updated the configurations and added method to check the allowed groups

NASA-IMPACT · Aug 26, 2024 · babfce3 · babfce3
1 parent f241781
commit babfce3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/veda-app-samples/jupyterhub/docker-compose.yaml b/veda-app-samples/jupyterhub/docker-compose.yaml
@@ -8,6 +8,7 @@ services:
     environment:
       OAUTH_CLIENT_ID: "veda-xxxxx-10000000"
       OAUTH_CLIENT_SECRET: "xxxxxx"
+      JUPYTERHUB_CRYPT_KEY: "a99323294a5d6f9b1d0e7e33450dff44db664264231b985e069c6eba8f9a3e09"
     volumes:
       - ./jupyterhub_config.py:/srv/jupyterhub/jupyterhub_config.py
       - /var/run/docker.sock:/var/run/docker.sock

diff --git a/veda-app-samples/jupyterhub/jupyterhub_config.py b/veda-app-samples/jupyterhub/jupyterhub_config.py
@@ -11,9 +11,11 @@
 c.VedaOAuthenticator.authorize_url = 'https://api.veda.usecustos.org/api/v1/identity-management/authorize'
 c.VedaOAuthenticator.token_url = 'https://api.veda.usecustos.org/api/v1/identity-management/token'
 c.VedaOAuthenticator.userdata_url = 'https://api.veda.usecustos.org/api/v1/user-management/userinfo'
-c.VedaOAuthenticator.userdata_method = 'GET'
+c.VedaOAuthenticator.userdata_token_method = 'GET'
 c.VedaOAuthenticator.userdata_params = {"scope": "openid profile email"}
-c.VedaOAuthenticator.username_key = 'email'
+c.VedaOAuthenticator.username_claim = 'email'
+c.Authenticator.enable_auth_state = True
+c.VedaOAuthenticator.allow_all= True
 
 # Set the required OAuth2 scopes
 c.VedaOAuthenticator.scope = ['openid', 'profile', 'email']

diff --git a/veda-app-samples/jupyterhub/veda_authenticator.py b/veda-app-samples/jupyterhub/veda_authenticator.py
@@ -25,6 +25,7 @@ class VedaOAuthenticator(OAuthenticator):
     token_url = Unicode(config=True)
     oauth_callback_url = Unicode(config=True)
     scope = List(Unicode(), default_value=['openid', 'email', 'org.cilogon.userinfo'], config=True)
+    allowed_groups = List(Unicode(), default_value=['VedaHubAdmin', 'VedaHubEditor'], config=True)
 
     @default("authorize_url")
     def _authorize_url_default(self):
@@ -86,6 +87,12 @@ async def authenticate(self, handler, data=None):
             app_log.error("Failed to decode JWT token: %s", str(e))
             raise HTTPError(500, "Invalid token")
 
+        # Check user groups against allowed groups
+        user_groups = payload.get('groups', [])
+        if not any(group in self.allowed_groups for group in user_groups):
+            app_log.error("User %s is not in an allowed group", payload.get('preferred_username'))
+            raise HTTPError(403, f"User is not authorized to use this hub.")
+
         userdict = {
             "name": payload.get('preferred_username'),
             "auth_state": {