Merge pull request #159 from permitio/raz/per-9141-allow-the-pdp-to-use-org-project-keys-v2

add api_keys and other refactors for startup pkg

Author: RazcoDev

horizon/authentication.py

@@ -1,6 +1,7 @@
 from fastapi import Header, HTTPException, status
 
 from horizon.config import MOCK_API_KEY, sidecar_config
+from horizon.startup.api_keys import get_env_api_key
 
 
 def enforce_pdp_token(authorization=Header(None)):
@@ -10,7 +11,7 @@ def enforce_pdp_token(authorization=Header(None)):
         )
     schema, token = authorization.split(" ")
 
-    if schema.strip().lower() != "bearer" or token.strip() != sidecar_config.API_KEY:
+    if schema.strip().lower() != "bearer" or token.strip() != get_env_api_key():
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, detail="Invalid PDP token")
 
 

horizon/config.py

@@ -2,8 +2,21 @@
 
 MOCK_API_KEY = "MUST BE DEFINED"
 
+# scopes enum
+class ApiKeyLevel(str):
+    ORGANIZATION = "organization"
+    PROJECT = "project"
+    ENVIRONMENT = "environment"
+
 
 class SidecarConfig(Confi):
+    def __new__(cls, prefix=None, is_model=True):
+        """creates a singleton object, if it is not created,
+        or else returns the previous singleton object"""
+        if not hasattr(cls, "instance"):
+            cls.instance = super(SidecarConfig, cls).__new__(cls)
+        return cls.instance
+
     SHARD_ID = confi.str(
         "SHARD_ID",
         None,
@@ -48,7 +61,35 @@ class SidecarConfig(Confi):
     REMOTE_STATE_ENDPOINT = confi.str("REMOTE_STATE_ENDPOINT", "/v2/pdps/me/state")
 
     # access token to access backend api
-    API_KEY = confi.str("API_KEY", MOCK_API_KEY)
+    API_KEY = confi.str(
+        "API_KEY",
+        MOCK_API_KEY,
+        description="set this to your environment's API key if you prefer to use the environment level API key.",
+    )
+
+    # access token to your organization
+    ORG_API_KEY = confi.str(
+        "ORG_API_KEY",
+        None,
+        description="set this to your organization's API key if you prefer to use the organization level API key. If not set, the PDP will use the project level API key",
+    )
+
+    # access token to your project
+    PROJECT_API_KEY = confi.str(
+        "PROJECT_API_KEY",
+        None,
+        description="set this to your project's API key if you prefer to use the project level API key. If not set, the PDP will use the default project API key",
+    )
+
+    # chosen project id/key to use for the PDP
+    ACTIVE_PROJECT = confi.str(
+        "ACTIVE_PROJECT", None, description="the project id/key to use for the PDP"
+    )
+
+    # chosen environment id/key to use for the PDP
+    ACTIVE_ENV = confi.str(
+        "ACTIVE_ENV", None, description="the environment id/key to use for the PDP"
+    )
 
     # access token to perform system control operations
     CONTAINER_CONTROL_KEY = confi.str("CONTAINER_CONTROL_KEY", MOCK_API_KEY)

horizon/enforcer/opa/config_maker.py

@@ -4,6 +4,7 @@
 from opal_common.logger import logger
 
 from horizon.config import SidecarConfig
+from horizon.startup.api_keys import get_env_api_key
 
 
 def get_jinja_environment() -> jinja2.Environment:
@@ -51,7 +52,7 @@ def get_opa_config_file_path(
         template = env.get_template(template_path)
         contents = template.render(
             cloud_service_url=decision_logs_backend_tier,
-            bearer_token=sidecar_config.API_KEY,
+            bearer_token=get_env_api_key(),
             log_ingress_endpoint=sidecar_config.OPA_DECISION_LOG_INGRESS_ROUTE,
             min_delay_seconds=sidecar_config.OPA_DECISION_LOG_MIN_DELAY,
             max_delay_seconds=sidecar_config.OPA_DECISION_LOG_MAX_DELAY,
@@ -84,7 +85,7 @@ def get_opa_authz_policy_file_path(
     try:
         template = env.get_template(template_path)
         contents = template.render(
-            bearer_token=sidecar_config.API_KEY,
+            bearer_token=get_env_api_key(),
             allow_metrics_unauthenticated=sidecar_config.ALLOW_METRICS_UNAUTHENTICATED,
         )
     except jinja2.TemplateNotFound:

