async def get_auth_token(Authorization: str = Header(...)):
if Authorization == "":
raise HTTPException(status_code=400, detail="Authorization Token Required")
async def list_services(
# pylint: disable=too-many-arguments
user_id: PositiveInt,
details: Optional[bool] = True,
director_client: DirectorApi = Depends(get_director_api),
groups_repository: GroupsRepository = Depends(
get_repository(GroupsRepository)),
services_repo: ServicesRepository = Depends(
get_repository(ServicesRepository)),
x_simcore_products_name: str = Header(...),
):
# get user groups
user_groups = await groups_repository.list_user_groups(user_id)
if not user_groups:
# deny access
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You have unsufficient rights to access the services",
)
# now get the executable services
executable_services: Set[Tuple[str, str]] = {
(service.key, service.version)
for service in await services_repo.list_services(
gids=[group.gid for group in user_groups],
execute_access=True,
product_name=x_simcore_products_name,
)
}
# get the writable services
_services = await services_repo.list_services(
gids=[group.gid for group in user_groups],
write_access=True,
product_name=x_simcore_products_name,
)
writable_services: Set[Tuple[str, str]] = {(service.key, service.version)
for service in _services}
visible_services = executable_services | writable_services
if not details:
# only return a stripped down version
services = [
ServiceOut(
key=key,
version=version,
name="nodetails",
description="nodetails",
type=ServiceType.COMPUTATIONAL,
authors=[{
"name": "nodetails",
"email": "*****@*****.**"
}],
contact="*****@*****.**",
inputs={},
outputs={},
) for key, version in visible_services
]
return services
# get the services from the registry and filter them out
frontend_services = [
s.dict(by_alias=True) for s in get_frontend_services()
]
registry_services = await director_client.get("/services")
data = frontend_services + registry_services
services: List[ServiceOut] = []
for x in data:
try:
service = ServiceOut.parse_obj(x)
if not (service.key, service.version) in visible_services:
# no access to that service
continue
# we have write access for that service, fill in the service rights
access_rights: List[
ServiceAccessRightsAtDB] = await services_repo.get_service_access_rights(
service.key,
service.version,
product_name=x_simcore_products_name)
service.access_rights = {
rights.gid: rights
for rights in access_rights
}
# access is allowed, override some of the values with what is in the db
service_in_db: Optional[
ServiceMetaDataAtDB] = await services_repo.get_service(
service.key, service.version)
if not service_in_db:
logger.error(
"The service %s:%s is not in the database",
service.key,
service.version,
)
continue
service = service.copy(update=service_in_db.dict(
exclude_unset=True, exclude={"owner"}))
# the owner shall be converted to an email address
if service_in_db.owner:
service.owner = await groups_repository.get_user_email_from_gid(
service_in_db.owner)
services.append(service)
# services = parse_obj_as(List[ServiceOut], data) this does not work since if one service has an issue it fails
except ValidationError as exc:
logger.warning(
"skip service %s:%s that has invalid fields\n%s",
x["key"],
x["version"],
exc,
)
return services
def stream(filename: Optional[str] = '', folder: Optional[str] = '', id: Optional[str] = None, range: str = Header('bytes=0-')):
try:
def iterfile(file, chunk_size, start, size):
bytes_read = 0
file.seek(start)
while bytes_read < size:
bytes_to_read = min(chunk_size, size - bytes_read)
yield file.read(bytes_to_read)
bytes_read += bytes_to_read
if id:
media = Media.objects.get(id=id)
else:
media = Media.objects.get(folder=folder, filename=filename)
if not media.file:
raise DoesNotExist
start_byte = int(range.split('=')[-1].split('-')[0])
chunk_size = FileSettings.MAX_STREAM_CHUNK_SIZE
size = media.file.length
if start_byte + chunk_size > size:
chunk_size = size - 1 - start_byte
return StreamingResponse(
content=iterfile(
#media.file.read(),
media.file,
chunk_size,
start_byte,
size
),
status_code=206,
headers={
'Accept-Ranges': 'bytes',
'Content-Range': f'bytes {start_byte}-{start_byte+chunk_size}/{size - 1}',
'Content-Type': media.file.content_type,
'Content-Disposition': f'inline; filename="{media.filename.rsplit(".", 1)[0]}"'
},
media_type=media.file.content_type
)
except DoesNotExist:
raise NotFoundError().http_exception
except SchemaValidationError:
raise SchemaValidationError().http_exception
