Merge pull request #2814 from ASFHyP3/develop

Release v10.9.0

Author: jtherrmann

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [10.9.0]
+
+### Added
+- Support for API authentication via [Earthdata Login bearer tokens](https://urs.earthdata.nasa.gov/documentation/for_users/user_token)
+
 ## [10.8.0]
 
 ### Added

README.md

@@ -400,30 +400,22 @@ To delete a HyP3 deployment, delete any of the resources created above that are
 Before deleting the HyP3 CloudFormation stack,
 you should manually empty and delete the `contentbucket` and `logbucket` for the deployment via the S3 console.
 
-## Running the API Locally
+## Running the API locally
 
-The API can be run locally to verify changes, but must be connected to a set of existing DynamoDB tables.
+The API can be run locally for testing and development purposes:
 
-1. Set up AWS credentials in your environment as described
+1. Choose an existing HyP3 deployment that you want to connect to.
+2. Set up credentials for the corresponding AWS account as described
    [here](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#configuration).
-   Also see our [wiki page](https://github.com/ASFHyP3/.github-private/wiki/AWS-Access#aws-access-keys).
-2. Edit `tests/cfg.env` to specify the names of existing DynamoDB tables from a particular HyP3 deployment.
+   Also see our [developer docs article](https://github.com/ASFHyP3/.github-private/blob/main/docs/AWS-Access.md#aws-access-keys).
+3. If you haven't already, follow the [Developer Setup](#developer-setup) section to clone this repo and activate your conda environment.
+4. Edit your local copy of [`tests/cfg.env`](./tests/cfg.env) to specify the names of the DynamoDB tables from the HyP3 deployment.
    Delete all of the `AWS_*` variables.
-3. Run the API (replace `<profile>` with the AWS config profile that corresponds to the HyP3 deployment):
+5. Run the following command, replacing `<profile>` with the AWS config profile that corresponds to the HyP3 deployment:
    ```sh
    AWS_PROFILE=<profile> make run
    ```
-4. You should see something like `Running on http://127.0.0.1:8080` in the output. Open the host URL in your browser.
-   You should see the Swagger UI for the locally running API.
-5. In Chrome or Chromium, from the Swagger UI tab, open Developer tools, select the Application tab, then select
-   the host URL under Cookies. In Firefox, open Web Developer Tools, select the Storage tab, then select
-   the host URL under Cookies. Add a new cookie with the following Name:
-   ```
-   asf-urs
-   ```
-   And the following Value:
-   ```
-   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1cnMtdXNlci1pZCI6InVzZXIiLCJleHAiOjIxNTk1Mzc0OTYyLCJ1cnMtZ3JvdXBzIjpbeyJuYW1lIjoiYXV0aC1ncm91cCIsImFwcF91aWQiOiJhdXRoLXVpZCJ9XX0.hMtgDTqS5wxDPCzK9MlXB-3j6MAcGYeSZjGf4SYvq9Y
-   ```
-   And `/` for Path.
-6. To verify access, query the `GET /user` endpoint and verify that the response includes `"user_id": "user"`.
+6. You should see something like `Running on http://127.0.0.1:8080` in the output.
+   Open the URL in your browser and verify that you see the Swagger UI for the locally running API.
+7. Click the "Authorize" button in the upper right and input your [Earthdata Login bearer token](https://urs.earthdata.nasa.gov/documentation/for_users/user_token).
+8. To verify access, query the `GET /user` endpoint and verify that it returns the correct information for your username.

apps/api/src/hyp3_api/api-spec/openapi-spec.yml.j2

@@ -5,6 +5,7 @@ info:
   version: {{ api_version }}
 
 security:
+  - BearerAuth: []
   - EarthDataLogin: []
 
 {% if security_environment == 'EDC' %}
@@ -477,6 +478,13 @@ components:
       example: 50
 
   securitySchemes:
+    BearerAuth:
+      description: |-
+        Authentication via Earthdata Login Bearer Tokens; https://urs.earthdata.nasa.gov/documentation/for_users/user_token
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+
     EarthDataLogin:
       description: |-
         Authentication requires the user to have an account at urs.earthdata.nasa.gov and log in at auth.asf.alaska.edu

