arize-phoenix 4.24.0__py3-none-any.whl → 4.26.0__py3-none-any.whl

phoenix/server/api/mutations/api_key_mutations.py

@@ -0,0 +1,119 @@
+from datetime import datetime
+from typing import Any, Dict, Optional
+
+import jwt
+import strawberry
+from sqlalchemy import insert, select
+from strawberry import UNSET
+from strawberry.types import Info
+
+from phoenix.db import models
+from phoenix.server.api.context import Context
+from phoenix.server.api.mutations.auth import HasSecret, IsAuthenticated
+from phoenix.server.api.queries import Query
+from phoenix.server.api.types.SystemApiKey import SystemApiKey
+
+
+@strawberry.type
+class CreateSystemApiKeyMutationPayload:
+    jwt: str
+    api_key: SystemApiKey
+    query: Query
+
+
+@strawberry.input
+class CreateApiKeyInput:
+    name: str
+    description: Optional[str] = UNSET
+    expires_at: Optional[datetime] = UNSET
+
+
+@strawberry.type
+class ApiKeyMutationMixin:
+    @strawberry.mutation(permission_classes=[HasSecret, IsAuthenticated])  # type: ignore
+    async def create_system_api_key(
+        self, info: Info[Context, None], input: CreateApiKeyInput
+    ) -> CreateSystemApiKeyMutationPayload:
+        # TODO(auth): safe guard against auth being disabled and secret not being set
+        async with info.context.db() as session:
+            # Get the system user - note this could be pushed into a dataloader
+            system_user = await session.scalar(
+                select(models.User)
+                .join(models.UserRole)  # Join User with UserRole
+                .where(models.UserRole.name == "SYSTEM")  # Filter where role is SYSTEM
+                .limit(1)
+            )
+            if system_user is None:
+                raise ValueError("System user not found")
+
+            insert_stmt = (
+                insert(models.APIKey)
+                .values(
+                    user_id=system_user.id,
+                    name=input.name,
+                    description=input.description or None,
+                    expires_at=input.expires_at or None,
+                )
+                .returning(models.APIKey)
+            )
+            api_key = await session.scalar(insert_stmt)
+            assert api_key is not None
+
+        encoded_jwt = create_jwt(
+            secret=info.context.get_secret(),
+            name=api_key.name,
+            id=api_key.id,
+            description=api_key.description,
+            iat=api_key.created_at,
+            exp=api_key.expires_at,
+        )
+        return CreateSystemApiKeyMutationPayload(
+            jwt=encoded_jwt,
+            api_key=SystemApiKey(
+                id_attr=api_key.id,
+                name=api_key.name,
+                description=api_key.description,
+                created_at=api_key.created_at,
+                expires_at=api_key.expires_at,
+            ),
+            query=Query(),
+        )
+
+
+def create_jwt(
+    *,
+    secret: str,
+    algorithm: str = "HS256",
+    name: str,
+    description: Optional[str],
+    iat: datetime,
+    exp: Optional[datetime],
+    id: int,
+) -> str:
+    """Create a signed JSON Web Token for authentication
+
+    Args:
+        secret (str): the secret to sign with
+        name (str): name of the key / token
+        description (Optional[str]): description of the token
+        iat (datetime): the issued at time
+        exp (Optional[datetime]): the expiry, if set
+        id (int): the id of the key
+        algorithm (str, optional): the algorithm to use. Defaults to "HS256".
+
+    Returns:
+        str: The encoded JWT
+    """
+    payload: Dict[str, Any] = {
+        "name": name,
+        "description": description,
+        "iat": iat.utcnow(),
+        "id": id,
+    }
+    if exp is not None:
+        payload["exp"] = exp.utcnow()
+
+    # Encode the payload to create the JWT
+    token = jwt.encode(payload, secret, algorithm=algorithm)
+
+    return token

