fix: remove default issuer and add models docstring

DIRACGrid · Mar 6, 2025 · f92d3f7 · f92d3f7
1 parent b03406b
commit f92d3f7
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 8 deletions.
diff --git a/diracx-core/src/diracx/core/models.py b/diracx-core/src/diracx/core/models.py
@@ -1,3 +1,8 @@
+"""Models are used to define the data structure of the requests and responses
+for the DiracX API. They are shared between the client components (cli, api) and
+services components (db, logic, routers).
+"""
+
 from __future__ import annotations
 
 from datetime import datetime

diff --git a/diracx-core/src/diracx/core/settings.py b/diracx-core/src/diracx/core/settings.py
@@ -134,9 +134,7 @@ class AuthSettings(ServiceSettingsBase):
     # State key is used to encrypt/decrypt the state dict passed to the IAM
     state_key: FernetKey
 
-    # TODO: this should probably be something mandatory
-    # to set by the user
-    token_issuer: str = "http://lhcbdirac.cern.ch/"  # noqa: S105
+    token_issuer: str
     token_key: TokenSigningKey
     token_algorithm: str = "RS256"  # noqa: S105
     access_token_expire_minutes: int = 20

diff --git a/diracx-db/src/diracx/db/sql/sandbox_metadata/db.py b/diracx-db/src/diracx/db/sql/sandbox_metadata/db.py
@@ -23,7 +23,6 @@ class SandboxMetadataDB(BaseSQLDB):
 
     async def get_owner_id(self, user: UserInfo) -> int | None:
         """Get the id of the owner from the database."""
-        # TODO: Follow https://github.com/DIRACGrid/diracx/issues/49
         stmt = select(SBOwners.OwnerID).where(
             SBOwners.Owner == user.preferred_username,
             SBOwners.OwnerGroup == user.dirac_group,

diff --git a/diracx-logic/src/diracx/logic/auth/token.py b/diracx-logic/src/diracx/logic/auth/token.py
@@ -273,9 +273,6 @@ async def exchange_token(
             "Dynamic registration of users is not yet implemented"
         )
 
-    # Extract attributes from the settings and configuration
-    issuer = settings.token_issuer
-
     # Check that the subject is part of the dirac users
     if sub not in config.Registry[vo].Groups[dirac_group].Users:
         raise PermissionError(
@@ -320,7 +317,7 @@ async def exchange_token(
     access_payload: AccessTokenPayload = {
         "sub": sub,
         "vo": vo,
-        "iss": issuer,
+        "iss": settings.token_issuer,
         "dirac_properties": list(properties),
         "jti": str(uuid4()),
         "preferred_username": preferred_username,

diff --git a/diracx-testing/src/diracx/testing/utils.py b/diracx-testing/src/diracx/testing/utils.py
@@ -100,6 +100,7 @@ def test_auth_settings(
     from diracx.core.settings import AuthSettings
 
     yield AuthSettings(
+        token_issuer="http://lhcbdirac.cern.ch/",
         token_algorithm="EdDSA",
         token_key=private_key_pem,
         state_key=fernet_key,

diff --git a/run_local.sh b/run_local.sh
@@ -38,6 +38,7 @@ export DIRACX_OS_DB_JOBPARAMETERSDB='{"sqlalchemy_dsn": "sqlite+aiosqlite:///'${
 export DIRACX_SERVICE_AUTH_TOKEN_KEY="file://${signing_key}"
 export DIRACX_SERVICE_AUTH_STATE_KEY="${state_key}"
 hostname_lower=$(hostname | tr -s '[:upper:]' '[:lower:]')
+export DIRACX_SERVICE_AUTH_TOKEN_ISSUER="http://$hostname_lower:8000"
 export DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS='["http://'"$hostname_lower"':8000/docs/oauth2-redirect"]'
 export DIRACX_SANDBOX_STORE_BUCKET_NAME=sandboxes
 export DIRACX_SANDBOX_STORE_AUTO_CREATE_BUCKET=true