Add auth_fief plugin, register auth via entry point

Author: davidbrochart

README.md

@@ -94,7 +94,7 @@ You can currently authenticate as an anonymous user, or
 ## With collaborative editing
 
 ```bash
-jupyverse --open-browser --auth.collaborative
+jupyverse --open-browser --lab.collaborative
 ```
 
 This is especially interesting if you are "user-authenticated", since your will appear as the

binder/jupyter_notebook_config.py

@@ -3,7 +3,7 @@
         "jupyverse",
         "--no-open-browser",
         "--auth.mode=noauth",
-        "--auth.collaborative",
+        "--lab.collaborative",
         "--RetroLab.enabled=false",
         "--Lab.base_url={base_url}jupyverse-jlab/",
         "--port={port}",
@@ -17,7 +17,7 @@
         "jupyverse",
         "--no-open-browser",
         "--auth.mode=noauth",
-        "--auth.collaborative",
+        "--lab.collaborative",
         "--JupyterLab.enabled=false",
         "--Lab.base_url={base_url}jupyverse-rlab/",
         "--port={port}",

jupyverse/__init__.py

@@ -1 +1,9 @@
+import pkg_resources
+
 __version__ = "0.0.35"
+
+auth = {ep.name: ep.load() for ep in pkg_resources.iter_entry_points(group="jupyverse_auth")}
+User = auth["User"]
+current_user = auth["current_user"]
+update_user = auth["update_user"]
+websocket_auth = auth["websocket_auth"]

plugins/auth/fps_auth/backends.py

@@ -1,5 +1,5 @@
 import uuid
-from typing import Generic, Optional
+from typing import Any, Dict, Generic, List, Optional
 
 import httpx
 from fastapi import Depends, HTTPException, Response, WebSocket, status
@@ -19,12 +19,13 @@
 from fastapi_users.db import SQLAlchemyUserDatabase
 from fps.exceptions import RedirectException  # type: ignore
 from fps.logging import get_configured_logger  # type: ignore
+from fps_lab.config import get_lab_config
 from httpx_oauth.clients.github import GitHubOAuth2  # type: ignore
 from starlette.requests import Request
 
 from .config import get_auth_config
 from .db import User, get_user_db, secret
-from .models import UserCreate
+from .models import UserCreate, UserRead
 
 logger = get_configured_logger("auth")
 
@@ -106,8 +107,10 @@ async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db
     yield UserManager(user_db)
 
 
-async def get_enabled_backends(auth_config=Depends(get_auth_config)):
-    if auth_config.mode == "noauth" and not auth_config.collaborative:
+async def get_enabled_backends(
+    auth_config=Depends(get_auth_config), lab_config=Depends(get_lab_config)
+):
+    if auth_config.mode == "noauth" and not lab_config.collaborative:
         return [noauth_authentication, github_cookie_authentication]
     else:
         return [cookie_authentication, github_cookie_authentication]
@@ -131,35 +134,33 @@ async def create_guest(user_manager, auth_config):
         password="",
         workspace=global_user.workspace,
         settings=global_user.settings,
+        permissions={},
     )
     return await user_manager.create(UserCreate(**guest))
 
 
-def current_user(resource: Optional[str] = None):
+def current_user(permissions: Optional[Dict[str, List[str]]] = None):
     async def _(
-        request: Request,
         response: Response,
         token: Optional[str] = None,
         user: Optional[User] = Depends(
             fapi_users.current_user(optional=True, get_enabled_backends=get_enabled_backends)
         ),
         user_manager: UserManager = Depends(get_user_manager),
         auth_config=Depends(get_auth_config),
+        lab_config=Depends(get_lab_config),
     ):
         if auth_config.mode == "user":
             # "user" authentication: check authorization
-            if user and resource:
-                # check if allowed to access the resource
-                permissions = user.permissions.get(resource, [])
-                if request.method in ("GET", "HEAD"):
-                    if "read" not in permissions:
-                        user = None
-                elif request.method in ("POST", "PUT", "PATCH", "DELETE"):
-                    if "write" not in permissions:
+            if user and permissions:
+                for resource, actions in permissions.items():
+                    user_actions_for_resource = user.permissions.get(resource, [])
+                    if not all([a in user_actions_for_resource for a in actions]):
                         user = None
+                        break
         else:
             # "noauth" or "token" authentication
-            if auth_config.collaborative:
+            if lab_config.collaborative:
                 if not user and auth_config.mode == "noauth":
                     user = await create_guest(user_manager, auth_config)
                     await cookie_authentication.login(get_jwt_strategy(), user, response)
@@ -188,7 +189,7 @@ async def _(
     return _
 
