async def test_invalid(config: Config, factory: ComponentFactory) -> None:
redis = await redis_dependency()
token_service = factory.create_token_service()
expires = int(timedelta(days=1).total_seconds())
# No such key.
token = Token()
assert await token_service.get_data(token) is None
# Invalid encrypted blob.
await redis.set(f"token:{token.key}", "foo", ex=expires)
assert await token_service.get_data(token) is None
# Malformed session.
fernet = Fernet(config.session_secret.encode())
raw_data = fernet.encrypt(b"malformed json")
await redis.set(f"token:{token.key}", raw_data, ex=expires)
assert await token_service.get_data(token) is None
# Mismatched token.
data = TokenData(
token=Token(),
username="******",
token_type=TokenType.session,
scopes=[],
created=int(current_datetime().timestamp()),
name="Some User",
uid=12345,
)
session = fernet.encrypt(data.json().encode())
await redis.set(f"token:{token.key}", session, ex=expires)
assert await token_service.get_data(token) is None
# Missing required fields.
json_data = {
"token": {
"key": token.key,
"secret": token.secret,
},
"token_type": "session",
"scopes": [],
"created": int(current_datetime().timestamp()),
"name": "Some User",
}
raw_data = fernet.encrypt(json.dumps(json_data).encode())
await redis.set(f"token:{token.key}", raw_data, ex=expires)
assert await token_service.get_data(token) is None
# Fix the session store and confirm we can retrieve the manually-stored
# session.
json_data["username"] = "******"
raw_data = fernet.encrypt(json.dumps(json_data).encode())
await redis.set(f"token:{token.key}", raw_data, ex=expires)
new_data = await token_service.get_data(token)
assert new_data == TokenData.parse_obj(json_data)
async def assert_kubernetes_secrets_are_correct(
factory: ComponentFactory, mock: MockKubernetesApi, is_fresh: bool = True
) -> None:
token_service = factory.create_token_service()
# Get all of the GafaelfawrServiceToken custom objects.
service_tokens = mock.get_all_objects_for_test("GafaelfawrServiceToken")
# Calculate the expected secrets.
expected = [
V1Secret(
api_version="v1",
kind="Secret",
data={"token": ANY},
metadata=V1ObjectMeta(
name=t["metadata"]["name"],
namespace=t["metadata"]["namespace"],
annotations=t["metadata"].get("annotations", {}),
labels=t["metadata"].get("labels", {}),
owner_references=[
V1OwnerReference(
api_version="gafaelfawr.lsst.io/v1alpha1",
block_owner_deletion=True,
controller=True,
kind="GafaelfawrServiceToken",
name=t["metadata"]["name"],
uid=t["metadata"]["uid"],
),
],
),
type="Opaque",
)
for t in service_tokens
]
expected = sorted(
expected, key=lambda o: (o.metadata.namespace, o.metadata.name)
)
assert mock.get_all_objects_for_test("Secret") == expected
# Now check that every token in those secrets is correct.
for service_token in service_tokens:
name = service_token["metadata"]["name"]
namespace = service_token["metadata"]["namespace"]
secret = await mock.read_namespaced_secret(name, namespace)
data = await token_data_from_secret(token_service, secret)
assert data == TokenData(
token=data.token,
username=service_token["spec"]["service"],
token_type=TokenType.service,
scopes=service_token["spec"]["scopes"],
created=data.created,
expires=None,
name=None,
uid=None,
groups=None,
)
if is_fresh:
now = current_datetime()
assert now - timedelta(seconds=5) <= data.created <= now
async def check_database() -> None:
async with ComponentFactory.standalone() as factory:
admin_service = factory.create_admin_service()
expected = [Admin(username=u) for u in config.initial_admins]
assert await admin_service.get_admins() == expected
token_service = factory.create_token_service()
bootstrap = TokenData.bootstrap_token()
assert await token_service.list_tokens(bootstrap) == []
async def create_session_token(self, user_info: TokenUserInfo, *,
scopes: List[str],
ip_address: str) -> Token:
"""Create a new session token.
Parameters
----------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information to associate with the token.
scopes : List[`str`]
The scopes of the token.
ip_address : `str`
The IP address from which the request came.
Returns
-------
token : `gafaelfawr.models.token.Token`
The newly-created token.
Raises
------
gafaelfawr.exceptions.PermissionDeniedError
If the provided username is invalid.
"""
self._validate_username(user_info.username)
scopes = sorted(scopes)
token = Token()
created = current_datetime()
expires = created + self._config.token_lifetime
data = TokenData(
token=token,
token_type=TokenType.session,
scopes=scopes,
created=created,
expires=expires,
**user_info.dict(),
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=scopes,
expires=expires,
actor=data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await self._token_redis_store.store_data(data)
with self._transaction_manager.transaction():
self._token_db_store.add(data)
self._token_change_store.add(history_entry)
return token
async def add_expired_session_token(
user_info: TokenUserInfo,
*,
scopes: List[str],
ip_address: str,
session: AsyncSession,
) -> None:
"""Add an expired session token to the database.
This requires going beneath the service layer, since the service layer
rejects creation of expired tokens (since apart from testing this isn't a
sensible thing to want to do).
This does not add the token to Redis, since Redis will refuse to add it
with a negative expiration time, so can only be used for tests that
exclusively use the database.
Parameters
----------
user_info : `gafaelfawr.models.token.TokenUserInfo`
The user information to associate with the token.
scopes : List[`str`]
The scopes of the token.
ip_address : `str`
The IP address from which the request came.
session : `sqlalchemy.ext.asyncio.AsyncSession`
The database session.
