66import aiohttp
77from aiohttp import ClientSession
88
9- from blueapi .config import OpaConfig
9+ from blueapi .config import OIDCConfig , OpaConfig , ServiceAccount
10+ from blueapi .service .authentication import TiledAuth
1011
1112LOGGER = logging .getLogger (__name__ )
1213
@@ -52,6 +53,14 @@ def for_config(
5253 LOGGER .info ("No OPA config provided - not creating OpaClient" )
5354 return nullcontext ()
5455
56+ async def require_tiled_service_account (self , token : str ):
57+ if not await self ._call_opa (
58+ self ._conf .tiled_service_account_check ,
59+ {"token" : token , "beamline" : self ._instrument },
60+ ):
61+ raise ValueError (
62+ f"Tiled service account is not valid for '{ self ._instrument } '"
63+ )
5564
5665class OpaUserClient :
5766 client : OpaClient
@@ -60,3 +69,20 @@ class OpaUserClient:
6069 def __init__ (self , client : OpaClient , token : str ):
6170 self .client = client
6271 self .token = token
72+
73+
74+ async def validate_tiled_config (
75+ tiled : ServiceAccount | str | None , oidc : OIDCConfig | None , opa : OpaClient | None
76+ ):
77+ if not isinstance (tiled , ServiceAccount ):
78+ # can't validate an API key
79+ return
80+
81+ if not opa or not oidc :
82+ LOGGER .info ("Missing OPA or OIDC configuration required to validate tiled auth" )
83+ return
84+
85+ LOGGER .info ("Validating tiled configuration" )
86+ tiled .token_url = oidc .token_endpoint
87+ auth = TiledAuth (tiled )
88+ await opa .require_tiled_service_account (auth .get_access_token ())
0 commit comments