Deprecated usage of python package in user.py #345

Closed
mmacata opened this issue Apr 28, 2022 · 2 comments · Fixed by #386

mmacata commented Apr 28, 2022

The usage of recent versions of itsdangerous leads to the following error:

[2022-04-28 11:54:36,723] ERROR     : gunicorn.error.glogging   -Exception in worker process [in /usr/lib/python3.9/site-packages/gunicorn/glogging.py:270]
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/gthread.py", line 92, in init_process
    super().init_process()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/base.py", line 134, in init_process
    self.load_wsgi()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
    self.wsgi = self.app.wsgi()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/base.py", line 67, in wsgi
    self.callable = self.load()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
    return self.load_wsgiapp()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/usr/lib/python3.9/site-packages/gunicorn/util.py", line 359, in import_app
    mod = importlib.import_module(module)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/src/actinia_core/src/actinia_core/main.py", line 30, in <module>
    from .endpoints import create_endpoints
  File "/src/actinia_core/src/actinia_core/endpoints.py", line 34, in <module>
    from actinia_core.rest.location_management import \
  File "/src/actinia_core/src/actinia_core/rest/location_management.py", line 41, in <module>
    from actinia_core.rest.base.user_auth import very_admin_role
  File "/src/actinia_core/src/actinia_core/rest/base/user_auth.py", line 34, in <module>
    from actinia_core.core.common.user import ActiniaUser
  File "/src/actinia_core/src/actinia_core/core/common/user.py", line 31, in <module>
    from itsdangerous import (TimedJSONWebSignatureSerializer,
ImportError: cannot import name 'TimedJSONWebSignatureSerializer' from 'itsdangerous' (/usr/lib/python3.9/site-packages/itsdangerous/__init__.py)

As mentioned, TimedJSONWebSignatureSerializer is deprecated from v2.0.0, but Flask requires itsdangerous>=2 also from v2.0.0. Until this deprecated usage in actinia is fixed, the Flask version must be pinned to a version lower than that, e.g. Flask==1.1.4. This then leads to:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/gthread.py", line 92, in init_process
    super().init_process()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/base.py", line 134, in init_process
    self.load_wsgi()
  File "/usr/lib/python3.9/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
    self.wsgi = self.app.wsgi()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/base.py", line 67, in wsgi
    self.callable = self.load()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
    return self.load_wsgiapp()
  File "/usr/lib/python3.9/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/usr/lib/python3.9/site-packages/gunicorn/util.py", line 359, in import_app
    mod = importlib.import_module(module)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/src/actinia_core/src/actinia_core/main.py", line 30, in <module>
    from .endpoints import create_endpoints
  File "/src/actinia_core/src/actinia_core/endpoints.py", line 31, in <module>
    from actinia_core.core.common.app import flask_api
  File "/src/actinia_core/src/actinia_core/core/common/app.py", line 95, in <module>
    from flask_httpauth import HTTPBasicAuth
  File "/usr/lib/python3.9/site-packages/flask_httpauth.py", line 15, in <module>
    from flask import request, make_response, session, g, Response, current_app
  File "/usr/lib/python3.9/site-packages/flask/__init__.py", line 14, in <module>
    from jinja2 import escape
  File "/usr/lib/python3.9/site-packages/jinja2/__init__.py", line 12, in <module>
    from .environment import Environment
  File "/usr/lib/python3.9/site-packages/jinja2/environment.py", line 25, in <module>
    from .defaults import BLOCK_END_STRING
  File "/usr/lib/python3.9/site-packages/jinja2/defaults.py", line 3, in <module>
    from .filters import FILTERS as DEFAULT_FILTERS  # noqa: F401
  File "/usr/lib/python3.9/site-packages/jinja2/filters.py", line 13, in <module>
    from markupsafe import soft_unicode
ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/lib/python3.9/site-packages/markupsafe/__init__.py)

Which can be fixed by pinning MarkupSafe==2.0.1.

When the deprecated usage is removed, pinning of these versions can be undone (Flask>=0.12.3, no specific mention of MarkupSafe).

mmacata added a commit to mmacata/actinia-core that referenced this issue Jul 29, 2022
@mmacata mmacata mentioned this issue Aug 3, 2022

mmacata commented Sep 22, 2022

The version pinning of Flask leads to a version conflict with click when the actinia-stac-plugin is installed:

{'message': '(click 7.1.2 (/usr/lib/python3.9/site-packages), '
            "Requirement.parse('click>=8.0.0'), {'stac-validator'})",
 'traceback': '[\'  File "/src/actinia_core/src/actinia_core/endpoints.py", '
              "line 272, in create_endpoints\\n    check_import_plugins()\\n', "
              '\'  File "/src/actinia_core/src/actinia_core/endpoints.py", '
              'line 266, in check_import_plugins\\n    '
              'exec(import_run_str)\\n\', \'  File "<string>", line 1, in '
              "<module>\\n', '  File "
              '"/usr/lib/python3.9/site-packages/actinia_stac_plugin/endpoints.py", '
              'line 33, in <module>\\n    from actinia_stac_plugin.api.stac '
              "import Stac\\n', '  File "
              '"/usr/lib/python3.9/site-packages/actinia_stac_plugin/api/stac.py", '
              'line 32, in <module>\\n    from actinia_stac_plugin.core.stac '
              "import createStacItemList\\n', '  File "
              '"/usr/lib/python3.9/site-packages/actinia_stac_plugin/core/stac.py", '
              'line 28, in <module>\\n    from actinia_stac_plugin.core.common '
              "import connectRedis, defaultInstance\\n', '  File "
              '"/usr/lib/python3.9/site-packages/actinia_stac_plugin/core/common.py", '
              'line 30, in <module>\\n    from stac_validator import '
              "stac_validator\\n', '  File "
              '"/usr/lib/python3.9/site-packages/stac_validator/stac_validator.py", '
              'line 64, in <module>\\n    '
              '@click.version_option(version=pkg_resources.require("stac-validator")[0].version)\\n\', '
              "'  File "
              '"/usr/lib/python3.9/site-packages/pkg_resources/__init__.py", '
              'line 886, in require\\n    needed = '
              "self.resolve(parse_requirements(requirements))\\n', '  File "
              '"/usr/lib/python3.9/site-packages/pkg_resources/__init__.py", '
              'line 777, in resolve\\n    raise VersionConflict(dist, '
              "req).with_context(dependent_req)\\n']",
 'type': "<class 'pkg_resources.ContextualVersionConflict'>"}

This makes this issue more urgent.

As downpinning of Flask is only needed for TimedJSONWebSignatureSerializer and JSONWebSignatureSerializer and these again are only needed for API key and token generation and validation, possible solutions are:

  • Minimize authentication to basic auth with credentials only when keycloak integration is finished
  • Refactoring of user.py to move API key and token handling to a separate plugin which cannot be used together with stac-plugin then (not very sustainable)
  • Rewrite API key and token handling with new tools, best using exact same hash algorithm / signature as current one to not invalidate current API keys
  • dirty hack which shouldn't be used:
pip3 install --upgrade flask click \
   && sed -i "s+TimedJSONWebSignatureSerializer+BadSignature+g" /usr/lib/python3.9/site-packages/actinia_core/core/common/user.py \
   && sed -i "s+JSONWebSignatureSerializer+SignatureExpired+g" /usr/lib/python3.9/site-packages/actinia_core/core/common/user.py \
   && sed -i "s+user = ActiniaUser.verify_auth_token(username_or_token)+user = False+g" /usr/lib/python3.9/site-packages/actinia_core/rest/base/user_auth.py \
   && sed -i "s+user = ActiniaUser.verify_api_key(username_or_token)+user = False+g" /usr/lib/python3.9/site-packages/actinia_core/rest/base/user_auth.py
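
An added example (not part of the original comment and not actinia-core code) of what the third option, rewriting API key and token handling without the removed itsdangerous classes, can look like using only the Python standard library. The names `sign_token` and `verify_token` are hypothetical, and the sketch makes no attempt to reproduce the itsdangerous token format or key derivation, so it should not be expected to accept keys issued by the current code.

```python
# Added example: sign_token/verify_token are hypothetical, not actinia API.
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: bytes, signing_input: str) -> bytes:
    msg = signing_input.encode("ascii")
    return hmac.new(secret, msg, hashlib.sha512).digest()


def sign_token(secret, payload, expires_in=None, now=None):
    """expires_in=None issues a non-expiring API key, else a timed token."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS512", "iat": now}
    if expires_in is not None:
        header["exp"] = now + int(expires_in)
    parts = (header, payload)
    enc = [_b64(json.dumps(p, separators=(",", ":")).encode()) for p in parts]
    signing_input = ".".join(enc)
    return signing_input + "." + _b64(_mac(secret, signing_input))


def verify_token(secret, token, now=None):
    """Return the payload, or None if malformed, tampered with or expired."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        expected = _mac(secret, head_b64 + "." + body_b64)
        # Constant-time comparison, done before any of the token is parsed.
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        header = json.loads(_unb64(head_b64))
        payload = json.loads(_unb64(body_b64))
    except (ValueError, AttributeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    now = time.time() if now is None else now
    if header.get("exp") is not None and now >= header["exp"]:
        return None
    return payload
```

The signature is checked before the header or payload is decoded, and every failure path returns None rather than raising, so a caller can treat the result the same way for malformed, forged and expired tokens.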


mmacata commented Oct 14, 2022

Decided solution:

Minimize authentication to basic auth with credentials only when keycloak integration is finished

Then actinia API will be upgraded to v4, actinia.mundialis.de v3 + v4 will be deployed in parallel.
