separete web from service interfaces

pcrespov · pcrespov · commit e2f609b1e81a · 2025-06-11T15:42:19.000+02:00
diff --git a/packages/pytest-simcore/src/pytest_simcore/helpers/webserver_login.py b/packages/pytest-simcore/src/pytest_simcore/helpers/webserver_login.py
@@ -17,7 +17,7 @@
     get_plugin_storage,
 )
 from simcore_service_webserver.products.products_service import list_products
-from simcore_service_webserver.security import security_web
+from simcore_service_webserver.security import security_service
 from yarl import URL
 
 from .assert_checks import assert_status
@@ -187,7 +187,7 @@ async def __aexit__(self, *args):
         assert self.client.app
         # NOTE: cache key is based on an email. If the email is
         # reused during the test, then it creates quite some noise
-        await security_web.clean_auth_policy_cache(self.client.app)
+        await security_service.clean_auth_policy_cache(self.client.app)
         return await super().__aexit__(*args)
 
 
diff --git a/services/web/server/src/simcore_service_webserver/garbage_collector/_tasks_users.py b/services/web/server/src/simcore_service_webserver/garbage_collector/_tasks_users.py
@@ -15,7 +15,7 @@
 from tenacity.wait import wait_exponential
 
 from ..login import login_service
-from ..security import security_web
+from ..security import security_service
 from ..users.api import update_expired_users
 
 _logger = logging.getLogger(__name__)
@@ -62,7 +62,7 @@ async def _update_expired_users(app: web.Application):
     if updated := await update_expired_users(app):
         # expired users might be cached in the auth. If so, any request
         # with this user-id will get thru producing unexpected side-effects
-        await security_web.clean_auth_policy_cache(app)
+        await security_service.clean_auth_policy_cache(app)
 
         # broadcast force logout of user_id
         for user_id in updated:
diff --git a/services/web/server/src/simcore_service_webserver/login/_auth_service.py b/services/web/server/src/simcore_service_webserver/login/_auth_service.py
@@ -7,10 +7,10 @@
 from simcore_postgres_database.utils_repos import transaction_context
 from simcore_postgres_database.utils_users import UsersRepo
 from simcore_service_webserver.db.plugin import get_asyncpg_engine
+from simcore_service_webserver.security import security_service
 
 from ..groups import api as groups_service
 from ..products.models import Product
-from ..security import security_web
 from . import _login_service
 from ._constants import MSG_UNKNOWN_EMAIL, MSG_WRONG_PASSWORD
 from ._login_repository_legacy import AsyncpgStorage, get_plugin_storage
@@ -35,7 +35,7 @@ async def create_user(
         user = await UsersRepo.new_user(
             conn,
             email=email,
-            password_hash=security_web.encrypt_password(password),
+            password_hash=security_service.encrypt_password(password),
             status=status_upon_creation,
             expires_at=expires_at,
         )
@@ -58,7 +58,7 @@ async def check_authorized_user_credentials_or_raise(
 
     _login_service.validate_user_status(user=user, support_email=product.support_email)
 
-    if not security_web.check_password(password, user["password_hash"]):
+    if not security_service.check_password(password, user["password_hash"]):
         raise web.HTTPUnauthorized(
             reason=MSG_WRONG_PASSWORD, content_type=MIMETYPE_APPLICATION_JSON
         )
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/change.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/change.py
@@ -15,7 +15,7 @@
 from ...._meta import API_VTAG
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_web
+from ....security import security_service
 from ....users import api as users_service
 from ....utils import HOUR
 from ....utils_rate_limiting import global_rate_limit_route
@@ -293,7 +293,7 @@ async def change_password(request: web.Request):
     user = await db.get_user({"id": request[RQT_USERID_KEY]})
     assert user  # nosec
 
