Protect jupyterhub behind twitcher authentication (#358)

## Overview

Sets magpie cookies whenever a user logs in or out through jupyterhub so
that they are automatically logged in or out through magpie as well.
Ensures that the user has permission to access jupyterhub according to
magpie when logging in.

## Changes

**Non-breaking changes**
- adds jupyterhub as a provider in magpie so that admin users can set
api permissions in magpie for jupyterhub

**Breaking changes**

## Related Issue / Discussion

- implements step 1 from this comment:
#334 (comment)

## Additional Information

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.35.2
+current_version = 1.36.0
 commit = True
 tag = False
 tag_name = {new_version}
@@ -30,11 +30,11 @@ search = {current_version}
 replace = {new_version}
 
 [bumpversion:file:RELEASE.txt]
-search = {current_version} 2023-10-24T21:05:12Z
+search = {current_version} 2023-10-31T17:20:38Z
 replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ}
 
 [bumpversion:part:releaseTime]
-values = 2023-10-24T21:05:12Z
+values = 2023-10-31T17:20:38Z
 
 [bumpversion:file(version):birdhouse/config/canarie-api/docker_configuration.py.template]
 search = 'version': '{current_version}'

CHANGES.md

@@ -17,6 +17,17 @@
 
 [//]: # (list changes here, using '-' for each new entry, remove this when items are added)
 
+[1.36.0](https://github.com/bird-house/birdhouse-deploy/tree/1.36.0) (2023-10-31)
+------------------------------------------------------------------------------------------------------------------
+
+## Changes
+
+- Protect jupyterhub behind twitcher authentication
+
+  - Sets magpie cookies whenever a user logs in or out through jupyterhub so that they are automatically logged in 
+    or out through magpie as well.
+  - Ensures that the user has permission to access jupyterhub according to magpie when logging in.
+
 [1.35.2](https://github.com/bird-house/birdhouse-deploy/tree/1.35.2) (2023-10-24)
 ------------------------------------------------------------------------------------------------------------------
 
@@ -125,7 +136,6 @@
 ------------------------------------------------------------------------------------------------------------------
 
 ## Changes
-
 - Add public WPS outputs directory to Cowbird and add corresponding volume mount to JupyterHub.
 - Update `cowbird` service from [1.2.0](https://github.com/Ouranosinc/cowbird/tree/1.2.0)
   to [2.1.0](https://github.com/Ouranosinc/cowbird/tree/2.1.0).

Makefile

@@ -1,7 +1,7 @@
 # Generic variables
 override SHELL       := bash
 override APP_NAME    := birdhouse-deploy
-override APP_VERSION := 1.35.2
+override APP_VERSION := 1.36.0
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")

README.rst

@@ -14,13 +14,13 @@ for a full-fledged production platform.
     * - releases
       - | |latest-version| |commits-since|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.35.2.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/1.36.0.svg
     :alt: Commits since latest release
-    :target: https://github.com/bird-house/birdhouse-deploy/compare/1.35.2...master
+    :target: https://github.com/bird-house/birdhouse-deploy/compare/1.36.0...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-1.35.2-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-1.36.0-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/bird-house/birdhouse-deploy/tree/1.35.2
+    :target: https://github.com/bird-house/birdhouse-deploy/tree/1.36.0
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
     :alt: ReadTheDocs Build Status (latest version)

RELEASE.txt

@@ -1 +1 @@
-1.35.2 2023-10-24T21:05:12Z
+1.36.0 2023-10-31T17:20:38Z

birdhouse/config/canarie-api/docker_configuration.py.template

@@ -109,8 +109,8 @@ SERVICES = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '1.35.2',
-            'releaseTime': '2023-10-24T21:05:12Z',
+            'version': '1.36.0',
+            'releaseTime': '2023-10-31T17:20:38Z',
             'institution': 'Ouranos',
             'researchSubject': 'Climatology',
             'supportEmail': '${SUPPORT_EMAIL}',
@@ -142,8 +142,8 @@ PLATFORMS = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '1.35.2',
-            'releaseTime': '2023-10-24T21:05:12Z',
+            'version': '1.36.0',
+            'releaseTime': '2023-10-31T17:20:38Z',
             'institution': 'Ouranos',
             'researchSubject': 'Climatology',
             'supportEmail': '${SUPPORT_EMAIL}',

birdhouse/config/jupyterhub/.gitignore

@@ -2,6 +2,7 @@ custom_templates/login.html
 jupyterhub_config.py
 config/proxy/conf.extra-service.d/jupyterhub.conf
 config/canarie-api/canarie_api_monitoring.py
+config/magpie/providers.cfg
 service-config.json
 
