fix: remove default issuer and add models docstring

Author: aldbr

diracx-cli/src/diracx/cli/internal/legacy.py

@@ -230,6 +230,7 @@ def generate_helm_values(
     helm_values["diracx"] = diracx_config
     diracx_config["hostname"] = diracx_hostname
 
+    diracx_settings["DIRACX_SERVICE_AUTH_TOKEN_ISSUER"] = diracx_url
     diracx_settings["DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS"] = json.dumps(
         [
             urljoin(diracx_url, "api/docs/oauth2-redirect"),

diracx-core/src/diracx/core/models.py

@@ -1,3 +1,8 @@
+"""Models are used to define the data structure of the requests and responses
+for the DiracX API. They are shared between the client components (cli, api) and
+services components (db, logic, routers).
+"""
+
 from __future__ import annotations
 
 from datetime import datetime

diracx-core/src/diracx/core/settings.py

@@ -134,9 +134,7 @@ class AuthSettings(ServiceSettingsBase):
     # State key is used to encrypt/decrypt the state dict passed to the IAM
     state_key: FernetKey
 
-    # TODO: this should probably be something mandatory
-    # to set by the user
-    token_issuer: str = "http://lhcbdirac.cern.ch/"  # noqa: S105
+    token_issuer: str
     token_key: TokenSigningKey
     token_algorithm: str = "RS256"  # noqa: S105
     access_token_expire_minutes: int = 20

diracx-db/src/diracx/db/sql/sandbox_metadata/db.py

@@ -23,7 +23,6 @@ class SandboxMetadataDB(BaseSQLDB):
 
     async def get_owner_id(self, user: UserInfo) -> int | None:
         """Get the id of the owner from the database."""
-        # TODO: Follow https://github.com/DIRACGrid/diracx/issues/49
         stmt = select(SBOwners.OwnerID).where(
             SBOwners.Owner == user.preferred_username,
             SBOwners.OwnerGroup == user.dirac_group,

diracx-logic/src/diracx/logic/auth/token.py

@@ -273,9 +273,6 @@ async def exchange_token(
             "Dynamic registration of users is not yet implemented"
         )
 
-    # Extract attributes from the settings and configuration
-    issuer = settings.token_issuer
-
     # Check that the subject is part of the dirac users
     if sub not in config.Registry[vo].Groups[dirac_group].Users:
         raise PermissionError(
@@ -320,7 +317,7 @@ async def exchange_token(
     access_payload: AccessTokenPayload = {
         "sub": sub,
         "vo": vo,
-        "iss": issuer,
+        "iss": settings.token_issuer,
         "dirac_properties": list(properties),
         "jti": str(uuid4()),
         "preferred_username": preferred_username,

diracx-routers/tests/auth/test_standard.py

@@ -613,6 +613,7 @@ async def test_refresh_token_invalid(test_client, auth_httpx_mock: HTTPXMock):
     ).decode()
 
     new_auth_settings = AuthSettings(
+        token_issuer="https://iam-auth.web.cern.ch/",
         token_algorithm="EdDSA",
         token_key=pem,
         state_key=Fernet.generate_key(),

diracx-testing/src/diracx/testing/utils.py

@@ -100,6 +100,7 @@ def test_auth_settings(
     from diracx.core.settings import AuthSettings
 
     yield AuthSettings(
+        token_issuer=ISSUER,
         token_algorithm="EdDSA",
         token_key=private_key_pem,
         state_key=fernet_key,

run_local.sh

@@ -38,6 +38,7 @@ export DIRACX_OS_DB_JOBPARAMETERSDB='{"sqlalchemy_dsn": "sqlite+aiosqlite:///'${
 export DIRACX_SERVICE_AUTH_TOKEN_KEY="file://${signing_key}"
 export DIRACX_SERVICE_AUTH_STATE_KEY="${state_key}"
 hostname_lower=$(hostname | tr -s '[:upper:]' '[:lower:]')
+export DIRACX_SERVICE_AUTH_TOKEN_ISSUER="http://${hostname_lower}:8000"
 export DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS='["http://'"$hostname_lower"':8000/docs/oauth2-redirect"]'
 export DIRACX_SANDBOX_STORE_BUCKET_NAME=sandboxes
 export DIRACX_SANDBOX_STORE_AUTO_CREATE_BUCKET=true