squashme: minor fixes

Author: olevski

components/renku_data_services/authn/dummy.py

@@ -64,4 +64,5 @@ async def authenticate(access_token: str, request: Request) -> base_models.APIUs
             last_name=user_props.get("last_name", "Doe") if is_set else None,
             email=user_props.get("email", "john.doe@gmail.com") if is_set else None,
             full_name=user_props.get("full_name", "John Doe") if is_set else None,
+            refresh_token=request.headers.get("Renku-Auth-Refresh-Token"),
         )

components/renku_data_services/authn/gitlab.py

@@ -1,11 +1,18 @@
 """Gitlab authenticator."""
 
+import base64
 import contextlib
+import json
+import re
 import urllib.parse as parse
+from contextlib import suppress
 from dataclasses import dataclass
+from datetime import datetime
+from typing import Any
 
 import gitlab
 from sanic import Request
+from sanic.compat import Header
 
 import renku_data_services.base_models as base_models
 from renku_data_services import errors
@@ -36,10 +43,10 @@ async def authenticate(self, access_token: str, request: Request) -> base_models
         if self.token_field != "Authorization":  # nosec: B105
             access_token = str(request.headers.get(self.token_field))
 
-        result = await self._get_gitlab_api_user(access_token)
+        result = await self._get_gitlab_api_user(access_token, request.headers)
         return result
 
-    async def _get_gitlab_api_user(self, access_token: str) -> base_models.APIUser:
+    async def _get_gitlab_api_user(self, access_token: str, headers: Header) -> base_models.APIUser:
         """Get and validate a Gitlab API User."""
         client = gitlab.Gitlab(self.gitlab_url, oauth_token=access_token)
         try:
@@ -69,11 +76,35 @@ async def _get_gitlab_api_user(self, access_token: str) -> base_models.APIUser:
             if len(name_parts) >= 1:
                 last_name = " ".join(name_parts)
 
+        _, _, _, expires_at = self.git_creds_from_headers(headers)
         return base_models.APIUser(
             id=str(user_id),
             access_token=access_token,
             first_name=first_name,
             last_name=last_name,
             email=email,
             full_name=full_name,
+            access_token_expires_at=expires_at,
+        )
+
+    @staticmethod
+    def git_creds_from_headers(headers: Header) -> tuple[Any, Any, Any, datetime | None]:
+        """Extract git credentials from the encoded header sent by the gateway."""
+        parsed_dict = json.loads(base64.decodebytes(headers["Renku-Auth-Git-Credentials"].encode()))
+        git_url, git_credentials = next(iter(parsed_dict.items()))
+        token_match = re.match(r"^[^\s]+\ ([^\s]+)$", git_credentials["AuthorizationHeader"])
+        git_token = token_match.group(1) if token_match is not None else None
+        git_token_expires_at_raw = git_credentials["AccessTokenExpiresAt"]
+        git_token_expires_at_num: float | None = None
+        with suppress(ValueError, TypeError):
+            git_token_expires_at_num = float(git_token_expires_at_raw)
+        git_token_expires_at: datetime | None = None
+        if git_token_expires_at_num is not None and git_token_expires_at_num > 0:
+            with suppress(ValueError):
+                git_token_expires_at = datetime.fromtimestamp(git_token_expires_at_num)
+        return (
+            git_url,
+            git_credentials["AuthorizationHeader"],
+            git_token,
+            git_token_expires_at,
         )

components/renku_data_services/authn/keycloak.py

@@ -1,6 +1,7 @@
 """Keycloak user store."""
 
 from dataclasses import dataclass
+from datetime import datetime
 from typing import Any, Optional, cast
 
 import httpx
@@ -42,6 +43,7 @@ class KeycloakAuthenticator(Authenticator):
     algorithms: list[str]
     admin_role: str = "renku-admin"
     token_field: str = "Authorization"
+    refresh_token_header: str = "Renku-Auth-Refresh-Token"
 
     def __post_init__(self) -> None:
         if len(self.algorithms) == 0:
@@ -76,6 +78,7 @@ async def authenticate(self, access_token: str, request: Request) -> base_models
 
         parsed = self._validate(access_token)
         is_admin = self.admin_role in parsed.get("realm_access", {}).get("roles", [])
+        exp = parsed.get("exp")
         return base_models.APIUser(
             is_admin_init=is_admin,
             id=parsed.get("sub"),
@@ -84,4 +87,6 @@ async def authenticate(self, access_token: str, request: Request) -> base_models
             first_name=parsed.get("given_name"),
             last_name=parsed.get("family_name"),
             email=parsed.get("email"),
+            refresh_token=request.headers.get(self.refresh_token_header),
+            access_token_expires_at=datetime.fromtimestamp(exp) if exp is not None else None,
         )

components/renku_data_services/base_api/auth.py

@@ -52,7 +52,7 @@ async def _authenticate(authenticator: Authenticator, request: Request) -> Authe
 
     token = token.removeprefix("Bearer ").removeprefix("bearer ")
     user = await authenticator.authenticate(token, request)
-    if not user.is_authenticated or user.id is None or user.access_token is None:
+    if not user.is_authenticated or user.id is None or user.access_token is None or user.refresh_token is None:
         raise errors.UnauthorizedError(message="You have to log in to access this endpoint.", quiet=True)
     if not user.email:
         raise errors.ProgrammingError(
@@ -67,6 +67,7 @@ async def _authenticate(authenticator: Authenticator, request: Request) -> Authe
         last_name=user.last_name,
         email=user.email,
         is_admin_init=user.is_admin,
+        refresh_token=user.refresh_token,
     )
 
