digitalhub 0.12.0__py3-none-any.whl → 0.13.0b1__py3-none-any.whl

digitalhub/stores/client/dhcore/configurator.py

@@ -5,14 +5,13 @@
 from __future__ import annotations
 
 import typing
-from warnings import warn
 
 from requests import request
 
-from digitalhub.stores.client.dhcore.enums import AuthType, DhcoreEnvVar
-from digitalhub.stores.configurator.configurator import configurator
-from digitalhub.stores.data.s3.enums import S3StoreEnv
-from digitalhub.stores.data.sql.enums import SqlStoreEnv
+from digitalhub.stores.client.dhcore.enums import AuthType
+from digitalhub.stores.credentials.configurator import Configurator
+from digitalhub.stores.credentials.enums import CredsEnvVar, CredsOrigin
+from digitalhub.stores.credentials.handler import creds_handler
 from digitalhub.utils.exceptions import ClientError
 from digitalhub.utils.generic_utils import list_enum
 from digitalhub.utils.uri_utils import has_remote_scheme
@@ -21,191 +20,282 @@ if typing.TYPE_CHECKING:
     from requests import Response
 
 
-# Default key used to store authentication information
-AUTH_KEY = "_auth"
-
-# API levels that are supported
-MAX_API_LEVEL = 20
-MIN_API_LEVEL = 11
-LIB_VERSION = 11
-
-
-class ClientDHCoreConfigurator:
+class ClientDHCoreConfigurator(Configurator):
     """
     Configurator object used to configure the client.
+
+    The configurator starts reading the credentials from the
+    environment and from the ini file and stores them into the
+    creds_handler object.
+
+    While reading the credentials from the two sources (environment and file),
+    the configurator evaluate if the required keys are present in both sources.
+    If the required keys are not present in both sources, the configurator
+    will rise an error, otherwise decide which source to use.
+
+    Once the credentials are read, the configurator check the current profile
+    name from the ini file, and set it. The default one is __default. The
+    profile is used to discriminate a set of credentials inside the ini file.
+
+    The configurator finally set the authentication type based on the credentials.
+    The logic is the following:
+
+        1. Check for a personal access token. Use it immediately to
+           require a timed access token in an exchange endpoint.
+           Switche then the origin to file and .
+           Set the auth type to EXCHANGE.
+        2. Check for an access token and a refresh token.
+           Set the auth type to OAUTH2.
+        3. Check for username and password.
+           Set the auth type to BASIC.
+        4. If none of the above is true, leave the auth type to None.
     """
 
+    keys = [*list_enum(CredsEnvVar)]
+    required_keys = [CredsEnvVar.DHCORE_ENDPOINT.value]
+    keys_to_unprefix = [
+        CredsEnvVar.DHCORE_REFRESH_TOKEN.value,
+        CredsEnvVar.DHCORE_ACCESS_TOKEN.value,
+        CredsEnvVar.DHCORE_ISSUER.value,
+        CredsEnvVar.DHCORE_CLIENT_ID.value,
+    ]
+
     def __init__(self) -> None:
-        self._current_env = configurator.get_current_env()
+        super().__init__()
+        self.load_configs()
+        self._origin = self.set_origin()
+        self._current_profile = creds_handler.get_current_env()
+        self._auth_type: str | None = None
+        self.set_auth_type()
 
     ##############################
-    # Configuration methods
+    # Credentials methods
     ##############################
 
-    def check_config(self) -> None:
+    def load_configs(self) -> str:
         """
-        Check if the config is valid.
-
-        Parameters
-        ----------
-        config : dict
-            Configuration dictionary.
+        Load the configuration from the environment and from the file.
+        """
+        self.load_env_vars()
+        self.load_file_vars()
 
-        Returns
-        -------
-        None
+    def load_env_vars(self) -> None:
         """
-        if configurator.get_current_env() != self._current_env:
-            self.configure()
+        Load the credentials from the environment.
+        """
+        env_creds = {var: self._creds_handler.load_from_env(var) for var in self.keys}
+        env_creds = self._sanitize_env_vars(env_creds)
+        self._creds_handler.set_credentials(self._env, env_creds)
 