horizon/facts/client.py

@@ -10,6 +10,7 @@
 
 from horizon.config import sidecar_config
 from horizon.startup.remote_config import get_remote_config
+from horizon.startup.api_keys import get_env_api_key
 
 
 class FactsClient:
@@ -19,9 +20,10 @@ def __init__(self):
     @property
     def client(self) -> AsyncClient:
         if self._client is None:
+            env_api_key = get_env_api_key()
             self._client = AsyncClient(
                 base_url=sidecar_config.CONTROL_PLANE,
-                headers={"Authorization": f"Bearer {sidecar_config.API_KEY}"},
+                headers={"Authorization": f"Bearer {env_api_key}"},
             )
         return self._client
 

horizon/local/api.py

@@ -157,5 +157,4 @@ async def list_role_assignments(
         else:
             return parse_obj_as(WrappedResponse, result).result
 
-
     return router

horizon/opal_relay_api.py

@@ -14,6 +14,7 @@
 from pydantic import BaseModel
 
 from horizon.config import sidecar_config
+from horizon.startup.api_keys import get_env_api_key
 from horizon.state import PersistentStateHandler
 
 
@@ -95,8 +96,9 @@ def _apply_context(self, context: dict[str, str]):
 
     def api_session(self) -> ClientSession:
         if self._api_session is None:
+            env_api_key = get_env_api_key()
             self._api_session = ClientSession(
-                headers={"Authorization": f"Bearer {sidecar_config.API_KEY}"}
+                headers={"Authorization": f"Bearer {env_api_key}"}
             )
         return self._api_session
 

horizon/pdp.py

@@ -1,4 +1,5 @@
 import logging
+import os
 import sys
 from typing import List
 from uuid import uuid4, UUID
@@ -21,7 +22,7 @@
 
 from horizon.facts.router import facts_router
 from horizon.authentication import enforce_pdp_token
-from horizon.config import MOCK_API_KEY, sidecar_config
+from horizon.config import MOCK_API_KEY, sidecar_config, ApiKeyLevel
 from horizon.enforcer.api import init_enforcer_api_router, stats_manager
 from horizon.enforcer.opa.config_maker import (
     get_opa_authz_policy_file_path,
@@ -30,7 +31,9 @@
 from horizon.local.api import init_local_cache_api_router
 from horizon.opal_relay_api import OpalRelayAPIClient
 from horizon.proxy.api import router as proxy_router
-from horizon.startup.remote_config import InvalidPDPTokenException, get_remote_config
+from horizon.startup.remote_config import get_remote_config
+from horizon.startup.exceptions import InvalidPDPTokenException
+from horizon.startup.api_keys import get_env_api_key
 from horizon.state import PersistentStateHandler
 from horizon.system.api import init_system_api_router
 from horizon.system.consts import GUNICORN_EXIT_APP
@@ -85,8 +88,7 @@ class PermitPDP:
 
     def __init__(self):
         self._setup_temp_logger()
-        PersistentStateHandler.initialize()
-        self._verify_config()
+        PersistentStateHandler.initialize(get_env_api_key())
         # fetch and apply config override from cloud control plane
         try:
             remote_config = get_remote_config()
@@ -247,7 +249,7 @@ def _configure_inline_opa_config(self):
 
         if sidecar_config.OPA_BEARER_TOKEN_REQUIRED:
             # overrides OPAL client config so that OPAL passes the bearer token in requests
-            opal_client_config.POLICY_STORE_AUTH_TOKEN = sidecar_config.API_KEY
+            opal_client_config.POLICY_STORE_AUTH_TOKEN = get_env_api_key()
             opal_client_config.POLICY_STORE_AUTH_TYPE = PolicyStoreAuth.TOKEN
 
