Add support for secret key (#405)

Secret keys are JWTs prefixed with nbwt_ or edbt_ for authentication, default to secret_key in $config_dir/$cloud_profile.json for cloud instances.
edgedb · Feb 9, 2023 · df1f6fb · df1f6fb
1 parent 33a2f6a
commit df1f6fb
Show file tree

Hide file tree

Showing 10 changed files with 183 additions and 24 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -26,12 +26,23 @@ jobs:
       matrix:
         python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
         edgedb-version: [stable , nightly]
-        os: [ubuntu-latest, macos-latest, windows-2019]
+        os: [ubuntu-20.04, ubuntu-latest, macos-latest, windows-2019]
         loop: [asyncio, uvloop]
         exclude:
           # uvloop does not support windows
           - loop: uvloop
             os: windows-2019
+          # Python 3.7 on ubuntu-22.04 has a broken OpenSSL 3.0
+          - python-version: 3.7
+            os: ubuntu-latest
+          - python-version: 3.8
+            os: ubuntu-20.04
+          - python-version: 3.9
+            os: ubuntu-20.04
+          - python-version: 3.10
+            os: ubuntu-20.04
+          - python-version: 3.11
+            os: ubuntu-20.04
 
     steps:
     - uses: actions/checkout@v2
@@ -70,7 +81,7 @@ jobs:
         server-version: ${{ matrix.edgedb-version }}
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       if: steps.release.outputs.version == 0
       with:
         python-version: ${{ matrix.python-version }}

diff --git a/docs/api/asyncio_client.rst b/docs/api/asyncio_client.rst
@@ -15,6 +15,7 @@ Client
 .. py:function:: create_async_client(dsn=None, *, \
             host=None, port=None, \
             user=None, password=None, \
+            secret_key=None, \
             database=None, \
             timeout=60, \
             concurrency=None)
@@ -85,6 +86,14 @@ Client
         other users and applications may be able to read it without needing
         specific privileges.
 
+    :param secret_key:
+        Secret key to be used for authentication, if the server requires one.
+        If not specified, the value parsed from the *dsn* argument is used,
+        or the value of the ``EDGEDB_SECRET_KEY`` environment variable.
+        Note that the use of the environment variable is discouraged as
+        other users and applications may be able to read it without needing
+        specific privileges.
+
     :param float timeout:
         Connection timeout in seconds.
 

diff --git a/docs/api/blocking_client.rst b/docs/api/blocking_client.rst
@@ -15,6 +15,7 @@ Client
 .. py:function:: create_client(dsn=None, *, \
             host=None, port=None, \
             user=None, password=None, \
+            secret_key=None, \
             database=None, \
             timeout=60, \
             concurrency=None)
@@ -85,6 +86,14 @@ Client
         other users and applications may be able to read it without needing
         specific privileges.
 
+    :param secret_key:
+        Secret key to be used for authentication, if the server requires one.
+        If not specified, the value parsed from the *dsn* argument is used,
+        or the value of the ``EDGEDB_SECRET_KEY`` environment variable.
+        Note that the use of the environment variable is discouraged as
+        other users and applications may be able to read it without needing
+        specific privileges.
+
     :param float timeout:
         Connection timeout in seconds.
 

diff --git a/edgedb/asyncio_client.py b/edgedb/asyncio_client.py
@@ -378,6 +378,7 @@ def create_async_client(
     credentials_file: str = None,
     user: str = None,
     password: str = None,
+    secret_key: str = None,
     database: str = None,
     tls_ca: str = None,
     tls_ca_file: str = None,
@@ -397,6 +398,7 @@ def create_async_client(
         credentials_file=credentials_file,
         user=user,
         password=password,
+        secret_key=secret_key,
         database=database,
         tls_ca=tls_ca,
         tls_ca_file=tls_ca_file,

diff --git a/edgedb/base_client.py b/edgedb/base_client.py
@@ -670,6 +670,7 @@ def __init__(
         credentials_file: str = None,
         user: str = None,
         password: str = None,
+        secret_key: str = None,
         database: str = None,
         tls_ca: str = None,
         tls_ca_file: str = None,
@@ -687,6 +688,7 @@ def __init__(
             "credentials_file": credentials_file,
             "user": user,
             "password": password,
+            "secret_key": secret_key,
             "database": database,
             "timeout": timeout,
             "tls_ca": tls_ca,

diff --git a/edgedb/blocking_client.py b/edgedb/blocking_client.py
@@ -401,6 +401,7 @@ def create_client(
     credentials_file: str = None,
     user: str = None,
     password: str = None,
+    secret_key: str = None,
     database: str = None,
     tls_ca: str = None,
     tls_ca_file: str = None,
@@ -420,6 +421,7 @@ def create_client(
         credentials_file=credentials_file,
         user=user,
         password=password,
+        secret_key=secret_key,
         database=database,
         tls_ca=tls_ca,
         tls_ca_file=tls_ca_file,