-    if not security_web.check_password(
+    if not security_service.check_password(
         passwords.current.get_secret_value(), user["password_hash"]
     ):
         raise web.HTTPUnprocessableEntity(
@@ -303,7 +303,7 @@ async def change_password(request: web.Request):
     await db.update_user(
         dict(user),
         {
-            "password_hash": security_web.encrypt_password(
+            "password_hash": security_service.encrypt_password(
                 passwords.new.get_secret_value()
             )
         },
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/confirmation.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/confirmation.py
@@ -24,11 +24,11 @@
 from servicelib.logging_errors import create_troubleshotting_log_kwargs
 from servicelib.mimetype_constants import MIMETYPE_APPLICATION_JSON
 from simcore_postgres_database.aiopg_errors import UniqueViolation
+from simcore_service_webserver.security import security_service
 from yarl import URL
 
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_web
 from ....session.access_policies import session_access_required
 from ....utils import HOUR, MINUTE
 from ....utils_aiohttp import create_redirect_to_page_response
@@ -302,7 +302,7 @@ async def complete_reset_password(request: web.Request):
         await db.update_user(
             user={"id": user["id"]},
             updates={
-                "password_hash": security_web.encrypt_password(
+                "password_hash": security_service.encrypt_password(
                     request_body.password.get_secret_value()
                 )
             },
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/preregistration.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/preregistration.py
@@ -20,7 +20,7 @@
 from ....constants import RQ_PRODUCT_KEY
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_web
+from ....security import security_service, security_web
 from ....security.decorators import permission_required
 from ....session.api import get_session
 from ....users.api import get_user_credentials, set_user_as_deleted
@@ -109,7 +109,7 @@ async def unregister_account(request: web.Request):
 
     # checks before deleting
     credentials = await get_user_credentials(request.app, user_id=req_ctx.user_id)
-    if body.email != credentials.email.lower() or not security_web.check_password(
+    if body.email != credentials.email.lower() or not security_service.check_password(
         body.password.get_secret_value(), credentials.password_hash
     ):
         raise web.HTTPConflict(
diff --git a/services/web/server/src/simcore_service_webserver/projects/_security_service.py b/services/web/server/src/simcore_service_webserver/projects/_security_service.py
@@ -1,8 +1,8 @@
 import jsondiff  # type: ignore[import-untyped]
 from aiohttp import web
 from simcore_postgres_database.models.users import UserRole
+from simcore_service_webserver.security import security_service
 
-from ..security import security_web
 from ._projects_repository_legacy import ProjectDBAPI
 from .api import check_user_project_permission
 
@@ -52,7 +52,7 @@ def setup_projects_access(app: web.Application):
     """
     security - access : Inject permissions to rest API resources
     """
-    hrba = security_web.get_access_model(app)
+    hrba = security_service.get_access_model(app)
 
     hrba.roles[UserRole.GUEST].check[
         "project.workbench.node.inputs.update"
diff --git a/services/web/server/src/simcore_service_webserver/security/_authz_service.py b/services/web/server/src/simcore_service_webserver/security/_authz_service.py
@@ -4,9 +4,8 @@
 import aiohttp_security.api  # type: ignore[import-untyped]
 import passlib.hash
 from aiohttp import web
-from models_library.users import UserID
 
-from ._authz_access_model import AuthContextDict, OptionalContext, RoleBasedAccessModel
+from ._authz_access_model import RoleBasedAccessModel
 from ._authz_policy import AuthorizationPolicy
 from ._constants import PERMISSION_PRODUCT_LOGIN_KEY
 
@@ -23,51 +22,6 @@ async def clean_auth_policy_cache(app: web.Application) -> None:
     await autz_policy.clear_cache()
 
 
-async def is_anonymous(request: web.Request) -> bool:
-    """
-    User is considered anonymous if there is not verified identity in request.
-    """
-    is_user_id_none: bool = await aiohttp_security.api.is_anonymous(request)
-    return is_user_id_none
-
-
-async def check_user_authorized(request: web.Request) -> UserID:
-    """
-    Raises:
-        web.HTTPUnauthorized: for anonymous user (i.e. user_id is None)
-
-    """
-    # NOTE: Same as aiohttp_security.api.check_authorized
-    user_id: UserID | None = await aiohttp_security.api.authorized_userid(request)
-    if user_id is None:
-        raise web.HTTPUnauthorized
-    return user_id
-
-
-async def check_user_permission(
-    request: web.Request, permission: str, *, context: OptionalContext = None
-) -> None:
-    """Checker that passes only to authoraised users with given permission.
-
-    Raises:
-        web.HTTPUnauthorized: If user is not authorized
-        web.HTTPForbidden: If user is authorized and does not have permission
-    """
-    # NOTE: Same as aiohttp_security.api.check_permission
-    context = context or AuthContextDict()
-    if not context.get("authorized_uid"):
-        context["authorized_uid"] = await check_user_authorized(request)
-
-    allowed = await aiohttp_security.api.permits(request, permission, context)
-    if not allowed:
-        msg = "You do not have sufficient access rights for"
-        if permission == PERMISSION_PRODUCT_LOGIN_KEY:
-            msg += f" {context.get('product_name')}"
-        else:
-            msg += f" {permission}"
-        raise web.HTTPForbidden(reason=msg)
-
-
 #
 # utils (i.e. independent from setup)
 #
diff --git a/services/web/server/src/simcore_service_webserver/security/_authz_web.py b/services/web/server/src/simcore_service_webserver/security/_authz_web.py
@@ -0,0 +1,56 @@
+# mypy: disable-error-code=truthy-function
+
+
+import aiohttp_security.api  # type: ignore[import-untyped]
+from aiohttp import web
+from models_library.users import UserID
+
+from ._authz_access_model import AuthContextDict, OptionalContext
+from ._constants import PERMISSION_PRODUCT_LOGIN_KEY
+
+assert PERMISSION_PRODUCT_LOGIN_KEY  # nosec
+
+
+async def is_anonymous(request: web.Request) -> bool:
+    """
+    User is considered anonymous if there is not verified identity in request.
+    """
+    is_user_id_none: bool = await aiohttp_security.api.is_anonymous(request)
+    return is_user_id_none
+
+
+async def check_user_authorized(request: web.Request) -> UserID:
+    """
+    Raises:
+        web.HTTPUnauthorized: for anonymous user (i.e. user_id is None)
+
+    """
+    # NOTE: Same as aiohttp_security.api.check_authorized
+    user_id: UserID | None = await aiohttp_security.api.authorized_userid(request)
+    if user_id is None:
+        raise web.HTTPUnauthorized
+    return user_id
+
+
+async def check_user_permission(
+    request: web.Request, permission: str, *, context: OptionalContext = None
+) -> None:
+    """Checker that passes only to authoraised users with given permission.
+
+    Raises:
+        web.HTTPUnauthorized: If user is not authorized
+        web.HTTPForbidden: If user is authorized and does not have permission
+    """
+    # NOTE: Same as aiohttp_security.api.check_permission
+    context = context or AuthContextDict()
+    if not context.get("authorized_uid"):
+        context["authorized_uid"] = await check_user_authorized(request)
+
+    allowed = await aiohttp_security.api.permits(request, permission, context)
+    if not allowed:
+        msg = "You do not have sufficient access rights for"
+        if permission == PERMISSION_PRODUCT_LOGIN_KEY:
+            msg += f" {context.get('product_name')}"
+        else:
+            msg += f" {permission}"
+        raise web.HTTPForbidden(reason=msg)
diff --git a/services/web/server/src/simcore_service_webserver/security/security_service.py b/services/web/server/src/simcore_service_webserver/security/security_service.py
@@ -0,0 +1,20 @@
+"""Service-layer interface
+
+NOTE: Must not include functions that depend on aiohttp.web.Request (use *_web.py instead)
+"""
+
+from ._authz_service import (
+    check_password,
+    clean_auth_policy_cache,
+    encrypt_password,
+    get_access_model,
+)
+
+__all__: tuple[str, ...] = (
+    "check_password",
+    "clean_auth_policy_cache",
+    "encrypt_password",
+    "get_access_model",
+)
+
+# nopycln: file
diff --git a/services/web/server/src/simcore_service_webserver/security/security_web.py b/services/web/server/src/simcore_service_webserver/security/security_web.py
@@ -1,17 +1,14 @@
 # mypy: disable-error-code=truthy-function
-"""
+"""aiohttp.web-related interfaces i.e. web.Request is used in the inputs
 
