isa-model 0.3.91__py3-none-any.whl → 0.4.3__py3-none-any.whl

isa_model/serving/api/middleware/auth.py

@@ -0,0 +1,317 @@
+"""
+Optional Authentication Middleware
+
+Provides optional API key authentication for the ISA Model Platform.
+When authentication is disabled (default), all endpoints remain open.
+When enabled, requires API keys for access.
+"""
+
+from fastapi import HTTPException, status, Depends, Request
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials, APIKeyHeader, APIKeyQuery
+from typing import Optional, Dict, List, Union
+import hashlib
+import secrets
+import time
+import logging
+import os
+import json
+from pathlib import Path
+
+logger = logging.getLogger(__name__)
+
+# Configuration
+AUTH_ENABLED = os.getenv("REQUIRE_API_KEYS", "false").lower() == "true"
+API_KEYS_FILE = Path(os.path.dirname(__file__)).parent.parent.parent / "deployment" / "dev" / ".api_keys.json"
+
+# Security schemes (only used when auth is enabled)
+bearer_scheme = HTTPBearer(auto_error=False)
+api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
+api_key_query = APIKeyQuery(name="api_key", auto_error=False)
+
+class APIKeyManager:
+    def __init__(self):
+        self.api_keys: Dict[str, Dict] = {}
+        
+        # Load API keys first to check if auth should be enabled
+        self.load_api_keys()
+        
+        # Determine auth state: check explicit setting first, then auto-detect from keys
+        explicit_auth = AUTH_ENABLED
+        has_keys = len(self.api_keys) > 0
+        
+        # If explicitly disabled (REQUIRE_API_KEYS=false), respect that setting
+        if os.getenv("REQUIRE_API_KEYS", "").lower() == "false":
+            self.auth_enabled = False
+        else:
+            # Otherwise, enable if explicitly set OR if API keys exist
+            self.auth_enabled = explicit_auth or has_keys
+        
+        if self.auth_enabled:
+            logger.info(f"API Key authentication is ENABLED ({'explicit' if explicit_auth else 'auto-detected from keys'})")
+        else:
+            logger.info("API Key authentication is DISABLED - all endpoints are open")
+    
+    def load_api_keys(self):
+        """Load API keys from file"""
+        try:
+            if API_KEYS_FILE.exists():
+                with open(API_KEYS_FILE, 'r') as f:
+                    self.api_keys = json.load(f)
+                logger.info(f"Loaded {len(self.api_keys)} API keys")
+            else:
+                self.api_keys = {}
+                logger.info("No API keys file found - authentication will be disabled")
+        except Exception as e:
+            logger.error(f"Error loading API keys: {e}")
+            self.api_keys = {}
+    
+    def save_api_keys(self):
+        """Save API keys to file"""
+        try:
+            API_KEYS_FILE.parent.mkdir(parents=True, exist_ok=True)
+            with open(API_KEYS_FILE, 'w') as f:
+                json.dump(self.api_keys, f, indent=2)
+            logger.info("API keys saved successfully")
+        except Exception as e:
+            logger.error(f"Error saving API keys: {e}")
+    
+    def create_default_keys(self):
+        """Create default API keys for initial setup"""
+        admin_key = self.generate_api_key("admin", scopes=["read", "write", "admin"])
+        dev_key = self.generate_api_key("development", scopes=["read", "write"])
+        
+        logger.warning("=== CREATED DEFAULT API KEYS ===")
+        logger.warning(f"Admin API Key: {admin_key}")
+        logger.warning(f"Development API Key: {dev_key}")
+        logger.warning("Please save these keys securely!")
+        logger.warning("=====================================")
+        
+        return {"admin_key": admin_key, "dev_key": dev_key}
+    
+    def generate_api_key(self, name: str, scopes: List[str] = None) -> str:
+        """Generate a new API key"""
+        if scopes is None:
+            scopes = ["read"]
+        
+        # Generate secure random key
+        key = f"isa_{secrets.token_urlsafe(32)}"
+        key_hash = hashlib.sha256(key.encode()).hexdigest()
+        
+        # Store key metadata
+        self.api_keys[key_hash] = {
+            "name": name,
+            "scopes": scopes,
+            "created_at": time.time(),
+            "last_used": None,
+            "usage_count": 0,
+            "active": True
+        }
+        
+        self.save_api_keys()
+        return key
+    
+    def validate_api_key(self, api_key: str) -> Optional[Dict]:
+        """Validate an API key and return its metadata"""
+        if not self.auth_enabled:
+            # When auth is disabled, return a default user context
+            return {
+                "name": "anonymous",
+                "scopes": ["read", "write", "admin"],
+                "auth_enabled": False
+            }
+        
+        if not api_key:
+            return None
+        
+        key_hash = hashlib.sha256(api_key.encode()).hexdigest()
+        key_data = self.api_keys.get(key_hash)
+        
+        if not key_data or not key_data.get("active", True):
+            return None
+        
+        # Update usage statistics
+        key_data["last_used"] = time.time()
+        key_data["usage_count"] = key_data.get("usage_count", 0) + 1
+        key_data["auth_enabled"] = True
+        self.save_api_keys()
+        
+        return key_data
+    
+    def revoke_api_key(self, api_key: str) -> bool:
+        """Revoke an API key"""
+        if not self.auth_enabled:
+            return False
+        
+        key_hash = hashlib.sha256(api_key.encode()).hexdigest()
+        if key_hash in self.api_keys:
+            self.api_keys[key_hash]["active"] = False
+            self.save_api_keys()
+            return True
+        return False
+    
+    def list_api_keys(self) -> List[Dict]:
+        """List all API keys (without revealing the actual keys)"""
+        if not self.auth_enabled:
+            return []
+        
+        return [
+            {
+                "key_hash": key_hash[:16] + "...",
+                "name": data["name"],
+                "scopes": data["scopes"],
+                "created_at": data["created_at"],
+                "last_used": data.get("last_used"),
+                "usage_count": data.get("usage_count", 0),
+                "active": data.get("active", True)
+            }
+            for key_hash, data in self.api_keys.items()
+        ]
+    
+    def enable_auth(self):
+        """Enable authentication"""
+        self.auth_enabled = True
+        if not self.api_keys:
+            return self.create_default_keys()
+        return None
+    
+    def disable_auth(self):
+        """Disable authentication"""
+        self.auth_enabled = False
+
+# Global API key manager instance
+api_key_manager = APIKeyManager()
+
+async def get_api_key_from_request(
+    request: Request,
+    bearer_token: Optional[HTTPAuthorizationCredentials] = Depends(bearer_scheme),
+    header_key: Optional[str] = Depends(api_key_header),
+    query_key: Optional[str] = Depends(api_key_query)
+) -> Optional[str]:
+    """Extract API key from various sources"""
+    
+    # If auth is disabled, return None (will be handled as anonymous)
+    if not api_key_manager.auth_enabled:
+        return None
+    
+    # Try Bearer token first
+    if bearer_token:
+        return bearer_token.credentials
+    
+    # Try X-API-Key header
+    if header_key:
+        return header_key
+    
+    # Try query parameter
+    if query_key:
+        return query_key
+    
+    return None
+
+async def authenticate_api_key(api_key: str = Depends(get_api_key_from_request)) -> Dict:
+    """Authenticate API key and return user info (optional when auth disabled)"""
+    
+    # When auth is disabled, always succeed with anonymous user
+    if not api_key_manager.auth_enabled:
+        return {
+            "name": "anonymous",
+            "scopes": ["read", "write", "admin"],
+            "auth_enabled": False,
+            "authenticated": False
+        }
+    
+    # When auth is enabled, require valid API key
+    if not api_key:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="API key required. Provide via Authorization header, X-API-Key header, or api_key query parameter",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    
+    key_data = api_key_manager.validate_api_key(api_key)
+    
+    if not key_data:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired API key",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    
+    key_data["authenticated"] = True
+    return key_data
+
+async def require_scope(required_scope: str):
+    """Create a dependency that requires a specific scope"""
+    async def check_scope(current_user: Dict = Depends(authenticate_api_key)) -> Dict:
+        # When auth is disabled, always allow
+        if not current_user.get("auth_enabled", True):
+            return current_user
+        
+        user_scopes = current_user.get("scopes", [])
+        
+        if required_scope not in user_scopes and "admin" not in user_scopes:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Insufficient permissions. Required scope: {required_scope}"
+            )
+        
+        return current_user
+    
+    return check_scope
+
+# Convenience dependencies for common scopes
+async def require_read_access(current_user: Dict = Depends(authenticate_api_key)) -> Dict:
+    """Require read access (or auth disabled)"""
+    if not current_user.get("auth_enabled", True):
