Adds personal-access-token table (#83)

* Adds personal-access-token table

* Adds graphql-endpoint for PAT creation

* Adds logic to store PATs in database

* Adds logic to query and delete PATs

* Adds hashing to PATs and changes queries so the token does not get displayed

* Updates submodule

* Removes print of token

* Adds last used and intros delete by token id

* Adds created at field for PATs

* Adds typing where missing

* Outsources hash functionality into own file

* Updates submodule

* Changes query for tokens from user based to all of project and adds created by

* Changes delete PATs by removing user id of check

* Renames PersonAccessTokenMutation to keep singular convention

* Adapts to renamed methods

* Adds checks for kern admins at PATs endpoints

Author: SirDegraf

alembic/versions/f803a0c4343c_adds_personal_access_token_table.py

@@ -0,0 +1,60 @@
+"""Adds personal-access-token-table
+
+Revision ID: f803a0c4343c
+Revises: 09311360f8b9
+Create Date: 2022-11-23 13:50:24.978181
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = "f803a0c4343c"
+down_revision = "09311360f8b9"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "personal_access_token",
+        sa.Column("id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column("project_id", postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column("user_id", postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column("name", sa.String(), nullable=True),
+        sa.Column("scope", sa.String(), nullable=True),
+        sa.Column("created_at", sa.DateTime(), nullable=True),
+        sa.Column("expires_at", sa.DateTime(), nullable=True),
+        sa.Column("last_used", sa.DateTime(), nullable=True),
+        sa.Column("token", sa.String(), nullable=True),
+        sa.ForeignKeyConstraint(["project_id"], ["project.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["user_id"], ["user.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(
+        op.f("ix_personal_access_token_project_id"),
+        "personal_access_token",
+        ["project_id"],
+        unique=False,
+    )
+    op.create_index(
+        op.f("ix_personal_access_token_user_id"),
+        "personal_access_token",
+        ["user_id"],
+        unique=False,
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(
+        op.f("ix_personal_access_token_user_id"), table_name="personal_access_token"
+    )
+    op.drop_index(
+        op.f("ix_personal_access_token_project_id"), table_name="personal_access_token"
+    )
+    op.drop_table("personal_access_token")
+    # ### end Alembic commands ###

controller/personal_access_token/__init__.py

@@ -0,0 +1,57 @@
+from typing import List
+from controller.personal_access_token.util import get_token_and_hash
+from submodules.model import enums
+from datetime import date
+from dateutil.relativedelta import relativedelta
+
+from submodules.model.business_objects import personal_access_token
+from submodules.model.models import PersonalAccessToken
+
+
+def get_personal_access_token(
+    project_id: str, user_id: str, name: str
+) -> PersonalAccessToken:
+    return personal_access_token.get_by_user_and_name(project_id, user_id, name)
+
+
+def get_all_personal_access_tokens(project_id: str) -> List[PersonalAccessToken]:
+    return personal_access_token.get_all(project_id)
+
+
+def create_personal_access_token(
+    project_id: str, user_id: str, name: str, scope: str, expires_at: str
+) -> None:
+    if personal_access_token.get_by_user_and_name(project_id, user_id, name):
+        raise Exception(
+            f"Personal Access Key with name {name} already exists for user/project-combination."
+        )
+
+    if expires_at == enums.TokenExpireAtValues.ONE_MONTH.value:
+        expires_at = date.today() + relativedelta(months=+1)
+    elif expires_at == enums.TokenExpireAtValues.THREE_MONTHS.value:
+        expires_at = date.today() + relativedelta(months=+3)
+    elif expires_at == enums.TokenExpireAtValues.NEVER.value:
+        expires_at = None
+    else:
+        raise Exception(
+            f"Option for token expiration date was invalid: Option: {expires_at}."
+        )
+
+    if scope not in [enums.TokenScope.READ.value, enums.TokenScope.READ_WRITE.value]:
+        raise Exception(f"Option for token scope was invalid: Option: {scope}.")
+
+    token, token_hex_dig = get_token_and_hash()
+    personal_access_token.create(
+        project_id=project_id,
+        user_id=user_id,
+        name=name,
+        scope=scope,
+        expires_at=expires_at,
+        token=token_hex_dig,
+        with_commit=True,
+    )
+    return token
+
+
+def delete_personal_access_token(project_id: str, token_id: str) -> None:
+    personal_access_token.delete(project_id, token_id, with_commit=True)

controller/personal_access_token/manager.py

@@ -0,0 +1,10 @@
+import hashlib
+import secrets
+
+
+def get_token_and_hash():
+    token = secrets.token_urlsafe(80)
+    encoded_token = str.encode(token)
+    hash_token = hashlib.sha256(encoded_token)
+    token_hex_dig = hash_token.hexdigest()
+    return token, token_hex_dig