-    def configure(self, config: dict | None = None) -> None:
+    def _sanitize_env_vars(self, creds: dict) -> dict:
         """
-        Configure the client attributes with config (given or from
-        environment).
-        Regarding authentication parameters, the config parameter
-        takes precedence over the env variables, and the token
-        over the basic auth. Furthermore, the config parameter is
-        validated against the proper pydantic model.
+        Sanitize the env vars. We expect issuer to have the
+        form "DHCORE_ISSUER" in env.
 
         Parameters
         ----------
-        config : dict
-            Configuration dictionary.
+        creds : dict
+            Credentials dictionary.
 
         Returns
         -------
-        None
+        dict
         """
-        self._get_core_endpoint()
-        self._get_auth_vars()
+        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
+        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ISSUER.value])
+        return creds
 
-    def check_core_version(self, response: Response) -> None:
+    def load_file_vars(self) -> None:
+        """
+        Load the credentials from the file.
         """
-        Raise an exception if DHCore API version is not supported.
+        keys = [*self._remove_prefix_dhcore()]
+        file_creds = {var: self._creds_handler.load_from_file(var) for var in keys}
 
-        Parameters
-        ----------
-        response : Response
-            The response object.
+        # Because in the response there is no endpoint
+        if file_creds[CredsEnvVar.DHCORE_ENDPOINT.value] is None:
+            file_creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._creds_handler.load_from_env(
+                CredsEnvVar.DHCORE_ENDPOINT.value
+            )
 
-        Returns
-        -------
-        None
-        """
-        if "X-Api-Level" in response.headers:
-            core_api_level = int(response.headers["X-Api-Level"])
-            if not (MIN_API_LEVEL <= core_api_level <= MAX_API_LEVEL):
-                raise ClientError("Backend API level not supported.")
-            if LIB_VERSION < core_api_level:
-                warn("Backend API level is higher than library version. You should consider updating the library.")
+        # Because in the response there is no personal access token
+        if file_creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] is None:
+            file_creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] = self._creds_handler.load_from_env(
+                CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value
+            )
+
+        file_creds = self._sanitize_file_vars(file_creds)
+        self._creds_handler.set_credentials(self._file, file_creds)
 
-    def build_url(self, api: str) -> str:
+    def _sanitize_file_vars(self, creds: dict) -> dict:
         """
-        Build the url.
+        Sanitize the file vars. We expect issuer, client_id and access_token and
+        refresh_token to not have the form "DHCORE_" in the file.
 
         Parameters
         ----------
-        api : str
-            The api to call.
+        creds : dict
+            Credentials dictionary.
 
         Returns
         -------
-        str
-            The url.
+        dict
         """
-        api = api.removeprefix("/")
-        return f"{configurator.get_credential(DhcoreEnvVar.ENDPOINT.value)}/{api}"
-
-    ##############################
-    # Private methods
-    ##############################
+        creds[CredsEnvVar.DHCORE_ENDPOINT.value] = self._sanitize_endpoint(creds[CredsEnvVar.DHCORE_ENDPOINT.value])
+        creds[CredsEnvVar.DHCORE_ISSUER.value] = self._sanitize_endpoint(
+            creds[CredsEnvVar.DHCORE_ISSUER.value.removeprefix("DHCORE_")]
+        )
+        creds[CredsEnvVar.DHCORE_REFRESH_TOKEN.value] = creds[
+            CredsEnvVar.DHCORE_REFRESH_TOKEN.value.removeprefix("DHCORE_")
+        ]
+        creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] = creds[
+            CredsEnvVar.DHCORE_ACCESS_TOKEN.value.removeprefix("DHCORE_")
+        ]
+        creds[CredsEnvVar.DHCORE_CLIENT_ID.value] = creds[CredsEnvVar.DHCORE_CLIENT_ID.value.removeprefix("DHCORE_")]
+        return {k: v for k, v in creds.items() if k in self.keys}
 
     @staticmethod
-    def _sanitize_endpoint(endpoint: str) -> str:
+    def _sanitize_endpoint(endpoint: str | None = None) -> str | None:
         """
         Sanitize the endpoint.
 
         Returns
         -------
-        None
+        str | None
+            The sanitized endpoint.
         """
+        if endpoint is None:
+            return
         if not has_remote_scheme(endpoint):
             raise ClientError("Invalid endpoint scheme. Must start with http:// or https://.")
 
         endpoint = endpoint.strip()
         return endpoint.removesuffix("/")
 
-    def _get_core_endpoint(self) -> None:
+    def check_config(self) -> None:
         """
-        Get the DHCore endpoint from env.
+        Check if the config is valid.
+
+        Parameters
+        ----------
+        config : dict
+            Configuration dictionary.
 
         Returns
         -------
         None
+        """
+        if (current := creds_handler.get_current_env()) != self._current_profile:
+            self.load_file_vars()
+            self._current_profile = current
 
-        Raises
-        ------
-        Exception
-            If the endpoint of DHCore is not set in the env variables.
+    def get_endpoint(self) -> str:
         """
-        endpoint = configurator.load_var(DhcoreEnvVar.ENDPOINT.value)
-        if endpoint is None:
-            raise ClientError("Endpoint not set as environment variables.")
-        endpoint = self._sanitize_endpoint(endpoint)
-        configurator.set_credential(DhcoreEnvVar.ENDPOINT.value, endpoint)
+        Get the DHCore endpoint.
 
-    def _get_auth_vars(self) -> None:
+        Returns
+        -------
+        str
+            The endpoint.
         """
-        Get authentication parameters from the env.
+        creds = self._creds_handler.get_credentials(self._origin)
+        return creds[CredsEnvVar.DHCORE_ENDPOINT.value]
+
+    ##############################
+    # Origin methods
+    ##############################
+
+    def set_origin(self) -> str:
+        """
+        Evaluate the default origin from the credentials.
 
         Returns
         -------
-        None
+        str
+            The origin.
         """
-        # Give priority to access token
-        access_token = self._load_dhcore_oauth_vars(DhcoreEnvVar.ACCESS_TOKEN.value)
-        if access_token is not None:
-            configurator.set_credential(AUTH_KEY, AuthType.OAUTH2.value)
-            configurator.set_credential(DhcoreEnvVar.ACCESS_TOKEN.value.removeprefix("DHCORE_"), access_token)
+        origin = CredsOrigin.ENV.value
 
-        # Fallback to basic
+        env_creds = self._creds_handler.get_credentials(self._env)
+        missing_env = self._check_credentials(env_creds)
+
+        file_creds = self._creds_handler.get_credentials(self._file)
+        missing_file = self._check_credentials(file_creds)
+
+        msg = ""
+        if missing_env:
+            msg = f"Missing required vars in env: {', '.join(missing_env)}"
+            origin = CredsOrigin.FILE.value
+        elif missing_file:
+            msg += f"Missing required vars in .dhcore.ini file: {', '.join(missing_file)}"
+
+        if missing_env and missing_file:
+            raise ClientError(msg)
+
+        return origin
+
+    def change_origin(self) -> None:
+        """
+        Change the origin of the credentials.
+        """
+        if self._origin == CredsOrigin.ENV.value:
+            self.change_to_file()
         else:
-            user = configurator.load_var(DhcoreEnvVar.USER.value)
-            password = configurator.load_var(DhcoreEnvVar.PASSWORD.value)
-            if user is not None and password is not None:
-                configurator.set_credential(AUTH_KEY, AuthType.BASIC.value)
-                configurator.set_credential(DhcoreEnvVar.USER.value, user)
-                configurator.set_credential(DhcoreEnvVar.PASSWORD.value, password)
+            self.change_to_env()
+
+        # Re-evaluate the auth type
+        self.set_auth_type()
+
+    def change_to_file(self) -> None:
+        """
+        Change the origin to file. Re-evaluate the auth type.
+        """
+        self._origin = CredsOrigin.FILE.value
+
+    def change_to_env(self) -> None:
+        """
+        Change the origin to env. Re-evaluate the auth type.
+        """
+        self._origin = CredsOrigin.ENV.value
 
