nmdc-runtime 2.6.0__py3-none-any.whl → 2.12.0__py3-none-any.whl

nmdc_runtime/api/core/auth.py

@@ -0,0 +1,212 @@
+import os
+from datetime import datetime, timedelta, timezone
+from typing import Optional, Dict
+
+from fastapi import Depends
+from fastapi.exceptions import HTTPException
+from fastapi.openapi.models import OAuthFlows as OAuthFlowsModel
+from fastapi.param_functions import Form
+from fastapi.security import (
+    OAuth2,
+    HTTPBasic,
+    HTTPBasicCredentials,
+    HTTPBearer,
+    HTTPAuthorizationCredentials,
+)
+from fastapi.security.utils import get_authorization_scheme_param
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from pydantic import BaseModel
+from starlette.requests import Request
+from starlette.status import HTTP_400_BAD_REQUEST, HTTP_401_UNAUTHORIZED
+
+ORCID_PRODUCTION_BASE_URL = "https://orcid.org"
+
+SECRET_KEY = os.getenv("JWT_SECRET_KEY")
+ALGORITHM = "HS256"
+ORCID_NMDC_CLIENT_ID = os.getenv("ORCID_NMDC_CLIENT_ID")
+ORCID_NMDC_CLIENT_SECRET = os.getenv("ORCID_NMDC_CLIENT_SECRET")
+ORCID_BASE_URL = os.getenv("ORCID_BASE_URL", default=ORCID_PRODUCTION_BASE_URL)
+
+# Define the JSON Web Key Set (JWKS) for ORCID.
+#
+# Note: The URL from which we got this dictionary is: https://orcid.org/oauth/jwks
+#       We got _that_ URL from the dictionary at: https://orcid.org/.well-known/openid-configuration
+#
+# TODO: Consider _live-loading_ this dictionary from the Internet.
+#
+ORCID_JWK = {
+    "e": "AQAB",
+    "kid": "production-orcid-org-7hdmdswarosg3gjujo8agwtazgkp1ojs",
+    "kty": "RSA",
+    "n": "jxTIntA7YvdfnYkLSN4wk__E2zf_wbb0SV_HLHFvh6a9ENVRD1_rHK0EijlBzikb-1rgDQihJETcgBLsMoZVQqGj8fDUUuxnVHsuGav_bf41PA7E_58HXKPrB2C0cON41f7K3o9TStKpVJOSXBrRWURmNQ64qnSSryn1nCxMzXpaw7VUo409ohybbvN6ngxVy4QR2NCC7Fr0QVdtapxD7zdlwx6lEwGemuqs_oG5oDtrRuRgeOHmRps2R6gG5oc-JqVMrVRv6F9h4ja3UgxCDBQjOVT1BFPWmMHnHCsVYLqbbXkZUfvP2sO1dJiYd_zrQhi-FtNth9qrLLv3gkgtwQ",
+    "use": "sig",
+}
+# If the application is using a _non-production_ ORCID environment, overwrite
+# the "kid" and "n" values with those from the sandbox ORCID environment.