             # append the bearer token authz policy to inline OPA config
@@ -390,7 +392,7 @@ def app(self):
         return self._app
 
     def _verify_config(self):
-        if sidecar_config.API_KEY == MOCK_API_KEY:
+        if get_env_api_key() == MOCK_API_KEY:
             logger.critical(
                 "No API key specified. Please specify one with the PDP_API_KEY environment variable."
             )

horizon/startup/api_keys.py

@@ -0,0 +1,146 @@
+import requests
+from tenacity import retry, retry_if_not_exception_type, stop, wait
+
+from horizon.config import ApiKeyLevel, sidecar_config, MOCK_API_KEY
+from opal_common.logger import logger
+
+from horizon.startup.exceptions import NoRetryException
+from horizon.startup.blocking_request import BlockingRequest
+from horizon.system.consts import GUNICORN_EXIT_APP
+
+
+class EnvApiKeyFetcher:
+
+    DEFAULT_RETRY_CONFIG = {
+        "retry": retry_if_not_exception_type(NoRetryException),
+        "wait": wait.wait_random_exponential(max=10),
+        "stop": stop.stop_after_attempt(10),
+        "reraise": True,
+    }
+
+    def __init__(
+        self,
+        backend_url: str = sidecar_config.CONTROL_PLANE,
+        retry_config=None,
+    ):
+        self._backend_url = backend_url
+        self._retry_config = retry_config or self.DEFAULT_RETRY_CONFIG
+        self.api_key_level = self._get_api_key_level()
+
+    @staticmethod
+    def _get_api_key_level() -> ApiKeyLevel:
+        if sidecar_config.API_KEY != MOCK_API_KEY:
+            if sidecar_config.ORG_API_KEY or sidecar_config.PROJECT_API_KEY:
+                logger.warning(
+                    "PDP_API_KEY is set, but PDP_ORG_API_KEY or PDP_PROJECT_API_KEY are also set and will be ignored."
+                )
+            return ApiKeyLevel.ENVIRONMENT
+
+        if sidecar_config.PROJECT_API_KEY:
+            if sidecar_config.ORG_API_KEY:
+                logger.warning(
+                    "PDP_PROJECT_API_KEY is set, but PDP_ORG_API_KEY is also set and will be ignored."
+                )
+            if not sidecar_config.ACTIVE_ENV:
+                logger.error(
+                    "PDP_PROJECT_API_KEY is set, but PDP_ACTIVE_ENV is not. Please set it with Environment ID or Key."
+                )
+                raise
+            return ApiKeyLevel.PROJECT
+
+        if sidecar_config.ORG_API_KEY:
+            if not sidecar_config.ACTIVE_ENV or not sidecar_config.ACTIVE_PROJECT:
+                logger.error(
+                    "PDP_ORG_API_KEY is set, but PDP_ACTIVE_ENV or PDP_ACTIVE_PROJECT are not. Please set them with Environment ID/Key and Project ID/Key."
+                )
+                raise
+            return ApiKeyLevel.ORGANIZATION
+
+        logger.critical(
+            "No API key specified. Please specify one with the PDP_API_KEY environment variable."
+        )
+        raise
+
+    def get_env_api_key_by_level(self) -> str:
+        api_key_level = self.api_key_level
+        api_key = sidecar_config.ORG_API_KEY
+        active_project_id = sidecar_config.ACTIVE_PROJECT
+        active_env_id = sidecar_config.ACTIVE_ENV
+
+        if api_key_level == ApiKeyLevel.ENVIRONMENT:
+            return sidecar_config.API_KEY
+        if api_key_level == ApiKeyLevel.PROJECT:
+            api_key = sidecar_config.PROJECT_API_KEY
+            active_project_id = get_scope(sidecar_config.ORG_API_KEY).get("project_id")
+            if not active_project_id:
+                logger.error(
+                    "PDP_PROJECT_API_KEY is set, but failed to get Project ID from provided Organization API Key."
+                )
+                raise
+        return self._fetch_env_key(api_key, active_project_id, active_env_id)
+
+    def _fetch_env_key(
+        self, api_key: str, active_project_key: str, active_env_key: str
+    ) -> str:
+        """
+        fetches the active environment's API Key by identifying with the provided Project/Organization API Key.
+        """
+        api_key_url = (
+            f"{self._backend_url}/v2/api-key/{active_project_key}/{active_env_key}"
+        )
+        logger.info(
+            "Fetching Environment API Key from control plane: {url}", url=api_key_url
+        )
+        fetch_with_retry = retry(**self._retry_config)(
+            lambda: BlockingRequest(
+                token=api_key,
+            ).get(url=api_key_url)
+        )
+        try:
+            secret = fetch_with_retry().get("secret")
+            if secret is None:
+                logger.error("No secret found in response from control plane")
+                raise
+            return secret
+
+        except requests.RequestException as e:
+            logger.warning(f"Failed to get Environment API Key: {e}")
+            raise
+
+    def fetch_scope(self, api_key: str) -> dict | None:
+        """
+        fetches the provided Project/Organization Scope.
+        """
+        api_key_url = f"{self._backend_url}/v2/api-key/scope"
+        logger.info("Fetching Scope from control plane: {url}", url=api_key_url)
+        fetch_with_retry = retry(**self._retry_config)(
+            lambda: BlockingRequest(
+                token=api_key,
+            ).get(url=api_key_url)
+        )
+        try:
+            return fetch_with_retry()
+        except requests.RequestException:
+            logger.warning("Failed to get scope from provided API Key")
+            return
+
+
+_env_api_key: str | None = None
+
+
+def get_env_api_key() -> str:
+    global _env_api_key
+    if not _env_api_key:
+        try:
+            _env_api_key = EnvApiKeyFetcher().get_env_api_key_by_level()
+        except Exception as e:
+            logger.error(f"Failed to get Environment API Key: {e}")
+            raise SystemExit(GUNICORN_EXIT_APP)
+    return _env_api_key
+
+
+def get_scope(api_key: str) -> dict:
+    if scope := EnvApiKeyFetcher().fetch_scope(api_key) is None:
+        logger.warning("Failed to get scope from provided API Key")
+        raise
+    return scope