 

components/renku_data_services/base_models/core.py

@@ -3,6 +3,7 @@
 import re
 import unicodedata
 from dataclasses import InitVar, dataclass, field
+from datetime import datetime
 from enum import Enum, StrEnum
 from typing import ClassVar, Optional, Protocol
 
@@ -27,10 +28,12 @@ class APIUser:
 
     id: Optional[str] = None  # the sub claim in the access token - i.e. the Keycloak user ID
     access_token: Optional[str] = field(repr=False, default=None)
+    refresh_token: Optional[str] = field(repr=False, default=None)
     full_name: Optional[str] = None
     first_name: Optional[str] = None
     last_name: Optional[str] = None
     email: Optional[str] = None
+    access_token_expires_at: datetime | None = None
     is_admin_init: InitVar[bool] = False
     __is_admin: bool = field(init=False, repr=False)
 
@@ -55,6 +58,7 @@ class AuthenticatedAPIUser(APIUser):
     id: str
     email: str
     access_token: str = field(repr=False)
+    refresh_token: str = field(repr=False)
     full_name: str | None = None
     first_name: str | None = None
     last_name: str | None = None
@@ -70,6 +74,7 @@ class AnonymousAPIUser(APIUser):
     first_name = None
     last_name = None
     email = None
+    refresh_token = None
 
     @property
     def is_authenticated(self) -> bool:

components/renku_data_services/notebooks/api/amalthea_patches/cloudstorage.py

@@ -8,19 +8,20 @@
     from renku_data_services.notebooks.api.classes.server import UserServer
 
 
-def main(server: "UserServer") -> list[dict[str, Any]]:
+async def main(server: "UserServer") -> list[dict[str, Any]]:
     """Cloud storage patches."""
     cloud_storage_patches: list[dict[str, Any]] = []
     cloud_storage_request: ICloudStorageRequest
     if not server.cloudstorage:
         return []
+    repositories = await server.repositories()
     for i, cloud_storage_request in enumerate(server.cloudstorage):
         cloud_storage_patches.extend(
             cloud_storage_request.get_manifest_patch(
                 f"{server.server_name}-ds-{i}", server.k8s_client.preferred_namespace
             )
         )
-        if server.repositories:
+        if repositories:
             cloud_storage_patches.append(
                 {
                     "type": "application/json-patch+json",

components/renku_data_services/notebooks/api/amalthea_patches/git_proxy.py

@@ -13,9 +13,10 @@
     from renku_data_services.notebooks.api.classes.server import UserServer
 
 
-def main_container(server: "UserServer") -> client.V1Container | None:
+async def main_container(server: "UserServer") -> client.V1Container | None:
     """The patch that adds the git proxy container to a session statefulset."""
-    if not server.user.is_authenticated or not server.repositories:
+    repositories = await server.repositories()
+    if not server.user.is_authenticated or not repositories:
         return None
 
     etc_cert_volume_mount = get_certificates_volume_mounts(
@@ -26,6 +27,8 @@ def main_container(server: "UserServer") -> client.V1Container | None:
     )
 
     prefix = "GIT_PROXY_"
+    git_providers = await server.git_providers()
+    repositories = await server.repositories()
     env = [
         client.V1EnvVar(name=f"{prefix}PORT", value=str(server.config.sessions.git_proxy.port)),
         client.V1EnvVar(name=f"{prefix}HEALTH_PORT", value=str(server.config.sessions.git_proxy.health_port)),
@@ -47,18 +50,18 @@ def main_container(server: "UserServer") -> client.V1Container | None:
         client.V1EnvVar(name=f"{prefix}RENKU_URL", value="https://" + server.config.sessions.ingress.host),
         client.V1EnvVar(
             name=f"{prefix}REPOSITORIES",
-            value=json.dumps([asdict(repo) for repo in server.repositories]),
+            value=json.dumps([asdict(repo) for repo in repositories]),
         ),
         client.V1EnvVar(
             name=f"{prefix}PROVIDERS",
             value=json.dumps(
-                [dict(id=provider.id, access_token_url=provider.access_token_url) for provider in server.git_providers]
+                [dict(id=provider.id, access_token_url=provider.access_token_url) for provider in git_providers]
             ),
         ),
     ]
     container = client.V1Container(
         image=server.config.sessions.git_proxy.image,
-        securityContext={
+        security_context={
             "fsGroup": 100,
             "runAsGroup": 1000,
             "runAsUser": 1000,
@@ -67,34 +70,35 @@ def main_container(server: "UserServer") -> client.V1Container | None:
         },
         name="git-proxy",
         env=env,
-        livenessProbe={
+        liveness_probe={
             "httpGet": {
                 "path": "/health",
                 "port": server.config.sessions.git_proxy.health_port,
             },
             "initialDelaySeconds": 3,
         },
-        readinessProbe={
+        readiness_probe={
             "httpGet": {
                 "path": "/health",
                 "port": server.config.sessions.git_proxy.health_port,
             },
             "initialDelaySeconds": 3,
         },
-        volumeMounts=etc_cert_volume_mount,
+        volume_mounts=etc_cert_volume_mount,
         resources={
             "requests": {"memory": "16Mi", "cpu": "50m"},
         },
     )
     return container
 
