diff --git a/auth-api/src/auth_api/services/gcp_queue/gcp_auth.py b/auth-api/src/auth_api/services/gcp_queue/gcp_auth.py
deleted file mode 100644
index 30caab28c..000000000
--- a/auth-api/src/auth_api/services/gcp_queue/gcp_auth.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# pylint: skip-file
-# flake8: noqa
-# This will get moved to an external library, which is linted by black (different than our rules)
-"""Move this to external library."""
-import functools
-from http import HTTPStatus
-
-import google.oauth2.id_token as id_token
-from cachecontrol import CacheControl
-from flask import abort, current_app, request
-from google.auth.transport.requests import Request
-from requests.sessions import Session
-
-
-def verify_jwt(session):
- """Check token is valid with the correct audience and email claims for configured email address."""
- try:
- jwt_token = request.headers.get("Authorization", "").split()[1]
- claims = id_token.verify_oauth2_token(
- jwt_token, Request(session=session), audience=current_app.config.get("AUTH_AUDIENCE_SUB")
- )
- required_emails = current_app.config.get("VERIFY_PUBSUB_EMAILS")
- if claims.get("email_verified") and claims.get("email") in required_emails:
- return None
- else:
- return "Email not verified or does not match", 401
- except Exception as e:
- return f"Invalid token: {e}", 400
-
-
-def ensure_authorized_queue_user(f):
- """Ensures the user is authorized to use the queue."""
-
- @functools.wraps(f)
- def decorated_function(*args, **kwargs):
- # Use CacheControl to avoid re-fetching certificates for every request.
- if verify_jwt(CacheControl(Session())):
- abort(HTTPStatus.UNAUTHORIZED)
- return f(*args, **kwargs)
-
- return decorated_function
diff --git a/queue_services/account-mailer/devops/vaults.gcp.env b/queue_services/account-mailer/devops/vaults.gcp.env
index a7fb4e246..5d8fb0d9a 100644
--- a/queue_services/account-mailer/devops/vaults.gcp.env
+++ b/queue_services/account-mailer/devops/vaults.gcp.env
@@ -16,8 +16,6 @@ NOTIFY_API_VERSION="op://API/$APP_ENV/notify-api/NOTIFY_API_VERSION"
 REPORT_API_URL="op://API/$APP_ENV/report-api/REPORT_API_URL"
 REPORT_API_VERSION="op://API/$APP_ENV/report-api/REPORT_API_VERSION"
 VPC_CONNECTOR="op://CD/$APP_ENV/account-mailer/VPC_CONNECTOR"
-ACCOUNT_MAILER_AUDIENCE_SUB="op://gcp-queue/$APP_ENV/authpay/ACCOUNT_MAILER_AUDIENCE_SUB"
-AUTHPAY_SERVICE_ACCOUNT="op://gcp-queue/$APP_ENV/gtksf3/AUTHPAY_SERVICE_ACCOUNT"
 MINIO_ENDPOINT="op://minio/$APP_ENV/base/MINIO_ENDPOINT"
 MINIO_ACCESS_KEY="op://minio/$APP_ENV/base/MINIO_ACCESS_KEY"
 MINIO_ACCESS_SECRET="op://minio/$APP_ENV/base/MINIO_ACCESS_SECRET"
diff --git a/queue_services/account-mailer/src/account_mailer/config.py b/queue_services/account-mailer/src/account_mailer/config.py
index 59b94da2f..d418e07d2 100644
--- a/queue_services/account-mailer/src/account_mailer/config.py
+++ b/queue_services/account-mailer/src/account_mailer/config.py
@@ -102,11 +102,6 @@ class _Config(): # pylint: disable=too-few-public-methods
 REPORT_API_URL = REPORT_API_URL + REPORT_API_VERSION
 REPORT_API_BASE_URL = f'{REPORT_API_URL}/reports'
- # PUB/SUB - SUB: account-mailer-dev
- # If blank in PUB/SUB, this should match the https endpoint the subscription is pushing to.
- AUTH_AUDIENCE_SUB = os.getenv('ACCOUNT_MAILER_AUDIENCE_SUB')
- VERIFY_PUBSUB_EMAILS = os.getenv('AUTHPAY_SERVICE_ACCOUNT', 'email1,email2').split(',')
-
 # Minio configuration values
 MINIO_ENDPOINT = os.getenv('MINIO_ENDPOINT')
 MINIO_ACCESS_KEY = os.getenv('MINIO_ACCESS_KEY')
diff --git a/queue_services/account-mailer/src/account_mailer/resources/worker.py b/queue_services/account-mailer/src/account_mailer/resources/worker.py
index b944c1d5f..f838424cf 100644
--- a/queue_services/account-mailer/src/account_mailer/resources/worker.py
+++ b/queue_services/account-mailer/src/account_mailer/resources/worker.py
@@ -20,7 +20,6 @@
 from auth_api.models import db
 from auth_api.models.pubsub_message_processing import PubSubMessageProcessing
 from auth_api.services.gcp_queue import queue
-from auth_api.services.gcp_queue.gcp_auth import ensure_authorized_queue_user
 from auth_api.services.rest_service import RestService
 from auth_api.utils.roles import ADMIN, COORDINATOR
 from flask import Blueprint, request
@@ -42,7 +42,6 @@
 @bp.route('/', methods=('POST',))
-@ensure_authorized_queue_user
 def worker():
 """Worker to handle incoming queue pushes."""
 if not (event_message := queue.get_simple_cloud_event(request, wrapped=True)):
diff --git a/queue_services/auth-queue/devops/vaults.gcp.env b/queue_services/auth-queue/devops/vaults.gcp.env
index ec6777ca3..8bfb7b4fe 100644
--- a/queue_services/auth-queue/devops/vaults.gcp.env
+++ b/queue_services/auth-queue/devops/vaults.gcp.env
@@ -12,6 +12,4 @@ JWT_OIDC_ISSUER="op://keycloak/$APP_ENV/jwt-base/JWT_OIDC_ISSUER"
 SBC_AUTH_ADMIN_CLIENT_ID="op://keycloak/$APP_ENV/sbc-auth-admin/SBC_AUTH_ADMIN_CLIENT_ID"
 SBC_AUTH_ADMIN_CLIENT_SECRET="op://keycloak/$APP_ENV/sbc-auth-admin/SBC_AUTH_ADMIN_CLIENT_SECRET"
 BUSINESS_SERVICE_ACCOUNT="op://gcp-queue/$APP_ENV/a083gt/BUSINESS_SERVICE_ACCOUNT"
-AUTHPAY_SERVICE_ACCOUNT="op://gcp-queue/$APP_ENV/gtksf3/AUTHPAY_SERVICE_ACCOUNT"
 VPC_CONNECTOR="op://CD/$APP_ENV/auth-queue/VPC_CONNECTOR"
-AUTH_QUEUE_AUDIENCE_SUB="op://gcp-queue/$APP_ENV/authpay/AUTH_QUEUE_AUDIENCE_SUB"
diff --git a/queue_services/auth-queue/src/auth_queue/config.py b/queue_services/auth-queue/src/auth_queue/config.py
index f9fab2fa6..907671780 100644
--- a/queue_services/auth-queue/src/auth_queue/config.py
+++ b/queue_services/auth-queue/src/auth_queue/config.py
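Review bot: Removing `@ensure_authorized_queue_user` from the `POST /` route of `worker()` leaves no check in the new code that the request is a push from the expected Pub/Sub subscription; the OIDC audience and service-account e-mail verification that decorator performed is deleted in this same commit (gcp_auth.py) with no replacement visible anywhere in the diff. Unless authentication is enforced in front of this endpoint at the deployment layer, any client that can reach it and send a parseable cloud event gets its message processed, so either the guard should stay or the route should document where the check now lives, e.g. `# Push auth for this route is enforced by the platform in front of the service, not in application code.` The same decorator removal appears in auth-queue's worker.py (its `@@ -41,7 +40,6 @@` hunk) and the same note applies there. The body of `worker()` continues past the end of the hunk.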
@@ -79,9 +79,7 @@ class _Config: # pylint: disable=too-few-public-methods
 # PUB/SUB - PUB: account-mailer-dev, SUB: auth-event-dev and namex-nr-state-dev
 ACCOUNT_MAILER_TOPIC = os.getenv('ACCOUNT_MAILER_TOPIC', 'account-mailer-dev')
 # If blank in PUB/SUB, this should match the https endpoint the subscription is pushing to.
- AUTH_AUDIENCE_SUB = os.getenv('AUTH_QUEUE_AUDIENCE_SUB')
 GCP_AUTH_KEY = os.getenv('AUTHPAY_GCP_AUTH_KEY', None)
- VERIFY_PUBSUB_EMAILS = f'{os.getenv("AUTHPAY_SERVICE_ACCOUNT")},{os.getenv("BUSINESS_SERVICE_ACCOUNT")}'.split(',') # noqa: E231, E501
 PAY_API_URL = os.getenv('PAY_API_URL') + os.getenv('PAY_API_VERSION')
diff --git a/queue_services/auth-queue/src/auth_queue/resources/worker.py b/queue_services/auth-queue/src/auth_queue/resources/worker.py
index fea9b37ca..18dbab18a 100644
--- a/queue_services/auth-queue/src/auth_queue/resources/worker.py
+++ b/queue_services/auth-queue/src/auth_queue/resources/worker.py
@@ -24,7 +24,6 @@
 from auth_api.models import db
 from auth_api.models.pubsub_message_processing import PubSubMessageProcessing
 from auth_api.services.gcp_queue import queue
-from auth_api.services.gcp_queue.gcp_auth import ensure_authorized_queue_user
 from auth_api.services.rest_service import RestService
 from auth_api.utils.account_mailer import publish_to_mailer
 from auth_api.utils.enums import AccessType, ActivityAction, CorpType, OrgStatus, QueueSources
@@ -41,7 +40,6 @@
 @bp.route('/', methods=('POST',))
-@ensure_authorized_queue_user
 def worker():
 """Worker to handle incoming queue pushes."""
 if not (event_message := queue.get_simple_cloud_event(request, wrapped=True)):
diff --git a/queue_services/auth-queue/tests/conftest.py b/queue_services/auth-queue/tests/conftest.py
index 891733a5a..92092f2ba 100644
--- a/queue_services/auth-queue/tests/conftest.py
+++ b/queue_services/auth-queue/tests/conftest.py
@@ -146,12 +146,6 @@ def restart_savepoint(sess2, trans): # pylint: disable=unused-variable
 conn.close()
-@pytest.fixture(autouse=True)
-def mock_queue_auth(mocker):
- """Mock queue authorization."""
- mocker.patch('auth_api.services.gcp_queue.gcp_auth.verify_jwt', return_value='')
-
-
 @pytest.fixture(autouse=True)
 def mock_pub_sub_call(mocker):
 """Mock pub sub call."""