Finished release 0.4.

7b4d8ca9 · geant-release-service · 5223a4e8 · a7823bb4 · 7b4d8ca9 · 7b4d8ca9
Commit 7b4d8ca9 authored 1 year ago by geant-release-service
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,9 @@

 All notable changes to this project will be documented in this file.

+## [0.3] - 2024-01-26
+- Added Token authentication for LSO callbacks.
+
 ## [0.3] - 2024-01-23
 - Fixed related to the Authentication and some small improvments.


--- a/gso/api/v1/subscriptions.py
+++ b/gso/api/v1/subscriptions.py
@@ -8,13 +8,13 @@ from orchestrator.domain import SubscriptionModel
 from orchestrator.schemas import SubscriptionDomainModelSchema
 from orchestrator.services.subscriptions import build_extended_domain_model

-from gso.auth.security import opa_security_default
+from gso.auth.api_key_auth import get_api_key
 from gso.services.subscriptions import get_active_router_subscriptions

 router = APIRouter(
    prefix="/subscriptions",
    tags=["Subscriptions"],
-    dependencies=[Depends(opa_security_default)],
+    dependencies=[Depends(get_api_key)],
 )



--- a/gso/auth/api_key_auth.py
+++ b/gso/auth/api_key_auth.py
+"""Manage API key validation for FastAPI routes."""
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from gso.settings import load_oss_params
+
+security = HTTPBearer()
+
+
+async def get_api_key(
+    credentials: HTTPAuthorizationCredentials = Depends(security),  # noqa: B008
+) -> str:
+    """Validate the provided API key against known third-party keys and returns it if valid, else raises HTTP 403."""
+    settings = load_oss_params()
+    api_key = credentials.credentials
+
+    # TODO: This is a simulated database of API keys which should be replace with a real one
+    if api_key in settings.THIRD_PARTY_API_KEYS.values():
+        return api_key
+
+    raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid API Key")
--- a/gso/oss-params-example.json
+++ b/gso/oss-params-example.json
@@ -73,5 +73,9 @@
    "broker_url": "redis://localhost:6379/0",
    "result_backend": "rpc://localhost:6379/0",
    "result_expires": 3600
+  },
+  "THIRD_PARTY_API_KEYS": {
+    "AnsibleDynamicInventoryGenerator": "REALLY_random_AND_secure_T0keN",
+    "Application_2": "another_REALY_random_AND_3cure_T0keN"
  }
 }
--- a/gso/services/provisioning_proxy.py
+++ b/gso/services/provisioning_proxy.py
@@ -62,8 +62,8 @@ def execute_playbook(
    .. code-block:: json

        "inventory": {
-            "_meta": {
-                "vars": {
+            "all": {
+                "hosts": {
                    "host1.local": {
                        "foo": "bar"
                    },
@@ -71,12 +71,6 @@ def execute_playbook(
                        "key": "value"
                    }
                }
-            },
-            "all": {
-                "hosts": {
-                    "host1.local": null,
-                    "host2.local": null
-                }
            }
        }


--- a/gso/settings.py
+++ b/gso/settings.py
@@ -161,6 +161,7 @@ class OSSParams(BaseSettings):
    MONITORING: MonitoringParams
    PROVISIONING_PROXY: ProvisioningProxyParams
    CELERY: CeleryParams
+    THIRD_PARTY_API_KEYS: dict[str, str]


 def load_oss_params() -> OSSParams:

--- a/gso/workflows/router/update_ibgp_mesh.py
+++ b/gso/workflows/router/update_ibgp_mesh.py
@@ -59,23 +59,22 @@ def calculate_pe_router_list() -> State:
 def _generate_pe_inventory(pe_router_list: list[Router]) -> dict[str, Any]:
    """Generate an Ansible-compatible inventory for executing playbooks. Contains all active PE routers."""
    return {
-        "_meta": {
-            "vars": {
+        "all": {
+            "hosts": {
                router.router.router_fqdn: {
                    "lo4": str(router.router.router_lo_ipv4_address),
                    "lo6": str(router.router.router_lo_ipv6_address),
-                    "vendor": router.router.vendor,
+                    "vendor": str(router.router.vendor),
                }
                for router in pe_router_list
            }
        },
-        "all": {"hosts": {router.router.router_fqdn: None for router in pe_router_list}},
    }


 @step("[DRY RUN] Add P router to iBGP mesh")
 def add_p_to_mesh_dry(
-    subscription: Router, callback_route: str, pe_router_list: list[Router], tt_number: str, process_id: UUIDstr
+    subscription: dict[str, Any], callback_route: str, pe_router_list: list[Router], tt_number: str, process_id: UUIDstr
 ) -> None:
    """Perform a dry run of adding the new P router to the PE router mesh."""
    extra_vars = {
@@ -95,7 +94,7 @@ def add_p_to_mesh_dry(

 @step("[FOR REAL] Add P router to iBGP mesh")
 def add_p_to_mesh_real(
-    subscription: Router, callback_route: str, pe_router_list: list[Router], tt_number: str, process_id: UUIDstr
+    subscription: dict[str, Any], callback_route: str, pe_router_list: list[Router], tt_number: str, process_id: UUIDstr
 ) -> None:
    """Add the P router to the mesh of PE routers."""
    extra_vars = {
@@ -115,7 +114,7 @@ def add_p_to_mesh_real(

 @step("[DRY RUN] Add all PE routers to P router iBGP table")
 def add_all_pe_to_p_dry(
-    subscription: Router, pe_router_list: list[Router], callback_route: str, tt_number: str, process_id: UUIDstr
+    subscription: dict[str, Any], pe_router_list: list[Router], callback_route: str, tt_number: str, process_id: UUIDstr
 ) -> None:
    """Perform a dry run of adding the list of all PE routers to the new P router."""
    extra_vars = {
@@ -136,14 +135,14 @@ def add_all_pe_to_p_dry(
    provisioning_proxy.execute_playbook(
        playbook_name="update_ibgp_mesh.yaml",
        callback_route=callback_route,
-        inventory=subscription.router.router_fqdn,
+        inventory=subscription["router"]["router_fqdn"],
        extra_vars=extra_vars,
    )


 @step("[FOR REAL] Add all PE routers to P router iBGP table")
 def add_all_pe_to_p_real(
-    subscription: Router, pe_router_list: list[Router], callback_route: str, tt_number: str, process_id: UUIDstr
+    subscription: dict[str, Any], pe_router_list: list[Router], callback_route: str, tt_number: str, process_id: UUIDstr
 ) -> None:
    """Add the list of all PE routers to the new P router."""
    extra_vars = {
@@ -164,7 +163,7 @@ def add_all_pe_to_p_real(
    provisioning_proxy.execute_playbook(
        playbook_name="update_ibgp_mesh.yaml",
        callback_route=callback_route,
-        inventory=subscription.router.router_fqdn,
+        inventory=subscription["router"]["router_fqdn"],
        extra_vars=extra_vars,
    )


--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@ from setuptools import find_packages, setup

 setup(
    name="geant-service-orchestrator",
-    version="0.3",
+    version="0.4",
    author="GÉANT",
    author_email="swd@geant.org",
    description="GÉANT Service Orchestrator",

--- a/test/api/test_subscriptions.py
+++ b/test/api/test_subscriptions.py
@@ -3,14 +3,30 @@ from orchestrator.types import SubscriptionLifecycle
 ROUTER_SUBSCRIPTION_ENDPOINT = "/api/v1/subscriptions/routers"


-def test_router_subscriptions_endpoint(test_client, nokia_router_subscription_factory):
+def test_router_subscriptions_endpoint_with_valid_api_key(test_client, nokia_router_subscription_factory):
    nokia_router_subscription_factory()
    nokia_router_subscription_factory()
    nokia_router_subscription_factory()
    nokia_router_subscription_factory(status=SubscriptionLifecycle.TERMINATED)
    nokia_router_subscription_factory(status=SubscriptionLifecycle.INITIAL)

-    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT)
+    response = test_client.get(
+        ROUTER_SUBSCRIPTION_ENDPOINT, headers={"Authorization": "Bearer REALY_random_AND_3cure_T0keN"}
+    )

    assert response.status_code == 200
    assert len(response.json()) == 3
+
+
+def test_router_subscriptions_endpoint_with_invalid_api_key(test_client, nokia_router_subscription_factory):
+    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT, headers={"Authorization": "Bearer fake_invalid_api_key"})
+
+    assert response.status_code == 403
+    assert response.json() == {"detail": "Invalid API Key"}
+
+
+def test_router_subscriptions_endpoint_without_api_key(test_client, nokia_router_subscription_factory):
+    response = test_client.get(ROUTER_SUBSCRIPTION_ENDPOINT)
+
+    assert response.status_code == 403
+    assert response.json() == {"detail": "Not authenticated"}
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -204,6 +204,10 @@ def configuration_data() -> dict:
                "result_backend": "rpc://localhost:6379/0",
                "result_expires": 3600,
            },
+            "THIRD_PARTY_API_KEYS": {
+                "AnsibleDynamicInventoryGenerator": "REALY_random_AND_3cure_T0keN",
+                "Application_2": "another_REALY_random_AND_3cure_T0keN",
+            },
        }