Merge pull request #40 from dataiku/feature/dss12-sc-155806-add-secure-basic-preset

feat: [sc-155806] [api-connect plugin] Add a preset for secure username/password/SSO

Author: alexbourret

CHANGELOG.md

@@ -3,6 +3,8 @@
 ## [Version 1.2.2](https://github.com/dataiku/dss-plugin-api-connect/releases/tag/v1.2.2) - Feature release - 2024-02-14
 
 - Handle XML and CSV endpoints
+- Add secure SSO preset
+- Add secure username / password preset
 
 ## [Version 1.2.1](https://github.com/dataiku/dss-plugin-api-connect/releases/tag/v1.2.1) - Bugfix release - 2023-12-13
 

custom-recipes/api-connect/recipe.json

@@ -32,11 +32,38 @@
             "type": "SEPARATOR",
             "label": "Authentication"
         },
+        {
+            "name": "auth_type",
+            "label": "Authentication type",
+            "description": "",
+            "type": "SELECT",
+            "defaultValue": null,
+            "selectChoices":[
+                {"value": "secure_oauth", "label": "SSO"},
+                {"value": "secure_basic", "label": "Secure username / password"},
+                {"value": null, "label": "Other"}
+            ]
+        },
         {
             "name": "credential",
             "label": "Credential preset",
             "type": "PRESET",
-            "parameterSetId": "credential"
+            "parameterSetId": "credential",
+            "visibilityCondition": "model.auth_type == null"
+        },
+        {
+            "name": "secure_oauth",
+            "label": "SSO preset",
+            "type": "PRESET",
+            "parameterSetId": "secure-oauth",
+            "visibilityCondition": "model.auth_type == 'secure_oauth'"
+        },
+        {
+            "name": "secure_basic",
+            "label": "Credential preset",
+            "type": "PRESET",
+            "parameterSetId": "secure-basic",
+            "visibilityCondition": "model.auth_type == 'secure_basic'"
         },
         {
             "type": "SEPARATOR",
@@ -254,6 +281,7 @@
             "name": "ignore_ssl_check",
             "label": "Ignore SSL check",
             "type": "BOOLEAN",
+            "visibilityCondition": "model.auth_type!='secure_oauth' && model.auth_type!='secure_basic'",
             "defaultValue": false
         },
         {

custom-recipes/api-connect/recipe.py

@@ -3,7 +3,7 @@
 from dataiku.customrecipe import get_input_names_for_role, get_recipe_config, get_output_names_for_role
 import pandas as pd
 from safe_logger import SafeLogger
-from dku_utils import get_dku_key_values, get_endpoint_parameters
+from dku_utils import get_dku_key_values, get_endpoint_parameters, get_secure_credentials
 from rest_api_recipe_session import RestApiRecipeSession
 from dku_constants import DKUConstants
 
@@ -37,6 +37,7 @@ def get_partitioning_keys(id_list, dku_flow_variables):
 credential_parameters = config.get("credential", {})
 behaviour_when_error = config.get("behaviour_when_error", "add-error-column")
 endpoint_parameters = get_endpoint_parameters(config)
+secure_credentials = get_secure_credentials(config)
 extraction_key = endpoint_parameters.get("extraction_key", "")
 is_raw_output = endpoint_parameters.get("raw_output", True)
 parameter_columns = [column for column in config.get("parameter_columns", []) if column]
@@ -54,6 +55,7 @@ def get_partitioning_keys(id_list, dku_flow_variables):
 recipe_session = RestApiRecipeSession(
     custom_key_values,
     credential_parameters,
+    secure_credentials,
     endpoint_parameters,
     extraction_key,
     parameter_columns,

parameter-sets/secure-basic/parameter-set.json

@@ -0,0 +1,45 @@
+{
+    "meta" : {
+        "label": "Secure basic",
+        "description": "Secured preset to be used solely on one domain. Username / password have to be set by individual users from their own profile's credential tab.",
+        "icon": "icon-puzzle-piece"
+    },
+    "defaultDefinableInline": false,
+    "defaultDefinableAtProjectLevel": false,
+    "pluginParams": [
+    ],
+    "params": [
+        {
+            "name": "secure_token",
+            "type": "CREDENTIAL_REQUEST",
+            "label": "Azure Single Sign On",
+            "credentialRequestSettings": {
+                "type": "BASIC"
+            },
+            "mandatory": true
+        },
+        {
+            "name": "secure_domain",
+            "label": "Domain",
+            "description": "",
+            "type": "STRING",
+            "mandatory": true
+        },
+        {
+            "name": "login_type",
+            "label": "Login type",
+            "type": "SELECT",
+            "defaultValue": "basic_login",
+            "selectChoices": [
+                {
+                    "value": "basic_login",
+                    "label": "Basic auth"
+                },
+                {
+                    "value": "ntlm",
+                    "label": "NTLM"
+                }
+            ]
+        }
+    ]
+}

parameter-sets/secure-oauth/parameter-set.json

@@ -0,0 +1,54 @@
+{
+    "meta" : {
+        "label": "Secure SSO credentials",
+        "description": "",
+        "icon": "icon-puzzle-piece"
+    },
+    "defaultDefinableInline": false,
+    "defaultDefinableAtProjectLevel": false,
+    "pluginParams": [
+    ],
+
+    "params": [
+        {
+            "name": "secure_token",
+            "type": "CREDENTIAL_REQUEST",
+            "label": "Single Sign On",
+            "credentialRequestSettings": {
+                "type": "OAUTH2",
+                "authorizationEndpoint": " ",
+                "tokenEndpoint": " ",
+                "scope": " "
+            },
+            "mandatory": true
+        },
+        {
+            "name": "authorizationEndpoint",
+            "label": "Authorization endpoint",
+            "type": "STRING",
+            "description": "",
+            "mandatory": false
+        },
+        {
+            "name": "tokenEndpoint",
+            "label": "Token endpoint",
+            "type": "STRING",
+            "description": "",
+            "mandatory": false
+        },
+        {
+            "name": "scope",
+            "label": "Scope",
+            "type": "STRING",
+            "description": "",
+            "mandatory": false
+        },
+        {
+            "name": "secure_domain",
+            "label": "Domain",
+            "description": "",
+            "type": "STRING",
+            "mandatory": true
+        }
+    ]
+}

python-connectors/api-connect_dataset/connector.json

@@ -11,11 +11,38 @@
             "type": "SEPARATOR",
             "label": "Authentication"
         },
+        {
+            "name": "auth_type",
+            "label": "Authentication type",
+            "description": "",
+            "type": "SELECT",
+            "defaultValue": null,
+            "selectChoices":[
+                {"value": "secure_oauth", "label": "SSO"},
+                {"value": "secure_basic", "label": "Secure username / password"},
+                {"value": null, "label": "Other"}
+            ]
+        },
         {
             "name": "credential",
             "label": "Credential preset",
             "type": "PRESET",
-            "parameterSetId": "credential"
+            "parameterSetId": "credential",
+            "visibilityCondition": "model.auth_type == null"
+        },
+        {
+            "name": "secure_oauth",
+            "label": "SSO preset",
+            "type": "PRESET",
+            "parameterSetId": "secure-oauth",
+            "visibilityCondition": "model.auth_type == 'secure_oauth'"
+        },
+        {
+            "name": "secure_basic",
+            "label": "Credential preset",
+            "type": "PRESET",
+            "parameterSetId": "secure-basic",
+            "visibilityCondition": "model.auth_type == 'secure_basic'"
         },
         {
             "type": "SEPARATOR",
@@ -117,8 +144,8 @@
         },
         {
             "name": "raw_output",
-            "label": "Raw JSON output",
-            "description": "",
+            "label": " ",
+            "description": "Raw JSON output",
             "defaultValue": true,
             "type": "BOOLEAN"
         },
@@ -198,20 +225,23 @@
         },
         {
             "name": "ignore_ssl_check",
-            "label": "Ignore SSL check",
+            "label": " ",
+            "description": "Ignore SSL check",
             "type": "BOOLEAN",
+            "visibilityCondition": "model.auth_type!='secure_oauth' && model.auth_type!='secure_basic'",
             "defaultValue": false
         },
         {
             "name": "redirect_auth_header",
-            "label": "Redirect authorization header",
+            "label": " ",
+            "description": "Redirect authorization header",
             "type": "BOOLEAN",
             "defaultValue": false
         },
         {
             "name": "display_metadata",
-            "label": "Display metadata",
-            "description": "Status code, request time...",
+            "label": " ",
+            "description": "Display metadata",
             "type": "BOOLEAN",
             "defaultValue": false
         },

python-connectors/api-connect_dataset/connector.py

@@ -4,7 +4,7 @@
 from rest_api_client import RestAPIClient
 from dku_utils import (
     get_dku_key_values, get_endpoint_parameters,
-    parse_keys_for_json, get_value_from_path, decode_csv_data
+    parse_keys_for_json, get_value_from_path, get_secure_credentials, decode_csv_data
 )
 from dku_constants import DKUConstants
 import json
@@ -20,9 +20,10 @@ def __init__(self, config, plugin_config):
         logger.info('API-Connect plugin connector v{}'.format(DKUConstants.PLUGIN_VERSION))
         logger.info("config={}".format(logger.filter_secrets(config)))
         endpoint_parameters = get_endpoint_parameters(config)
+        secure_credentials = get_secure_credentials(config)
         credential = config.get("credential", {})
         custom_key_values = get_dku_key_values(config.get("custom_key_values", {}))
-        self.client = RestAPIClient(credential, endpoint_parameters, custom_key_values)
+        self.client = RestAPIClient(credential, secure_credentials, endpoint_parameters, custom_key_values)
         extraction_key = endpoint_parameters.get("extraction_key", None)
         self.extraction_key = extraction_key or ''
         self.extraction_path = self.extraction_key.split('.')

python-lib/dku_constants.py

@@ -1,6 +1,6 @@
 class DKUConstants(object):
     API_RESPONSE_KEY = "api_response"
-    FORBIDDEN_KEYS = ["token", "password", "api_key_value"]
+    FORBIDDEN_KEYS = ["token", "password", "api_key_value", "secure_token"]
     FORM_DATA_BODY_FORMAT = "FORM_DATA"
     PLUGIN_VERSION = "1.2.2"
     RAW_BODY_FORMAT = "RAW"

python-lib/dku_utils.py

@@ -37,6 +37,26 @@ def get_endpoint_parameters(configuration):
     return parameters
 
 
+def get_secure_credentials(configuration):
+    secure_credentials = {}
+    auth_type = configuration.get("auth_type")
+    if auth_type:
+        secure_credentials["auth_type"] = auth_type
+    if auth_type == "secure_basic":
+        secure_credentials["login_type"] = configuration.get("login_type")
+        secure_basic = configuration.get("secure_basic", {})
+        secure_token = secure_basic.pop("secure_token", {})
+        secure_credentials.update(secure_basic)
+        secure_credentials.update(secure_token)
+
+    if auth_type == "secure_oauth":
+        secure_credentials["login_type"] = "bearer_token"
+        secure_oauth = configuration.get("secure_oauth", {})
+        secure_credentials["token"] = secure_oauth.pop("secure_token")
+        secure_credentials.update(secure_oauth)
+    return secure_credentials
+
+
 def parse_keys_for_json(items):
     ret = {}
     for key in items:

python-lib/rest_api_auth.py

@@ -0,0 +1,59 @@
+import requests
+import logging
+import urllib.parse
+
+
+logging.basicConfig(level=logging.INFO, format='dss-plugin-microstrategy %(levelname)s - %(message)s')
+logger = logging.getLogger()
+
+
+class RestApiAuth(requests.auth.AuthBase):
+    def __init__(self, credential):
+        login_type = credential.get("login_type", "no_auth")
+        self.api_key_destination = None
+        self.auth_key = None
+        self.auth_value = None
+        if login_type == "bearer_token":
+            token = credential.get("token", "")
+            bearer_template = credential.get("bearer_template", "Bearer {{token}}")
+            bearer_template = bearer_template.replace("{{token}}", token)
+            self.auth_key = "Authorization"
+            self.auth_value = bearer_template
+            self.api_key_destination = "header"
+        elif login_type == "api_key":
+            self.auth_key = credential.get("api_key_name", "")
+            self.auth_value = credential.get("api_key_value", "")
+            self.api_key_destination = credential.get("api_key_destination", "header")
+        else:
+            return None
+
+    def __call__(self, request):
+        if self.api_key_destination == "header":
+            request.headers[self.auth_key] = self.auth_value
+        elif self.api_key_destination == "params":
+            request.url = update_query_string(request.url, {self.auth_key:self.auth_value})
+        return request
+
+
+def get_auth(credential):
+    login_type = credential.get("login_type", "no_auth")
+    if login_type == "basic_login":
+        username = credential.get("username", credential.get("user", ""))
+        password = credential.get("password", "")
+        return (username, password)
+    if login_type == "ntlm":
+        from requests_ntlm import HttpNtlmAuth
+        username = credential.get("username", credential.get("user", ""))
+        password = credential.get("password", "")
+        return HttpNtlmAuth(username, password)
+    if login_type in ["bearer_token", "api_key"]:
+        return RestApiAuth(credential)
+
+
+def update_query_string(old_url, request_params_to_update):
+    url_parts = urllib.parse.urlparse(old_url)
+    request_params = dict(urllib.parse.parse_qsl(url_parts.query))
+    request_params.update(request_params_to_update)
+    request_params=urllib.parse.urlencode(request_params)
+    new_url = url_parts._replace(query=request_params).geturl()
+    return new_url