From 223ac5fffb041ca267f125de4d1d65055107e98d Mon Sep 17 00:00:00 2001
From: Duncan Meacher <duncan.meacher@ligo.org>
Date: Tue, 20 Feb 2024 15:50:10 +0000
Subject: [PATCH] Scitoken multi issuer support

---
 config/settings/base.py            |  2 +-
 gracedb/api/backends.py            | 12 +++++++++++-
 gracedb/api/tests/test_backends.py |  2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/config/settings/base.py b/config/settings/base.py
index 223b58a25..8dab418ca 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -358,7 +358,7 @@ X509_INFOS_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS'
 CAPATH = '/etc/grid-security/certificates'
 
 # SciTokens claims settings
-SCITOKEN_ISSUER = "https://cilogon.org/igwn"
+SCITOKEN_ISSUER = ['https://cilogon.org/igwn', 'https://test.cilogon.org/igwn', 'https://osdf.igwn.org/cit']
 SCITOKEN_AUDIENCE = ["ANY"]
 SCITOKEN_SCOPE = "gracedb.read"
 
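Review bot: The new SCITOKEN_ISSUER list puts 'https://test.cilogon.org/igwn' next to the production issuers in base.py, so if base.py is the settings module every deployment inherits, tokens minted by the test issuer will authenticate API requests on production instances too. The test-only issuer belongs in whatever development/test settings module overrides base (I cannot see from this hunk whether one exists), leaving base.py with only the issuers a production instance should trust. Because the enforcer change in gracedb/api/backends.py checks the iss claim by exact membership in this list, a scheme, host or trailing-slash difference from what an issuer actually emits is rejected; a comment such as `# Exact-match list: each entry must equal the iss claim the issuer emits` above the setting would record that for the next person editing it.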
diff --git a/gracedb/api/backends.py b/gracedb/api/backends.py
index 22d45a53f..7fd288dd6 100644
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -71,6 +71,16 @@ class GraceDbBasicAuthentication(authentication.BasicAuthentication):
 
 class GraceDbSciTokenAuthentication(authentication.BasicAuthentication):
 
+    class MultiIssuerEnforcer(scitokens.Enforcer):
+        def __init__(self, issuer, **kwargs):
+            if not isinstance(issuer, (tuple, list)):
+                issuer = [issuer]
+            super().__init__(issuer, **kwargs)
+
+        def _validate_iss(self, value):
+            return value in self._issuer
+
+
     def authenticate(self, request, public_key=None):
         # Get token from header
         try:
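Review bot: MultiIssuerEnforcer overrides `_validate_iss`, a leading-underscore hook of `scitokens.Enforcer`, without any docstring saying so, and the `__init__` wrapping of a bare string into a list is the only thing that keeps `value in self._issuer` an exact-match membership test rather than a substring match on a string (as far as I recall the library stores the argument on `self._issuer` unchanged). A docstring on the nested class along the lines of `Enforcer that accepts any issuer in a list; overrides the private scitokens hook _validate_iss, so re-check this against the library when upgrading` plus a one-line comment on the wrapping would make both points explicit; if a future library release renames the hook, the inherited comparison of a list against the iss string would fail closed, which is an outage rather than a bypass, but still worth a test pinning the two-issuer case. The `isinstance(issuer, (tuple, list))` check wraps any other iterable, for example a set, into a one-element list that can never match; `if isinstance(issuer, str): issuer = [issuer]` followed by `super().__init__(list(issuer), **kwargs)` normalises every shape safely. Two blank lines separate the nested class from `authenticate`; one is the convention inside a class body, and `authenticate` itself continues past the end of this hunk.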
@@ -93,7 +103,7 @@ class GraceDbSciTokenAuthentication(authentication.BasicAuthentication):
             return None
 
         # Enforce scitoken logic
-        enforcer = scitokens.Enforcer(
+        enforcer = self.MultiIssuerEnforcer(
             settings.SCITOKEN_ISSUER,
             audience = settings.SCITOKEN_AUDIENCE,
         )
diff --git a/gracedb/api/tests/test_backends.py b/gracedb/api/tests/test_backends.py
index 59071c267..fd9fa5a5f 100644
--- a/gracedb/api/tests/test_backends.py
+++ b/gracedb/api/tests/test_backends.py
@@ -145,7 +145,7 @@ class TestGraceDbBasicAuthentication(GraceDbApiTestBase):
 class TestGraceDbSciTokenAuthentication(GraceDbTestBase):
     """Test SciToken auth backend for API"""
 
-    TEST_ISSUER = "local"
+    TEST_ISSUER = ['local', 'local2']
     TEST_AUDIENCE = ["TEST"]
     TEST_SCOPE = "gracedb.read"
 
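Review bot: The only change here is TEST_ISSUER becoming a two-element list, and whether the token-building code in this class (outside the hunk) uses TEST_ISSUER directly as the iss claim is not visible; if it does, the claim becomes a JSON list and the new membership check in the backend would reject every test token, so it presumably now needs to pick one entry. The multi-issuer behaviour deserves explicit cases rather than riding on the fixture value: a token from 'local2' is accepted, a token from an issuer not in the list is rejected, and a plain-string TEST_ISSUER still works through the wrapping in MultiIssuerEnforcer.__init__. Without the rejection case, a regression that accepts any issuer would pass this suite unnoticed.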
-- 
GitLab