Handle Malformed Tokens

[pattisdr]

Fixes #1542

Code Changes

• remove unused ctl/deps.py in favor of identical code in ops/util/oauth_util.py
• Added logic to handle malformed tokens in verify_oauth_client

Steps to Confirm

• Bad token steps outlined in this separate issue Unable to logout from Admin UI with an expired/invalid token fidesops#1257

Pre-Merge Checklist

• All CI Pipelines Succeeded
• Documentation Updated:
  • documentation complete, or draft/outline provided (tag docs-team to complete/review on this branch)
  • documentation issue created (tag docs-team to complete issue separately)
• Issue Requirements are Met
• Relevant Follow-Up Issues Created
• Update CHANGELOG.md

Description Of Changes

It still sounds like we're having issues with bad API tokens. fideslib has handling for this but its method is not usable as-is.

I ended up copying over the same logic introduced in fideslib ethyca/fideslib#71 instead of using the verify_oauth_client method in fideslib since we can't use it without modification. It is missing some root client handling logic.

---

My original fix was trying to import and override the correct verify_oauth_client function in fideslib (because there are two of them) and we were overriding the wrong one, not taking advantage of new fideslib logic.

fideslib.oauth.api.deps.verify_oauth_client takes the Config and passes it to fideslib.oauth.oauth_util.verify_oauth_client.

However on closer inspection, it looks like fideslib doesn't have a way to receive root client scopes out of the box, so we'd have to update fideslib to be able to use its verify_oauth_client method. As of now, I don't think anyone has ever been using the fideslib verify_oauth_client. I thought we were in fidesops but it looks like we never sorted that out.

[NevilleS]

I tried testing this out with the following:

1. Checkout your branch
2. nox -s test_env

During the setup of that test environment, it runs a script that attempts to authenticate an oauth client and it fails:

nox > Running example setup scripts for DSR Automation tests... (scripts/load_examples.py)
nox > docker compose run --no-deps --rm -e FIDES__CLI__ANALYTICS_ID --user=root fides python /fides/scripts/load_examples.py
WARN[0000] Found orphan containers ([fides-postgres-test-1 fides-mongodb-test-1 fides-mysql-test-1 fides-sqlserver-test-1]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up. 
Generating example data for local Fides test environment...
INFO:setup.authentication:Completed fides oauth login via http://fides:8080/api/v1/oauth/token
Traceback (most recent call last):
  File "/fides/scripts/load_examples.py", line 32, in <module>
    auth_header = get_auth_header()
  File "/fides/scripts/setup/authentication.py", line 82, in get_auth_header
    client_id, client_secret = create_oauth_client(auth_token=root_token)
  File "/fides/scripts/setup/authentication.py", line 63, in create_oauth_client
    raise RuntimeError(
RuntimeError: fides oauth client creation failed! response.status_code=403, response.json()={'detail': 'Not Authorized for this action'}
nox > Command docker compose run --no-deps --rm -e FIDES__CLI__ANALYTICS_ID --user=root fides python /fides/scripts/load_examples.py failed with exit code 1

That used to work, which makes me think there's something not quite right with the oauth verification here. The server logs aren't very helpful:

2022-10-24 01:35:21.983 [INFO] (main:log_request:270): Request received | {'method': 'POST', 'status_code': 403, 'handler_time': '3.3240000000000003ms', 'path': '/api/v1/oauth/client'}

Sorry, not sure what more to poke at to help troubleshoot...

[pattisdr]

Thank you for testing @NevilleS I'll just work on getting unified fides setup this morning and sort it out!

[pattisdr]

OK we didn't have a unit test for the scenario @NevilleS pointed out - which is a "root client" trying to create another client. This highlights that we can't use the fideslib version of verify_oauth_client as-is.

We'd need to update the fideslib version to be able to pass in the scope registry to use as the root client's scopes where applicable. So after refreshing my memory https://github.com/ethyca/fidesops/pull/830/files#r916919886 it looks like no one was ever using the fideslib version of verify_oauth_client to begin with.

My vote is to add the proper logic to fides then and scrap trying to use the fideslib version altogether.

[ThomasLaPiana]

Great catch and nice fix here! LGTM 😃

Test env works for me locally

[pattisdr]

Thanks for your review @ThomasLaPiana!