 
-def websocket_for_current_user(resource: str):
+def websocket_auth(permissions: Optional[Dict[str, List[str]]] = None):
     async def _(
         websocket: WebSocket,
         auth_config=Depends(get_auth_config),
@@ -202,8 +203,15 @@ async def _(
             user = await get_jwt_strategy().read_token(token, user_manager)
             if user:
                 if auth_config.mode == "user":
-                    if "execute" in user.permissions.get(resource, []):
+                    # "user" authentication: check authorization
+                    if permissions is None:
                         accept_websocket = True
+                    else:
+                        for resource, actions in permissions.items():
+                            user_actions_for_resource = user.permissions.get(resource, [])
+                            if any([a in user_actions_for_resource for a in actions]):
+                                accept_websocket = True
+                                break
                 else:
                     accept_websocket = True
         if accept_websocket:
@@ -213,3 +221,13 @@ async def _(
             return None
 
     return _
+
+
+async def update_user(
+    user: UserRead = Depends(current_user()), user_db: SQLAlchemyUserDatabase = Depends(get_user_db)
+):
+    async def _(data: Dict[str, Any]) -> UserRead:
+        await user_db.update(user, data)
+        return user
+
+    return _

plugins/auth/fps_auth/config.py

@@ -13,7 +13,6 @@ class AuthConfig(PluginModel, BaseSettings):
     # mode: Literal["noauth", "token", "user"] = "token"
     mode: str = "token"
     token: str = str(uuid4())
-    collaborative: bool = False
     global_email: str = "guest@jupyter.com"
     cookie_secure: bool = False  # FIXME: should default to True, and set to False for tests
     clear_users: bool = False

plugins/auth/setup.cfg

@@ -21,6 +21,7 @@ python_requires = >=3.7
 
 install_requires =
   fps >=0.0.8
+  fps-lab
   aiosqlite
   fastapi-users[sqlalchemy,oauth] >=10.1.4,<11
 
@@ -29,3 +30,8 @@ fps_router =
     fps-auth = fps_auth.routes
 fps_config =
     fps-auth = fps_auth.config
+jupyverse_auth =
+    User = fps_auth.models:UserRead
+    current_user = fps_auth.backends:current_user
+    update_user = fps_auth.backends:update_user
+    websocket_auth = fps_auth.backends:websocket_auth

plugins/auth_fief/fps_auth_fief/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.0.35"

plugins/auth_fief/fps_auth_fief/config.py

@@ -0,0 +1,21 @@
+from fps.config import PluginModel, get_config
+from fps.hooks import register_config
+from pydantic import BaseSettings, SecretStr
+
+
+class AuthFiefConfig(PluginModel, BaseSettings):
+    base_url: str  # Base URL of Fief tenant
+    client_id: str  # ID of Fief client
+    client_secret: SecretStr  # Secret of Fief client
+
+    class Config(PluginModel.Config):
+        env_prefix = "fps_auth_fief_"
+        # config can be set with environment variables, e.g.:
+        # export FPS_AUTH_FIEF_BASE_URL=https://jupyverse.fief.dev
+
+
+def get_auth_fief_config():
+    return get_config(AuthFiefConfig)
+
+
+c = register_config(AuthFiefConfig)

