Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make anitya use authlib instead of social_auth #1220

Merged
merged 7 commits into from
Dec 3, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions Containerfile.dev
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,4 @@ RUN pushd anitya/static && npm install && popd
RUN poetry build
RUN pip install dist/*.whl

# Hotfix for social_auth-sqlalchemy
# Should be removed when we switch to something else
RUN sed -i 's/base64.encodestring/base64.encodebytes/g' /usr/local/lib/python3.12/site-packages/social_sqlalchemy/storage.py

CMD ["sh","-c", "poetry build && pip install dist/*.whl && eval '$START_COMMAND'"]
8 changes: 0 additions & 8 deletions anitya/admin.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@

import flask
from dateutil import parser
from social_flask_sqlalchemy import models as social_models
from sqlalchemy.orm.exc import NoResultFound

import anitya
Expand Down Expand Up @@ -678,13 +677,6 @@ def delete_user(user_id):

if form.validate_on_submit():
if confirm:
social_auth_records = (
Session.query(social_models.UserSocialAuth)
.filter_by(user_id=user_id)
.all()
)
for record in social_auth_records:
Session.delete(record)
Session.delete(user)
Session.commit()
flask.flash(f"User {user_name} has been removed", "success")
Expand Down
107 changes: 10 additions & 97 deletions anitya/app.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,18 @@
import logging.handlers

import flask
from flask_login import LoginManager, current_user, user_logged_in
from social_core.backends.utils import load_backends
from social_core.exceptions import AuthException
from social_flask.routes import social_auth
from social_flask_sqlalchemy import models as social_models
from authlib.integrations.flask_client import OAuth
from flask_login import LoginManager, current_user
from sqlalchemy.exc import IntegrityError
from sqlalchemy.orm.exc import NoResultFound

import anitya.lib
import anitya.mail_logging
from anitya import __version__
from anitya import __version__, admin, api, api_v2, auth, authentication, ui
from anitya.config import config as anitya_config
from anitya.db import Session
from anitya.db import initialize as initialize_db
from anitya.db import models
from anitya.lib import utilities

from . import admin, api, api_v2, authentication, ui


def create(config=None):
"""
Expand All @@ -54,19 +47,6 @@ def create(config=None):
app.config.update(config)
initialize_db(config)

app.register_blueprint(social_auth)
if len(social_models.UserSocialAuth.__table_args__) == 0:
# This is a bit of a hack - this initialization call sets up the SQLAlchemy
# models with our own models and multiple calls to this function will cause
# SQLAlchemy to fail with sqlalchemy.exc.InvalidRequestError. Only calling it
# when there are no table arguments should ensure we only call it one time.
#
# Be aware that altering the configuration values this function uses, namely
# the SOCIAL_AUTH_USER_MODEL, after the first time ``create`` has been called
# will *not* cause the new configuration to be used for subsequent calls to
# ``create``.
social_models.init_social(app, Session)

login_manager = LoginManager()
login_manager.user_loader(authentication.load_user_from_session)
login_manager.request_loader(authentication.load_user_from_request)
Expand All @@ -91,16 +71,18 @@ def create(config=None):
app.register_blueprint(ui.ui_blueprint)
app.register_blueprint(api.api_blueprint)

oauth = OAuth(app)
for auth_backend in app.config.get("AUTHLIB_ENABLED_BACKENDS", []):
oauth.register(auth_backend.lower())

app.register_blueprint(auth.create_auth_blueprint(oauth))

app.before_request(global_user)
app.teardown_request(shutdown_session)
app.register_error_handler(IntegrityError, integrity_error_handler)
app.register_error_handler(AuthException, auth_error_handler)

app.context_processor(inject_variable)

# subscribe to signals
user_logged_in.connect(when_user_log_in, app)

if app.config.get("EMAIL_ERRORS"):
# If email logging is configured, set up the anitya logger with an email
# handler for any ERROR-level logs.
Expand Down Expand Up @@ -141,9 +123,7 @@ def inject_variable():
justedit=justedit,
cron_status=cron_status,
user=current_user,
available_backends=load_backends(
anitya_config["SOCIAL_AUTH_AUTHENTICATION_BACKENDS"]
),
available_backends=anitya_config["AUTHLIB_ENABLED_BACKENDS"],
)


Expand All @@ -157,71 +137,4 @@ def integrity_error_handler(error):
Returns:
tuple: A tuple of (message, HTTP error code).
"""
# Because social auth provides the route and raises the exception, this is
# the simplest way to turn the error into a nicely formatted error message
# for the user.
if "email" in error.params:
Session.rollback()
other_user = models.User.query.filter_by(email=error.params["email"]).one()
try:
social_auth_user = other_user.social_auth.filter_by(
user_id=other_user.id
).one()
msg = (
"Error: There's already an account associated with your email, "
f"authenticate with {social_auth_user.provider}."
)
return msg, 400
# This error happens only if there is account without provider info
except NoResultFound:
Session.delete(other_user)
Session.commit()
msg = (
"Error: There was already an existing account with missing provider. "
"So we removed it. "
"Please try to log in again."
)
return msg, 500

return "The server encountered an unexpected error", 500


def auth_error_handler(error):
"""
Flask error handler for unhandled AuthException errors.

Args:
error (AuthException): The exception to be handled.

Returns:
tuple: A tuple of (message, HTTP error code).
"""
# Because social auth openId backend provides route and raises the exceptions,
# this is the simplest way to turn error into nicely formatted error message.
msg = (
f"Error: There was an error during authentication '{error}', "
"please check the provided url."
)
return msg, 400


def when_user_log_in(sender, user):
"""
This catches the signal when user is logged in.
It checks if the user has associated entry in user_social_auth.

Args:
sender (flask.Flask): Current app object that emitted signal.
Not used by this method.
user (models.User): User that is logging in.

Raises:
sqlalchemy.exc.IntegrityError: When user_social_auth table entry is
missing.
"""
if user.social_auth.count() == 0:
raise IntegrityError(
"Missing social_auth table",
{"social_auth": None, "email": user.email},
None,
)
64 changes: 64 additions & 0 deletions anitya/auth.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
"""
This module handles the authentication using authlib.

It provides login route as well as callback for OAuth2 calls.
"""

import flask
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file deserves some comments. :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw that the social_auth stuff was registered as flask blueprint in the app.py, so I was trying to make it similar.
The rest is from authlib examples. The def oauthlogin is usually named login in the authlib documentation. I renamed it because there already is login function in ui.py.
Then I created the tokens in github and google for the anitya app and since both parties send a different user_info, so it is processed differently.
I will add docstrings and comments.

import flask_login

from anitya.db import Session, User


def create_auth_blueprint(oauth):
"""
Create authentication blueprint.
"""
auth_blueprint = flask.Blueprint(
"anitya_auth", __name__, static_folder="static", template_folder="templates"
)

@auth_blueprint.route("/login/<name>")
def login(name):
"""
Login function for OAuth backends.

Params:
name: Name of the authentication backend to login with
"""
client = oauth.create_client(name)
if client is None:
flask.abort(404)
redirect_uri = flask.url_for(".auth", name=name, _external=True)
return client.authorize_redirect(redirect_uri)

@auth_blueprint.route("/auth/<name>")
def auth(name): # pragma: no cover
"""
Callback function for OAuth backends.

Params:
name: Name of the authentication backend to login with
"""
client = oauth.create_client(name)
if client is None:
flask.abort(404)
token = client.authorize_access_token()
user_info = token.get("userinfo")
if not user_info:
user_info = client.userinfo()

# Check if the user exists
user = User.query.filter(User.email == user_info["email"]).first()
if not user:
new_user = User(email=user_info["email"], username=user_info["email"])
Session.add(new_user)
Session.commit()
user = new_user
flask_login.login_user(user)

if flask.session["next_url"]:
return flask.redirect(flask.session["next_url"])
return flask.redirect("/")

return auth_blueprint
5 changes: 2 additions & 3 deletions anitya/authentication.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,12 @@
Anitya uses `Flask-Login`_ for user session management. It handles logging in,
logging out, and remembering users’ sessions over extended periods of time.

