Fix Authentication with JupyterHub

jwindgassen · jwindgassen · commit 0d4e701f815c · 2024-12-06T13:45:00.000+01:00
diff --git a/jupyter_server_proxy/standalone/__init__.py b/jupyter_server_proxy/standalone/__init__.py
@@ -4,32 +4,32 @@
 
 from tornado import ioloop
 from tornado.httpserver import HTTPServer
-from tornado.log import app_log
+from tornado.log import app_log as log
 
 from .activity import start_activity_update
 from .proxy import configure_http_client, get_port_from_env, get_ssl_options, make_app
 
 
 def run(
-    command: list[str],
-    port=None,
-    destport=0,
-    ip="localhost",
-    debug=False,
-    logs=True,
-    authtype="oauth",
-    timeout=60,
-    activity_interval=300,
-    progressive=False,
-    websocket_max_message_size=0,
+    command,
+    port,
+    destport,
+    ip,
+    debug,
+    logs,
+    overwrite_authentication,
+    timeout,
+    activity_interval,
+    progressive,
+    websocket_max_message_size,
 ):
     if port is None:
         get_port_from_env()
 
     if debug:
-        app_log.setLevel(logging.DEBUG)
+        log.setLevel(logging.DEBUG)
     elif logs:
-        app_log.setLevel(logging.INFO)
+        log.setLevel(logging.INFO)
 
     prefix = os.environ.get("JUPYTERHUB_SERVICE_PREFIX", "/")
 
@@ -42,7 +42,7 @@ def run(
         destport,
         prefix,
         list(command),
-        authtype,
+        overwrite_authentication,
         timeout,
         debug,
         logs,
@@ -56,12 +56,11 @@ def run(
 
     http_server.listen(port or get_port_from_env(), ip)
 
-    print(
-        f"Starting jhsingle-native-proxy server on address {ip} port {port}, proxying to port {destport}"
+    log.info(
+        f"Starting standaloneproxy on {ip}:{port}, server is started on Port {destport}"
     )
-    print(f"URL Prefix: {prefix}")
-    print(f"Auth Type: {authtype}")
-    print(f"Command: {command}")
+    log.info(f"URL Prefix: {prefix}")
+    log.info(f"Command: {command}")
 
     if activity_interval > 0:
         start_activity_update(activity_interval)
@@ -99,10 +98,9 @@ def main():
         help="Display logs generated by the subprocess.",
     )
     parser.add_argument(
-        "--authtype",
-        choices=["oauth", "none"],
-        default="oauth",
-        help="Authentication Metod.",
+        "--overwrite-authentication",
+        default=None,
+        help="Forcefully enable/disable authentication with JupyterHub.",
     )
     parser.add_argument(
         "--timeout",
@@ -133,6 +131,8 @@ def main():
     )
 
     args = parser.parse_args()
+    log.debug(args)
+
     run(**vars(args))
 
 
diff --git a/jupyter_server_proxy/standalone/proxy.py b/jupyter_server_proxy/standalone/proxy.py
@@ -3,13 +3,13 @@
 from urllib.parse import urlparse
 
 from jupyterhub import __version__ as __jh_version__
-from jupyterhub.services.auth import HubOAuthCallbackHandler
+from jupyterhub.services.auth import HubOAuthCallbackHandler, HubOAuthenticated
 from jupyterhub.utils import make_ssl_context
 from tornado import httpclient
-from tornado.web import Application, RedirectHandler, RequestHandler
+from tornado.web import Application, RedirectHandler
 from tornado.websocket import WebSocketHandler
 
-from ..handlers import SuperviseAndProxyHandler
+from ..handlers import ProxyHandler, SuperviseAndProxyHandler
 
 
 def configure_http_client():
@@ -24,19 +24,18 @@ def configure_http_client():
     httpclient.AsyncHTTPClient.configure(None, defaults={"ssl_options": ssl_context})
 
 
-class StandaloneHubProxyHandler(SuperviseAndProxyHandler):
+class StandaloneProxyHandler(SuperviseAndProxyHandler):
+    """
+    Base class for standalone proxies. Will not ensure any authentication!
+    """
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.authtype = "oauth"
         self.environment = {}
         self.timeout = 60
 
     def prepare(self, *args, **kwargs):
-        # ToDo: Automatically disable if not spawned by JupyterHub
-        if self.authtype == "oauth":
-            return super().prepare(*args, **kwargs)
-        else:
-            pass
+        pass
 
     def check_origin(self, origin: str = None):
         # Skip JupyterHandler.check_origin
@@ -49,38 +48,70 @@ def get_timeout(self):
         return self.timeout
 
 
-def _make_native_proxy_handler(command, port, mappath, authtype, environment, timeout):
+class StandaloneHubProxyHandler(StandaloneProxyHandler, HubOAuthenticated):
+    """
+    Standalone Proxy used when spawned by a JupyterHub.
+    Will restrict access to the application by authentication with the JupyterHub API.
+    """
+
+    @property
+    def hub_users(self):
+        return {self.settings["user"]}
+
+    @property
+    def hub_groups(self):
+        if self.settings["group"]:
+            return {self.settings["group"]}
+        return set()
+
+    @property
+    def allow_all(self):
+        if "anyone" in self.settings:
+            return self.settings["anyone"] == "1"
+        return super().allow_all
+
+    def prepare(self, *args, **kwargs):
+        # Enable Authentication Check
+        return ProxyHandler.prepare(self, *args, **kwargs)
+
+    def set_default_headers(self):
+        self.set_header("X-JupyterHub-Version", __jh_version__)
+
+
+def _make_native_proxy_handler(
+    command, port, mappath, overwrite_authentication, environment, timeout
+):
     """
     Create a StandaloneHubProxyHandler subclass with given parameters
     """
 
-    class _Proxy(StandaloneHubProxyHandler):
+    # Try to determine if we are launched by a JupyterHub via environment variables.
+    # See jupyterhub/spawner.py#L1035
+    if overwrite_authentication is not None:
+        base = (
+            StandaloneHubProxyHandler
+            if overwrite_authentication is True
+            else StandaloneProxyHandler
+        )
+    elif "JUPYTERHUB_API_TOKEN" in os.environ and "JUPYTERHUB_API_URL" in os.environ:
+        base = StandaloneHubProxyHandler
+    else:
+        base = StandaloneProxyHandler
+
+    class _Proxy(base):
         def __init__(self, *args, **kwargs):
             super().__init__(*args, **kwargs)
             self.name = command[0]
             self.proxy_base = command[0]
             self.requested_port = port
             self.mappath = mappath
             self.command = command
-            self.authtype = authtype
             self.environment = environment
             self.timeout = timeout
 
     return _Proxy
 
 
-def patch_default_headers():
-    if hasattr(RequestHandler, "_orig_set_default_headers"):
-        return
-    RequestHandler._orig_set_default_headers = RequestHandler.set_default_headers
-
-    def set_jupyterhub_header(self):
-        self._orig_set_default_headers()
-        self.set_header("X-JupyterHub-Version", __jh_version__)
-
-    RequestHandler.set_default_headers = set_jupyterhub_header
-
-
 def make_app(
     destport,
     prefix,
@@ -92,8 +123,6 @@ def make_app(
     progressive,
     websocket_max_message_size,
 ):
-    patch_default_headers()
-
     # ToDo: Environment
     proxy_handler = _make_native_proxy_handler(
         command, destport, {}, authtype, {}, timeout
