Make it possible to disable basic (or OIDC) auth endpoints

Open-EO · Oct 12, 2021 · bd35cdd · bd35cdd
1 parent 50deb55
commit bd35cdd
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 28 deletions.
diff --git a/openeo_driver/_version.py b/openeo_driver/_version.py
@@ -1 +1 @@
-__version__ = '0.14.3a1'
+__version__ = '0.14.4a1'
diff --git a/openeo_driver/backend.py b/openeo_driver/backend.py
@@ -491,6 +491,8 @@ class OpenEoBackendImplementation:
     """
     Simple container of all openEo "microservices"
     """
+    enable_basic_auth = True
+    enable_oidc_auth = True
 
     def __init__(
             self,

diff --git a/openeo_driver/views.py b/openeo_driver/views.py
@@ -472,27 +472,30 @@ def register_views_auth(
         blueprint: Blueprint, backend_implementation: OpenEoBackendImplementation, api_endpoint: EndpointRegistry,
         auth_handler: HttpAuthHandler
 ):
-    @api_endpoint
-    @blueprint.route("/credentials/basic", methods=["GET"])
-    @auth_handler.requires_http_basic_auth
-    def credentials_basic():
-        access_token, user_id = auth_handler.authenticate_basic(request)
-        resp = {"access_token": access_token}
-        if requested_api_version().below("1.0.0"):
-            resp["user_id"] = user_id
-        return jsonify(resp)
 
-    @api_endpoint
-    @blueprint.route("/credentials/oidc", methods=["GET"])
-    @auth_handler.public
-    def credentials_oidc():
-        providers = backend_implementation.oidc_providers()
-        if requested_api_version().at_least("1.0.0"):
-            return jsonify({
-                "providers": [p.prepare_for_json() for p in providers]
-            })
-        else:
-            return flask.redirect(providers[0].issuer + '/.well-known/openid-configuration', code=303)
+    if backend_implementation.enable_basic_auth:
+        @api_endpoint
+        @blueprint.route("/credentials/basic", methods=["GET"])
+        @auth_handler.requires_http_basic_auth
+        def credentials_basic():
+            access_token, user_id = auth_handler.authenticate_basic(request)
+            resp = {"access_token": access_token}
+            if requested_api_version().below("1.0.0"):
+                resp["user_id"] = user_id
+            return jsonify(resp)
+
+    if backend_implementation.enable_oidc_auth:
+        @api_endpoint
+        @blueprint.route("/credentials/oidc", methods=["GET"])
+        @auth_handler.public
+        def credentials_oidc():
+            providers = backend_implementation.oidc_providers()
+            if requested_api_version().at_least("1.0.0"):
+                return jsonify({
+                    "providers": [p.prepare_for_json() for p in providers]
+                })
+            else:
+                return flask.redirect(providers[0].issuer + '/.well-known/openid-configuration', code=303)
 
     @api_endpoint
     @blueprint.route("/me", methods=["GET"])

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -16,17 +16,20 @@ def udp_registry(backend_implementation) -> UserDefinedProcesses:
     return backend_implementation.user_defined_processes
 
 
+TEST_APP_CONFIG = dict(
+    OPENEO_TITLE="openEO Unit Test Dummy Backend",
+    TESTING=True,
+    SERVER_NAME='oeo.net'
+)
+
+
 @pytest.fixture(scope="module")
 def flask_app(backend_implementation) -> flask.Flask:
     app = build_app(
         backend_implementation=backend_implementation,
         # error_handling=False
     )
-    app.config.from_mapping(
-        OPENEO_TITLE="openEO Unit Test Dummy Backend",
-        TESTING=True,
-        SERVER_NAME='oeo.net'
-    )
+    app.config.from_mapping(TEST_APP_CONFIG)
     return app
 
 

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -7,14 +7,16 @@
 import flask
 import pytest
 
+from conftest import TEST_APP_CONFIG
 from openeo.capabilities import ComparableVersion
 from openeo_driver.ProcessGraphDeserializer import custom_process_from_process_graph
-from openeo_driver.backend import BatchJobMetadata, UserDefinedProcessMetadata, BatchJobs
+from openeo_driver.backend import BatchJobMetadata, UserDefinedProcessMetadata, BatchJobs, OpenEoBackendImplementation
 from openeo_driver.dummy import dummy_backend
+from openeo_driver.dummy.dummy_backend import DummyBackendImplementation
 from openeo_driver.testing import ApiTester, TEST_USER, ApiResponse, TEST_USER_AUTH_HEADER, \
     generate_unique_test_process_id, build_basic_http_auth_header
 from openeo_driver.users.auth import HttpAuthHandler
-from openeo_driver.views import EndpointRegistry, _normalize_collection_metadata
+from openeo_driver.views import EndpointRegistry, _normalize_collection_metadata, build_app
 from .data import TEST_DATA_ROOT
 
 
@@ -40,6 +42,17 @@ def api100(client) -> ApiTester:
     return ApiTester(api_version="1.0.0", client=client, data_root=TEST_DATA_ROOT)
 
 
+def api_from_backend_implementation(
+        backend_implementation: OpenEoBackendImplementation,
+        api_version="1.0.0", data_root=TEST_DATA_ROOT
+) -> ApiTester:
+    app: flask.Flask = build_app(backend_implementation)
+    app.config.from_mapping(TEST_APP_CONFIG)
+    client = app.test_client()
+    api = ApiTester(api_version=api_version, client=client, data_root=data_root)
+    return api
+
+
 class TestGeneral:
     """
     General tests (capabilities, collections, processes)
@@ -152,6 +165,36 @@ def test_capabilities_endpoints_issue_28_v100(self, api100):
         assert endpoints["/file_formats"] == ["GET"]
         assert "/output_formats" not in endpoints
 
+    def test_capabilities_no_basic_auth(self):
+        backend_implementation = DummyBackendImplementation()
+        api100 = api_from_backend_implementation(backend_implementation)
+        capabilities = api100.get("/").assert_status_code(200).json
+        endpoints = {e["path"] for e in capabilities["endpoints"]}
+        assert "/credentials/basic" in endpoints
+        api100.get("/credentials/basic").assert_error(401, "AuthenticationRequired")
+
+        backend_implementation.enable_basic_auth = False
+        api100 = api_from_backend_implementation(backend_implementation)
+        capabilities = api100.get("/").assert_status_code(200).json
+        endpoints = {e["path"] for e in capabilities["endpoints"]}
+        assert "/credentials/basic" not in endpoints
+        api100.get("/credentials/basic").assert_error(404, "NotFound")
+
+    def test_capabilities_no_oidc_auth(self):
+        backend_implementation = DummyBackendImplementation()
+        api100 = api_from_backend_implementation(backend_implementation)
+        capabilities = api100.get("/").assert_status_code(200).json
+        endpoints = {e["path"] for e in capabilities["endpoints"]}
+        assert "/credentials/oidc" in endpoints
+        api100.get("/credentials/oidc").assert_status_code(200)
+
+        backend_implementation.enable_oidc_auth = False
+        api100 = api_from_backend_implementation(backend_implementation)
+        capabilities = api100.get("/").assert_status_code(200).json
+        endpoints = {e["path"] for e in capabilities["endpoints"]}
+        assert "/credentials/oidc" not in endpoints
+        api100.get("/credentials/oidc").assert_error(404, "NotFound")
+
     def test_conformance(self, api100):
         res = api100.get('/conformance').assert_status_code(200).json
         assert "conformsTo" in res