k8s-manifests/jupyter/base/values/values.yaml

hub:
  config:
    Authenticator:
      auto_login: true
      enable_auth_state: true
    JupyterHub:
      tornado_settings:
        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
  db:
    pvc:
      storageClassName: csi-sc-cinderplugin
  extraFiles:
    refresh-token.py: 
      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
      stringData: |
        """A token refresh service authenticating with the Hub.

        This service serves `/services/refresh-token/`,
        authenticated with the Hub,
        showing the user their own info.
        """
        import json
        import os
        from urllib.parse import urlparse

        from tornado.httpserver import HTTPServer
        from tornado.ioloop import IOLoop
        from tornado.web import Application, RequestHandler, authenticated

        from jupyterhub.services.auth import HubAuthenticated


        class RefreshHandler(HubAuthenticated, RequestHandler):
            @authenticated
            def get(self):
                user_model = self.get_current_user()
                self.set_header('content-type', 'application/json')
                self.write(json.dumps(user_model, indent=1, sort_keys=True))


        def main():
            app = Application(
                [
                    (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', RefreshHandler),
                    (r'.*', RefreshHandler),
                ]
            )

            http_server = HTTPServer(app)
            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])

            http_server.listen(url.port, url.hostname)

            IOLoop.current().start()
        if __name__ == '__main__':
            main()

  extraConfig:
    oauthCode: |
      import time
      import requests
      from datetime import datetime
      from oauthenticator.generic import GenericOAuthenticator
      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'

      def get_nextcloud_access_token(refresh_token):
        debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ
        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']

        code = refresh_token
        data = {
          'grant_type': 'refresh_token',
          'code': code,
          'refresh_token': refresh_token,
          'client_id': client_id,
          'client_secret': client_secret
        }
        response = requests.post(token_url, data=data)
        if debug:
          print(response.text)
        return response.json()

      def post_auth_hook(authenticator, handler, authentication):
        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
        auth_state = authentication['auth_state']
        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
        authentication['auth_state'] = auth_state
        return authentication

      class NextcloudOAuthenticator(GenericOAuthenticator):
        def __init__(self, *args, **kwargs):
          super().__init__(*args, **kwargs)
          self.user_dict = {}

        async def pre_spawn_start(self, user, spawner):
          super().pre_spawn_start(user, spawner)
          auth_state = await user.get_auth_state()
          if not auth_state:
            return
          access_token = auth_state['access_token']
          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token

        async def refresh_user(self, user, handler=None):
          debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ
          auth_state = await user.get_auth_state()
          if not auth_state:
            if debug:
              print(f'auth_state missing for {user}')
            return False
          access_token = auth_state['access_token']
          refresh_token = auth_state['refresh_token']
          token_response = auth_state['token_response']
          now = time.time()
          now_hr = datetime.fromtimestamp(now)
          expires = auth_state['token_expires']
          expires_hr = datetime.fromtimestamp(expires)
          expires = 0
          if debug:
            print(f'auth_state for {user}: {auth_state}')
          if now >= expires:
            if debug:
              print(f'Time is: {now_hr}, token expired: {expires_hr}')
              print(f'Refreshing token for {user}')
            try:
              token_response = get_nextcloud_access_token(refresh_token)
              auth_state['access_token'] = token_response['access_token']
              auth_state['refresh_token'] = token_response['refresh_token']
              auth_state['token_expires'] = now + token_response['expires_in']
              auth_state['token_response'] = token_response
              if debug:
                print(f'Successfully refreshed token for {user.name}')
                print(f'auth_state for {user.name}: {auth_state}')
              return {'name': user.name, 'auth_state': auth_state}
            except Exception as e:
              if debug:
                print(f'Failed to refresh token for {user}')
              return False
            return False
          if debug:
            print(f'Time is: {now_hr}, token expires: {expires_hr}')
          return True

      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
      c.NextcloudOAuthenticator.token_url = token_url
      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
      c.NextcloudOAuthenticator.allow_all = True
      c.NextcloudOAuthenticator.refresh_pre_spawn = True
      c.NextcloudOAuthenticator.enable_auth_state = True
      c.NextcloudOAuthenticator.auth_refresh_age = 3600
      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook

    serviceCode: |
      import sys
      c.JupyterHub.load_roles = [
          {
              "name": "refresh-token",
              "scopes": [
                "admin:auth_state"
              ]
          }
      ]
      c.JupyterHub.services = [
          {
              'name': 'refresh-token',
              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
          }
      ]

  extraEnv:
    NEXTCLOUD_DEBUG_OAUTH: "yes"
    NEXTCLOUD_HOST: sunet.drive.test.sunet.se
    JUPYTER_HOST: jupyter.drive.test.sunet.se
    JUPYTERHUB_CRYPT_KEY:
      valueFrom:
        secretKeyRef:
          name: jupyterhub-secrets
          key: crypt-key
    NEXTCLOUD_CLIENT_ID:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
          key: client-id
    NEXTCLOUD_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
          key: client-secret
    networkPolicy:
      enabled: false

singleuser:
  image:
    name: docker.sunet.se/drive/jupyter-custom
    tag: lab-4.0.10
  storage:
    dynamic:
      storageClass: csi-sc-cinderplugin
  extraEnv:
    JUPYTER_ENABLE_LAB: "yes"
  extraFiles:
    jupyter_notebook_config:
      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
      stringData: |
        import os
        c = get_config()
        c.NotebookApp.allow_origin = '*'
        c.NotebookApp.tornado_settings = {
            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
        }
        os.system('/usr/local/bin/nc-sync')
      mode: 0644
JupyterHub code 2023-05-03 09:19:31 +00:00			`hub:`
			`config:`
			`Authenticator:`
			`auto_login: true`
			`enable_auth_state: true`
			`JupyterHub:`
			`tornado_settings:`
			`headers: { 'Content-Security-Policy': "frame-ancestors *;" }`
DB is supposed to be under hub 2023-09-28 06:36:09 +00:00			`db:`
			`pvc:`
			`storageClassName: csi-sc-cinderplugin`
Run service 2024-01-15 15:03:11 +00:00			`extraFiles:`
Syntax error 2024-01-15 15:06:46 +00:00			`refresh-token.py:`
			`mountPath: /usr/local/etc/jupyterhub/refresh-token.py`
			`stringData: \|`
			`"""A token refresh service authenticating with the Hub.`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			This service serves `/services/refresh-token/`,
			`authenticated with the Hub,`
			`showing the user their own info.`
			`"""`
			`import json`
			`import os`
			`from urllib.parse import urlparse`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			`from tornado.httpserver import HTTPServer`
			`from tornado.ioloop import IOLoop`
			`from tornado.web import Application, RequestHandler, authenticated`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			`from jupyterhub.services.auth import HubAuthenticated`
Run service 2024-01-15 15:03:11 +00:00

Syntax error 2024-01-15 15:06:46 +00:00			`class RefreshHandler(HubAuthenticated, RequestHandler):`
			`@authenticated`
			`def get(self):`
			`user_model = self.get_current_user()`
			`self.set_header('content-type', 'application/json')`
			`self.write(json.dumps(user_model, indent=1, sort_keys=True))`
Run service 2024-01-15 15:03:11 +00:00

Syntax error 2024-01-15 15:06:46 +00:00			`def main():`
			`app = Application(`
			`[`
			`(os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', RefreshHandler),`
			`(r'.*', RefreshHandler),`
			`]`
			`)`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			`http_server = HTTPServer(app)`
			`url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			`http_server.listen(url.port, url.hostname)`
Run service 2024-01-15 15:03:11 +00:00
Syntax error 2024-01-15 15:06:46 +00:00			`IOLoop.current().start()`
			`if __name__ == '__main__':`
			`main()`
Run service 2024-01-15 15:03:11 +00:00
JupyterHub code 2023-05-03 09:19:31 +00:00			`extraConfig:`
			`oauthCode: \|`
Add expiration check 2024-01-13 14:47:22 +00:00			`import time`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`import requests`
Cleaner debug 2024-01-15 09:14:07 +00:00			`from datetime import datetime`
Try old code again 2024-01-12 09:26:03 +00:00			`from oauthenticator.generic import GenericOAuthenticator`
Only define token_url once 2024-01-15 13:28:39 +00:00			`token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00
Add code to refresh token 2024-01-15 11:29:56 +00:00			`def get_nextcloud_access_token(refresh_token):`
More debug 2024-01-15 12:43:55 +00:00			`debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`client_id = os.environ['NEXTCLOUD_CLIENT_ID']`
			`client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']`

			`code = refresh_token`
			`data = {`
Typo 2024-01-15 13:25:57 +00:00			`'grant_type': 'refresh_token',`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`'code': code,`
Typo 2024-01-15 11:36:00 +00:00			`'refresh_token': refresh_token,`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`'client_id': client_id,`
			`'client_secret': client_secret`
			`}`
Only define token_url once 2024-01-15 13:28:39 +00:00			`response = requests.post(token_url, data=data)`
More debug 2024-01-15 12:43:55 +00:00			`if debug:`
			`print(response.text)`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`return response.json()`

Switch to custom class 2024-01-12 13:04:13 +00:00			`def post_auth_hook(authenticator, handler, authentication):`
Format 2024-01-13 14:30:12 +00:00			`user = authentication['auth_state']['oauth_user']['ocs']['data']['id']`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00			`auth_state = authentication['auth_state']`
			`auth_state['token_expires'] = time.time() + auth_state['token_response']['expires_in']`
			`authentication['auth_state'] = auth_state`
Format 2024-01-13 14:30:12 +00:00			`return authentication`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00
Switch to custom class 2024-01-12 13:04:13 +00:00			`class NextcloudOAuthenticator(GenericOAuthenticator):`
			`def __init__(self, args, *kwargs):`
Format 2024-01-13 14:30:12 +00:00			`super().__init__(args, *kwargs)`
			`self.user_dict = {}`

use persited auth_state 2024-01-13 15:20:19 +00:00			`async def pre_spawn_start(self, user, spawner):`
Format 2024-01-13 14:30:12 +00:00			`super().pre_spawn_start(user, spawner)`
use persited auth_state 2024-01-13 15:20:19 +00:00			`auth_state = await user.get_auth_state()`
			`if not auth_state:`
			`return`
			`access_token = auth_state['access_token']`
Format 2024-01-13 14:30:12 +00:00			`spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token`
Add refresh user function 2024-01-13 14:30:57 +00:00
			`async def refresh_user(self, user, handler=None):`
Cleaner debug 2024-01-15 09:14:07 +00:00			`debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ`
use persited auth_state 2024-01-13 15:20:19 +00:00			`auth_state = await user.get_auth_state()`
			`if not auth_state:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'auth_state missing for {user}')`
use persited auth_state 2024-01-13 15:20:19 +00:00			`return False`
			`access_token = auth_state['access_token']`
			`refresh_token = auth_state['refresh_token']`
Fix typo 2024-01-13 15:24:28 +00:00			`token_response = auth_state['token_response']`
Remove exception 2024-01-13 15:21:55 +00:00			`now = time.time()`
Cleaner debug 2024-01-15 09:14:07 +00:00			`now_hr = datetime.fromtimestamp(now)`
Fix typo 2024-01-13 15:24:28 +00:00			`expires = auth_state['token_expires']`
Cleaner debug 2024-01-15 09:14:07 +00:00			`expires_hr = datetime.fromtimestamp(expires)`
Allways refresh 2024-01-15 13:12:17 +00:00			`expires = 0`
Use access token again 2024-01-15 11:07:53 +00:00			`if debug:`
			`print(f'auth_state for {user}: {auth_state}')`
Remove exception 2024-01-13 15:21:55 +00:00			`if now >= expires:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'Time is: {now_hr}, token expired: {expires_hr}')`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`print(f'Refreshing token for {user}')`
			`try:`
			`token_response = get_nextcloud_access_token(refresh_token)`
			`auth_state['access_token'] = token_response['access_token']`
			`auth_state['refresh_token'] = token_response['refresh_token']`
			`auth_state['token_expires'] = now + token_response['expires_in']`
			`auth_state['token_response'] = token_response`
			`if debug:`
Return correct format 2024-01-15 13:44:33 +00:00			`print(f'Successfully refreshed token for {user.name}')`
			`print(f'auth_state for {user.name}: {auth_state}')`
			`return {'name': user.name, 'auth_state': auth_state}`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`except Exception as e:`
			`if debug:`
			`print(f'Failed to refresh token for {user}')`
			`return False`
Add expiration check 2024-01-13 14:47:22 +00:00			`return False`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'Time is: {now_hr}, token expires: {expires_hr}')`
Remove exception 2024-01-13 15:21:55 +00:00			`return True`
Add refresh user function 2024-01-13 14:30:57 +00:00
Switch to custom class 2024-01-12 13:04:13 +00:00			`c.JupyterHub.authenticator_class = NextcloudOAuthenticator`
			`c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']`
			`c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']`
			`c.NextcloudOAuthenticator.login_service = 'Sunet Drive'`
			`c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')`
			`c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'`
			`c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'`
Only define token_url once 2024-01-15 13:28:39 +00:00			`c.NextcloudOAuthenticator.token_url = token_url`
Switch to custom class 2024-01-12 13:04:13 +00:00			`c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'`
			`c.NextcloudOAuthenticator.allow_all = True`
			`c.NextcloudOAuthenticator.refresh_pre_spawn = True`
			`c.NextcloudOAuthenticator.enable_auth_state = True`
Add start of service 2024-01-15 14:03:35 +00:00			`c.NextcloudOAuthenticator.auth_refresh_age = 3600`
Switch to custom class 2024-01-12 13:04:13 +00:00			`c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook`

