Shortcut EDL bearer token authentication of token is a JWT

asfadmin · Jan 10, 2025 · b7394ce · b7394ce
1 parent c4e4285
commit b7394ce
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 5 deletions.
diff --git a/requirements/requirements.in b/requirements/requirements.in
@@ -2,5 +2,6 @@
 cachetools
 cfnresponse
 chalice
-git+https://github.com/asfadmin/rain-api-core.git@1be67560f7c41b50afbd2ca20473ffbdc7efae68
+git+https://github.com/asfadmin/rain-api-core.git@8d241610b50299198aa0cc210852259fef9e482b
 netaddr
+pyjwt
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
@@ -41,14 +41,16 @@ netaddr==1.3.0
 pycparser==2.22
     # via cffi
 pyjwt[crypto]==2.10.1
-    # via rain-api-core
+    # via
+    #   -r requirements/requirements.in
+    #   rain-api-core
 python-dateutil==2.9.0.post0
     # via botocore
 pyyaml==6.0.2
     # via
     #   chalice
     #   rain-api-core
-rain-api-core @ git+https://github.com/asfadmin/rain-api-core.git@1be67560f7c41b50afbd2ca20473ffbdc7efae68
+rain-api-core @ git+https://github.com/asfadmin/rain-api-core.git@8d241610b50299198aa0cc210852259fef9e482b
     # via -r requirements/requirements.in
 readchar==4.2.1
     # via inquirer

diff --git a/thin_egress_app/app.py b/thin_egress_app/app.py
@@ -11,6 +11,7 @@
 import boto3
 import cachetools
 import chalice
+import jwt
 from botocore.config import Config as bc_Config
 from botocore.exceptions import ClientError
 from cachetools.func import ttl_cache
@@ -47,6 +48,7 @@ def inject(obj):
 from rain_api_core.urs_util import (
     do_login,
     get_new_token_and_profile,
+    get_profile,
     get_urs_creds,
     get_urs_url,
     user_in_group,
@@ -209,12 +211,18 @@ def get_profile(self) -> Optional[UserProfile]:
     )
     def _get_profile_and_response_from_bearer(self, token):
         """
-        Will handle the output from get_user_from_token in context of a chalice function. If user_id is determined,
-        returns it. If user_id is not determined returns data to be returned
+        Will handle the output from get_user_from_token in context of a chalice
+        function. If user_id is determined, returns it. If user_id is not
+        determined returns data to be returned.
 
         :param token:
         :return: action, data
         """
+        profile = get_profile_with_jwt_bearer(token)
+        if profile is not None:
+            log.debug("Shortcut profile fetching by using the users bearer token directly")
+            return profile
+
         user_profile = None
         response = None
         try:
@@ -298,6 +306,32 @@ def check_for_browser(hdrs):
     return "user-agent" in hdrs and hdrs["user-agent"].lower().startswith("mozilla")
 
 
+@with_trace()
+def get_profile_with_jwt_bearer(token):
+    try:
+        # TODO(reweeden): We could verify with the EDL pub key here to
+        # potentially save an extra call to EDL on expired or invalid tokens.
+
+        # We don't need to verify the signature as EDL will do this for us
+        # anyway in the call to `get_profile`.
+        claims = jwt.decode(token, options={"verify_signature": False})
+    except jwt.DecodeError as e:
+        log.error("Unable to verify jwt bearer token: %s", e)
+        return None
+
+    user_id = claims.get("uid")
+
+    if user_id is None:
+        return None
+
+    log_context(user_id=user_id)
+    aux_headers = get_aux_request_headers()
+    params = {
+        "client_id": get_urs_creds()["UrsId"],
+    }
+    return get_profile(user_id, "fake-token", token, aux_headers, params)
+
+
 @with_trace()
 def get_user_from_token(token):
     """