From 9f8304f6349703d610eb02d39660378d0d56219d Mon Sep 17 00:00:00 2001
From: Thomas Pfau
Date: Mon, 11 Mar 2024 12:42:08 +0200
Subject: [PATCH] Make difference between debug and deploy

---
 app/saml/saml_router.py  | 12 +++++++++---
 app/security/saml.py     |  6 +++++-
 k8s_gateway_ingress.yaml |  2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/saml/saml_router.py b/app/saml/saml_router.py
index 31738bc..502b6dd 100644
--- a/app/saml/saml_router.py
+++ b/app/saml/saml_router.py
@@ -15,6 +15,7 @@ from security.auth import clean_session, get_request_source
 import logging
+import os
 logger = logging.getLogger(__name__)
@@ -51,9 +52,12 @@ async def saml_callback(request: Request):
     else:
         sessionData = {}
     sessionData["samlUserdata"] = auth.get_attributes()
+    logger.info(sessionData["samlUserdata"])
     # Now, we check, whether the user is an employee, and thus eligible to use the service
-    try:
-        if (
+    debug = int(os.environ.get("GATEWAY_DEBUG", 0)) == 1
+    logger.info(debug)
+    try:
+        if (not debug) and (
             not "employee" in sessionData["samlUser"]["urn:oid:1.3.6.1.4.1.5923.1.1.1.1"]
         ):
@@ -61,7 +65,9 @@ async def saml_callback(request: Request):
                 status.HTTP_403_FORBIDDEN,
                 "Only staff can use this self service",
             )
-    except:
+    except Exception as e:
+        logger.error(e)
+        logger.info(sessionData)
         raise HTTPException(status.HTTP_403_FORBIDDEN, "Authentication invalid")
     sessionData["samlNameId"] = auth.get_nameid()
     sessionData["samlNameIdFormat"] = auth.get_nameid_format()
diff --git a/app/security/saml.py b/app/security/saml.py
index 1d5d9d3..9e8ea4f 100644
--- a/app/security/saml.py
+++ b/app/security/saml.py
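Review bot: The new `if (not debug) and (...)` guard switches the employee authorization check off entirely whenever the process sees `GATEWAY_DEBUG=1`, so a debug value leaking into a deployed environment (a shared ConfigMap, a copied `.env`) admits any user the IdP authenticates, with nothing but an INFO line to show for it. Because this is an authorization decision, keep the check unconditional and relax it only for an explicitly non-production SP configuration, or at minimum fail closed and avoid the unhandled `ValueError` that `int()` raises outside the `try` for a value such as `true`: `debug = os.environ.get("GATEWAY_DEBUG", "0").strip() == "1"`. The added `logger.info(sessionData["samlUserdata"])` writes every attribute the IdP releases (names, mail, affiliations) to the log on every login; log only what the check needs, at debug level, e.g. `logger.debug("affiliations: %s", sessionData["samlUserdata"].get("urn:oid:1.3.6.1.4.1.5923.1.1.1.1"))`. Note also that the check reads `sessionData["samlUser"]` while the attributes were just stored under `"samlUserdata"`; if `samlUser` is not populated elsewhere, the resulting `KeyError` falls through to the generic 403 below, which may be what is happening in debug. `saml_callback` starts and continues outside this hunk.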
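Review bot: `except Exception as e:` still catches the `HTTPException(status.HTTP_403_FORBIDDEN, "Only staff can use this self service")` raised inside the `try` two lines above (assuming `HTTPException` is FastAPI's, which subclasses `Exception`), so the staff-only message is never returned and every failure collapses into `Authentication invalid`; narrow it to the lookup failure, `except (KeyError, TypeError) as e:`, or add `except HTTPException: raise` before the generic clause. The new `logger.info(sessionData)` dumps the whole session dict, including all released SAML attributes, at INFO on each rejected login, i.e. PII of exactly the users you refuse; replace the two log lines with `logger.exception("SAML eligibility check failed")` and drop the session dump. The `try` begins in the previous hunk and `saml_callback` continues outside this one.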
@@ -79,12 +79,16 @@ async def prepare_from_fastapi_request(request: Request, debug=False):
         "post_data": {},
         "get_data": dict(request.query_params),
         # Advanced request options
-        "https": "", # Uncomment if you are running a server using https!
+        #"https": "", # Uncomment if you are running a server using https!
         # "request_uri": "",
         "query_string": request.url.query,
         # "validate_signature_from_qs": False,
         # "lowercase_urlencoding": False
     }
+    # On debug, this is 0
+    saml_logger.debug(os.environ.get("GATEWAY_DEBUG", 0))
+    if not int(os.environ.get("GATEWAY_DEBUG", 0)) == 1:
+        rv["https"] = "on"
     form_data = await request.form()
     if "SAMLResponse" in form_data:
         SAMLResponse = form_data["SAMLResponse"]
diff --git a/k8s_gateway_ingress.yaml b/k8s_gateway_ingress.yaml
index ee02ae3..c3e41a9 100644
--- a/k8s_gateway_ingress.yaml
+++ b/k8s_gateway_ingress.yaml
@@ -22,7 +22,7 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
     nginx.ingress.kubernetes.io/upstream-vhost: llm-gateway.k8s-test.cs.aalto.fi
     # Comment out during dev
-    # nginx.ingress.kubernetes.io/whitelist-source-range: 130.233.0.0/16
+    nginx.ingress.kubernetes.io/whitelist-source-range: 130.233.0.0/16
   # Spec tells the actual parameters: hosts to listen on, path prefixes.
 spec:
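Review bot: The comment `# On debug, this is 0` says the opposite of the condition under it, which treats `GATEWAY_DEBUG=1` as debug and sets `rv["https"] = "on"` only otherwise; make it `# GATEWAY_DEBUG=1 marks a local plain-http run; any other value means the SP is served over TLS`. The function already takes a `debug=False` parameter (visible in the hunk header) that the new code ignores in favour of the environment, so the two can disagree; reading the flag once in one helper and passing it in would also remove the duplicated `int(os.environ.get("GATEWAY_DEBUG", 0))` parse that appears in `saml_router.py` and raises `ValueError` for a non-numeric value. Stylistically, `not x == 1` reads better as `x != 1`, and `saml_logger.debug(...)` logs the raw environment string rather than the decision taken. As far as I recall, python3-saml uses the `https` key to rebuild the request URL it checks the response's `Destination` against, so a wrong flag behind a TLS-terminating ingress fails closed rather than opening anything, but that deserves a test. `prepare_from_fastapi_request` continues outside this hunk.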
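Review bot: Re-enabling `whitelist-source-range: 130.233.0.0/16` only restricts access if the ingress-nginx controller sees the real client address; behind a load balancer without PROXY protocol or `use-forwarded-headers`, every request carries the balancer's IP and the range blocks everyone, while with `use-forwarded-headers: "true"` and no trusted-proxy list it can be bypassed with a forged `X-Forwarded-For`. Verify the controller's real-IP configuration before treating this annotation as the gateway's access control, and say so in the comment: `# Campus-only access; requires the controller to see real client IPs (proxy-protocol / proxy-real-ip-cidr)`. The `# Comment out during dev` toggle means dev access is obtained by editing the manifest that also goes to production, which is presumably how the line ended up commented out before this commit; a kustomize overlay or separate dev values file keeps the allow-list out of reach of a forgotten edit.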