From 2ee5f5dfdb4b60ab4903c1256d5e977eadbc6df6 Mon Sep 17 00:00:00 2001
From: Ralf Grubenmann
Date: Fri, 10 Jan 2025 08:12:32 +0100
Subject: [PATCH] fix: do not call dataservice through network from itself (#597)
---
 bases/renku_data_services/data_api/app.py | 1 +
 .../notebooks/blueprints.py | 7 +++++--
 .../renku_data_services/notebooks/utils.py | 19 -------------------
 3 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/bases/renku_data_services/data_api/app.py b/bases/renku_data_services/data_api/app.py
index 1809bf745..f9772dde5 100644
--- a/bases/renku_data_services/data_api/app.py
+++ b/bases/renku_data_services/data_api/app.py
@@ -159,6 +159,7 @@ def register_all_handlers(app: Sanic, config: Config) -> Sanic:
 session_repo=config.session_repo,
 storage_repo=config.storage_repo,
 rp_repo=config.rp_repo,
+ user_repo=config.kc_user_repo,
 data_connector_repo=config.data_connector_repo,
 data_connector_project_link_repo=config.data_connector_to_project_link_repo,
 data_connector_secret_repo=config.data_connector_secret_repo,
diff --git a/components/renku_data_services/notebooks/blueprints.py b/components/renku_data_services/notebooks/blueprints.py
index 889d421be..26406c501 100644
--- a/components/renku_data_services/notebooks/blueprints.py
+++ b/components/renku_data_services/notebooks/blueprints.py
@@ -68,7 +68,6 @@
 renku_2_make_server_name,
 )
 from renku_data_services.notebooks.utils import (
- get_user_secret,
 merge_node_affinities,
 node_affinity_from_resource_class,
 tolerations_from_resource_class,
@@ -78,6 +77,7 @@
 from renku_data_services.session.db import SessionRepository
 from renku_data_services.storage.db import StorageRepository
 from renku_data_services.users.db import UserRepo
+from renku_data_services.utils.cryptography import get_encryption_key
 @dataclass(kw_only=True)
@@ -241,6 +241,7 @@ class NotebooksNewBP(CustomBlueprint):
 session_repo: SessionRepository
 rp_repo: ResourcePoolRepository
 storage_repo: StorageRepository
+ user_repo: UserRepo
 data_connector_repo: DataConnectorRepository
 data_connector_project_link_repo: DataConnectorProjectLinkRepository
 data_connector_secret_repo: DataConnectorSecretRepository
@@ -340,7 +341,9 @@ async def _handler(
 data_sources: list[DataSource] = []
 user_secret_key: str | None = None
 if isinstance(user, AuthenticatedAPIUser) and len(dcs_secrets) > 0:
- user_secret_key = await get_user_secret(self.nb_config.data_service_url, user)
+ secret_key = await self.user_repo.get_or_create_user_secret_key(requested_by=user)
+ user_secret_key = get_encryption_key(secret_key.encode(), user.id.encode()).decode("utf-8")
+
 for cs_id, cs in dcs.items():
 secret_name = f"{server_name}-ds-{cs_id.lower()}"
 secret_key_needed = len(dcs_secrets.get(cs_id, [])) > 0
diff --git a/components/renku_data_services/notebooks/utils.py b/components/renku_data_services/notebooks/utils.py
index 05ddb118f..5c4d457cb 100644
--- a/components/renku_data_services/notebooks/utils.py
+++ b/components/renku_data_services/notebooks/utils.py
@@ -1,9 +1,6 @@
 """Utilities for notebooks."""
-import httpx
-
 import renku_data_services.crc.models as crc_models
-from renku_data_services.base_models.core import AuthenticatedAPIUser
 from renku_data_services.notebooks.crs import (
 MatchExpression,
 NodeAffinity,
@@ -13,7 +10,6 @@
 RequiredDuringSchedulingIgnoredDuringExecution,
 Toleration,
 )
-from renku_data_services.utils.cryptography import get_encryption_key
 def merge_node_affinities(
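Review bot: In the `_handler` hunk of `notebooks/blueprints.py`, the added `self.user_repo.get_or_create_user_secret_key(requested_by=user)` call replaces a request that the data service authorized from the user's bearer token, so access control on this path now rests entirely on what the repository method does with `requested_by`; that method is not part of this patch and should be confirmed to enforce the check itself. The failure behaviour also changes: the removed `get_user_secret` returned `None` on a non-200 response, while an error from the repository now propagates out of the handler. Failing closed looks right when `dcs_secrets` is non-empty, but it is worth stating above the call, e.g. `# Raises on failure: never launch with data connector secrets but no key.` The derived key is kept as a `str` in `user_secret_key`, so it should stay out of any log or error message further down. `_handler` begins and ends outside the hunk.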
@@ -99,18 +95,3 @@ def tolerations_from_resource_class(resource_class: crc_models.ResourceClass) ->
 for tol in resource_class.tolerations:
 output.append(Toleration(key=tol, operator="Exists"))
 return output
-
-
-async def get_user_secret(data_svc_url: str, user: AuthenticatedAPIUser) -> str | None:
- """Get the user secret key from the secret service."""
-
- async with httpx.AsyncClient(timeout=5) as client:
- response = await client.get(
- f"{data_svc_url}/user/secret_key",
- headers={"Authorization": f"Bearer {user.access_token}"},
- )
- if response.status_code != 200:
- return None
- user_key = response.json()
-
- return get_encryption_key(user_key["secret_key"].encode(), user.id.encode()).decode("utf-8")