feat: BI-6817 add dl_app_api_lib.AuthMiddleware (#1466)

Author: ovsds

lib/dl_app_api_base/dl_app_api_base/__init__.py

@@ -5,6 +5,16 @@
     HttpServerRequestContext,
     HttpServerRequestContextDependencies,
     HttpServerRequestContextManager,
+    HttpServerSettings,
+)
+from .auth import (
+    NoAuthChecker,
+    NoAuthResult,
+    OAuthChecker,
+    OAuthCheckerSettings,
+    OAuthResult,
+    RequestAuthCheckerProtocol,
+    RouteMatcher,
 )
 from .handlers import (
     BadRequestResponseSchema,
@@ -48,6 +58,7 @@
     "SubsystemReadinessAsyncCallback",
     "SubsystemReadinessCallback",
     "SubsystemReadinessSyncCallback",
+    "HttpServerSettings",
     "HttpServerAppSettingsMixin",
     "HttpServerAppMixin",
     "HttpServerAppFactoryMixin",
@@ -71,4 +82,11 @@
     "HttpServerRequestContextDependencies",
     "HttpServerRequestContext",
     "HttpServerRequestContextManager",
+    "RequestAuthCheckerProtocol",
+    "OAuthChecker",
+    "OAuthResult",
+    "NoAuthChecker",
+    "NoAuthResult",
+    "RouteMatcher",
+    "OAuthCheckerSettings",
 ]

lib/dl_app_api_base/dl_app_api_base/app.py

@@ -1,3 +1,4 @@
+import re
 from typing import (
     Generic,
     TypeVar,
@@ -9,6 +10,7 @@
 import pydantic
 from typing_extensions import override
 
+import dl_app_api_base.auth as auth
 import dl_app_api_base.handlers as handlers
 import dl_app_api_base.middlewares as middlewares
 import dl_app_api_base.openapi as openapi
@@ -38,13 +40,15 @@ class HttpServerAppMixin(dl_app_base.BaseApp):
 
 @attr.define(frozen=True, kw_only=True)
 class HttpServerRequestContextDependencies(
+    auth.AuthRequestContextDependenciesMixin,
     request_context.BaseRequestContextDependencies,
 ):
     ...
 
 
 class HttpServerRequestContext(
     request_id.RequestIdRequestContextMixin,
+    auth.AuthRequestContextMixin,
     request_context.BaseRequestContext,
 ):
     _dependencies: HttpServerRequestContextDependencies
@@ -103,9 +107,30 @@ async def _get_request_context_manager(
     ) -> HttpServerRequestContextManager:
         return HttpServerRequestContextManager(
             context_factory=HttpServerRequestContext.factory,
-            dependencies=HttpServerRequestContextDependencies(),
+            dependencies=HttpServerRequestContextDependencies(
+                request_auth_checkers=await self._get_request_auth_checkers(),
+            ),
         )
 
+    @dl_app_base.singleton_class_method_result
+    async def _get_request_auth_checkers(
+        self,
+    ) -> list[auth.RequestAuthCheckerProtocol]:
+        return [
+            auth.NoAuthChecker(
+                route_matchers=[
+                    auth.RouteMatcher(
+                        path_regex=re.compile(r"^/api/v1/health/.*$"),
+                        methods=frozenset(["GET"]),
+                    ),
+                    auth.RouteMatcher(
+                        path_regex=re.compile(r"^/api/v1/docs/.*$"),
+                        methods=frozenset(["GET"]),
+                    ),
+                ],
+            ),
+        ]
+
     @dl_app_base.singleton_class_method_result
     async def _get_aiohttp_app_middlewares(
         self,
@@ -119,11 +144,15 @@ async def _get_aiohttp_app_middlewares(
             request_context_provider=request_context_manager,
         )
         error_handling_middleware = middlewares.ErrorHandlingMiddleware()
+        auth_middleware = auth.AuthMiddleware(
+            request_context_provider=request_context_manager,
+        )
 
         return [
             request_context_middlewares.process,
             logging_middleware.process,
             error_handling_middleware.process,
+            auth_middleware.process,
         ]
 
     async def _setup_routes(self, app: aiohttp.web.Application) -> None:

lib/dl_app_api_base/dl_app_api_base/auth/__init__.py

@@ -0,0 +1,40 @@
+from .checkers import (
+    BaseRequestAuthChecker,
+    BaseRequestAuthResult,
+    NoAuthChecker,
+    NoAuthResult,
+    OAuthChecker,
+    OAuthCheckerSettings,
+    OAuthResult,
+    RequestAuthCheckerProtocol,
+)
+from .exc import (
+    AuthError,
+    AuthFailureError,
+    NoApplicableAuthCheckersError,
+)
+from .middleware import AuthMiddleware
+from .models import RouteMatcher
+from .request_context import (
+    AuthRequestContextDependenciesMixin,
+    AuthRequestContextMixin,
+)
+
+
+__all__ = [
+    "BaseRequestAuthChecker",
+    "RequestAuthCheckerProtocol",
+    "BaseRequestAuthResult",
+    "NoAuthChecker",
+    "NoAuthResult",
+    "OAuthChecker",
+    "OAuthCheckerSettings",
+    "OAuthResult",
+    "AuthRequestContextDependenciesMixin",
+    "AuthRequestContextMixin",
+    "AuthError",
+    "NoApplicableAuthCheckersError",
+    "AuthFailureError",
+    "AuthMiddleware",
+    "RouteMatcher",
+]

lib/dl_app_api_base/dl_app_api_base/auth/checkers/__init__.py

@@ -0,0 +1,26 @@
+from .base import (
+    BaseRequestAuthChecker,
+    BaseRequestAuthResult,
+    RequestAuthCheckerProtocol,
+)
+from .no_auth import (
+    NoAuthChecker,
+    NoAuthResult,
+)
+from .oauth import (
+    OAuthChecker,
+    OAuthCheckerSettings,
+    OAuthResult,
+)
+
+
+__all__ = [
+    "BaseRequestAuthChecker",
+    "RequestAuthCheckerProtocol",
+    "BaseRequestAuthResult",
+    "NoAuthChecker",
+    "NoAuthResult",
+    "OAuthChecker",
+    "OAuthCheckerSettings",
+    "OAuthResult",
+]

lib/dl_app_api_base/dl_app_api_base/auth/checkers/base.py

@@ -0,0 +1,42 @@
+import abc
+import logging
+from typing import (
+    Protocol,
+    Sequence,
+)
+
+import aiohttp.web
+import attr
+
+import dl_app_api_base.auth.models as auth_models
+
+
+LOGGER = logging.getLogger(__name__)
+
+
+@attr.define(frozen=True, kw_only=True)
+class BaseRequestAuthResult:
+    ...
+
+
+class RequestAuthCheckerProtocol(Protocol):
+    async def is_applicable(self, request: aiohttp.web.Request) -> bool:
+        ...
+
+    async def check(self, request: aiohttp.web.Request) -> BaseRequestAuthResult:
+        """
+        :raises: AuthFailureError if the authentication fails
+        """
+        ...
+
+
+@attr.define(frozen=True, kw_only=True)
+class BaseRequestAuthChecker(abc.ABC):
+    _route_matchers: Sequence[auth_models.RouteMatcher]
+
+    async def is_applicable(self, request: aiohttp.web.Request) -> bool:
+        return any(route_matcher.matches(request.path, request.method) for route_matcher in self._route_matchers)
+
+    @abc.abstractmethod
+    async def check(self, request: aiohttp.web.Request) -> BaseRequestAuthResult:
+        ...

lib/dl_app_api_base/dl_app_api_base/auth/checkers/no_auth.py

@@ -0,0 +1,14 @@
+import aiohttp.web
+import attr
+
+import dl_app_api_base.auth.checkers.base as auth_checkers_base
+
+
+class NoAuthResult(auth_checkers_base.BaseRequestAuthResult):
+    ...
+
+
+@attr.define(frozen=True, kw_only=True)
+class NoAuthChecker(auth_checkers_base.BaseRequestAuthChecker):
+    async def check(self, request: aiohttp.web.Request) -> NoAuthResult:
+        return NoAuthResult()

