OpenMetadata/ingestion/src/metadata/utils/credentials.py

#  Copyright 2021 Collate
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#  http://www.apache.org/licenses/LICENSE-2.0
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
"""
Credentials helper module
"""
import base64
import json
import os
import tempfile
from typing import Dict

from cryptography.hazmat.primitives import serialization

from metadata.generated.schema.security.credentials.gcsCredentials import (
    GCSCredentials,
    GCSCredentialsPath,
    GCSValues,
)
from metadata.utils.logger import utils_logger

logger = utils_logger()

GOOGLE_CREDENTIALS = "GOOGLE_APPLICATION_CREDENTIALS"


class InvalidGcsConfigException(Exception):
    """
    Raised when we have errors trying to set GCS credentials
    """


class InvalidPrivateKeyException(Exception):
    """
    If the key cannot be serialised
    """


def validate_private_key(private_key: str) -> None:
    """
    Make sure that a private key can be properly parsed
    by cryptography backends
    :param private_key: key to validate
    """
    try:
        serialization.load_pem_private_key(private_key.encode(), password=None)
    except ValueError as err:
        msg = f"Cannot serialise key: {err}"
        raise InvalidPrivateKeyException(msg) from err


def create_credential_tmp_file(credentials: dict) -> str:
    """
    Given a credentials' dict, store it in a tmp file
    :param credentials: dictionary to store
    :return: path to find the file
    """
    with tempfile.NamedTemporaryFile(delete=False) as temp_file:
        cred_json = json.dumps(credentials, indent=4, separators=(",", ": "))
        temp_file.write(cred_json.encode())

        return temp_file.name


def build_google_credentials_dict(gcs_values: GCSValues) -> Dict[str, str]:
    """
    Given GCSValues, build a dictionary as the JSON file
    downloaded from GCS with the service_account
    :param gcs_values: GCS credentials
    :return: Dictionary with credentials
    """

    private_key_str = gcs_values.privateKey.get_secret_value()
    validate_private_key(private_key_str)

    return {
        "type": gcs_values.type,
        "project_id": gcs_values.projectId,
        "private_key_id": gcs_values.privateKeyId,
        "private_key": private_key_str,
        "client_email": gcs_values.clientEmail,
        "client_id": gcs_values.clientId,
        "auth_uri": str(gcs_values.authUri),
        "token_uri": str(gcs_values.tokenUri),
        "auth_provider_x509_cert_url": str(gcs_values.authProviderX509CertUrl),
        "client_x509_cert_url": str(gcs_values.clientX509CertUrl),
    }


def set_google_credentials(gcs_credentials: GCSCredentials) -> None:
    """
    Set GCS credentials environment variable
    :param gcs_credentials: GCSCredentials
    """
    if os.environ.get(GOOGLE_CREDENTIALS):
        return

    if isinstance(gcs_credentials.gcsConfig, GCSCredentialsPath):
        os.environ[GOOGLE_CREDENTIALS] = str(gcs_credentials.gcsConfig.__root__)
        return

    if gcs_credentials.gcsConfig.projectId is None:
        logger.info(
            "No credentials available, using the current environment permissions authenticated via gcloud SDK."
        )
        return

    if isinstance(gcs_credentials.gcsConfig, GCSValues):
        if (
            gcs_credentials.gcsConfig.projectId
            and not gcs_credentials.gcsConfig.privateKey
        ):
            logger.info(
                "Overriding default projectid, using the current environment permissions authenticated via gcloud SDK."
            )
            return
        credentials_dict = build_google_credentials_dict(gcs_credentials.gcsConfig)

        tmp_credentials_file = create_credential_tmp_file(credentials=credentials_dict)
        os.environ[GOOGLE_CREDENTIALS] = tmp_credentials_file
        return

    raise InvalidGcsConfigException(
        f"Error trying to set GCS credentials with {gcs_credentials}."
        " Check https://docs.open-metadata.org/openmetadata/connectors/database/bigquery "
    )


def generate_http_basic_token(username, password):
    """
    Generates a HTTP basic token from username and password
    Returns a token string (not a byte)
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("utf-8")
    return token
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`# Copyright 2021 Collate`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`"""`
			`Credentials helper module`
			`"""`
Fix #8495: Update pipeline sources for pipeline as edge lineage (#8556) 2022-11-08 14:13:49 +05:30			`import base64`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`import json`
			`import os`
			`import tempfile`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`from typing import Dict`

			`from cryptography.hazmat.primitives import serialization`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00
			`from metadata.generated.schema.security.credentials.gcsCredentials import (`
			`GCSCredentials,`
			`GCSCredentialsPath,`
			`GCSValues,`
			`)`
Issue 4660: Bigquery ADC FIx (#5241) * fixed-bigquery-adc 2022-06-01 13:52:55 +05:30			`from metadata.utils.logger import utils_logger`

			`logger = utils_logger()`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00
			`GOOGLE_CREDENTIALS = "GOOGLE_APPLICATION_CREDENTIALS"`


			`class InvalidGcsConfigException(Exception):`
			`"""`
			`Raised when we have errors trying to set GCS credentials`
			`"""`


Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`class InvalidPrivateKeyException(Exception):`
			`"""`
			`If the key cannot be serialised`
			`"""`


			`def validate_private_key(private_key: str) -> None:`
			`"""`
			`Make sure that a private key can be properly parsed`
			`by cryptography backends`
			`:param private_key: key to validate`
			`"""`
			`try:`
			`serialization.load_pem_private_key(private_key.encode(), password=None)`
			`except ValueError as err:`
Fix#6027: Fix logging in metadata package modules except ingestion and orm_profiler (#6970) * Fix logging in metadata package modules except ingestion and orm_profiler * Reduce log level to _get_columns_with_constraints method 2022-08-29 06:46:06 +02:00			`msg = f"Cannot serialise key: {err}"`
Added fixes according to pylint (#8009) Co-authored-by: Onkar Ravgan <onkarravgan@Onkars-MacBook-Pro.local> 2022-10-10 16:23:47 +05:30			`raise InvalidPrivateKeyException(msg) from err`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00

Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`def create_credential_tmp_file(credentials: dict) -> str:`
			`"""`
			`Given a credentials' dict, store it in a tmp file`
			`:param credentials: dictionary to store`
			`:return: path to find the file`
			`"""`
Added fixes according to pylint (#8009) Co-authored-by: Onkar Ravgan <onkarravgan@Onkars-MacBook-Pro.local> 2022-10-10 16:23:47 +05:30			`with tempfile.NamedTemporaryFile(delete=False) as temp_file:`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`cred_json = json.dumps(credentials, indent=4, separators=(",", ": "))`
Added fixes according to pylint (#8009) Co-authored-by: Onkar Ravgan <onkarravgan@Onkars-MacBook-Pro.local> 2022-10-10 16:23:47 +05:30			`temp_file.write(cred_json.encode())`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00
Added fixes according to pylint (#8009) Co-authored-by: Onkar Ravgan <onkarravgan@Onkars-MacBook-Pro.local> 2022-10-10 16:23:47 +05:30			`return temp_file.name`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00

Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`def build_google_credentials_dict(gcs_values: GCSValues) -> Dict[str, str]:`
			`"""`
			`Given GCSValues, build a dictionary as the JSON file`
			`downloaded from GCS with the service_account`
			`:param gcs_values: GCS credentials`
			`:return: Dictionary with credentials`
			`"""`

			`private_key_str = gcs_values.privateKey.get_secret_value()`
			`validate_private_key(private_key_str)`

			`return {`
			`"type": gcs_values.type,`
			`"project_id": gcs_values.projectId,`
			`"private_key_id": gcs_values.privateKeyId,`
			`"private_key": private_key_str,`
			`"client_email": gcs_values.clientEmail,`
			`"client_id": gcs_values.clientId,`
			`"auth_uri": str(gcs_values.authUri),`
			`"token_uri": str(gcs_values.tokenUri),`
			`"auth_provider_x509_cert_url": str(gcs_values.authProviderX509CertUrl),`
			`"client_x509_cert_url": str(gcs_values.clientX509CertUrl),`
			`}`


Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`def set_google_credentials(gcs_credentials: GCSCredentials) -> None:`
			`"""`
			`Set GCS credentials environment variable`
			`:param gcs_credentials: GCSCredentials`
			`"""`
			`if os.environ.get(GOOGLE_CREDENTIALS):`
			`return`

			`if isinstance(gcs_credentials.gcsConfig, GCSCredentialsPath):`
			`os.environ[GOOGLE_CREDENTIALS] = str(gcs_credentials.gcsConfig.__root__)`
			`return`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00
Issue 4660: Bigquery ADC FIx (#5241) * fixed-bigquery-adc 2022-06-01 13:52:55 +05:30			`if gcs_credentials.gcsConfig.projectId is None:`
			`logger.info(`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`"No credentials available, using the current environment permissions authenticated via gcloud SDK."`
Issue 4660: Bigquery ADC FIx (#5241) * fixed-bigquery-adc 2022-06-01 13:52:55 +05:30			`)`
			`return`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`if isinstance(gcs_credentials.gcsConfig, GCSValues):`
Add Specific Projectid support feature (#7591) 2022-09-20 17:36:10 +05:30			`if (`
			`gcs_credentials.gcsConfig.projectId`
			`and not gcs_credentials.gcsConfig.privateKey`
			`):`
			`logger.info(`
			`"Overriding default projectid, using the current environment permissions authenticated via gcloud SDK."`
			`)`
			`return`
Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) Fix #6787 - GCS credentials marked as required + validate privateKey (#6804) 2022-08-19 11:19:20 +02:00			`credentials_dict = build_google_credentials_dict(gcs_credentials.gcsConfig)`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00
			`tmp_credentials_file = create_credential_tmp_file(credentials=credentials_dict)`
			`os.environ[GOOGLE_CREDENTIALS] = tmp_credentials_file`
			`return`

			`raise InvalidGcsConfigException(`
			`f"Error trying to set GCS credentials with {gcs_credentials}."`
Fix (#6984) doc links in OpenMetaData (#6986) * Fix doc links in OpenMetaData * Link updated * remove unwanted file * changes as per comments * Changes as per comments 2022-08-29 19:38:54 +05:30			`" Check https://docs.open-metadata.org/openmetadata/connectors/database/bigquery "`
Fix #4032 - Bigquery properties & GCS Credentials (#4202) Fix #4032 - Bigquery properties & GCS Credentials (#4202) 2022-04-19 12:31:34 +02:00			`)`
Fix #8495: Update pipeline sources for pipeline as edge lineage (#8556) 2022-11-08 14:13:49 +05:30

			`def generate_http_basic_token(username, password):`
			`"""`
			`Generates a HTTP basic token from username and password`
			`Returns a token string (not a byte)`
			`"""`
			`token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("utf-8")`
			`return token`