phoenix/server/api/mutations/auth.py

@@ -9,3 +9,10 @@ class IsAuthenticated(BasePermission):
 
     async def has_permission(self, source: Any, info: Info, **kwargs: Any) -> bool:
         return not info.context.read_only
+
+
+class HasSecret(BasePermission):
+    message = "Application secret is not set"
+
+    async def has_permission(self, source: Any, info: Info, **kwargs: Any) -> bool:
+        return info.context.secret is not None

phoenix/server/api/mutations/user_mutations.py

@@ -0,0 +1,89 @@
+import asyncio
+from typing import Optional
+
+import strawberry
+from sqlalchemy import insert, select
+from sqlean.dbapi2 import IntegrityError  # type: ignore[import-untyped]
+from strawberry.types import Info
+
+from phoenix.auth import compute_password_hash, validate_email_format, validate_password_format
+from phoenix.db import models
+from phoenix.server.api.context import Context
+from phoenix.server.api.input_types.UserRoleInput import UserRoleInput
+from phoenix.server.api.types.User import User
+from phoenix.server.api.types.UserRole import UserRole
+
+
+@strawberry.input
+class CreateUserInput:
+    email: str
+    username: Optional[str]
+    password: str
+    role: UserRoleInput
+
+
+@strawberry.type
+class UserMutationPayload:
+    user: User
+
+
+@strawberry.type
+class UserMutationMixin:
+    @strawberry.mutation
+    async def create_user(
+        self,
+        info: Info[Context, None],
+        input: CreateUserInput,
+    ) -> UserMutationPayload:
+        validate_email_format(email := input.email)
+        validate_password_format(password := input.password)
+        role_name = input.role.value
+        user_role_id = (
+            select(models.UserRole.id).where(models.UserRole.name == role_name).scalar_subquery()
+        )
+        secret = info.context.get_secret()
+        loop = asyncio.get_running_loop()
+        password_hash = await loop.run_in_executor(
+            executor=None,
+            func=lambda: compute_password_hash(password=password, salt=secret),
+        )
+        try:
+            async with info.context.db() as session:
+                user = await session.scalar(
+                    insert(models.User)
+                    .values(
+                        user_role_id=user_role_id,
+                        username=input.username,
+                        email=email,
+                        auth_method="LOCAL",
+                        password_hash=password_hash,
+                        reset_password=True,
+                    )
+                    .returning(models.User)
+                )
+            assert user is not None
+        except IntegrityError as error:
+            raise ValueError(_get_user_create_error_message(error))
+        return UserMutationPayload(
+            user=User(
+                id_attr=user.id,
+                email=user.email,
+                username=user.username,
+                created_at=user.created_at,
+                role=UserRole(id_attr=user.user_role_id, name=role_name),
+            )
+        )
+
+
+def _get_user_create_error_message(error: IntegrityError) -> str:
+    """
+    Gets a user-facing error message to explain why user creation failed.
+    """
+    original_error_message = str(error)
+    username_already_exists = "users.username" in original_error_message
+    email_already_exists = "users.email" in original_error_message
+    if username_already_exists:
+        return "Username already exists"
+    elif email_already_exists:
+        return "Email already exists"
+    return "Failed to create user"