"""
token_db_store = TokenDatabaseStore(session)
token_change_store = TokenChangeHistoryStore(session)
token = Token()
created = current_datetime()
expires = created - timedelta(minutes=10)
data = TokenData(
token=token,
token_type=TokenType.session,
scopes=scopes,
created=created,
expires=expires,
**user_info.dict(),
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=scopes,
expires=expires,
actor=data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await token_db_store.add(data)
await token_change_store.add(history_entry)
async def _create_service_token(
self, service_secret: ServiceSecret
) -> Token:
request = AdminTokenRequest(
username=service_secret.service,
token_type=TokenType.service,
scopes=service_secret.scopes,
)
return await self._token_service.create_token_from_admin_request(
request, TokenData.internal_token(), ip_address=None
)
async def test_expiration(setup: SetupTest) -> None:
"""The cache is valid until half the lifetime of the child token."""
token_data = await setup.create_session_token(scopes=["read:all"])
lifetime = setup.config.token_lifetime
now = current_datetime()
storage = RedisStorage(TokenData, setup.config.session_secret, setup.redis)
token_store = TokenRedisStore(storage, setup.logger)
token_cache = setup.factory.create_token_cache()
# Store a token whose expiration is five seconds more than half the
# typical token lifetime in the future and cache that token as an internal
# token for our session token.
created = now - timedelta(seconds=lifetime.total_seconds() // 2)
expires = created + setup.config.token_lifetime + timedelta(seconds=5)
internal_token_data = TokenData(
token=Token(),
username=token_data.username,
token_type=TokenType.internal,
scopes=["read:all"],
created=created,
expires=expires,
)
await token_store.store_data(internal_token_data)
token_cache.store_internal_token(
internal_token_data.token, token_data, "some-service", ["read:all"]
)
# The cache should return this token.
assert internal_token_data.token == await token_cache.get_internal_token(
token_data, "some-service", ["read:all"]
)
# Now change the expiration to be ten seconds earlier, which should make
# the remaining lifetime less than half the total lifetime, and replace
# replace the stored token with that new version.
internal_token_data.expires = expires - timedelta(seconds=20)
await token_store.store_data(internal_token_data)
# The cache should now decline to return the token.
assert not await token_cache.get_internal_token(
token_data, "some-service", ["read:all"]
)
# Do the same test with a notebook token.
notebook_token_data = TokenData(
token=Token(),
username=token_data.username,
token_type=TokenType.notebook,
scopes=["read:all"],
created=created,
expires=expires,
)
await token_store.store_data(notebook_token_data)
token_cache.store_notebook_token(notebook_token_data.token, token_data)
token = notebook_token_data.token
assert token == await token_cache.get_notebook_token(token_data)
notebook_token_data.expires = expires - timedelta(seconds=20)
await token_store.store_data(notebook_token_data)
assert not await token_cache.get_notebook_token(token_data)
async def assert_kubernetes_secrets_match_config(
setup: SetupTest,
mock_kubernetes: MockCoreV1Api,
is_fresh: bool = True) -> None:
assert setup.config.kubernetes
token_service = setup.factory.create_token_service()
expected = [
V1Secret(
api_version="v1",
data={"token": ANY},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=s.secret_name,
namespace=s.secret_namespace,
),
type="Opaque",
) for s in setup.config.kubernetes.service_secrets
]
assert_kubernetes_objects_are(mock_kubernetes, expected)
for service_secret in setup.config.kubernetes.service_secrets:
secret = mock_kubernetes.read_namespaced_secret(
service_secret.secret_name, service_secret.secret_namespace)
data = await token_data_from_secret(token_service, secret)
assert data == TokenData(
token=data.token,
username=service_secret.service,
token_type=TokenType.service,
scopes=service_secret.scopes,
created=data.created,
expires=None,
name=None,
uid=None,
groups=None,
)
if is_fresh:
now = current_datetime()
assert now - timedelta(seconds=5) <= data.created <= now
async def test_internal_token(config: Config,
factory: ComponentFactory) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
async with factory.session.begin():
internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="2001:db8::45",
)
assert await token_service.get_user_info(internal_token) == user_info
info = await token_service.get_token_info_unchecked(internal_token.key)
assert info and info == TokenInfo(
token=internal_token.key,
username=user_info.username,
token_type=TokenType.internal,
service="some-service",
scopes=["read:all"],
created=info.created,
last_used=None,
expires=data.expires,
parent=session_token.key,
)
assert_is_now(info.created)
# Cannot request a scope that the parent token doesn't have.
with pytest.raises(InvalidScopesError):
await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:some"],
ip_address="127.0.0.1",
)
# Creating another internal token from the same parent token with the same
# parameters just returns the same internal token as before.
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token == new_internal_token
# Try again with the cache cleared to force a database lookup.
await token_service._token_cache.clear()
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token == new_internal_token
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=internal_token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=internal_token.key,
username=data.username,
token_type=TokenType.internal,
parent=data.token.key,
service="some-service",
scopes=["read:all"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="2001:db8::45",
event_time=info.created,
)
]
# It's possible we'll have a race condition where two workers both create
# an internal token at the same time with the same parameters. Gafaelfawr
# 3.0.2 had a regression where, once that had happened, it could not
# retrieve the internal token because it didn't expect multiple results
# from the query. Simulate this and make sure it's handled properly. The
# easiest way to do this is to use the internals of the token service.
second_internal_token = Token()
created = current_datetime()
expires = created + config.token_lifetime
internal_token_data = TokenData(
token=second_internal_token,
username=data.username,
token_type=TokenType.internal,
scopes=["read:all"],
created=created,
expires=expires,
name=data.name,
email=data.email,
uid=data.uid,
groups=data.groups,
)
await token_service._token_redis_store.store_data(internal_token_data)
async with factory.session.begin():
await token_service._token_db_store.add(internal_token_data,
service="some-service",
parent=data.token.key)
await token_service._token_cache.clear()
async with factory.session.begin():
dup_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert dup_internal_token in (internal_token, second_internal_token)
# A different scope or a different service results in a new token.
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="some-service",
scopes=["exec:admin"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data,
service="another-service",
scopes=["read:all"],
ip_address="127.0.0.1",
)
assert internal_token != new_internal_token
# Check that the expiration time is capped by creating a user token that
# doesn't expire and then creating a notebook token from it. Use this to
# test a token with empty scopes.
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some token",
scopes=["exec:admin"],
expires=None,
ip_address="127.0.0.1",
)
data = await token_service.get_data(user_token)
assert data
async with factory.session.begin():
new_internal_token = await token_service.get_internal_token(
data, service="some-service", scopes=[], ip_address="127.0.0.1")
assert new_internal_token != internal_token
info = await token_service.get_token_info_unchecked(
new_internal_token.key)
assert info and info.scopes == []
expires = info.created + timedelta(minutes=config.issuer.exp_minutes)
assert info.expires == expires
async def build_history(
setup: SetupTest,
) -> List[TokenChangeHistoryEntry]:
"""Perform a bunch of token manipulations and return the history entries.
Assume that all token manipulations generate the correct history entries,
since that's tested in other tests. The only point of this function is to
build enough history that we can make interesting paginated queries of it.
"""
token_service = setup.factory.create_token_service()
user_info_one = TokenUserInfo(username="******")
token_one = await token_service.create_session_token(
user_info_one,
scopes=["exec:test", "read:all", "user:token"],
ip_address="192.0.2.3",
)
token_data_one = await token_service.get_data(token_one)
assert token_data_one
await token_service.get_internal_token(
token_data_one,
"foo",
scopes=["exec:test", "read:all"],
ip_address="192.0.2.4",
)
internal_token_one_bar = await token_service.get_internal_token(
token_data_one, "bar", scopes=["read:all"], ip_address="192.0.2.3"
)
token_data_internal_one_bar = await token_service.get_data(
internal_token_one_bar
)
assert token_data_internal_one_bar
await token_service.get_internal_token(
token_data_internal_one_bar, "baz", scopes=[], ip_address="10.10.10.10"
)
notebook_token_one = await token_service.get_notebook_token(
token_data_one, ip_address="198.51.100.5"
)
token_data_notebook_one = await token_service.get_data(notebook_token_one)
assert token_data_notebook_one
await token_service.get_internal_token(
token_data_notebook_one,
"foo",
scopes=["exec:test"],
ip_address="10.10.10.20",
)
user_info_two = TokenUserInfo(username="******")
token_two = await token_service.create_session_token(
user_info_two,
scopes=["read:some", "user:token"],
ip_address="192.0.2.20",
)
token_data_two = await token_service.get_data(token_two)
assert token_data_two
user_token_two = await token_service.create_user_token(
token_data_two,
token_data_two.username,
token_name="some token",
scopes=["read:some", "user:token"],
ip_address="192.0.2.20",
)
token_data_user_two = await token_service.get_data(user_token_two)
assert token_data_user_two
await token_service.get_internal_token(
token_data_user_two,
"foo",
scopes=["read:some"],
ip_address="10.10.10.10",
)
assert await token_service.modify_token(
user_token_two.key,
token_data_user_two,
token_data_user_two.username,
ip_address="192.0.2.20",
token_name="happy token",
)
request = AdminTokenRequest(
username="******",
token_type=TokenType.service,
scopes=["admin:token"],
)
service_token = await token_service.create_token_from_admin_request(
request,
TokenData.bootstrap_token(),
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
)
service_token_data = await token_service.get_data(service_token)
assert service_token_data
assert await token_service.modify_token(
user_token_two.key,
service_token_data,
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
scopes=["admin:token", "read:all"],
)
assert await token_service.modify_token(
user_token_two.key,
service_token_data,
ip_address="2001:db8:034a:ea78:4278:4562:6578:af42",
token_name="other name",
expires=current_datetime() + timedelta(days=30),
scopes=["read:all"],
)
assert await token_service.delete_token(
token_one.key,
service_token_data,
username=token_data_one.username,
ip_address="2001:db8:034a:ea78:4278:4562:6578:9876",
)
# Spread out the timestamps so that we can test date range queries. Every
# other entry has the same timestamp as the previous entry to test that
# queries handle entries with the same timestamp.
entries = (
setup.session.query(TokenChangeHistory)
.order_by(TokenChangeHistory.id)
.all()
)
event_time = current_datetime() - timedelta(seconds=len(entries) * 5)
with setup.transaction():
for i, entry in enumerate(entries):
entry.event_time = event_time
if i % 2 != 0:
event_time += timedelta(seconds=5)
history = token_service.get_change_history(service_token_data)
assert history.count == 20
assert len(history.entries) == 20
return history.entries
async def test_expiration(config: Config, factory: ComponentFactory) -> None:
"""The cache is valid until half the lifetime of the child token."""
token_data = await create_session_token(factory, scopes=["read:all"])
lifetime = config.token_lifetime
now = current_datetime()
redis = await redis_dependency()
logger = structlog.get_logger(config.safir.logger_name)
storage = RedisStorage(TokenData, config.session_secret, redis)
token_store = TokenRedisStore(storage, logger)
token_cache = factory.create_token_cache_service()
# Store a token whose expiration is five seconds more than half the
# typical token lifetime in the future and cache that token as an internal
# token for our session token.
created = now - timedelta(seconds=lifetime.total_seconds() // 2)
expires = created + lifetime + timedelta(seconds=5)
internal_token_data = TokenData(
token=Token(),
username=token_data.username,
token_type=TokenType.internal,
scopes=["read:all"],
created=created,
expires=expires,
)
await token_store.store_data(internal_token_data)
token_cache.store_internal_token(internal_token_data.token, token_data,
"some-service", ["read:all"])
# The cache should return this token.
assert internal_token_data.token == await token_cache.get_internal_token(
token_data, "some-service", ["read:all"], "127.0.0.1")
# Now change the expiration to be ten seconds earlier, which should make
# the remaining lifetime less than half the total lifetime, and replace
# replace the stored token with that new version.
internal_token_data.expires = expires - timedelta(seconds=20)
await token_store.store_data(internal_token_data)
# The cache should now decline to return the token and generate a new one.
old_token = internal_token_data.token
async with factory.session.begin():
assert old_token != await token_cache.get_internal_token(
token_data, "some-service", ["read:all"], "127.0.0.1")
# Do the same test with a notebook token.
notebook_token_data = TokenData(
token=Token(),
username=token_data.username,
token_type=TokenType.notebook,
scopes=["read:all"],
created=created,
expires=expires,
)
await token_store.store_data(notebook_token_data)
token_cache.store_notebook_token(notebook_token_data.token, token_data)
assert notebook_token_data.token == await token_cache.get_notebook_token(
token_data, "127.0.0.1")
notebook_token_data.expires = expires - timedelta(seconds=20)
await token_store.store_data(notebook_token_data)
old_token = notebook_token_data.token
async with factory.session.begin():
assert old_token != await token_cache.get_notebook_token(
token_data, "127.0.0.1")
async def test_modify(
factory: ComponentFactory,
mock_kubernetes: MockKubernetesApi,
caplog: LogCaptureFixture,
) -> None:
await create_test_service_tokens(mock_kubernetes)
kubernetes_service = factory.create_kubernetes_service(MagicMock())
token_service = factory.create_token_service()
# Valid secret but with a bogus token.
secret = V1Secret(
api_version="v1",
kind="Secret",
data={"token": "bogus"},
metadata=V1ObjectMeta(name="gafaelfawr-secret", namespace="mobu"),
type="Opaque",
)
await mock_kubernetes.create_namespaced_secret("mobu", secret)
# Valid secret but with a nonexistent token.
secret = V1Secret(
api_version="v1",
kind="Secret",
data={"token": token_as_base64(Token())},
metadata=V1ObjectMeta(
name="gafaelfawr",
namespace="nublado2",
labels={
"foo": "bar",
"other": "blah",
},
annotations={
"argocd.argoproj.io/compare-options": "IgnoreExtraneous",
"argocd.argoproj.io/sync-options": "Prune=false",
},
),
type="Opaque",
)
await mock_kubernetes.create_namespaced_secret("nublado2", secret)
# Update the secrets. This should replace both with fresh secrets.
await kubernetes_service.update_service_tokens()
await assert_kubernetes_secrets_are_correct(factory, mock_kubernetes)
# Check the logging.
assert parse_log(caplog) == [
{
"event": "Created new service token",
"key": ANY,
"severity": "info",
"token_scope": "admin:token",
"token_username": "******",
},
{
"event": "Updated mobu/gafaelfawr-secret secret",
"scopes": ["admin:token"],
"severity": "info",
"service": "mobu",
},
{
"event": "Created new service token",
"key": ANY,
"severity": "info",
"token_scope": "",
"token_username": "******",
},
{
"event": "Updated nublado2/gafaelfawr secret",
"scopes": [],
"severity": "info",
"service": "nublado-hub",
},
]
# Replace one secret with a valid token for the wrong service.
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
AdminTokenRequest(
username="******",
token_type=TokenType.service,
scopes=["admin:token"],
),
TokenData.internal_token(),
ip_address=None,
)
secret = V1Secret(
api_version="v1",
kind="Secret",
data={"token": token_as_base64(token)},
metadata=V1ObjectMeta(name="gafaelfawr-secret", namespace="mobu"),
type="Opaque",
)
await mock_kubernetes.replace_namespaced_secret(
"gafaelfawr-secret", "mobu", secret
)
