-debug'
 environment_name = os.environ.get("ENVIRONMENT").split("-")[-1]
 gh_key_path = os.path.join(os.path.dirname(__file__), f"secrets/gh_key.{environment_name}.yaml")
 github_id = access_sops_keys.get(None, "github_access_id", secrets_file=gh_key_path)
@@ -22,19 +22,15 @@ async def handle_authorization(form, state):
         - state (int): random uuid4 number generated to ensure communication between endpoints is
           not compromised
     """
-    log.write_logs("Auth Workflow", "UserAuth: Get: Authorizing", "", "info", log_coll)
+    log.write_logs("Auth Workflow", "UserAuth: Get: Authorizing", "", "info", log_debug)
     q_params = f"client_id={github_id}&state={state}&scope=read:org"
     form.redirect(f'https://github.com/login/oauth/authorize?{q_params}')
 
 
-async def get_acess_token(arg_state, state, code):
+async def get_acess_token(code):
     """requests and returns the access token or None
 
     Parameters:
-        - arg_state (int): the state argument being passed on the url string; this will be compared
-          to the state value generated in this file to ensure they are the same!
-        - state (int): random uuid4 number generated to ensure communication between endpoints is
-          not compromised
         - code (str): the code that is returned from the authorization request
 
     Returns:
@@ -48,7 +44,7 @@ async def get_acess_token(arg_state, state, code):
         'redirect_uri': f"{os.environ.get('GRADER_DNS')}/oauth_callback"
     }
     m = "UserAuth: GitHubOAuthHandler: Getting Access Token"
-    log.write_logs("Auth Workflow", m, "", "info", log_coll)
+    log.write_logs("Auth Workflow", m, "", "info", log_debug)
     response = await http_client.fetch(
         'https://github.com/login/oauth/access_token',
         method='POST',
@@ -56,14 +52,15 @@ async def get_acess_token(arg_state, state, code):
         body=urllib.parse.urlencode(params)
     )
     resp = json.loads(response.body.decode())
-    access_token = resp['access_token']
-    if arg_state != state:
-        access_token = None
-        m = "UserAuth: GitHubOAuthHandler: Cross-Site Forgery possible - aborting"
-        log.write_logs("Auth Workflow", m, "", "info", log_coll)
+    access_token = None
+    if "access_token" in resp:
+        access_token = resp["access_token"]
+    if access_token is None:
+        m = "UserAuth: GitHubOAuthHandler: Access Token NOT Granted - probably not member"
+        log.write_logs("Auth Workflow", m, "", "info", log_debug)
     else:
         m = "UserAuth: GitHubOAuthHandler: Access Token Granted"
-        log.write_logs("Auth Workflow", m, "", "info", log_coll)
+        log.write_logs("Auth Workflow", m, "", "info", log_debug)
     return access_token
 
 
@@ -78,18 +75,18 @@ async def handle_is_org_member(access_token, user):
     Returns:
         - boolean: True user is in the GH org, False otherwise
     """
-    log.write_logs("Auth Workflow", "UserAuth: Get: Check Membership", "", "info", log_coll)
-    if user:
-        org_name = os.environ.get("AUTH_ORG")
-        url = f'https://api.github.com/orgs/{org_name}/members/{user}'
-        headers = {
-            'Authorization': f'token {access_token}',
-            'Accept': 'application/vnd.github.v3+json',
-        }
-        response = requests.get(url, headers=headers)
-        return response.status_code == 204
-    else:
-        return False
+    log.write_logs("Auth Workflow", "UserAuth: Get: Check Membership", "", "info", log_debug)
+    org_name = os.environ.get("AUTH_ORG")
+    url = f'https://api.github.com/orgs/{org_name}/members/{user}'
+    headers = {
+        'Authorization': f'token {access_token}',
+        'Accept': 'application/vnd.github.v3+json',
+    }
+    response = requests.get(url, headers=headers)
+    is_member = response.status_code == 204
+    m = f"UserAuth: Get: Check Membership: {is_member}"
+    log.write_logs("Auth Workflow", m, "", "info", log_debug)
+    return is_member
 
 
 async def get_github_username(access_token):
@@ -103,18 +100,14 @@ async def get_github_username(access_token):
     - str: The username of the authenticated user, or None if not found.
     """
     url = 'https://api.github.com/user'
-    headers = {
-        'Authorization': f'token {access_token}',
-        'Accept': 'application/vnd.github.v3+json',
-    }
-
+    headers = {'Authorization': f'token {access_token}'}
     response = requests.get(url, headers=headers)
     if response.status_code == 200:
         m = "UserAuth: Get: UserName - Success"
-        log.write_logs("Auth Workflow", m, "", "info", log_coll)
+        log.write_logs("Auth Workflow", m, "", "info", log_debug)
         user_info = response.json()
         return user_info.get('login')
     else:
         m = f"UserAuth: Get: UserName - Fail:{response.status_code}"
-        log.write_logs("Auth Workflow", m, "", "info", log_coll)
+        log.write_logs("Auth Workflow", m, "", "info", log_debug)
         return None

{otter_service_stdalone-0.1.21 → otter_service_stdalone-0.1.23}/src/otter_service_stdalone.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: otter_service_stdalone
-Version: 0.1.21
+Version: 0.1.23
 Summary: Grading Service for Instructors using Otter Grader
 Home-page: https://github.com/sean-morris/otter-service-stdalone
 Author: Sean Morris

otter_service_stdalone-0.1.21/src/otter_service_stdalone/__init__.py

@@ -1 +0,0 @@
-__version__ = "0.1.21"