     ##############################
     # Auth methods
     ##############################
 
-    def basic_auth(self) -> bool:
+    def set_auth_type(self) -> None:
         """
-        Get basic auth.
+        Evaluate the auth type from the credentials.
 
         Returns
         -------
-        bool
+        None
         """
-        auth_type = configurator.get_credential(AUTH_KEY)
-        return auth_type == AuthType.BASIC.value
+        creds = creds_handler.get_credentials(self._origin)
+        self._auth_type = self._eval_auth_type(creds)
+        # If we have an exchange token, we need to get a new access token.
+        # Therefore, we change the origin to file, where the refresh token is written.
+        # We also try to fetch the PAT from both env and file
+        if self._auth_type == AuthType.EXCHANGE.value:
+            self.get_new_access_token(change_origin=True)
+            # Just to ensure we get the right source from file
+            self.change_to_file()
 
-    def oauth2_auth(self) -> bool:
+    def refreshable_auth_types(self) -> bool:
         """
-        Get oauth2 auth.
+        Check if the auth type is refreshable.
 
         Returns
         -------
         bool
+            True if the auth type is refreshable, False otherwise.
         """
-        auth_type = configurator.get_credential(AUTH_KEY)
-        return auth_type == AuthType.OAUTH2.value
+        return self._auth_type in [AuthType.OAUTH2.value, AuthType.EXCHANGE.value]
 
-    def set_request_auth(self, kwargs: dict) -> dict:
+    def get_auth_parameters(self, kwargs: dict) -> dict:
         """
-        Get the authentication header.
+        Get the authentication header for the request.
+        It is given for granted that the auth type is set and that,
+        if the auth type is EXCHANGE, the refresh token is set.
 
         Parameters
         ----------
@@ -215,50 +305,78 @@ class ClientDHCoreConfigurator:
         Returns
         -------
         dict
-            Authentication header.
-        """
-        creds = configurator.get_all_credentials()
-        if AUTH_KEY not in creds:
-            return kwargs
-        if self.basic_auth():
-            user = creds[DhcoreEnvVar.USER.value]
-            password = creds[DhcoreEnvVar.PASSWORD.value]
-            kwargs["auth"] = (user, password)
-        elif self.oauth2_auth():
+            Authentication parameters.
+        """
+        creds = creds_handler.get_credentials(self._origin)
+        if self._auth_type in (AuthType.EXCHANGE.value, AuthType.OAUTH2.value):
+            access_token = creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value]
             if "headers" not in kwargs:
                 kwargs["headers"] = {}
-            access_token = creds[DhcoreEnvVar.ACCESS_TOKEN.value.removeprefix("DHCORE_")]
             kwargs["headers"]["Authorization"] = f"Bearer {access_token}"
+        elif self._auth_type == AuthType.BASIC.value:
+            user = creds[CredsEnvVar.DHCORE_USER.value]
+            password = creds[CredsEnvVar.DHCORE_PASSWORD.value]
+            kwargs["auth"] = (user, password)
         return kwargs
 
-    def get_new_access_token(self) -> None:
+    def get_new_access_token(self, change_origin: bool = False) -> None:
         """
         Get a new access token.
 
+        Parameters
+        ----------
+        change_origin : bool, optional
+            Whether to change the origin of the credentials, by default False
+
         Returns
         -------
         None
         """
-        # Call issuer and get endpoint for
-        # refreshing access token
+        if not self.refreshable_auth_types():
+            raise ClientError(f"Auth type {self._auth_type} does not support refresh.")
+
+        # Get refresh endpoint
         url = self._get_refresh_endpoint()
 
-        # Call refresh token endpoint
-        # Try token from env
-        refresh_token = configurator.load_from_env(DhcoreEnvVar.REFRESH_TOKEN.value)
-        response = self._call_refresh_token_endpoint(url, refresh_token)
+        # Get credentials
+        creds = self._creds_handler.get_credentials(self._origin)
+
+        # Get client id
+        if (client_id := creds.get(CredsEnvVar.DHCORE_CLIENT_ID.value)) is None:
+            raise ClientError("Client id not set.")
 
-        # Otherwise try token from file
+        # Handling of token exchange or refresh
+        if self._auth_type == AuthType.OAUTH2.value:
+            response = self._call_refresh_token_endpoint(
+                url,
+                client_id=client_id,
+                refresh_token=creds.get(CredsEnvVar.DHCORE_REFRESH_TOKEN.value),
+                grant_type="refresh_token",
+                scope="credentials",
+            )
+        elif self._auth_type == AuthType.EXCHANGE.value:
+            response = self._call_refresh_token_endpoint(
+                url,
+                client_id=client_id,
+                subject_token=creds.get(CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value),
+                subject_token_type="urn:ietf:params:oauth:token-type:pat",
+                grant_type="urn:ietf:params:oauth:grant-type:token-exchange",
+                scope="credentials",
+            )
+
+        # Change origin of creds if needed
         if response.status_code in (400, 401, 403):
-            refresh_token = configurator.load_from_file(DhcoreEnvVar.REFRESH_TOKEN.value.removeprefix("DHCORE_"))
-            response = self._call_refresh_token_endpoint(url, refresh_token)
+            if not change_origin:
+                raise ClientError("Unable to refresh token. Please check your credentials.")
+            self.change_origin()
+            self.get_new_access_token(change_origin=False)
 
         response.raise_for_status()
 
         # Read new credentials and propagate to config file
-        self._set_creds(response.json())
+        self._export_new_creds(response.json())
 
-    def _set_creds(self, response: dict) -> None:
+    def _export_new_creds(self, response: dict) -> None:
         """
         Set new credentials.
 
@@ -271,17 +389,13 @@ class ClientDHCoreConfigurator:
         -------
         None
         """
-        keys = [
-            *self._remove_prefix_dhcore(list_enum(DhcoreEnvVar)),
-            *list_enum(S3StoreEnv),
-            *list_enum(SqlStoreEnv),
-        ]
-        for key in keys:
-            if (value := response.get(key.lower())) is not None:
-                configurator.set_credential(key, value)
-        configurator.write_env(keys)
+        creds_handler.write_env(response)
+        self.load_file_vars()
 
-    def _remove_prefix_dhcore(self, keys: list[str]) -> list[str]:
+        # Change current origin to file because of refresh
+        self._origin = CredsOrigin.FILE.value
+
+    def _remove_prefix_dhcore(self) -> list[str]:
         """
         Remove prefix from selected keys. (Compatibility with CLI)
 
@@ -296,13 +410,8 @@ class ClientDHCoreConfigurator:
             List of keys without prefix.
         """
         new_list = []
-        for key in keys:
-            if key in (
-                DhcoreEnvVar.REFRESH_TOKEN.value,
-                DhcoreEnvVar.ACCESS_TOKEN.value,
-                DhcoreEnvVar.ISSUER.value,
-                DhcoreEnvVar.CLIENT_ID.value,
-            ):
+        for key in self.keys:
+            if key in self.keys_to_unprefix:
                 new_list.append(key.removeprefix("DHCORE_"))
             else:
                 new_list.append(key)
@@ -318,11 +427,10 @@ class ClientDHCoreConfigurator:
             Refresh endpoint.
         """
         # Get issuer endpoint
-        endpoint_issuer = self._load_dhcore_oauth_vars(DhcoreEnvVar.ISSUER.value)
+        creds = self._creds_handler.get_credentials(self._origin)
+        endpoint_issuer = creds.get(CredsEnvVar.DHCORE_ISSUER.value)
         if endpoint_issuer is None:
             raise ClientError("Issuer endpoint not set.")
-        endpoint_issuer = self._sanitize_endpoint(endpoint_issuer)
-        configurator.set_credential(DhcoreEnvVar.ISSUER.value.removeprefix("DHCORE_"), endpoint_issuer)
 
