From 0c6ccca5fac44ab40671627fd3181e9b138672fa Mon Sep 17 00:00:00 2001
From: Fabian Mastenbroek <mail.fabianm@gmail.com>
Date: Fri, 14 May 2021 15:17:49 +0200
Subject: api: Migrate to Auth0 for API authorization

This change updates the OpenDC API to use Auth0 for API authorization.
This removes the hard dependency on Google for logging into OpenDC and
simplifies implementation as we do not have to store user information
anymore, other than the user identifier.
---
 .../opendc/api/v2/portfolios/portfolioId/endpoint.py              | 6 +++---
 .../opendc/api/v2/portfolios/portfolioId/scenarios/endpoint.py    | 4 ++--
 .../opendc/api/v2/prefabs/authorizations/endpoint.py              | 2 +-
 opendc-web/opendc-web-api/opendc/api/v2/prefabs/endpoint.py       | 2 +-
 .../opendc-web-api/opendc/api/v2/prefabs/prefabId/endpoint.py     | 6 +++---
 opendc-web/opendc-web-api/opendc/api/v2/projects/endpoint.py      | 2 +-
 .../opendc/api/v2/projects/projectId/authorizations/endpoint.py   | 2 +-
 .../opendc-web-api/opendc/api/v2/projects/projectId/endpoint.py   | 8 ++++----
 .../opendc/api/v2/projects/projectId/portfolios/endpoint.py       | 2 +-
 .../opendc/api/v2/projects/projectId/topologies/endpoint.py       | 2 +-
 .../opendc-web-api/opendc/api/v2/scenarios/scenarioId/endpoint.py | 6 +++---
 .../opendc/api/v2/topologies/topologyId/endpoint.py               | 6 +++---
 opendc-web/opendc-web-api/opendc/api/v2/users/endpoint.py         | 2 +-
 opendc-web/opendc-web-api/opendc/api/v2/users/userId/endpoint.py  | 4 ++--
 14 files changed, 27 insertions(+), 27 deletions(-)

(limited to 'opendc-web/opendc-web-api/opendc/api')

diff --git a/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/endpoint.py
index 0ba61a13..c856f4ce 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/endpoint.py
@@ -11,7 +11,7 @@ def GET(request):
     portfolio = Portfolio.from_id(request.params_path['portfolioId'])
 
     portfolio.check_exists()
-    portfolio.check_user_access(request.google_id, False)
+    portfolio.check_user_access(request.current_user['sub'], False)
 
     return Response(200, 'Successfully retrieved portfolio.', portfolio.obj)
 
@@ -30,7 +30,7 @@ def PUT(request):
     portfolio = Portfolio.from_id(request.params_path['portfolioId'])
 
     portfolio.check_exists()
-    portfolio.check_user_access(request.google_id, True)
+    portfolio.check_user_access(request.current_user['sub'], True)
 
     portfolio.set_property('name',
                            request.params_body['portfolio']['name'])
@@ -52,7 +52,7 @@ def DELETE(request):
     portfolio = Portfolio.from_id(request.params_path['portfolioId'])
 
     portfolio.check_exists()
-    portfolio.check_user_access(request.google_id, True)
+    portfolio.check_user_access(request.current_user['sub'], True)
 
     portfolio_id = portfolio.get_id()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/scenarios/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/scenarios/endpoint.py
index 2f042e06..b12afce3 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/scenarios/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/portfolios/portfolioId/scenarios/endpoint.py
@@ -29,13 +29,13 @@ def POST(request):
     portfolio = Portfolio.from_id(request.params_path['portfolioId'])
 
     portfolio.check_exists()
-    portfolio.check_user_access(request.google_id, True)
+    portfolio.check_user_access(request.current_user['sub'], True)
 
     scenario = Scenario(request.params_body['scenario'])
 
     topology = Topology.from_id(scenario.obj['topology']['topologyId'])
     topology.check_exists()
-    topology.check_user_access(request.google_id, True)
+    topology.check_user_access(request.current_user['sub'], True)
 
     scenario.set_property('portfolioId', portfolio.get_id())
     scenario.set_property('simulation', {'state': 'QUEUED'})
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/authorizations/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/authorizations/endpoint.py
index 0d9ad5cd..0de50851 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/authorizations/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/authorizations/endpoint.py
@@ -7,7 +7,7 @@ from opendc.util.rest import Response
 def GET(request):
     """Return all prefabs the user is authorized to access"""
 
-    user = User.from_google_id(request.google_id)
+    user = User.from_google_id(request.current_user['sub'])
 
     user.check_exists()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/endpoint.py
index 723a2f0d..e77c7150 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/endpoint.py
@@ -15,7 +15,7 @@ def POST(request):
     prefab.set_property('datetimeCreated', Database.datetime_to_string(datetime.now()))
     prefab.set_property('datetimeLastEdited', Database.datetime_to_string(datetime.now()))
 
-    user = User.from_google_id(request.google_id)
+    user = User.from_google_id(request.current_user['sub'])
     prefab.set_property('authorId', user.get_id())
 
     prefab.insert()
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/prefabId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/prefabId/endpoint.py
index 7b81f546..f1cf1fcd 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/prefabs/prefabId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/prefabs/prefabId/endpoint.py
@@ -12,7 +12,7 @@ def GET(request):
 
     prefab = Prefab.from_id(request.params_path['prefabId'])
     prefab.check_exists()
-    prefab.check_user_access(request.google_id)
+    prefab.check_user_access(request.current_user['sub'])
 
     return Response(200, 'Successfully retrieved prefab', prefab.obj)
 
@@ -25,7 +25,7 @@ def PUT(request):
     prefab = Prefab.from_id(request.params_path['prefabId'])
 
     prefab.check_exists()
-    prefab.check_user_access(request.google_id)
+    prefab.check_user_access(request.current_user['sub'])
 
     prefab.set_property('name', request.params_body['prefab']['name'])
     prefab.set_property('rack', request.params_body['prefab']['rack'])
@@ -43,7 +43,7 @@ def DELETE(request):
     prefab = Prefab.from_id(request.params_path['prefabId'])
 
     prefab.check_exists()
-    prefab.check_user_access(request.google_id)
+    prefab.check_user_access(request.current_user['sub'])
 
     old_object = prefab.delete()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/projects/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/projects/endpoint.py
index bf031382..dacbe6a4 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/projects/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/projects/endpoint.py
@@ -25,7 +25,7 @@ def POST(request):
     topology.set_property('projectId', project.get_id())
     topology.update()
 
-    user = User.from_google_id(request.google_id)
+    user = User.from_google_id(request.current_user['sub'])
     user.obj['authorizations'].append({'projectId': project.get_id(), 'authorizationLevel': 'OWN'})
     user.update()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/authorizations/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/authorizations/endpoint.py
index 9f6a60ec..1b229122 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/authorizations/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/authorizations/endpoint.py
@@ -10,7 +10,7 @@ def GET(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, False)
+    project.check_user_access(request.current_user['sub'], False)
 
     authorizations = project.get_all_authorizations()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/endpoint.py
index caac37ca..37cf1860 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/endpoint.py
@@ -16,7 +16,7 @@ def GET(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, False)
+    project.check_user_access(request.current_user['sub'], False)
 
     return Response(200, 'Successfully retrieved project', project.obj)
 
@@ -29,7 +29,7 @@ def PUT(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, True)
+    project.check_user_access(request.current_user['sub'], True)
 
     project.set_property('name', request.params_body['project']['name'])
     project.set_property('datetime_last_edited', Database.datetime_to_string(datetime.now()))
@@ -46,7 +46,7 @@ def DELETE(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, True)
+    project.check_user_access(request.current_user['sub'], True)
 
     for topology_id in project.obj['topologyIds']:
         topology = Topology.from_id(topology_id)
@@ -56,7 +56,7 @@ def DELETE(request):
         portfolio = Portfolio.from_id(portfolio_id)
         portfolio.delete()
 
-    user = User.from_google_id(request.google_id)
+    user = User.from_google_id(request.current_user['sub'])
     user.obj['authorizations'] = list(
         filter(lambda x: x['projectId'] != project.get_id(), user.obj['authorizations']))
     user.update()
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/portfolios/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/portfolios/endpoint.py
index 2cdb1194..18b4d007 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/portfolios/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/portfolios/endpoint.py
@@ -20,7 +20,7 @@ def POST(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, True)
+    project.check_user_access(request.current_user['sub'], True)
 
     portfolio = Portfolio(request.params_body['portfolio'])
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/topologies/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/topologies/endpoint.py
index 44a0d575..47f2a207 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/topologies/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/projects/projectId/topologies/endpoint.py
@@ -14,7 +14,7 @@ def POST(request):
     project = Project.from_id(request.params_path['projectId'])
 
     project.check_exists()
-    project.check_user_access(request.google_id, True)
+    project.check_user_access(request.current_user['sub'], True)
 
     topology = Topology({
         'projectId': project.get_id(),
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/scenarios/scenarioId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/scenarios/scenarioId/endpoint.py
index 88a74e9c..7399f98c 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/scenarios/scenarioId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/scenarios/scenarioId/endpoint.py
@@ -11,7 +11,7 @@ def GET(request):
     scenario = Scenario.from_id(request.params_path['scenarioId'])
 
     scenario.check_exists()
-    scenario.check_user_access(request.google_id, False)
+    scenario.check_user_access(request.current_user['sub'], False)
 
     return Response(200, 'Successfully retrieved scenario.', scenario.obj)
 
@@ -26,7 +26,7 @@ def PUT(request):
     scenario = Scenario.from_id(request.params_path['scenarioId'])
 
     scenario.check_exists()
-    scenario.check_user_access(request.google_id, True)
+    scenario.check_user_access(request.current_user['sub'], True)
 
     scenario.set_property('name',
                           request.params_body['scenario']['name'])
@@ -44,7 +44,7 @@ def DELETE(request):
     scenario = Scenario.from_id(request.params_path['scenarioId'])
 
     scenario.check_exists()
-    scenario.check_user_access(request.google_id, True)
+    scenario.check_user_access(request.current_user['sub'], True)
 
     scenario_id = scenario.get_id()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/topologies/topologyId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/topologies/topologyId/endpoint.py
index ea82b2e2..80618190 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/topologies/topologyId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/topologies/topologyId/endpoint.py
@@ -14,7 +14,7 @@ def GET(request):
     topology = Topology.from_id(request.params_path['topologyId'])
 
     topology.check_exists()
-    topology.check_user_access(request.google_id, False)
+    topology.check_user_access(request.current_user['sub'], False)
 
     return Response(200, 'Successfully retrieved topology.', topology.obj)
 
@@ -25,7 +25,7 @@ def PUT(request):
     topology = Topology.from_id(request.params_path['topologyId'])
 
     topology.check_exists()
-    topology.check_user_access(request.google_id, True)
+    topology.check_user_access(request.current_user['sub'], True)
 
     topology.set_property('name', request.params_body['topology']['name'])
     topology.set_property('rooms', request.params_body['topology']['rooms'])
@@ -43,7 +43,7 @@ def DELETE(request):
     topology = Topology.from_id(request.params_path['topologyId'])
 
     topology.check_exists()
-    topology.check_user_access(request.google_id, True)
+    topology.check_user_access(request.current_user['sub'], True)
 
     topology_id = topology.get_id()
 
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/users/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/users/endpoint.py
index 0dcf2463..fe61ce25 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/users/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/users/endpoint.py
@@ -20,7 +20,7 @@ def POST(request):
     request.check_required_parameters(body={'user': {'email': 'string'}})
 
     user = User(request.params_body['user'])
-    user.set_property('googleId', request.google_id)
+    user.set_property('googleId', request.current_user['sub'])
     user.set_property('authorizations', [])
 
     user.check_already_exists()
diff --git a/opendc-web/opendc-web-api/opendc/api/v2/users/userId/endpoint.py b/opendc-web/opendc-web-api/opendc/api/v2/users/userId/endpoint.py
index be3462c0..26ff7717 100644
--- a/opendc-web/opendc-web-api/opendc/api/v2/users/userId/endpoint.py
+++ b/opendc-web/opendc-web-api/opendc/api/v2/users/userId/endpoint.py
@@ -27,7 +27,7 @@ def PUT(request):
     user = User.from_id(request.params_path['userId'])
 
     user.check_exists()
-    user.check_correct_user(request.google_id)
+    user.check_correct_user(request.current_user['sub'])
 
     user.set_property('givenName', request.params_body['user']['givenName'])
     user.set_property('familyName', request.params_body['user']['familyName'])
@@ -45,7 +45,7 @@ def DELETE(request):
     user = User.from_id(request.params_path['userId'])
 
     user.check_exists()
-    user.check_correct_user(request.google_id)
+    user.check_correct_user(request.current_user['sub'])
 
     for authorization in user.obj['authorizations']:
         if authorization['authorizationLevel'] != 'OWN':
-- 
cgit v1.2.3