+#
+# Source: https://sandbox.orcid.org/oauth/jwks
+#
+if ORCID_BASE_URL != ORCID_PRODUCTION_BASE_URL:
+    ORCID_JWK["kid"] = "sandbox-orcid-org-3hpgosl3b6lapenh1ewsgdob3fawepoj"
+    ORCID_JWK["n"] = (
+        "pl-jp-kTAGf6BZUrWIYUJTvqqMVd4iAnoLS6vve-KNV0q8TxKvMre7oi9IulDcqTuJ1alHrZAIVlgrgFn88MKirZuTqHG6LCtEsr7qGD9XyVcz64oXrb9vx4FO9tLNQxvdnIWCIwyPAYWtPMHMSSD5oEVUtVL_5IaxfCJvU-FchdHiwfxvXMWmA-i3mcEEe9zggag2vUPPIqUwbPVUFNj2hE7UsZbasuIToEMFRZqSB6juc9zv6PEUueQ5hAJCEylTkzMwyBMibrt04TmtZk2w9DfKJR91555s2ZMstX4G_su1_FqQ6p9vgcuLQ6tCtrW77tta-Rw7McF_tyPmvnhQ"
+    )
+
+ORCID_JWS_VERITY_ALGORITHM = "RS256"
+
+
+class ClientCredentials(BaseModel):
+    client_id: str
+    client_secret: str
+
+
+class TokenExpires(BaseModel):
+    days: Optional[int] = 1
+    hours: Optional[int] = 0
+    minutes: Optional[int] = 0
+
+
+ACCESS_TOKEN_EXPIRES = TokenExpires(days=1, hours=0, minutes=0)
+
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str
+    expires: Optional[TokenExpires] = None
+
+
+class TokenData(BaseModel):
+    subject: Optional[str] = None
+
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+credentials_exception = HTTPException(
+    status_code=HTTP_401_UNAUTHORIZED,
+    detail="Could not validate credentials",
+    headers={"WWW-Authenticate": "Bearer"},
+)
+
+
+def verify_password(plain_password, hashed_password):
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def get_password_hash(password):
+    return pwd_context.hash(password)
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.now(timezone.utc) + expires_delta
+    else:
+        expire = datetime.now(timezone.utc) + timedelta(minutes=15)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+
+def get_access_token_expiration(token) -> datetime:
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return payload.get("exp")
+    except JWTError:
+        raise credentials_exception
+
+
+class OAuth2PasswordOrClientCredentialsBearer(OAuth2):
+    """
+    TODO: Document this undocumented class.
+    """
+
+    def __init__(
+        self,
+        tokenUrl: str,
+        scheme_name: Optional[str] = None,
+        scopes: Optional[Dict[str, str]] = None,
+        auto_error: bool = True,
+    ):
+        if not scopes:
+            scopes = {}
+        flows = OAuthFlowsModel(
+            password={"tokenUrl": tokenUrl, "scopes": scopes},
+            clientCredentials={"tokenUrl": tokenUrl},
+        )
+        super().__init__(flows=flows, scheme_name=scheme_name, auto_error=auto_error)
+
+    async def __call__(self, request: Request) -> Optional[str]:
+        authorization: str = request.headers.get("Authorization")
+        scheme, param = get_authorization_scheme_param(authorization)
+        if not authorization or scheme.lower() != "bearer":
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=HTTP_401_UNAUTHORIZED,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+            else:
+                print(request.url)
+                return None
+        return param
+
+
+oauth2_scheme = OAuth2PasswordOrClientCredentialsBearer(
+    tokenUrl="token", auto_error=False
+)
+optional_oauth2_scheme = OAuth2PasswordOrClientCredentialsBearer(
+    tokenUrl="token", auto_error=False
+)
+
+bearer_scheme = HTTPBearer(scheme_name="bearerAuth", auto_error=False)
+
+
+async def basic_credentials(req: Request):
+    return await HTTPBasic(auto_error=False)(req)
+
+
+async def bearer_credentials(req: Request):
+    return await HTTPBearer(scheme_name="bearerAuth", auto_error=False)(req)
+
+
+class OAuth2PasswordOrClientCredentialsRequestForm:
+    def __init__(
+        self,
+        basic_creds: Optional[HTTPBasicCredentials] = Depends(basic_credentials),
+        bearer_creds: Optional[HTTPAuthorizationCredentials] = Depends(
+            bearer_credentials
+        ),
+        grant_type: str = Form(None, pattern="^password$|^client_credentials$"),
+        username: Optional[str] = Form(None),
+        password: Optional[str] = Form(None),
+        scope: str = Form(""),
+        client_id: Optional[str] = Form(None),
+        client_secret: Optional[str] = Form(None),
+    ):
+        if bearer_creds:
+            self.grant_type = "client_credentials"
+            self.username, self.password = None, None
+            self.scopes = scope.split()
+            self.client_id = bearer_creds.credentials
+            self.client_secret = None
+        elif grant_type == "password" and (username is None or password is None):
+            raise HTTPException(
+                status_code=HTTP_400_BAD_REQUEST,
+                detail="grant_type password requires username and password",
+            )
+        elif grant_type == "client_credentials" and (client_id is None):
+            if basic_creds:
+                client_id = basic_creds.username
+                client_secret = basic_creds.password
+            else:
+                raise HTTPException(
+                    status_code=HTTP_400_BAD_REQUEST,
+                    detail="grant_type client_credentials requires client_id and client_secret",
+                )
+        self.grant_type = grant_type
+        self.username = username
+        self.password = password
+        self.scopes = scope.split()
+        self.client_id = client_id
+        self.client_secret = client_secret

nmdc_runtime/api/core/idgen.py

@@ -0,0 +1,200 @@
+from datetime import datetime, timezone
+from typing import List
+
+import base32_lib as base32
+from pymongo.database import Database as MongoDatabase
+
+
+def generate_id(length=10, split_every=4, checksum=True) -> str:
+    """Generate random base32 string: a user-shareable ID for a database entity.
+
+    Uses Douglas Crockford Base32 encoding: <https://www.crockford.com/base32.html>
+
+    Default is 8 characters (5-bits each) plus 2 digit characters for ISO 7064 checksum,
+    so 2**40 ~ 1 trillion possible values, *much* larger than the number of statements
+    feasibly storable by the database. Hyphen splits are optional for human readability,
+    and the default is one split after 5 characters, so an example output using the default
+    settings is '3sbk2-5j060'.
+
+    :param length: non-hyphen identifier length *including* checksum
+    :param split_every: hyphenates every that many characters
+    :param checksum: computes and appends ISO-7064 checksum
+    :returns: identifier as a string
+    """
+    return base32.generate(length=length, split_every=split_every, checksum=checksum)
+
+
+def decode_id(encoded: str, checksum=True) -> int:
+    """Decodes generated string ID (via `generate_id`) to a number.
+
+    The string is normalized -- lowercased, hyphens removed,
+    {I,i,l,L}=>1 and {O,o}=>0 (user typos corrected) -- before decoding.
+
+    If `checksum` is enabled, raises a ValueError on checksum error.
+
+    :param encoded: string to decode
+    :param checksum: extract checksum and validate
+    :returns: original number.
+    """
+    return base32.decode(encoded=encoded, checksum=checksum)
+
+
+def encode_id(number: int, split_every=4, min_length=10, checksum=True) -> int:
+    """Encodes `number` to URI-friendly Douglas Crockford base32 string.
+
+    :param number: number to encode
+    :param split_every: if provided, insert '-' every `split_every` characters
+                        going from left to right
+    :param min_length: 0-pad beginning of string to obtain minimum desired length
+    :param checksum: append modulo 97-10 (ISO 7064) checksum to string
+    :returns: A random Douglas Crockford base32 encoded string composed only
+              of valid URI characters.
+    """
+    return base32.encode(
+        number, split_every=split_every, min_length=min_length, checksum=checksum
+    )
+
+
+# sping: "semi-opaque string" (https://n2t.net/e/n2t_apidoc.html).
+#
+# Note: The result is always the following list of tuples:
+#       ```
+#       [
+#         ( 2,             512),
+#         ( 4,          524288),
+#         ( 6,       536870912),
+#         ( 8,    549755813888),
+#         (10, 562949953421312)
+#       ]
+#       ````
+SPING_SIZE_THRESHOLDS = [(n, (2 ** (5 * n)) // 2) for n in [2, 4, 6, 8, 10]]
+
+
+def collection_name(naa, shoulder):
+    r"""
+    Returns a string designed to be used as a MongoDB collection name.
+
+    TODO: Document the function parameters, including expanding the "naa" acronym.
+    """
+    return f"ids_{naa}_{shoulder}"
+
+
+def generate_ids(
+    mdb: MongoDatabase,
+    owner: str,
+    populator: str,
+    number: int,
+    ns: str = "",
+    naa: str = "nmdc",
+    shoulder: str = "fk4",
+) -> List[str]:
+    r"""
+    Generate the specified number of identifiers, storing them in a MongoDB collection
+    whose name is derived from the specified Name-Assigning Authority (NAA) and Shoulder.
+
+    :param mdb: Handle to a MongoDB database
+    :param owner: String that will go in the "__ao" field of the identifier record.
+                  Callers will oftentimes set this to the name of a Runtime "site"
+                  (as in, a "site client" site, not a "Dagster" site).
+    :param populator: String that will go in the "who" field of the identifier record.
+                      Indicates "who generated this ID." Callers will oftentimes set
+                      this to the name of a Runtime "site" (as in, a "site client" site,
+                      not a "Dagster" site).
+    :param ns: Namespace (see Minter docs); e.g. "changesheets"
+    :param naa: Name-Assigning Authority (see Minter docs); e.g. "nmdc"
+    :param shoulder: String that will go in the "how" field (see Minter docs); e.g. "sys0"
+
+    This function was written the way it was in an attempt to mirror the ARK spec:
+    https://www.ietf.org/archive/id/draft-kunze-ark-41.html (found via: https://arks.org/specs/)
+
+    Deviations from the ARK spec include:
+    1. The inclusion of a typecode.
+       The inclusion of a typecode came out of discussions with team members,
+       who wanted identifiers to include some non-opaque substring that could be used
+       to determine what type of resource a given identifier refers to.
+    2. Making hyphens mandatory.
+       We decided to make the hyphens mandatory, whereas the spec says they are optional.
+       > "Hyphens are considered to be insignificant and are always ignored in ARKs."
+       > Reference: https://www.ietf.org/archive/id/draft-kunze-ark-41.html#name-character-repertoires
+       In our case, we require that users include an identifier's hyphens whenever
+       they are using that identifier.
+    """
+    collection = mdb.get_collection(collection_name(naa, shoulder))
+    estimated_document_count = collection.estimated_document_count()
+    n_chars = next(
+        (
+            n
+            for n, t in SPING_SIZE_THRESHOLDS
+            if (number + estimated_document_count) < t
+        ),
+        12,
+    )
+    collected = []
+
+    while True:
+        eids = set()
+        n_to_generate = number - len(collected)
+        while len(eids) < n_to_generate:
+            eids.add(generate_id(length=(n_chars + 2), split_every=0, checksum=True))
+        eids = list(eids)
+        deids = [decode_id(eid) for eid in eids]
+        taken = {d["_id"] for d in collection.find({"_id": {"$in": deids}}, {"_id": 1})}
+        not_taken = [
+            (eid, eid_decoded)
+            for eid, eid_decoded in zip(eids, deids)
+            if eid_decoded not in taken
+        ]
+        if not_taken:
+            # All attribute names beginning with "__a" are reserved...
+            # https://github.com/jkunze/n2t-eggnog/blob/0f0f4c490e6dece507dba710d3557e29b8f6627e/egg#L1882
+            # The author of this function opted to refrain from using property names beginning with "_.e",
+            # because he thought it would complicate MongoDB queries involving those properties, given that
+            # the "." is used as a field delimiter in MongoDB syntax (e.g. "foo.bar.baz").
+            docs = [
+                {
+                    "@context": "https://n2t.net/e/n2t_apidoc.html#identifier-metadata",
+                    "_id": eid_decoded,
+                    "who": populator,
+                    "what": (f"{ns}/{eid}" if ns else "(:tba) Work in progress"),
+                    "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
+                    "how": shoulder,
+                    "where": f"{naa}:{shoulder}{eid}",
+                    "__as": "reserved",  # status, public|reserved|unavailable
+                    "__ao": owner,  # owner
+                    "__ac": datetime.now(timezone.utc).isoformat(
+                        timespec="seconds"
+                    ),  # created
+                }
+                for eid, eid_decoded in not_taken
+            ]
+            collection.insert_many(docs)
+            collected.extend(docs)
+        if len(collected) == number:
+            break
+    return [d["where"] for d in collected]
+
+
+def generate_one_id(
+    mdb: MongoDatabase,
+    ns: str = "",
+    shoulder: str = "sys0",  # "sys0" represents the Runtime
+) -> str:
+    """Generate unique Crockford Base32-encoded ID for mdb repository.
+
+    Can associate ID with namespace ns to facilitate ID deletion/recycling.
+
+    """
+    return generate_ids(
+        mdb,
+        owner="_system",  # "_system" represents the Runtime
+        populator="_system",  # "_system" represents the Runtime
+        number=1,
+        ns=ns,
+        naa="nmdc",
+        shoulder=shoulder,
+    )[0]
+
+
+def local_part(id_):
+    """nmdc:fk0123 -> fk0123"""
+    return id_.split(":", maxsplit=1)[1]