Add key-based authentication support

Signed-off-by: Mathias L. Baumann <[email protected]>

Author: Marenz

RELEASE_NOTES.md

@@ -6,7 +6,7 @@
 
 ## Upgrading
 
-<!-- Here goes notes on how to upgrade from previous versions, including deprecations and what they should be replaced with -->
+* An API key for authorization must now be passed to the `DispatchClient`.
 
 ## New Features
 

src/frequenz/client/dispatch/__main__.py

@@ -37,18 +37,19 @@
 DEFAULT_DISPATCH_API_PORT = 50051
 
 
-def get_client(host: str, port: int) -> Client:
+def get_client(host: str, port: int, key: str) -> Client:
     """Get a new client instance.
 
     Args:
         host: The host of the dispatch service.
         port: The port of the dispatch service.
+        key: The API key for authentication.
 
     Returns:
         Client: A new client instance.
     """
     channel = grpc.aio.insecure_channel(f"{host}:{port}")
-    return Client(channel, f"{host}:{port}")
+    return Client(channel, f"{host}:{port}", key)
 
 
 # Click command groups
@@ -69,11 +70,17 @@ def get_client(host: str, port: int) -> Client:
     show_envvar=True,
     show_default=True,
 )
+@click.option(
+    "--key",
+    help="API key for authentication",
+    envvar="DISPATCH_API_KEY",
+    show_envvar=True,
+)
 @click.pass_context
-async def cli(ctx: click.Context, host: str, port: int) -> None:
+async def cli(ctx: click.Context, host: str, port: int, key: str) -> None:
     """Dispatch Service CLI."""
     ctx.ensure_object(dict)
-    ctx.obj["client"] = get_client(host, port)
+    ctx.obj["client"] = get_client(host, port, key)
 
 
 @cli.command("list")

src/frequenz/client/dispatch/_client.py

@@ -36,15 +36,17 @@
 class Client:
     """Dispatch API client."""
 
-    def __init__(self, grpc_channel: grpc.aio.Channel, svc_addr: str) -> None:
+    def __init__(self, grpc_channel: grpc.aio.Channel, svc_addr: str, key: str) -> None:
         """Initialize the client.
 
         Args:
             grpc_channel: gRPC channel to use for communication with the API.
             svc_addr: Address of the service to connect to.
+            key: API key to use for authentication.
         """
         self._svc_addr = svc_addr
         self._stub = dispatch_pb2_grpc.MicrogridDispatchServiceStub(grpc_channel)
+        self._metadata = (("key", key),)
 
     # pylint: disable=too-many-arguments, too-many-locals
     async def list(
@@ -64,7 +66,7 @@ async def list(
 
         ```python
         grpc_channel = grpc.aio.insecure_channel("example")
-        client = Client(grpc_channel, "localhost:50051")
+        client = Client(grpc_channel, "localhost:50051", "key")
         async for dispatch in client.list(microgrid_id=1):
             print(dispatch)
         ```
@@ -108,7 +110,9 @@ async def list(
         )
         request = DispatchListRequest(microgrid_id=microgrid_id, filter=filters)
 
-        response = await self._stub.ListMicrogridDispatches(request)  # type: ignore
+        response = await self._stub.ListMicrogridDispatches(
+            request, metadata=self._metadata
+        )  # type: ignore
         for dispatch in response.dispatches:
             yield Dispatch.from_protobuf(dispatch)
 
@@ -166,7 +170,9 @@ async def create(
             recurrence=recurrence or RecurrenceRule(),
         )
 
-        await self._stub.CreateMicrogridDispatch(request.to_protobuf())  # type: ignore
+        await self._stub.CreateMicrogridDispatch(
+            request.to_protobuf(), metadata=self._metadata
+        )  # type: ignore
 
         if dispatch := await self._try_fetch_created_dispatch(request):
             return dispatch
@@ -246,7 +252,9 @@ async def update(
 
             msg.update_mask.paths.append(key)
 
