feat: Service account authentication (#210)

Author: ptiurin

.github/workflows/integration-tests.yml

@@ -7,6 +7,10 @@ on:
         required: true
       FIREBOLT_PASSWORD:
         required: true
+      SERVICE_ID:
+        required: true
+      SERVICE_SECRET:
+        required: true
 jobs:
   tests:
     runs-on: ubuntu-latest
@@ -37,6 +41,8 @@ jobs:
         env:
           USER_NAME: ${{ secrets.FIREBOLT_USERNAME }}
           PASSWORD: ${{ secrets.FIREBOLT_PASSWORD }}
+          SERVICE_ID: ${{ secrets.SERVICE_ID }}
+          SERVICE_SECRET: ${{ secrets.SERVICE_SECRET }}
           DATABASE_NAME: ${{ steps.setup.outputs.database_name }}
           ENGINE_NAME: ${{ steps.setup.outputs.engine_name }}
           ENGINE_URL: ${{ steps.setup.outputs.engine_url }}

.github/workflows/nightly.yml

@@ -56,6 +56,8 @@ jobs:
         env:
           USER_NAME: ${{ secrets.FIREBOLT_USERNAME }}
           PASSWORD: ${{ secrets.FIREBOLT_PASSWORD }}
+          SERVICE_ID: ${{ secrets.SERVICE_ID }}
+          SERVICE_SECRET: ${{ secrets.SERVICE_SECRET }}
           DATABASE_NAME: ${{ steps.setup.outputs.database_name }}
           ENGINE_NAME: ${{ steps.setup.outputs.engine_name }}
           ENGINE_URL: ${{ steps.setup.outputs.engine_url }}

.github/workflows/release.yml

@@ -16,6 +16,8 @@ jobs:
     secrets:
       FIREBOLT_USERNAME: ${{ secrets.FIREBOLT_USERNAME }}
       FIREBOLT_PASSWORD: ${{ secrets.FIREBOLT_PASSWORD }}
+      SERVICE_ID: ${{ secrets.SERVICE_ID }}
+      SERVICE_SECRET: ${{ secrets.SERVICE_SECRET }}
 
   publish:
     runs-on: ubuntu-latest

src/firebolt/client/auth/__init__.py

@@ -1,3 +1,4 @@
 from firebolt.client.auth.base import Auth
+from firebolt.client.auth.service_account import ServiceAccount
 from firebolt.client.auth.token import Token
 from firebolt.client.auth.username_password import UsernamePassword

src/firebolt/client/auth/request_auth_base.py

@@ -0,0 +1,57 @@
+from time import time
+from typing import Generator
+
+from httpx import Request, Response
+
+from firebolt.client.auth.base import Auth
+from firebolt.client.constants import _REQUEST_ERRORS
+from firebolt.utils.exception import AuthenticationError
+from firebolt.utils.usage_tracker import get_user_agent_header
+
+
+class _RequestBasedAuth(Auth):
+    """Base abstract class for http request based authentication."""
+
+    def __init__(self, use_token_cache: bool = True):
+        self._user_agent = get_user_agent_header()
+        super().__init__(use_token_cache)
+
+    def _make_auth_request(self) -> Request:
+        """Create an HTTP request required for authentication.
+        Returns:
+            Request: HTTP request, required for authentication.
+        """
+        raise NotImplementedError()
+
+    @staticmethod
+    def _check_response_error(response: dict) -> None:
+        """Check if response data contains errors.
+        Args:
+            response (dict): Response data
+        Raises:
+            AuthenticationError: Were unable to authenticate
+        """
+        if "error" in response:
+            raise AuthenticationError(
+                response.get("message", "unknown server error"),
+            )
+
+    def get_new_token_generator(self) -> Generator[Request, Response, None]:
+        """Get new token using username and password.
+        Yields:
+            Request: An http request to get token. Expects Response to be sent back
+        Raises:
+            AuthenticationError: Error while authenticating with provided credentials
+        """
+        try:
+            response = yield self._make_auth_request()
+            response.raise_for_status()
+
+            parsed = response.json()
+            self._check_response_error(parsed)
+
+            self._token = parsed["access_token"]
+            self._expires = int(time()) + int(parsed["expires_in"])
+
+        except _REQUEST_ERRORS as e:
+            raise AuthenticationError(repr(e)) from e

src/firebolt/client/auth/service_account.py

@@ -0,0 +1,89 @@
+from typing import Optional
+
+from firebolt.client.auth.base import AuthRequest
+from firebolt.client.auth.request_auth_base import _RequestBasedAuth
+from firebolt.utils.token_storage import TokenSecureStorage
+from firebolt.utils.urls import AUTH_SERVICE_ACCOUNT_URL
+from firebolt.utils.util import cached_property
+
+
+class ServiceAccount(_RequestBasedAuth):
+    """Service Account authentication class for Firebolt Database.
+
+    Gets authentication token using
+    provided credentials and updates it when it expires.
+
+    Args:
+        client_id (str): Client ID
+        client_secret (str): Client secret
+        use_token_cache (bool): True if token should be cached in filesystem;
+            False otherwise
+
+    Attributes:
+        client_id (str): Client ID
+        client_secret (str): Client secret
+    """
+
+    __slots__ = (
+        "client_id",
+        "client_secret",
+        "_token",
+        "_expires",
+        "_use_token_cache",
+        "_user_agent",
+    )
+
+    requires_response_body = True
+
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        use_token_cache: bool = True,
+    ):
+        self.client_id = client_id
+        self.client_secret = client_secret
+        super().__init__(use_token_cache)
+
+    def copy(self) -> "ServiceAccount":
+        """Make another auth object with same credentials.
+
+        Returns:
+            ServiceAccount: Auth object
+        """
+        return ServiceAccount(self.client_id, self.client_secret, self._use_token_cache)
+
+    @cached_property
+    def _token_storage(self) -> Optional[TokenSecureStorage]:
+        """Token filesystem cache storage.
+
+        This is evaluated lazily, only if caching is enabled
+
+        Returns:
+            TokenSecureStorage: Token filesystem cache storage
+        """
+        return TokenSecureStorage(username=self.client_id, password=self.client_secret)
+
+    def _make_auth_request(self) -> AuthRequest:
+        """Get new token using username and password.
+
+        Yields:
+            Request: An http request to get token. Expects Response to be sent back
+
+        Raises:
+            AuthenticationError: Error while authenticating with provided credentials
+        """
+
+        response = self.request_class(
+            "POST",
+            AUTH_SERVICE_ACCOUNT_URL,
+            headers={
+                "User-Agent": self._user_agent,
+            },
+            data={
+                "client_id": self.client_id,
+                "client_secret": self.client_secret,
+                "grant_type": "client_credentials",
+            },
+        )
+        return response

src/firebolt/client/auth/username_password.py

@@ -1,17 +1,13 @@
-from time import time
-from typing import Generator, Optional
+from typing import Optional
 
-from httpx import Request, Response
-
-from firebolt.client.auth.base import Auth
-from firebolt.client.constants import _REQUEST_ERRORS
-from firebolt.utils.exception import AuthenticationError
+from firebolt.client.auth.base import AuthRequest
+from firebolt.client.auth.request_auth_base import _RequestBasedAuth
 from firebolt.utils.token_storage import TokenSecureStorage
 from firebolt.utils.urls import AUTH_URL
 from firebolt.utils.util import cached_property
 
 
-class UsernamePassword(Auth):
+class UsernamePassword(_RequestBasedAuth):
     """Username/Password authentication class for Firebolt Database.
 
     Gets authentication token using
@@ -34,6 +30,7 @@ class UsernamePassword(Auth):
         "_token",
         "_expires",
         "_use_token_cache",
+        "_user_agent",
     )
 
     requires_response_body = True
@@ -67,7 +64,7 @@ def _token_storage(self) -> Optional[TokenSecureStorage]:
         """
         return TokenSecureStorage(username=self.username, password=self.password)
 
-    def get_new_token_generator(self) -> Generator[Request, Response, None]:
+    def _make_auth_request(self) -> AuthRequest:
         """Get new token using username and password.
 
         Yields:
@@ -76,39 +73,13 @@ def get_new_token_generator(self) -> Generator[Request, Response, None]:
         Raises:
             AuthenticationError: Error while authenticating with provided credentials
         """
-        try:
-            response = yield self.request_class(
-                "POST",
-                # The full url is generated on client side by attaching
-                # it to api_endpoint
-                AUTH_URL,
-                headers={
-                    "Content-Type": "application/json;charset=UTF-8",
-                    "User-Agent": "firebolt-sdk",
-                },
-                json={"username": self.username, "password": self.password},
-            )
-            response.raise_for_status()
-
-            parsed = response.json()
-            self._check_response_error(parsed)
-
-            self._token = parsed["access_token"]
-            self._expires = int(time()) + int(parsed["expires_in"])
-
-        except _REQUEST_ERRORS as e:
-            raise AuthenticationError(repr(e)) from e
-
-    def _check_response_error(self, response: dict) -> None:
-        """Check if response data contains errors.
-
-        Args:
-            response (dict): Response data
-
-        Raises:
-            AuthenticationError: Were unable to authenticate
-        """
-        if "error" in response:
-            raise AuthenticationError(
-                response.get("message", "unknown server error"),
-            )
+        response = self.request_class(
+            "POST",
+            AUTH_URL,
+            headers={
+                "Content-Type": "application/json;charset=UTF-8",
+                "User-Agent": self._user_agent,
+            },
+            json={"username": self.username, "password": self.password},
+        )
+        return response

src/firebolt/utils/urls.py

@@ -1,4 +1,5 @@
 AUTH_URL = "/auth/v1/login"
+AUTH_SERVICE_ACCOUNT_URL = "/auth/v1/token"
 
 DATABASES_URL = "/core/v1/account/databases"
 

tests/integration/conftest.py

@@ -17,6 +17,8 @@
 PASSWORD_ENV = "PASSWORD"
 ACCOUNT_NAME_ENV = "ACCOUNT_NAME"
 API_ENDPOINT_ENV = "API_ENDPOINT"
+SERVICE_ID_ENV = "SERVICE_ID"
+SERVICE_SECRET_ENV = "SERVICE_SECRET"
 
 
 def must_env(var_name: str) -> str:
@@ -78,3 +80,13 @@ def account_name() -> str:
 @fixture(scope="session")
 def api_endpoint() -> str:
     return must_env(API_ENDPOINT_ENV)
+
+
+@fixture(scope="session")
+def service_id() -> str:
+    return must_env(SERVICE_ID_ENV)
+
+
+@fixture(scope="session")
+def service_secret() -> str:
+    return must_env(SERVICE_SECRET_ENV)

tests/integration/dbapi/async/conftest.py

@@ -1,6 +1,7 @@
 from pytest_asyncio import fixture as async_fixture
 
 from firebolt.async_db import Connection, connect
+from firebolt.client.auth import ServiceAccount, UsernamePassword
 
 
 @async_fixture
@@ -15,8 +16,26 @@ async def connection(
     async with await connect(
         engine_url=engine_url,
         database=database_name,
-        username=username,
-        password=password,
+        auth=UsernamePassword(username, password),
+        account_name=account_name,
+        api_endpoint=api_endpoint,
+    ) as connection:
+        yield connection
+
+
+@async_fixture
+async def service_account_connection(
+    engine_url: str,
+    database_name: str,
+    service_id: str,
+    service_secret: str,
+    account_name: str,
+    api_endpoint: str,
+) -> Connection:
+    async with await connect(
+        engine_url=engine_url,
+        database=database_name,
+        auth=ServiceAccount(service_id, service_secret),
         account_name=account_name,
         api_endpoint=api_endpoint,
     ) as connection: