From 03c255416efc5f287e559288af01898e4a43b48b Mon Sep 17 00:00:00 2001 From: briri Date: Thu, 23 May 2024 15:01:10 -0700 Subject: [PATCH 1/5] added template and config for adding api clients --- .../regional/api-clients/uc-riverside.yaml | 24 ++++ templates/cognito-app-client.yaml | 114 ++++++++++++++++++ 2 files changed, 138 insertions(+) create mode 100644 config/prd/regional/api-clients/uc-riverside.yaml create mode 100644 templates/cognito-app-client.yaml diff --git a/config/prd/regional/api-clients/uc-riverside.yaml b/config/prd/regional/api-clients/uc-riverside.yaml new file mode 100644 index 00000000..b1198a4a --- /dev/null +++ b/config/prd/regional/api-clients/uc-riverside.yaml @@ -0,0 +1,24 @@ +template: + path: 'cognito-app-client.yaml' + type: 'file' + +parameters: + UserPoolId: !stack_output prd/regional/cognito.yaml::UserPoolId + + Domain: !stack_attr sceptre_user_data.domain + Subdomain: 'auth' + Env: !stack_attr sceptre_user_data.env + + ClientName: 'uc-riverside' + + ClientCallbackUri: 'https://localhost:3000/callback' + + OnlyAllowAdminsToCreateUsers: 'false' + UnusedAccountValidityDays: '14' + MinimumPasswordLength: '8' + + TokenValidityUnits: 'minutes' + AccessTokenValidity: '10' + AuthSessionValidatyMinutes: '3' + IdTokenValidity: '7' + RefreshTokenValidity: '10080' diff --git a/templates/cognito-app-client.yaml b/templates/cognito-app-client.yaml new file mode 100644 index 00000000..7e471422 --- /dev/null +++ b/templates/cognito-app-client.yaml 
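Review bot: `ClientCallbackUri: 'https://localhost:3000/callback'` registers a localhost redirect URI in a `config/prd` file, and the template wires it straight into the client's `CallbackURLs`; with `AllowedOAuthFlows` limited to `client_credentials` the URL is never redirected to today, but it remains the registered callback of a production client should an authorization-code or implicit flow ever be switched on, so either put the real consumer URL here or mark it as a placeholder, e.g. `ClientCallbackUri: 'https://localhost:3000/callback'  # placeholder: unused by client_credentials; replace before enabling any user-facing OAuth flow`. The same placeholder is copied into `stanford.yaml` (patch 2) and `uc-boulder.yaml` (patch 3).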
@@ -0,0 +1,114 @@ +AWSTemplateFormatVersion: '2010-09-09' + +Description: 'Cognito user pool app integration' + +Parameters: + UserPoolId: + Type: 'String' + + Env: + Type: 'String' + Default: 'dev' + + Domain: + Type: 'String' + + Subdomain: + Type: 'String' + + ClientName: + Type: 'String' + + ClientCallbackUri: + Type: 'String' + + OnlyAllowAdminsToCreateUsers: + Type: 'String' + Default: 'false' + AllowedValues: + - 'true' + - 'false' + + UnusedAccountValidityDays: + Type: 'Number' + Default: 14 + + MinimumPasswordLength: + Type: 'Number' + Default: 8 + + TokenValidityUnits: + Type: 'String' + Default: 'minutes' + AllowedValues: + - 'seconds' + - 'minutes' + - 'hours' + - 'days' + + AccessTokenValidity: + Type: 'Number' + Default: 10 + + AuthSessionValidatyMinutes: + Type: 'Number' + Default: 3 + + IdTokenValidity: + Type: 'Number' + Default: 7 + + RefreshTokenValidity: + Type: 'Number' + Default: 10080 # 7 days + +Resources: + # -------------------------------------------------------------- + # Cognito UserPool application clients + # See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html + # -------------------------------------------------------------- + UserPoolClient: + Type: 'AWS::Cognito::UserPoolClient' + DeletionPolicy: Retain + Properties: + ClientName: !Ref ClientName + UserPoolId: !Ref UserPoolId + ExplicitAuthFlows: + - 'ALLOW_ADMIN_USER_PASSWORD_AUTH' + - 'ALLOW_CUSTOM_AUTH' + - 'ALLOW_USER_SRP_AUTH' + - 'ALLOW_REFRESH_TOKEN_AUTH' + AllowedOAuthFlowsUserPoolClient: true + AllowedOAuthFlows: + - 'client_credentials' + AllowedOAuthScopes: + - !Sub 'https://${Subdomain}.${Domain}/${Env}.read' + # - !Sub 'https://${Subdomain}.${Domain}/${Env}.write' + EnableTokenRevocation: true + PreventUserExistenceErrors: 'ENABLED' + GenerateSecret: true + SupportedIdentityProviders: + - 'COGNITO' + # The CF docs indicate that this is not required but I am unable to get a token from Cognito without it + 
CallbackURLs: + # - 'http://localhost:3000/callback' + - !Ref ClientCallbackUri + TokenValidityUnits: + AccessToken: !Ref TokenValidityUnits + IdToken: !Ref TokenValidityUnits + RefreshToken: !Ref TokenValidityUnits + # The token issued after the user signs in + AccessTokenValidity: !Ref AccessTokenValidity + # The length (minutes) that a session token for each API request in an authentication flow lasts + AuthSessionValidity: !Ref AuthSessionValidatyMinutes + # The token used during user authentication + IdTokenValidity: !Ref IdTokenValidity + # The length of time the user can refresh their token + RefreshTokenValidity: !Ref RefreshTokenValidity + +Outputs: + LogicalClientId: + Value: !Ref UserPoolClient + + ClientId: + Value: !GetAtt UserPoolClient.ClientId \ No newline at end of file From a9c705fc16c1a9ccfd9e519df020a060bbfb7157 Mon Sep 17 00:00:00 2001 From: briri Date: Thu, 20 Jun 2024 10:15:44 -0700 Subject: [PATCH 2/5] added stanford api-client --- config/prd/regional/api-clients/stanford.yaml | 30 +++++++++++++++++++ src/scripts/add-api-client.sh | 27 +++++++++++++++++ templates/cognito-app-client.yaml | 22 +++++++++++--- 3 files changed, 75 insertions(+), 4 deletions(-) create mode 100644 config/prd/regional/api-clients/stanford.yaml create mode 100755 src/scripts/add-api-client.sh diff --git a/config/prd/regional/api-clients/stanford.yaml b/config/prd/regional/api-clients/stanford.yaml new file mode 100644 index 00000000..2b6a827c --- /dev/null +++ b/config/prd/regional/api-clients/stanford.yaml 
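Review bot: `ExplicitAuthFlows` enables `ALLOW_ADMIN_USER_PASSWORD_AUTH`, `ALLOW_CUSTOM_AUTH` and `ALLOW_USER_SRP_AUTH` on a client whose only OAuth flow is `client_credentials` and which is created with `GenerateSecret: true`; a machine-to-machine client has no user sign-in to serve, so these flows look unused and leaving them on widens what the client id/secret pair can be used for — consider trimming the list to what the consumer actually exercises (if the consumer never uses refresh tokens, `ALLOW_REFRESH_TOKEN_AUTH` may be unnecessary too, since the client-credentials grant does not issue them). Separately, `OnlyAllowAdminsToCreateUsers`, `UnusedAccountValidityDays` and `MinimumPasswordLength` are declared as parameters but never referenced under `Resources` or `Outputs`, so every api-client config passes values that have no effect; either drop them or add a comment saying they are reserved. The parameter name `AuthSessionValidatyMinutes` is misspelled (`Validaty`) and is now baked into the config files, so renaming it later will require touching each of them.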
@@ -0,0 +1,30 @@ +template: + path: 'cognito-app-client.yaml' + type: 'file' + +parameters: + UserPoolId: !stack_output prd/regional/cognito.yaml::UserPoolId + + Domain: !stack_attr sceptre_user_data.domain + Subdomain: 'auth' + Env: !stack_attr sceptre_user_data.env + + ClientName: 'stanford' + + ClientCallbackUri: 'https://localhost:3000/callback' + + AllowWrite: 'yes' + + OnlyAllowAdminsToCreateUsers: 'false' + UnusedAccountValidityDays: '14' + MinimumPasswordLength: '8' + + TokenValidityUnits: 'minutes' + AccessTokenValidity: '10' + AuthSessionValidatyMinutes: '3' + IdTokenValidity: '7' + RefreshTokenValidity: '10080' + +# hooks: +# after_create: +# cmd: 'src/scripts/add-api-client.sh prd stanford http://localhost:3000/callback' diff --git a/src/scripts/add-api-client.sh b/src/scripts/add-api-client.sh new file mode 100755 index 00000000..0c860af4 --- /dev/null +++ b/src/scripts/add-api-client.sh 
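Review bot: `AllowWrite: 'yes'` makes this the only client config in the series that is granted the write scope, and nothing in the file records why; a one-line comment above it such as `# Write scope granted on request — <approval/ticket placeholder>` would keep the elevated grant reviewable later. The commented-out `after_create` hook passes the full URL `http://localhost:3000/callback` as the third argument of `add-api-client.sh`, but the script treats `$3` as a bare domain and builds `https://$3/...` from it, so enabling the hook as written would seed URIs of the form `https://http://localhost:3000/callback/...`; the same argument is used when the hooks go live for `stanford.yaml`, `uc-boulder.yaml` and `uc-riverside.yaml` in patch 4.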
@@ -0,0 +1,27 @@
+
+if [ $# -ne 3 ]; then
+ echo 'Wrong number of arguments. Expecting 2:'
+ echo ' - The `env` for the Dynamo Table (e.g. dev)'
+ echo ' - The Name of the external system (e.g. Foo)'
+ echo ' - The Domain of the external system (e.g. example.com)'
+ exit 1
+fi
+
+KEY=$(echo $2 | tr '[:upper:]' '[:lower:]')
+SSM_PATH_DYNAMO="/uc3/dmp/hub/$1/DynamoTableName"
+SSM_PATH_EMAIL="/uc3/dmp/hub/$1/AdminEmail"
+
+echo "Looking for Dynamo Table name at $SSM_PATH_DYNAMO"
+echo "----------------------------------------------------------------------------"
+DYNAMO_TABLE=$(echo `aws ssm get-parameter --name $SSM_PATH_DYNAMO | jq .Parameter.Value | sed -e "s/\"//g"`)
+ADMIN_EMAIL=$(echo `aws ssm get-parameter --name $SSM_PATH_EMAIL | jq .Parameter.Value | sed -e "s/\"//g"`)
+
+if [ -z $DYNAMO_TABLE ]; then echo "No Dynamo Table name found in SSM!"; exit 1; fi
+
+echo "Seeding $DYNAMO_TABLE ..."
+echo "----------------------------------------------------------------------------"
+echo "Creating Provenance item for $2 -> {\"PK\": \"PROVENANCE#$KEY\", \"SK\": \"PROFILE\"}"
+# Insert the Provenance record for the DMPTool application
+aws dynamodb put-item --table-name $DYNAMO_TABLE \
+ --item \
+ "{\"PK\":{\"S\":\"PROVENANCE#$KEY\"},\"SK\":{\"S\":\"PROFILE\"},\"contact\":{\"M\":{\"email\":{\"S\":\"$ADMIN_EMAIL\"},\"name\":{\"S\":\"Administrator\"}}},\"description\":{\"S\":\"The $2 $1 system\"},\"downloadUri\":{\"S\":\"https://$3/api/v2/plans/\"},\"homepage\":{\"S\":\"https://$3\"},\"name\":{\"S\":\"$2\"},\"redirectUri\":{\"S\":\"https://$3/callback\"},\"tokenUri\":{\"S\":\"https://$3/oauth/token\"}}"
diff --git a/templates/cognito-app-client.yaml b/templates/cognito-app-client.yaml
index 7e471422..c6ea1253 100644
--- a/templates/cognito-app-client.yaml
+++ b/templates/cognito-app-client.yaml
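Review bot: the usage message says `Expecting 2:` while the guard checks `$# -ne 3` and then lists three arguments, and the script has neither a shebang nor `set -euo pipefail`, so a failed `aws ssm get-parameter` leaves `ADMIN_EMAIL` empty and the `put-item` still runs with an empty contact email. The `--item` JSON is assembled by interpolating `$1`, `$2`, `$3` and `$ADMIN_EMAIL` into one double-quoted string, so any value containing a `"` or a backslash yields malformed JSON or a different document than intended; building the item with `jq -n --arg` keeps caller-supplied values as data. `[ -z $DYNAMO_TABLE ]` should quote the variable, and the nested-backtick plus `sed` quote-stripping can be replaced by `--query Parameter.Value --output text`. The rewritten lines are below; the echo lines and path assignments are unchanged.
```shell
#!/usr/bin/env bash
set -euo pipefail

if [ $# -ne 3 ]; then
  echo 'Wrong number of arguments. Expecting 3:'
  # … unchanged: the three argument descriptions and exit 1 …
fi

# … unchanged: KEY and SSM_PATH_* assignments, progress echo lines …

DYNAMO_TABLE=$(aws ssm get-parameter --name "$SSM_PATH_DYNAMO" --query Parameter.Value --output text)
ADMIN_EMAIL=$(aws ssm get-parameter --name "$SSM_PATH_EMAIL" --query Parameter.Value --output text)

if [ -z "$DYNAMO_TABLE" ]; then echo "No Dynamo Table name found in SSM!"; exit 1; fi

# Build the item with jq so caller-supplied values are JSON-encoded rather than spliced into a string
ITEM=$(jq -n \
  --arg pk "PROVENANCE#$KEY" --arg email "$ADMIN_EMAIL" --arg desc "The $2 $1 system" \
  --arg name "$2" --arg home "https://$3" --arg dl "https://$3/api/v2/plans/" \
  --arg redirect "https://$3/callback" --arg token "https://$3/oauth/token" \
  '{PK:{S:$pk}, SK:{S:"PROFILE"}, contact:{M:{email:{S:$email}, name:{S:"Administrator"}}},
    description:{S:$desc}, downloadUri:{S:$dl}, homepage:{S:$home}, name:{S:$name},
    redirectUri:{S:$redirect}, tokenUri:{S:$token}}')
aws dynamodb put-item --table-name "$DYNAMO_TABLE" --item "$ITEM"
```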
@@ -62,6 +62,17 @@ Parameters: Type: 'Number' Default: 10080 # 7 days + AllowWrite: + Type: 'String' + Default: 'no' + AllowedValues: + - 'yes' + - 'no' + +Conditions: + WriteAllowed: + !Equals [!Ref AllowWrite, 'yes'] + Resources: # -------------------------------------------------------------- # Cognito UserPool application clients @@ -81,9 +92,13 @@ Resources: AllowedOAuthFlowsUserPoolClient: true AllowedOAuthFlows: - 'client_credentials' - AllowedOAuthScopes: - - !Sub 'https://${Subdomain}.${Domain}/${Env}.read' - # - !Sub 'https://${Subdomain}.${Domain}/${Env}.write' + AllowedOAuthScopes: !If + - WriteAllowed + # Allow both read and write + - - !Sub 'https://${Subdomain}.${Domain}/${Env}.read' + - !Sub 'https://${Subdomain}.${Domain}/${Env}.write' + # Only allow read + - - !Sub 'https://${Subdomain}.${Domain}/${Env}.read' EnableTokenRevocation: true PreventUserExistenceErrors: 'ENABLED' GenerateSecret: true @@ -91,7 +106,6 @@ Resources: - 'COGNITO' # The CF docs indicate that this is not required but I am unable to get a token from Cognito without it CallbackURLs: - # - 'http://localhost:3000/callback' - !Ref ClientCallbackUri TokenValidityUnits: AccessToken: !Ref TokenValidityUnits From 7911ff8f8c33c69236236720320070c285e6b311 Mon Sep 17 00:00:00 2001 From: briri Date: Tue, 9 Jul 2024 15:48:55 -0700 Subject: [PATCH 3/5] added cognito client for uc-boulder --- .../prd/regional/api-clients/uc-boulder.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 config/prd/regional/api-clients/uc-boulder.yaml diff --git a/config/prd/regional/api-clients/uc-boulder.yaml b/config/prd/regional/api-clients/uc-boulder.yaml new file mode 100644 index 00000000..ce4484ec --- /dev/null +++ b/config/prd/regional/api-clients/uc-boulder.yaml 
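Review bot: the new `AllowWrite` parameter has no `Description` and takes `'yes'`/`'no'` while `OnlyAllowAdminsToCreateUsers` in the same `Parameters` block takes `'true'`/`'false'`; since this flag is the one switch that widens a client from read-only to read+write, it deserves a description such as `Description: 'Set to yes to add the Env-suffixed write OAuth scope; the default (no) grants the read scope only'` and the same vocabulary as its neighbour (the config files would need the matching value change). The `WriteAllowed` condition and the `!If` on `AllowedOAuthScopes` fall back to the read-only list, which is the right safe default; the comment lines placed between the `!If` branches are legal YAML but easy to misread as part of the lists, so putting them on the `- WriteAllowed` line or above the property would read more clearly.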
@@ -0,0 +1,24 @@
+template:
+ path: 'cognito-app-client.yaml'
+ type: 'file'
+
+parameters:
+ UserPoolId: !stack_output prd/regional/cognito.yaml::UserPoolId
+
+ Domain: !stack_attr sceptre_user_data.domain
+ Subdomain: 'auth'
+ Env: !stack_attr sceptre_user_data.env
+
+ ClientName: 'uc-boulder'
+
+ ClientCallbackUri: 'https://localhost:3000/callback'
+
+ OnlyAllowAdminsToCreateUsers: 'false'
+ UnusedAccountValidityDays: '14'
+ MinimumPasswordLength: '8'
+
+ TokenValidityUnits: 'minutes'
+ AccessTokenValidity: '10'
+ AuthSessionValidatyMinutes: '3'
+ IdTokenValidity: '7'
+ RefreshTokenValidity: '10080'
From fe8c1a0a5ffaab1ca666b5867a5a83c09f0d28b8 Mon Sep 17 00:00:00 2001 From: briri Date: Wed, 17 Jul 2024 13:14:14 -0700 Subject: [PATCH 4/5] updated api-clients so that their provenance records have a org_access_level attribute in Dynamo. Also added a step to add their RORs to SSM --- config/prd/regional/api-clients/stanford.yaml | 7 ++++--- config/prd/regional/api-clients/uc-boulder.yaml | 5 +++++ config/prd/regional/api-clients/uc-riverside.yaml | 5 +++++ src/scripts/add-api-client.sh | 2 +- 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/config/prd/regional/api-clients/stanford.yaml b/config/prd/regional/api-clients/stanford.yaml
index 2b6a827c..ee6e6173 100644
--- a/config/prd/regional/api-clients/stanford.yaml
+++ b/config/prd/regional/api-clients/stanford.yaml
@@ -25,6 +25,7 @@ parameters: IdTokenValidity: '7' RefreshTokenValidity: '10080' -# hooks: -# after_create: -# cmd: 'src/scripts/add-api-client.sh prd stanford http://localhost:3000/callback' +hooks: + after_update: + cmd: 'src/scripts/add-api-client.sh prd stanford http://localhost:3000/callback' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/stanford/ror_list --type String --value \'["https://ror.org/03mtd9a03","https://ror.org/00f54p054","https://ror.org/014qe3j22","https://ror.org/0551gkb08"]\''
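Review bot: `after_update` is written as a mapping with two `cmd:` keys; YAML loaders that tolerate duplicates keep the last one, so the `add-api-client.sh` call would be dropped silently and only the `ssm put-parameter` would run (loaders that reject duplicates would refuse to load the config instead). Sceptre hooks are a list of `!cmd` entries, e.g. `after_update:` / `- !cmd 'src/scripts/add-api-client.sh prd stanford <domain>'` / `- !cmd 'aws ssm put-parameter …'`; the same mapping shape is used in the `uc-boulder.yaml` and `uc-riverside.yaml` hunks of this patch and carried into all three files in patch 5. Moving from the commented `after_create` to `after_update` also means the hooks never fire when the stack is first created, only on later updates — if the provenance record is needed from the first deploy, list them under both.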
diff --git a/config/prd/regional/api-clients/uc-boulder.yaml b/config/prd/regional/api-clients/uc-boulder.yaml index ce4484ec..8a47cac8 100644 --- a/config/prd/regional/api-clients/uc-boulder.yaml +++ b/config/prd/regional/api-clients/uc-boulder.yaml @@ -22,3 +22,8 @@ parameters: AuthSessionValidatyMinutes: '3' IdTokenValidity: '7' RefreshTokenValidity: '10080' + +hooks: + after_update: + cmd: 'src/scripts/add-api-client.sh prd uc-boulder http://localhost:3000/callback' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-boulder/ror_list --type String --value \'["https://ror.org/02ttsq026"]\'' diff --git a/config/prd/regional/api-clients/uc-riverside.yaml b/config/prd/regional/api-clients/uc-riverside.yaml index b1198a4a..5a335b55 100644 --- a/config/prd/regional/api-clients/uc-riverside.yaml +++ b/config/prd/regional/api-clients/uc-riverside.yaml @@ -22,3 +22,8 @@ parameters: AuthSessionValidatyMinutes: '3' IdTokenValidity: '7' RefreshTokenValidity: '10080' + +hooks: + after_update: + cmd: 'src/scripts/add-api-client.sh prd uc-riverside http://localhost:3000/callback' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-riverside/ror_list --type String --value \'["https://ror.org/03nawhv43"]\'' diff --git a/src/scripts/add-api-client.sh b/src/scripts/add-api-client.sh index 0c860af4..28438f91 100755 --- a/src/scripts/add-api-client.sh +++ b/src/scripts/add-api-client.sh 
@@ -24,4 +24,4 @@ echo "Creating Provenance item for $2 -> {\"PK\": \"PROVENANCE#$KEY\", \"SK\": \ # Insert the Provenance record for the DMPTool application aws dynamodb put-item --table-name $DYNAMO_TABLE \ --item \ - "{\"PK\":{\"S\":\"PROVENANCE#$KEY\"},\"SK\":{\"S\":\"PROFILE\"},\"contact\":{\"M\":{\"email\":{\"S\":\"$ADMIN_EMAIL\"},\"name\":{\"S\":\"Administrator\"}}},\"description\":{\"S\":\"The $2 $1 system\"},\"downloadUri\":{\"S\":\"https://$3/api/v2/plans/\"},\"homepage\":{\"S\":\"https://$3\"},\"name\":{\"S\":\"$2\"},\"redirectUri\":{\"S\":\"https://$3/callback\"},\"tokenUri\":{\"S\":\"https://$3/oauth/token\"}}" + "{\"PK\":{\"S\":\"PROVENANCE#$KEY\"},\"SK\":{\"S\":\"PROFILE\"},\"contact\":{\"M\":{\"email\":{\"S\":\"$ADMIN_EMAIL\"},\"name\":{\"S\":\"Administrator\"}}},\"description\":{\"S\":\"The $2 $1 system\"},\"downloadUri\":{\"S\":\"https://$3/api/v2/plans/\"},\"homepage\":{\"S\":\"https://$3\"},\"name\":{\"S\":\"$2\"},\"redirectUri\":{\"S\":\"https://$3/callback\"},\"tokenUri\":{\"S\":\"https://$3/oauth/token\"},\"org_access_level\":{\"S\":\"restricted\"}}" From 04c2b7bbeb55279dcd3d0c9616aa6c9cc5a93b1f Mon Sep 17 00:00:00 2001 From: briri Date: Wed, 17 Jul 2024 13:26:52 -0700 Subject: [PATCH 5/5] fix some single vs double quote issues in sceptre configs for api-clients --- config/prd/regional/api-clients/stanford.yaml | 2 +- config/prd/regional/api-clients/uc-boulder.yaml | 2 +- config/prd/regional/api-clients/uc-riverside.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/prd/regional/api-clients/stanford.yaml b/config/prd/regional/api-clients/stanford.yaml index ee6e6173..94c9a284 100644 --- a/config/prd/regional/api-clients/stanford.yaml +++ b/config/prd/regional/api-clients/stanford.yaml 
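Review bot: the new `org_access_level` attribute is hard-coded to `restricted` with nothing in the script saying what the value governs or which other values are accepted, so the next person extending this seed step has to guess. A comment above the `put-item` command such as `# org_access_level is seeded as 'restricted' for every new client; confirm the accepted values with the consuming application before widening it` would record the intent. The enclosing `put-item` command starts in the context lines above the change and is otherwise untouched.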
@@ -28,4 +28,4 @@ parameters: hooks: after_update: cmd: 'src/scripts/add-api-client.sh prd stanford http://localhost:3000/callback' - cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/stanford/ror_list --type String --value \'["https://ror.org/03mtd9a03","https://ror.org/00f54p054","https://ror.org/014qe3j22","https://ror.org/0551gkb08"]\'' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/stanford/ror_list --type String --value "[\"https://ror.org/03mtd9a03\",\"https://ror.org/00f54p054\",\"https://ror.org/014qe3j22\",\"https://ror.org/0551gkb08\"]"' diff --git a/config/prd/regional/api-clients/uc-boulder.yaml b/config/prd/regional/api-clients/uc-boulder.yaml index 8a47cac8..fa3270ba 100644 --- a/config/prd/regional/api-clients/uc-boulder.yaml +++ b/config/prd/regional/api-clients/uc-boulder.yaml @@ -26,4 +26,4 @@ parameters: hooks: after_update: cmd: 'src/scripts/add-api-client.sh prd uc-boulder http://localhost:3000/callback' - cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-boulder/ror_list --type String --value \'["https://ror.org/02ttsq026"]\'' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-boulder/ror_list --type String --value "[\"https://ror.org/02ttsq026\"]"' diff --git a/config/prd/regional/api-clients/uc-riverside.yaml b/config/prd/regional/api-clients/uc-riverside.yaml index 5a335b55..643f84e3 100644 --- a/config/prd/regional/api-clients/uc-riverside.yaml +++ b/config/prd/regional/api-clients/uc-riverside.yaml @@ -26,4 +26,4 @@ parameters: hooks: after_update: cmd: 'src/scripts/add-api-client.sh prd uc-riverside http://localhost:3000/callback' - cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-riverside/ror_list --type String --value \'["https://ror.org/03nawhv43"]\'' + cmd: 'aws ssm put-parameter --overwrite --name /uc3/dmp/tool/provenance/uc-riverside/ror_list --type String --value "[\"https://ror.org/03nawhv43\"]"'