lib/dl_app_api_base/dl_app_api_base/auth/checkers/oauth.py

@@ -0,0 +1,72 @@
+from typing import Sequence
+
+import aiohttp.web
+import attr
+import pydantic
+from typing_extensions import Self
+
+import dl_app_api_base.auth.checkers.base as auth_checkers_base
+import dl_app_api_base.auth.exc as auth_exc
+import dl_app_api_base.auth.models as auth_models
+import dl_settings
+
+
+@attr.define(frozen=True, kw_only=True)
+class OAuthResult(auth_checkers_base.BaseRequestAuthResult):
+    client_id: str
+
+
+class OAuthUserSettings(dl_settings.BaseSettings):
+    CLIENT_ID: str
+    TOKEN: str = pydantic.Field(repr=False, alias="token")
+
+
+class OAuthCheckerSettings(dl_settings.BaseSettings):
+    USERS: dict[str, OAuthUserSettings]
+    HEADER_KEY: str = "Authorization"
+    HEADER_PREFIX: str = "Bearer "
+
+
+@attr.define(frozen=True, kw_only=True)
+class OAuthChecker(auth_checkers_base.BaseRequestAuthChecker):
+    _token_to_result_map: dict[str, OAuthResult]
+    _header_key: str
+    _header_prefix: str
+
+    @classmethod
+    def from_settings(
+        cls,
+        settings: OAuthCheckerSettings,
+        route_matchers: Sequence[auth_models.RouteMatcher],
+    ) -> Self:
+        return cls(
+            route_matchers=route_matchers,
+            token_to_result_map={user.TOKEN: OAuthResult(client_id=user.CLIENT_ID) for user in settings.USERS.values()},
+            header_key=settings.HEADER_KEY,
+            header_prefix=settings.HEADER_PREFIX,
+        )
+
+    async def is_applicable(self, request: aiohttp.web.Request) -> bool:
+        if not await super().is_applicable(request):
+            return False
+
+        authorization_header = request.headers.get(self._header_key, None)
+        if authorization_header is None:
+            return False
+
+        return authorization_header.startswith(self._header_prefix)
+
+    async def check(self, request: aiohttp.web.Request) -> OAuthResult:
+        authorization_header = request.headers.get(self._header_key, None)
+        if authorization_header is None:
+            raise auth_exc.AuthFailureError("Authorization header is required")
+
+        if not authorization_header.startswith(self._header_prefix):
+            raise auth_exc.AuthFailureError("Invalid authorization header format")
+
+        token = authorization_header.removeprefix(self._header_prefix)
+        user = self._token_to_result_map.get(token, None)
+        if user is None:
+            raise auth_exc.AuthFailureError("Invalid token")
+
+        return user

lib/dl_app_api_base/dl_app_api_base/auth/exc.py

@@ -0,0 +1,10 @@
+class AuthError(Exception):
+    ...
+
+
+class NoApplicableAuthCheckersError(AuthError):
+    ...
+
+
+class AuthFailureError(AuthError):
+    ...

lib/dl_app_api_base/dl_app_api_base/auth/middleware.py

@@ -0,0 +1,40 @@
+import http
+import logging
+
+import aiohttp.typedefs
+import aiohttp.web
+import attr
+
+import dl_app_api_base.auth.exc as auth_exc
+import dl_app_api_base.auth.request_context as auth_request_context
+import dl_app_api_base.handlers as handlers
+import dl_app_api_base.request_context as request_context
+
+
+LOGGER = logging.getLogger(__name__)
+
+
+@attr.define(frozen=True, kw_only=True)
+class AuthMiddleware:
+    _request_context_provider: request_context.RequestContextProviderProtocol[
+        auth_request_context.AuthRequestContextMixin
+    ]
+
+    @aiohttp.web.middleware
+    async def process(
+        self,
+        request: aiohttp.web.Request,
+        handler: aiohttp.typedefs.Handler,
+    ) -> aiohttp.web.StreamResponse:
+        context = self._request_context_provider.get()
+        try:
+            await context.get_auth_user()
+        except auth_exc.AuthError:
+            LOGGER.exception("Authentication failed")
+            return handlers.Response.with_error(
+                message="Unauthorized",
+                code="UNAUTHORIZED",
+                status=http.HTTPStatus.UNAUTHORIZED,
+            )
+
+        return await handler(request)

lib/dl_app_api_base/dl_app_api_base/auth/models.py

@@ -0,0 +1,22 @@
+import logging
+import re
+
+import attr
+
+
+LOGGER = logging.getLogger(__name__)
+
+_DEFAULT_ROUTE_MATCHER_METHODS = frozenset(["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"])
+
+
+@attr.define(frozen=True, kw_only=True)
+class RouteMatcher:
+    path_regex: re.Pattern[str]
+    methods: frozenset[str] = attr.ib(default=_DEFAULT_ROUTE_MATCHER_METHODS)
+
+    def matches(
+        self,
+        route: str,
+        method: str,
+    ) -> bool:
+        return self.path_regex.match(route) is not None and method in self.methods