diracx-logic 0.0.1a29__tar.gz

diracx_logic-0.0.1a29/PKG-INFO

@@ -0,0 +1,18 @@
+Metadata-Version: 2.2
+Name: diracx-logic
+Version: 0.0.1a29
+Summary: TODO
+License: GPL-3.0-only
+Classifier: Intended Audience :: Science/Research
+Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Scientific/Engineering
+Classifier: Topic :: System :: Distributed Computing
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: cachetools
+Requires-Dist: dirac
+Requires-Dist: diracx-core
+Requires-Dist: pydantic>=2.10
+Provides-Extra: types
+Requires-Dist: types-cachetools; extra == "types"

diracx_logic-0.0.1a29/pyproject.toml

@@ -0,0 +1,40 @@
+[project]
+name = "diracx-logic"
+description = "TODO"
+readme = "README.md"
+requires-python = ">=3.11"
+keywords = []
+license = {text = "GPL-3.0-only"}
+classifiers = [
+    "Intended Audience :: Science/Research",
+    "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
+    "Programming Language :: Python :: 3",
+    "Topic :: Scientific/Engineering",
+    "Topic :: System :: Distributed Computing",
+]
+dependencies = [
+    "cachetools",
+    "dirac",
+    "diracx-core",
+    "pydantic >=2.10",
+]
+dynamic = ["version"]
+
+[project.optional-dependencies]
+types = [
+    "types-cachetools",
+]
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[build-system]
+requires = ["setuptools>=61", "wheel", "setuptools_scm>=8"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools_scm]
+root = ".."
+
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"

diracx_logic-0.0.1a29/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

diracx_logic-0.0.1a29/src/diracx/logic/auth/authorize_code_flow.py

@@ -0,0 +1,99 @@
+"""Authorization code flow."""
+
+from __future__ import annotations
+
+from typing import Literal
+
+from diracx.core.config import Config
+from diracx.core.models import GrantType
+from diracx.core.properties import SecurityProperty
+from diracx.core.settings import AuthSettings
+from diracx.db.sql import AuthDB
+
+from .utils import (
+    decrypt_state,
+    get_token_from_iam,
+    initiate_authorization_flow_with_iam,
+    parse_and_validate_scope,
+)
+
+
+async def initiate_authorization_flow(
+    request_url: str,
+    code_challenge: str,
+    code_challenge_method: Literal["S256"],
+    client_id: str,
+    redirect_uri: str,
+    scope: str,
+    state: str,
+    auth_db: AuthDB,
+    config: Config,
+    settings: AuthSettings,
+    available_properties: set[SecurityProperty],
+) -> str:
+    """Initiate the authorization flow."""
+    if settings.dirac_client_id != client_id:
+        raise ValueError("Unrecognised client_id")
+    if redirect_uri not in settings.allowed_redirects:
+        raise ValueError("Unrecognised redirect_uri")
+
+    # Parse and validate the scope
+    parsed_scope = parse_and_validate_scope(scope, config, available_properties)
+
+    # Store the authorization flow details
+    uuid = await auth_db.insert_authorization_flow(
+        client_id,
+        scope,
+        code_challenge,
+        code_challenge_method,
+        redirect_uri,
+    )
+
+    # Initiate the authorization flow with the IAM
+    state_for_iam = {
+        "external_state": state,
+        "uuid": uuid,
+        "grant_type": GrantType.authorization_code.value,
+    }
+
+    authorization_flow_url = await initiate_authorization_flow_with_iam(
+        config,
+        parsed_scope["vo"],
+        f"{request_url}/complete",
+        state_for_iam,
+        settings.state_key.fernet,
+    )
+
+    return authorization_flow_url
+
+
+async def complete_authorization_flow(
+    code: str,
+    state: str,
+    request_url: str,
+    auth_db: AuthDB,
+    config: Config,
+    settings: AuthSettings,
+) -> str:
+    """Complete the authorization flow."""
+    # Decrypt the state to access user details
+    decrypted_state = decrypt_state(state, settings.state_key.fernet)
+    assert decrypted_state["grant_type"] == GrantType.authorization_code
+
+    # Get the ID token from the IAM
+    id_token = await get_token_from_iam(
+        config,
+        decrypted_state["vo"],
+        code,
+        decrypted_state,
+        request_url,
+    )
+
+    # Store the ID token and redirect the user to the client's redirect URI
+    code, redirect_uri = await auth_db.authorization_flow_insert_id_token(
+        decrypted_state["uuid"],
+        id_token,
+        settings.authorization_flow_expiration_seconds,
+    )
+
+    return f"{redirect_uri}?code={code}&state={decrypted_state['external_state']}"

diracx_logic-0.0.1a29/src/diracx/logic/auth/device_flow.py

@@ -0,0 +1,100 @@
+"""Device flow."""
+
+from __future__ import annotations
+
+from diracx.core.config import Config
+from diracx.core.models import GrantType, InitiateDeviceFlowResponse
+from diracx.core.properties import SecurityProperty
+from diracx.core.settings import AuthSettings
+from diracx.db.sql import AuthDB
+
+from .utils import (
+    decrypt_state,
+    get_token_from_iam,
+    initiate_authorization_flow_with_iam,
+    parse_and_validate_scope,
+)
+
+
+async def initiate_device_flow(
+    client_id: str,
+    scope: str,
+    verification_uri: str,
+    auth_db: AuthDB,
+    config: Config,
+    available_properties: set[SecurityProperty],
+    settings: AuthSettings,
+) -> InitiateDeviceFlowResponse:
+    """Initiate the device flow against DIRAC authorization Server."""
+    if settings.dirac_client_id != client_id:
+        raise ValueError("Unrecognised client ID")
+
+    parse_and_validate_scope(scope, config, available_properties)
+
+    user_code, device_code = await auth_db.insert_device_flow(client_id, scope)
+
+    return {
+        "user_code": user_code,
+        "device_code": device_code,
+        "verification_uri_complete": f"{verification_uri}?user_code={user_code}",
+        "verification_uri": verification_uri,
+        "expires_in": settings.device_flow_expiration_seconds,
+    }
+
+
+async def do_device_flow(
+    request_url: str,
+    auth_db: AuthDB,
+    user_code: str,
+    config: Config,
+    available_properties: set[SecurityProperty],
+    settings: AuthSettings,
+) -> str:
+    """This is called as the verification URI for the device flow."""
+    # Here we make sure the user_code actually exists
+    scope = await auth_db.device_flow_validate_user_code(
+        user_code, settings.device_flow_expiration_seconds
+    )
+    parsed_scope = parse_and_validate_scope(scope, config, available_properties)
+
+    redirect_uri = f"{request_url}/complete"
+
+    state_for_iam = {
+        "grant_type": GrantType.device_code.value,
+        "user_code": user_code,
+    }
+
+    authorization_flow_url = await initiate_authorization_flow_with_iam(
+        config,
+        parsed_scope["vo"],
+        redirect_uri,
+        state_for_iam,
+        settings.state_key.fernet,
+    )
+    return authorization_flow_url
+
+
+async def finish_device_flow(
+    request_url: str,
+    code: str,
+    state: str,
+    auth_db: AuthDB,
+    config: Config,
+    settings: AuthSettings,
+):
+    """This the url callbacked by IAM/Checkin after the authorization
+    flow was granted.
+    """
+    decrypted_state = decrypt_state(state, settings.state_key.fernet)
+    assert decrypted_state["grant_type"] == GrantType.device_code
+
+    id_token = await get_token_from_iam(
+        config,
+        decrypted_state["vo"],
+        code,
+        decrypted_state,
+        request_url,
+    )
+    await auth_db.device_flow_insert_id_token(
+        decrypted_state["user_code"], id_token, settings.device_flow_expiration_seconds
+    )

diracx_logic-0.0.1a29/src/diracx/logic/auth/management.py

@@ -0,0 +1,32 @@
+"""This module contains the auth management functions."""
+
+from __future__ import annotations
+
+from uuid import UUID
+
+from diracx.db.sql import AuthDB
+
+
+async def get_refresh_tokens(
+    auth_db: AuthDB,
+    subject: str | None,
+) -> list:
+    """Get all refresh tokens bound to a given subject. If there is no subject, then
+    all the refresh tokens are retrieved.
+    """
+    return await auth_db.get_user_refresh_tokens(subject)
+
+
+async def revoke_refresh_token(
+    auth_db: AuthDB,
+    subject: str | None,
+    jti: UUID,
+) -> str:
+    """Revoke a refresh token. If a subject is provided, then the refresh token must be owned by that subject."""
+    res = await auth_db.get_refresh_token(jti)
+
+    if subject and subject != res["Sub"]:
+        raise PermissionError("Cannot revoke a refresh token owned by someone else")
+
+    await auth_db.revoke_refresh_token(jti)
+    return f"Refresh token {jti} revoked"

diracx_logic-0.0.1a29/src/diracx/logic/auth/token.py

@@ -0,0 +1,396 @@
+"""Token endpoint implementation."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import re
+from datetime import datetime, timedelta, timezone
+from uuid import UUID, uuid4
+
+from authlib.jose import JsonWebToken
+
+from diracx.core.config import Config
+from diracx.core.exceptions import (
+    AuthorizationError,
+    ExpiredFlowError,
+    InvalidCredentialsError,
+    PendingAuthorizationError,
+)
+from diracx.core.models import (
+    AccessTokenPayload,
+    GrantType,
+    RefreshTokenPayload,
+    TokenPayload,
+)
+from diracx.core.properties import SecurityProperty
+from diracx.core.settings import AuthSettings
+from diracx.db.sql import AuthDB
+from diracx.db.sql.auth.schema import FlowStatus, RefreshTokenStatus
+from diracx.db.sql.utils.functions import substract_date
+
+from .utils import (
+    get_allowed_user_properties,
+    parse_and_validate_scope,
+    verify_dirac_refresh_token,
+)
+
+
+async def get_oidc_token(
+    grant_type: GrantType,
+    client_id: str,
+    auth_db: AuthDB,
+    config: Config,
+    settings: AuthSettings,
+    available_properties: set[SecurityProperty],
+    device_code: str | None = None,
+    code: str | None = None,
+    redirect_uri: str | None = None,
+    code_verifier: str | None = None,
+    refresh_token: str | None = None,
+) -> tuple[AccessTokenPayload, RefreshTokenPayload]:
+    """Token endpoint to retrieve the token at the end of a flow."""
+    legacy_exchange = False
+
+    if grant_type == GrantType.device_code:
+        assert device_code is not None
+        oidc_token_info, scope = await get_oidc_token_info_from_device_flow(
+            device_code, client_id, auth_db, settings
+        )
+
+    elif grant_type == GrantType.authorization_code:
+        assert code is not None
+        assert code_verifier is not None
+        oidc_token_info, scope = await get_oidc_token_info_from_authorization_flow(
+            code, client_id, redirect_uri, code_verifier, auth_db, settings
+        )
+
+    elif grant_type == GrantType.refresh_token:
+        assert refresh_token is not None
+        (
+            oidc_token_info,
+            scope,
+            legacy_exchange,
+        ) = await get_oidc_token_info_from_refresh_flow(
+            refresh_token, auth_db, settings
+        )
+    else:
+        raise NotImplementedError(f"Grant type not implemented {grant_type}")
+
+    # Get a TokenResponse to return to the user
+    return await exchange_token(
+        auth_db,
+        scope,
+        oidc_token_info,
+        config,
+        settings,
+        available_properties,
+        legacy_exchange=legacy_exchange,
+    )
+
+
+async def get_oidc_token_info_from_device_flow(
+    device_code: str, client_id: str, auth_db: AuthDB, settings: AuthSettings
+) -> tuple[dict, str]:
+    """Get OIDC token information from the device flow DB and check few parameters before returning it."""
+    info = await get_device_flow(
+        auth_db, device_code, settings.device_flow_expiration_seconds
+    )
+
+    if info["ClientID"] != client_id:
+        raise ValueError("Bad client_id")
+
+    oidc_token_info = info["IDToken"]
+    scope = info["Scope"]
+
+    # TODO: use HTTPException while still respecting the standard format
+    # required by the RFC
+    if info["Status"] != FlowStatus.READY:
+        # That should never ever happen
+        raise NotImplementedError(f"Unexpected flow status {info['status']!r}")
+    return (oidc_token_info, scope)
+
+
+async def get_oidc_token_info_from_authorization_flow(
+    code: str,
+    client_id: str | None,
+    redirect_uri: str | None,
+    code_verifier: str,
+    auth_db: AuthDB,
+    settings: AuthSettings,
+) -> tuple[dict, str]:
+    """Get OIDC token information from the authorization flow DB and check few parameters before returning it."""
+    info = await get_authorization_flow(
+        auth_db, code, settings.authorization_flow_expiration_seconds
+    )
+    if redirect_uri != info["RedirectURI"]:
+        raise ValueError("Invalid redirect_uri")
+    if client_id != info["ClientID"]:
+        raise ValueError("Bad client_id")
+
+    # Check the code_verifier
+    try:
+        code_challenge = (
+            base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest())
+            .decode()
+            .strip("=")
+        )
+    except Exception as e:
+        raise ValueError("Malformed code_verifier") from e
+
+    if code_challenge != info["CodeChallenge"]:
+        raise ValueError("Invalid code_challenge")
+
+    oidc_token_info = info["IDToken"]
+    scope = info["Scope"]
+
+    # TODO: use HTTPException while still respecting the standard format
+    # required by the RFC
+    if info["Status"] != FlowStatus.READY:
+        # That should never ever happen
+        raise NotImplementedError(f"Unexpected flow status {info['status']!r}")
+
+    return (oidc_token_info, scope)
+
+
+async def get_oidc_token_info_from_refresh_flow(
+    refresh_token: str, auth_db: AuthDB, settings: AuthSettings
+) -> tuple[dict, str, bool]:
+    """Get OIDC token information from the refresh token DB and check few parameters before returning it."""
+    # Decode the refresh token to get the JWT ID
+    jti, _, legacy_exchange = await verify_dirac_refresh_token(refresh_token, settings)
+
+    # Get some useful user information from the refresh token entry in the DB
+    refresh_token_attributes = await auth_db.get_refresh_token(jti)
+
+    sub = refresh_token_attributes["Sub"]
+
+    # Check if the refresh token was obtained from the legacy_exchange endpoint
+    # If it is the case, we bypass the refresh token rotation mechanism
+    if not legacy_exchange:
+        # Refresh token rotation: https://datatracker.ietf.org/doc/html/rfc6749#section-10.4
+        # Check that the refresh token has not been already revoked
+        # This might indicate that a potential attacker try to impersonate someone
+        # In such case, all the refresh tokens bound to a given user (subject) should be revoked
+        # Forcing the user to reauthenticate interactively through an authorization/device flow (recommended practice)
+        if refresh_token_attributes["Status"] == RefreshTokenStatus.REVOKED:
+            # Revoke all the user tokens from the subject
+            await auth_db.revoke_user_refresh_tokens(sub)
+
+            # Commit here, otherwise the revokation operation will not be taken into account
+            # as we return an error to the user
+            await auth_db.conn.commit()
+
+            raise InvalidCredentialsError(
+                "Revoked refresh token reused: potential attack detected. You must authenticate again"
+            )
+
+        # Part of the refresh token rotation mechanism:
+        # Revoke the refresh token provided, a new one needs to be generated
+        await auth_db.revoke_refresh_token(jti)
+
+    # Build an ID token and get scope from the refresh token attributes received
+    oidc_token_info = {
+        # The sub attribute coming from the DB contains the VO name
+        # We need to remove it as if it were coming from an ID token from an external IdP
+        "sub": sub.split(":", 1)[1],
+        "preferred_username": refresh_token_attributes["PreferredUsername"],
+    }
+    scope = refresh_token_attributes["Scope"]
+    return (oidc_token_info, scope, legacy_exchange)
+
+
+BASE_64_URL_SAFE_PATTERN = (
+    r"(?:[A-Za-z0-9\-_]{4})*(?:[A-Za-z0-9\-_]{2}==|[A-Za-z0-9\-_]{3}=)?"
+)
+LEGACY_EXCHANGE_PATTERN = rf"Bearer diracx:legacy:({BASE_64_URL_SAFE_PATTERN})"
+
+
+async def perform_legacy_exchange(
+    expected_api_key: str,
+    preferred_username: str,
+    scope: str,
+    authorization: str,
+    auth_db: AuthDB,
+    available_properties: set[SecurityProperty],
+    settings: AuthSettings,
+    config: Config,
+    expires_minutes: int | None = None,
+) -> tuple[AccessTokenPayload, RefreshTokenPayload]:
+    """Endpoint used by legacy DIRAC to mint tokens for proxy -> token exchange."""
+    if match := re.fullmatch(LEGACY_EXCHANGE_PATTERN, authorization):
+        raw_token = base64.urlsafe_b64decode(match.group(1))
+    else:
+        raise ValueError("Invalid authorization header")
+
+    if hashlib.sha256(raw_token).hexdigest() != expected_api_key:
+        raise InvalidCredentialsError("Invalid credentials")
+
+    try:
+        parsed_scope = parse_and_validate_scope(scope, config, available_properties)
+        vo_users = config.Registry[parsed_scope["vo"]]
+        sub = vo_users.sub_from_preferred_username(preferred_username)
+    except (KeyError, ValueError) as e:
+        raise ValueError("Invalid scope or preferred_username") from e
+
+    return await exchange_token(
+        auth_db,
+        scope,
+        {"sub": sub, "preferred_username": preferred_username},
+        config,
+        settings,
+        available_properties,
+        refresh_token_expire_minutes=expires_minutes,
+        legacy_exchange=True,
+    )
+
+
+async def exchange_token(
+    auth_db: AuthDB,
+    scope: str,
+    oidc_token_info: dict,
+    config: Config,
+    settings: AuthSettings,
+    available_properties: set[SecurityProperty],
+    *,
+    refresh_token_expire_minutes: int | None = None,
+    legacy_exchange: bool = False,
+) -> tuple[AccessTokenPayload, RefreshTokenPayload]:
+    """Method called to exchange the OIDC token for a DIRAC generated access token."""
+    # Extract dirac attributes from the OIDC scope
+    parsed_scope = parse_and_validate_scope(scope, config, available_properties)
+    vo = parsed_scope["vo"]
+    dirac_group = parsed_scope["group"]
+    properties = parsed_scope["properties"]
+
+    # Extract attributes from the OIDC token details
+    sub = oidc_token_info["sub"]
+    if user_info := config.Registry[vo].Users.get(sub):
+        preferred_username = user_info.PreferedUsername
+    else:
+        preferred_username = oidc_token_info.get("preferred_username", sub)
+        raise NotImplementedError(
+            "Dynamic registration of users is not yet implemented"
+        )
+
+    # Check that the subject is part of the dirac users
+    if sub not in config.Registry[vo].Groups[dirac_group].Users:
+        raise PermissionError(
+            f"User is not a member of the requested group ({preferred_username}, {dirac_group})"
+        )
+
+    # Check that the user properties are valid
+    allowed_user_properties = get_allowed_user_properties(config, sub, vo)
+    if not properties.issubset(allowed_user_properties):
+        raise PermissionError(
+            f"{' '.join(properties - allowed_user_properties)} are not valid properties "