# Replace the other token with a valid token with the wrong scopes.
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
AdminTokenRequest(
username="******",
token_type=TokenType.service,
scopes=["read:all"],
),
TokenData.internal_token(),
ip_address=None,
)
secret = V1Secret(
api_version="v1",
kind="Secret",
data={"token": token_as_base64(token)},
metadata=V1ObjectMeta(name="gafaelfawr", namespace="nublado2"),
type="Opaque",
)
await mock_kubernetes.replace_namespaced_secret(
"gafaelfawr", "nublado2", secret
)
# Update the secrets. This should create new tokens for both.
await kubernetes_service.update_service_tokens()
await assert_kubernetes_secrets_are_correct(factory, mock_kubernetes)
nublado_secret = await mock_kubernetes.read_namespaced_secret(
"gafaelfawr", "nublado2"
)
# Finally, replace a secret with one with no token.
secret = V1Secret(
api_version="v1",
data={},
metadata=V1ObjectMeta(name="gafaelfawr-secret", namespace="mobu"),
type="Opaque",
)
await mock_kubernetes.replace_namespaced_secret(
"gafaelfawr-secret", "mobu", secret
)
# Update the secrets. This should create a new token for the first secret
# but not for the second.
await kubernetes_service.update_service_tokens()
await assert_kubernetes_secrets_are_correct(
factory, mock_kubernetes, is_fresh=False
)
assert nublado_secret == await mock_kubernetes.read_namespaced_secret(
"gafaelfawr", "nublado2"
)
async def get_notebook_token(self, token_data: TokenData,
ip_address: str) -> Token:
"""Get or create a new notebook token.
The new token will have the same expiration time as the existing token
on which it's based unless that expiration time is longer than the
expiration time of normal interactive tokens, in which case it will be
capped at the interactive token expiration time.
Parameters
----------
token_data : `gafaelfawr.models.token.TokenData`
The authentication data on which to base the new token.
ip_address : `str`
The IP address from which the request came.
Returns
-------
token : `gafaelfawr.models.token.Token`
The newly-created token.
Raises
------
gafaelfawr.exceptions.PermissionDeniedError
If the username is invalid.
"""
self._validate_username(token_data.username)
# See if there is a cached token.
token = await self._token_cache.get_notebook_token(token_data)
if token:
return token
# See if there's already a matching notebook token.
key = self._token_db_store.get_notebook_token_key(
token_data, self._minimum_expiration(token_data))
if key:
data = await self._token_redis_store.get_data_by_key(key)
if data:
self._token_cache.store_notebook_token(data.token, token_data)
return data.token
# There is not, so we need to create a new one.
token = Token()
created = current_datetime()
expires = created + self._config.token_lifetime
if token_data.expires and token_data.expires < expires:
expires = token_data.expires
data = TokenData(
token=token,
username=token_data.username,
token_type=TokenType.notebook,
scopes=token_data.scopes,
created=created,
expires=expires,
name=token_data.name,
email=token_data.email,
uid=token_data.uid,
groups=token_data.groups,
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.notebook,
parent=token_data.token.key,
scopes=data.scopes,
expires=expires,
actor=token_data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await self._token_redis_store.store_data(data)
with self._transaction_manager.transaction():
self._token_db_store.add(data, parent=token_data.token.key)
self._token_change_store.add(history_entry)
# Cache the token and return it.
self._logger.info("Created new notebook token", key=token.key)
self._token_cache.store_notebook_token(token, token_data)
return token
async def create_token_from_admin_request(
self,
request: AdminTokenRequest,
auth_data: TokenData,
*,
ip_address: Optional[str],
) -> Token:
"""Create a new service or user token from an admin request.
Parameters
----------
request : `gafaelfawr.models.token.AdminTokenRequest`
The incoming request.
auth_data : `gafaelfawr.models.token.TokenData`
The data for the authenticated user making the request.
ip_address : `str` or `None`
The IP address from which the request came, or `None` for internal
requests by Gafaelfawr.
Returns
-------
token : `gafaelfawr.models.token.Token`
The newly-created token.
Raises
------
gafaelfawr.exceptions.PermissionDeniedError
If the provided username is invalid.
"""
self._check_authorization(request.username,
auth_data,
require_admin=True)
self._validate_username(request.username)
self._validate_scopes(request.scopes)
self._validate_expires(request.expires)
token = Token()
created = current_datetime()
data = TokenData(
token=token,
username=request.username,
token_type=request.token_type,
scopes=request.scopes,
created=created,
expires=request.expires,
name=request.name,
email=request.email,
uid=request.uid,
groups=request.groups,
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=data.token_type,
token_name=request.token_name,
scopes=data.scopes,
expires=request.expires,
actor=auth_data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await self._token_redis_store.store_data(data)
with self._transaction_manager.transaction():
self._token_db_store.add(data, token_name=request.token_name)
self._token_change_store.add(history_entry)
if data.token_type == TokenType.user:
self._logger.info(
"Created new user token",
key=token.key,
token_name=request.token_name,
token_scope=",".join(data.scopes),
token_username=data.username,
)
else:
self._logger.info(
"Created new service token",
key=token.key,
token_scope=",".join(data.scopes),
token_username=data.username,
)
return token
async def create_user_token(
self,
auth_data: TokenData,
username: str,
*,
token_name: str,
scopes: List[str],
expires: Optional[datetime] = None,
ip_address: str,
) -> Token:
"""Add a new user token.
Parameters
----------
auth_data : `gafaelfawr.models.token.TokenData`
The token data for the authentication token of the user creating
a user token.
username : `str`
The username for which to create a token.
token_name : `str`
The name of the token.
scopes : List[`str`]
The scopes of the token.
expires : `datetime` or `None`
When the token should expire. If not given, defaults to the
expiration of the authentication token taken from ``data``.
ip_address : `str`
The IP address from which the request came.
Returns
-------
token : `gafaelfawr.models.token.Token`
The newly-created token.
Raises
------
gafaelfawr.exceptions.DuplicateTokenNameError
A token with this name for this user already exists.
gafaelfawr.exceptions.InvalidExpiresError
The provided expiration time was invalid.
gafaelfawr.exceptions.PermissionDeniedError
If the given username didn't match the user information in the
authentication token, or if the specified username is invalid.