 # Old paths. Keep these so that old config files remain uncommittable after updates.

birdhouse/config/jupyterhub/config/magpie/docker-compose-extra.yml

@@ -0,0 +1,5 @@
+version: "3.4"
+services:
+  magpie:
+    volumes:
+    - ./config/jupyterhub/config/magpie/providers.cfg:${MAGPIE_PROVIDERS_CONFIG_PATH}/jupyter.cfg:ro

birdhouse/config/jupyterhub/config/magpie/providers.cfg.template

@@ -0,0 +1,10 @@
+providers:
+  jupyterhub:
+    # below URL is only used to fill in the required location in Magpie
+    # actual auth validation is performed with Twitcher 'verify' endpoint without accessing this proxied URL
+    url: http://proxy:80
+    title: Jupyter
+    public: true
+    c4i: false
+    type: api
+    sync_type: api

birdhouse/config/jupyterhub/default.env

@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 export JUPYTERHUB_DOCKER=pavics/jupyterhub
-export JUPYTERHUB_VERSION=4.0.2-20230816
+export JUPYTERHUB_VERSION=4.0.2-20231002
 
 # Jupyter single-user server images, can be overriden in env.local to have a space separated list of multiple images
 export DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:230601"
@@ -59,6 +59,11 @@ export JUPYTER_IDLE_KERNEL_CULL_INTERVAL=0
 # config/jupyterhub/jupyterhub_config.py.template.
 export JUPYTERHUB_CONFIG_OVERRIDE=""
 
+# URL used to verify that a logged in user has permission to access Jupyterhub
+# To disable this feature, unset this variable. However, disabling this feature is NOT
+# recommended as it may permit unauthorized users from accessing jupyterhub.
+export JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL='http://twitcher:8000/ows/verify/jupyterhub'
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   JUPYTERHUB_USER_DATA_DIR
@@ -80,6 +85,7 @@ OPTIONAL_VARS="
   \$JUPYTERHUB_CONFIG_OVERRIDE
   \$JUPYTERHUB_DOCKER
   \$JUPYTERHUB_VERSION
+  \$JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL
   \$JUPYTER_IDLE_SERVER_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_TIMEOUT
   \$JUPYTER_IDLE_KERNEL_CULL_INTERVAL

birdhouse/config/jupyterhub/jupyterhub_config.py.template

@@ -16,6 +16,8 @@ c.JupyterHub.hub_ip = 'jupyterhub'
 
 c.JupyterHub.authenticator_class = 'jupyterhub_magpie_authenticator.MagpieAuthenticator'
 c.MagpieAuthenticator.magpie_url = "http://magpie:2001"
+c.MagpieAuthenticator.public_fqdn = "${PAVICS_FQDN_PUBLIC}"
+c.MagpieAuthenticator.authorization_url = "${JUPYTERHUB_AUTHENTICATOR_AUTHORIZATION_URL}"
 
 c.JupyterHub.cookie_secret_file = '/persist/jupyterhub_cookie_secret'
 c.JupyterHub.db_url = '/persist/jupyterhub.sqlite'

birdhouse/optional-components/all-public-access/config/jupyterhub/docker-compose-extra.yml

@@ -0,0 +1,5 @@
+version: "3.4"
+services:
+  magpie:
+    volumes:
+      - ./optional-components/all-public-access/config/jupyterhub/permissions.cfg:${MAGPIE_PERMISSIONS_CONFIG_PATH}/all-public-access-jupyterhub-permissions.cfg:ro

birdhouse/optional-components/all-public-access/config/jupyterhub/permissions.cfg

@@ -0,0 +1,9 @@
+permissions:
+  - service: jupyterhub
+    permission: read
+    group: anonymous
+    action: create
+  - service: jupyterhub
+    permission: write
+    group: anonymous
+    action: create

docs/source/conf.py

@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '1.35.2'
+version = '1.36.0'
 # The full version, including alpha/beta/rc tags.
-release = '1.35.2'
+release = '1.36.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

tests/test_read_configs_include.py

@@ -209,6 +209,7 @@ class TestCreateComposeConfList:
         "./config/twitcher/config/proxy/docker-compose-extra.yml",
         "./config/jupyterhub/docker-compose-extra.yml",
         "./config/jupyterhub/config/canarie-api/docker-compose-extra.yml",
+        "./config/jupyterhub/config/magpie/docker-compose-extra.yml",
         "./config/jupyterhub/config/proxy/docker-compose-extra.yml",
     ]