 NOTE: DO NOT USE aiohttp_security.api directly but use this interface instead
+NOTE: functions in this module
 """
 
 from ._authz_access_model import AuthContextDict
-from ._authz_service import (
-    check_password,
+from ._authz_web import (
     check_user_authorized,
     check_user_permission,
-    clean_auth_policy_cache,
-    encrypt_password,
-    get_access_model,
     is_anonymous,
 )
 from ._constants import PERMISSION_PRODUCT_LOGIN_KEY
@@ -20,13 +17,9 @@
 __all__: tuple[str, ...] = (
     "PERMISSION_PRODUCT_LOGIN_KEY",
     "AuthContextDict",
-    "check_password",
     "check_user_authorized",
     "check_user_permission",
-    "clean_auth_policy_cache",
-    "encrypt_password",
     "forget_identity",
-    "get_access_model",
     "is_anonymous",
     "remember_identity",
 )
diff --git a/services/web/server/src/simcore_service_webserver/studies_dispatcher/_users.py b/services/web/server/src/simcore_service_webserver/studies_dispatcher/_users.py
@@ -24,6 +24,7 @@
 from servicelib.logging_utils import log_decorator
 from servicelib.utils import fire_and_forget_task
 from servicelib.utils_secrets import generate_password
+from simcore_service_webserver.security import security_service
 
 from ..garbage_collector.settings import GUEST_USER_RC_LOCK_FORMAT
 from ..groups.api import auto_add_user_to_product_group
@@ -120,7 +121,7 @@ async def create_temporary_guest_user(request: web.Request):
                 {
                     "name": random_user_name,
                     "email": email,
-                    "password_hash": security_web.encrypt_password(password),
+                    "password_hash": security_service.encrypt_password(password),
                     "status": ACTIVE,
                     "role": GUEST,
                     "expires_at": expires_at,
diff --git a/services/web/server/src/simcore_service_webserver/users/_users_service.py b/services/web/server/src/simcore_service_webserver/users/_users_service.py
@@ -18,7 +18,7 @@
 )
 
 from ..db.plugin import get_asyncpg_engine
-from ..security import security_web
+from ..security import security_service
 from . import _preferences_service, _users_repository
 from ._common.models import (
     FullNameDict,
@@ -278,7 +278,7 @@ async def delete_user_without_projects(app: web.Application, user_id: UserID) ->
 
     # This user might be cached in the auth. If so, any request
     # with this user-id will get thru producing unexpected side-effects
-    await security_web.clean_auth_policy_cache(app)
+    await security_service.clean_auth_policy_cache(app)
 
 
 async def set_user_as_deleted(app: web.Application, *, user_id: UserID) -> None:
diff --git a/services/web/server/tests/unit/isolated/test_security_api.py b/services/web/server/tests/unit/isolated/test_security_api.py
@@ -32,9 +32,9 @@
 from simcore_service_webserver.products.models import Product
 from simcore_service_webserver.security.decorators import permission_required
 from simcore_service_webserver.security.plugin import setup_security
+from simcore_service_webserver.security.security_service import clean_auth_policy_cache
 from simcore_service_webserver.security.security_web import (
     check_user_authorized,
-    clean_auth_policy_cache,
     forget_identity,
     remember_identity,
 )
diff --git a/services/web/server/tests/unit/isolated/test_security_api_utils.py b/services/web/server/tests/unit/isolated/test_security_api_utils.py
diff --git a/services/web/server/tests/unit/with_dbs/01/groups/test_groups_handlers_users.py b/services/web/server/tests/unit/with_dbs/01/groups/test_groups_handlers_users.py
