API gateway: api-keys in webserver, gateway services and client sdk (#1460)

implements parts of  #1268 and #1269

- webserver service:
  - frontend UI to add API keys (by @odeimaiz )
  - extends API specs auth section: see auth/api-keys path
- api-gateway service:
  - exposes basic API with two resources: me and studies (dummy handles in this PR)
  - customized autodoc with vendor extensions e.g. logo or client-sdk examples
  - drafts client-sdk calls (marked as tests to skip for this PR)
  - still not part of the swarm in this PR
  - only roles>=USER can create API keys

This commit requires DB migration!

Author: pcrespov

.github/CODEOWNERS

@@ -13,6 +13,7 @@ Makefile                                  @pcrespov, @sanderegg
 /scripts/demo                             @odeimaiz, @pcrespov
 /scripts/json-schema-to-openapi-schema    @sanderegg
 /scripts/template-projects                @odeimaiz, @pcrespov
+/services/api-gateway                     @pcrespov
 /services/catalog                         @pcrespov
 /services/sidecar                         @pcrespov, @mguidon
 /services/web/client                      @odeimaiz, @oetiker, @ignapas

api/specs/webserver/openapi-auth.yaml

@@ -210,6 +210,70 @@ paths:
         "3XX":
           description: redirection to specific ui application page
 
+  /auth/api-keys:
+    get:
+      summary: lists display names of API keys by this user
+      tags:
+        - authentication
+      operationId: list_api_keys
+      responses:
+        "200":
+          description: returns the display names of API keys
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: string
+        "401":
+          description: requires login to  list keys
+        "403":
+          description: not enough permissions to list keys
+
+    post:
+      summary: creates API keys to access public API
+      tags:
+        - authentication
+      operationId: create_api_key
+      requestBody:
+        description: user registration
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ApiKeyName"
+      responses:
+        "200":
+          description: Authorization granted returning API key
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ApiKeyGranted"
+        "400":
+          description: key name requested is invalid
+        "401":
+          description: requires login to  create a key
+        "403":
+          description: not enough permissions to create a key
+
+    delete:
+      summary: deletes API key by name
+      tags:
+        - authentication
+      operationId: delete_api_key
+      requestBody:
+        description: deletes given api key by name
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/ApiKeyName"
+      responses:
+        "204":
+          description: api key successfully deleted
+        "401":
+          description: requires login to  delete a key
+        "403":
+          description: not enough permissions to delete a key
+
 components:
   responses:
     DefaultErrorResponse:
@@ -221,3 +285,17 @@ components:
         client_session_id:
           type: string
           example: 5ac57685-c40f-448f-8711-70be1936fd63
+    ApiKeyName:
+      type: object
+      properties:
+        display_name:
+          type: string
+    ApiKeyGranted:
+      type: object
+      properties:
+        display_name:
+          type: string
+        api_key:
+          type: string
+        api_secret:
+          type: string

api/specs/webserver/openapi.yaml

@@ -1,7 +1,7 @@
 openapi: 3.0.0
 info:
   title: "osparc-simcore RESTful API"
-  version: 0.4.0
+  version: 0.5.1
   description: "RESTful API designed for web clients"
   contact:
     name: IT'IS Foundation
@@ -49,7 +49,7 @@ paths:
   # DIAGNOSTICS ---------------------------------------------------------
   /:
     $ref: "./openapi-diagnostics.yaml#/paths/~1"
-  
+
   /health:
     $ref: "./openapi-diagnostics.yaml#/paths/~1health"
 
@@ -85,6 +85,8 @@ paths:
   /auth/confirmation/{code}:
     $ref: "./openapi-auth.yaml#/paths/~1auth~1confirmation~1{code}"
 
+  /auth/api-keys:
+    $ref: "./openapi-auth.yaml#/paths/~1auth~1api-keys"
   # USER SETTINGS ------------------------------------------------------------------
 
   /me:

packages/postgres-database/src/simcore_postgres_database/migration/versions/16ee7d73b9cc_adds_api_keys_table.py

@@ -0,0 +1,37 @@
+"""Adds api_keys table
+
+Revision ID: 16ee7d73b9cc
+Revises: f3555bb4bc34
+Create Date: 2020-04-28 08:11:42.785688+00:00
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '16ee7d73b9cc'
+down_revision = 'f3555bb4bc34'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('api_keys',
+    sa.Column('id', sa.BigInteger(), nullable=False),
+    sa.Column('display_name', sa.String(), nullable=False),
+    sa.Column('user_id', sa.BigInteger(), nullable=False),
+    sa.Column('api_key', sa.String(), nullable=False),
+    sa.Column('api_secret', sa.String(), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('display_name', 'user_id', name='display_name_userid_uniqueness')
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('api_keys')
+    # ### end Alembic commands ###

packages/postgres-database/src/simcore_postgres_database/models/api_keys.py

@@ -0,0 +1,34 @@
+""" API keys to access public gateway
+
+
+These keys grant the client authorization to the API resources
+
+ +--------+                               +---------------+
+ |        |--(A)- Authorization Request ->|   Resource    |
+ |client  |                               |     Owner     | Authorization request
+ |        |<-(B)-- Authorization Grant ---|               |
+ +--------+                                +---------------+
+
+"""
+import sqlalchemy as sa
+
+from .base import metadata
+from .users import users
+
+api_keys = sa.Table(
+    "api_keys",
+    metadata,
+    sa.Column("id", sa.BigInteger, nullable=False, primary_key=True),
+    sa.Column("display_name", sa.String, nullable=False),
+    sa.Column(
+        "user_id",
+        sa.BigInteger,
+        sa.ForeignKey(users.c.id, ondelete="CASCADE"),
+        nullable=False,
+    ),
+    sa.Column("api_key", sa.String, nullable=False),
+    sa.Column("api_secret", sa.String, nullable=False),
+    sa.UniqueConstraint(
+        "display_name", "user_id", name="display_name_userid_uniqueness"
+    ),
+)

packages/postgres-database/src/simcore_postgres_database/webserver_models.py

@@ -12,6 +12,7 @@
 from .models.user_to_projects import user_to_projects
 from .models.users import UserRole, UserStatus, users
 from .models.tags import tags, study_tags
+from .models.api_keys import api_keys
 
 __all__ = [
     "users",
@@ -27,4 +28,5 @@
     "comp_pipeline",
     "tags",
     "study_tags",
+    "api_keys",
 ]

requirements.txt

@@ -2,7 +2,6 @@
 #
 # $ make devenv
 #
-pylint
 black
 pip-tools
 rope

scripts/common.Makefile

@@ -76,11 +76,12 @@ info: ## displays basic info
 	@echo ' NOW_TIMESTAMP    : ${NOW_TIMESTAMP}'
 	@echo ' VCS_URL          : ${VCS_URL}'
 	@echo ' VCS_REF          : ${VCS_REF}'
-	# installed
+	# installed in .venv
 	@pip list
-	# version
-	@cat setup.py | grep name=
-	@cat setup.py | grep version=
+	# package
+	-@echo ' name         : ' $(shell python ${CURDIR}/setup.py --name)
+	-@echo ' version      : ' $(shell python ${CURDIR}/setup.py --version)
+
 
 
 .PHONY: autoformat

services/api-gateway/.cookiecutterrc

@@ -16,5 +16,5 @@ default_context:
     project_name:              'Public API Gateway'
     project_short_description: "Platform's API Gateway for external clients"
     project_slug:              'api-gateway'
-    version:                   '0.1.0'
+    version:                   '0.1.1'
     year:                      '2020'

services/api-gateway/.env-devel

@@ -0,0 +1,13 @@
+#
+# Environment variables used to configure this service
+#
+
+# SEE services/api-gateway/src/simcore_service_api_gateway/auth_security.py
+SECRET_KEY=d0d0397de2c85ad26ffd4a0f9643dfe3a0ca3937f99cf3c2e174e11b5ef79880
+
+# SEE services/api-gateway/src/simcore_service_api_gateway/settings.py
+LOGLEVEL=DEBUG
+
+POSTGRES_USER=test
+POSTGRES_PASSWORD=test
+POSTGRES_DB=test

services/api-gateway/Makefile

@@ -13,8 +13,9 @@ export APP_VERSION = $(shell cat VERSION)
 reqs: ## compiles pip requirements (.in -> .txt)
 	@$(MAKE) --directory requirements reqs
 
+
 .PHONY: install-dev install-prod install-ci
-install-dev install-prod install-ci: _check-venv-active ## install app in development/production or CI mode
+install-dev install-prod install-ci: _check_venv_active ## install app in development/production or CI mode
 	# installing in $(subst install-,,$@) mode
 	pip-sync requirements/$(subst install-,,$@).txt
 
@@ -34,23 +35,26 @@ tests-integration: ## runs integration tests against local+production images
 
 
 .PHONY: run-devel down
-run-devel: down ## runs app with pg fixture for development
-	# starting pg database ...
-	docker-compose -f $(CURDIR)/tests/unit/with_dbs/docker-compose.yml up --detach
-	# starting service
-	export SECRET_KEY="d0d0397de2c85ad26ffd4a0f9643dfe3a0ca3937f99cf3c2e174e11b5ef79880"; \
+run-devel: .env-devel down ## runs app on host with pg fixture for development
+	# running current app
+	export $(shell grep -v '^#' $< | xargs  -d '\n'); \
+	docker-compose -f $(CURDIR)/tests/utils/docker-compose.yml up --detach; \
 	uvicorn simcore_service_api_gateway.main:the_app --reload --port=8001 --host=0.0.0.0
-	# stop
 
 down: ## stops pg fixture
-	docker-compose -f $(CURDIR)/tests/unit/with_dbs/docker-compose.yml down
+	# stopping extra services
+	-@docker-compose -f $(CURDIR)/tests/utils/docker-compose.yml down
+	# killing any process using port 8001
+	-@fuser --kill --verbose --namespace tcp 8001
+
 
 .PHONY: build
 build: ## builds docker image (using main services/docker-compose-build.yml)
 	@$(MAKE) --directory ${REPO_BASE_DIR} target=${APP_NAME} $@
 
 
 .PHONY: replay
+# TODO: replay shall point to online cookiecutter
 replay: .cookiecutterrc ## re-applies cookiecutter
 	# Replaying /home/crespo/devp/osparc-simcore/services/api-gateway/../../../cookiecutter-simcore-py-fastapi ...
 	@cookiecutter --no-input --overwrite-if-exists \

services/api-gateway/README.md

@@ -14,3 +14,10 @@ Platform's API Gateway for external clients
 [image-version]https://images.microbadger.com/badges/version/itisfoundation/api-gateway.svg
 [image-commit]:https://images.microbadger.com/badges/commit/itisfoundation/api-gateway.svg
 <!------------------------->
+
+
+
+## References
+
+- [Design patterns for modern web APIs](https://blog.feathersjs.com/design-patterns-for-modern-web-apis-1f046635215) by D. Luecke
+- [API Design Guide](https://cloud.google.com/apis/design/) by Google Cloud

services/api-gateway/VERSION

@@ -1 +1 @@
-0.1.0
+0.1.1

services/api-gateway/requirements/dev.txt

@@ -11,3 +11,6 @@
 
 # installs current package
 -e .
+
+# common dev-tools as well
+-r ../../../requirements.txt

services/api-gateway/setup.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.0
+current_version = 0.1.1
 commit = True
 tag = True
 

services/api-gateway/src/simcore_service_api_gateway/__version__.py

@@ -7,4 +7,4 @@
 major, minor, patch = __version__.split(".")
 
 api_version = __version__
-api_version_prefix: str = f"v{major}"
+api_vtag: str = f"v{major}"