🔑->🗑️ Enable Tiled Admins to delete API Keys belonging to other user'…

…s principals (#786) * 🔏 The actual logic for loading and performing deletion. * ✅ Finish task by adding a dedicated test, extending context.admin * 🗜️ Rework namespaces for `revoke_api_key` * 🏷️ More susinct method name * 📋️ Check off all testing and renaming revisions * 📐📐🔵📐 I guess we doin' `enter_username_password` now (upstream breaking API change) * Truncate first_eight client-side. * Refine docstrings. --------- Co-authored-by: Dan Allan <dallan@bnl.gov>
bluesky · Oct 3, 2024 · 5c30719 · 5c30719
1 parent 3fda02e
commit 5c30719
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 2 deletions.
diff --git a/tiled/_tests/test_authentication.py b/tiled/_tests/test_authentication.py
@@ -655,3 +655,34 @@ def test_api_key_bypass_scopes(enter_username_password, principals_context):
                     context.http_client.get(
                         resource, params=query_params
                     ).raise_for_status()
+
+
+def test_admin_delete_principal_apikey(
+    enter_username_password,
+    principals_context,
+):
+    """
+    Admin can delete API keys for any prinicipal, revoking access.
+    """
+    with principals_context["context"] as context:
+        # Log in as Bob (Ordinary user)
+        with enter_username_password("bob", "secret2"):
+            context.authenticate(username="bob")
+
+        # Create an ordinary user API Key
+        principal_uuid = principals_context["uuid"]["bob"]
+        api_key_info = context.create_api_key(scopes=["read:data"])
+        context.logout()
+
+        # Log in as Alice (Admin)
+        with enter_username_password("alice", "secret1"):
+            context.authenticate(username="alice")
+
+        # Delete the created API Key via service principal
+        context.admin.revoke_api_key(principal_uuid, api_key_info["first_eight"])
+        context.logout()
+
+        # Try to use the revoked API Key
+        context.api_key = api_key_info["secret"]
+        with fail_with_status_code(HTTP_401_UNAUTHORIZED):
+            context.whoami()
diff --git a/tiled/client/context.py b/tiled/client/context.py
@@ -402,7 +402,10 @@ def which_api_key(self):
 
     def create_api_key(self, scopes=None, expires_in=None, note=None):
         """
-        Generate a new API for the currently-authenticated user.
+        Generate a new API key.
+
+        Users with administrative scopes may use ``Context.admin.revoke_api_key``
+        to create API keys on behalf of other users or services.
 
         Parameters
         ----------
@@ -425,11 +428,24 @@ def create_api_key(self, scopes=None, expires_in=None, note=None):
         ).json()
 
     def revoke_api_key(self, first_eight):
+        """
+        Revoke an API key.
+
+        The API key must belong to the currently-authenticated user or service.
+        Users with administrative scopes may use ``Context.admin.revoke_api_key``
+        to revoke API keys belonging to other users.
+
+        Parameters
+        ----------
+        first_eight : str
+            Identify the API key to be deleted by passing its first 8 characters.
+            (Any additional characters passed will be truncated.)
+        """
         handle_error(
             self.http_client.delete(
                 self.server_info["authentication"]["links"]["apikey"],
                 headers={"x-csrf": self.http_client.cookies["tiled_csrf"]},
-                params={"first_eight": first_eight},
+                params={"first_eight": first_eight[:8]},
             )
         )
 
@@ -851,6 +867,28 @@ def create_service_principal(
             )
         ).json()
 
+    def revoke_api_key(self, uuid, first_eight=None):
+        """
+        Revoke an API key belonging to any user or service.
+
+        Parameters
+        ----------
+        uuid : str
+            Identify the principal whose API key will be deleted. This is
+            required in order to reduce the chance of accidentally revoking
+            the wrong key.
+        first_eight : str
+            Identify the API key to be deleted by passing its first 8 characters.
+            (Any additional characters passed will be truncated.)
+        """
+        return handle_error(
+            self.context.http_client.delete(
+                f"{self.base_url}/auth/principal/{uuid}/apikey",
+                headers={"Accept": MSGPACK_MIME_TYPE},
+                params={"first_eight": first_eight[:8]},
+            )
+        )
+
 
 class CannotPrompt(Exception):
     pass

diff --git a/tiled/server/authentication.py b/tiled/server/authentication.py
@@ -912,6 +912,35 @@ async def principal(
     )
 
 
+@base_authentication_router.delete(
+    "/principal/{uuid}/apikey",
+    response_model=schemas.Principal,
+)
+async def revoke_apikey_for_principal(
+    request: Request,
+    uuid: uuid_module.UUID,
+    first_eight: str,
+    principal=Security(get_current_principal, scopes=["admin:apikeys"]),
+    db=Depends(get_database_session),
+):
+    "Allow Tiled Admins to delete any user's apikeys e.g."
+    request.state.endpoint = "auth"
+    api_key_orm = (
+        await db.execute(
+            select(orm.APIKey).filter(orm.APIKey.first_eight == first_eight[:8])
+        )
+    ).scalar()
+    if (api_key_orm is None) or (api_key_orm.principal.uuid != uuid):
+        raise HTTPException(
+            404,
+            f"The principal {uuid} has no such API key.",
+        )
+    await db.delete(api_key_orm)
+    await db.commit()
+
+    return Response(status_code=HTTP_204_NO_CONTENT)
+
+
 @base_authentication_router.post(
     "/principal/{uuid}/apikey",
     response_model=schemas.APIKeyWithSecret,