drop access key support from the sdk (#114)

NRHelmi · web-flow · commit 1e5b0b7e1616 · 2022-11-22T22:37:51.000+01:00
diff --git a/railib/config.py b/railib/config.py
@@ -19,11 +19,10 @@
 # and client credentials.
 
 import configparser
-import json
 import os
 from pathlib import Path
 
-from .credentials import AccessKeyCredentials, ClientCredentials
+from .credentials import ClientCredentials
 
 
 def _read_config_profile(fname: str, profile: str) -> dict:
@@ -35,27 +34,6 @@ def _read_config_profile(fname: str, profile: str) -> dict:
     return {k: config[profile][k] for k in config[profile]}
 
 
-def _read_pkey(fname: Path):
-    with open(fname) as fp:
-        data = json.load(fp)
-        pkey = data.get("sodium", {}).get("seed", None)
-        if pkey is None:
-            raise Exception("malformed private key")
-        return pkey
-
-
-# Reads access key credentials from the config file. Returns None if they
-# do not exist.
-def _read_access_key_credentials(data, path: Path):
-    akey = data.get("access_key", None)
-    if akey is not None:
-        fname = data.get("private_key_filename", None)
-        if fname is not None:
-            pkey = _read_pkey(path.with_name(fname))
-            return AccessKeyCredentials(akey, pkey)
-    return None
-
-
 # Read client credentials from the config file. Returns None if they do not
 # exist.
 def _read_client_credentials(data):
@@ -72,8 +50,6 @@ def _read_client_credentials(data):
 # if they exist. Returns None if no credentials exist.
 def _read_credentials(data, path):
     creds = _read_client_credentials(data)
-    if creds is None:
-        creds = _read_access_key_credentials(data, path)
     return creds
 
 
diff --git a/railib/credentials.py b/railib/credentials.py
@@ -18,7 +18,6 @@
 
 __all__ = [
     "Credentials",
-    "AccessKeyCredentials",
     "AccessToken",
     "ClientCredentials",
 ]
@@ -31,13 +30,6 @@ class Credentials(ABC):
     pass
 
 
-# Represents access key credentials.
-class AccessKeyCredentials(Credentials):
-    def __init__(self, akey: str, pkey: str):
-        self.akey = akey  # access_key
-        self.pkey = pkey  # private_key
-
-
 # Represents an OAuth access token.
 class AccessToken:
     def __init__(self, access_token: str, scope: str, expires_in: int, created_on: float = time.time()):
diff --git a/railib/rest.py b/railib/rest.py
@@ -14,18 +14,13 @@
 
 """Low level HTTP interface to the RelationalAI REST API."""
 
-import ed25519
-import base64
-from datetime import datetime
-import hashlib
 import json
 from os import path
 from urllib.parse import urlencode, urlsplit, quote
 from urllib.request import Request, urlopen
 
 from .__init__ import __version__
 from .credentials import (
-    AccessKeyCredentials,
     AccessToken,
     Credentials,
     ClientCredentials,
@@ -44,9 +39,6 @@
 SCOPE = "scope"
 
 
-_empty = bytes("", encoding="utf8")
-
-
 # Context contains the state required to make rAI REST API calls.
 class Context(object):
     def __init__(self, region: str = None, credentials: Credentials = None):
@@ -202,63 +194,6 @@ def _request_access_token(ctx: Context, url: str) -> AccessToken:
     raise Exception("failed to get the access token")
 
 
-# Implement RAI API key authentication by signing the request and adding the
-# required authorization header.
-def _sign(ctx: Context, req: Request) -> None:
-    assert isinstance(ctx.credentials, AccessKeyCredentials)
-
-    ts = datetime.utcnow()
-
-    # ISO8601 date/time strings for time of request
-    signature_date = ts.strftime("%Y%m%dT%H%M%SZ")
-    scope_date = ts.strftime("%Y%m%d")
-
-    # Authentication scope
-    scope = f"{scope_date}/{ctx.region}/{ctx.service}/rai01_request"
-
-    # SHA256 hash of content
-    content = req.data or _empty
-    content_hash = hashlib.sha256(content).hexdigest()
-
-    # Include "x-rai-date" in signed headers
-    req.headers["x-rai-date"] = signature_date
-
-    # Sort and lowercase headers to produce a canonical form
-    canonical_headers = sorted(
-        [f"{k.lower()}:{v.strip()}" for k, v in req.headers.items()]
-    )
-
-    h_names = sorted([k.lower() for k in req.headers])
-    signed_headers = ";".join(h_names)
-
-    # Create hash of canonical request
-    split_result = urlsplit(req.full_url)  # was self.url
-    canonical_form = "{}\n{}\n{}\n{}\n\n{}\n{}".format(
-        req.method,
-        _encode_path(split_result.path),
-        split_result.query,
-        "\n".join(canonical_headers),
-        signed_headers,
-        content_hash,
-    )
-
-    canonical_hash = hashlib.sha256(canonical_form.encode("utf-8")).hexdigest()
-    # Create and sign "String to sign"
-    string_to_sign = "RAI01-ED25519-SHA256\n{}\n{}\n{}".format(
-        signature_date, scope, canonical_hash
-    )
-
-    seed = base64.b64decode(ctx.credentials.pkey)
-    signing_key = ed25519.SigningKey(seed)
-    sig = signing_key.sign(string_to_sign.encode("utf-8")).hex()
-
-    req.headers["authorization"] = (
-        "RAI01-ED25519-SHA256 Credential={}/{},"
-        "SignedHeaders={},"
-        "Signature={}".format(ctx.credentials.akey, scope, signed_headers, sig)
-    )
-
-
 # Authenticate the request by signing or adding access token.
 def _authenticate(ctx: Context, req: Request) -> Request:
     creds = ctx.credentials
@@ -268,9 +203,6 @@ def _authenticate(ctx: Context, req: Request) -> Request:
         access_token = _get_access_token(ctx, req.full_url)
         req.headers["authorization"] = f"Bearer {access_token}"
         return req
-    if isinstance(creds, AccessKeyCredentials):
-        _sign(ctx, req)
-        return req
     raise Exception("unknown credential type")
 
 
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,3 @@
-ed25519==1.5
 grpcio-tools==1.47.0
 protobuf==3.20.2
 pyarrow==6.0.1

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-ed25519==1.5`
`2`	`1`	`grpcio-tools==1.47.0`
`3`	`2`	`protobuf==3.20.2`
`4`	`3`	`pyarrow==6.0.1`