-        await self._stub.UpdateMicrogridDispatch(msg)  # type: ignore
+        await self._stub.UpdateMicrogridDispatch(
+            msg, metadata=self._metadata
+        )  # type: ignore
 
     async def get(self, dispatch_id: int) -> Dispatch:
         """Get a dispatch.
@@ -258,7 +266,9 @@ async def get(self, dispatch_id: int) -> Dispatch:
             Dispatch: The dispatch.
         """
         request = DispatchGetRequest(id=dispatch_id)
-        response = await self._stub.GetMicrogridDispatch(request)  # type: ignore
+        response = await self._stub.GetMicrogridDispatch(
+            request, metadata=self._metadata
+        )  # type: ignore
         return Dispatch.from_protobuf(response)
 
     async def delete(self, dispatch_id: int) -> None:
@@ -268,7 +278,9 @@ async def delete(self, dispatch_id: int) -> None:
             dispatch_id: The dispatch_id to delete.
         """
         request = DispatchDeleteRequest(id=dispatch_id)
-        await self._stub.DeleteMicrogridDispatch(request)  # type: ignore
+        await self._stub.DeleteMicrogridDispatch(
+            request, metadata=self._metadata
+        )  # type: ignore
 
     async def _try_fetch_created_dispatch(
         self,

src/frequenz/client/dispatch/test/_service.py

@@ -49,18 +49,59 @@ class FakeService:
     _shuffle_after_create: bool = False
     """Whether to shuffle the dispatches after creating them."""
 
+    def _check_access(self, metadata: grpc.aio.Metadata) -> None:
+        """Check if the access key is valid.
+
+        Args:
+            metadata: The metadata.
+
+        Raises:
+            grpc.RpcError: If the access key is invalid.
+        """
+        # metadata is a weird tuple of tuples, we don't like it
+        metadata_dict = dict(metadata)
+
+        if "key" not in metadata_dict:
+            raise grpc.RpcError(
+                grpc.StatusCode.UNAUTHENTICATED,
+                "No access key provided",
+            )
+
+        key = metadata_dict["key"]
+
+        if key is None:
+            raise grpc.RpcError(
+                grpc.StatusCode.UNAUTHENTICATED,
+                "No access key provided",
+            )
+
+        if key == "none":
+            raise grpc.RpcError(
+                grpc.StatusCode.PERMISSION_DENIED,
+                "Permission denied",
+            )
+
+        if key != "all":
+            raise grpc.RpcError(
+                grpc.StatusCode.UNAUTHENTICATED,
+                "Invalid access key",
+            )
+
     # pylint: disable=invalid-name
     async def ListMicrogridDispatches(
-        self, request: PBDispatchListRequest
+        self, request: PBDispatchListRequest, metadata: grpc.aio.Metadata
     ) -> DispatchList:
         """List microgrid dispatches.
 
         Args:
             request: The request.
+            metadata: The metadata.
 
         Returns:
             The dispatch list.
         """
+        self._check_access(metadata)
+
         return DispatchList(
             dispatches=map(
                 lambda d: d.to_protobuf(),
@@ -108,8 +149,10 @@ def _filter_dispatch(dispatch: Dispatch, request: PBDispatchListRequest) -> bool
     async def CreateMicrogridDispatch(
         self,
         request: PBDispatchCreateRequest,
+        metadata: grpc.aio.Metadata,
     ) -> Empty:
         """Create a new dispatch."""
+        self._check_access(metadata)
         self._last_id += 1
 
         self.dispatches.append(
@@ -128,8 +171,10 @@ async def CreateMicrogridDispatch(
     async def UpdateMicrogridDispatch(
         self,
         request: DispatchUpdateRequest,
+        metadata: grpc.aio.Metadata,
     ) -> Empty:
         """Update a dispatch."""
+        self._check_access(metadata)
         index = next(
             (i for i, d in enumerate(self.dispatches) if d.id == request.id),
             None,
@@ -194,8 +239,10 @@ async def UpdateMicrogridDispatch(
     async def GetMicrogridDispatch(
         self,
         request: DispatchGetRequest,
+        metadata: grpc.aio.Metadata,
     ) -> PBDispatch:
         """Get a single dispatch."""
+        self._check_access(metadata)
         dispatch = next((d for d in self.dispatches if d.id == request.id), None)
 
