
Commit a3a1f15

committed
Validate tiled service account configuration at startup
1 parent 5c3dba8 commit a3a1f15

6 files changed

Lines changed: 45 additions & 2 deletions


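--- a/helm/blueapi/config_schema.json
+++ b/helm/blueapi/config_schema.json
@@ -340,8 +340,15 @@
 "minLength": 1,
 "title": "Root",
 "type": "string"
+},
+"tiled_service_account_check": {
+"title": "Tiled Service Account Check",
+"type": "string"
 }
 },
+"required": [
+"tiled_service_account_check"
+],
 "title": "OpaConfig",
 "type": "object",
 "$id": "OpaConfig"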

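--- a/helm/blueapi/values.schema.json
+++ b/helm/blueapi/values.schema.json
@@ -755,6 +755,9 @@
 "$id": "OpaConfig",
 "title": "OpaConfig",
 "type": "object",
+"required": [
+"tiled_service_account_check"
+],
 "properties": {
 "root": {
 "title": "Root",
@@ -763,6 +766,10 @@
 "format": "uri",
 "maxLength": 2083,
 "minLength": 1
+},
+"tiled_service_account_check": {
+"title": "Tiled Service Account Check",
+"type": "string"
 }
 },
 "additionalProperties": false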

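--- a/src/blueapi/config.py
+++ b/src/blueapi/config.py
@@ -298,6 +298,7 @@ class Tag(StrEnum):
 
 class OpaConfig(BlueapiBaseModel):
 root: HttpUrl = HttpUrl("http://localhost:8181")
+tiled_service_account_check: str
 
 
 class ApplicationConfig(BlueapiBaseModel):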
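Review bot: `tiled_service_account_check: str` has no default, so every existing config whose `opa:` block only sets `root` stops loading after this change, and an empty string still validates. If that is intended, a comment above the field describing what it holds would help the next reader — the fixture value `v1/tiled_service_account` in the tests suggests an OPA policy path resolved against `root`, so something like `# OPA policy path (relative to root) that decides whether the configured tiled service account may act for this beamline` (adjust if the semantics differ). A `min_length=1` constraint on the field would reject a blank value at config load instead of at the first OPA call.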

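--- a/src/blueapi/service/authorization.py
+++ b/src/blueapi/service/authorization.py
@@ -6,7 +6,8 @@
 import aiohttp
 from aiohttp import ClientSession
 
-from blueapi.config import OpaConfig
+from blueapi.config import OIDCConfig, OpaConfig, ServiceAccount
+from blueapi.service.authentication import TiledAuth
 
 LOGGER = logging.getLogger(__name__)
 
@@ -52,6 +53,14 @@ def for_config(
 LOGGER.info("No OPA config provided - not creating OpaClient")
 return nullcontext()
 
+async def require_tiled_service_account(self, token: str):
+if not await self._call_opa(
+self._conf.tiled_service_account_check,
+{"token": token, "beamline": self._instrument},
+):
+raise ValueError(
+f"Tiled service account is not valid for '{self._instrument}'"
+)
 
 
 class OpaUserClient:
@@ -61,3 +70,20 @@ class OpaUserClient:
 def __init__(self, client: OpaClient, token: str):
 self.client = client
 self.token = token
+
+
+async def validate_tiled_config(
+tiled: ServiceAccount | str | None, oidc: OIDCConfig | None, opa: OpaClient | None
+):
+if not isinstance(tiled, ServiceAccount):
+# can't validate an API key
+return
+
+if not opa or not oidc:
+LOGGER.info("Missing OPA or OIDC configuration required to validate tiled auth")
+return
+
+LOGGER.info("Validating tiled configuration")
+tiled.token_url = oidc.token_endpoint
+auth = TiledAuth(tiled)
+await opa.require_tiled_service_account(auth.get_access_token())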
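Review bot: `validate_tiled_config` fails open: when `opa` or `oidc` is `None` it logs at INFO and returns, so a deployment that loses its OIDC block keeps starting with the service account unchecked and nothing louder than an info line to show for it. Log that skip at WARNING naming the missing piece, e.g. `LOGGER.warning("Skipping tiled service account check: OPA and OIDC config both required")`, or raise if the check is meant to be mandatory whenever a `ServiceAccount` is configured. The raw access token is also sent to OPA as `input.token` from `require_tiled_service_account`, so if OPA decision logging is enabled it will be recorded unless the policy masks that field; a comment saying so beside the `_call_opa` call would spare the next reader the surprise. `tiled.token_url = oidc.token_endpoint` mutates the caller's config object in place, which the signature does not advertise.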

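--- a/src/blueapi/service/main.py
+++ b/src/blueapi/service/main.py
@@ -40,7 +40,7 @@
 from blueapi.worker import TrackableTask, WorkerState
 from blueapi.worker.event import TaskStatusEnum
 
-from .authorization import OpaClient
+from .authorization import OpaClient, validate_tiled_config
 from .model import (
 DeviceModel,
 DeviceResponse,
@@ -98,6 +98,7 @@ async def inner(app: FastAPI):
 setup_runner(config)
 async with OpaClient.for_config(meta and meta.instrument, config.opa) as opa:
 app.state.authz = opa
+await validate_tiled_config(config.tiled.authentication, config.oidc, opa)
 yield
 teardown_runner()
 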
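Review bot: A failed `validate_tiled_config` raises before `yield`, so `teardown_runner()` on the line after it never runs even though `setup_runner(config)` three lines up has already started the runner; this new call is the first step in the lifespan intended to abort startup, so the cleanup gap it opens is worth closing. Wrapping the `async with` in `try`/`finally` keeps the runner teardown on both the normal and the abort path; the same gap already existed for a failing `OpaClient.for_config`, but the validation makes it a routine outcome. `inner` starts outside the hunk, so check whether anything between its header and `setup_runner` also needs unwinding.
```python
    setup_runner(config)
    try:
        async with OpaClient.for_config(meta and meta.instrument, config.opa) as opa:
            app.state.authz = opa
            await validate_tiled_config(config.tiled.authentication, config.oidc, opa)
            yield
    finally:
        teardown_runner()
```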

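--- a/tests/unit_tests/test_config.py
+++ b/tests/unit_tests/test_config.py
@@ -339,6 +339,7 @@ def test_config_yaml_parsed(temp_yaml_config_file):
 },
 "opa": {
 "root": "http://opa.example.com/",
+"tiled_service_account_check": "v1/tiled_service_account",
 },
 },
 {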
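Review bot: The only test change is the new fixture key, so neither `require_tiled_service_account` nor `validate_tiled_config` is exercised: the deny path (`_call_opa` returning false must raise `ValueError`) and the skip path (no OPA or OIDC must return without calling OPA) are both unverified. A unit test that stubs `_call_opa` to return `False` and asserts the `ValueError`, plus one that passes `opa=None` and asserts OPA is never called, would pin both. `test_config_yaml_parsed` starts before the hunk.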
