This is the web application for Open Science Pool token registration.

The web app is a Flask app. The core app is created in an "application factory" in `registry/app.py`, and it hooks together blueprints found in some of the subdirectories of `registry/`.
Blueprints:

- `index` - landing page, "about" page, etc.
- `account` - handles user accounts. We don't quite have registration because we use CILogon, but this is where you can go to see (for example) your contact email.
- `signup` - handles forms for users to register themselves and their resources.
- `connect` - provides instructions for users to install and connect their resources.
- `token` - handles the server side of the token workflow when connecting a new data source.
Each blueprint has its own `static` and `templates` directories, and there are also "global" `static` and `templates` directories that sit next to `app.py`. These directories are for:

- `static` - for static assets like `.css` files, images, etc.
- `templates` - for Jinja HTML templates.
This repository also includes `register.py`, the client-side script for getting a token for a new data source. It's stored here because it talks to the `token` blueprint, and therefore needs to stay in sync with it.
To run the registration server locally, build and run the testing container image:

- Build the container image:

  ```
  docker build -t os-registry-test -f Dockerfile.testing .
  ```

- Copy the example configuration required by the registry server:

  ```
  cp examples/config.py examples/humans.ini .
  ```

- Start the local registry:

  ```
  docker run --rm --name my-registry -it -v ${PWD}:/srv -p 8443:443 os-registry-test
  ```

- Access the local registry in your browser at https://localhost:8443

- For a login shell to the registry, run the following:

  ```
  docker exec -it my-registry /bin/bash
  ```

Helpful log files can be found in `/var/log/httpd/` and `/var/log/condor/registration.log`.

Note that changes to files copied into the container image (e.g. `COPY` lines in `Dockerfile.testing`) will require a rebuild of the container image.
Clone the repository to wherever you would like to serve the application from (e.g., `/var/www/registration`).
Example/template Apache configuration:

```
<VirtualHost *:443>
    ServerName htpheno-cm.chtc.wisc.edu
    ServerAdmin htcondor-inf@cs.wisc.edu

    # This is the OIDC callback path
    <Location "/callback">
        <RequireAny>
            Require valid-user
        </RequireAny>
        AuthType openid-connect
    </Location>

    ## Logging
    ErrorLog "/var/log/httpd/local_default_ssl_error_ssl.log"
    LogLevel info
    ServerSignature Off
    CustomLog "/var/log/httpd/local_default_ssl_access_ssl.log" combined

    ## SSL directives
    SSLEngine on
    SSLCertificateFile "/var/www/hostcert.pem"
    SSLCertificateKeyFile "/var/www/hostkey.pem"
    SSLCertificateChainFile "/var/www/hostcert.pem"

    ## WSGI configuration
    WSGIDaemonProcess Registration display-name=Registration group=condor processes=2 threads=25 user=condor
    WSGIProcessGroup Registration
    WSGIScriptAlias / "/var/www/registration/wsgi.py"

    ## OIDC configuration
    OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
    OIDCClientID cilogon:/client_id/<secret>
    OIDCClientSecret <secret>
    OIDCRedirectURI https://htpheno-cm.chtc.wisc.edu/callback
    # Used to encrypt the session cookie and the local cache.
    OIDCCryptoPassphrase <secret>
    # Control the information in the returned token.
    OIDCScope "openid email org.cilogon.userinfo"
    # The value of this claim is used as the username in the environment
    # variables provided to WSGI.
    OIDCRemoteUserClaim eppn
</VirtualHost>
```
By default we "protect" everything under `/` with OIDC. Some pages should be "public", i.e., unprotected (right now, these are the "index" and "about" pages, and anything under `/static`, so that static assets can always be served). This is managed by Apache, not the webapp. Example configuration below:

```
<Location "/">
    <RequireAny>
        Require valid-user
    </RequireAny>
    AuthType openid-connect
</Location>

<LocationMatch "^/$">
    <RequireAny>
        Require all granted
    </RequireAny>
    AuthType none
</LocationMatch>

<Location "/about">
    <RequireAny>
        Require all granted
    </RequireAny>
    AuthType none
</Location>

<Location "/static">
    <RequireAny>
        Require all granted
    </RequireAny>
    AuthType none
</Location>
```
Configuration options will be read out of a file named `config.py`, placed at the root of the repository, next to this `README.md`. The file should contain global variables with names matching the configuration options described below, like

```python
USER_ID_ENV_VAR = "REMOTE_USER"
```
These configuration options must be set. They do not have defaults.

- `COLLECTOR` - The Open Science Pool collector hostname.
- `SERVER_NAME` - The hostname of the host server.
- `OIDC_REDIRECT_URI` - The URI for the OIDC redirect.
- `USER_ID_ENV_VAR` - The request environment variable that holds the user's identity.
- `HUMANS_FILE` - The path to the file that contains information on humans.
- `ADMIN_EMAILS` - The email addresses that will receive mail when users sign up, like `ADMIN_EMAILS = "Foo Bar <foobar@university.edu>, Wiz Bang <wizbang@organization.org>"`.
- `SUPPORT_EMAIL` - The email address to display for users to send support questions to.
- `CONDOR_TOKEN_REQUEST_LIST` - The path to the `condor_token_request_list` executable. By default, discover it on `$PATH`.
- `CONDOR_TOKEN_REQUEST_APPROVE` - The path to the `condor_token_request_approve` executable. By default, discover it on `$PATH`.
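As an added example (not the registry's own code), here is a stdlib-only WSGI app that consumes the identity the Apache OIDC layer places in the request environment, applying the same public-path allowlist as the Apache configuration above and failing closed when the identity is absent. `REMOTE_USER` as the value of `USER_ID_ENV_VAR`, the `handle` helper and the response bodies are assumptions.

```python
import re
from typing import Callable, Iterable, Optional

# Same option name the README's example config.py uses (assumed value).
USER_ID_ENV_VAR = "REMOTE_USER"

# Mirrors the Apache blocks above that use "Require all granted".
PUBLIC_PATTERNS = [re.compile(r"^/$"), re.compile(r"^/about$"),
                   re.compile(r"^/static(/|$)")]


def is_public(path: str) -> bool:
    """True for paths Apache serves without OIDC authentication."""
    return any(p.match(path) for p in PUBLIC_PATTERNS)


def identity_from_environ(environ: dict, var_name: str = USER_ID_ENV_VAR) -> Optional[str]:
    """Return the server-set user id, or None if Apache did not provide one.

    Only the CGI-style variable is consulted. A client-supplied header
    "Remote-User" arrives as environ["HTTP_REMOTE_USER"], so it cannot
    impersonate the value mod_auth_openidc writes to REMOTE_USER.
    """
    return environ.get(var_name) or None


def application(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Minimal WSGI app: public paths pass, everything else needs an identity."""
    path = environ.get("PATH_INFO", "/")
    if is_public(path):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"public page"]
    user = identity_from_environ(environ)
    if user is None:
        # Fail closed rather than trust that the proxy in front is configured.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no authenticated identity in request environment"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]


def handle(path: str, extra_environ: Optional[dict] = None) -> tuple:
    """Invoke the app once with a constructed environ; return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET", **(extra_environ or {})}
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(application(environ, start_response))
    return captured["status"], body
```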