apps/api/src/hyp3_api/auth.py

@@ -1,27 +1,28 @@
-import time
 from os import environ
 
 import jwt
 
 
-def decode_token(token: str | None) -> dict | None:
-    if token is None:
-        return None
+class InvalidTokenException(Exception):
+    """Raised when authorization token cannot be decoded."""
+
+
+def decode_edl_bearer_token(token: str, jwks_client: jwt.PyJWKClient) -> tuple[str, str]:
+    signing_key = jwks_client.get_signing_key('edljwtpubkey_ops')
     try:
-        return jwt.decode(token, environ['AUTH_PUBLIC_KEY'], algorithms=environ['AUTH_ALGORITHM'])
-    except (jwt.ExpiredSignatureError, jwt.DecodeError):
-        return None
-
-
-def get_mock_jwt_cookie(user: str, lifetime_in_seconds: int, access_token: str) -> str:
-    payload = {
-        'urs-user-id': user,
-        'urs-access-token': access_token,
-        'exp': int(time.time()) + lifetime_in_seconds,
-    }
-    value = jwt.encode(
-        payload=payload,
-        key=environ['AUTH_PUBLIC_KEY'],
-        algorithm=environ['AUTH_ALGORITHM'],
-    )
-    return value
+        payload = jwt.decode(token, signing_key, algorithms=['RS256'])
+    except jwt.exceptions.InvalidTokenError as e:
+        raise InvalidTokenException(f'Invalid authorization token provided: {str(e)}')
+    return payload['uid'], token
+
+
+def decode_asf_cookie(cookie: str) -> tuple[str, str]:
+    try:
+        payload = jwt.decode(cookie, environ['AUTH_PUBLIC_KEY'], algorithms=environ['AUTH_ALGORITHM'])
+    except jwt.exceptions.InvalidTokenError as e:
+        raise InvalidTokenException(f'Invalid authorization cookie provided: {str(e)}')
+    return payload['urs-user-id'], payload['urs-access-token']
+
+
+def get_jwks_client() -> jwt.PyJWKClient:
+    return jwt.PyJWKClient('https://urs.earthdata.nasa.gov/.well-known/edl_ops_jwks.json')

apps/api/src/hyp3_api/routes.py

@@ -24,6 +24,8 @@
 api_spec = OpenAPI.from_dict(api_spec_dict)
 CORS(app, origins=r'https?://([-\w]+\.)*asf\.alaska\.edu', supports_credentials=True)
 
+
+JWKS_CLIENT = auth.get_jwks_client()
 AUTHENTICATED_ROUTES = ['/jobs', '/user']
 
 
@@ -33,19 +35,22 @@ def check_system_available() -> Response | None:
         message = 'HyP3 is currently unavailable. Please try again later.'
         error = {'detail': message, 'status': 503, 'title': 'Service Unavailable', 'type': 'about:blank'}
         return make_response(jsonify(error), 503)
+
     return None
 
 
 @app.before_request
 def authenticate_user() -> None:
-    cookie = request.cookies.get('asf-urs')
-    payload = auth.decode_token(cookie)
-    if payload is not None:
-        g.user = payload['urs-user-id']
-        g.edl_access_token = payload['urs-access-token']
-    else:
-        if any([request.path.startswith(route) for route in AUTHENTICATED_ROUTES]) and request.method != 'OPTIONS':
-            abort(handlers.problem_format(401, 'No authorization token provided'))
+    if any([request.path.startswith(route) for route in AUTHENTICATED_ROUTES]) and request.method != 'OPTIONS':
+        try:
+            if request.authorization and request.authorization.type == 'bearer':
+                g.user, g.edl_access_token = auth.decode_edl_bearer_token(str(request.authorization.token), JWKS_CLIENT)
+            elif 'asf-urs' in request.cookies:
+                g.user, g.edl_access_token = auth.decode_asf_cookie(request.cookies['asf-urs'])
+            else:
+                abort(handlers.problem_format(401, 'No authorization token provided'))
+        except auth.InvalidTokenException as e:
+            abort(handlers.problem_format(401, str(e)))
 
 
 @app.route('/')

tests/test_api/conftest.py

@@ -1,11 +1,14 @@
 import json
+import os
 import re
+import time
 from datetime import date, timedelta
 
+import jwt
 import pytest
 import responses
 
-from hyp3_api import CMR_URL, app, auth
+from hyp3_api import CMR_URL, app
 
 
 AUTH_COOKIE = 'asf-urs'
@@ -30,7 +33,7 @@ def login(client, username=DEFAULT_USERNAME, access_token=DEFAULT_ACCESS_TOKEN):
     client.set_cookie(
         domain='localhost',
         key=AUTH_COOKIE,
-        value=auth.get_mock_jwt_cookie(username, lifetime_in_seconds=10_000, access_token=access_token),
+        value=get_mock_jwt_cookie(username, lifetime_in_seconds=10_000, access_token=access_token),
     )
 