Notes
-----
This can only be used by the user themselves, not by a token
administrator, because this API does not provide a way to set the
additional user information for the token. Once the user information
no longer needs to be tracked by the token system, it can be unified
with ``create_token_from_admin_request``.
"""
self._check_authorization(username, auth_data, require_same_user=True)
self._validate_username(username)
self._validate_expires(expires)
self._validate_scopes(scopes, auth_data)
scopes = sorted(scopes)
token = Token()
created = current_datetime()
data = TokenData(
token=token,
username=username,
token_type=TokenType.user,
scopes=scopes,
created=created,
expires=expires,
name=auth_data.name,
email=auth_data.email,
uid=auth_data.uid,
groups=auth_data.groups,
)
history_entry = TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.user,
token_name=token_name,
scopes=scopes,
expires=expires,
actor=auth_data.username,
action=TokenChange.create,
ip_address=ip_address,
event_time=created,
)
await self._token_redis_store.store_data(data)
with self._transaction_manager.transaction():
self._token_db_store.add(data, token_name=token_name)
self._token_change_store.add(history_entry)
self._logger.info(
"Created new user token",
key=token.key,
token_name=token_name,
token_scope=",".join(data.scopes),
)
return token
async def test_notebook_token(setup: SetupTest) -> None:
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[TokenGroup(name="foo", id=1000)],
)
token_service = setup.factory.create_token_service()
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
token = await token_service.get_notebook_token(data, ip_address="1.0.0.1")
assert await token_service.get_user_info(token) == user_info
info = token_service.get_token_info_unchecked(token.key)
assert info and info == TokenInfo(
token=token.key,
username=user_info.username,
token_type=TokenType.notebook,
scopes=["exec:admin", "read:all", "user:token"],
created=info.created,
last_used=None,
expires=data.expires,
parent=session_token.key,
)
assert_is_now(info.created)
assert await token_service.get_data(token) == TokenData(
token=token,
username=user_info.username,
token_type=TokenType.notebook,
scopes=["exec:admin", "read:all", "user:token"],
created=info.created,
expires=data.expires,
name=user_info.name,
uid=user_info.uid,
groups=user_info.groups,
)
# Creating another notebook token from the same parent token just returns
# the same notebook token as before.
new_token = await token_service.get_notebook_token(
data, ip_address="127.0.0.1"
)
assert token == new_token
history = token_service.get_change_history(
data, token=token.key, username=data.username
)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.notebook,
parent=data.token.key,
scopes=["exec:admin", "read:all", "user:token"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="1.0.0.1",
event_time=info.created,
)
]
# Check that the expiration time is capped by creating a user token that
# doesn't expire and then creating a notebook token from it.
user_token = await token_service.create_user_token(
data,
data.username,
token_name="some token",
scopes=[],
expires=None,
ip_address="127.0.0.1",
)
data = await token_service.get_data(user_token)
assert data
new_token = await token_service.get_notebook_token(
data, ip_address="127.0.0.1"
)
assert new_token != token
info = token_service.get_token_info_unchecked(new_token.key)
assert info
expires = info.created + timedelta(minutes=setup.config.issuer.exp_minutes)
assert info.expires == expires
async def test_token_from_admin_request(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
token = await token_service.create_session_token(
user_info, scopes=[], ip_address="127.0.0.1")
data = await token_service.get_data(token)
assert data
expires = current_datetime() + timedelta(days=2)
request = AdminTokenRequest(
username="******",
token_type=TokenType.user,
token_name="some token",
scopes=["read:all"],
expires=expires,
name="Other User",
uid=1345,
groups=[TokenGroup(name="some-group", id=4133)],
)
# Cannot create a token via admin request because the authentication
# information is missing the admin:token scope.
with pytest.raises(PermissionDeniedError):
await token_service.create_token_from_admin_request(
request, data, ip_address="127.0.0.1")
# Get a token with an appropriate scope.
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info, scopes=["admin:token"], ip_address="127.0.0.1")
admin_data = await token_service.get_data(session_token)
assert admin_data
# Test a few more errors.
request.scopes = ["bogus:scope"]
with pytest.raises(InvalidScopesError):
await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
request.scopes = ["read:all"]
request.expires = current_datetime()
with pytest.raises(InvalidExpiresError):
await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
request.expires = expires
# Try a successful request.
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
user_data = await token_service.get_data(token)
assert user_data and user_data == TokenData(
token=token, created=user_data.created, **request.dict())
assert_is_now(user_data.created)
async with factory.session.begin():
history = await token_service.get_change_history(
admin_data, token=token.key, username=request.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=request.username,
token_type=TokenType.user,
token_name=request.token_name,
scopes=["read:all"],
expires=request.expires,
actor=admin_data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=user_data.created,
)
]
# Non-admins can't see other people's tokens.
with pytest.raises(PermissionDeniedError):
await token_service.get_change_history(data,
token=token.key,
username=request.username)
