Fix unauthenticated API calls

closes #172

Signed-off-by: Jérôme Jutteau <jerome.jutteau@outscale.com>

Author: jerome-jutteau

.github/workflows/pull-request.yml

@@ -54,6 +54,7 @@ jobs:
         OSC_TEST_SECRET_KEY: ${{ secrets.OSC_TEST_SECRET_KEY }}
         OSC_TEST_ENDPOINT_ICU: ${{ secrets.OSC_TEST_ENDPOINT_ICU }}
         OSC_TEST_ENDPOINT_API: ${{ secrets.OSC_TEST_ENDPOINT_API }}
+        OSC_TEST_ENDPOINT_FCU: ${{ secrets.OSC_TEST_ENDPOINT_FCU }}
         OSC_TEST_REGION: ${{ secrets.OSC_TEST_REGION }}
     - name: Test python package building
       run: make build
@@ -81,6 +82,7 @@ jobs:
         OSC_TEST_SECRET_KEY: ${{ secrets.OSC_TEST_SECRET_KEY }}
         OSC_TEST_ENDPOINT_ICU: ${{ secrets.OSC_TEST_ENDPOINT_ICU }}
         OSC_TEST_ENDPOINT_API: ${{ secrets.OSC_TEST_ENDPOINT_API }}
+        OSC_TEST_ENDPOINT_FCU: ${{ secrets.OSC_TEST_ENDPOINT_FCU }}
         OSC_TEST_REGION: ${{ secrets.OSC_TEST_REGION }}
     - name: Test python package building
       run: make build
@@ -108,6 +110,7 @@ jobs:
         OSC_TEST_SECRET_KEY: ${{ secrets.OSC_TEST_SECRET_KEY }}
         OSC_TEST_ENDPOINT_ICU: ${{ secrets.OSC_TEST_ENDPOINT_ICU }}
         OSC_TEST_ENDPOINT_API: ${{ secrets.OSC_TEST_ENDPOINT_API }}
+        OSC_TEST_ENDPOINT_FCU: ${{ secrets.OSC_TEST_ENDPOINT_FCU }}
         OSC_TEST_REGION: ${{ secrets.OSC_TEST_REGION }}
     - name: Test python package building
       run: make build
@@ -135,6 +138,7 @@ jobs:
         OSC_TEST_SECRET_KEY: ${{ secrets.OSC_TEST_SECRET_KEY }}
         OSC_TEST_ENDPOINT_ICU: ${{ secrets.OSC_TEST_ENDPOINT_ICU }}
         OSC_TEST_ENDPOINT_API: ${{ secrets.OSC_TEST_ENDPOINT_API }}
+        OSC_TEST_ENDPOINT_FCU: ${{ secrets.OSC_TEST_ENDPOINT_FCU }}
         OSC_TEST_REGION: ${{ secrets.OSC_TEST_REGION }}
     - name: Test python package building
       run: make build
@@ -162,6 +166,7 @@ jobs:
         OSC_TEST_SECRET_KEY: ${{ secrets.OSC_TEST_SECRET_KEY }}
         OSC_TEST_ENDPOINT_ICU: ${{ secrets.OSC_TEST_ENDPOINT_ICU }}
         OSC_TEST_ENDPOINT_API: ${{ secrets.OSC_TEST_ENDPOINT_API }}
+        OSC_TEST_ENDPOINT_FCU: ${{ secrets.OSC_TEST_ENDPOINT_FCU }}
         OSC_TEST_REGION: ${{ secrets.OSC_TEST_REGION }}
     - name: Test python package building
       run: make build

osc_sdk/sdk.py

@@ -8,7 +8,7 @@
 import urllib.parse
 from dataclasses import InitVar, dataclass, field
 from pathlib import Path
-from typing import Any, Dict, List, Mapping, Optional, Tuple, Union, cast
+from typing import Any, Dict, List, Mapping, Optional, Set, Tuple, Union, cast
 
 import defusedxml.ElementTree as ET
 import fire
@@ -29,7 +29,6 @@
 DEFAULT_PROFILE = "default"
 DEFAULT_REGION = "eu-west-2"
 DEFAULT_VERSION = datetime.date.today().strftime("%Y-%m-%d")
-DEFAULT_AUTHENTICATION_METHOD = "accesskey"
 
 DEFAULT_HOST = "outscale.com"
 
@@ -46,6 +45,31 @@
 EncodedCallParameters = Optional[str]
 Headers = Tuple[str, str, Dict[str, str]]
 
