[API] Restructure auth code (#1361)

mlrun/api/api/api.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends
 
-from mlrun.api.api import deps
+import mlrun.api.api.deps
 from mlrun.api.api.endpoints import (
     artifacts,
     auth,
@@ -26,64 +26,86 @@
 
 api_router = APIRouter()
 api_router.include_router(
-    artifacts.router, tags=["artifacts"], dependencies=[Depends(deps.AuthVerifierDep)]
+    artifacts.router,
+    tags=["artifacts"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    auth.router, tags=["auth"], dependencies=[Depends(deps.AuthVerifierDep)]
+    auth.router,
+    tags=["auth"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
     background_tasks.router,
     tags=["background-tasks"],
-    dependencies=[Depends(deps.AuthVerifierDep)],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    files.router, tags=["files"], dependencies=[Depends(deps.AuthVerifierDep)]
+    files.router,
+    tags=["files"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    functions.router, tags=["functions"], dependencies=[Depends(deps.AuthVerifierDep)]
+    functions.router,
+    tags=["functions"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(healthz.router, tags=["healthz"])
 api_router.include_router(client_spec.router, tags=["client-spec"])
 api_router.include_router(
-    logs.router, tags=["logs"], dependencies=[Depends(deps.AuthVerifierDep)]
+    logs.router,
+    tags=["logs"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    pipelines.router, tags=["pipelines"], dependencies=[Depends(deps.AuthVerifierDep)]
+    pipelines.router,
+    tags=["pipelines"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    projects.router, tags=["projects"], dependencies=[Depends(deps.AuthVerifierDep)]
+    projects.router,
+    tags=["projects"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    runs.router, tags=["runs"], dependencies=[Depends(deps.AuthVerifierDep)]
+    runs.router,
+    tags=["runs"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
     runtime_resources.router,
     tags=["runtime-resources"],
-    dependencies=[Depends(deps.AuthVerifierDep)],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    schedules.router, tags=["schedules"], dependencies=[Depends(deps.AuthVerifierDep)]
+    schedules.router,
+    tags=["schedules"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    submit.router, tags=["submit"], dependencies=[Depends(deps.AuthVerifierDep)]
+    submit.router,
+    tags=["submit"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
     feature_store.router,
     tags=["feature-store"],
-    dependencies=[Depends(deps.AuthVerifierDep)],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
     frontend_spec.router,
     tags=["frontend-specs"],
-    dependencies=[Depends(deps.AuthVerifierDep)],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(
-    secrets.router, tags=["secrets"], dependencies=[Depends(deps.AuthVerifierDep)]
+    secrets.router,
+    tags=["secrets"],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )
 api_router.include_router(grafana_proxy.router, tags=["grafana", "model-endpoints"])
 api_router.include_router(model_endpoints.router, tags=["model-endpoints"])
 api_router.include_router(
     marketplace.router,
     tags=["marketplace"],
-    dependencies=[Depends(deps.AuthVerifierDep)],
+    dependencies=[Depends(mlrun.api.api.deps.authenticate_request)],
 )

mlrun/api/api/deps.py

@@ -5,7 +5,7 @@
 
 import mlrun.api.db.session
 import mlrun.api.schemas
-import mlrun.api.utils.auth
+import mlrun.api.utils.auth.verifier
 import mlrun.api.utils.clients.iguazio
 
 
@@ -17,8 +17,5 @@ def get_db_session() -> typing.Generator[Session, None, None]:
         mlrun.api.db.session.close_session(db_session)
 
 
-class AuthVerifierDep:
-    def __init__(self, request: Request):
-        self.auth_info = mlrun.api.utils.auth.AuthVerifier().authenticate_request(
-            request
-        )
+def authenticate_request(request: Request) -> mlrun.api.schemas.AuthInfo:
+    return mlrun.api.utils.auth.verifier.AuthVerifier().authenticate_request(request)

mlrun/api/api/endpoints/artifacts.py

@@ -6,7 +6,7 @@
 from sqlalchemy.orm import Session
 
 import mlrun.api.crud
-import mlrun.api.utils.clients.opa
+import mlrun.api.utils.auth.verifier
 import mlrun.api.utils.singletons.project_member
 from mlrun.api import schemas
 from mlrun.api.api import deps
@@ -26,22 +26,22 @@ async def store_artifact(
     key: str,
     tag: str = "",
     iter: int = 0,
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
     await run_in_threadpool(
         mlrun.api.utils.singletons.project_member.get_project_member().ensure_project,
         db_session,
         project,
-        auth_info=auth_verifier.auth_info,
+        auth_info=auth_info,
     )
     await run_in_threadpool(
-        mlrun.api.utils.clients.opa.Client().query_project_resource_permissions,
+        mlrun.api.utils.auth.verifier.AuthVerifier().query_project_resource_permissions,
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         project,
         key,
         mlrun.api.schemas.AuthorizationAction.store,
-        auth_verifier.auth_info,
+        auth_info,
     )
 
     data = None
@@ -67,19 +67,19 @@ async def store_artifact(
 @router.get("/projects/{project}/artifact-tags")
 def list_artifact_tags(
     project: str,
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
-    mlrun.api.utils.clients.opa.Client().query_project_permissions(
-        project, mlrun.api.schemas.AuthorizationAction.read, auth_verifier.auth_info,
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_permissions(
+        project, mlrun.api.schemas.AuthorizationAction.read, auth_info,
     )
     tag_tuples = get_db().list_artifact_tags(db_session, project)
     artifact_key_to_tag = {tag_tuple[1]: tag_tuple[2] for tag_tuple in tag_tuples}
-    allowed_artifact_keys = mlrun.api.utils.clients.opa.Client().filter_project_resources_by_permissions(
+    allowed_artifact_keys = mlrun.api.utils.auth.verifier.AuthVerifier().filter_project_resources_by_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         list(artifact_key_to_tag.keys()),
         lambda artifact_key: (project, artifact_key,),
-        auth_verifier.auth_info,
+        auth_info,
     )
     tags = [
         tag_tuple[2]
@@ -98,16 +98,16 @@ def get_artifact(
     key: str,
     tag: str = "latest",
     iter: int = 0,
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
     data = mlrun.api.crud.Artifacts().get_artifact(db_session, key, tag, iter, project)
-    mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_resource_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         project,
         key,
         mlrun.api.schemas.AuthorizationAction.read,
-        auth_verifier.auth_info,
+        auth_info,
     )
     return {
         "data": data,
@@ -120,15 +120,15 @@ def delete_artifact(
     uid: str,
     key: str,
     tag: str = "",
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
-    mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_resource_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         project,
         key,
         mlrun.api.schemas.AuthorizationAction.delete,
-        auth_verifier.auth_info,
+        auth_info,
     )
     mlrun.api.crud.Artifacts().delete_artifact(db_session, key, tag, project)
     return {}
@@ -144,13 +144,13 @@ def list_artifacts(
     labels: List[str] = Query([], alias="label"),
     iter: int = Query(None, ge=0),
     best_iteration: bool = Query(False, alias="best-iteration"),
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
     if project is None:
         project = config.default_project
-    mlrun.api.utils.clients.opa.Client().query_project_permissions(
-        project, mlrun.api.schemas.AuthorizationAction.read, auth_verifier.auth_info,
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_permissions(
+        project, mlrun.api.schemas.AuthorizationAction.read, auth_info,
     )
 
     artifacts = mlrun.api.crud.Artifacts().list_artifacts(
@@ -164,14 +164,14 @@ def list_artifacts(
         iter=iter,
         best_iteration=best_iteration,
     )
-    artifacts = mlrun.api.utils.clients.opa.Client().filter_project_resources_by_permissions(
+    artifacts = mlrun.api.utils.auth.verifier.AuthVerifier().filter_project_resources_by_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         artifacts,
         lambda artifact: (
             artifact.get("project", mlrun.mlconf.default_project),
             artifact["db_key"],
         ),
-        auth_verifier.auth_info,
+        auth_info,
     )
     return {
         "artifacts": artifacts,
@@ -184,18 +184,18 @@ def delete_artifacts(
     name: str = "",
     tag: str = "",
     labels: List[str] = Query([], alias="label"),
-    auth_verifier: deps.AuthVerifierDep = Depends(deps.AuthVerifierDep),
+    auth_info: mlrun.api.schemas.AuthInfo = Depends(deps.authenticate_request),
     db_session: Session = Depends(deps.get_db_session),
 ):
     artifacts = mlrun.api.crud.Artifacts().list_artifacts(
         db_session, project, name, tag, labels
     )
-    mlrun.api.utils.clients.opa.Client().query_project_resources_permissions(
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_resources_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.artifact,
         artifacts,
         lambda artifact: (artifact["project"], artifact["db_key"]),
         mlrun.api.schemas.AuthorizationAction.delete,
-        auth_verifier.auth_info,
+        auth_info,
     )
     mlrun.api.crud.Artifacts().delete_artifacts(db_session, project, name, tag, labels)
     return {}

mlrun/api/api/endpoints/auth.py

@@ -2,20 +2,20 @@
 
 import mlrun.api.api.deps
 import mlrun.api.schemas
-import mlrun.api.utils.clients.opa
+import mlrun.api.utils.auth.verifier
 
 router = fastapi.APIRouter()
 
 
 @router.post("/authorization/verifications")
 def verify_authorization(
     authorization_verification_input: mlrun.api.schemas.AuthorizationVerificationInput,
-    auth_verifier: mlrun.api.api.deps.AuthVerifierDep = fastapi.Depends(
-        mlrun.api.api.deps.AuthVerifierDep
+    auth_info: mlrun.api.schemas.AuthInfo = fastapi.Depends(
+        mlrun.api.api.deps.authenticate_request
     ),
 ):
-    mlrun.api.utils.clients.opa.Client().query_permissions(
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_permissions(
         authorization_verification_input.resource,
         authorization_verification_input.action,
-        auth_verifier.auth_info,
+        auth_info,
     )

mlrun/api/api/endpoints/background_tasks.py

@@ -2,8 +2,8 @@
 
 import mlrun.api.api.deps
 import mlrun.api.schemas
+import mlrun.api.utils.auth.verifier
 import mlrun.api.utils.background_tasks
-import mlrun.api.utils.clients.opa
 
 router = fastapi.APIRouter()
 
@@ -15,16 +15,16 @@
 def get_background_task(
     project: str,
     name: str,
-    auth_verifier: mlrun.api.api.deps.AuthVerifierDep = fastapi.Depends(
-        mlrun.api.api.deps.AuthVerifierDep
+    auth_info: mlrun.api.schemas.AuthInfo = fastapi.Depends(
+        mlrun.api.api.deps.authenticate_request
     ),
 ):
     # Since there's no not-found option on get_background_task - we authorize before getting (unlike other get endpoint)
-    mlrun.api.utils.clients.opa.Client().query_project_resource_permissions(
+    mlrun.api.utils.auth.verifier.AuthVerifier().query_project_resource_permissions(
         mlrun.api.schemas.AuthorizationResourceTypes.background_task,
         project,
         name,
         mlrun.api.schemas.AuthorizationAction.read,
-        auth_verifier.auth_info,
+        auth_info,
     )
     return mlrun.api.utils.background_tasks.Handler().get_background_task(project, name)