import logging
from abc import abstractmethod
from enum import IntEnum
from time import time
from typing import AsyncGenerator, Generator, Optional, Tuple
from anyio import Lock
from httpx import Auth as HttpxAuth
from httpx import Request, Response, codes
from firebolt.utils.cache import (
ConnectionInfo,
SecureCacheKey,
_firebolt_cache,
)
from firebolt.utils.util import Timer, get_internal_error_code
# Module-level logger, named after this module.
logger = logging.getLogger(__name__)
class FireboltAuthVersion(IntEnum):
    """Integer identifiers for the Firebolt authentication versions."""

    # Service Account, Username Password
    V1 = 1
    # Client Credentials
    V2 = 2
    # Firebolt Core
    CORE = 3
class AuthRequest(Request):
    """Request subclass that marks a request as an auth request.

    It adds no behavior of its own; the distinct type only lets callers
    tell auth requests apart from regular ones.
    """
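class Auth(HttpxAuth):
    """Base authentication class for Firebolt database.

    Updates all http requests with bearer token authorization header.
    Concrete subclasses supply the credentials (``principal``, ``secret``)
    and the requests that obtain a new token (``get_new_token_generator``).

    Security notes:
        * The bearer token is written into the ``Authorization`` header of
          every request that passes through this flow, so request headers
          must be treated as secret material (e.g. when logging requests).
        * When ``use_token_cache`` is enabled the token is handed to
          ``_firebolt_cache`` under a ``SecureCacheKey`` built from the
          principal, the secret and the account name. Where and how that
          cache stores the value is not decided in this class.

    Args:
        use_token_cache (bool): True if token should be cached in filesystem;
            False otherwise
    """

    # NOTE(review): `_lock` is assigned in `__init__` but is not listed here.
    # That only works while instances still carry a `__dict__` (i.e. some base
    # class defines no `__slots__`) - confirm this is intended.
    __slots__ = (
        "_token",
        "_account_name",
        "_expires",
        "_use_token_cache",
    )

    requires_response_body = True
    request_class = AuthRequest

    def __init__(self, use_token_cache: bool = True):
        self._use_token_cache = use_token_cache
        self._account_name: Optional[str] = None
        self._token: Optional[str] = None
        self._expires: Optional[int] = None
        # Serializes token refreshes between concurrent async tasks
        # (see ``async_auth_flow``).
        self._lock = Lock()

    @property
    def account(self) -> Optional[str]:
        """Account name used as part of the token cache key.

        Returns:
            Optional[str]: Account name, or None if not set yet
        """
        return self._account_name

    @account.setter
    def account(self, value: Optional[str]) -> None:
        self._account_name = value
        # Now we have all the elements to fetch the cached token
        if not self._token:
            self._token, self._expires = self._get_cached_token()

    def copy(self) -> "Auth":
        """Make another auth object with same credentials.

        This base implementation only carries over ``use_token_cache``; the
        new object starts without a token, expiry or account name.

        Returns:
            Auth: Auth object
        """
        return self.__class__(self._use_token_cache)

    @property
    def token(self) -> Optional[str]:
        """Acquired bearer token.

        Returns:
            Optional[str]: Acquired token
        """
        return self._token

    @property
    @abstractmethod
    def principal(self) -> str:
        """Get the principal (username or id) associated with the token.

        Returns:
            str: Principal string
        """

    @property
    @abstractmethod
    def secret(self) -> str:
        """Get the secret (password or secret key) associated with the token.

        Returns:
            str: Secret string
        """

    @abstractmethod
    def get_firebolt_version(self) -> FireboltAuthVersion:
        """Get Firebolt version from auth.

        Returns:
            FireboltAuthVersion: The authentication version enum
        """

    @property
    def expired(self) -> bool:
        """Check if current token is expired.

        A token with no recorded expiry time is never reported as expired
        here; such a token is only replaced after the server answers with
        an unauthorized status (see ``auth_flow``).

        Returns:
            bool: True if expired, False otherwise
        """
        return self._expires is not None and self._expires <= int(time())

    def _get_cached_token(self) -> Tuple[Optional[str], Optional[int]]:
        """If caching is enabled, get token from cache.

        Returns:
            Tuple[Optional[str], Optional[int]]: Cached token and expiry time,
                or ``(None, None)`` when caching is disabled or the cache
                holds no token for these credentials
        """
        if not self._use_token_cache:
            return (None, None)

        cache_key = SecureCacheKey(
            [self.principal, self.secret, self._account_name], self.secret
        )
        connection_info = _firebolt_cache.get(cache_key)

        if connection_info and connection_info.token:
            return (connection_info.token, connection_info.expiry_time)

        return (None, None)

    def _cache_token(self) -> None:
        """If caching is enabled, cache token.

        NOTE(review): only ``token`` is written onto the cached entry;
        ``self._expires`` is not. The ``expiry_time`` that
        ``_get_cached_token`` reads back must therefore be set elsewhere,
        presumably by the cache itself - confirm.
        """
        if not self._use_token_cache:
            return

        # Only cache if token is retrieved
        if self._token:
            cache_key = SecureCacheKey(
                [self.principal, self.secret, self._account_name], self.secret
            )

            # Get existing connection info or create new one
            connection_info = _firebolt_cache.get(cache_key)
            if connection_info is None:
                connection_info = ConnectionInfo(
                    id="NONE"
                )  # This is triggered first so there will be no id

            # Update token information
            connection_info.token = self._token

            # Cache it
            _firebolt_cache.set(cache_key, connection_info)

    @abstractmethod
    def get_new_token_generator(self) -> Generator[Request, Response, None]:
        """Generate requests needed to create a new token session."""

    def auth_flow(self, request: Request) -> Generator[Request, Response, None]:
        """Add authorization token to request headers.

        Overrides ``httpx.Auth.auth_flow``

        If the server rejects the request as unauthorized, a new token is
        requested once and the request is sent again with it.

        Args:
            request (Request): Request object to update

        Yields:
            Request: Request required for auth flow
        """
        with Timer("[PERFORMANCE] Authentication "):
            if not self.token or self.expired:
                yield from self.get_new_token_generator()
                self._cache_token()
            request.headers["Authorization"] = f"Bearer {self.token}"

        response = yield request

        if (
            response.status_code == codes.UNAUTHORIZED
            or get_internal_error_code(response) == codes.UNAUTHORIZED
        ):
            yield from self.get_new_token_generator()
            # Store the replacement token as well. Otherwise the cache keeps
            # the token the server has just rejected and hands it to the next
            # auth object created with the same credentials.
            self._cache_token()
            request.headers["Authorization"] = f"Bearer {self.token}"
            yield request

    async def async_auth_flow(
        self, request: Request
    ) -> AsyncGenerator[Request, Response]:
        """
        Execute the authentication flow asynchronously.

        Overridden in order to lock and ensure no more than
        one authentication request is sent at a time. This
        avoids excessive load on the auth server.
        It also makes sure to read the response body in case of an error status code

        The lock taken for a token refresh is released after the first
        response has been passed to the flow. If the flow is abandoned
        before that point (an exception, or the generator being closed
        while it waits for the response), the lock is released on the way
        out so other tasks are not left waiting on it.
        """
        if self.requires_request_body:
            await request.aread()

        # True while this task keeps the lock for a pending token refresh
        holds_lock = False
        if not self.token or self.expired:
            await self._lock.acquire()
            # If another task has already updated the token,
            # we don't need to hold the lock
            if self.token and not self.expired:
                self._lock.release()
            else:
                holds_lock = True

        try:
            flow = self.auth_flow(request)
            request = next(flow)

            while True:
                response = yield request
                if self.requires_response_body or codes.is_error(response.status_code):
                    await response.aread()
                try:
                    request = flow.send(response)
                except StopIteration:
                    break
                finally:
                    # token gets updated only after flow.send is called
                    # so unlock only after that
                    self._release_lock()
                    holds_lock = False
        finally:
            # Reached with the lock still held only when no response was ever
            # passed to the flow; without this release the lock would stay
            # taken and every later refresh would block on it.
            if holds_lock:
                self._release_lock()

    def _release_lock(self) -> None:
        """Release the lock if held.

        ``locked()`` is also true when a different task holds the lock, so
        the "not the owner" error from ``release()`` is expected here and is
        only logged. Any other ``RuntimeError`` is re-raised.
        """
        if self._lock.locked():
            try:
                self._lock.release()
            except RuntimeError as e:
                # Check the error string since RuntimeError is very generic
                if "a Lock you don't own" not in str(e):
                    raise
                # This task does not own the lock, can't release.
                # Use the module logger rather than the root logger so the
                # message follows this package's logging configuration.
                logger.warning("Tried to release a lock not owned by the current task")

    def sync_auth_flow(self, request: Request) -> Generator[Request, Response, None]:
        """
        Execute the authentication flow synchronously.

        Overridden in order to ensure reading the response body
        in case of an error status code
        """
        if self.requires_request_body:
            request.read()

        flow = self.auth_flow(request)
        request = next(flow)

        while True:
            response = yield request
            if self.requires_response_body or codes.is_error(response.status_code):
                response.read()
            try:
                request = flow.send(response)
            except StopIteration:
                break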