service auth

Author: khamitovdr

app/dl_control_api/dl_control_api/app_factory.py

@@ -175,6 +175,7 @@ def _setup_auth_middleware_native(
             settings=dl_auth_native.MiddlewareSettings(
                 decoder_key=settings.JWT_KEY,
                 decoder_algorithms=[settings.JWT_ALGORITHM],
+                master_token=self._settings.US_MASTER_TOKEN,
             )
         ).set_up(app=app)
         LOGGER.info("Native auth setup complete")

lib/dl_auth_native/dl_auth_native/middlewares/base.py

@@ -39,13 +39,16 @@ class AuthResult:
 class MiddlewareSettings:
     decoder_key: str = attr.ib()
     decoder_algorithms: list[str] = attr.ib()
+    master_token: str | None = attr.ib(default=None)
 
 
 @attr.s()
 class BaseMiddleware:
     _token_decoder: token.DecoderProtocol = attr.ib()
     _user_access_header_key: str = attr.ib(default=dl_constants.DLHeadersCommon.AUTHORIZATION_TOKEN)
     _token_type: str = attr.ib(default="Bearer")
+    _master_token: str | None = attr.ib(default=None)
+    _service_auth_header_key: str = attr.ib(default=dl_constants.DLHeadersCommon.US_MASTER_TOKEN)
 
     @classmethod
     def from_settings(cls, settings: MiddlewareSettings) -> Self:
@@ -56,12 +59,17 @@ def from_settings(cls, settings: MiddlewareSettings) -> Self:
 
         return cls(
             token_decoder=token_decoder,
+            master_token=settings.master_token,
         )
 
     @attr.s(frozen=True)
     class Unauthorized(Exception):
         message: str = attr.ib()
 
+    @attr.s(frozen=True)
+    class Forbidden(Exception):
+        message: str = attr.ib()
+
     def _auth(self, user_access_header: str | None) -> AuthResult:
         if user_access_header is None:
             raise self.Unauthorized("User access token header is missing")
@@ -86,6 +94,16 @@ def _auth(self, user_access_header: str | None) -> AuthResult:
             ),
         )
 
+    def _service_auth(self, service_token_header: str | None) -> None:
+        if self._master_token is None:
+            raise self.Unauthorized("Service auth is not configured")
+
+        if service_token_header is None:
+            raise self.Unauthorized("Service token header is missing")
+
+        if service_token_header != self._master_token:
+            raise self.Forbidden("Invalid service token")
+
 
 __all__ = [
     "AuthData",

lib/dl_auth_native/dl_auth_native/middlewares/flask.py

@@ -36,6 +36,21 @@ def process(self) -> None:
             LOGGER.info("Auth was skipped due to SKIP_AUTH flag in target view")
             return None
 
+        if RequiredResourceCommon.ONLY_SERVICES_ALLOWED in required_resources:
+            LOGGER.info("Using service auth flow due to ONLY_SERVICES_ALLOWED flag in target view")
+            service_token_header = flask.request.headers.get(self._service_auth_header_key)
+
+            try:
+                self._service_auth(service_token_header)
+            except self.Unauthorized as exc:
+                LOGGER.info(f"Unauthorized: {exc.message}")
+                raise werkzeug_exceptions.Unauthorized(description=exc.message) from exc
+            except self.Forbidden as exc:
+                LOGGER.info(f"Forbidden: {exc.message}")
+                raise werkzeug_exceptions.Forbidden(description=exc.message) from exc
+
+            return None
+
         user_access_token_header = flask.request.headers.get(self._user_access_header_key)
 
         try:

lib/dl_auth_native/dl_auth_native_tests/unit/middleware/test_flask.py

@@ -2,10 +2,14 @@
 import unittest.mock as mock
 
 import flask
+from flask.views import MethodView
 import pytest
 
 import dl_api_commons.flask.middlewares as dl_api_commons_flask_middlewares
+from dl_api_commons.flask.middlewares.commit_rci_middleware import ReqCtxInfoMiddleware
+from dl_api_commons.flask.required_resources import RequiredResourceCommon
 import dl_auth_native
+from dl_constants.api_constants import DLHeadersCommon
 