# Now request a service token with minimal data instead.
request = AdminTokenRequest(username="******",
token_type=TokenType.service)
async with factory.session.begin():
token = await token_service.create_token_from_admin_request(
request, admin_data, ip_address="127.0.0.1")
service_data = await token_service.get_data(token)
assert service_data and service_data == TokenData(
token=token, created=service_data.created, **request.dict())
assert_is_now(service_data.created)
async with factory.session.begin():
history = await token_service.get_change_history(
admin_data, token=token.key, username=request.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=request.username,
token_type=TokenType.service,
scopes=[],
expires=None,
actor=admin_data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=service_data.created,
)
]
async def test_session_token(config: Config,
factory: ComponentFactory) -> None:
token_service = factory.create_token_service()
user_info = TokenUserInfo(
username="******",
name="Example Person",
uid=4137,
groups=[
TokenGroup(name="group", id=1000),
TokenGroup(name="another", id=3134),
],
)
async with factory.session.begin():
token = await token_service.create_session_token(
user_info, scopes=["user:token"], ip_address="127.0.0.1")
data = await token_service.get_data(token)
assert data and data == TokenData(
token=token,
username="******",
token_type=TokenType.session,
scopes=["user:token"],
created=data.created,
expires=data.expires,
name="Example Person",
uid=4137,
groups=[
TokenGroup(name="group", id=1000),
TokenGroup(name="another", id=3134),
],
)
assert_is_now(data.created)
expires = data.created + timedelta(minutes=config.issuer.exp_minutes)
assert data.expires == expires
async with factory.session.begin():
info = await token_service.get_token_info_unchecked(token.key)
assert info and info == TokenInfo(
token=token.key,
username=user_info.username,
token_name=None,
token_type=TokenType.session,
scopes=data.scopes,
created=int(data.created.timestamp()),
last_used=None,
expires=int(data.expires.timestamp()),
parent=None,
)
assert await token_service.get_user_info(token) == user_info
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=token.key,
username=data.username,
token_type=TokenType.session,
scopes=["user:token"],
expires=data.expires,
actor=data.username,
action=TokenChange.create,
ip_address="127.0.0.1",
event_time=data.created,
)
]
# Test a session token with scopes.
async with factory.session.begin():
token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(token)
assert data and data.scopes == ["exec:admin", "read:all"]
info = await token_service.get_token_info_unchecked(token.key)
assert info and info.scopes == ["exec:admin", "read:all"]
async def authenticate(self,
context: RequestContext,
x_csrf_token: Optional[str] = None) -> TokenData:
"""Authenticate the request.
Always check the user's cookie-based session first before checking the
``Authorization`` header because some applications (JupyterHub, for
instance) may use the ``Authorization`` header for their own purposes.
If the request was authenticated via a browser cookie rather than a
provided ``Authorization`` header, and the method was something other
than ``GET`` or ``OPTIONS``, require and verify the CSRF header as
well.
Parameters
----------
context : `gafaelfawr.dependencies.context.RequestContext`
The request context.
x_csrf_token : `str`, optional
The value of the ``X-CSRF-Token`` header, if provided.
Returns
-------
data : `gafaelfawr.models.token.TokenData`
The data associated with the verified token.
Raises
------
fastapi.HTTPException
If authentication is not provided or is not valid.
"""
token = context.state.token
if token:
context.rebind_logger(token_source="cookie")
self._verify_csrf(context, x_csrf_token)
elif not self.require_session:
try:
token_str = parse_authorization(context)
if token_str:
token = Token.from_str(token_str)
except (InvalidRequestError, InvalidTokenError) as e:
raise generate_challenge(context, self.auth_type, e)
if not token:
raise self._redirect_or_error(context)
if self.allow_bootstrap_token:
if token == context.config.bootstrap_token:
bootstrap_data = TokenData.bootstrap_token()
context.rebind_logger(
token="<bootstrap>",
user="******",
scope=" ".join(sorted(bootstrap_data.scopes)),
)
context.logger.info("Authenticated with bootstrap token")
return bootstrap_data
token_service = context.factory.create_token_service()
data = await token_service.get_data(token)
if not data:
if context.state.token:
raise self._redirect_or_error(context)
else:
exc = InvalidTokenError("Token is not valid")
raise generate_challenge(context, self.auth_type, exc)
context.rebind_logger(
token=token.key,
user=data.username,
scope=" ".join(sorted(data.scopes)),
)
if self.require_scope and self.require_scope not in data.scopes:
msg = f"Token does not have required scope {self.require_scope}"
context.logger.info("Permission denied", error=msg)
raise PermissionDeniedError(msg)
return data
async def test_user_token(factory: ComponentFactory) -> None:
user_info = TokenUserInfo(username="******",
name="Example Person",
uid=4137)
token_service = factory.create_token_service()
async with factory.session.begin():
session_token = await token_service.create_session_token(
user_info,
scopes=["read:all", "exec:admin", "user:token"],
ip_address="127.0.0.1",
)
data = await token_service.get_data(session_token)
assert data
expires = current_datetime() + timedelta(days=2)
# Scopes are provided not in sorted order to ensure they're sorted when
# creating the token.
async with factory.session.begin():
user_token = await token_service.create_user_token(
data,
"example",
token_name="some-token",
scopes=["read:all", "exec:admin"],
expires=expires,
ip_address="192.168.0.1",
)
assert await token_service.get_user_info(user_token) == user_info
info = await token_service.get_token_info_unchecked(user_token.key)
assert info and info == TokenInfo(
token=user_token.key,
username=user_info.username,
token_name="some-token",
token_type=TokenType.user,
scopes=["exec:admin", "read:all"],
created=info.created,
last_used=None,
expires=int(expires.timestamp()),
parent=None,
)
assert_is_now(info.created)
assert await token_service.get_data(user_token) == TokenData(
token=user_token,
username=user_info.username,
token_type=TokenType.user,
scopes=["exec:admin", "read:all"],
created=info.created,
expires=info.expires,
name=user_info.name,
uid=user_info.uid,
)
async with factory.session.begin():
history = await token_service.get_change_history(
data, token=user_token.key, username=data.username)
assert history.entries == [
TokenChangeHistoryEntry(
token=user_token.key,
username=data.username,
token_type=TokenType.user,
token_name="some-token",
scopes=["exec:admin", "read:all"],
expires=info.expires,
actor=data.username,
action=TokenChange.create,
ip_address="192.168.0.1",
event_time=info.created,
)
]
async def test_modify(setup: SetupTest, mock_kubernetes: MockCoreV1Api,
caplog: LogCaptureFixture) -> None:
assert setup.config.kubernetes
assert len(setup.config.kubernetes.service_secrets) >= 2
service_secret_one = setup.config.kubernetes.service_secrets[0]
service_secret_two = setup.config.kubernetes.service_secrets[1]
kubernetes_service = setup.factory.create_kubernetes_service()
token_service = setup.factory.create_token_service()
# Secret that shouldn't exist.
secret = V1Secret(
api_version="v1",
data={"token": "bogus"},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name="foo",
namespace="bar",
),
type="Opaque",
)
mock_kubernetes.create_namespaced_secret("bar", secret)
# Valid secret but with a bogus token.
secret = V1Secret(
api_version="v1",
data={"token": "bogus"},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=service_secret_one.secret_name,
namespace=service_secret_one.secret_namespace,
),
type="Opaque",
)
mock_kubernetes.create_namespaced_secret(
service_secret_one.secret_namespace, secret)
# Valid secret but with a nonexistent token.
secret = V1Secret(
api_version="v1",
data={"token": token_as_base64(Token())},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=service_secret_two.secret_name,
namespace=service_secret_two.secret_namespace,
),
type="Opaque",
)
mock_kubernetes.create_namespaced_secret(
service_secret_two.secret_namespace, secret)
# Update the secrets. This should delete the secret that shouldn't exist
# and update the two that should with fresh secrets.
await kubernetes_service.update_service_secrets()
await assert_kubernetes_secrets_match_config(setup, mock_kubernetes)
# Check the logging.
expected = [
{
"event": "Deleted bar/foo secret",
"level": "info",
"logger": "gafaelfawr",
},
{
"event": "Created new service token",
"key": ANY,
"level": "info",
"logger": "gafaelfawr",
"token_scope": ",".join(service_secret_one.scopes),
"token_username": service_secret_one.service,
},
{
"event": (f"Updated {service_secret_one.secret_namespace}"
f"/{service_secret_one.secret_name} secret"),
"level":
"info",
"logger":
"gafaelfawr",
"scopes":
service_secret_one.scopes,
"service":
service_secret_one.service,
},
{
"event": "Created new service token",
"key": ANY,
"level": "info",
"logger": "gafaelfawr",
"token_scope": ",".join(service_secret_two.scopes),
"token_username": service_secret_two.service,
},
{
"event": (f"Updated {service_secret_two.secret_namespace}"
f"/{service_secret_two.secret_name} secret"),
"level":
"info",
"logger":
"gafaelfawr",
"scopes":
service_secret_two.scopes,
"service":
service_secret_two.service,
},
]
assert [json.loads(r[2]) for r in caplog.record_tuples] == expected
# Replace one secret with a valid token for the wrong service.
token = await token_service.create_token_from_admin_request(
AdminTokenRequest(
username="******",
token_type=TokenType.service,
scopes=service_secret_one.scopes,
),
TokenData.internal_token(),
ip_address=None,
)
secret = V1Secret(
api_version="v1",
data={"token": token_as_base64(token)},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=service_secret_one.secret_name,
namespace=service_secret_one.secret_namespace,
),
type="Opaque",
)
mock_kubernetes.delete_namespaced_secret(
service_secret_one.secret_name, service_secret_one.secret_namespace)
mock_kubernetes.create_namespaced_secret(
service_secret_one.secret_namespace, secret)
# Replace the other token with a valid token with the wrong scopes.
token = await token_service.create_token_from_admin_request(
AdminTokenRequest(
username=service_secret_two.service,
token_type=TokenType.service,
scopes=["read:all"],
),
TokenData.internal_token(),
ip_address=None,
)
secret = V1Secret(
api_version="v1",
data={"token": token_as_base64(token)},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=service_secret_two.secret_name,
namespace=service_secret_two.secret_namespace,
),
type="Opaque",
)
mock_kubernetes.delete_namespaced_secret(
service_secret_two.secret_name, service_secret_two.secret_namespace)
mock_kubernetes.create_namespaced_secret(
service_secret_two.secret_namespace, secret)
# Update the secrets. This should create new tokens for both.
await kubernetes_service.update_service_secrets()
await assert_kubernetes_secrets_match_config(setup, mock_kubernetes)
# Finally, replace a secret with one with no token.
secret = V1Secret(
api_version="v1",
data={},
metadata=V1ObjectMeta(
labels={KUBERNETES_TOKEN_TYPE_LABEL: "service"},
name=service_secret_one.secret_name,
namespace=service_secret_one.secret_namespace,
),
type="Opaque",
)
mock_kubernetes.delete_namespaced_secret(
service_secret_one.secret_name, service_secret_one.secret_namespace)
mock_kubernetes.create_namespaced_secret(
service_secret_one.secret_namespace, secret)
# Update the secrets. This should create a new token for the first secret
# but not for the second.
await kubernetes_service.update_service_secrets()
await assert_kubernetes_secrets_match_config(setup,
mock_kubernetes,
is_fresh=False)
