auth via oauth with zimfarm

docker-compose-dev.yml

@@ -154,12 +154,21 @@ services:
       JWT_SECRET: DH8kSxcflUVfNRdkEiJJCn2dOOKI3qfw
       POSTGRES_URI: postgresql+psycopg://zimfarm:zimpass@zimfarm-db:5432/zimfarm
       ALEMBIC_UPGRADE_HEAD_ON_START: true
+      DEBUG: true
       INIT_USERNAME: admin
       INIT_PASSWORD: admin
       ALLOWED_ORIGINS: http://localhost:8003
       ARTIFACTS_UPLOAD_URI: s3+http://minio:9000/?keyId=minio_key&secretAccessKey=minio_secret&bucketName=org-kiwix-dev-artifacts
       LOGS_UPLOAD_URI: s3+http://minio:9000/?keyId=minio_key&secretAccessKey=minio_secret&bucketName=org-kiwix-dev-logs
       ZIM_UPLOAD_URI: s3+http://minio:9000/?keyId=minio_key&secretAccessKey=minio_secret&bucketName=org-kiwix-dev-zims
+      OAUTH_JWKS_URI: https://ory.login-staging.kiwix.org/.well-known/jwks.json
+      OAUTH_ISSUER: https://ory.login-staging.kiwix.org
+      OAUTH_OIDC_CLIENT_ID: 38302485-7f3d-4e88-b1b3-ec02fb92ec8c
+      OAUTH_OIDC_LOGIN_REQUIRE_2FA: true
+      OAUTH_SESSION_AUDIENCE_ID: 309693e7-ad5e-4379-bf93-ba89314230fd
+      OAUTH_SESSION_LOGIN_REQUIRE_2FA: true
+      CREATE_NEW_OAUTH_ACCOUNT: false
+      AUTH_MODES: local,oauth-session
     networks:
       - wp1bot-dev
     depends_on:

docker/zimfarm/zimfarm_ui_dev/config.json

@@ -1,3 +1,6 @@
 {
-  "ZIMFARM_WEBAPI": "http://localhost:8004/v2"
+  "ZIMFARM_WEBAPI": "http://localhost:8004/v2",
+  "OAUTH_BASE_URL": "https://ory.login-staging.kiwix.org",
+  "OAUTH_MODE": "session",
+  "LOGIN_MODES": ["local"]
 }

wp1/credentials.py.dev.e2e

@@ -40,12 +40,24 @@ CREDENTIALS = {
             'secret': '',
             'bucket': 'org-kiwix-dev-wp1',
         },
-        
+
         'MAILGUN': {
             'url': 'https://api.eu.mailgun.net/v3/mg.wp1.openzim.org/messages',
             'api_key': 'INSERT_YOUR_MAILGUN_API_KEY_HERE',
         },
-
+        "ZIMFARM": {
+            "auth_mode": "local",
+            "url": "https://fake.farm/v2",
+            "s3_url": "https://fake.wasabisys.com/org-kiwix-zimit",
+            "user": "farmuser",
+            "password": "farmpass",
+            "hook_token": "hook-token-abc",
+            # if auth_mode is set to "oauth", then, uncomment these
+            # "oauth_issuer": "https://ory.login-staging.kiwix.org",
+            # "oauth_client_id": "oauth-client-id",
+            # "oauth_client_secret": "oauth-client-secret",
+            # "oauth_audience_id": "oauth-audience-id",
+        },
         'FILE_PATH': {
             # Path where pageviews.bz2 file (~3GB) will be downloaded.
             'pageviews': '/tmp/pageviews',

wp1/credentials.py.dev.example

@@ -101,6 +101,7 @@ CREDENTIALS = {
         # Server URL and credentials for the Zim Farm that will be used to create
         # ZIM files from materialized selections.
         'ZIMFARM': {
+            'auth_mode': 'local',
             'url': 'http://zimfarm-api/v2',
             's3_url': 'http://localhost:9000/org-kiwix-dev-zims', # if using minio
             'user': 'admin',
@@ -111,6 +112,11 @@ CREDENTIALS = {
             # Update this to the latest version at the time of your deployment.
             'image': 'ghcr.io/openzim/mwoffliner:1.17.2',
             'definition_version': '1.17.2',
+            # if auth_mode is set to "oauth", then, uncomment these
+            # "oauth_issuer": "https://ory.login-staging.kiwix.org",
+            # "oauth_client_id": "oauth-client-id",
+            # "oauth_client_secret": "oauth-client-secret",
+            # "oauth_audience_id": "oauth-audience-id",
         },
 
