meerschaum 2.9.4__py3-none-any.whl → 3.0.0rc1__py3-none-any.whl

meerschaum/api/__init__.py

@@ -14,7 +14,7 @@ from fnmatch import fnmatch
 import meerschaum as mrsm
 from meerschaum.utils.typing import Dict, Any, Optional, PipesDict
 from meerschaum.config import get_config
-from meerschaum.config.static import STATIC_CONFIG, SERVER_ID
+from meerschaum._internal.static import STATIC_CONFIG, SERVER_ID
 from meerschaum.utils.packages import attempt_import
 from meerschaum.utils import get_pipes as _get_pipes
 from meerschaum.config._paths import API_UVICORN_CONFIG_PATH, API_UVICORN_RESOURCES_PATH
@@ -95,10 +95,12 @@ def get_uvicorn_config() -> Dict[str, Any]:
 
 debug = get_uvicorn_config().get('debug', False)
 no_dash = get_uvicorn_config().get('no_dash', False)
+no_webterm = get_uvicorn_config().get('no_webterm', False)
 no_auth = get_uvicorn_config().get('no_auth', False)
 private = get_uvicorn_config().get('private', False)
 production = get_uvicorn_config().get('production', False)
 _include_dash = (not no_dash)
+_include_webterm = (not no_webterm) and _include_dash
 docs_enabled = not production or sys_config.get('endpoints', {}).get('docs_in_production', True)
 
 default_instance_keys = None
@@ -210,6 +212,11 @@ def get_pipe(
     if location_key in ('[None]', 'None', 'null'):
         location_key = None
     instance_keys = str(get_api_connector(instance_keys))
+    if connector_keys == 'mrsm':
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail="Unable to serve any pipes with connector keys `mrsm` over the API.",
+        )
     pipe = mrsm.Pipe(connector_keys, metric_key, location_key, mrsm_instance=instance_keys)
     if is_pipe_registered(pipe, pipes(instance_keys)):
         return pipes(instance_keys, refresh=refresh)[connector_keys][metric_key][location_key]
@@ -291,7 +298,7 @@ def __getattr__(name: str):
     raise AttributeError(f"Could not import '{name}'.")
 
 ### Import everything else within the API.
-from meerschaum.api._oauth2 import manager
+from meerschaum.api._oauth2 import manager, ScopedAuth
 import meerschaum.api.routes as routes
 import meerschaum.api._events
 import meerschaum.api._websockets

meerschaum/api/_events.py

@@ -16,6 +16,8 @@ from meerschaum.api import (
     get_uvicorn_config,
     debug,
     no_dash,
+    _include_dash,
+    _include_webterm,
 )
 from meerschaum.utils.debug import dprint
 from meerschaum.connectors.poll import retry_connect
@@ -25,7 +27,7 @@ from meerschaum.jobs import (
     start_check_jobs_thread,
     stop_check_jobs_thread,
 )
-from meerschaum.config.static import STATIC_CONFIG
+from meerschaum._internal.static import STATIC_CONFIG
 
 TEMP_PREFIX: str = STATIC_CONFIG['api']['jobs']['temp_prefix']
 
@@ -35,8 +37,43 @@ async def startup():
     """
     Connect to the instance database and begin monitoring jobs.
     """
+    app.openapi_schema = app.openapi()
+
+    ### Remove the implicitly added HTTPBearer scheme if it exists.
+    if 'BearerAuth' in app.openapi_schema['components']['securitySchemes']:
+        del app.openapi_schema['components']['securitySchemes']['BearerAuth']
+    elif 'HTTPBearer' in app.openapi_schema['components']['securitySchemes']:
+        del app.openapi_schema['components']['securitySchemes']['HTTPBearer']
+    if 'LoginManager' in app.openapi_schema['components']['securitySchemes']:
+        del app.openapi_schema['components']['securitySchemes']['LoginManager']
+
+    scopes = STATIC_CONFIG['tokens']['scopes']
+    app.openapi_schema['components']['securitySchemes']['OAuth2PasswordBearer'] = {
+        'type': 'oauth2',
+        'flows': {
+            'password': {
+                'tokenUrl': STATIC_CONFIG['api']['endpoints']['login'],
+                'scopes': scopes,
+            },
+        },
+    }
+    app.openapi_schema['components']['securitySchemes']['APIKey'] = {
+        'type': 'http',
+        'scheme': 'bearer',
+        'bearerFormat': 'mrsm-key:{client_id}:{client_secret}',
+        'description': 'Authentication using a Meerschaum API Key.',
+    }
+    app.openapi_schema['security'] = [
+        {
+            'OAuth2PasswordBearer': [],
+        },
+        {
+            'APIKey': [],
+        }
+    ]
+
     try:
-        if not no_dash:
+        if _include_webterm:
             from meerschaum.api.dash.webterm import start_webterm
             start_webterm()
 

meerschaum/api/_oauth2.py

@@ -7,21 +7,34 @@ Define JWT authorization here.
 """
 
 import os
-from meerschaum.api import app, endpoints, CHECK_UPDATE
+import base64
+import functools
+import inspect
+from typing import List, Optional, Union
+
+from meerschaum.api import endpoints, CHECK_UPDATE, no_auth, debug
+from meerschaum.api._tokens import optional_token, get_token_from_authorization
+from meerschaum._internal.static import STATIC_CONFIG
 from meerschaum.utils.packages import attempt_import
-fastapi = attempt_import('fastapi', lazy=False, check_update=CHECK_UPDATE)
+from meerschaum.core import User, Token
+
+fastapi, starlette = attempt_import('fastapi', 'starlette', lazy=False, check_update=CHECK_UPDATE)
 fastapi_responses = attempt_import('fastapi.responses', lazy=False, check_update=CHECK_UPDATE)
 fastapi_login = attempt_import('fastapi_login', check_update=CHECK_UPDATE)
+from fastapi import Depends, HTTPException, Request
+from starlette import status
+
 
 class CustomOAuth2PasswordRequestForm:
     def __init__(
         self,
         grant_type: str = fastapi.Form(None, regex="password|client_credentials"),
-        username: str = fastapi.Form(...),
-        password: str = fastapi.Form(...),
-        scope: str = fastapi.Form(""),
-        client_id: str = fastapi.Form(None),
-        client_secret: str = fastapi.Form(None),
+        username: Optional[str] = fastapi.Form(None),
+        password: Optional[str] = fastapi.Form(None),
+        scope: str = fastapi.Form(" ".join(STATIC_CONFIG['tokens']['scopes'])),
+        client_id: Optional[str] = fastapi.Form(None),
+        client_secret: Optional[str] = fastapi.Form(None),
+        authorization: Optional[str] = fastapi.Header(None),
     ):
         self.grant_type = grant_type
         self.username = username
@@ -30,9 +43,106 @@ class CustomOAuth2PasswordRequestForm:
         self.client_id = client_id
         self.client_secret = client_secret
 
+        if (
+            not username
+            and not password
+            and not self.client_id
+            and not self.client_secret
+            and authorization
+        ):
+            try:
+                scheme, credentials = authorization.split()
+                if credentials.startswith('mrsm-key:'):
+                    credentials = credentials[len('mrsm-key:'):]
+                if scheme.lower() in ('basic', 'bearer'):
+                    decoded_credentials = base64.b64decode(credentials).decode('utf-8')
+                    _client_id, _client_secret = decoded_credentials.split(':', 1)
+                    self.client_id = _client_id
+                    self.client_secret = _client_secret
+                    self.grant_type = 'client_credentials'
+            except ValueError:
+                pass
+
+
+async def optional_user(request: Request) -> Optional[User]:
+    """
+    FastAPI dependency that returns a User if logged in, otherwise None.
+    """
+    if no_auth:
+        return None
+    return await manager(request)
+    try:
+        return await manager(request)
+    except HTTPException:
+        return None
+
+
+async def load_user_or_token(
+    request: Request,
+    users: bool = True,
+    tokens: bool = True,
+) -> Union[User, Token, None]:
+    """
+    Load the current user or token.
+    """
+    authorization = request.headers.get('authorization', request.headers.get('Authorization', None))
+    if not authorization:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated.",
+        )
+    authorization = authorization.replace('Basic ', '').replace('Bearer ', '')
+    if not authorization.startswith('mrsm-key:'):
+        if not users:
+            raise HTTPException(
+                status=status.HTTP_401_UNAUTHORIZED,
+                detail="Users not authenticated for this endpoint.",
+            )
+        return await manager(request)
+    if not tokens:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Tokens not authenticated for this endpoint.",
+        )
+    return get_token_from_authorization(authorization)
+
+
+def ScopedAuth(scopes: List[str]):
+    """
+    Dependency factory for authenticating with either a user session or a scoped token.
+    """
+    async def _authenticate(
+        user_or_token: Union[User, Token, None] = Depends(
+            load_user_or_token,
+        ),
+    ) -> Union[User, Token, None]:
+        if no_auth:
+            return None
+
+        if not user_or_token:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Not authenticated.",
+                headers={"WWW-Authenticate": "Basic"},
+            )
+
+        fresh_scopes = user_or_token.get_scopes(refresh=True, debug=debug)
+        if '*' in fresh_scopes:
+            return user_or_token
+
+        for scope in scopes:
+            if scope not in fresh_scopes:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=f"Missing required scope: '{scope}'",
+                )
+        
+        return user_or_token
+    return _authenticate
+
 