+        return current_user
+    
+    user_scopes = current_user.get("scopes", [])
+    if not any(scope in user_scopes for scope in ["read", "write", "admin"]):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Read access required"
+        )
+    return current_user
+
+async def require_write_access(current_user: Dict = Depends(authenticate_api_key)) -> Dict:
+    """Require write access (or auth disabled)"""
+    if not current_user.get("auth_enabled", True):
+        return current_user
+    
+    user_scopes = current_user.get("scopes", [])
+    if not any(scope in user_scopes for scope in ["write", "admin"]):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Write access required"
+        )
+    return current_user
+
+async def require_admin_access(current_user: Dict = Depends(authenticate_api_key)) -> Dict:
+    """Require admin access (or auth disabled)"""
+    if not current_user.get("auth_enabled", True):
+        return current_user
+    
+    user_scopes = current_user.get("scopes", [])
+    if "admin" not in user_scopes:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required"
+        )
+    return current_user
+
+# Optional authentication (always returns user info, never fails)
+async def optional_auth(api_key: str = Depends(get_api_key_from_request)) -> Dict:
+    """Optional authentication - returns user info if available, anonymous if not"""
+    try:
+        return api_key_manager.validate_api_key(api_key) or {
+            "name": "anonymous",
+            "scopes": [],
+            "auth_enabled": api_key_manager.auth_enabled,
+            "authenticated": False
+        }
+    except Exception:
+        return {
+            "name": "anonymous", 
+            "scopes": [],
+            "auth_enabled": api_key_manager.auth_enabled,
+            "authenticated": False
+        }

isa_model/serving/api/middleware/security.py

@@ -0,0 +1,268 @@
+"""
+Security middleware for production deployment
+
+Provides comprehensive security features including:
+- Rate limiting with Redis backend
+- Security headers
+- Request size limits
+- Input validation and sanitization
+- CORS protection
+"""
+
+import time
+import logging
+import os
+import redis
+from typing import Dict, Any, Optional, Callable
+from fastapi import FastAPI, Request, Response, HTTPException, status
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.util import get_remote_address
+from slowapi.errors import RateLimitExceeded
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import JSONResponse
+import html
+
+from ....core.config.config_manager import ConfigManager
+
+# Configure logging
+logger = logging.getLogger(__name__)
+
+# Configuration from environment variables
+config_manager = ConfigManager()
+MAX_REQUEST_SIZE = int(os.getenv("MAX_REQUEST_SIZE_MB", "50")) * 1024 * 1024  # 50MB default
+# Use Consul discovery for Redis URL with fallback
+REDIS_URL = os.getenv("REDIS_URL", config_manager.get_redis_url())
+ENABLE_RATE_LIMITING = os.getenv("ENABLE_RATE_LIMITING", "true").lower() == "true"
+RATE_LIMIT_PER_MINUTE = os.getenv("RATE_LIMIT_PER_MINUTE", "100")
+RATE_LIMIT_PER_HOUR = os.getenv("RATE_LIMIT_PER_HOUR", "1000")
+
+# Security headers configuration
+SECURITY_HEADERS = {
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    "X-XSS-Protection": "1; mode=block",
+    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://fastapi.tiangolo.com data:; connect-src 'self'",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+    "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
+}
+
+# Initialize Redis connection for rate limiting
+try:
+    redis_client = redis.from_url(REDIS_URL, decode_responses=True)
+    redis_client.ping()  # Test connection
+    logger.info("Redis connection established for rate limiting")
+except Exception as e:
+    logger.warning(f"Redis connection failed, using in-memory rate limiting: {e}")
+    redis_client = None
+
+# Initialize rate limiter
+def get_remote_address_with_proxy(request: Request):
+    """Get client IP considering proxy headers"""
+    forwarded_for = request.headers.get("X-Forwarded-For")
+    if forwarded_for:
+        return forwarded_for.split(",")[0].strip()
+    
+    real_ip = request.headers.get("X-Real-IP")
+    if real_ip:
+        return real_ip
+    
+    return get_remote_address(request)
+
+# Rate limiter with Redis backend if available
+if redis_client:
+    limiter = Limiter(
+        key_func=get_remote_address_with_proxy,
+        storage_uri=REDIS_URL,
+        strategy="fixed-window"
+    )
+else:
+    limiter = Limiter(
+        key_func=get_remote_address_with_proxy,
+        strategy="fixed-window"
+    )
+
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    """Add security headers to all responses"""
+    
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        try:
+            response = await call_next(request)
+            
+            # Add security headers
+            for header, value in SECURITY_HEADERS.items():
+                response.headers[header] = value
+            
+            # Add processing time header
+            if hasattr(request.state, 'start_time'):
+                process_time = time.time() - request.state.start_time
+                response.headers["X-Process-Time"] = str(process_time)
+            
+            return response
+            
+        except Exception as e:
+            logger.error(f"Error in security headers middleware: {e}")
+            return JSONResponse(
+                status_code=500,
+                content={"error": "Internal server error"},
+                headers=SECURITY_HEADERS
+            )
+
+class RequestValidationMiddleware(BaseHTTPMiddleware):
+    """Validate request size and sanitize inputs"""
+    
+    async def dispatch(self, request: Request, call_next: Callable) -> Response:
+        # Record start time for performance monitoring
+        request.state.start_time = time.time()
+        
+        try:
+            # Check request size
+            content_length = request.headers.get("content-length")
+            if content_length and int(content_length) > MAX_REQUEST_SIZE:
+                logger.warning(
+                    f"Request too large: {content_length} bytes > {MAX_REQUEST_SIZE} bytes "
+                    f"from client {get_remote_address_with_proxy(request)}"
+                )
+                raise HTTPException(
+                    status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
+                    detail=f"Request too large. Maximum size: {MAX_REQUEST_SIZE // (1024*1024)}MB"
+                )
+            
+            # Sanitize query parameters
+            if request.url.query:
+                sanitized_query = html.escape(request.url.query)
+                if sanitized_query != request.url.query:
+                    logger.warning(
+                        f"Potentially malicious query parameters detected from client {get_remote_address_with_proxy(request)}: "
+                        f"'{request.url.query}' -> '{sanitized_query}'"
+                    )
+            
+            # Log request details for monitoring
+            logger.info(
+                f"Request received: {request.method} {request.url.path} "
+                f"from {get_remote_address_with_proxy(request)} "
+                f"(UA: {request.headers.get('user-agent', 'unknown')})"
+            )
+            
+            response = await call_next(request)
+            
+            # Log response details
+            process_time = time.time() - request.state.start_time
+            logger.info(
+                f"Request completed: {request.method} {request.url.path} -> {response.status_code} "
+                f"in {process_time:.3f}s from {get_remote_address_with_proxy(request)}"
+            )
+            
+            return response
+            
+        except HTTPException:
+            raise
+        except Exception as e:
+            logger.error(
+                f"Error in request validation middleware: {e} "
+                f"({request.method} {request.url.path} from {get_remote_address_with_proxy(request)})"
+            )
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Internal server error"
+            )
+
+def setup_security_middleware(app: FastAPI):
+    """Setup all security middleware for the FastAPI application"""
+    
+    # Rate limiting setup
+    if ENABLE_RATE_LIMITING:
+        app.state.limiter = limiter
+        app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+        logger.info(f"Rate limiting enabled (Redis backend: {redis_client is not None})")
+    
+    # Trusted hosts (production should specify allowed hosts)
+    allowed_hosts = os.getenv("ALLOWED_HOSTS", "*").split(",")
+    if allowed_hosts != ["*"]:
+        app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)
+        logger.info(f"Trusted hosts middleware enabled: {allowed_hosts}")
+    
+    # CORS configuration
+    cors_origins = os.getenv("CORS_ORIGINS", "*").split(",")
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=cors_origins,
+        allow_credentials=True,
+        allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+        allow_headers=["*"],
+        expose_headers=["X-Process-Time"]
+    )
+    logger.info(f"CORS middleware enabled for origins: {cors_origins}")
+    
+    # Custom security middleware
+    app.add_middleware(SecurityHeadersMiddleware)
+    app.add_middleware(RequestValidationMiddleware)
+    
+    logger.info("Security middleware setup completed")
+
+def get_rate_limiter():
+    """Get the configured rate limiter"""
+    return limiter
+
+# Rate limiting decorators for different use cases
+def rate_limit_standard():
+    """Standard rate limit for general API usage"""
+    return limiter.limit(f"{RATE_LIMIT_PER_MINUTE}/minute")
+
+def rate_limit_heavy():
+    """Heavy rate limit for resource-intensive operations"""
+    heavy_limit = int(RATE_LIMIT_PER_MINUTE) // 5  # 20% of standard limit
+    return limiter.limit(f"{heavy_limit}/minute")
+
+def rate_limit_auth():
+    """Strict rate limit for authentication endpoints"""
+    return limiter.limit("10/minute")
+
+# Security utilities
+def sanitize_input(text: str) -> str:
+    """Sanitize text input to prevent XSS attacks"""
+    if not isinstance(text, str):
+        return text
+    return html.escape(text)
+
+def validate_api_key_format(api_key: str) -> bool:
+    """Validate API key format"""
+    if not isinstance(api_key, str):
+        return False
+    
+    # Check if it starts with expected prefix
+    if not api_key.startswith("isa_"):
+        return False
+    
+    # Check minimum length (should be > 20 characters)
+    if len(api_key) < 25:
+        return False
+    
+    return True
+
+def get_client_info(request: Request) -> Dict[str, Any]:
+    """Extract client information for logging and monitoring"""
+    return {
+        "ip": get_remote_address_with_proxy(request),
+        "user_agent": request.headers.get("user-agent", "unknown"),
+        "referer": request.headers.get("referer"),
+        "forwarded_for": request.headers.get("x-forwarded-for"),
+        "real_ip": request.headers.get("x-real-ip"),
+        "method": request.method,
+        "path": request.url.path,
+        "query": request.url.query
+    }
+
+# Health check for Redis connection
+async def check_redis_health() -> Dict[str, Any]:
+    """Check Redis connection health"""
+    if not redis_client:
+        return {"redis": "disabled", "status": "ok"}
+    
+    try:
+        redis_client.ping()
+        return {"redis": "connected", "status": "ok"}
+    except Exception as e:
+        return {"redis": "error", "status": "error", "error": str(e)}