 
 @pytest.fixture(name="flask_app")
@@ -81,3 +85,119 @@ def test_invalid_token(
 
     assert response.status_code == 401
     assert "Invalid user access token: invalid token" in response.text
+
+
+MASTER_TOKEN = "test-master-token-secret"
+
+
+@pytest.fixture(name="flask_app_with_service_auth")
+def fixture_flask_app_with_service_auth(
+    token_decoder: dl_auth_native.DecoderProtocol,
+) -> flask.Flask:
+    app = flask.Flask(__name__)
+
+    dl_api_commons_flask_middlewares.ContextVarMiddleware().wrap_flask_app(app)
+    dl_api_commons_flask_middlewares.RequestLoggingContextControllerMiddleWare().set_up(app)
+    dl_api_commons_flask_middlewares.RequestIDService(
+        append_local_req_id=False,
+        request_id_app_prefix=None,
+    ).set_up(app)
+    dl_auth_native.FlaskMiddleware(
+        token_decoder=token_decoder,
+        master_token=MASTER_TOKEN,
+    ).set_up(app)
+    ReqCtxInfoMiddleware().set_up(app)
+
+    class ServiceView(MethodView):
+        REQUIRED_RESOURCES = frozenset({RequiredResourceCommon.ONLY_SERVICES_ALLOWED})
+
+        def get(self) -> flask.Response:
+            return flask.jsonify({"ok": True})
+
+    app.add_url_rule("/service", view_func=ServiceView.as_view("service"))
+
+    @app.route("/user")
+    def user_handler() -> flask.Response:
+        return flask.jsonify({"ok": True})
+
+    return app
+
+
+def test_service_auth_correct_token(
+    flask_app_with_service_auth: flask.Flask,
+) -> None:
+    with flask_app_with_service_auth.test_client() as client:
+        response = client.get(
+            "/service",
+            headers={DLHeadersCommon.US_MASTER_TOKEN.value: MASTER_TOKEN},
+        )
+    assert response.status_code == 200
+
+
+def test_service_auth_wrong_token(
+    flask_app_with_service_auth: flask.Flask,
+) -> None:
+    with flask_app_with_service_auth.test_client() as client:
+        response = client.get(
+            "/service",
+            headers={DLHeadersCommon.US_MASTER_TOKEN.value: "wrong-token"},
+        )
+    assert response.status_code == 403
+    assert "Invalid service token" in response.text
+
+
+def test_service_auth_missing_token(
+    flask_app_with_service_auth: flask.Flask,
+) -> None:
+    with flask_app_with_service_auth.test_client() as client:
+        response = client.get("/service")
+    assert response.status_code == 401
+    assert "Service token header is missing" in response.text
+
+
+def test_service_auth_not_configured(
+    token_decoder: dl_auth_native.DecoderProtocol,
+) -> None:
+    """When master_token is None, service endpoints should return 401."""
+    app = flask.Flask(__name__)
+
+    dl_api_commons_flask_middlewares.ContextVarMiddleware().wrap_flask_app(app)
+    dl_api_commons_flask_middlewares.RequestLoggingContextControllerMiddleWare().set_up(app)
+    dl_api_commons_flask_middlewares.RequestIDService(
+        append_local_req_id=False,
+        request_id_app_prefix=None,
+    ).set_up(app)
+    dl_auth_native.FlaskMiddleware(
+        token_decoder=token_decoder,
+    ).set_up(app)
+    ReqCtxInfoMiddleware().set_up(app)
+
+    class ServiceView(MethodView):
+        REQUIRED_RESOURCES = frozenset({RequiredResourceCommon.ONLY_SERVICES_ALLOWED})
+
+        def get(self) -> flask.Response:
+            return flask.jsonify({"ok": True})
+
+    app.add_url_rule("/service", view_func=ServiceView.as_view("service"))
+
+    with app.test_client() as client:
+        response = client.get(
+            "/service",
+            headers={DLHeadersCommon.US_MASTER_TOKEN.value: "some-token"},
+        )
+    assert response.status_code == 401
+    assert "Service auth is not configured" in response.text
+
+
+def test_user_endpoint_still_uses_jwt(
+    flask_app_with_service_auth: flask.Flask,
+    token_decoder: mock.Mock,
+) -> None:
+    """Regular endpoints should still require JWT auth, not accept master token."""
+    with flask_app_with_service_auth.test_client() as client:
+        response = client.get(
+            "/user",
+            headers={DLHeadersCommon.US_MASTER_TOKEN.value: MASTER_TOKEN},
+        )
+    assert response.status_code == 401
+    assert "User access token header is missing" in response.text