controller/personal_access_token/util.py

@@ -0,0 +1,49 @@
+from controller.auth import manager as auth
+from controller.personal_access_token import manager as token_manager
+import graphene
+
+
+class CreatePersonalAccessToken(graphene.Mutation):
+    class Arguments:
+        project_id = graphene.ID(required=True)
+        name = graphene.String(required=True)
+        scope = graphene.String(required=True)
+        expires_at = graphene.String(required=True)
+
+    token = graphene.String()
+
+    def mutate(self, info, project_id: str, name: str, scope: str, expires_at: str):
+        auth.check_demo_access(info)
+        auth.check_project_access(info, project_id)
+        auth.check_admin_access(info)
+        user_id = auth.get_user_id_by_info(info)
+        token = token_manager.create_personal_access_token(
+            project_id=project_id,
+            user_id=user_id,
+            name=name,
+            scope=scope,
+            expires_at=expires_at,
+        )
+        return CreatePersonalAccessToken(token=token)
+
+
+class DeletePersonalAccessToken(graphene.Mutation):
+    class Arguments:
+        project_id = graphene.ID(required=True)
+        token_id = graphene.ID(required=True)
+
+    ok = graphene.Boolean()
+
+    def mutate(self, info, project_id: str, token_id: str):
+        auth.check_demo_access(info)
+        auth.check_project_access(info, project_id)
+        auth.check_admin_access(info)
+        token_manager.delete_personal_access_token(
+            project_id=project_id, token_id=token_id
+        )
+        return DeletePersonalAccessToken(ok=True)
+
+
+class PersonalAccessTokenMutation(graphene.ObjectType):
+    create_personal_access_token = CreatePersonalAccessToken.Field()
+    delete_personal_access_token = DeletePersonalAccessToken.Field()

graphql_api/mutation/personal_access_token.py

@@ -0,0 +1,35 @@
+import graphene
+
+from controller.auth import manager as auth
+from controller.personal_access_token import manager as token_manager
+from graphql_api.types import PersonalAccessToken
+
+
+class PersonalAccessTokenQuery(graphene.ObjectType):
+
+    personal_access_token = graphene.Field(
+        PersonalAccessToken,
+        project_id=graphene.ID(required=True),
+        name=graphene.String(required=True),
+    )
+
+    all_personal_access_tokens = graphene.Field(
+        graphene.List(PersonalAccessToken), project_id=graphene.ID(required=True)
+    )
+
+    def resolve_personal_access_token(
+        self, info, project_id: str, name: str
+    ) -> PersonalAccessToken:
+        auth.check_demo_access(info)
+        auth.check_project_access(info, project_id)
+        auth.check_admin_access(info)
+        user_id = auth.get_user_id_by_info(info)
+        return token_manager.get_personal_access_token(project_id, user_id, name)
+
+    def resolve_all_personal_access_tokens(
+        self, info, project_id: str
+    ) -> PersonalAccessToken:
+        auth.check_demo_access(info)
+        auth.check_project_access(info, project_id)
+        auth.check_admin_access(info)
+        return token_manager.get_all_personal_access_tokens(project_id)

graphql_api/query/personal_access_token.py

@@ -6,6 +6,7 @@
 from graphql_api.query.data_slice import DataSliceQuery
 from graphql_api.query.labeling_access_link import LabelingAccessLinkQuery
 from graphql_api.query.embedding import EmbeddingQuery
+from graphql_api.query.personal_access_token import PersonalAccessTokenQuery
 from graphql_api.query.transfer import TransferQuery
 from graphql_api.query.information_source import InformationSourceQuery
 from graphql_api.query.knowledge_base import KnowledgeBaseQuery
@@ -46,6 +47,7 @@
 from graphql_api.mutation.tokenization import TokenizationMutation
 from graphql_api.mutation.weak_supervisor import WeakSupervisionMutation
 from graphql_api.mutation.zero_shot import ZeroShotMutation
+from graphql_api.mutation.personal_access_token import PersonalAccessTokenMutation
 
 
 class Query(
@@ -72,6 +74,7 @@ class Query(
     WeakSupervisionQuery,
     ZeroShotQuery,
     RunRecordIDEPayload,
+    PersonalAccessTokenQuery,
     graphene.ObjectType,
 ):
     pass
@@ -100,6 +103,7 @@ class Mutation(
     WeakSupervisionMutation,
     ZeroShotMutation,
     UploadTaskMutation,
+    PersonalAccessTokenMutation,
     graphene.ObjectType,
 ):
     pass

graphql_api/schema.py

@@ -538,6 +538,21 @@ def resolve_docs(self, info):
         )
 
 
+class PersonalAccessToken(graphene.ObjectType):
+    id = graphene.ID()
+    project_id = graphene.ID()
+    name = graphene.String()
+    scope = graphene.String()
+    created_by = graphene.String()
+    created_at = graphene.DateTime()
+    expires_at = graphene.DateTime()
+    last_used = graphene.DateTime()
+
+    def resolve_created_by(self, info):
+        name = kratos.resolve_user_name_by_id(self.user_id)
+        return f"{name.get('first')} {name.get('last')}"
+
+
 class KnowledgeBase(SQLAlchemyObjectType):
     class Meta:
         model = models.KnowledgeBase