Reviewed helpers

daviddenis-stx · daviddenis-stx · commit 25ff6cf2c68f · 2022-02-01T18:38:02.000+01:00
diff --git a/src/systemathics/helpers/channel_helpers.py b/src/systemathics/helpers/channel_helpers.py
@@ -1,19 +1,59 @@
-"""Systemathics APIs Token Helpers
+"""Systemathics Ganymede APIs Token Helpers
 
-This module helps to create tokens to access Systemathics authenticated APIs
+This module helps to create channels to access Systemathics Ganymede authenticated APIs.
 
 functions:
-    * get_channel_credentials - get a vanilla ChannelCredentials with default trusted root certificates (from SSL_CERT_FILE environment variable if set, or using auto dection if not)
-    * autodetect_ca_bundle - automatically detect system wide trusted root certificates to use by probing well known OS paths.
-    * get_grpc_api_endpoint - get the endpoint to connect to Systemathics APIs (from GRPC_APIS environment variable)
-    * get_grpc_channel - get a gRPC channel to connect to Systemathics APIs with default credentials.
+    * get_grpc_channel - Get a channel suitable to call Ganymede gRPC APIs.
+    * get_aio_grpc_channel - Get an aio channel suitable to call Ganymede gRPC APIs.
 """
 
 import os
 from shutil import ExecError
 import grpc
 
-def get_channel_credentials() -> grpc.ChannelCredentials:
+DEFAULT_ENDPOINT = "https://grpc.ganymede.cloud"
+
+def get_grpc_channel() -> grpc.Channel:
+    """
+    Get a channel suitable to call Ganymede gRPC APIs.
+    This uses the GRPC_APIS environment variable in the form http[s]://fdqn[:port] (if no scheme is give, we'll assume https).
+    If none is detected, use DEFAULT_ENDPOINT.
+    Note:
+        For secure channels, we'll try to guess the path of CA certificates chain automatically.
+        For windows you need to 'pip install wheel python-certifi-win32' for that to work (it exports Windows CA Store to a PEM file).
+        In the event CA certificates cannot be found, or if you want to use a custom file, set the SSL_CERT_FILE environment variable.
+    Returns:
+        An aio channel suitable to call Ganymede gRPC APIs.
+    """
+    endpoint = os.getenv('GRPC_APIS','')
+    endpoint = endpoint if endpoint else DEFAULT_ENDPOINT # if no endpoint was provided, use the default one
+    endpoint = endpoint if endpoint.startswith("http") else f"https://{endpoint}" # if no scheme was provided, assume it's https
+    if (endpoint.startswith("https")):
+        return grpc.secure_channel(endpoint.replace("https://",""), _get_channel_credentials())
+    else:
+        return grpc.insecure_channel(endpoint.replace("http://",""))
+
+def get_aio_grpc_channel() -> grpc.aio.Channel:
+    """
+    Get an aio channel suitable to call Ganymede gRPC APIs.
+    This uses the GRPC_APIS environment variable in the form http[s]://fdqn[:port].
+    If none is detected, use DEFAULT_ENDPOINT.
+    Note:
+        For secure channels, we'll try to guess the path of CA certificates chain automatically.
+        For windows you need to 'pip install wheel python-certifi-win32' for that to work (it exports Windows CA Store to a PEM file).
+        In the event CA certificates cannot be found, or if you want to use a custom file, set the SSL_CERT_FILE environment variable.
+    Returns:
+        An aio channel suitable to call Ganymede gRPC APIs.
+    """
+    endpoint = os.getenv('GRPC_APIS','')
+    endpoint = endpoint if endpoint else DEFAULT_ENDPOINT # if no endpoint was provided, use the default one
+    endpoint = endpoint if endpoint.startswith("http") else f"https://{endpoint}" # if no scheme was provided, assume it's https
+    if (endpoint.startswith("https")):
+        return grpc.aio.secure_channel(endpoint.replace("https://",""), _get_channel_credentials())
+    else:
+        return grpc.aio.insecure_channel(endpoint.replace("http://",""))
+
+def _get_channel_credentials() -> grpc.ChannelCredentials:
     # If we have a SSL_CERT_FILE env variable, use it
     ssl_cert_file = os.getenv('SSL_CERT_FILE','')
     if (ssl_cert_file !='' ):
@@ -22,35 +62,27 @@ def get_channel_credentials() -> grpc.ChannelCredentials:
         cabundle = ssl_cert_file
     # Otherwise try autodetection
     else:
-        cabundle = autodetect_ca_bundle()
+        cabundle = _autodetect_ca_bundle()
 
     with open(cabundle, 'rb') as f:
         credentials = grpc.ssl_channel_credentials(f.read())
         return credentials
 
-def autodetect_ca_bundle() -> str:
+def _autodetect_ca_bundle() -> str:
     cabundles = [
-	"/etc/ssl/certs/ca-certificates.crt",                # Debian/Ubuntu/Gentoo/etc..
-	"/etc/pki/tls/certs/ca-bundle.crt",                  # Fedora/RHEL 6
-	"/etc/ssl/ca-bundle.pem",                            # OpenSUSE
-	"/etc/pki/tls/cacert.pem",                           # OpenELEC
-	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
-	"/etc/ssl/cert.pem"                                  # Alpine Linux
-                                                         # Windows ?
+	"/etc/ssl/certs/ca-certificates.crt",                                  # Debian/Ubuntu/Gentoo/etc..
+	"/etc/pki/tls/certs/ca-bundle.crt",                                    # Fedora/RHEL 6
+	"/etc/ssl/ca-bundle.pem",                                              # OpenSUSE
+	"/etc/pki/tls/cacert.pem",                                             # OpenELEC
+	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",                   # CentOS/RHEL 7
+	"/etc/ssl/cert.pem",                                                   # Alpine Linux
+    os.path.join(os.getenv('LOCALAPPDATA',''), '.certifi', 'cacert.pem')   # Windows (requires: pip install wheel python-certifi-win32)
     ]
 
     for cabundle in cabundles:
         if (os.path.isfile(cabundle)):
             return cabundle
 
-    raise Exception(f"Could not find any trusted root certificates file, tried {cabundles}")
+    raise Exception(f"Could not auto detect trusted root certificates file, tried {cabundles}. Please help by setting SSL_CERT_FILE environment variable")
 
-def get_grpc_api_endpoint() -> str:
-    grpc_apis = os.getenv('GRPC_APIS','')
-    if (grpc_apis == ''):
-        raise Exception("Environment variable GRPC_APIS is not set!")
-    return grpc_apis
-
-def get_grpc_channel() -> grpc.Channel:
-    credentials = get_channel_credentials()
-    return grpc.secure_channel(get_grpc_api_endpoint(), credentials)
+print(get_grpc_channel())
diff --git a/src/systemathics/helpers/token_helpers.py b/src/systemathics/helpers/token_helpers.py
@@ -1,90 +1,73 @@
-"""Systemathics APIs Token Helpers
+"""Systemathics Ganymede  APIs Token Helpers
 
-This module helps to create tokens to access Systemathics authenticated APIs
+This module helps to create tokens to access Systemathics Ganymede authenticated APIs.
 
 functions:
-    * get_token - get token by autodecting environment variables
-    * create_bearer_token - create a bearer token (used by get_token when AUTH0_TOKEN env variable is set)
-    * create_bearer_token_using_rest - create beared token using REST API (used by get_token when AUTH0_TOKEN env variable is not set and CLIENT_ID, CLIENT_SECRET, AUDIENCE and TENANT environment variables are set)
+    * get_token - Get a JWT Authorization token suitable to call Ganymede gRPC APIs.
 """
 
 import os
 import http.client
 import json
 
+DEFAULT_AUDIENCE = "https://prod.ganymede-prod"
+
+DEFAULT_TENANT = "ganymede-prod.eu.auth0.com"
+
 def get_token() -> str:    
-    auth0_token = os.getenv('AUTH0_TOKEN','')
-    client_id = os.getenv('CLIENT_ID','')
-    client_secret = os.getenv('CLIENT_SECRET','')
-    audience = os.getenv('AUDIENCE','')
-    tenant = os.getenv('TENANT','')
+    """
+    Get a JWT Authorization token suitable to call Ganymede gRPC APIs.
+    We either use 'AUTH0_TOKEN' environment variable (if present) to create a bearer token from it.
+    Or 'CLIENT_ID' and 'CLIENT_SECRET' environment variables (optionally 'AUDIENCE' can override DEFAULT_AUDIENCE, and 'TENANT' can override DEFAULT_TENANT).  
+    Returns:
+        A JWT Authorization token suitable to call Ganymede gRPC APIs.
+    """
+    auth0_token = os.getenv("AUTH0_TOKEN","")
+    client_id = os.getenv("CLIENT_ID","")
+    client_secret = os.getenv("CLIENT_SECRET","")
+    audience = os.getenv("AUDIENCE","")
+    tenant = os.getenv("TENANT","")
 
     # If we have AUTH0_TOKEN, generate a bearer token
-    if(auth0_token != ''):
-        if (client_id != ''):
-            print(f"print: AUTH0_TOKEN environment variable is set, CLIENT_ID environment variable will be ignored")
-        if (client_secret != ''):
-            print(f"print: AUTH0_TOKEN environment variable is set, CLIENT_SECRET environment variable will be ignored")
-        if (audience != ''):
-            print(f"print: AUTH0_TOKEN environment variable is set, AUDIENCE environment variable will be ignored")
-        if (tenant != ''):
-            print(f"print: AUTH0_TOKEN environment variable is set, TENANT environment variable will be ignored")
-        return create_bearer_token(auth0_token)
+    if(auth0_token != ""):
+        return f"Bearer {auth0_token}"
 
-    # If we don't, look for CLIENT_ID, CLIENT_SECRET, AUDIENCE and TENANT to create a token using Auth0 API
-    missing=[]
-    if(client_id == ''):
-        missing.append("CLIENT_ID")
-    if(client_secret == ''):
-        missing.append("CLIENT_SECRET")
-    if(audience == ''):
-        missing.append("AUDIENCE")
-    if(tenant == ''):
-        missing.append("TENANT")
-
-    if (len(missing) == 0):
-        return create_bearer_token_using_rest(client_id, client_secret, audience, tenant)
+    # If we don't, use Auth0 REST API to request one (we need CLIENT_ID and CLIENT_SECRET; Optionally AUDIENCE and TENANT)
+    if (client_id and client_secret):
+        return _create_bearer_token_using_rest(
+            client_id, 
+            client_secret, 
+            audience if audience else DEFAULT_AUDIENCE, 
+            tenant if tenant else DEFAULT_TENANT)
     else:    
-        raise Exception(f"AUTH0_TOKEN environment variable is not set, therefore CLIENT_ID, CLIENT_SECRET, AUDIENCE and TENANT environment variables must be set. Missing env variables {missing}")
-
-def create_bearer_token(auth0_token) -> str:
-    if (auth0_token == ''):
-        raise Exception(f"auth0_token cannot be null")
+        raise Exception(f"AUTH0_TOKEN environment variable is not set, therefore CLIENT_ID and CLIENT_SECRET (and optionally AUDIENCE and TENANT) environment variables must be set")
 
-    return f"Bearer {auth0_token}"
-
-def create_bearer_token_using_rest(client_id, client_secret, audience, tenant) -> str:
-    if (client_id == ''):
+def _create_bearer_token_using_rest(client_id, client_secret, audience, tenant) -> str:
+    if (client_id == ""):
         raise Exception(f"client_id cannot be null")
-    if (client_secret == ''):
+    if (client_secret == ""):
         raise Exception(f"client_secret cannot be null")
-    if (audience == ''):
+    if (audience == ""):
         raise Exception(f"audience cannot be null")
-    if (tenant == ''):
+    if (tenant == ""):
         raise Exception(f"tenant cannot be null")
 
-    try:
-        # Setup connection and payload
-        conn = http.client.HTTPSConnection(tenant)
-        headers = { 'content-type': "application/json" }
-        params = {"client_id": client_id, "client_secret": client_secret, "grant_type" : "client_credentials", "audience": audience }
-        payload = json.dumps(params)
+    # Setup connection and payload
+    conn = http.client.HTTPSConnection(tenant)
+    headers = { "content-type": "application/json" }
+    params = {"client_id": client_id, "client_secret": client_secret, "grant_type" : "client_credentials", "audience": audience }
+    payload = json.dumps(params)
 
-        # Send Request
-        conn.request("POST", "/oauth/token", payload, headers)
-        res = conn.getresponse()
-        data = res.read()
-        
-        json_data =  json.loads(data.decode("utf-8"))
+    # Send Request
+    conn.request("POST", "/oauth/token", payload, headers)
+    res = conn.getresponse()
+    data = res.read()
+       
+    json_data =  json.loads(data.decode("utf-8"))
                             
-        # Get access token to be used to authenticate against API
-        try:
-            token = f"{json_data['token_type']} {json_data['access_token']}"
-            return token
-        except Exception as ee:
-            print(f"create_bearer_token_using_rest: Returned JSON doesn't contain 'token_type' and/or 'access_token'. Check your client_id, client_secret, audience and tenant: {json_data}")
-            return ""
-
-    except Exception as e:
-        print(f"create_bearer_token_using_rest: Got exception {e}")
-        return ""
+    # Get access token to be used to authenticate against API
+    try:
+        token = f"{json_data['token_type']} {json_data['access_token']}"
+        return token
+    except Exception as ee:
+        raise Exception(f"Returned JSON doesn't contain 'token_type' and/or 'access_token'. Check your client ID, client secret, audience and tenant: {json_data}")
