feat(change token genertion towards tb api) (#4060) (patch)

# Description

Add google oauth auth header to trailblazer requests

cg/apps/tb/api.py

@@ -4,8 +4,8 @@
 import logging
 from typing import Any
 
-from google.auth import jwt
-from google.auth.crypt import RSASigner
+from google.auth.transport.requests import Request
+from google.oauth2 import service_account
 
 from cg.apps.tb.dto.create_job_request import CreateJobRequest
 from cg.apps.tb.dto.summary_response import AnalysisSummary, SummariesResponse
@@ -46,14 +46,17 @@ class TrailblazerAPI:
     def __init__(self, config: dict):
         self.service_account = config["trailblazer"]["service_account"]
         self.service_account_auth_file = config["trailblazer"]["service_account_auth_file"]
+        self.google_client_id = config["trailblazer"]["google_client_id"]
         self.host = config["trailblazer"]["host"]
 
     @property
     def auth_header(self) -> dict:
-        signer = RSASigner.from_service_account_file(self.service_account_auth_file)
-        payload = {"email": self.service_account}
-        jwt_token = jwt.encode(signer=signer, payload=payload).decode("ascii")
-        return {"Authorization": f"Bearer {jwt_token}"}
+        credentials = service_account.IDTokenCredentials.from_service_account_file(
+            self.service_account_auth_file,
+            target_audience=self.google_client_id,
+        )
+        credentials.refresh(Request())
+        return {"Authorization": f"Bearer {credentials.token}"}
 
     def query_trailblazer(
         self, command: str, request_body: dict, method: str = APIMethods.POST

cg/models/cg_config.py

@@ -129,6 +129,7 @@ class ClientConfig(BaseModel):
 class TrailblazerConfig(BaseModel):
     service_account: str
     service_account_auth_file: str
+    google_client_id: str
     host: str
 
 

cg/server/app_config.py

@@ -21,6 +21,7 @@ class AppConfig(BaseSettings):
     trailblazer_host: str = "trailblazer_host"
     trailblazer_service_account: str = "service_account"
     trailblazer_service_account_auth_file: str = "auth_file.json"
+    trailblazer_google_client_id: str = "google_client_id"
     freshdesk_url: str = "https://company.freshdesk.com"
     freshdesk_api_key: str = "freshdesk_api_key"
     freshdesk_order_email_id: int = 10

cg/server/ext.py

@@ -68,11 +68,13 @@ def __init__(self, app=None):
     def init_app(self, app):
         service_account: str = app.config["trailblazer_service_account"]
         service_account_auth_file: str = app.config["trailblazer_service_account_auth_file"]
+        google_client_id: str = app.config["trailblazer_google_client_id"]
         host: str = app.config["trailblazer_host"]
         config = {
             "trailblazer": {
                 "service_account": service_account,
                 "service_account_auth_file": service_account_auth_file,
+                "google_client_id": google_client_id,
                 "host": host,
             }
         }

tests/conftest.py

@@ -2185,6 +2185,7 @@ def context_config(
             "host": "https://trailblazer.scilifelab.se/",
             "service_account": "SERVICE",
             "service_account_auth_file": "trailblazer-auth.json",
+            "google_client_id": "client_id",
         },
         "arnold": {"api_url": "https://arnold.scilifelab.se/"},
         "janus": {"host": "https://janus.sys.scilifelab.se/"},

tests/server/conftest.py

@@ -25,6 +25,7 @@
 os.environ["GOOGLE_OAUTH_CLIENT_SECRET"] = "dummy_value"
 os.environ["TRAILBLAZER_SERVICE_ACCOUNT"] = "dummy_value"
 os.environ["TRAILBLAZER_SERVICE_ACCOUNT_AUTH_FILE"] = "dummy_value"
+os.environ["TRAILBLAZER_GOOGLE_CLIENT_ID"] = "dummy_value"
 os.environ["TRAILBLAZER_HOST"] = "dummy_value"
 os.environ["CG_SECRET_KEY"] = "dummy_value"
 os.environ["GUNICORN_BIND"] = "0.0.0.0:8000"