phoenix/server/api/queries.py

@@ -92,7 +92,8 @@ class Query:
         )
         stmt = (
             select(models.User)
-            .where(models.UserRole.role != "SYSTEM")
+            .join(models.UserRole)
+            .where(models.UserRole.name != "SYSTEM")
             .order_by(models.User.email)
             .options(joinedload(models.User.role))
         )
@@ -106,7 +107,7 @@ class Query:
                     created_at=user.created_at,
                     role=UserRole(
                         id_attr=user.role.id,
-                        role=user.role.role,
+                        name=user.role.name,
                     ),
                 )
                 async for user in users
@@ -120,12 +121,12 @@ class Query:
     ) -> List[UserRole]:
         async with info.context.db() as session:
             roles = await session.scalars(
-                select(models.UserRole).where(models.UserRole.role != "SYSTEM")
+                select(models.UserRole).where(models.UserRole.name != "SYSTEM")
             )
         return [
             UserRole(
                 id_attr=role.id,
-                role=role.role,
+                name=role.name,
             )
             for role in roles
         ]
@@ -137,7 +138,7 @@ class Query:
             select(models.APIKey)
             .join(models.User)
             .join(models.UserRole)
-            .where(models.UserRole.role != "SYSTEM")
+            .where(models.UserRole.name != "SYSTEM")
         )
         async with info.context.db() as session:
             api_keys = await session.scalars(stmt)
@@ -160,7 +161,7 @@ class Query:
             select(models.APIKey)
             .join(models.User)
             .join(models.UserRole)
-            .where(models.UserRole.role == "SYSTEM")
+            .where(models.UserRole.name == "SYSTEM")
         )
         async with info.context.db() as session:
             api_keys = await session.scalars(stmt)

phoenix/server/api/routers/auth.py

@@ -0,0 +1,52 @@
+import asyncio
+from datetime import timedelta
+
+from fastapi import APIRouter, Form, Request, Response
+from sqlalchemy import select
+from starlette.status import HTTP_204_NO_CONTENT, HTTP_401_UNAUTHORIZED
+from typing_extensions import Annotated
+
+from phoenix.auth import is_valid_password
+from phoenix.db import models
+
+router = APIRouter(include_in_schema=False)
+
+PHOENIX_ACCESS_TOKEN_COOKIE_NAME = "phoenix-access-token"
+PHOENIX_ACCESS_TOKEN_COOKIE_MAX_AGE_IN_SECONDS = int(timedelta(days=31).total_seconds())
+
+
+@router.post("/login")
+async def login(
+    request: Request,
+    email: Annotated[str, Form()],
+    password: Annotated[str, Form()],
+) -> Response:
+    async with request.app.state.db() as session:
+        if (
+            user := await session.scalar(select(models.User).where(models.User.email == email))
+        ) is None or (password_hash := user.password_hash) is None:
+            return Response(status_code=HTTP_401_UNAUTHORIZED)
+    secret = request.app.state.get_secret()
+    loop = asyncio.get_running_loop()
+    if not await loop.run_in_executor(
+        executor=None,
+        func=lambda: is_valid_password(password=password, salt=secret, password_hash=password_hash),
+    ):
+        return Response(status_code=HTTP_401_UNAUTHORIZED)
+    response = Response(status_code=HTTP_204_NO_CONTENT)
+    response.set_cookie(
+        key=PHOENIX_ACCESS_TOKEN_COOKIE_NAME,
+        value="token",  # todo: compute access token
+        secure=True,
+        httponly=True,
+        samesite="strict",
+        max_age=PHOENIX_ACCESS_TOKEN_COOKIE_MAX_AGE_IN_SECONDS,
+    )
+    return response
+
+
+@router.post("/logout")
+async def logout() -> Response:
+    response = Response(status_code=HTTP_204_NO_CONTENT)
+    response.delete_cookie(key=PHOENIX_ACCESS_TOKEN_COOKIE_NAME)
+    return response

phoenix/server/api/routers/v1/datasets.py

@@ -71,6 +71,7 @@ from .utils import (
 )
 
 logger = logging.getLogger(__name__)
+logger.addHandler(logging.NullHandler())
 