 LoginManager = fastapi_login.LoginManager
-def generate_secret_key() -> str:
+def generate_secret_key() -> bytes:
     """
     Read or generate the secret keyfile.
     """

meerschaum/api/_tokens.py

@@ -0,0 +1,102 @@
+#! /usr/bin/env python3
+# vim:fenc=utf-8
+
+"""
+Define the authentication logic for Meerschaum Tokens.
+"""
+
+import base64
+import uuid
+from typing import Optional, Union, List
+from datetime import datetime, timezone
+
+from fastapi import Depends, HTTPException, Request
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from starlette import status
+
+import meerschaum as mrsm
+from meerschaum.api import (
+    get_api_connector,
+    debug,
+)
+from meerschaum.core import Token, User
+from meerschaum.core.User import verify_password
+
+
+http_bearer = HTTPBearer(auto_error=False, scheme_name="APIKey")
+
+
+def get_token_from_authorization(authorization: str) -> Token:
+    """
+    Helper function to decode and verify a token from credentials.
+    Raises HTTPException on failure.
+    """
+    if authorization.startswith('mrsm-key:'):
+        authorization = authorization[len('mrsm-key:'):]
+    try:
+        credential_string = base64.b64decode(authorization).decode('utf-8')
+        token_id_str, secret = credential_string.split(':', 1)
+        token_id = uuid.UUID(token_id_str)
+    except Exception:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token format. Expected Base64-encoded 'token_id:secret'.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    conn = get_api_connector()
+    token = conn.get_token(token_id)
+
+    if not token or not token.is_valid:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or revoked token.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    if token.get_expiration_status(debug=debug):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has expired.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    if not verify_password(secret, token.secret_hash):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid secret.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    return token
+
+
+def get_current_token(
+    auth_creds: Optional[HTTPAuthorizationCredentials] = Depends(http_bearer),
+) -> Token:
+    """
+    FastAPI dependency to authenticate a request with a Meerschaum Token.
+    This dependency will fail if no token is provided.
+    """
+    if auth_creds is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return get_token_from_authorization(auth_creds.credentials)
+
+
+async def optional_token(
+    auth_creds: Optional[HTTPAuthorizationCredentials] = Depends(http_bearer),
+) -> Optional[Token]:
+    """
+    FastAPI dependency that returns a Token if provided, otherwise None.
+    """
+    if not auth_creds:
+        return None
+
+    try:
+        return get_token_from_authorization(auth_creds.credentials)
+    except HTTPException as e:
+        return None

meerschaum/api/dash/__init__.py

@@ -19,7 +19,6 @@ _monkey_patch_get_distribution('flask-compress', flask_compress.__version__)
 dash = attempt_import('dash', lazy=False)
 
 from meerschaum.utils.typing import List, Optional
-from meerschaum.config.static import _static_config
 from meerschaum.api import (
     app as fastapi_app,
     debug,

meerschaum/api/dash/callbacks/custom.py

@@ -36,9 +36,9 @@ def add_plugin_pages(debug: bool = False):
     """
     Allow users to add pages via the `@web_page` decorator.
     """
-    for plugin_name, pages_dicts in _plugin_endpoints_to_pages.items():
+    for page_group, pages_dicts in _plugin_endpoints_to_pages.items():
         if debug:
-            dprint(f"Adding pages from plugin '{plugin_name}'...")
+            dprint(f"Adding pages for group '{page_group}'...")
         for _endpoint, _page_dict in pages_dicts.items():
             page_layout = _page_dict['function']()
             if not _page_dict['skip_navbar']: