fix: Refactor in order to include source of token issuing

DSD-DBS · Oct 11, 2023 · 8898475 · 8898475
1 parent a30f295
commit 8898475
Show file tree

Hide file tree

Showing 36 changed files with 565 additions and 376 deletions.
diff --git a/backend/capellacollab/alembic/versions/c9f30ccd4650_add_basic_auth_token.py b/backend/capellacollab/alembic/versions/c9f30ccd4650_add_basic_auth_token.py
@@ -4,7 +4,7 @@
 """Add basic auth token
 
 Revision ID: c9f30ccd4650
-Revises: d8cf851562cd
+Revises: 1a4208c18909
 Create Date: 2023-09-06 14:42:53.016924
 
 """
@@ -13,24 +13,21 @@
 
 # revision identifiers, used by Alembic.
 revision = "c9f30ccd4650"
-down_revision = "d8cf851562cd"
+down_revision = "1a4208c18909"
 branch_labels = None
 depends_on = None
 
 
 def upgrade():
-    # ### commands auto generated by Alembic - please adjust! ###
     op.create_table(
         "basic_auth_token",
         sa.Column("id", sa.Integer(), autoincrement=True, nullable=False),
         sa.Column("user_id", sa.Integer(), nullable=False),
         sa.Column("hash", sa.String(), nullable=False),
         sa.Column("expiration_date", sa.Date(), nullable=False),
         sa.Column("description", sa.String(), nullable=False),
-        sa.ForeignKeyConstraint(
-            ["user_id"],
-            ["users.id"],
-        ),
+        sa.Column("source", sa.String(), nullable=False),
+        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
         sa.PrimaryKeyConstraint("id"),
     )
     op.create_index(
@@ -39,4 +36,3 @@ def upgrade():
         ["id"],
         unique=False,
     )
-    # ### end Alembic commands ###
diff --git a/backend/capellacollab/core/authentication/basic_auth.py b/backend/capellacollab/core/authentication/basic_auth.py
@@ -17,54 +17,53 @@
 class HTTPBasicAuth(security.HTTPBasic):
     async def __call__(  # type: ignore
         self, request: fastapi.Request
-    ) -> tuple[str | None, fastapi.HTTPException | None]:
+    ) -> str | None:
         credentials: security.HTTPBasicCredentials | None = (
             await super().__call__(request)
         )
         if not credentials:
-            error = fastapi.HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Not authenticated",
-                headers={"WWW-Authenticate": "Bearer, Basic"},
-            )
             if self.auto_error:
-                raise error
-            return None, error
+                raise fastapi.HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer, Basic"},
+                )
+            return None
         with database.SessionLocal() as session:
             user = user_crud.get_user_by_name(session, credentials.username)
-            token_data = None
-            if user:
-                token_data = token_crud.get_token(
+            db_token = (
+                token_crud.get_token_by_token_and_user(
                     session, credentials.password, user.id
                 )
-            if not token_data or not user or token_data.user_id != user.id:
-                logger.error("Token invalid for user %s", credentials.username)
-                error = fastapi.HTTPException(
-                    status_code=status.HTTP_401_UNAUTHORIZED,
-                    detail={
-                        "err_code": "TOKEN_INVALID",
-                        "reason": "The used token is not valid.",
-                    },
-                    headers={"WWW-Authenticate": "Bearer, Basic"},
-                )
+                if user
+                else None
+            )
+            if not db_token:
+                logger.info("Token invalid for user %s", credentials.username)
                 if self.auto_error:
-                    raise error
-                return None, error
+                    raise fastapi.HTTPException(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail={
+                            "err_code": "BASIC_TOKEN_INVALID",
+                            "reason": "The used token is not valid.",
+                        },
+                        headers={"WWW-Authenticate": "Bearer, Basic"},
+                    )
+                return None
 
-            if token_data.expiration_date < datetime.date.today():
-                logger.error("Token expired for user %s", credentials.username)
-                error = fastapi.HTTPException(
-                    status_code=status.HTTP_401_UNAUTHORIZED,
-                    detail={
-                        "err_code": "token_exp",
-                        "reason": "The Signature of the token is expired. Please request a new access token.",
-                    },
-                    headers={"WWW-Authenticate": "Bearer, Basic"},
-                )
+            if db_token.expiration_date < datetime.date.today():
+                logger.info("Token expired for user %s", credentials.username)
                 if self.auto_error:
-                    raise error
-                return None, error
-        return self.get_username(credentials), None
+                    raise fastapi.HTTPException(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail={
+                            "err_code": "token_exp",
+                            "reason": "The Signature of the token is expired. Please request a new access token.",
+                        },
+                        headers={"WWW-Authenticate": "Bearer, Basic"},
+                    )
+                return None
+        return self.get_username(credentials)
 
     def get_username(self, credentials: security.HTTPBasicCredentials) -> str:
-        return credentials.model_dump()["username"]
+        return credentials.username
diff --git a/backend/capellacollab/core/authentication/injectables.py b/backend/capellacollab/core/authentication/injectables.py
@@ -10,6 +10,8 @@
 from fastapi import status
 from fastapi.openapi import models as openapi_models
 from fastapi.security import base as security_base
+from fastapi.security import utils as security_utils
+from sqlalchemy import orm
 
 from capellacollab.core import database
 from capellacollab.core.authentication import basic_auth, jwt_bearer
@@ -70,28 +72,24 @@ async def get_username(
     request: fastapi.Request,
     _unused1=fastapi.Depends(OpenAPIPersonalAccessToken()),
     _unused2=fastapi.Depends(OpenAPIBearerToken()),
-):
-    basic = await basic_auth.HTTPBasicAuth(auto_error=False)(request)
-    jwt = await jwt_bearer.JWTBearer(auto_error=False)(request)
-
-    jwt_username, jwt_error = jwt
-    if jwt_username:
-        return jwt_username
-
-    basic_username, basic_error = basic
-    if basic_username:
-        return basic_username
-
-    if jwt_error:
-        raise jwt_error
-    if basic_error:
-        raise basic_error
-
-    raise fastapi.HTTPException(
-        status_code=status.HTTP_401_UNAUTHORIZED,
-        detail="Token is none and username cannot be derived",
-        headers={"WWW-Authenticate": "Bearer, Basic"},
-    )
+) -> str:
+    authorization = request.headers.get("Authorization")
+    scheme, _ = security_utils.get_authorization_scheme_param(authorization)
+    username = None
+    match scheme.lower():
+        case "basic":
+            username = await basic_auth.HTTPBasicAuth()(request)
+        case "bearer":
+            username = await jwt_bearer.JWTBearer()(request)
+        case _:
+            raise fastapi.HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Token is none and username cannot be derived",
+                headers={"WWW-Authenticate": "Bearer, Basic"},
+            )
+
+    assert username
+    return username
 
 
 class RoleVerification:
@@ -101,8 +99,8 @@ def __init__(self, required_role: users_models.Role, verify: bool = True):
 
     def __call__(
         self,
-        username=fastapi.Depends(get_username),
-        db=fastapi.Depends(database.get_db),
+        username: str = fastapi.Depends(get_username),
+        db: orm.Session = fastapi.Depends(database.get_db),
     ) -> bool:
         if not (user := users_crud.get_user_by_name(db, username)):
             if self.verify:
@@ -148,8 +146,8 @@ def __init__(
     def __call__(
         self,
         project_slug: str,
-        username=fastapi.Depends(get_username),
-        db=fastapi.Depends(database.get_db),
+        username: str = fastapi.Depends(get_username),
+        db: orm.Session = fastapi.Depends(database.get_db),
     ) -> bool:
         if not (user := users_crud.get_user_by_name(db, username)):
             if self.verify:

diff --git a/backend/capellacollab/core/authentication/jwt_bearer.py b/backend/capellacollab/core/authentication/jwt_bearer.py
@@ -27,31 +27,29 @@ def __init__(self, auto_error: bool = True):
 
     async def __call__(  # type: ignore
         self, request: fastapi.Request
-    ) -> tuple[str | None, fastapi.HTTPException | None]:
+    ) -> str | None:
         credentials: security.HTTPAuthorizationCredentials | None = (
             await super().__call__(request)
         )
 
         if not credentials or credentials.scheme != "Bearer":
-            error = fastapi.HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Not authenticated",
-                headers={"WWW-Authenticate": "Bearer, Basic"},
-            )
             if self.auto_error:
-                raise error
-            return None, error
+                raise fastapi.HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer, Basic"},
+                )
+            return None
         if token_decoded := self.validate_token(credentials.credentials):
             self.initialize_user(token_decoded)
-            return self.get_username(token_decoded), None
-        error = fastapi.HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Not authenticated",
-            headers={"WWW-Authenticate": "Bearer, Basic"},
-        )
+            return self.get_username(token_decoded)
         if self.auto_error:
-            raise error
-        return None, error
+            raise fastapi.HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Not authenticated",
+                headers={"WWW-Authenticate": "Bearer, Basic"},
+            )
+        return None
 
     def get_username(self, token_decoded: dict[str, str]) -> str:
         return token_decoded[
@@ -74,7 +72,7 @@ def validate_token(self, token: str) -> dict[str, t.Any] | None:
                 raise fastapi.HTTPException(
                     status_code=status.HTTP_401_UNAUTHORIZED,
                     detail={
-                        "err_code": "TOKEN_INVALID",
+                        "err_code": "JWT_TOKEN_INVALID",
                         "reason": "The used token is not valid.",
                     },
                 ) from None

diff --git a/backend/capellacollab/projects/routes.py b/backend/capellacollab/projects/routes.py
@@ -43,7 +43,7 @@ def get_projects(
         users_injectables.get_own_user
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
     log: logging.LoggerAdapter = fastapi.Depends(
         core_logging.get_request_logger
     ),

diff --git a/backend/capellacollab/projects/toolmodels/backups/routes.py b/backend/capellacollab/projects/toolmodels/backups/routes.py
@@ -72,7 +72,7 @@ def create_backup(
         toolmodels_injectables.get_existing_capella_model
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ):
     git_model = git_injectables.get_existing_git_model(
         body.git_model_id, capella_model, db
@@ -141,7 +141,7 @@ def delete_pipeline(
         injectables.get_existing_pipeline
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
     force: bool = False,
 ):
     try:

diff --git a/backend/capellacollab/projects/users/routes.py b/backend/capellacollab/projects/users/routes.py
@@ -79,7 +79,7 @@ def get_current_user(
         projects_injectables.get_existing_project
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ) -> models.ProjectUserAssociation | models.ProjectUser:
     if auth_injectables.RoleVerification(
         required_role=users_models.Role.ADMIN, verify=False

diff --git a/backend/capellacollab/sessions/hooks/interface.py b/backend/capellacollab/sessions/hooks/interface.py
@@ -37,7 +37,6 @@ def configuration_hook(
         user: users_models.DatabaseUser,
         tool_version: tools_models.DatabaseVersion,
         tool: tools_models.DatabaseTool,
-        username: str,
         **kwargs,
     ) -> tuple[
         dict[str, str],

diff --git a/backend/capellacollab/sessions/hooks/jupyter.py b/backend/capellacollab/sessions/hooks/jupyter.py
@@ -46,7 +46,6 @@ def configuration_hook(  # type: ignore[override]
         db: orm.Session,
         user: users_models.DatabaseUser,
         tool: tools_models.DatabaseTool,
-        username: str,
         **kwargs,
     ) -> tuple[
         JupyterConfigEnvironment,
@@ -63,7 +62,7 @@ def configuration_hook(  # type: ignore[override]
             "CSP_ORIGIN_HOST": f"{self._general_conf.get('scheme')}://{self._general_conf.get('host')}:{self._general_conf.get('port')}",
         }
 
-        volumes = self._get_project_share_volume_mounts(db, username, tool)
+        volumes = self._get_project_share_volume_mounts(db, user.name, tool)
 
         return environment, volumes, []  # type: ignore[return-value]
 

diff --git a/backend/capellacollab/sessions/injectables.py b/backend/capellacollab/sessions/injectables.py
@@ -15,7 +15,7 @@
 def get_existing_session(
     session_id: str,
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ) -> models.DatabaseSession:
     if not (session := crud.get_session_by_id(db, session_id)):
         raise fastapi.HTTPException(

diff --git a/backend/capellacollab/sessions/routes.py b/backend/capellacollab/sessions/routes.py
@@ -86,7 +86,7 @@ def get_current_sessions(
         users_injectables.get_own_user
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ):
     if auth_injectables.RoleVerification(
         required_role=users_models.Role.ADMIN, verify=False
@@ -283,7 +283,7 @@ def request_persistent_session(
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
     operator: k8s.KubernetesOperator = fastapi.Depends(operators.get_operator),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ):
     log.info("Starting persistent session for user %s", user.name)
 
@@ -604,7 +604,7 @@ def get_sessions_for_user(
         users_injectables.get_own_user
     ),
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ):
     if user != current_user and not auth_injectables.RoleVerification(
         required_role=users_models.Role.ADMIN, verify=False

diff --git a/backend/capellacollab/users/injectables.py b/backend/capellacollab/users/injectables.py
@@ -14,7 +14,7 @@
 
 def get_own_user(
     db: orm.Session = fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ) -> models.DatabaseUser:
     if user := crud.get_user_by_name(db, username):
         return user
@@ -25,7 +25,7 @@ def get_own_user(
 def get_existing_user(
     user_id: int | t.Literal["current"],
     db=fastapi.Depends(database.get_db),
-    username=fastapi.Depends(auth_injectables.get_username),
+    username: str = fastapi.Depends(auth_injectables.get_username),
 ) -> models.DatabaseUser:
     if user_id == "current":
         return get_own_user(db, username)

diff --git a/backend/capellacollab/users/models.py b/backend/capellacollab/users/models.py
@@ -16,6 +16,7 @@
     from capellacollab.projects.users.models import ProjectUserAssociation
     from capellacollab.sessions.models import DatabaseSession
     from capellacollab.users.events.models import DatabaseUserHistoryEvent
+    from capellacollab.users.tokens.models import DatabaseUserToken
 
 
 class Role(enum.Enum):
@@ -64,3 +65,7 @@ class DatabaseUser(database.Base):
     events: orm.Mapped[list[DatabaseUserHistoryEvent]] = orm.relationship(
         back_populates="user", foreign_keys="DatabaseUserHistoryEvent.user_id"
     )
+
+    tokens: orm.Mapped[list[DatabaseUserToken]] = orm.relationship(
+        back_populates="user", cascade="all, delete-orphan"
+    )