Merge pull request #1089 from GeorgianaElena/cilogon-admin

Full Cilogon integration
2i2c-org · Mar 25, 2022 · dc43c6e · dc43c6e
2 parents 70b07c5 + 939a91c
commit dc43c6e
Show file tree

Hide file tree

Showing 10 changed files with 663 additions and 24 deletions.
diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml
@@ -31,24 +31,24 @@ hubs:
     auth0:
       # connection update? Also ensure the basehub Helm chart is provided a
       # matching value for jupyterhub.custom.2i2c.add_staff_user_ids_of_type!
-      connection: google-oauth2
+      enabled: false
     helm_chart_values_files:
       # The order in which you list files here is the order the will be passed
       # to the helm upgrade command in, and that has meaning. Please check
       # that you intend for these files to be applied in this order.
+      - enc-dask-staging.secret.values.yaml
       - dask-staging.values.yaml
   - name: demo
     display_name: "2i2c demo"
     domain: demo.2i2c.cloud
     helm_chart: basehub
     auth0:
-      # connection update? Also ensure the basehub Helm chart is provided a
-      # matching value for jupyterhub.custom.2i2c.add_staff_user_ids_of_type!
-      connection: CILogon
+      enabled: false
     helm_chart_values_files:
       # The order in which you list files here is the order the will be passed
       # to the helm upgrade command in, and that has meaning. Please check
       # that you intend for these files to be applied in this order.
+      - enc-demo.secret.values.yaml
       - demo.values.yaml
   - name: ohw
     display_name: "Ocean Hack Week"

diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml
@@ -31,7 +31,10 @@ basehub:
         tag: 2021.02.19
     hub:
       config:
-        Authenticator:
-          allowed_users: &dask_staging_users
-            - [email protected]
-          admin_users: *dask_staging_users
+        JupyterHub:
+          authenticator_class: cilogon
+        CILogonOAuthenticator:
+          username_claim: "email"
+          oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback"
+          allowed_idps:
+            - "2i2c.org"
diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml
@@ -20,7 +20,12 @@ jupyterhub:
           url: https://2i2c.org
   hub:
     config:
+      JupyterHub:
+        authenticator_class: cilogon
       Authenticator:
         # We do not define allowed_users here since only usernames matching this regex will be allowed to login into the hub.
         # Ref: https://jupyterhub.readthedocs.io/en/stable/api/auth.html#jupyterhub.auth.Authenticator.username_pattern
         username_pattern: '^(.+@2i2c\.org|.+@rmbl\.org|deployment-service-check)$'
+      CILogonOAuthenticator:
+        oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback
+        username_claim: email
diff --git a/config/clusters/2i2c/enc-dask-staging.secret.values.yaml b/config/clusters/2i2c/enc-dask-staging.secret.values.yaml
@@ -0,0 +1,20 @@
+basehub:
+    jupyterhub:
+        hub:
+            config:
+                CILogonOAuthenticator:
+                    client_id: ENC[AES256_GCM,data:U2tPwhzJNuPaVhZh2+l/x06yu2qIgBPBaQQ+DAIHbTmKoRDGWMtrNWQddmbwKEootGiz,iv:sX1r0qjT6B8qCCEjHA31xwHpQdOJdLyAy8wdig+5CBk=,tag:Ns276qpjnejuv9Ui8yNgSQ==,type:str]
+                    client_secret: ENC[AES256_GCM,data:pMoD+NYq1IEjnl7TZkkJRYVmsAuz0NIbEkbANUTFFtt1FWXxjs2993AnRzNBanL9G7G48udurnpZsRt3Nze2bJIBUulB0AA4pnmKQz1fpERbk2Gi2Yo=,iv:tg5ZUw+N9mxvqw/E8SMyTONjWA8MtBcytKvoOj1ByDg=,tag:/kPamEhUtYUamzk8YrMPTQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+    -   resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+        created_at: '2022-03-21T13:32:55Z'
+        enc: CiQA4OM7eILHin2dVwbBCzUPzS05fF4t5RZBAE0JfP6atdLuO38SSQDm5XgWkZe3tUEj+YR1BIfS+/loNOIei+7DK1t/wzTd3306YjyW44g7pZdxKgQqw9V26HGR4jpUf/Xnj9fnslwR2yCkt2KPUjs=
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2022-03-21T13:32:56Z'
+    mac: ENC[AES256_GCM,data:2TB3w10yWfkFC0rIwDnHkDhEZJtC7FClfEQzjFsHnFS6cNcIPZf+mAOMgfipq/PosGNAdGOaTMH95cNXJt4z5sMAoRzFINu5seef3llpax6HtbJ2D4AAcCx7QNq4RGVD1fH2abqZ6P9TxG9VEsHZb0NsaYEA/mhI5kXxrA1fB5s=,iv:4mebKvZWxV1vRW/7f+xRPAU092pb94+0vTfehoNGytw=,tag:nEPCTLbJLPD2D9xGuyW+vQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/config/clusters/2i2c/enc-demo.secret.values.yaml b/config/clusters/2i2c/enc-demo.secret.values.yaml
@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            CILogonOAuthenticator:
+                client_id: ENC[AES256_GCM,data:I2OU6vxq+1MH1xjk5Zy4sVjFtMdgsOgG7lYa0UKJRAaG8csBnXIUi69yHJkkBojvGHBQ,iv:LV8iaQFVBr/iotKhFpilLIM1biVQlDLDJrZuV9IQDA8=,tag:ztZxAQZY+25qmUFfvN5w7A==,type:str]
+                client_secret: ENC[AES256_GCM,data:+fI/SCEsygTP6sQDcybSrpd4IO6KhpiKzNI59+C/mFRF4TNas7+zejRuzYVzJAKTjkEL1NIOek7DNLj47OcBL9Mm5iYyJM3f4gSImUo0QYLf0hnWMOA=,iv:GS2I3kv0IvOVDZht87oTT7LaWswXWwot95R2XWAbKBk=,tag:gI8fVcfLku52wYRHq9/kqQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2022-03-23T22:30:17Z"
+          enc: CiQA4OM7eIjffZKhqikREKUP2NJFoQ430IThTbFbNkrkPcPA++USSQDm5XgW0KL4+aPX+H0Xg0g9Y293y/8SEpifqE1T8On8Na0Phf6AMlg99x35lF1Sc9rTmnuBftzMaZ6YfsW3IVOwj+7fIbMuNWw=
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-03-23T22:30:18Z"
+    mac: ENC[AES256_GCM,data:KipPDtFhkpA1DR+T2tEwqsRb2rAxg5woOLbl4tB75DWhQ4cSr2ne7EoHuNRs7GCJh0KZ19Sh5wu5ujpUQp3BlhUW/dj5h1W8f00e+T5RoroNU2VIWoG+C5Utgb84h6XLjz0IqPY9Z7TgWJcY6TTYJMF59DxUdyjhfWM3oSUGf2I=,iv:eGdldOja6bMbqrLEh/i6aaE20KOJ/Im626Ht22BOtT8=,tag:82paRer+fGTIqrJdjJEOWg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
diff --git a/config/clusters/2i2c/enc-staging.secret.values.yaml b/config/clusters/2i2c/enc-staging.secret.values.yaml
@@ -0,0 +1,19 @@
+jupyterhub:
+    hub:
+        config:
+            CILogonOAuthenticator:
+                client_id: ENC[AES256_GCM,data:UH/edYPBsi2V7VvwjNraqePF0j33QdAzByz14+cOVrzaJUhh8uHJI6UGby7/T6JK8WYm,iv:8NMi6r5McwCreuf3pRhsu3ET6cBm6HjNySGnFeiFYy0=,tag:yiIHk+vVw9qpuSClIir1hg==,type:str]
+                client_secret: ENC[AES256_GCM,data:tFYiFGunRWRzN7u/qalkfL6L+jARTNT42Bollopo6tsG3QFxoGy1Ww4v15Lye/UysVImyirgFT4C6tQXZR462wZdEaEj9o9+1SiUqf0UGAhJFcvoiPI=,iv:6RNRBv9szFszPg4FWyisdZkTTT4pcNixJDoufeOIz7A=,tag:REMhCsHlZPAdiNPWOseIbg==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+    -   resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+        created_at: '2022-03-21T10:38:36Z'
+        enc: CiQA4OM7eJn+A9b0ulwu64MnqKfDM1EwtoKzj7Utg4iXOccLCroSSQDm5XgWCwOR2/FDqBIOrVVltPV7nASpq8h+fiHw5dYTSaPUyAMYwQ62iytA2kwTGQcOMmtxZVhn4dpGt2b0VlEvdiHP02Cgzvo=
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2022-03-21T10:38:36Z'
+    mac: ENC[AES256_GCM,data:D50ijsF6YmlX/El96nrIgxEcEmfbJabVvKIO33zi8PfjqkQZj7L9XdGMz9FzNRvtSu2+PwhZRr+98pqWb4N2SvuVjqPfskJwigVVQifNxOtI2P3V2LvnA/rnYvvTkpfzrcwBJPHsUL8VCAeY8OjxdEpamqFsrlyFG4z2HQ0dAQg=,iv:uDkxaW/3dZZTer1iuqhfIHtZ8vvOY7TCKfFnaI2pcZM=,tag:XjF32PtqZifGwW0LsKa/8Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/deployer/auth.py b/deployer/auth.py
@@ -33,14 +33,14 @@ def auth0(self):
             self._auth0 = Auth0(self.domain, creds["access_token"])
         return self._auth0
 
-    def get_clients(self):
+    def _get_clients(self):
         return {
             client["name"]: client
             # Our account is limited to 100 clients, and we want it all in one go
             for client in self.auth0.clients.all(per_page=100)
         }
 
-    def get_connections(self):
+    def _get_connections(self):
         return {
             connection["name"]: connection
             for connection in self.auth0.connections.all()
@@ -89,9 +89,14 @@ def _ensure_client_logout_url(self, client, logout_url):
             )
 
     def ensure_client(
-        self, name, callback_url, logout_url, connection_name, connection_config
+        self,
+        name,
+        callback_url,
+        logout_url,
+        connection_name,
+        connection_config,
     ):
-        current_clients = self.get_clients()
+        current_clients = self._get_clients()
         if name not in current_clients:
             # Create the client, all good
             client = self.create_client(name, callback_url, logout_url)
@@ -100,7 +105,7 @@ def ensure_client(
             self._ensure_client_callback(client, callback_url)
             self._ensure_client_logout_url(client, logout_url)
 
-        current_connections = self.get_connections()
+        current_connections = self._get_connections()
 
         if connection_name == "password":
             # Users should not be shared between hubs - each hub
@@ -148,7 +153,6 @@ def get_client_creds(self, client, connection_name):
         """
         Return z2jh config for auth0 authentication for this JupyterHub
         """
-
         logout_redirect_params = {
             "client_id": client["client_id"],
             "returnTo": client["allowed_logout_urls"][0],