+            f"for user {preferred_username}, available values: {' '.join(allowed_user_properties)}"
+        )
+
+    # Merge the VO with the subject to get a unique DIRAC sub
+    sub = f"{vo}:{sub}"
+
+    # Insert the refresh token with user details into the RefreshTokens table
+    # User details are needed to regenerate access tokens later
+    jti, creation_time = await insert_refresh_token(
+        auth_db=auth_db,
+        subject=sub,
+        preferred_username=preferred_username,
+        scope=scope,
+    )
+
+    # Generate refresh token payload
+    if refresh_token_expire_minutes is None:
+        refresh_token_expire_minutes = settings.refresh_token_expire_minutes
+    refresh_payload: RefreshTokenPayload = {
+        "jti": str(jti),
+        "exp": creation_time + timedelta(minutes=refresh_token_expire_minutes),
+        # legacy_exchange is used to indicate that the original refresh token
+        # was obtained from the legacy_exchange endpoint
+        "legacy_exchange": legacy_exchange,
+        "dirac_policies": {},
+    }
+
+    # Generate access token payload
+    # For now, the access token is only used to access DIRAC services,
+    # therefore, the audience is not set and checked
+    access_payload: AccessTokenPayload = {
+        "sub": sub,
+        "vo": vo,
+        "iss": settings.token_issuer,
+        "dirac_properties": list(properties),
+        "jti": str(uuid4()),
+        "preferred_username": preferred_username,
+        "dirac_group": dirac_group,
+        "exp": creation_time + timedelta(minutes=settings.access_token_expire_minutes),
+        "dirac_policies": {},
+    }
+
+    return access_payload, refresh_payload
+
+
+def create_token(payload: TokenPayload, settings: AuthSettings) -> str:
+    jwt = JsonWebToken(settings.token_algorithm)
+    encoded_jwt = jwt.encode(
+        {"alg": settings.token_algorithm}, payload, settings.token_key.jwk
+    )
+    return encoded_jwt.decode("ascii")
+
+
+async def insert_refresh_token(
+    auth_db: AuthDB,
+    subject: str,
+    preferred_username: str,
+    scope: str,
+) -> tuple[UUID, datetime]:
+    """Insert a refresh token into the database and return the JWT ID and creation time."""
+    # Generate a JWT ID
+    jti = uuid4()
+
+    # Insert the refresh token into the DB
+    await auth_db.insert_refresh_token(
+        jti=jti,
+        subject=subject,
+        preferred_username=preferred_username,
+        scope=scope,
+    )
+
+    # Get the creation time of the refresh token
+    refresh_token = await auth_db.get_refresh_token(jti)
+    return jti, refresh_token["CreationTime"]
+
+
+async def get_device_flow(auth_db: AuthDB, device_code: str, max_validity: int):
+    """Get the device flow from the DB and check few parameters before returning it."""
+    res = await auth_db.get_device_flow(device_code)
+
+    if res["CreationTime"].replace(tzinfo=timezone.utc) < substract_date(
+        seconds=max_validity
+    ):
+        raise ExpiredFlowError()
+
+    if res["Status"] == FlowStatus.READY:
+        await auth_db.update_device_flow_status(device_code, FlowStatus.DONE)
+        return res
+
+    if res["Status"] == FlowStatus.DONE:
+        raise AuthorizationError("Code was already used")
+
+    if res["Status"] == FlowStatus.PENDING:
+        raise PendingAuthorizationError()
+
+    raise AuthorizationError("Bad state in device flow")
+
+
+async def get_authorization_flow(auth_db: AuthDB, code: str, max_validity: int):
+    """Get the authorization flow from the DB and check few parameters before returning it."""
+    res = await auth_db.get_authorization_flow(code, max_validity)
+
+    if res["Status"] == FlowStatus.READY:
+        await auth_db.update_authorization_flow_status(code, FlowStatus.DONE)
+        return res
+
+    if res["Status"] == FlowStatus.DONE:
+        raise AuthorizationError("Code was already used")
+
+    raise AuthorizationError("Bad state in authorization flow")