 DATASET_NODE_NAME = DatasetNodeType.__name__
 DATASET_VERSION_NODE_NAME = DatasetVersionNodeType.__name__

phoenix/server/api/routers/v1/spans.py

@@ -196,7 +196,7 @@ class AnnotateSpansResponseBody(ResponseBody[List[InsertedSpanAnnotation]]):
 async def annotate_spans(
     request: Request,
     request_body: AnnotateSpansRequestBody,
-    sync: bool = Query(default=True, description="If true, fulfill request synchronously."),
+    sync: bool = Query(default=False, description="If true, fulfill request synchronously."),
 ) -> AnnotateSpansResponseBody:
     if not request_body.data:
         return AnnotateSpansResponseBody(data=[])

phoenix/server/api/types/UserRole.py

@@ -5,4 +5,4 @@ from strawberry.relay import Node, NodeID
 @strawberry.type
 class UserRole(Node):
     id_attr: NodeID[int]
-    role: str
+    name: str

phoenix/server/app.py

@@ -4,6 +4,7 @@ import json
 import logging
 from functools import cached_property
 from pathlib import Path
+from types import MethodType
 from typing import (
     TYPE_CHECKING,
     Any,
@@ -30,6 +31,7 @@ from sqlalchemy.ext.asyncio import (
     AsyncSession,
     async_sessionmaker,
 )
+from starlette.datastructures import State as StarletteState
 from starlette.exceptions import HTTPException
 from starlette.middleware import Middleware
 from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
@@ -80,6 +82,7 @@ from phoenix.server.api.dataloaders import (
     TokenCountDataLoader,
     TraceRowIdsDataLoader,
 )
+from phoenix.server.api.routers.auth import router as auth_router
 from phoenix.server.api.routers.v1 import REST_API_VERSION
 from phoenix.server.api.routers.v1 import router as v1_router
 from phoenix.server.api.schema import schema
@@ -100,6 +103,7 @@ if TYPE_CHECKING:
     from opentelemetry.trace import TracerProvider
 
 logger = logging.getLogger(__name__)
+logger.addHandler(logging.NullHandler())
 
 router = APIRouter(include_in_schema=False)
 
@@ -229,7 +233,8 @@ def _lifespan(
     dml_event_handler: DmlEventHandler,
     tracer_provider: Optional["TracerProvider"] = None,
     enable_prometheus: bool = False,
-    clean_ups: Iterable[Callable[[], None]] = (),
+    startup_callbacks: Iterable[Callable[[], None]] = (),
+    shutdown_callbacks: Iterable[Callable[[], None]] = (),
     read_only: bool = False,
 ) -> StatefulLifespan[FastAPI]:
     @contextlib.asynccontextmanager
@@ -247,6 +252,8 @@ def _lifespan(
             tracer_provider=tracer_provider,
             enable_prometheus=enable_prometheus,
         ), dml_event_handler:
+            for callback in startup_callbacks:
+                callback()
             yield {
                 "event_queue": dml_event_handler,
                 "enqueue": enqueue,
@@ -254,8 +261,8 @@ def _lifespan(
                 "queue_evaluation_for_bulk_insert": queue_evaluation,
                 "enqueue_operation": enqueue_operation,
             }
-        for clean_up in clean_ups:
-            clean_up()
+        for callback in shutdown_callbacks:
+            callback()
 
     return lifespan
 
@@ -276,7 +283,26 @@ def create_graphql_router(
     cache_for_dataloaders: Optional[CacheForDataLoaders] = None,
     event_queue: CanPutItem[DmlEvent],
     read_only: bool = False,
+    secret: Optional[str] = None,
 ) -> GraphQLRouter:  # type: ignore[type-arg]
+    """Creates the GraphQL router.
+
+    Args:
+        schema (BaseSchema): The GraphQL schema.
+        db (DbSessionFactory): The database session factory pointing to a SQL database.
+        model (Model): The Model representing inferences (legacy)
+        export_path (Path): the file path to export data to for download (legacy)
+        last_updated_at (CanGetLastUpdatedAt): How to get the last updated timestamp for updates.
+        event_queue (CanPutItem[DmlEvent]): The event queue for DML events.
+        corpus (Optional[Model], optional): the corpus for UMAP projection. Defaults to None.
+        cache_for_dataloaders (Optional[CacheForDataLoaders], optional): GraphQL data loaders.
+        read_only (bool, optional): Marks the app as read-only. Defaults to False.
+        secret (Optional[str], optional): The application secret for auth. Defaults to None.
+
+    Returns:
+        GraphQLRouter: The router mounted at /graphql
+    """
+
     def get_context() -> Context:
         return Context(
             db=db,
@@ -336,6 +362,7 @@ def create_graphql_router(
             ),
             cache_for_dataloaders=cache_for_dataloaders,
             read_only=read_only,
+            secret=secret,
         )
 