In addition, Anitya uses `Python Social Auth`_ to authenticate users from various
In addition, Anitya uses `Authlib`_ to authenticate users from various
third-party identity providers. It handles logging the user in and creating
:class:`anitya.db.models.User` objects as necessary.

.. _Flask-Login: https://flask-login.readthedocs.io/en/latest/
.. _Python Social Auth:
https://python-social-auth.readthedocs.io/en/latest/
.. _Authlib: https://docs.authlib.org/en/latest/
"""
import logging
import uuid
Expand Down
36 changes: 22 additions & 14 deletions anitya/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -65,20 +65,6 @@
EMAIL_ERRORS=False,
BLACKLISTED_USERS=[],
SESSION_PROTECTION="strong",
SOCIAL_AUTH_AUTHENTICATION_BACKENDS=(
"social_core.backends.fedora.FedoraOpenId",
"social_core.backends.gitlab.GitLabOAuth2",
"social_core.backends.github.GithubOAuth2",
"social_core.backends.google.GoogleOAuth2",
"social_core.backends.open_id.OpenIdAuth",
),
SOCIAL_AUTH_STORAGE="social_flask_sqlalchemy.models.FlaskStorage",
SOCIAL_AUTH_USER_MODEL="anitya.db.models.User",
# Force the application to require HTTPS on authentication redirects.
SOCIAL_AUTH_REDIRECT_IS_HTTPS=True,
SOCIAL_AUTH_LOGIN_URL="/login/",
SOCIAL_AUTH_LOGIN_REDIRECT_URL="/",
SOCIAL_AUTH_LOGIN_ERROR_URL="/login-error/",
DEFAULT_REGEX=r"(?i)%(name)s(?:[-_]?(?:minsrc|src|source))?[-_]([^-/_\s]+?(?:[-_]"
r"(?:rc|devel|dev|alpha|beta)\d+)?)(?:[-_](?:minsrc|src|source|asc|release))?"
r"\.(?:tar|t[bglx]z|tbz2|zip)",
Expand All @@ -90,6 +76,28 @@
# project will be automatically removed, if no version was retrieved yet
CHECK_ERROR_THRESHOLD=100,
DISTRO_MAPPING_LINKS={},
# Enabled authentication backends
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be also done in the example config and config for vagrant and container setup.

AUTHLIB_ENABLED_BACKENDS=["Fedora", "GitHub", "Google"],
# Github oauth backend variables
GITHUB_CLIENT_ID="",
GITHUB_CLIENT_SECRET="",
GITHUB_ACCESS_TOKEN_URL="https://github.com/login/oauth/access_token",
GITHUB_AUTHORIZE_URL="https://github.com/login/oauth/authorize",
GITHUB_API_BASE_URL="https://api.github.com/",
GITHUB_CLIENT_KWARGS={"scope": "user:email"},
# Fedora oauth backend variables
FEDORA_CLIENT_ID="",
FEDORA_CLIENT_SECRET="",
FEDORA_CLIENT_KWARGS={
"scope": "email",
"token_endpoint_auth_method": "client_secret_post",
},
FEDORA_SERVER_METADATA_URL="https://id.fedoraproject.org/.well-known/openid-configuration",
# Google oauth backend variables
GOOGLE_CLIENT_ID="",
GOOGLE_CLIENT_SECRET="",
GOOGLE_CLIENT_KWARGS={"scope": "email"},
GOOGLE_SERVER_METADATA_URL="https://accounts.google.com/.well-known/openid-configuration",
)

# Start with a basic logging configuration, which will be replaced by any user-
Expand Down
Loading
Loading