 
@@ -81,3 +84,17 @@ def setup_mock_cmr_response_for_polygons(granule_polygon_pairs):
         }
     }
     responses.add(responses.POST, CMR_URL_RE, json.dumps(cmr_response))
+
+
+def get_mock_jwt_cookie(user: str, lifetime_in_seconds: int, access_token: str) -> str:
+    payload = {
+        'urs-user-id': user,
+        'urs-access-token': access_token,
+        'exp': int(time.time()) + lifetime_in_seconds,
+    }
+    value = jwt.encode(
+        payload=payload,
+        key=os.environ['AUTH_PUBLIC_KEY'],
+        algorithm=os.environ['AUTH_ALGORITHM'],
+    )
+    return value

tests/test_api/test_api_spec.py

@@ -1,7 +1,6 @@
 from http import HTTPStatus
 
-from hyp3_api import auth
-from test_api.conftest import AUTH_COOKIE, JOBS_URI, USER_URI, login
+from test_api.conftest import AUTH_COOKIE, JOBS_URI, USER_URI, get_mock_jwt_cookie, login
 
 
 ENDPOINTS = {
@@ -41,14 +40,22 @@ def test_invalid_cookie(client):
         client.set_cookie(domain='localhost', key=AUTH_COOKIE, value='garbage I say!!! GARGBAGE!!!')
         response = client.get(uri)
         assert response.status_code == HTTPStatus.UNAUTHORIZED
+        assert 'Invalid authorization cookie provided' in response.json['detail']
+
+
+def test_invalid_bearer(client):
+    for uri in ENDPOINTS:
+        response = client.get(uri, headers={'Authorization': 'Bearer BAD TOKEN'})
+        assert response.status_code == HTTPStatus.UNAUTHORIZED
+        assert 'Invalid authorization token provided' in response.json['detail']
 
 
 def test_expired_cookie(client):
     for uri in ENDPOINTS:
         client.set_cookie(
             domain='localhost',
             key=AUTH_COOKIE,
-            value=auth.get_mock_jwt_cookie('user', lifetime_in_seconds=-1, access_token='token'),
+            value=get_mock_jwt_cookie('user', lifetime_in_seconds=-1, access_token='token'),
         )
         response = client.get(uri)
         assert response.status_code == HTTPStatus.UNAUTHORIZED

tests/test_api/test_auth.py

@@ -0,0 +1,51 @@
+from unittest.mock import patch
+
+import jwt
+import pytest
+
+from hyp3_api import auth
+from test_api import conftest
+
+
+def test_decode_asf_cookie():
+    cookie = conftest.get_mock_jwt_cookie('user', lifetime_in_seconds=100, access_token='token')
+
+    user, token = auth.decode_asf_cookie(cookie)
+    assert user == 'user'
+    assert token == 'token'
+
+
+@pytest.mark.network
+def test_decode_edl_bearer_token(jwks_client):
+    with patch('hyp3_api.auth.jwt.decode', return_value={'uid': 'test-user'}) as mock_decode:
+        user, token = auth.decode_edl_bearer_token('test-token', jwks_client)
+
+        mock_decode.assert_called_once()
+        assert len(mock_decode.call_args.args) == 2
+        assert mock_decode.call_args.args[0] == 'test-token'
+        assert isinstance(mock_decode.call_args.args[1], jwt.api_jwk.PyJWK)
+        assert mock_decode.call_args.kwargs == {'algorithms': ['RS256']}
+
+        assert user == 'test-user'
+        assert token == 'test-token'
+
+
+@pytest.mark.network
+def test_get_jwks_client(jwks_client):
+    assert 'urs.earthdata.nasa.gov' in jwks_client.uri
+
+
+@pytest.mark.network
+def test_bad_bearer_token(jwks_client):
+    with pytest.raises(auth.InvalidTokenException, match=r'^Invalid authorization token provided'):
+        auth.decode_edl_bearer_token('bad token', jwks_client)
+
+
+def test_bad_asf_cookie():
+    with pytest.raises(auth.InvalidTokenException, match=r'^Invalid authorization cookie provided'):
+        auth.decode_asf_cookie('bad token')
+
+
+@pytest.fixture(scope='session')
+def jwks_client():
+    return auth.get_jwks_client()