     return GraphQLRouter(
@@ -408,9 +435,12 @@ def create_app(
     initial_spans: Optional[Iterable[Union[Span, Tuple[Span, str]]]] = None,
     initial_evaluations: Optional[Iterable[pb.Evaluation]] = None,
     serve_ui: bool = True,
-    clean_up_callbacks: List[Callable[[], None]] = [],
+    startup_callbacks: Iterable[Callable[[], None]] = (),
+    shutdown_callbacks: Iterable[Callable[[], None]] = (),
+    secret: Optional[str] = None,
 ) -> FastAPI:
-    clean_ups: List[Callable[[], None]] = clean_up_callbacks  # To be called at app shutdown.
+    startup_callbacks_list: List[Callable[[], None]] = list(startup_callbacks)
+    shutdown_callbacks_list: List[Callable[[], None]] = list(shutdown_callbacks)
     initial_batch_of_spans: Iterable[Tuple[Span, str]] = (
         ()
         if initial_spans is None
@@ -472,6 +502,7 @@ def create_app(
         event_queue=dml_event_handler,
         cache_for_dataloaders=cache_for_dataloaders,
         read_only=read_only,
+        secret=secret,
     )
     if enable_prometheus:
         from phoenix.server.prometheus import PrometheusMiddleware
@@ -489,7 +520,8 @@ def create_app(
             dml_event_handler=dml_event_handler,
             tracer_provider=tracer_provider,
             enable_prometheus=enable_prometheus,
-            clean_ups=clean_ups,
+            shutdown_callbacks=shutdown_callbacks_list,
+            startup_callbacks=startup_callbacks_list,
         ),
         middleware=[
             Middleware(HeadersMiddleware),
@@ -507,6 +539,8 @@ def create_app(
     app.include_router(router)
     app.include_router(graphql_router)
     app.add_middleware(GZipMiddleware)
+    if authentication_enabled:
+        app.include_router(auth_router)
     if serve_ui:
         app.mount(
             "/",
@@ -525,12 +559,30 @@ def create_app(
             ),
             name="static",
         )
-
-    app.state.db = db
+    app = _update_app_state(app, db=db, secret=secret)
     if tracer_provider:
         from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor
 
         FastAPIInstrumentor().instrument(tracer_provider=tracer_provider)
         FastAPIInstrumentor.instrument_app(app, tracer_provider=tracer_provider)
-        clean_ups.append(FastAPIInstrumentor().uninstrument)
+        shutdown_callbacks_list.append(FastAPIInstrumentor().uninstrument)
+    return app
+
+
+def _update_app_state(app: FastAPI, /, *, db: DbSessionFactory, secret: Optional[str]) -> FastAPI:
+    """
+    Dynamically updates the app's `state` to include useful fields and methods
+    (at the time of this writing, FastAPI does not support setting this state
+    during the creation of the app).
+    """
+    app.state.db = db
+    app.state._secret = secret
+
+    def get_secret(self: StarletteState) -> str:
+        if (secret := self._secret) is None:
+            raise ValueError("app secret is not set")
+        assert isinstance(secret, str)
+        return secret
+
+    app.state.get_secret = MethodType(get_secret, app.state)
     return app

phoenix/server/main.py

@@ -1,13 +1,16 @@
 import atexit
+import codecs
 import logging
 import os
+import sys
 from argparse import ArgumentParser
-from pathlib import Path, PosixPath
+from importlib.metadata import version
+from pathlib import Path
 from threading import Thread
 from time import sleep, time
 from typing import List, Optional
+from urllib.parse import urljoin
 
