Add DISABLE_USER_MGMT config value to allow opt-out of ServiceX user management system

AndrewEckart · AndrewEckart · commit c877a8b30ea4 · 2021-05-04T10:48:33.000-05:00
diff --git a/README.rst b/README.rst
@@ -15,11 +15,16 @@ services:
 
 User Management
 ---------------
-If ``ENABLE_AUTH`` is set to True, an identity management system will be
-enabled. Users will need to create accounts in order to make requests.
+If ``ENABLE_AUTH`` is set to True and `DISABLE_USER_MGMT` is False,
+an identity management system will be enabled.
+Users will need to create accounts in order to make requests.
 The system consists of two components: authentication (verification of each
 user's identity) and authorization (control of access to API resources).
 
+If ``ENABLE_AUTH`` and ``DISABLE_USER_MGMT`` are both set to True, then you
+will need to generate your own JWT refresh tokens externally using
+``JWT_SECRET_KEY``, and provide them to end users.
+
 Authentication
 **************
 Authentication is currently implemented via `Globus <https://www.globus.org/>`_,
diff --git a/app.conf.template b/app.conf.template
@@ -10,6 +10,11 @@ DOCS_BASE_URL = 'https://servicex.readthedocs.io/en/latest/'
 # Enable JWT auth on public endpoints
 ENABLE_AUTH=False
 
+# Disable built-in ServiceX user management system (OAuth via Globus)
+# If set to True while ENABLE_AUTH is also True, then you must generate your
+# own JWT refresh tokens with identity claims using the JWT_SECRET_KEY
+DISABLE_USER_MGMT = False
+
 # Globus configuration - obtained at https://auth.globus.org/v2/web/developers
 GLOBUS_CLIENT_ID='globus-client-id'
 GLOBUS_CLIENT_SECRET='globus-client-secret'
diff --git a/servicex/resources/servicex_resource.py b/servicex/resources/servicex_resource.py
@@ -43,14 +43,15 @@ def _generate_advertised_endpoint(cls, endpoint):
     @staticmethod
     def get_requesting_user() -> Optional[UserModel]:
         """
-        :return: User who submitted request for resource.
-        If auth is enabled, this cannot be None for JWT-protected resources
-        which are decorated with @auth_required or @admin_required.
+        :return: ServiceX user who submitted request for resource.
+        Returns None if auth or user management is disabled.
         """
-        user = None
-        if current_app.config.get('ENABLE_AUTH'):
-            user = UserModel.find_by_sub(get_jwt_identity())
-        return user
+        config = current_app.config
+        if not config.get('ENABLE_AUTH') or config.get('DISABLE_USER_MGMT'):
+            return None
+        sub = get_jwt_identity()
+        if sub is not None:
+            return UserModel.find_by_sub(sub)
 
     @classmethod
     def _get_app_version(cls):
diff --git a/servicex/resources/users/token_refresh.py b/servicex/resources/users/token_refresh.py
@@ -26,6 +26,7 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+from flask import current_app
 from flask_restful import Resource
 from flask_jwt_extended import (create_access_token, get_raw_jwt, decode_token,
                                 jwt_refresh_token_required, get_jwt_identity)
@@ -35,11 +36,12 @@
 class TokenRefresh(Resource):
     @jwt_refresh_token_required
     def post(self):
-        user = UserModel.find_by_sub(get_jwt_identity())
-        claims = get_raw_jwt()
-        decoded = decode_token(user.refresh_token)
-        if not claims['jti'] == decoded['jti']:
-            return {'message': 'Invalid or outdated refresh token'}, 401
+        if not current_app.config.get('DISABLE_USER_MGMT'):
+            user = UserModel.find_by_sub(get_jwt_identity())
+            claims = get_raw_jwt()
+            decoded = decode_token(user.refresh_token)
+            if not claims['jti'] == decoded['jti']:
+                return {'message': 'Invalid or outdated refresh token'}, 401
         current_user = get_jwt_identity()
         access_token = create_access_token(identity=current_user)
         return {'access_token': access_token}
diff --git a/servicex/templates/base.html b/servicex/templates/base.html
@@ -39,7 +39,7 @@
         {% endif %}
         </div>
         <!-- Navbar Right Side -->
-        {% if config['ENABLE_AUTH'] %}
+        {% if config['ENABLE_AUTH'] and not config['DISABLE_USER_MGMT'] %}
           <div class="navbar-nav">
           {% if not session['is_authenticated'] %}
             <a href="{{ url_for('sign_in') }}" class="nav-item nav-link">Sign In</a>
diff --git a/tests/resource_test_base.py b/tests/resource_test_base.py
@@ -145,7 +145,10 @@ def mock_requesting_user(self, mocker):
         mock_user.admin = False
         mock_user.pending = False
         mocker.patch(
-            'servicex.resources.servicex_resource.UserModel.find_by_sub',
+            'servicex.decorators.UserModel.find_by_sub', return_value=mock_user
+        )
+        mocker.patch(
+            'servicex.resources.servicex_resource.ServiceXResource.get_requesting_user',
             return_value=mock_user)
         return mock_user
 
