Merge pull request #860 from uc-cdis/feat/visa_parse

(PXP-7167) Parse Visas

bin/fence_create.py

@@ -405,6 +405,9 @@ def main():
     STORAGE_CREDENTIALS = os.environ.get("STORAGE_CREDENTIALS") or config.get(
         "STORAGE_CREDENTIALS"
     )
+    usersync = config.get("USERSYNC", {})
+    sync_from_visas = usersync.get("sync_from_visas", False)
+    fallback_to_dbgap_sftp = usersync.get("fallback_to_dbgap_sftp", False)
 
     arborist = None
     if args.arborist:
@@ -467,6 +470,8 @@ def main():
             sync_from_local_yaml_file=args.yaml,
             folder=args.folder,
             arborist=arborist,
+            sync_from_visas=sync_from_visas,
+            fallback_to_dbgap_sftp=fallback_to_dbgap_sftp,
         )
     elif args.action == "dbgap-download-access-files":
         download_dbgap_files(

fence/blueprints/login/ras.py

@@ -2,7 +2,7 @@
 import jwt
 from flask_sqlalchemy_session import current_session
 
-from fence.models import GA4GHVisaV1, IdentityProvider, User
+from fence.models import GA4GHVisaV1, IdentityProvider
 
 from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback
 
@@ -57,7 +57,6 @@ def post_login(self, user, token_result):
                 expires=int(decoded_visa["exp"]),
                 ga4gh_visa=encoded_visa,
             )
-
             current_session.add(visa)
             current_session.commit()
 

fence/config-default.yaml

@@ -460,7 +460,6 @@ dbGaP:
       # 'studyX': ['/orgA/', '/orgB/']
       # 'studyX.c2': ['/orgB/', '/orgC/']
       # 'studyZ': ['/orgD/']
-
 # Regex to match an assession number that has consent information in forms like:
 #   phs00301123.c999
 #   phs000123.v3.p1.c3
@@ -770,6 +769,10 @@ SYNAPSE_AUTHZ_TTL: 86400
 RAS_REFRESH_EXPIRATION: 1296000
 # Number of projects that can be registered to a Google Service Accont
 SERVICE_ACCOUNT_LIMIT: 6
+# Settings for usersync with visas
 USERSYNC:
+  sync_from_visas: false
+  # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed
+  fallback_to_dbgap_sftp: false 
   visa_types:
-    ras: [https://ras.nih.gov/visas/v1, https://ras.nih.gov/visas/v1.1]
+    ras: [https://ras.nih.gov/visas/v1, https://ras.nih.gov/visas/v1.1]

fence/job/visa_update_cronjob.py

@@ -171,7 +171,7 @@ def _pick_client(self, visa):
             )
         if not client:
             raise Exception(
-                "Visa Client not set up or not avaialable for type {}".format(visa.type)
+                "Visa Client not set up or not available for type {}".format(visa.type)
             )
         return client
 

fence/scripting/fence_create.py

@@ -210,6 +210,8 @@ def init_syncer(
     sync_from_local_yaml_file=None,
     arborist=None,
     folder=None,
+    sync_from_visas=False,
+    fallback_to_dbgap_sftp=False,
 ):
     """
     sync ACL files from dbGap to auth db and storage backends
@@ -268,6 +270,8 @@ def init_syncer(
         sync_from_local_yaml_file=sync_from_local_yaml_file,
         arborist=arborist,
         folder=folder,
+        sync_from_visas=sync_from_visas,
+        fallback_to_dbgap_sftp=fallback_to_dbgap_sftp,
     )
 
 
@@ -309,6 +313,8 @@ def sync_users(
     sync_from_local_yaml_file=None,
     arborist=None,
     folder=None,
+    sync_from_visas=False,
+    fallback_to_dbgap_sftp=False,
 ):
     syncer = init_syncer(
         dbGaP,
@@ -320,10 +326,15 @@ def sync_users(
         sync_from_local_yaml_file,
         arborist,
         folder,
+        sync_from_visas,
+        fallback_to_dbgap_sftp,
     )
     if not syncer:
         exit(1)
-    syncer.sync()
+    if sync_from_visas:
+        syncer.sync_visas()
+    else:
+        syncer.sync()
 
 
 def create_sample_data(DB, yaml_file_path):

fence/sync/passport_sync/base_sync.py

@@ -0,0 +1,14 @@
+class DefaultVisa(object):
+    """
+    Base class for representation of information in a GA4GH passport describing user, project, and ABAC
+    information for access control
+    """
+
+    def __init__(
+        self,
+        logger=None,
+    ):
+        self.logger = logger
+
+    def _parse_single_visa(self, user, visa):
+        pass

fence/sync/passport_sync/ras_sync.py

@@ -0,0 +1,54 @@
+import jwt
+import time
+
+from fence.sync.passport_sync.base_sync import DefaultVisa
+
+
+class RASVisa(DefaultVisa):
+    """
+    Class representing RAS visas
+    """
+
+    def _init__(self, logger):
+        super(RASVisa, self).__init__(
+            logger=logger,
+        )
+
+    def _parse_single_visa(
+        self, user, encoded_visa, expires, parse_consent_code, db_session
+    ):
+        decoded_visa = {}
+        try:
+            decoded_visa = jwt.decode(encoded_visa, verify=False)
+        except Exception as e:
+            self.logger.warning("Couldn't decode visa {}".format(e))
+            # Remove visas if its invalid or expired
+            user.ga4gh_visas_v1 = []
+            db_session.commit()
+        finally:
+            ras_dbgap_permissions = decoded_visa.get("ras_dbgap_permissions", [])
+        project = {}
+        info = {}
+        info["tags"] = {}
+
+        if time.time() < expires:
+            for permission in ras_dbgap_permissions:
+                phsid = permission.get("phs_id", "")
+                version = permission.get("version", "")
+                participant_set = permission.get("participant_set", "")
+                consent_group = permission.get("consent_group", "")
+                full_phsid = phsid
+                if parse_consent_code and consent_group:
+                    full_phsid += "." + consent_group
+                privileges = {"read-storage", "read"}
+                project[full_phsid] = privileges
+                info["tags"] = {"dbgap_role": permission.get("role", "")}
+        else:
+            # Remove visas if its invalid or expired
+            user.ga4gh_visas_v1 = []
+            db_session.commit()
+
+        info["email"] = user.email or ""
+        info["display_name"] = user.display_name or ""
+        info["phone_number"] = user.phone_number or ""
+        return project, info