-import pkg_resources
 from uvicorn import Config, Server
 
 import phoenix.trace.v1 as pb
@@ -53,6 +56,7 @@ from phoenix.trace.otel import decode_otlp_span, encode_span_to_otlp
 from phoenix.trace.schemas import Span
 
 logger = logging.getLogger(__name__)
+logger.addHandler(logging.NullHandler())
 
 _WELCOME_MESSAGE = """
 
@@ -137,6 +141,7 @@ if __name__ == "__main__":
     parser.add_argument("--debug", action="store_true")
     # Whether the app is running in a development environment
     parser.add_argument("--dev", action="store_true")
+    parser.add_argument("--no-ui", action="store_true")
     subparsers = parser.add_subparsers(dest="command", required=True)
     serve_parser = subparsers.add_parser("serve")
     datasets_parser = subparsers.add_parser("datasets")
@@ -218,7 +223,7 @@ if __name__ == "__main__":
         reference_inferences,
     )
 
-    authentication_enabled, auth_secret = get_auth_settings()
+    authentication_enabled, secret = get_auth_settings()
 
     fixture_spans: List[Span] = []
     fixture_evals: List[pb.Evaluation] = []
@@ -255,6 +260,18 @@ if __name__ == "__main__":
     engine = create_engine_and_run_migrations(db_connection_str)
     instrumentation_cleanups = instrument_engine_if_enabled(engine)
     factory = DbSessionFactory(db=_db(engine), dialect=engine.dialect.name)
+    # Print information about the server
+    msg = _WELCOME_MESSAGE.format(
+        version=version("arize-phoenix"),
+        ui_path=urljoin(f"http://{host}:{port}", host_root_path),
+        grpc_path=f"http://{host}:{get_env_grpc_port()}",
+        http_path=urljoin(urljoin(f"http://{host}:{port}", host_root_path), "v1/traces"),
+        storage=get_printable_db_url(db_connection_str),
+    )
+    if authentication_enabled:
+        msg += _EXPERIMENTAL_WARNING.format(auth_enabled=True)
+    if sys.platform.startswith("win"):
+        msg = codecs.encode(msg, "ascii", errors="ignore").decode("ascii").strip()
     app = create_app(
         db=factory,
         export_path=export_path,
@@ -266,29 +283,17 @@ if __name__ == "__main__":
         else create_model_from_inferences(corpus_inferences),
         debug=args.debug,
         dev=args.dev,
+        serve_ui=not args.no_ui,
         read_only=read_only,
         enable_prometheus=enable_prometheus,
         initial_spans=fixture_spans,
         initial_evaluations=fixture_evals,
-        clean_up_callbacks=instrumentation_cleanups,
+        startup_callbacks=[lambda: print(msg)],
+        shutdown_callbacks=instrumentation_cleanups,
+        secret=secret,
     )
     server = Server(config=Config(app, host=host, port=port, root_path=host_root_path))  # type: ignore
     Thread(target=_write_pid_file_when_ready, args=(server,), daemon=True).start()
 
-    # Print information about the server
-    phoenix_version = pkg_resources.get_distribution("arize-phoenix").version
-    print(
-        _WELCOME_MESSAGE.format(
-            version=phoenix_version,
-            ui_path=PosixPath(f"http://{host}:{port}", host_root_path),
-            grpc_path=f"http://{host}:{get_env_grpc_port()}",
-            http_path=PosixPath(f"http://{host}:{port}", host_root_path, "v1/traces"),
-            storage=get_printable_db_url(db_connection_str),
-        )
-    )
-
-    if authentication_enabled:
-        print(_EXPERIMENTAL_WARNING.format(auth_enabled=authentication_enabled))
-
     # Start the server
     server.run()