         # Standard issuer endpoint path
         url = endpoint_issuer + "/.well-known/openid-configuration"
@@ -332,7 +440,11 @@ class ClientDHCoreConfigurator:
         r.raise_for_status()
         return r.json().get("token_endpoint")
 
-    def _call_refresh_token_endpoint(self, url: str, refresh_token: str) -> Response:
+    def _call_refresh_token_endpoint(
+        self,
+        url: str,
+        **kwargs,
+    ) -> Response:
         """
         Call the refresh token endpoint.
 
@@ -340,44 +452,29 @@ class ClientDHCoreConfigurator:
         ----------
         url : str
             Refresh token endpoint.
-        refresh_token : str
-            Refresh token.
+        kwargs : dict
+            Keyword arguments to pass to the request.
 
         Returns
         -------
         Response
             Response object.
         """
-        # Get client id
-        client_id = self._load_dhcore_oauth_vars(DhcoreEnvVar.CLIENT_ID.value)
-        if client_id is None:
-            raise ClientError("Client id not set.")
-
         # Send request to get new access token
-        payload = {
-            "grant_type": "refresh_token",
-            "client_id": client_id,
-            "refresh_token": refresh_token,
-            "scope": "openid credentials offline_access",
-        }
+        payload = {**kwargs}
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
         return request("POST", url, data=payload, headers=headers, timeout=60)
 
-    def _load_dhcore_oauth_vars(self, oauth_var: str) -> str | None:
-        """
-        Load DHCore oauth variables.
-
-        Parameters
-        ----------
-        oauth_var : str
-            The oauth variable to load.
-
-        Returns
-        -------
-        str
-            The oauth variable.
-        """
-        read_var = configurator.load_from_env(oauth_var)
-        if read_var is None:
-            read_var = configurator.load_from_file(oauth_var.removeprefix("DHCORE_"))
-        return read_var
+    def _eval_auth_type(self, creds: dict) -> str | None:
+        if creds[CredsEnvVar.DHCORE_PERSONAL_ACCESS_TOKEN.value] is not None:
+            return AuthType.EXCHANGE.value
+        if (
+            creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None
+            and creds[CredsEnvVar.DHCORE_REFRESH_TOKEN.value] is not None
+        ):
+            return AuthType.OAUTH2.value
+        if creds[CredsEnvVar.DHCORE_ACCESS_TOKEN.value] is not None:
+            return AuthType.ACCESS_TOKEN.value
+        if creds[CredsEnvVar.DHCORE_USER.value] is not None and creds[CredsEnvVar.DHCORE_PASSWORD.value] is not None:
+            return AuthType.BASIC.value
+        return None

digitalhub/stores/client/dhcore/enums.py

@@ -19,6 +19,7 @@ class DhcoreEnvVar(Enum):
     CLIENT_ID = "DHCORE_CLIENT_ID"
     ACCESS_TOKEN = "DHCORE_ACCESS_TOKEN"
     REFRESH_TOKEN = "DHCORE_REFRESH_TOKEN"
+    PERSONAL_ACCESS_TOKEN = "DHCORE_PERSONAL_ACCESS_TOKEN"
     WORKFLOW_IMAGE = "DHCORE_WORKFLOW_IMAGE"
 
 
@@ -29,3 +30,5 @@ class AuthType(Enum):
 
     BASIC = "basic"
     OAUTH2 = "oauth2"
+    EXCHANGE = "exchange"
+    ACCESS_TOKEN = "access_token_only"