Add start of service 2024-01-15 14:03:35 +00:00			`serviceCode: \|`
Run service 2024-01-15 15:03:11 +00:00			`import sys`
			`c.JupyterHub.load_roles = [`
			`{`
			`"name": "refresh-token",`
			`"scopes": [`
			`"admin:auth_state"`
			`]`
			`}`
			`]`
			`c.JupyterHub.services = [`
			`{`
			`'name': 'refresh-token',`
Syntax error 2024-01-15 15:06:46 +00:00			`'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']`
Run service 2024-01-15 15:03:11 +00:00			`}`
			`]`
Add start of service 2024-01-15 14:03:35 +00:00
JupyterHub code 2023-05-03 09:19:31 +00:00			`extraEnv:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`NEXTCLOUD_DEBUG_OAUTH: "yes"`
JupyterHub code 2023-05-03 09:19:31 +00:00			`NEXTCLOUD_HOST: sunet.drive.test.sunet.se`
			`JUPYTER_HOST: jupyter.drive.test.sunet.se`
Allow authstate to be persisted 2024-01-13 15:09:47 +00:00			`JUPYTERHUB_CRYPT_KEY:`
			`valueFrom:`
			`secretKeyRef:`
			`name: jupyterhub-secrets`
			`key: crypt-key`
JupyterHub code 2023-05-03 09:19:31 +00:00			`NEXTCLOUD_CLIENT_ID:`
			`valueFrom:`
			`secretKeyRef:`
			`name: nextcloud-oauth-secrets`
			`key: client-id`
			`NEXTCLOUD_CLIENT_SECRET:`
			`valueFrom:`
			`secretKeyRef:`
			`name: nextcloud-oauth-secrets`
			`key: client-secret`
Update charts to 3.2.1 and make values.yaml match docs 2024-01-11 08:27:05 +00:00			`networkPolicy:`
			`enabled: false`
Simplify Signed-off-by: Micke Nordin <kano@sunet.se> 2024-01-10 12:45:44 +00:00
JupyterHub code 2023-05-03 09:19:31 +00:00			`singleuser:`
			`image:`
			`name: docker.sunet.se/drive/jupyter-custom`
Upgrade lab to lab-4.0.10 2024-01-12 15:07:42 +00:00			`tag: lab-4.0.10`
JupyterHub code 2023-05-03 09:19:31 +00:00			`storage:`
Try persistant storage 2024-01-12 15:12:57 +00:00			`dynamic:`
			`storageClass: csi-sc-cinderplugin`
JupyterHub code 2023-05-03 09:19:31 +00:00			`extraEnv:`
			`JUPYTER_ENABLE_LAB: "yes"`
			`extraFiles:`
			`jupyter_notebook_config:`
			`mountPath: /home/jovyan/.jupyter/jupyter_server_config.py`
			`stringData: \|`
			`import os`
			`c = get_config()`
			`c.NotebookApp.allow_origin = '*'`
			`c.NotebookApp.tornado_settings = {`
			`'headers': { 'Content-Security-Policy': "frame-ancestors *;" }`
			`}`
			`os.system('/usr/local/bin/nc-sync')`
			`mode: 0644`