horizon/startup/blocking_request.py

@@ -0,0 +1,47 @@
+from typing import Optional, Any, Dict
+
+import requests
+
+from horizon.startup.exceptions import InvalidPDPTokenException
+
+
+class BlockingRequest:
+    def __init__(
+        self, token: Optional[str], extra_headers: dict[str, Any] | None = None
+    ):
+        self._token = token
+        self._extra_headers = {
+            k: v for k, v in (extra_headers or {}).items() if v is not None
+        }
+
+    def _headers(self) -> Dict[str, str]:
+        headers = {}
+        if self._token is not None:
+            headers["Authorization"] = f"Bearer {self._token}"
+
+        headers.update(self._extra_headers)
+        return headers
+
+    def get(self, url: str, params=None) -> dict:
+        """
+        utility method to send a *blocking* HTTP GET request and get the response back.
+        """
+        response = requests.get(url, headers=self._headers(), params=params)
+
+        if response.status_code == 401:
+            raise InvalidPDPTokenException()
+
+        return response.json()
+
+    def post(self, url: str, payload: dict = None, params=None) -> dict:
+        """
+        utility method to send a *blocking* HTTP POST request with a JSON payload and get the response back.
+        """
+        response = requests.post(
+            url, json=payload, headers=self._headers(), params=params
+        )
+
+        if response.status_code == 401:
+            raise InvalidPDPTokenException()
+
+        return response.json()