except Exception as e:
raise e
async def verify_key(x_key: str = Header(...)):
if x_key != "fake-super-secret-key":
raise HTTPException(status_code=400, detail="X-Key header invalid")
return x_key
async def get_service(
# pylint: disable=too-many-arguments
user_id: int,
service_key: constr(regex=KEY_RE),
service_version: constr(regex=VERSION_RE),
director_client: DirectorApi = Depends(get_director_api),
groups_repository: GroupsRepository = Depends(
get_repository(GroupsRepository)),
services_repo: ServicesRepository = Depends(
get_repository(ServicesRepository)),
x_simcore_products_name: str = Header(None),
):
# check the service exists
services_in_registry = await director_client.get(
f"/services/{urllib.parse.quote_plus(service_key)}/{service_version}")
service = ServiceOut.parse_obj(services_in_registry[0])
# the director client already raises an exception if not found
# get the user groups
user_groups = await groups_repository.list_user_groups(user_id)
if not user_groups:
# deny access
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You have unsufficient rights to access the service",
)
# check the user has access to this service and to which extent
service_in_db = await services_repo.get_service(
service_key,
service_version,
gids=[group.gid for group in user_groups],
write_access=True,
product_name=x_simcore_products_name,
)
if service_in_db:
# we have full access, let's add the access to the output
service_access_rights: List[
ServiceAccessRightsAtDB] = await services_repo.get_service_access_rights(
service.key,
service.version,
product_name=x_simcore_products_name)
service.access_rights = {
rights.gid: rights
for rights in service_access_rights
}
else:
# check if we have executable rights
service_in_db = await services_repo.get_service(
service_key,
service_version,
gids=[group.gid for group in user_groups],
execute_access=True,
product_name=x_simcore_products_name,
)
if not service_in_db:
# we have no access here
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You have insufficient rights to access the service",
)
# access is allowed, override some of the values with what is in the db
service = service.copy(
update=service_in_db.dict(exclude_unset=True, exclude={"owner"}))
# the owner shall be converted to an email address
if service_in_db.owner:
service.owner = await groups_repository.get_user_email_from_gid(
service_in_db.owner)
return service
async def get_user(user_id: int,
db_session: Session = Depends(get_db_session),
content_type: Optional[str] = Header(None),
user_agent: Optional[str] = Header(None),
host: Optional[str] = Header(None)):
return db_session.query(User).get(user_id)
async def user_logout(x_token: List[str] = Header(None)) -> Any:
print(x_token)
# TODO 这里配置一个销毁方法,暂时把token放到临时表中,如果下次有这个token登录则阻拦
return {'code': 20000, 'message': '退出成功!'}
def ingest_feature_set(
project: str,
name: str,
reference: str,
ingest_parameters: Optional[
schemas.FeatureSetIngestInput
] = schemas.FeatureSetIngestInput(),
username: str = Header(None, alias="x-remote-user"),
auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
db_session: Session = Depends(deps.get_db_session),
):
mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
mlrun.api.schemas.AuthorizationResourceTypes.feature_set,
project,
name,
mlrun.api.schemas.AuthorizationAction.update,
auth_verifier.auth_info,
)
mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
mlrun.api.schemas.AuthorizationResourceTypes.run,
project,
"",
mlrun.api.schemas.AuthorizationAction.create,
auth_verifier.auth_info,
)
data_source = data_targets = None
if ingest_parameters.source:
data_source = DataSource.from_dict(ingest_parameters.source.dict())
if data_source.schedule:
mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
mlrun.api.schemas.AuthorizationResourceTypes.schedule,
project,
"",
mlrun.api.schemas.AuthorizationAction.create,
auth_verifier.auth_info,
)
tag, uid = parse_reference(reference)
feature_set_record = mlrun.api.crud.FeatureStore().get_feature_set(
db_session, project, name, tag, uid
)
feature_set = mlrun.feature_store.FeatureSet.from_dict(feature_set_record.dict())
if feature_set.spec.function and feature_set.spec.function.function_object:
function = feature_set.spec.function.function_object
mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
mlrun.api.schemas.AuthorizationResourceTypes.function,
function.metadata.project,
function.metadata.name,
mlrun.api.schemas.AuthorizationAction.read,
auth_verifier.auth_info,
)
# Need to override the default rundb since we're in the server.
feature_set._override_run_db(db_session)
if ingest_parameters.targets:
data_targets = [
DataTargetBase.from_dict(data_target.dict())
for data_target in ingest_parameters.targets
]
run_config = RunConfig(owner=username)
# Try to deduce whether the ingest job will need v3io mount, by analyzing the paths to the source and
# targets. If it needs it, apply v3io mount to the run_config. Note that the access-key and username are
# user-context parameters, we cannot use the api context.
if _has_v3io_path(data_source, data_targets, feature_set):
access_key = auth_verifier.auth_info.data_session
if not access_key or not username:
log_and_raise(
HTTPStatus.BAD_REQUEST.value,
reason="Request needs v3io access key and username in header",
)
run_config = run_config.apply(v3io_cred(access_key=access_key, user=username))
infer_options = ingest_parameters.infer_options or InferOptions.default()
run_params = ingest(
feature_set,
data_source,
data_targets,
infer_options=infer_options,
return_df=False,
run_config=run_config,
)
# ingest may modify the feature-set contents, so returning the updated feature-set.
result_feature_set = schemas.FeatureSet(**feature_set.to_dict())
return schemas.FeatureSetIngestOutput(
feature_set=result_feature_set, run_object=run_params.to_dict()
)
async def get_token_header(api_key: str = Header(...)):
if api_key != "complete-web-developer-bootcamp-2020":
raise HTTPException(status_code=400, detail="api-key header invalid")
async def read_items(*, user_agent: str = Header(None)): ## Optional
return {"User-Agent": user_agent}
async def read_items(
*, strange_header: str = Header(None, convert_underscores=False)
): ## By default it converts the underscores to hyphen,But now it will not
return {"strange_header": strange_header}
async def read_items(*, ads_id: str = Header("abc")): ## Default Value
return {"ads_id": ads_id}
async def read_items(*,
user_agent: str = Header(None),
x_token: List[str] = Header(None)):
return {"User-Agent": user_agent}
def have_access_key(x_access_key=Header(None)):
if x_access_key not in settings.PRIVATE_ACCESS_KEYS:
raise HTTPException(status_code=401, detail="You can not access to this resource")
return x_access_key
def get_current_user(token: str = Header(...),
description="user auth token (user_id") -> User:
if token not in USER_BY_TOKEN:
raise exceptions.HTTPException(404, f"user token {token!r} not found")
user = USER_BY_TOKEN[token]
return user
async def get_kong_request_id(kong_request_id: Optional[str] = Header(None)):
return {"Kong-Request-ID": kong_request_id}
async def read_items(user_agent: Union[str, None] = Header(default=None)):
return {"User-Agent": user_agent}
def _get_authorization_token_optional(authorization: str = Header(None)):
if authorization:
return _get_authorization_token(authorization)
return ""
async def token_is_true(token: str = Header(..., description="token验证")):
uid = redis.get(token)
if not uid:
raise HTTPException(status_code=401, detail='Authorization Failed')
user = db.user.find_one({'_id': ObjectId(uid)})
return user
def introspect_token(Authorization: str = Header(None)):
if Authorization == None:
return {"message": "Token not provided."}
token_info = keycloak_openid.introspect(Authorization[7:])
return {"token_info": token_info}
async def get_token_header(x_token: str = Header(...)):
if x_token != 'my-secret-token':
raise HTTPException(status_code=400, detail='X-Token header invalid')
async def verify_tocken(x_tocken: str = Header(...)):
if x_tocken != "fake-super-secret-token":
raise HTTPException(status_code=400, detail="x-token header invalid")
def weather_metric(request, vendor: str, auth_header: str = Header(...)):
return {"customRoute": ""}
def internal_only(internal_header: str = Header(None)):
logger.info("ROLE = %s", internal_header)
if internal_header != 'service':
raise HTTPException(HTTP_403_FORBIDDEN, detail="Access denied")
async def modify_service(
# pylint: disable=too-many-arguments
user_id: int,
service_key: constr(regex=KEY_RE),
service_version: constr(regex=VERSION_RE),
updated_service: ServiceUpdate,
director_client: DirectorApi = Depends(get_director_api),
groups_repository: GroupsRepository = Depends(
get_repository(GroupsRepository)),
services_repo: ServicesRepository = Depends(
get_repository(ServicesRepository)),
x_simcore_products_name: str = Header(None),
):
# check the service exists
await director_client.get(
f"/services/{urllib.parse.quote_plus(service_key)}/{service_version}")
# the director client already raises an exception if not found
# get the user groups
user_groups = await groups_repository.list_user_groups(user_id)
if not user_groups:
# deny access
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You have unsufficient rights to access the service",
)
# check the user has write access to this service
writable_service = await services_repo.get_service(
service_key,
service_version,
gids=[group.gid for group in user_groups],
write_access=True,
product_name=x_simcore_products_name,
)
if not writable_service:
# deny access
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You have unsufficient rights to modify the service",
)
# let's modify the service then
await services_repo.update_service(
ServiceMetaDataAtDB(
key=service_key,
version=service_version,
**updated_service.dict(exclude_unset=True),
))
# let's modify the service access rights (they can be added/removed/modified)
current_gids_in_db = [
r.gid for r in await services_repo.get_service_access_rights(
service_key, service_version, product_name=x_simcore_products_name)
]
if updated_service.access_rights:
# start by updating/inserting new entries
new_access_rights = [
ServiceAccessRightsAtDB(
key=service_key,
version=service_version,
gid=gid,
execute_access=rights.execute_access,
write_access=rights.write_access,
product_name=x_simcore_products_name,
) for gid, rights in updated_service.access_rights.items()
]
await services_repo.upsert_service_access_rights(new_access_rights)
# then delete the ones that were removed
removed_gids = [
gid for gid in current_gids_in_db
if gid not in updated_service.access_rights
]
deleted_access_rights = [
ServiceAccessRightsAtDB(
key=service_key,
version=service_version,
gid=gid,
product_name=x_simcore_products_name,
) for gid in removed_gids
]
await services_repo.delete_service_access_rights(deleted_access_rights)
# now return the service
return await get_service(
user_id,
service_key,
service_version,
director_client,
groups_repository,
services_repo,
x_simcore_products_name,
)
def get_user_agent(user_agent: str = Header("User-Agent")) -> str:
return user_agent
def get_status(repository: str, authorization: str = Header(None)):
user_detail = users.get_user_data_from_token(authorization)
if not user_detail:
raise HTTPException(status_code=403,
detail="Invalid Authentication Token")
return deploy.get_status(repository)
async def get_token_header(api_token: str = Header(...)):
if api_token != API_KEY:
raise HTTPException(status_code=400, detail="API-Token header invalid")
async def get_token_header(x_token: str = Header(...)):
if x_token != "fake-super-secret-token":
raise HTTPException(status_code=400, detail="X-Token header invalid")
def header_example(data: Union[str,
None] = Header(
default=None,
example="header1",
), ):
return data
