Merge pull request #113 from ssi-dk/feat/workspace-data-endpoint

feat: avoid PII data on disk

Caddyfile

@@ -1,9 +1,13 @@
 {
     auto_https off
+    log {
+        format json
+    }
 }
 
 {$SOFI_HOSTNAME} {
     tls /etc/sofi.crt /etc/sofi.pem
+    log
 
     @localrequest {
         remote_ip 127.0.0.1 172.18.0.0/24
@@ -30,6 +34,7 @@
 
 dev2.sofi-platform.dk {
     tls /etc/sofi.crt /etc/sofi.pem
+    log
 
     route /* {
         reverse_proxy microreact:3000

app/src/sap-client/apis/WorkspacesApi.ts

@@ -53,6 +53,10 @@ export interface GetWorkspaceRequest {
     workspaceId: string;
 }
 
+export interface GetWorkspaceDataRequest {
+    workspaceId: string;
+}
+
 export interface PostWorkspaceRequest {
     workspaceId: string;
     updateWorkspace?: UpdateWorkspace;
@@ -286,6 +290,52 @@ export function getWorkspace<T>(requestParameters: GetWorkspaceRequest, requestC
     return getWorkspaceRaw(requestParameters, requestConfig);
 }
 
+/**
+ * Get an workspace data
+ */
+function getWorkspaceDataRaw<T>(requestParameters: GetWorkspaceDataRequest, requestConfig: runtime.TypedQueryConfig<T, Array<Array<any>>> = {}): QueryConfig<T> {
+    if (requestParameters.workspaceId === null || requestParameters.workspaceId === undefined) {
+        throw new runtime.RequiredError('workspaceId','Required parameter requestParameters.workspaceId was null or undefined when calling getWorkspaceData.');
+    }
+
+    let queryParameters = null;
+
+
+    const headerParameters : runtime.HttpHeaders = {};
+
+
+    const { meta = {} } = requestConfig;
+
+    meta.authType = ['bearer'];
+    const config: QueryConfig<T> = {
+        url: `${runtime.Configuration.basePath}/workspaces/{workspace_id}/data`.replace(`{${"workspace_id"}}`, encodeURIComponent(String(requestParameters.workspaceId))),
+        meta,
+        update: requestConfig.update,
+        queryKey: requestConfig.queryKey,
+        optimisticUpdate: requestConfig.optimisticUpdate,
+        force: requestConfig.force,
+        rollback: requestConfig.rollback,
+        options: {
+            method: 'GET',
+            headers: headerParameters,
+        },
+        body: queryParameters,
+    };
+
+    const { transform: requestTransform } = requestConfig;
+    if (requestTransform) {
+    }
+
+    return config;
+}
+
+/**
+* Get an workspace data
+*/
+export function getWorkspaceData<T>(requestParameters: GetWorkspaceDataRequest, requestConfig?: runtime.TypedQueryConfig<T, Array<Array<any>>>): QueryConfig<T> {
+    return getWorkspaceDataRaw(requestParameters, requestConfig);
+}
+
 /**
  * Gets workspaces
  */

microreact_defaults.js

@@ -1,4 +1,7 @@
 module.exports = {
+  externalRequests: {
+      secret: process.env.MICROREACT_ENCRYPTION_SECRET
+    },
   auth: {
     openidconnect: {
       id: "keycloak",

openapi_specs/SOFI/SOFI.yaml

@@ -81,6 +81,33 @@ paths:
         '204':
           description: Sample removed from workspace successfully.
 
+  /workspaces/{workspace_id}/data:
+    get:
+      description: Get an workspace data
+      operationId: get_workspace_data
+      tags:
+        - workspaces
+      x-openapi-router-controller: web.src.SAP.generated.controllers.workspaces_controller
+      parameters:
+        - name: workspace_id
+          in: path
+          required: true
+          schema:
+            type: string
+          description: Id of workspace to get
+      responses:
+        '200':
+          description: Data
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: array
+                  items: {}
+      security: 
+        - microreactjwt: []
+
   /workspaces/{workspace_id}:
     get:
       description: Get an existing workspace
@@ -1660,3 +1687,8 @@ components:
       scheme: bearer
       bearerFormat: JWT
       x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_jwt
+    microreactjwt:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_microreactjwt

openapi_specs/SOFI/templates/security_controller_.mustache

@@ -1,5 +1,5 @@
 from typing import List
-from flask_jwt_extended import decode_token
+from ...src.security.permission_check import decode_sofi_token
 
 {{#authMethods}}
 {{#isOAuth}}
@@ -72,7 +72,6 @@ def info_from_{{name}}(username, password, required_scopes):
 
 {{/isBasicBasic}}
 {{#isBasicBearer}}
-
 def info_from_{{name}}(token):
     """
     Check and retrieve authentication information from custom bearer token.
@@ -85,10 +84,11 @@ def info_from_{{name}}(token):
     :rtype: dict | None
     """
     if token:
-        return decode_token(token)
+        return decode_sofi_token(token, "{{name}}")
 
     return None
 
 {{/isBasicBearer}}
 {{/authMethods}}
 
+

web/openapi_specs/SOFI/SOFI.yaml

@@ -81,6 +81,33 @@ paths:
         '204':
           description: Sample removed from workspace successfully.
 
+  /workspaces/{workspace_id}/data:
+    get:
+      description: Get an workspace data
+      operationId: get_workspace_data
+      tags:
+        - workspaces
+      x-openapi-router-controller: web.src.SAP.generated.controllers.workspaces_controller
+      parameters:
+        - name: workspace_id
+          in: path
+          required: true
+          schema:
+            type: string
+          description: Id of workspace to get
+      responses:
+        '200':
+          description: Data
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: array
+                  items: {}
+      security: 
+        - microreactjwt: []
+
   /workspaces/{workspace_id}:
     get:
       description: Get an existing workspace
@@ -1660,3 +1687,8 @@ components:
       scheme: bearer
       bearerFormat: JWT
       x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_jwt
+    microreactjwt:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+      x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_microreactjwt

web/openapi_specs/SOFI/templates/security_controller_.mustache

@@ -1,5 +1,5 @@
 from typing import List
-from flask_jwt_extended import decode_token
+from ...src.security.permission_check import decode_sofi_token
 
 {{#authMethods}}
 {{#isOAuth}}
@@ -72,7 +72,6 @@ def info_from_{{name}}(username, password, required_scopes):
 
 {{/isBasicBasic}}
 {{#isBasicBearer}}
-
 def info_from_{{name}}(token):
     """
     Check and retrieve authentication information from custom bearer token.
@@ -85,10 +84,11 @@ def info_from_{{name}}(token):
     :rtype: dict | None
     """
     if token:
-        return decode_token(token)
+        return decode_sofi_token(token, "{{name}}")
 
     return None
 
 {{/isBasicBearer}}
 {{/authMethods}}
 
+

web/requirements.txt

@@ -9,16 +9,19 @@ werkzeug == 0.16.1; python_version=="3.5" or python_version=="3.4"
 swagger-ui-bundle >= 0.0.2
 python_dateutil >= 2.6.0
 setuptools >= 21.0.0
-urllib3==1.25.10
+urllib3>=1.26.2
 certifi==2020.6.20
 python-dotenv==0.15.0
 pymongo==3.11.0
 pymongocrypt==1.1.0
 commentjson==0.9.0
-cryptography==3.3.1
-python-jose[cryptography]
+cryptography>=3.3.1
+python-jose[cryptography]==3.3.0
 six>=1.9
 jwcrypto >= 0.8
 Flask-JWT-Extended >= 3.25.1
 openapi-spec-validator==0.2.9
-pydantic==2.8.2
+pydantic==2.8.2
+hkdf
+python-keycloak
+flask-cors

web/src/SAP/__init__.py

@@ -1,13 +1,17 @@
 from pathlib import Path
 from urllib.parse import urljoin
-from jsonschema import RefResolver
+
 import connexion
 import openapi_spec_validator
-from .generated import encoder
+from flask_cors import CORS
+from jsonschema import RefResolver
+
 from .common.database import get_connection
+from .generated import encoder
 
 SPECIFICATION_DIR = "/app/openapi_specs/SOFI/"
 
+
 # connexion tries to validate the spec before it bothers to resolve any refs.
 # openapi_spec_validator does not recognize relative $refs, and needs them realized AOT.
 # With those two issues combined, there's no way our multiple file schema can validate.
@@ -23,6 +27,7 @@ def noop(anything):
 def create_app():
     app = connexion.App(__name__, specification_dir=SPECIFICATION_DIR)
     app.app.json_encoder = encoder.JSONEncoder
+    CORS(app.app)
     app.add_api("SOFI.yaml", arguments={"title": "SOFI"}, pythonic_params=True)
 
     ## Start the encrypted connection instance on app boot

web/src/SAP/generated/controllers/security_controller_.py

@@ -1,6 +1,5 @@
 from typing import List
-from flask_jwt_extended import decode_token
-
+from ...src.security.permission_check import decode_sofi_token
 
 def info_from_jwt(token):
     """
@@ -14,8 +13,25 @@ def info_from_jwt(token):
     :rtype: dict | None
     """
     if token:
-        return decode_token(token)
+        return decode_sofi_token(token, "jwt")
+
+    return None
+
+def info_from_microreactjwt(token):
+    """
+    Check and retrieve authentication information from custom bearer token.
+    Returned value will be passed in 'token_info' parameter of your operation function, if there is one.
+    'sub' or 'uid' will be set in 'user' parameter of your operation function, if there is one.
+
+    :param token Token provided by Authorization header
+    :type token: str
+    :return: Decoded token information or None if token is invalid
+    :rtype: dict | None
+    """
+    if token:
+        return decode_sofi_token(token, "microreactjwt")
 
     return None
 
 
+

web/src/SAP/generated/controllers/workspaces_controller.py

@@ -72,6 +72,18 @@ def get_workspace(user, token_info, workspace_id):  # noqa: E501
     """
     return WorkspacesController.get_workspace(user, token_info, workspace_id)
 
+def get_workspace_data(user, token_info, workspace_id):  # noqa: E501
+    """get_workspace_data
+
+    Get an workspace data # noqa: E501
+
+    :param workspace_id: Id of workspace to get
+    :type workspace_id: str
+
+    :rtype: List[List[AnyType]]
+    """
+    return WorkspacesController.get_workspace_data(user, token_info, workspace_id)
+
 def get_workspaces(user, token_info):  # noqa: E501
     """get_workspaces
 

web/src/SAP/generated/openapi/openapi.yaml

@@ -723,6 +723,34 @@ paths:
       tags:
       - workspaces
       x-openapi-router-controller: web.src.SAP.generated.controllers.workspaces_controller
+  /workspaces/{workspace_id}/data:
+    get:
+      description: Get an workspace data
+      operationId: get_workspace_data
+      parameters:
+      - description: Id of workspace to get
+        explode: false
+        in: path
+        name: workspace_id
+        required: true
+        schema:
+          type: string
+        style: simple
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                items:
+                  items: {}
+                  type: array
+                type: array
+          description: Data
+      security:
+      - microreactjwt: []
+      tags:
+      - workspaces
+      x-openapi-router-controller: web.src.SAP.generated.controllers.workspaces_controller
 components:
   schemas:
     Organization:
@@ -2043,3 +2071,8 @@ components:
       scheme: bearer
       type: http
       x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_jwt
+    microreactjwt:
+      bearerFormat: JWT
+      scheme: bearer
+      type: http
+      x-bearerInfoFunc: web.src.SAP.generated.controllers.security_controller_.info_from_microreactjwt