 
-def main(server: "UserServer") -> list[dict[str, Any]]:
+async def main(server: "UserServer") -> list[dict[str, Any]]:
     """The patch that adds the git proxy container to a session statefulset."""
-    if not server.user.is_authenticated or not server.repositories:
+    repositories = await server.repositories()
+    if not server.user.is_authenticated or not repositories:
         return []
 
-    container = main_container(server)
+    container = await main_container(server)
     if not container:
         return []
 

components/renku_data_services/notebooks/api/amalthea_patches/git_sidecar.py

@@ -8,12 +8,13 @@
     from renku_data_services.notebooks.api.classes.server import UserServer
 
 
-def main(server: "UserServer") -> list[dict[str, Any]]:
+async def main(server: "UserServer") -> list[dict[str, Any]]:
     """Adds the git sidecar container to the session statefulset."""
     # NOTE: Sessions can be persisted only for registered users
     if not server.user.is_authenticated:
         return []
-    if not server.repositories:
+    repositories = await server.repositories()
+    if not repositories:
         return []
 
     gitlab_project = getattr(server, "gitlab_project", None)

components/renku_data_services/notebooks/api/amalthea_patches/init_containers.py

@@ -15,10 +15,11 @@
     # NOTE: If these are directly imported then you get circular imports.
     from renku_data_services.notebooks.api.classes.server import UserServer
 
-def git_clone_container_v2(server: "UserServer") -> dict[str, Any] | None:
+async def git_clone_container_v2(server: "UserServer") -> dict[str, Any] | None:
     """Returns the specification for the container that clones the user's repositories for new operator."""
     amalthea_session_work_volume: str = "amalthea-volume"
-    if not server.repositories:
+    repositories = await server.repositories()
+    if not repositories:
         return None
 
     etc_cert_volume_mount = get_certificates_volume_mounts(
@@ -105,7 +106,7 @@ def git_clone_container_v2(server: "UserServer") -> dict[str, Any] | None:
 
 
     # Set up git repositories
-    for idx, repo in enumerate(server.repositories):
+    for idx, repo in enumerate(repositories):
         obj_env = f"{prefix}REPOSITORIES_{idx}_"
         env.append(
             {
@@ -115,7 +116,8 @@ def git_clone_container_v2(server: "UserServer") -> dict[str, Any] | None:
         )
 
     # Set up git providers
-    for idx, provider in enumerate(server.required_git_providers):
+    required_git_providers = await server.required_git_providers()
+    for idx, provider in enumerate(required_git_providers):
         obj_env = f"{prefix}GIT_PROVIDERS_{idx}_"
         data = dict(id=provider.id, access_token_url=provider.access_token_url)
         env.append(
@@ -151,9 +153,10 @@ def git_clone_container_v2(server: "UserServer") -> dict[str, Any] | None:
         "env": env,
     }
 
-def git_clone_container(server: "UserServer") -> dict[str, Any] | None:
+async def git_clone_container(server: "UserServer") -> dict[str, Any] | None:
     """Returns the specification for the container that clones the user's repositories."""
-    if not server.repositories:
+    repositories = await server.repositories()
+    if not repositories:
         return None
 
     etc_cert_volume_mount = get_certificates_volume_mounts(
@@ -240,7 +243,7 @@ def git_clone_container(server: "UserServer") -> dict[str, Any] | None:
 
 
     # Set up git repositories
-    for idx, repo in enumerate(server.repositories):
+    for idx, repo in enumerate(repositories):
         obj_env = f"{prefix}REPOSITORIES_{idx}_"
         env.append(
             {
@@ -250,7 +253,8 @@ def git_clone_container(server: "UserServer") -> dict[str, Any] | None:
         )
 
     # Set up git providers
-    for idx, provider in enumerate(server.required_git_providers):
+    required_git_providers = await server.required_git_providers()
+    for idx, provider in enumerate(required_git_providers):
         obj_env = f"{prefix}GIT_PROVIDERS_{idx}_"
         data = dict(id=provider.id, access_token_url=provider.access_token_url)
         env.append(
@@ -287,9 +291,9 @@ def git_clone_container(server: "UserServer") -> dict[str, Any] | None:
     }
 
 
-def git_clone(server: "UserServer") -> list[dict[str, Any]]:
+async def git_clone(server: "UserServer") -> list[dict[str, Any]]:
     """The patch for the init container that clones the git repository."""
-    container = git_clone_container(server)
+    container = await git_clone_container(server)
     if not container:
         return []
     return [