Merge pull request #97 from ssl-hep:oauth

Authenticate with ServiceX API token

Author: gordonwatts

.vscode/settings.json

@@ -18,6 +18,7 @@
         "SXPASS",
         "SXTYPE",
         "SXUSER",
+        "SXTOKEN",
         "Servivce",
         "Topo",
         "accesskey",

README.md

@@ -33,13 +33,14 @@ The API access information is normally placed in a `.servicex` file (to keep thi
    directory on Windows).
 1. The `config_defaults.yaml` file distributed with the `servicex` package.
 
-Create a `.servicex` file, in the `yaml` format, in the appropriate place for your work that contains the following:
+If no endpoint is specified, then the library defaults to the developer endpoint, which is `http://localhost:5000` for the web-service API, and `localhost:9000` for the `minio` endpoint. No passwords are required.
+
+Create a `.servicex` file, in the `yaml` format, in the appropriate place for your work that contains the following (for the `xaod` backend; use `uproot` for the uproot backend):
 
 ```yaml
 api_endpoints:
-  - endpoint: <your-endpoint-url>
-    email: <api-email>
-    password: <api-password>
+  - endpoint: <your-endpoint>
+    token: <api-token>
     type: xaod
 ```
 

servicex/config_default.yaml

@@ -3,8 +3,7 @@
 
 api_endpoints:
   - endpoint: http://localhost:5000
-    # email: xxx
-    # password: yyy
+    # token: xxx
 
 # These are default settings, depreciated, and should not be used.
 # They will be removed in the next version.

servicex/minio_adaptor.py

@@ -44,17 +44,19 @@ class MinioAdaptor:
     # uses blocking http requests, so we can't use asyncio to interleave them.
     _download_executor = ThreadPoolExecutor(max_workers=5)
 
-    def __init__(self, mino_endpoint: str,
+    def __init__(self, minio_endpoint: str,
+                 secured: bool = False,
                  access_key: str = 'miniouser',
                  secretkey: str = 'leftfoot1'):
-        self._endpoint = mino_endpoint
+        self._endpoint = minio_endpoint
+        self._secured = secured
         self._access_key = access_key
         self._secretkey = secretkey
 
         self._client = Minio(self._endpoint,
                              access_key=self._access_key,
                              secret_key=self._secretkey,
-                             secure=False)
+                             secure=self._secured)
 
     @on_exception(backoff.constant, ResponseError, interval=0.1)
     def get_files(self, request_id):
@@ -118,7 +120,7 @@ def __init__(self, c: Optional[ConfigView] = None,
         if self._always is None and c is not None:
             self._config_adaptor = self._from_config(c)
 
-    def from_best(self, transation_info: Optional[Dict[str, str]] = None) -> MinioAdaptor:
+    def from_best(self, transaction_info: Optional[Dict[str, str]] = None) -> MinioAdaptor:
         '''Using the information we have, create the proper Minio Adaptor with the correct
         endpoint and login information. Order of adaptor generation:
 
@@ -136,14 +138,14 @@ def from_best(self, transation_info: Optional[Dict[str, str]] = None) -> MinioAd
         if self._always is not None:
             logging.getLogger(__name__).debug('Using the pre-defined minio_adaptor')
             return self._always
-        if transation_info is not None:
-            if 'minio-endpoint' in transation_info \
-                    and 'minio-access-key' in transation_info \
-                    and 'minio-secret-key' in transation_info:
+        if transaction_info is not None:
+            keys = ['minio-endpoint', 'minio-secured', 'minio-access-key', 'minio-secret-key']
+            if all(k in transaction_info for k in keys):
                 logging.getLogger(__name__).debug('Using the request-specific minio_adaptor')
-                return MinioAdaptor(transation_info['minio-endpoint'],
-                                    transation_info['minio-access-key'],
-                                    transation_info['minio-secret-key'])
+                return MinioAdaptor(transaction_info['minio-endpoint'],
+                                    transaction_info['minio-secured'],
+                                    transaction_info['minio-access-key'],
+                                    transaction_info['minio-secret-key'])
         if self._config_adaptor is not None:
             logging.getLogger(__name__).debug('Using the config-file minio_adaptor')
             return self._config_adaptor

servicex/servicex.py

@@ -107,8 +107,8 @@ def __init__(self,
 
         if not servicex_adaptor:
             # Given servicex adaptor is none, this should be ok. Fixes type checkers
-            end_point, email, password = config.get_servicex_adaptor_config(backend_type)
-            servicex_adaptor = ServiceXAdaptor(end_point, email, password)
+            end_point, token = config.get_servicex_adaptor_config(backend_type)
+            servicex_adaptor = ServiceXAdaptor(end_point, token)
         self._servicex_adaptor = servicex_adaptor
 
         if not minio_adaptor:

servicex/servicex_adaptor.py

@@ -21,41 +21,32 @@
 
 # Low level routines for interacting with a ServiceX instance via the WebAPI
 class ServiceXAdaptor:
-    def __init__(self, endpoint, email=None, password=None):
+    def __init__(self, endpoint, refresh_token=None):
         '''
         Authenticated access to ServiceX
         '''
         self._endpoint = endpoint
-        self._email = email
-        self._password = password
-
         self._token = None
-        self._refresh_token = None
-
-    async def _login(self, client: aiohttp.ClientSession):
-        url = f'{self._endpoint}/login'
-        async with client.post(url, json={
-            'email': self._email,
-            'password': self._password
-        }) as response:
+        self._refresh_token = refresh_token
+
+    async def _get_token(self, client: aiohttp.ClientSession):
+        url = f'{self._endpoint}/token/refresh'
+        headers = {'Authorization': f'Bearer {self._refresh_token}'}
+        async with client.post(url, headers=headers, json=None) as response:
             status = response.status
             if status == 200:
                 j = await response.json()
                 self._token = j['access_token']
-                self._refresh_token = j['refresh_token']
             else:
-                raise ServiceXException(f'ServiceX login request rejected: {status}')
+                raise ServiceXException(f'ServiceX access token request rejected: {status}')
 
     async def _get_authorization(self, client: aiohttp.ClientSession):
-        if self._email:
-            now = datetime.utcnow().timestamp()
-            if not self._token or jwt.decode(self._token, verify=False)['exp'] - now < 0:
-                await self._login(client)
-            return {
-                'Authorization': f'Bearer {self._token}'
-            }
-        else:
+        if not self._refresh_token:
             return {}
+        now = datetime.utcnow().timestamp()
+        if not self._token or jwt.decode(self._token, verify=False)['exp'] - now < 0:
+            await self._get_token(client)
+        return {'Authorization': f'Bearer {self._token}'}
 
     async def submit_query(self, client: aiohttp.ClientSession,
                            json_query: Dict[str, str]) -> Dict[str, str]:

servicex/servicex_config.py

@@ -82,7 +82,7 @@ def find_in_list(c, key) -> Optional[str]:
         return a
 
     def get_servicex_adaptor_config(self, backend_type: Optional[str] = None) -> \
-            Tuple[str, Optional[str], Optional[str]]:
+            Tuple[str, Optional[str]]:
         '''Return the servicex (endpoint, username, email) from a given backend configuration.
 
         Args:
@@ -97,14 +97,12 @@ def get_servicex_adaptor_config(self, backend_type: Optional[str] = None) -> \
         # It is an error if this is not specified somewhere.
         endpoints = self._settings['api_endpoints']
 
-        def extract_info(ep) -> Tuple[str, Optional[str], Optional[str]]:
+        def extract_info(ep) -> Tuple[str, Optional[str]]:
             endpoint = ep['endpoint'].as_str_expanded()
-            email = ep['email'].as_str_expanded() if 'email' in ep else None
-            password = ep['password'].as_str_expanded() if 'password' in ep \
-                else None
+            token = ep['token'].as_str_expanded() if 'token' in ep else None
 
             # We can default these to "None"
-            return (endpoint, email, password)  # type: ignore
+            return (endpoint, token)  # type: ignore
 
         # If we have a good name, look for exact match
         if backend_type is not None:

tests/test_minio_adaptor.py

@@ -231,10 +231,12 @@ def test_factory_from_request():
     info = {
         'minio-access-key': 'miniouser',
         'minio-endpoint': 'minio.servicex.com:9000',
+        'minio-secured': False,
         'minio-secret-key': 'leftfoot1',
     }
     m = MinioAdaptorFactory().from_best(info)
     assert m._endpoint == 'minio.servicex.com:9000'
+    assert not m._secured
     assert m._access_key == "miniouser"
     assert m._secretkey == "leftfoot1"
 

tests/test_servicex.py

@@ -32,7 +32,7 @@ def test_default_ctor(mocker):
     '''
     config = mocker.MagicMock(spec=ServiceXConfigAdaptor)
     config.settings = Configuration('servicex', 'servicex')
-    config.get_servicex_adaptor_config.return_value = ('http://no-way.dude', 'j@yaol.com',
+    config.get_servicex_adaptor_config.return_value = ('http://no-way.dude',
                                                        'no_spoon_there_is')
 
     fe.ServiceXDataset('localds://dude', "uproot-ftw", config_adaptor=config)
@@ -47,7 +47,7 @@ def test_default_ctor_no_type(mocker):
     '''
     config = mocker.MagicMock(spec=ServiceXConfigAdaptor)
     config.settings = Configuration('servicex', 'servicex')
-    config.get_servicex_adaptor_config.return_value = ('http://no-way.dude', 'j@yaol.com',
+    config.get_servicex_adaptor_config.return_value = ('http://no-way.dude',
                                                        'no_spoon_there_is')
 
     fe.ServiceXDataset('localds://dude', config_adaptor=config)