[MCC-961880] Add MAuthASGIMiddleware

.travis.yml

@@ -3,7 +3,7 @@ language: python
 cache: pip
 
 python:
-  - 3.6
+  - 3.6.2
   - 3.7.13 # specify micro version to avoid having EnvCommandError
   - 3.8
   - 3.9

CHANGELOG.md

@@ -1,3 +1,6 @@
+# 1.3.0
+- Add `FastAPIAuthenticator` to authenticate requests in FastAPI applications.
+
 # 1.2.3
 - Ignore `boto3` import error (`ModuleNotFoundError`).
 

CONTRIBUTING.md

@@ -16,23 +16,18 @@ To setup your environment:
   ```
 1. Install Pyenv versions for the Tox Suite
   ```bash
-  pyenv install 3.5.8
   pyenv install 3.6.10
   pyenv install 3.7.7
   pyenv install 3.8.2
   pyenv install pypy3.6-7.3.1
   ```
 1. Install Poetry
   ```bash
-  curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
+  pip install poetry
   ```
-1. Install Tox
+1. Install Dependencies
   ```bash
-  pip install tox
-  ```
-1. Setup the local project versions (one for each env in the `envlist`)
-  ```bash
-  pyenv local 3.5.8 3.6.10 3.7.7 3.8.2 pypy3.6-7.1.1
+  poetry install -v
   ```
 
 
@@ -54,5 +49,5 @@ to init the submodule.
 
 ## Unit Tests
 
-1. Make any changes, update the tests and then run tests with `tox`
+1. Make any changes, update the tests and then run tests with `poetry run tox`
 1. Coverage report can be viewed using `open htmlcov/index.html`

README.md

@@ -114,22 +114,16 @@ app_uuid = authenticator.get_app_uuid()
 
 #### Flask applications
 
-You will need to create an application instance and initialize it with FlaskAuthenticator:
+You will need to create an application instance and initialize it with `FlaskAuthenticator`.
+To specify routes that need to be authenticated use the `requires_authentication` decorator.
 
 ```python
 from flask import Flask
-from mauth_client.flask_authenticator import FlaskAuthenticator
+from mauth_client.flask_authenticator import FlaskAuthenticator, requires_authentication
 
 app = Flask("Some Sample App")
 authenticator = FlaskAuthenticator()
 authenticator.init_app(app)
-```
-
-To specify routes that need to be authenticated use the `requires_authentication` decorator:
-
-```python
-from flask import Flask
-from mauth_client.flask_authenticator import requires_authentication
 
 @app.route("/some/private/route", methods=["GET"])
 @requires_authentication
@@ -141,6 +135,27 @@ def app_status():
     return "OK"
 ```
 
+#### FastAPI applications
+
+You will need to create an application instance and initialize it with `FastAPIAuthenticator`.
+To specify routes that need to be authenticated use the `requires_authentication` dependency.
+
+```python
+from fastapi import FastAPI, Depends
+from mauth_client.fastapi_authenticator import FastAPIAuthenticator, requires_authentication
+
+app = FastAPI()
+authenticator = FastAPIAuthenticator()
+authenticator.init_app(app)
+
+@app.get("/some/private/route", dependencies=[Depends(requires_authentication)])
+async def private_route():
+    return {"msg": "top secret"}
+
+@app.get("/app_status")
+async def app_status():
+    return {"msg": "OK"}
+```
 
 ## Contributing
 

mauth_client/fastapi_authenticator/__init__.py

@@ -0,0 +1 @@
+from .fastapi_authenticator import FastAPIAuthenticator, requires_authentication

mauth_client/fastapi_authenticator/fastapi_authenticator.py

@@ -0,0 +1,75 @@
+import logging
+
+from fastapi import FastAPI, HTTPException, Request
+from mauth_client.authenticator import LocalAuthenticator, RemoteAuthenticator
+from mauth_client.config import Config
+from mauth_client.signable import RequestSignable
+from mauth_client.signed import Signed
+from typing import Tuple, Union
+
+logger = logging.getLogger("fastapi_mauth")
+MAuthAuthenticator = LocalAuthenticator if Config.MAUTH_MODE == "local" else RemoteAuthenticator
+state_key = 'fastapi_mauth.client'
+
+
+class MAuthAuthenticationError(HTTPException):
+    pass
+
+
+class FastAPIAuthenticator:
+    """
+    The MAuth Authenticator instance
+    """
+
+    def __init__(self, app: FastAPI = None) -> None:
+        self._app = app
+        self._authenticator = None
+        if app:
+            self.init_app(app)
+
+    def init_app(self, app: FastAPI) -> None:
+        """
+        Attach authenticator to FastAPI app instance
+        """
+        self._app = app
+        self._authenticator = self
+        setattr(app.state, state_key, self)
+
+        self._authenticator = self._get_authenticator()
+
+    def _get_authenticator(self) -> Union[LocalAuthenticator, RemoteAuthenticator]:
+        # Validate the client settings (APP_UUID, PRIVATE_KEY)
+        if not all([Config.APP_UUID, Config.PRIVATE_KEY]):
+            raise TypeError("FastAPIAuthenticator requires APP_UUID and PRIVATE_KEY")
+        # Validate the mauth settings (MAUTH_BASE_URL, MAUTH_API_VERSION)
+        if not all([Config.MAUTH_URL, Config.MAUTH_API_VERSION]):
+            raise TypeError("FastAPIAuthenticator requires MAUTH_URL and MAUTH_API_VERSION")
+        # Validate MAUTH_MODE
+        if Config.MAUTH_MODE not in ("local", "remote"):
+            raise TypeError("FastAPIAuthenticator MAUTH_MODE must be one of local or remote")
+
+        return LocalAuthenticator if Config.MAUTH_MODE == "local" else RemoteAuthenticator
+
+    async def authenticate(self, request: Request) -> Tuple[bool, int, str]:
+        """
+        Authenticate given FastAPI request
+        """
+        body = await request.body()
+        signable = RequestSignable(
+            method=request.method,
+            url=request.url.path,
+            body=body,
+        )
+        return self._authenticator(
+            signable, Signed.from_headers(request.headers), logger
+        ).is_authentic()
+
+
+async def requires_authentication(request: Request) -> None:
+    """
+    FastAPI Dependency function for routes requiring MAuth authentication
+    """
+    authenticator = getattr(request.app.state, state_key)
+    is_authentic, status, msg = await authenticator.authenticate(request)
+    if not is_authentic:
+        raise MAuthAuthenticationError(status_code=status, detail=msg)