not a service by a web

pcrespov · pcrespov · commit ed0f7ac079e4 · 2025-06-11T17:47:21.000+02:00
diff --git a/packages/pytest-simcore/src/pytest_simcore/helpers/webserver_login.py b/packages/pytest-simcore/src/pytest_simcore/helpers/webserver_login.py
@@ -17,7 +17,7 @@
     get_plugin_storage,
 )
 from simcore_service_webserver.products.products_service import list_products
-from simcore_service_webserver.security.security_service import clean_auth_policy_cache
+from simcore_service_webserver.security import security_web
 from yarl import URL
 
 from .assert_checks import assert_status
@@ -187,7 +187,7 @@ async def __aexit__(self, *args):
         assert self.client.app
         # NOTE: cache key is based on an email. If the email is
         # reused during the test, then it creates quite some noise
-        await clean_auth_policy_cache(self.client.app)
+        await security_web.clean_auth_policy_cache(self.client.app)
         return await super().__aexit__(*args)
 
 
diff --git a/services/web/server/src/simcore_service_webserver/garbage_collector/_tasks_users.py b/services/web/server/src/simcore_service_webserver/garbage_collector/_tasks_users.py
@@ -15,7 +15,7 @@
 from tenacity.wait import wait_exponential
 
 from ..login import login_service
-from ..security import security_service
+from ..security import security_web
 from ..users.api import update_expired_users
 
 _logger = logging.getLogger(__name__)
@@ -62,7 +62,7 @@ async def _update_expired_users(app: web.Application):
     if updated := await update_expired_users(app):
         # expired users might be cached in the auth. If so, any request
         # with this user-id will get thru producing unexpected side-effects
-        await security_service.clean_auth_policy_cache(app)
+        await security_web.clean_auth_policy_cache(app)
 
         # broadcast force logout of user_id
         for user_id in updated:
diff --git a/services/web/server/src/simcore_service_webserver/login/_auth_service.py b/services/web/server/src/simcore_service_webserver/login/_auth_service.py
@@ -10,7 +10,7 @@
 
 from ..groups import api as groups_service
 from ..products.models import Product
-from ..security import security_service
+from ..security import security_web
 from . import _login_service
 from ._constants import MSG_UNKNOWN_EMAIL, MSG_WRONG_PASSWORD
 from ._login_repository_legacy import AsyncpgStorage, get_plugin_storage
@@ -35,7 +35,7 @@ async def create_user(
         user = await UsersRepo.new_user(
             conn,
             email=email,
-            password_hash=security_service.encrypt_password(password),
+            password_hash=security_web.encrypt_password(password),
             status=status_upon_creation,
             expires_at=expires_at,
         )
@@ -58,7 +58,7 @@ async def check_authorized_user_credentials_or_raise(
 
     _login_service.validate_user_status(user=user, support_email=product.support_email)
 
-    if not security_service.check_password(password, user["password_hash"]):
+    if not security_web.check_password(password, user["password_hash"]):
         raise web.HTTPUnauthorized(
             reason=MSG_WRONG_PASSWORD, content_type=MIMETYPE_APPLICATION_JSON
         )
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/auth.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/auth.py
@@ -15,7 +15,7 @@
 from ...._meta import API_VTAG
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_service
+from ....security import security_web
 from ....session.access_policies import (
     on_success_grant_session_access_to,
     session_access_required,
@@ -284,7 +284,7 @@ async def logout(request: web.Request) -> web.Response:
         await _login_service.notify_user_logout(
             request.app, user_id, logout_.client_session_id
         )
-        await security_service.forget_identity(request, response)
+        await security_web.forget_identity(request, response)
 
         return response
 
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/change.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/change.py
@@ -15,7 +15,7 @@
 from ...._meta import API_VTAG
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_service
+from ....security import security_web
 from ....users import api as users_service
 from ....utils import HOUR
 from ....utils_rate_limiting import global_rate_limit_route
@@ -293,7 +293,7 @@ async def change_password(request: web.Request):
     user = await db.get_user({"id": request[RQT_USERID_KEY]})
     assert user  # nosec
 
-    if not security_service.check_password(
+    if not security_web.check_password(
         passwords.current.get_secret_value(), user["password_hash"]
     ):
         raise web.HTTPUnprocessableEntity(
@@ -303,7 +303,7 @@ async def change_password(request: web.Request):
     await db.update_user(
         dict(user),
         {
-            "password_hash": security_service.encrypt_password(
+            "password_hash": security_web.encrypt_password(
                 passwords.new.get_secret_value()
             )
         },
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/confirmation.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/confirmation.py
@@ -28,7 +28,7 @@
 
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_service
+from ....security import security_web
 from ....session.access_policies import session_access_required
 from ....utils import HOUR, MINUTE
 from ....utils_aiohttp import create_redirect_to_page_response
@@ -302,7 +302,7 @@ async def complete_reset_password(request: web.Request):
         await db.update_user(
             user={"id": user["id"]},
             updates={
-                "password_hash": security_service.encrypt_password(
+                "password_hash": security_web.encrypt_password(
                     request_body.password.get_secret_value()
                 )
             },
diff --git a/services/web/server/src/simcore_service_webserver/login/_controller/rest/preregistration.py b/services/web/server/src/simcore_service_webserver/login/_controller/rest/preregistration.py
@@ -20,7 +20,7 @@
 from ....constants import RQ_PRODUCT_KEY
 from ....products import products_web
 from ....products.models import Product
-from ....security import security_service
+from ....security import security_web
 from ....security.decorators import permission_required
 from ....session.api import get_session
 from ....users.api import get_user_credentials, set_user_as_deleted
@@ -109,7 +109,7 @@ async def unregister_account(request: web.Request):
 
     # checks before deleting
     credentials = await get_user_credentials(request.app, user_id=req_ctx.user_id)
-    if body.email != credentials.email.lower() or not security_service.check_password(
+    if body.email != credentials.email.lower() or not security_web.check_password(
         body.password.get_secret_value(), credentials.password_hash
     ):
         raise web.HTTPConflict(
@@ -131,7 +131,7 @@ async def unregister_account(request: web.Request):
             request.app, user_id=req_ctx.user_id, client_session_id=None
         )
         response = flash_response(MSG_LOGGED_OUT, "INFO")
-        await security_service.forget_identity(request, response)
+        await security_web.forget_identity(request, response)
 
         # send email in the background
         fire_and_forget_task(
diff --git a/services/web/server/src/simcore_service_webserver/login/_security_service.py b/services/web/server/src/simcore_service_webserver/login/_security_service.py
@@ -6,7 +6,7 @@
 from aiohttp import web
 from servicelib.logging_utils import get_log_record_extra, log_context
 
-from ..security import security_service
+from ..security import security_web
 from ._constants import MSG_LOGGED_IN
 from ._login_service import flash_response
 
@@ -36,7 +36,7 @@ async def login_granted_response(
         extra=get_log_record_extra(user_id=user_id),
     ):
         response = flash_response(MSG_LOGGED_IN, "INFO")
-        return await security_service.remember_identity(
+        return await security_web.remember_identity(
             request=request,
             response=response,
             user_email=email,
diff --git a/services/web/server/src/simcore_service_webserver/login/decorators.py b/services/web/server/src/simcore_service_webserver/login/decorators.py
@@ -8,7 +8,7 @@
 from servicelib.request_keys import RQT_USERID_KEY
 
 from ..products import products_web
-from ..security import security_service
+from ..security import security_web
 
 
 def login_required(handler: HandlerAnyReturn) -> HandlerAnyReturn:
@@ -51,13 +51,13 @@ async def _wrapper(request: web.Request):
         """
         # WARNING: note that check_authorized is patched in some tests.
         # Careful when changing the function signature
-        user_id = await security_service.check_user_authorized(request)
+        user_id = await security_web.check_user_authorized(request)
         product_name = products_web.get_product_name(request)
 
-        await security_service.check_user_permission(
+        await security_web.check_user_permission(
             request,
-            security_service.PERMISSION_PRODUCT_LOGIN_KEY,
-            context=security_service.AuthContextDict(
+            security_web.PERMISSION_PRODUCT_LOGIN_KEY,
+            context=security_web.AuthContextDict(
                 product_name=product_name,
                 authorized_uid=user_id,
             ),
diff --git a/services/web/server/src/simcore_service_webserver/projects/_controller/projects_rest.py b/services/web/server/src/simcore_service_webserver/projects/_controller/projects_rest.py
@@ -32,7 +32,7 @@
 from ...login.decorators import login_required
 from ...redis import get_redis_lock_manager_client_sdk
 from ...resource_manager.user_sessions import PROJECT_ID_KEY, managed_resource
-from ...security import security_service
+from ...security import security_web
 from ...security.decorators import permission_required
 from ...users.api import get_user_fullname
 from ...utils_aiohttp import envelope_json_response, get_api_base_url
@@ -76,7 +76,7 @@ async def create_project(request: web.Request):
     )
     header_params = parse_request_headers_as(ProjectCreateHeaders, request)
     if query_params.as_template:  # create template from
-        await security_service.check_user_permission(request, "project.template.create")
+        await security_web.check_user_permission(request, "project.template.create")
 
     # NOTE: Having so many different types of bodys is an indication that
     # this entrypoint are in reality multiple entrypoints in one, namely
diff --git a/services/web/server/src/simcore_service_webserver/projects/_security_service.py b/services/web/server/src/simcore_service_webserver/projects/_security_service.py
@@ -2,7 +2,7 @@
 from aiohttp import web
 from simcore_postgres_database.models.users import UserRole
 
-from ..security import security_service
+from ..security import security_web
 from ._projects_repository_legacy import ProjectDBAPI
 from .api import check_user_project_permission
 
@@ -52,7 +52,7 @@ def setup_projects_access(app: web.Application):
     """
     security - access : Inject permissions to rest API resources
     """
-    hrba = security_service.get_access_model(app)
+    hrba = security_web.get_access_model(app)
 
     hrba.roles[UserRole.GUEST].check[
         "project.workbench.node.inputs.update"
diff --git a/services/web/server/src/simcore_service_webserver/security/decorators.py b/services/web/server/src/simcore_service_webserver/security/decorators.py
@@ -3,7 +3,7 @@
 from aiohttp import web
 from servicelib.aiohttp.typing_extension import Handler
 
-from .security_service import check_user_permission
+from .security_web import check_user_permission
 
 
 def permission_required(permissions: str):
diff --git a/services/web/server/src/simcore_service_webserver/security/security_web.py b/services/web/server/src/simcore_service_webserver/security/security_web.py
@@ -6,7 +6,10 @@
 
 from ._authz_access_model import AuthContextDict
 from ._authz_service import (
+    check_password,
+    check_user_authorized,
     check_user_permission,
+    clean_auth_policy_cache,
     encrypt_password,
     get_access_model,
     is_anonymous,
@@ -17,7 +20,10 @@
 __all__: tuple[str, ...] = (
     "PERMISSION_PRODUCT_LOGIN_KEY",
     "AuthContextDict",
+    "check_password",
+    "check_user_authorized",
     "check_user_permission",
+    "clean_auth_policy_cache",
     "encrypt_password",
     "forget_identity",
     "get_access_model",
diff --git a/services/web/server/src/simcore_service_webserver/studies_dispatcher/_studies_access.py b/services/web/server/src/simcore_service_webserver/studies_dispatcher/_studies_access.py
@@ -39,7 +39,7 @@
     ProjectNotFoundError,
 )
 from ..projects.models import ProjectDict
-from ..security import security_service
+from ..security import security_web
 from ..storage.api import copy_data_folders_from_project
 from ..utils import compose_support_error_msg
 from ..utils_aiohttp import create_redirect_to_page_response, get_api_base_url
@@ -300,7 +300,7 @@ async def get_redirection_to_study_page(request: web.Request) -> web.Response:
 
     # Checks USER
     user = None
-    is_anonymous_user = await security_service.is_anonymous(request)
+    is_anonymous_user = await security_web.is_anonymous(request)
     if not is_anonymous_user:
         # NOTE: covers valid cookie with unauthorized user (e.g. expired guest/banned)
         user = await get_authorized_user(request)
@@ -405,7 +405,7 @@ async def get_redirection_to_study_page(request: web.Request) -> web.Response:
     if is_anonymous_user:
         _logger.debug("Auto login for anonymous user %s", user["name"])
 
-        await security_service.remember_identity(
+        await security_web.remember_identity(
             request,
             response,
             user_email=user["email"],
diff --git a/services/web/server/src/simcore_service_webserver/studies_dispatcher/_users.py b/services/web/server/src/simcore_service_webserver/studies_dispatcher/_users.py
@@ -31,7 +31,7 @@
 from ..login.login_repository_legacy import AsyncpgStorage, get_plugin_storage
 from ..products import products_web
 from ..redis import get_redis_lock_manager_client
-from ..security import security_service
+from ..security import security_web
 from ..users.api import get_user
 from ..users.exceptions import UserNotFoundError
 from ._constants import MSG_GUESTS_NOT_ALLOWED
@@ -55,7 +55,7 @@ async def get_authorized_user(request: web.Request) -> dict:
     and logged in (valid cookie)?
     """
     with suppress(web.HTTPUnauthorized, UserNotFoundError):
-        user_id = await security_service.check_user_authorized(request)
+        user_id = await security_web.check_user_authorized(request)
         user: dict = await get_user(request.app, user_id)
         return user
     return {}
@@ -120,7 +120,7 @@ async def create_temporary_guest_user(request: web.Request):
                 {
                     "name": random_user_name,
                     "email": email,
-                    "password_hash": security_service.encrypt_password(password),
+                    "password_hash": security_web.encrypt_password(password),
                     "status": ACTIVE,
                     "role": GUEST,
                     "expires_at": expires_at,
@@ -187,7 +187,7 @@ async def get_or_create_guest_user(
     user = None
 
     # anonymous = no identity in request
-    is_anonymous_user = await security_service.is_anonymous(request)
+    is_anonymous_user = await security_web.is_anonymous(request)
     if not is_anonymous_user:
         # NOTE: covers valid cookie with unauthorized user (e.g. expired guest/banned)
         user = await get_authorized_user(request)
@@ -218,7 +218,7 @@ async def ensure_authentication(
 ):
     if user.needs_login:
         _logger.debug("Auto login for anonymous user %s", user.name)
-        await security_service.remember_identity(
+        await security_web.remember_identity(
             request,
             response,
             user_email=user.email,
diff --git a/services/web/server/src/simcore_service_webserver/users/_users_service.py b/services/web/server/src/simcore_service_webserver/users/_users_service.py
@@ -18,7 +18,7 @@
 )
 
 from ..db.plugin import get_asyncpg_engine
-from ..security import security_service
+from ..security import security_web
 from . import _preferences_service, _users_repository
 from ._common.models import (
     FullNameDict,
@@ -278,7 +278,7 @@ async def delete_user_without_projects(app: web.Application, user_id: UserID) ->
 
     # This user might be cached in the auth. If so, any request
     # with this user-id will get thru producing unexpected side-effects
-    await security_service.clean_auth_policy_cache(app)
+    await security_web.clean_auth_policy_cache(app)
 
 
 async def set_user_as_deleted(app: web.Application, *, user_id: UserID) -> None:
diff --git a/services/web/server/tests/unit/isolated/test_security_api.py b/services/web/server/tests/unit/isolated/test_security_api.py
@@ -32,7 +32,7 @@
 from simcore_service_webserver.products.models import Product
 from simcore_service_webserver.security.decorators import permission_required
 from simcore_service_webserver.security.plugin import setup_security
-from simcore_service_webserver.security.security_service import (
+from simcore_service_webserver.security.security_web import (
     check_user_authorized,
     clean_auth_policy_cache,
     forget_identity,
diff --git a/services/web/server/tests/unit/isolated/test_security_api_utils.py b/services/web/server/tests/unit/isolated/test_security_api_utils.py
@@ -11,22 +11,22 @@
 from hypothesis import given
 from hypothesis import strategies as st
 from passlib.hash import sha256_crypt
-from simcore_service_webserver.security import security_service
+from simcore_service_webserver.security import security_web
 
 
 def test_encrypt_password_returns_string():
-    assert isinstance(security_service.encrypt_password("password"), str)
+    assert isinstance(security_web.encrypt_password("password"), str)
 
 
 def test_encrypt_password_returns_valid_sha256_hash():
     password = "password"
-    hashed_password = security_service.encrypt_password(password)
-    assert security_service.check_password(password, hashed_password)
+    hashed_password = security_web.encrypt_password(password)
+    assert security_web.check_password(password, hashed_password)
 
 
 def test_encrypt_password_raises_type_error_for_non_string_input():
     with pytest.raises(TypeError):
-        security_service.encrypt_password(123)
+        security_web.encrypt_password(123)
 
 
 @given(
@@ -44,4 +44,4 @@ def test_encrypt_decrypt_deprecated_and_new_method_return_same_values(password:
     hashed_password_old = sha256_crypt.hash(password, rounds=1000, salt=salt)
     assert hashed_password_new == hashed_password_old
 
-    assert security_service.check_password(password, hashed_password_new)
+    assert security_web.check_password(password, hashed_password_new)
diff --git a/services/web/server/tests/unit/with_dbs/01/groups/test_groups_handlers_users.py b/services/web/server/tests/unit/with_dbs/01/groups/test_groups_handlers_users.py