         # Logging directives. Keys are the names of the loggers, values are dictionaries

wp1/credentials.py.e2e

@@ -76,11 +76,17 @@ CREDENTIALS = {
             'backend': 'http://test.server.fake'
         },
         'ZIMFARM': {
+	    'auth_mode': 'local',
             'url': 'https://fake.farm/v2',
             's3_url': 'https://fake.wasabisys.com/org-kiwix-zimit',
             'user': 'farmuser',
             'password': 'farmpass',
             'hook_token': 'hook-token-abc',
+            # if auth_mode is set to "oauth", then, uncomment these
+            # "oauth_issuer": "https://ory.login-staging.kiwix.org",
+            # "oauth_client_id": "oauth-client-id",
+            # "oauth_client_secret": "oauth-client-secret",
+            # "oauth_audience_id": "oauth-audience-id",
         },
         'MAILGUN': {
             'url': 'https://api.eu.mailgun.net/v3/mg.wp1.openzim.org/messages',

wp1/credentials.py.example

@@ -129,6 +129,7 @@ CREDENTIALS = {
         # Server URL and credentials for the Zim Farm that will be used to create
         # ZIM files from materialized selections.
         'ZIMFARM': {
+	    'auth_mode': 'local',
             'url': 'http://zimfarm-api/v2',
             's3_url': 'https://localhost:9000/org-kiwix-dev-zims', # if using minio
             'user': 'admin',
@@ -139,6 +140,11 @@ CREDENTIALS = {
             # Update this to the latest version at the time of your deployment.
             'image': 'ghcr.io/openzim/mwoffliner:1.17.2',
             'definition_version': '1.17.2',
+            # if auth_mode is set to "oauth", then, uncomment these
+            # "oauth_issuer": "https://ory.login-staging.kiwix.org",
+            # "oauth_client_id": "oauth-client-id",
+            # "oauth_client_secret": "oauth-client-secret",
+            # "oauth_audience_id": "oauth-audience-id",
         },
 
         # Credentials for the Mailgun service, used to send emails. This is not

wp1/logic/builder_test.py

@@ -1115,7 +1115,7 @@ def test_handle_zim_generation(
         "wp1.logic.builder.utcnow",
         return_value=datetime.datetime(2022, 12, 25, 0, 1, 2),
     )
-    @patch("wp1.logic.builder.zimfarm.get_zimfarm_token", return_value="test_token")
+    @patch("wp1.logic.builder.zimfarm.token_provider", return_value="test_token")
     def test_handle_zim_generation_long_title(
         self, mock_utcnow, mock_get_zimfarm_token
     ):

wp1/timestamp.py

@@ -1,5 +1,10 @@
-from datetime import datetime, timezone
+from datetime import datetime, timezone, UTC
 
 
 def utcnow() -> datetime:
     return datetime.now(timezone.utc)
+
+
+def naive_utcnow():
+    """naive UTC now"""
+    return datetime.now(UTC).replace(tzinfo=None)

wp1/web/builders_test.py

@@ -587,7 +587,7 @@ def test_create_zim_file_for_builder(
         patched_request_zimfarm_task.assert_called_once()
         with self.wp10db.cursor() as cursor:
             cursor.execute(
-                "SELECT z_task_id, z_status FROM zim_tasks " "WHERE z_selection_id = 3"
+                "SELECT z_task_id, z_status FROM zim_tasks WHERE z_selection_id = 3"
             )
             data = cursor.fetchone()
 
@@ -665,7 +665,7 @@ def test_create_zim_file_for_builder_400(self, patched_request_zimfarm_task):
     @patch("wp1.zimfarm.request_zimfarm_task")
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_no_title(
         self, mock_get_token, mock_requests, mock_request_zimfarm_task
     ):
@@ -685,7 +685,7 @@ def test_create_zim_file_for_builder_no_title(
     @patch("wp1.zimfarm.request_zimfarm_task")
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_too_long_title(
         self, mock_get_token, mock_requests, mock_request_zimfarm_task
     ):
@@ -706,7 +706,7 @@ def test_create_zim_file_for_builder_too_long_title(
     @patch("wp1.zimfarm.request_zimfarm_task")
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_too_long_description(
         self, mock_get_token, mock_requests, mock_request_zimfarm_task
     ):
@@ -727,7 +727,7 @@ def test_create_zim_file_for_builder_too_long_description(
     @patch("wp1.zimfarm.request_zimfarm_task")
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_too_long_long_description(
         self, mock_get_token, mock_requests, mock_request_zimfarm_task
     ):
@@ -752,7 +752,7 @@ def test_create_zim_file_for_builder_too_long_long_description(
     @patch("wp1.zimfarm.request_zimfarm_task")
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_too_short_long_description(
         self, mock_get_token, mock_requests, mock_request_zimfarm_task
     ):
@@ -775,7 +775,7 @@ def test_create_zim_file_for_builder_too_short_long_description(
 
     # Mock requests to avoid actual HTTP calls
     @patch("wp1.zimfarm.requests")
-    @patch("wp1.zimfarm.get_zimfarm_token")
+    @patch("wp1.zimfarm.token_provider.get_access_token")
     def test_create_zim_file_for_builder_too_many_articles(
         self, token_mock, requests_mock
     ):