LDBDWAuth: support multiple scitoken issuers

and add igwn-test and CIT local issuer to list of supported issuers

LDBDWAuth: support multiple scitoken issuers
0b7d7070 · Duncan Macleod · 2f449cef · 0b7d7070 · 0b7d7070
Unverified Commit 0b7d7070 authored 1 year ago by Duncan Macleod
--- a/src/Constants.py
+++ b/src/Constants.py
@@ -65,7 +65,11 @@ class ConstantsHandle():
    ########################
    # SciTokens constants #
    ######################
-    scitokens_issuer = 'https://cilogon.org/igwn'
+    scitokens_issuer = [
+        'https://cilogon.org/igwn',
+        'https://test.cilogon.org/igwn',
+        'https://osdf.igwn.org/cit',
+    ]
    scitokens_audience = 'https://segments.ligo.org'
    scitokens_cache_dir = '/var/cache/httpd'


--- a/src/LDBDWAuth.py
+++ b/src/LDBDWAuth.py
@@ -219,12 +219,23 @@ class GridmapAuthorization:
        # Return.
        return r

+
+class MultiIssuerEnforcer(scitokens.Enforcer):
+    def __init__(self, issuer, **kwargs):
+        if not isinstance(issuer, (tuple, list)):
+            issuer = [issuer]
+        super().__init__(issuer, **kwargs)
+
+    def _validate_iss(self, value):
+        return value in self._issuer
+
+
 class SciTokensAuthorization():
    def __init__(self):
        self.admin = Admin.AdminHandle()
        self.constant = Constants.ConstantsHandle()
        os.environ['XDG_CACHE_HOME'] = self.constant.scitokens_cache_dir
-        self.token_enforcer = scitokens.Enforcer(self.constant.scitokens_issuer, audience=self.constant.scitokens_audience)
+        self.token_enforcer = MultiIssuerEnforcer(self.constant.scitokens_issuer, audience=self.constant.scitokens_audience)

    def check_authorization_scitoken(self, environ, req_method, full_uri, authorise):
        """Check authorization with a Bearer token.