         if dispatch is None:
@@ -211,8 +258,10 @@ async def GetMicrogridDispatch(
     async def DeleteMicrogridDispatch(
         self,
         request: DispatchDeleteRequest,
+        metadata: grpc.aio.Metadata,
     ) -> Empty:
         """Delete a given dispatch."""
+        self._check_access(metadata)
         num_dispatches = len(self.dispatches)
         self.dispatches = [d for d in self.dispatches if d.id != request.id]
 

src/frequenz/client/dispatch/test/client.py

@@ -17,13 +17,16 @@ class FakeClient(Client):
     This client uses a fake service to simulate the dispatch api.
     """
 
-    def __init__(self, shuffle_after_create: bool = False) -> None:
+    def __init__(
+        self,
+        shuffle_after_create: bool = False,
+    ) -> None:
         """Initialize the mock client.
 
         Args:
             shuffle_after_create: Whether to shuffle the dispatches after creating them.
         """
-        super().__init__(MagicMock(), "mock")
+        super().__init__(MagicMock(), "mock", "all")
         self._stub = FakeService()  # type: ignore
         self._service._shuffle_after_create = shuffle_after_create
 

tests/test_dispatch_cli.py

@@ -26,6 +26,8 @@
 TEST_NOW = datetime(2023, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
 """Arbitrary time used as NOW for testing."""
 
+ENVIRONMENT_VARIABLES = {"DISPATCH_API_KEY": "all"}
+
 
 @pytest.fixture
 def runner() -> CliRunner:
@@ -148,9 +150,11 @@ async def test_list_command(  # pylint: disable=too-many-arguments
 ) -> None:
     """Test the list command."""
     fake_client.dispatches = dispatches
-    result = await runner.invoke(cli, ["list", str(microgrid_id)])
-    assert result.exit_code == expected_return_code
+    result = await runner.invoke(
+        cli, ["list", str(microgrid_id)], env=ENVIRONMENT_VARIABLES
+    )
     assert expected_output in result.output
+    assert result.exit_code == expected_return_code
 
 
 @pytest.mark.asyncio
@@ -311,7 +315,7 @@ async def test_create_command(  # pylint: disable=too-many-arguments,too-many-lo
     expected_return_code: int,
 ) -> None:
     """Test the create command."""
-    result = await runner.invoke(cli, args)
+    result = await runner.invoke(cli, args, env=ENVIRONMENT_VARIABLES)
     now = datetime.now(get_localzone())
 
     if (
@@ -501,7 +505,7 @@ async def test_update_command(  # pylint: disable=too-many-arguments
 ) -> None:
     """Test the update command."""
     fake_client.dispatches = dispatches
-    result = await runner.invoke(cli, ["update", "1", *args])
+    result = await runner.invoke(cli, ["update", "1", *args], env=ENVIRONMENT_VARIABLES)
     assert expected_output in result.output
     assert result.exit_code == expected_return_code
     if dispatches:
@@ -551,7 +555,9 @@ async def test_get_command(
 ) -> None:
     """Test the get command."""
     fake_client.dispatches = dispatches
-    result = await runner.invoke(cli, ["get", str(dispatch_id)])
+    result = await runner.invoke(
+        cli, ["get", str(dispatch_id)], env=ENVIRONMENT_VARIABLES
+    )
     assert result.exit_code == 0 if dispatches else 1
     assert expected_in_output in result.output
 
@@ -600,7 +606,9 @@ async def test_delete_command(  # pylint: disable=too-many-arguments
 ) -> None:
     """Test the delete command."""
     fake_client.dispatches = dispatches
-    result = await runner.invoke(cli, ["delete", str(dispatch_id)])
+    result = await runner.invoke(
+        cli, ["delete", str(dispatch_id)], env=ENVIRONMENT_VARIABLES
+    )
     assert result.exit_code == expected_return_code
     assert expected_output in result.output
     if dispatches: