academy.exchange.cloud.authenticate¶

academy/exchange/cloud/authenticate.py

Authenticate users from request headers.

Authenticator ¶

Bases: Protocol

Authenticate users from request headers.

authenticate_user `async` ¶

authenticate_user(headers: Mapping[str, str]) -> ClientInfo

Authenticate user from request headers.

Warning

This method must be thread safe!

Parameters:

headers (Mapping[str, str]) –

Request headers.

Returns:

ClientInfo –

A user id upon authentication success.

Raises:

ForbiddenError –

user is authenticated but is missing permissions or accessing forbidden resources.
UnauthorizedError –

user authentication fails.

Source code in academy/exchange/cloud/authenticate.py

async def authenticate_user(
    self,
    headers: Mapping[str, str],
) -> ClientInfo:
    """Authenticate user from request headers.

    Warning:
        This method must be thread safe!

    Args:
        headers: Request headers.

    Returns:
        A user id upon authentication success.

    Raises:
        ForbiddenError: user is authenticated but is missing permissions
            or accessing forbidden resources.
        UnauthorizedError: user authentication fails.
    """
    ...

NullAuthenticator ¶

Authenticator that implements no authentication.

authenticate_user `async` ¶

authenticate_user(headers: Mapping[str, str]) -> ClientInfo

Authenticate user from request headers.

Parameters:

headers (Mapping[str, str]) –

Request headers.

Returns:

ClientInfo –

Null user regardless of provided headers.

Source code in academy/exchange/cloud/authenticate.py

async def authenticate_user(
    self,
    headers: Mapping[str, str],
) -> ClientInfo:
    """Authenticate user from request headers.

    Args:
        headers: Request headers.

    Returns:
        Null user regardless of provided headers.
    """
    return ClientInfo(client_id='', group_memberships=set())

GlobusAuthenticator ¶

GlobusAuthenticator(
    client_id: str | None = None,
    client_secret: str | None = None,
    *,
    token_cache_limit: int = 1024,
    token_ttl_s: int = 60,
    group_info_cache_ttl_s: int = 60
)

Globus Auth authorizer.

Parameters:

client_id (str | None, default: None ) –

Globus application client ID. If either client_id or client_secret is None, the values will be read from the environment variables as described in get_confidential_app_auth_client. Ignored if auth_client is provided.
client_secret (str | None, default: None ) –

Globus application client secret. See client_id for details. Ignored if auth_client is provided.
token_cache_limit (int, default: 1024 ) –

Maximum number of (token, identity) mappings to store in memory.
token_ttl_s (int, default: 60 ) –

Time in seconds before invalidating cached tokens.

Source code in academy/exchange/cloud/authenticate.py

def __init__(
    self,
    client_id: str | None = None,
    client_secret: str | None = None,
    *,
    token_cache_limit: int = 1024,
    token_ttl_s: int = 60,
    group_info_cache_ttl_s: int = 60,
) -> None:
    self._local_data = threading.local()
    self.executor = ThreadPoolExecutor(
        thread_name_prefix='exchange-auth-thread',
    )
    self.client_id = client_id or get_academy_exchange_client_id()
    self.client_secret = client_secret or get_academy_exchange_secret()
    self.audience = AcademyExchangeScopes.resource_server

    self.token_cache = TTLCache(
        maxsize=token_cache_limit,
        ttl=token_ttl_s,
    )
    self.dependent_token_cache = TTLCache(
        maxsize=token_cache_limit,
        ttl=group_info_cache_ttl_s,
    )
    self.groups_info_cache = TTLCache(
        maxsize=token_cache_limit,
        ttl=group_info_cache_ttl_s,
    )

auth_client `property` ¶

auth_client: ConfidentialAppAuthClient

A thread local copy of the Globus AuthClient.

authenticate_user `async` ¶

authenticate_user(headers: Mapping[str, str]) -> ClientInfo

Authenticate a Globus Auth user from request header.

This follows from the Globus Sample Data Portal example.

The underlying auth client is not thread safe, but this method is made thread safe using a lock.

Parameters:

headers (Mapping[str, str]) –

Request headers to extract tokens from.

Returns:

ClientInfo –

Globus Auth identity returned via token introspection.

Raises:

UnauthorizedError –

if the authorization header is missing or the header is malformed.
ForbiddenError –

if the tokens have expired or been revoked.
ForbiddenError –

if audience is not included in the token's audience.

Source code in academy/exchange/cloud/authenticate.py

async def authenticate_user(
    self,
    headers: Mapping[str, str],
) -> ClientInfo:
    """Authenticate a Globus Auth user from request header.

    This follows from the [Globus Sample Data Portal](https://github.com/globus/globus-sample-data-portal/blob/30e30cd418ee9b103e04916e19deb9902d3aafd8/service/decorators.py)
    example.

    The underlying auth client is not thread safe, but this method is made
    thread safe using a lock.

    Args:
        headers: Request headers to extract tokens from.

    Returns:
        Globus Auth identity returned via \
        [token introspection](https://docs.globus.org/api/auth/reference/#token-introspect).

    Raises:
        UnauthorizedError: if the authorization header is missing or
            the header is malformed.
        ForbiddenError: if the tokens have expired or been revoked.
        ForbiddenError: if `audience` is not included in the token's
            audience.
    """
    token = get_token_from_headers(headers)
    loop = asyncio.get_running_loop()
    token_meta = await loop.run_in_executor(
        self.executor,
        self._token_introspect,
        token,
    )

    if not token_meta.get('active'):
        raise ForbiddenError('Token is expired or has been revoked.')

    if self.audience is not None and self.audience not in token_meta.get(
        'aud',
        [],
    ):
        raise ForbiddenError(
            f'Token audience does not include "{self.audience}". This '
            'could result in a confused deputy attack. Ensure the correct '
            'scopes are requested when the token is created.',
        )

    dependent_tokens = await loop.run_in_executor(
        self.executor,
        self._get_dependent_tokens,
        token,
    )

    groups_info = await loop.run_in_executor(
        self.executor,
        self._get_groups_and_memberships,
        dependent_tokens,
    )

    client_info = ClientInfo(
        client_id=token_meta.get('username'),
        group_memberships=groups_info,
    )
    return client_info

get_authenticator ¶

get_authenticator(
    config: ExchangeAuthConfig,
) -> Authenticator

Create an authenticator from a configuration.

Parameters:

config (ExchangeAuthConfig) –

Configuration.

Returns:

Authenticator –

Authenticator.

Raises:

ValueError –

if the authentication method in the config is unknown.

Source code in academy/exchange/cloud/authenticate.py

def get_authenticator(config: ExchangeAuthConfig) -> Authenticator:
    """Create an authenticator from a configuration.

    Args:
        config: Configuration.

    Returns:
        Authenticator.

    Raises:
        ValueError: if the authentication method in the config is unknown.
    """
    if config.method is None:
        return NullAuthenticator()
    elif config.method == 'globus':
        return GlobusAuthenticator(**config.kwargs)
    else:
        raise ValueError(f'Unknown authentication method "{config.method}."')

get_token_from_headers ¶

get_token_from_headers(headers: Mapping[str, str]) -> str

Extract token from websockets headers.

The header is expected to have the format Authorization: Bearer <TOKEN>.

Parameters:

headers (Mapping[str, str]) –

Request headers to extract tokens from.

Returns:

str –

String token.

Raises:

UnauthorizedError –

if the authorization header is missing.
UnauthorizedError –

if the authorization header is malformed.

Source code in academy/exchange/cloud/authenticate.py

def get_token_from_headers(headers: Mapping[str, str]) -> str:
    """Extract token from websockets headers.

    The header is expected to have the format `Authorization: Bearer <TOKEN>`.

    Args:
         headers: Request headers to extract tokens from.

    Returns:
        String token.

    Raises:
        UnauthorizedError: if the authorization header is missing.
        UnauthorizedError: if the authorization header is malformed.
    """
    if 'Authorization' not in headers:
        raise UnauthorizedError(
            'Request headers are missing authorization header.',
        )

    auth_header_parts = headers['Authorization'].split(' ')

    if len(auth_header_parts) != 2 or auth_header_parts[0] != 'Bearer':  # noqa: PLR2004
        raise UnauthorizedError(
            'Bearer token in authorization header is malformed.',
        )

    return auth_header_parts[1]

academy.exchange.cloud.authenticate¶

Authenticator ¶

authenticate_user async ¶

NullAuthenticator ¶

authenticate_user async ¶

GlobusAuthenticator ¶

auth_client property ¶

authenticate_user async ¶

get_authenticator ¶

get_token_from_headers ¶

authenticate_user `async` ¶

authenticate_user `async` ¶

auth_client `property` ¶

authenticate_user `async` ¶