Add service of internal tokens to Redis

In preparation for exposing service information for internal tokens and using it for authorization decisions, add that data to Redis.
lsst-sqre · Sep 25, 2024 · cb71501 · cb71501
1 parent 5e46502
commit cb71501
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 26 deletions.
diff --git a/src/gafaelfawr/models/token.py b/src/gafaelfawr/models/token.py
@@ -166,6 +166,18 @@ class TokenBase(BaseModel):
         examples=["session"],
     )
 
+    service: str | None = Field(
+        None,
+        title="Service",
+        description=(
+            "Service to which the token was delegated. Only present for"
+            " internal tokens."
+        ),
+        examples=["some-service"],
+        min_length=1,
+        max_length=64,
+    )
+
     scopes: list[str] = Field(
         ...,
         title="Token scopes",
@@ -215,18 +227,6 @@ class TokenInfo(TokenBase):
         max_length=64,
     )
 
-    service: str | None = Field(
-        None,
-        title="Service",
-        description=(
-            "Service to which the token was delegated.  Only present for"
-            " internal tokens"
-        ),
-        examples=["some-service"],
-        min_length=1,
-        max_length=64,
-    )
-
     last_used: Timestamp | None = Field(
         None,
         title="Last used",

diff --git a/src/gafaelfawr/services/token_cache.py b/src/gafaelfawr/services/token_cache.py
@@ -238,6 +238,7 @@ async def _create_internal_token(
             token=token,
             username=token_data.username,
             token_type=TokenType.internal,
+            service=service,
             scopes=scopes,
             created=created,
             expires=expires,
@@ -263,9 +264,7 @@ async def _create_internal_token(
 
         await self._token_redis_store.store_data(data)
         try:
-            await self._token_db_store.add(
-                data, service=service, parent=token_data.token.key
-            )
+            await self._token_db_store.add(data, parent=token_data.token.key)
             await self._token_change_store.add(history_entry)
         except Exception:
             await self._token_redis_store.delete(data.token.key)

diff --git a/src/gafaelfawr/storage/token.py b/src/gafaelfawr/storage/token.py
@@ -43,7 +43,6 @@ async def add(
         data: TokenData,
         *,
         token_name: str | None = None,
-        service: str | None = None,
         parent: str | None = None,
     ) -> None:
         """Store a new token.
@@ -72,7 +71,7 @@ async def add(
             token_type=data.token_type,
             token_name=token_name,
             scopes=",".join(sorted(data.scopes)),
-            service=service,
+            service=data.service,
             created=datetime_to_db(data.created),
             expires=datetime_to_db(data.expires),
         )

diff --git a/tests/services/oidc_test.py b/tests/services/oidc_test.py
@@ -141,6 +141,7 @@ async def test_redeem_code(
         "token": access_token.model_dump(),
         "username": token_data.username,
         "token_type": TokenType.oidc,
+        "service": None,
         "scopes": [],
         "created": ANY,
         "expires": int(token_data.expires.timestamp()),

diff --git a/tests/services/token_test.py b/tests/services/token_test.py
@@ -370,6 +370,7 @@ async def test_internal_token(config: Config, factory: Factory) -> None:
         token=internal_token,
         username=user_info.username,
         token_type=TokenType.internal,
+        service="some-service",
         scopes=["read:all"],
         created=info.created,
         expires=data.expires,
@@ -441,6 +442,7 @@ async def test_internal_token(config: Config, factory: Factory) -> None:
         token=second_internal_token,
         username=data.username,
         token_type=TokenType.internal,
+        service="some-service",
         scopes=["read:all"],
         created=created,
         expires=expires,
@@ -452,7 +454,7 @@ async def test_internal_token(config: Config, factory: Factory) -> None:
     await token_service._token_redis_store.store_data(internal_token_data)
     async with factory.session.begin():
         await token_service._token_db_store.add(
-            internal_token_data, service="some-service", parent=data.token.key
+            internal_token_data, parent=data.token.key
         )
     await token_service._token_cache.clear()
     async with factory.session.begin():
@@ -1508,6 +1510,7 @@ async def test_expire_tokens(factory: Factory) -> None:
         token=Token(),
         username=session_token_data.username,
         token_type=TokenType.internal,
+        service="tap",
         scopes=[],
         created=now - timedelta(minutes=58),
         expires=now - timedelta(minutes=30),
@@ -1516,6 +1519,7 @@ async def test_expire_tokens(factory: Factory) -> None:
         token=Token(),
         username=session_token_data.username,
         token_type=TokenType.internal,
+        service="tap",
         scopes=["read:all"],
         created=now - timedelta(minutes=58),
         expires=now - timedelta(minutes=30),
@@ -1543,14 +1547,10 @@ async def test_expire_tokens(factory: Factory) -> None:
             notebook_token_data, parent=session_token_data.token.key
         )
         await token_store.add(
-            internal_token_data,
-            service="tap",
-            parent=session_token_data.token.key,
+            internal_token_data, parent=session_token_data.token.key
         )
         await token_store.add(
-            notebook_internal_token_data,
-            service="tap",
-            parent=notebook_token_data.token.key,
+            notebook_internal_token_data, parent=notebook_token_data.token.key
         )
         await token_store.add(service_token_data)
 
@@ -1708,6 +1708,7 @@ async def test_audit(factory: Factory) -> None:
         token=Token(),
         username="some-user",
         token_type=TokenType.internal,
+        service="some-service",
         scopes=[],
         created=now,
         expires=now + timedelta(days=14),
@@ -1716,7 +1717,6 @@ async def test_audit(factory: Factory) -> None:
     async with factory.session.begin():
         await token_db_store.add(
             internal_token_data,
-            service="some-service",
             parent=db_user_token_data.token.key,
         )
 
@@ -1725,13 +1725,14 @@ async def test_audit(factory: Factory) -> None:
         token=Token(),
         username="some-user",
         token_type=TokenType.internal,
+        service="some-service",
         scopes=[],
         created=now,
         expires=now + timedelta(days=7),
     )
     await token_redis_store.store_data(orphaned_token_data)
     async with factory.session.begin():
-        await token_db_store.add(orphaned_token_data, service="some-service")
+        await token_db_store.add(orphaned_token_data)
         subtoken = Subtoken(parent=None, child=orphaned_token_data.token.key)
         factory.session.add(subtoken)