plugins/auth_fief/fps_auth_fief/routes.py

@@ -0,0 +1,108 @@
+from typing import Any, Dict, List, Optional
+
+from fastapi import (
+    APIRouter,
+    Depends,
+    HTTPException,
+    Query,
+    Request,
+    Response,
+    WebSocket,
+    status,
+)
+from fastapi.responses import RedirectResponse
+from fastapi.security import APIKeyCookie
+from fief_client import FiefAccessTokenInfo, FiefAsync, FiefUserInfo
+from fief_client.integrations.fastapi import FiefAuth
+from fps.hooks import register_router
+from pydantic import BaseModel
+
+from .config import get_auth_fief_config
+
+
+class CustomFiefAuth(FiefAuth):
+    client: FiefAsync
+
+    async def get_unauthorized_response(self, request: Request, response: Response):
+        redirect_uri = request.url_for("auth_callback")
+        auth_url = await self.client.auth_url(redirect_uri, scope=["openid"])
+        raise HTTPException(
+            status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+            headers={"Location": auth_url},
+        )
+
+
+auth_fief_config = get_auth_fief_config()
+
+fief = FiefAsync(
+    auth_fief_config.base_url,
+    auth_fief_config.client_id,
+    auth_fief_config.client_secret.get_secret_value(),
+)
+
+SESSION_COOKIE_NAME = "user_session"
+scheme = APIKeyCookie(name=SESSION_COOKIE_NAME, auto_error=False)
+auth = CustomFiefAuth(fief, scheme)
+
+
+router = APIRouter()
+
+
+@router.get("/auth-callback", name="auth_callback")
+async def auth_callback(request: Request, response: Response, code: str = Query(...)):
+    redirect_uri = request.url_for("auth_callback")
+    tokens, _ = await fief.auth_callback(code, redirect_uri)
+
+    response = RedirectResponse(request.url_for("root"))
+    response.set_cookie(
+        SESSION_COOKIE_NAME,
+        tokens["access_token"],
+        max_age=tokens["expires_in"],
+        httponly=True,
+        secure=False,
+    )
+
+    return response
+
+
+async def update_user(
+    user: FiefUserInfo = Depends(auth.current_user()),
+    access_token_info: FiefAccessTokenInfo = Depends(auth.authenticated()),
+):
+    async def _(data: Dict[str, Any]) -> FiefUserInfo:
+        user = await fief.update_profile(access_token_info["access_token"], {"fields": data})
+        print(f"{user=}")
+        return user
+
+    return _
+
+
+def websocket_auth(permissions: Optional[Dict[str, List[str]]] = None):
+    async def _(
+        websocket: WebSocket,
+    ) -> Optional[WebSocket]:
+        return websocket
+
+    return _
+
+
+r = register_router(router)
+
+
+class UserRead(BaseModel):
+    workspace: str = "{}"
+    settings: str = "{}"
+
+
+def current_user(permissions=None):
+    if permissions is not None:
+        permissions = [
+            f"{resource}:{action}"
+            for resource, actions in permissions.items()
+            for action in actions
+        ]
+
+    async def _(user: FiefUserInfo = Depends(auth.current_user(permissions=permissions))):
+        return UserRead(**user["fields"])
+
+    return _

plugins/auth_fief/setup.cfg

@@ -0,0 +1,35 @@
+[metadata]
+name = fps_auth_fief
+version = attr: fps_auth_fief.__version__
+description = An FPS plugin for the authentication API, using Fief
+long_description = file: README.md
+long_description_content_type = text/markdown
+license = BSD 3-Clause License
+author = Jupyter Development Team
+author_email = jupyter@googlegroups.com
+url = https://jupyter.org
+platforms = Windows, Linux, Mac OS X
+keywords = jupyter, server, fastapi, pluggy, plugins
+
+[bdist_wheel]
+universal = 1
+
+[options]
+include_package_data = True
+packages = find:
+python_requires = >=3.7
+
+install_requires =
+  fps >=0.0.8
+  fief-client[fastapi]
+
+[options.entry_points]
+fps_config =
+    fps-auth-fief = fps_auth_fief.config
+fps_router =
+    fps-auth-fief = fps_auth_fief.routes
+jupyverse_auth =
+    User = fps_auth_fief.routes:UserRead
+    current_user = fps_auth_fief.routes:current_user
+    update_user = fps_auth_fief.routes:update_user
+    websocket_auth = fps_auth_fief.routes:websocket_auth