716 dissociate the encryption key from the api keys of the master password (#779)

* chore(env): add newline at the end of file

# Conflicts:
#	.env.example

* chore(docs): update inline documentation

* feat(auth): add auth_secret_key setting
- remove session_secret_key setting from configuration
- remove default value for session_secret_key
- remove constr() deprecated function to implement new Annotated syntax in configuration.py
- add new auth_secret_key setting
- deprecated auth_master_key setting (still available to use for a moment)
- add default value for auth_secret_key (default = auth_master_key value for retrocompatibility)
- add deprecation warning messages
- fix EmptyDepencency typo to EmptyDependency
- remove usage of auth_master_key in most of the codebase
- add typing in IdentityAccessManager property
- identify duplicate functions for token encoding (added TODO)
- rename get_master_key into get_secret_key
- update SessionMiddleware (cookie encoding/decoding) middleware to now use auth_secret_key
- update config.yml, config.example.yml and config.test.yml
- remove duplicate socket_keepalive in config.test.yml
- remove TOKEN_PREFIX from Key(BaseModel) class due to a duplicate from IdentityAccessManager
- remove useless comment
- remove duplicate content in api.schemas.admin.providers and most of their references
- migrate old Provider class calls to the new one (in api.infrastructure.fastapi.schemas.providers)
- update some part of the documentation (not complete yet)

# Conflicts:
#	api/schemas/admin/providers.py

* feat(admmin): add superadmin creation at startup
- remove MasterNotAllowedException exception
- remove hardcoded admin bypass
- delete MASTER_USER_ID and MASTER_KEY_ID for MASTER_ID
- add auth_master_username setting
- add auth_master_password setting
- remove use of master key as API key
- replace 0 refs to MASTER_ID global variable
- add setup_master method in lifespan (WIP: prints still present)
- rename master_key to secret_key in IdentityAccessManager

* feat(admin): force ID 0 for admin rol and user
- add master permission in PermissionType (unused for the moment)
- update inline documentation
- remove useless prints

* feat(roles): migrate PermissionType from old to new class (incomplete)
- restrict the master user permissions to only MASTER instead of the whole list.

* feat(alembic): add migration to add master permission to database
- add newline in carbon footprint migration
- fix inline doc typo
- remove debug prints and add logger prints
- check that the master role and user creation runs only at very first run

* chore(IAM): add CheckTokenResult typing class to check_token method

* chore(user): clean if statement in create_user method
- update TODO comments to make them clearer

* feat(admin): add MASTER permission bypass in is_admin method

* feat(admin): add deletion restriction for master user
- move MASTER_ID constant into variable.py
- rename user into user_id in DELETE /user endpoint

* chore(const): add typing to variable.py constants

* feat(amdin): add restrictions for master user in role creation, role update, user creation and user update
- needs to be tested

* fix(token): fix false positive on InvalidAPIKeyException for Master user

* feat(models): give access to models to master user

* chore(permission): migrate permission type
- from api.schemas.admin.roles to api.domain.role.entities

* fix(alembic): fix migration history

* fix(rebase): fix bad rebase conflict strategy
- add typing for ecologit class

* fix(rebase): revert bad python package update (mistral)

* feat(admin): remove alembic migration as we do not want to create a master user anymore

* chore: replace str, Enum inheritance by StrEnum type

* feat(role, user): migrate some endpoints from role and user ressourcesto clean architecture
- migrate endpoints
- add use cases for role, user, and bootstrap
- add exceptions

* chore(test): commented tests because of usecase migration

* feat(admin): migrate to new bootstrap admin management (without master user)
- remove master role
- add security boundaries to prevent deleting last admin user or admin role of OGL
- add new bootstrap admin version
- add new exceptions, repistories and factories
- remove old endpoints
- update default admin user and default admin password

* chore(sql): remove empty session.py

* chore: remove useless comments, update lifespan prototype

* feat(admin): remove securities about admin self deletion. An admin can now delete himself
- fix get_postgres_session iterator call
- quick fix of Routers class
- migrated to clean archi

* fix(admin): fix obsolete admin bypass (before id 0, now permission ADMIN)
- fix several playground bugs (login page glitch, redis token lock duration, migration issue on local, usage crash, 500 errors)
- add shield badge on corresponding admin roles
- add background tasks in playground

* tests(admin): add some integration tests for admin bootstrap

* tests(admin): add custom values for bootstrap admin tests

* fix(provider): replace old Provider class by new one for rebase
- still need to test

* feat(playground): fix seletors
- fix strategy display when updating a router

* test(postgres): add context comments for has admin db tests

* test(users): add test suit for get users repository
- add temporary implementation of update user
- add temporary implementation of delete user

* test(admin, bootstrap, roles, users): add tests for role and user use cases
- fix typing typo
- clean unused bootstrap and hasadmin usecases
- add some TODO comments
- move use case tests to unit folder instead of integration folder

* fix(playground): fix KeyError: 'carbon' in Usage page

* fix(playground): fix selector blank display for router update and creation (load balancing strategy)

* test(models): add new test on models when admin user don't have limits
- fix some models tests

* restore playground/ to main branch version

* fix(tests): fix unit tests. working on integration tests

Author: tibo-pdn

.env.example

@@ -19,4 +19,4 @@ REDIS_PASSWORD=changeme
 ELASTICSEARCH_HOST=elasticsearch
 ELASTICSEARCH_PORT=9200
 ELASTICSEARCH_USER=elasticsearch
-ELASTICSEARCH_PASSWORD=changeme
+ELASTICSEARCH_PASSWORD=changeme

api/alembic/versions/2025_12_22_1507-f02a2525b97c_remove_carbon_footprint_prefix.py

@@ -13,6 +13,7 @@
 import sqlalchemy as sa
 from sqlalchemy.dialects import postgresql
 
+
 # revision identifiers, used by Alembic.
 revision: str = 'f02a2525b97c'
 down_revision: Union[str, None] = '551b2920b23c'

api/app.py

@@ -54,7 +54,7 @@ def _setup_sentry(configuration: Configuration) -> None:
 
 
 def _setup_middleware(app: FastAPI, configuration: Configuration) -> None:
-    app.add_middleware(SessionMiddleware, secret_key=configuration.settings.session_secret_key)
+    app.add_middleware(SessionMiddleware, secret_key=configuration.settings.auth_secret_key)
 
     @app.middleware("http")
     async def set_request_context(request: Request, call_next):

api/dependencies.py

@@ -6,7 +6,14 @@
 
 from api.domain.key import KeyRepository
 from api.infrastructure.model import ModelProviderGateway
-from api.infrastructure.postgres import PostgresKeyRepository, PostgresProviderRepository, PostgresRouterRepository, PostgresUserInfoRepository
+from api.infrastructure.postgres import (
+    PostgresKeyRepository,
+    PostgresProviderRepository,
+    PostgresRolesRepository,
+    PostgresRouterRepository,
+    PostgresUserInfoRepository,
+    PostgresUserRepository,
+)
 from api.schemas.core.context import RequestContext
 from api.use_cases.admin.providers import (
     CreateProviderUseCase,
@@ -15,7 +22,9 @@
     GetProvidersUseCase,
     UpdateProviderUseCase,
 )
+from api.use_cases.admin.roles import CreateRoleUseCase
 from api.use_cases.admin.routers import CreateRouterUseCase, DeleteRouterUseCase, GetOneRouterUseCase, GetRoutersUseCase, UpdateRouterUseCase
+from api.use_cases.admin.users import CreateUserUseCase
 from api.use_cases.models import GetModelsUseCase
 from api.utils.configuration import configuration
 from api.utils.context import global_context, request_context
@@ -25,8 +34,8 @@ def get_request_context() -> ContextVar[RequestContext]:
     return request_context
 
 
-def get_master_key() -> str:
-    return configuration.settings.auth_master_key
+def get_secret_key() -> str:
+    return configuration.settings.auth_secret_key
 
 
 # databases
@@ -44,6 +53,14 @@ async def get_postgres_session() -> AsyncGenerator[AsyncSession]:
 
 
 # repositories
+def _user_repository(session: AsyncSession) -> PostgresUserRepository:
+    return PostgresUserRepository(postgres_session=session)
+
+
+def _role_repository(session: AsyncSession) -> PostgresRolesRepository:
+    return PostgresRolesRepository(postgres_session=session)
+
+
 def _router_repository(session: AsyncSession) -> PostgresRouterRepository:
     return PostgresRouterRepository(postgres_session=session, app_title=configuration.settings.app_title)
 
@@ -68,6 +85,16 @@ def get_models_use_case(
     )
 
 
+# users use cases
+def create_user_use_case_factory(postgres_session: AsyncSession = Depends(get_postgres_session)) -> CreateUserUseCase:
+    return CreateUserUseCase(user_repository=_user_repository(postgres_session), user_info_repository=_user_info_repository(postgres_session))
+
+
+# roles use cases
+def create_role_use_case_factory(postgres_session: AsyncSession = Depends(get_postgres_session)) -> CreateRoleUseCase:
+    return CreateRoleUseCase(role_repository=_role_repository(postgres_session), user_info_repository=_user_info_repository(postgres_session))
+
+
 # routers use cases
 def get_one_router_use_case_factory(postgres_session: AsyncSession = Depends(get_postgres_session)) -> GetOneRouterUseCase:
     return GetOneRouterUseCase(router_repository=_router_repository(postgres_session), user_info_repository=_user_info_repository(postgres_session))

api/sql/session.py api/domain/bootstrap/__init__.pyapi/sql/session.py renamed to api/domain/bootstrap/__init__.py

@@ -0,0 +1,6 @@
+from dataclasses import dataclass
+
+
+@dataclass
+class AdminAlreadyExistsError:
+    pass

api/domain/bootstrap/errors.py

@@ -1,11 +1,9 @@
 from jose import JWTError, jwt
 from pydantic import BaseModel, Field
 
+from api.helpers._identityaccessmanager import IdentityAccessManager
 from api.utils.exceptions import InvalidAPIKeyException
 
-MASTER_USER_ID = 0
-MASTER_KEY_ID = 0
-
 
 class KeyClaims(BaseModel):
     user_id: int
@@ -15,19 +13,18 @@ class KeyClaims(BaseModel):
 class Key(BaseModel):
     """API Key entity"""
 
-    TOKEN_PREFIX: str = "sk-"
     value: str = Field(..., description="The raw API key value")
 
-    def decode(self, master_key: str) -> KeyClaims:
-        if self.value == master_key:
-            return KeyClaims(user_id=MASTER_USER_ID, key_id=MASTER_KEY_ID)
-
-        if not self.value.startswith(self.TOKEN_PREFIX):
+    def decode(self, secret_key: str) -> KeyClaims:
+        if not self.value.startswith(IdentityAccessManager.TOKEN_PREFIX):
             raise InvalidAPIKeyException()
 
         try:
-            jwt_token = self.value.split(self.TOKEN_PREFIX)[1]
-            claims = jwt.decode(token=jwt_token, key=master_key, algorithms=["HS256"])
-            return KeyClaims(user_id=claims["user_id"], key_id=claims["token_id"])
+            # TODO: Refactor this. It's a duplicate with api.helpers._identityaccessmanager.IdentityAccessManager._decode_token
+            jwt_token = self.value.split(IdentityAccessManager.TOKEN_PREFIX)[1]
+            claims = jwt.decode(token=jwt_token, key=secret_key, algorithms=["HS256"])
+            return KeyClaims(
+                user_id=claims["user_id"], key_id=claims["token_id"]
+            )  # TODO: ensure token_id is included in claims when creating token, test the behavior when token_id is missing but the API key has the sk- format
         except (JWTError, IndexError):
             raise InvalidAPIKeyException()

api/domain/key/entities.py

@@ -1,15 +1,16 @@
 from abc import ABC, abstractmethod
 
-from api.domain.role.entities import Role
+from api.domain.role.entities import Limit, PermissionType, Role
+from api.domain.role.errors import RoleAlreadyExistsError
 
 
 class RoleRepository(ABC):
     @abstractmethod
-    async def get_roles(self, role_id: str) -> list[Role]:
+    async def create_role(self, name: str, permissions: list[PermissionType], limits: list[Limit]) -> Role | RoleAlreadyExistsError:
         pass
 
     @abstractmethod
-    async def create_role(self, role: Role) -> Role:
+    async def get_roles(self, role_id: str) -> list[Role]:
         pass
 
     @abstractmethod

api/domain/role/_rolerepository.py

@@ -1,17 +1,17 @@
 import datetime as dt
-from enum import Enum
+from enum import StrEnum
 
 from pydantic import BaseModel, Field
 
 
-class PermissionType(str, Enum):
+class PermissionType(StrEnum):
     ADMIN = "admin"
     CREATE_PUBLIC_COLLECTION = "create_public_collection"
     READ_METRIC = "read_metric"
     PROVIDE_MODELS = "provide_models"
 
 
-class LimitType(str, Enum):
+class LimitType(StrEnum):
     TPM = "tpm"
     TPD = "tpd"
     RPM = "rpm"

api/domain/role/entities.py

@@ -0,0 +1,11 @@
+from dataclasses import dataclass
+
+
+@dataclass
+class RoleAlreadyExistsError:
+    name: str
+
+
+@dataclass
+class RoleNotFoundError:
+    name: str