+NO_AUTH_CALLS: Dict[str, Set[str]] = {
+    "api": {
+        "ReadFlexibleGpuCatalog",
+        "ReadLocations",
+        "ReadNetAccessPointServices",
+        "ReadProductTypes",
+        "ReadPublicIpRanges",
+        "ReadRegions",
+        "ReadVmTypes",
+        "ResetAccountPassword",
+        "SendResetPasswordEmail",
+    },
+    "icu": {
+        "AuthenticateAccount",
+        "ResetAccountPassword",
+        "SendResetPasswordEmail",
+        "ReadPublicCatalog",
+        "CheckSignature",
+    },
+    "fcu": {
+        "DescribeRegions",
+        "ReadPublicIpRanges",
+    },
+}
+
 
 class Configuration(TypedDict):
     method: str
@@ -151,7 +175,7 @@ class ApiCall:
     profile: str = DEFAULT_PROFILE
     login: Optional[str] = None
     password: Optional[str] = None
-    authentication_method: str = DEFAULT_AUTHENTICATION_METHOD
+    authentication_method: Optional[str] = None
 
     API_NAME: str = field(default="", init=False)
     CONTENT_TYPE = "application/x-www-form-urlencoded"
@@ -179,8 +203,6 @@ def __post_init__(self):
         if not self.API_NAME:
             raise RuntimeError("API_NAME is required and should not be empty")
 
-        self.check_authentication_options()
-
         if self.method not in METHODS_SUPPORTED:
             raise Exception(
                 f"Wrong method {self.method}. Supported: {METHODS_SUPPORTED}."
@@ -202,9 +224,9 @@ def __post_init__(self):
             self.endpoint = f"{self.protocol}://{self.endpoint}"
 
     def check_authentication_options(self):
-        if self.authentication_method not in {"accesskey", "password"}:
+        if self.authentication_method not in {"accesskey", "password", "none"}:
             raise RuntimeError(
-                "Unsupported authentication method (accesskey or password)"
+                "Unsupported authentication method (accesskey, password or none)"
             )
         if self.authentication_method == "accesskey":
             if self.access_key is None:
@@ -309,6 +331,14 @@ def make_request(self, call: str, **kwargs: CallParameters):
         # Calculate request params
         request_params = self.get_parameters(data=kwargs)
 
+        if self.authentication_method is None:
+            if call_need_auth(self.API_NAME, call):
+                self.authentication_method = "accesskey"
+            else:
+                self.authentication_method = "none"
+
+        self.check_authentication_options()
+
         if self.authentication_method == "password":
             request_params.update(self.get_password_params())
 
@@ -476,6 +506,14 @@ def make_request(self, call: str, **kwargs: CallParameters):
 
         request_params = self.get_parameters(kwargs, call)
 
+        if self.authentication_method is None:
+            if call_need_auth(self.API_NAME, call):
+                self.authentication_method = "accesskey"
+            else:
+                self.authentication_method = "none"
+
+        self.check_authentication_options()
+
         if self.authentication_method == "password":
             request_params.update(self.get_password_params())
 
@@ -675,13 +713,17 @@ def get_conf(profile: str) -> Configuration:
         raise RuntimeError(f"Profile {profile} not found in configuration file")
 
 
+def call_need_auth(service: str, call: str) -> bool:
+    return call not in NO_AUTH_CALLS.get(service, set())
+
+
 def api_connect(
     service: str,
     call: str,
     profile: str = DEFAULT_PROFILE,
     login: Optional[str] = None,
     password: Optional[str] = None,
-    authentication_method: str = DEFAULT_AUTHENTICATION_METHOD,
+    authentication_method: Optional[str] = None,
     **kwargs: CallParameters,
 ):
     calls = {
@@ -693,6 +735,7 @@ def api_connect(
         "lbu": LbuCall,
         "okms": OKMSCall,
     }
+
     handler = calls[service](
         profile, login, password, authentication_method, **get_conf(profile)
     )

osc_sdk/test_noauth.py

@@ -0,0 +1,121 @@
+import os
+from dataclasses import dataclass
+
+import pytest
+
+from . import sdk
+
+
+@dataclass
+class Env:
+    access_key: str
+    secret_key: str
+    endpoint_icu: str
+    endpoint_api: str
+    endpoint_fcu: str
+    region: str
+
+
+@pytest.fixture
+def env() -> Env:
+    return Env(
+        access_key=os.getenv("OSC_TEST_ACCESS_KEY", ""),
+        secret_key=os.getenv("OSC_TEST_SECRET_KEY", ""),
+        endpoint_icu=os.getenv("OSC_TEST_ENDPOINT_ICU", ""),
+        endpoint_api=os.getenv("OSC_TEST_ENDPOINT_API", ""),
+        endpoint_fcu=os.getenv("OSC_TEST_ENDPOINT_FCU", ""),
+        region=os.getenv("OSC_TEST_REGION", ""),
+    )
+
+
+def test_icu_noauth_call_with_auth_env(env):
+    icu = sdk.IcuCall(
+        access_key=env.access_key,
+        secret_key=env.secret_key,
+        endpoint=env.endpoint_icu,
+        region_name=env.region,
+    )
+    icu.make_request("ReadPublicCatalog")
+    assert len(icu.response)
+
+
+def test_icu_noauth_call_with_empty_auth_env(env):
+    icu = sdk.IcuCall(  # nosec
+        access_key="",
+        secret_key="",
+        endpoint=env.endpoint_icu,
+        region_name=env.region,
+    )
+    icu.make_request("ReadPublicCatalog")
+    assert len(icu.response)
+
+
+def test_icu_noauth_basic(env):
+    icu = sdk.IcuCall(
+        endpoint=env.endpoint_icu,
+        region_name=env.region,
+    )
+    icu.make_request("ReadPublicCatalog")
+    assert len(icu.response)
+
+
+def test_api_noauth_call_with_auth_env(env):
+    api = sdk.OSCCall(
+        access_key=env.access_key,
+        secret_key=env.secret_key,
+        endpoint=env.endpoint_api,
+        region_name=env.region,
+    )
+    api.make_request("ReadRegions")
+    assert len(api.response)
+
+
+def test_api_noauth_call_with_empty_auth_env(env):
+    api = sdk.OSCCall(  # nosec
+        access_key="",
+        secret_key="",
+        endpoint=env.endpoint_api,
+        region_name=env.region,
+    )
+    api.make_request("ReadRegions")
+    assert len(api.response)
+
+
+def test_api_noauth_basic(env):
+    api = sdk.OSCCall(
+        endpoint=env.endpoint_api,
+        region_name=env.region,
+    )
+    api.make_request("ReadRegions")
+    assert len(api.response)
+
+
+def test_fcu_noauth_call_with_auth_env(env):
+    fcu = sdk.FcuCall(
+        access_key=env.access_key,
+        secret_key=env.secret_key,
+        endpoint=env.endpoint_fcu,
+        region_name=env.region,
+    )
+    fcu.make_request("ReadPublicIpRanges")
+    assert len(fcu.response)
+
+
+def test_fcu_noauth_call_with_empty_auth_env(env):
+    fcu = sdk.FcuCall(  # nosec
+        access_key="",
+        secret_key="",
+        endpoint=env.endpoint_fcu,
+        region_name=env.region,
+    )
+    fcu.make_request("ReadPublicIpRanges")
+    assert len(fcu.response)
+
+
+def test_fcu_noauth_basic(env):
+    fcu = sdk.FcuCall(
+        endpoint=env.endpoint_fcu,
+        region_name=env.region,
+    )
+    fcu.make_request("ReadPublicIpRanges")
+    assert len(fcu.response)

tests/generic_tests/04_auth_none.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+set -e
+
+# Assuming you are running this from a prepared virtual environment
+PROJECT_ROOT=$(cd "$(dirname $0)/../.." && pwd)
+cd $PROJECT_ROOT
+c="python osc_sdk/sdk.py"
+
+
+echo -n "$(basename $0): "
+
+# All calls must fail with a bad auth method even if accesskey method is available
+if [ -z "$OSC_TEST_LOGIN" ]; then
+    echo "error, OSC_TEST_LOGIN must be set"
+    exit 1
+fi
+if [ -z "$OSC_TEST_PASSWORD" ]; then
+    echo "error, OSC_TEST_PASSWORD must be set"
+    exit 1
+fi
+
+# Test password auth
+$c icu ListAccessKeys --authentication-method=password --login "$OSC_TEST_LOGIN" --password "$OSC_TEST_PASSWORD" &> /dev/null || { echo "login auth check error 1"; exit 1; }
+$c icu ListAccessKeys --authentication-method=password --login "BAD_LOGIN" --password "BAD_PASSWORD" &> /dev/null && { echo "login auth check error 2"; exit 1; }
+# Test accesskey auth
+$c api ReadVolumes --authentication-method=accesskey &> /dev/null || { echo "accesskey auth check error"; exit 1; }
+
+
+# On Outscale API, calls which do not require authentication also succeed when authenticated.
+$c api ReadRegions --authentication-method=accesskey &> /dev/null || { echo "api:ReadRegion error 1"; exit 1; }
+$c api ReadRegions --authentication-method=password --login "$OSC_TEST_LOGIN" --password "$OSC_TEST_PASSWORD" &> /dev/null || { echo "api:ReadRegion error 2"; exit 1; }
+$c api ReadRegions --authentication-method=password --login "BAD_LOGIN" --password "BAD_PASSWORD" &> /dev/null || { echo "api:ReadRegion error 3"; exit 1; }
+# Bad auth method should still be refused by cli
+$c api ReadRegions --authentication-method=bad &> /dev/null && { echo "api:ReadRegion error 4"; exit 1; }
+# Explicitly ignore authentication for non auth call
+$c api ReadRegions --authentication-method=none &> /dev/null || { echo "api:ReadRegion error 5"; exit 1; }
+# Explicitly ignore authentication for auth call
+$c api ReadVolumes --authentication-method=none &> /dev/null && { echo "api:ReadVolumes error 6"; exit 1; }
+# Should default to authentication-method=none
+$c api ReadRegions &> /dev/null || { echo "api:ReadRegion error 7"; exit 1; }
+
+# On ICU, calls which do not require authentication also succeed when authenticated.
+$c icu ReadPublicCatalog --authentication-method=accesskey &> /dev/null || { echo "icu:ReadPublicCatalog error 1"; exit 1; }
+$c icu ReadPublicCatalog --authentication-method=password --login "$OSC_TEST_LOGIN" --password "$OSC_TEST_PASSWORD" &> /dev/null || { echo "icu:ReadPublicCatalog error 2"; exit 1; }
+$c icu ReadPublicCatalog --authentication-method=password --login "BAD_LOGIN" --password "BAD_PASSWORD" &> /dev/null || { echo "icu:ReadPublicCatalog error 3"; exit 1; }
+# Bad auth method should still be refused by cli
+$c icu ReadPublicCatalog --authentication-method=bad &> /dev/null && { echo "icu:ReadPublicCatalog error 4"; exit 1; }
+# Explicitly ignore authentication for non auth call
+$c icu ReadPublicCatalog --authentication-method=none &> /dev/null || { echo "icu:ReadPublicCatalog error 5"; exit 1; }
+# Explicitly ignore authentication for auth call
+$c icu GetAccount --authentication-method=none &> /dev/null && { echo "icu:GetAccount error 6"; exit 1; }
+# Should default to authentication-method=none
+$c icu ReadPublicCatalog &> /dev/null || { echo "icu:ReadPublicCatalog error 7"; exit 1; }
+
+# On FCU, calls which do not require authentication also succeed when authenticated.
+$c fcu DescribeRegions --authentication-method=accesskey &> /dev/null || { echo "fcu:DescribeRegions error 1"; exit 1; }
+# On FCU, this kind call should not work with password authentication.
+$c fcu DescribeRegions --authentication-method=password --login "$OSC_TEST_LOGIN" --password "$OSC_TEST_PASSWORD" &> /dev/null && { echo "fcu:DescribeRegions error 2"; exit 1; }
+$c fcu DescribeRegions --authentication-method=password --login "BAD_LOGIN" --password "BAD_PASSWORD" &> /dev/null && { echo "fcu:DescribeRegions error 3"; exit 1; }
+# Bad auth method should still be refused by cli
+$c fcu DescribeRegions --authentication-method=bad &> /dev/null && { echo "fcu:DescribeRegions error 4"; exit 1; }
+# Explicitly ignore authentication for non auth call
+$c fcu DescribeRegions --authentication-method=none &> /dev/null || { echo "fcu:DescribeRegions error 5"; exit 1; }
+# Explicitly ignore authentication for auth call
+$c fcu DescribeVolumes --authentication-method=none &> /dev/null && { echo "fcu:DescribeVolumes error 6"; exit 1; }
+# Should default to authentication-method=none
+$c fcu DescribeRegions &> /dev/null || { echo "fcu:DescribeRegions error 7"; exit 1; }
+
+echo "OK"

tests/test_pytest.sh

@@ -17,6 +17,11 @@ if [ -z "$OSC_TEST_ENDPOINT_ICU" ]; then
     exit 1
 fi
 
+if [ -z "$OSC_TEST_ENDPOINT_FCU" ]; then
+    echo "OSC_TEST_ENDPOINT_FCU not set, aborting"
+    exit 1
+fi
+
 if [ -z "$OSC_TEST_REGION" ]; then
     echo "OSC_TEST_REGION not set, aborting"
     exit 1