Validate tiled service account configuration at startup

Author: tpoliaw

helm/blueapi/config_schema.json

@@ -340,8 +340,15 @@
                     "minLength": 1,
                     "title": "Root",
                     "type": "string"
+                },
+                "tiled_service_account_check": {
+                    "title": "Tiled Service Account Check",
+                    "type": "string"
                 }
             },
+            "required": [
+                "tiled_service_account_check"
+            ],
             "title": "OpaConfig",
             "type": "object",
             "$id": "OpaConfig"

helm/blueapi/values.schema.json

@@ -755,6 +755,9 @@
             "$id": "OpaConfig",
             "title": "OpaConfig",
             "type": "object",
+            "required": [
+                "tiled_service_account_check"
+            ],
             "properties": {
                 "root": {
                     "title": "Root",
@@ -763,6 +766,10 @@
                     "format": "uri",
                     "maxLength": 2083,
                     "minLength": 1
+                },
+                "tiled_service_account_check": {
+                    "title": "Tiled Service Account Check",
+                    "type": "string"
                 }
             },
             "additionalProperties": false

src/blueapi/config.py

@@ -299,6 +299,7 @@ class Tag(StrEnum):
 class OpaConfig(BlueapiBaseModel):
     root: HttpUrl = HttpUrl("http://localhost:8181")
     audience: str = "account"
+    tiled_service_account_check: str
 
 
 class ApplicationConfig(BlueapiBaseModel):

src/blueapi/service/authorization.py

@@ -5,7 +5,8 @@
 
 from aiohttp import ClientSession
 
-from blueapi.config import OpaConfig
+from blueapi.config import OIDCConfig, OpaConfig, ServiceAccount
+from blueapi.service.authentication import TiledAuth
 
 LOGGER = logging.getLogger(__name__)
 
@@ -45,3 +46,29 @@ def for_config(
             return aclosing(cls(instrument, config))
         LOGGER.info("No OPA config provided - not creating OpaClient")
         return nullcontext()
+
+    async def require_tiled_service_account(self, token: str):
+        if not await self._call_opa(
+            self._config.tiled_service_account_check,
+            {"token": token, "beamline": self._instrument},
+        ):
+            raise ValueError(
+                f"Tiled service account is not valid for '{self._instrument}'"
+            )
+
+
+async def validate_tiled_config(
+    tiled: ServiceAccount | str | None, oidc: OIDCConfig | None, opa: OpaClient | None
+):
+    if not isinstance(tiled, ServiceAccount):
+        # can't validate an API key
+        return
+
+    if not opa or not oidc:
+        LOGGER.info("Missing OPA or OIDC configuration required to validate tiled auth")
+        return
+
+    LOGGER.info("Validating tiled configuration")
+    tiled.token_url = oidc.token_endpoint
+    auth = TiledAuth(tiled)
+    await opa.require_tiled_service_account(auth.get_access_token())

src/blueapi/service/main.py

@@ -40,7 +40,7 @@
 from blueapi.worker import TrackableTask, WorkerState
 from blueapi.worker.event import TaskStatusEnum
 
-from .authorization import OpaClient
+from .authorization import OpaClient, validate_tiled_config
 from .model import (
     DeviceModel,
     DeviceResponse,
@@ -98,6 +98,7 @@ async def inner(app: FastAPI):
         setup_runner(config)
         async with OpaClient.for_config(meta and meta.instrument, config.opa) as opa:
             app.state.authz = opa
+            await validate_tiled_config(config.tiled.authentication, config.oidc, opa)
             yield
         teardown_runner()
 

tests/unit_tests/test_config.py

@@ -339,6 +339,7 @@ def test_config_yaml_parsed(temp_yaml_config_file):
             },
             "opa": {
                 "root": "http://opa.example.com/",
+                "tiled_service_account_check": "v1/tiled_service_account",
             },
         },
         {