Merge pull request #505 from radofuchs/LCORE_287_authorized_openshift_compatibility

LCORE-287: update documentation for authorized endpoint to align with openshift

Author: tisnik

docs/openapi.json

@@ -689,7 +689,17 @@
                         }
                     },
                     "400": {
-                        "description": "Missing or invalid credentials provided by client",
+                        "description": "Missing or invalid credentials provided by client for the noop and noop-with-token authentication modules",
+                        "content": {
+                            "application/json": {
+                                "schema": {
+                                    "$ref": "#/components/schemas/UnauthorizedResponse"
+                                }
+                            }
+                        }
+                    },
+                    "401": {
+                        "description": "Missing or invalid credentials provided by client for the k8s authentication module",
                         "content": {
                             "application/json": {
                                 "schema": {
@@ -922,19 +932,27 @@
                             "John Doe",
                             "Adam Smith"
                         ]
+                    },
+                    "skip_userid_check": {
+                        "type": "boolean",
+                        "title": "Skip User Id Check",
+                        "description": "Whether to skip the user ID check",
+                        "examples": [true, false]
                     }
                 },
                 "type": "object",
                 "required": [
                     "user_id",
-                    "username"
+                    "username",
+                    "skip_userid_check"
                 ],
                 "title": "AuthorizedResponse",
                 "description": "Model representing a response to an authorization request.\n\nAttributes:\n    user_id: The ID of the logged in user.\n    username: The name of the logged in user.",
                 "examples": [
                     {
                         "user_id": "123e4567-e89b-12d3-a456-426614174000",
-                        "username": "user1"
+                        "username": "user1",
+                        "skip_userid_check": false
                     }
                 ]
             },

docs/openapi.md

@@ -397,7 +397,8 @@ Returns:
 | Status Code | Description | Component |
 |-------------|-------------|-----------|
 | 200 | The user is logged-in and authorized to access OLS | [AuthorizedResponse](#authorizedresponse) |
-| 400 | Missing or invalid credentials provided by client | [UnauthorizedResponse](#unauthorizedresponse) |
+| 400 | Missing or invalid credentials provided by client for noop and noop-with-token | [UnauthorizedResponse](#unauthorizedresponse) |
+| 401 | Missing or invalid credentials provided by client for k8s | [UnauthorizedResponse](#unauthorizedresponse) |
 | 403 | User is not authorized | [ForbiddenResponse](#forbiddenresponse) |
 ## GET `/metrics`
 
@@ -515,6 +516,7 @@ Attributes:
 |-------|------|-------------|
 | user_id | string | User ID, for example UUID |
 | username | string | User name |
+| skip_userid_check | bool | Whether to skip user_id check |
 
 
 ## CORSConfiguration

docs/output.md

@@ -397,7 +397,8 @@ Returns:
 | Status Code | Description | Component |
 |-------------|-------------|-----------|
 | 200 | The user is logged-in and authorized to access OLS | [AuthorizedResponse](#authorizedresponse) |
-| 400 | Missing or invalid credentials provided by client | [UnauthorizedResponse](#unauthorizedresponse) |
+| 400 | Missing or invalid credentials provided by client for noop and noop-with-token | [UnauthorizedResponse](#unauthorizedresponse) |
+| 401 | Missing or invalid credentials provided by client for k8s | [UnauthorizedResponse](#unauthorizedresponse) |
 | 403 | User is not authorized | [ForbiddenResponse](#forbiddenresponse) |
 ## GET `/metrics`
 
@@ -509,12 +510,14 @@ Model representing a response to an authorization request.
 Attributes:
     user_id: The ID of the logged in user.
     username: The name of the logged in user.
+    skip_userid_check: Whether to skip user_id check
 
 
 | Field | Type | Description |
 |-------|------|-------------|
 | user_id | string | User ID, for example UUID |
 | username | string | User name |
+| skip_userid_check | bool | skip user_id check |
 
 
 ## CORSConfiguration

src/app/endpoints/authorized.py

@@ -20,7 +20,13 @@
         "model": AuthorizedResponse,
     },
     400: {
-        "description": "Missing or invalid credentials provided by client",
+        "description": "Missing or invalid credentials provided by client for the noop and"
+        "noop-with-token authentication modules",
+        "model": UnauthorizedResponse,
+    },
+    401: {
+        "description": "Missing or invalid credentials provided by client for the"
+        "k8s authentication module",
         "model": UnauthorizedResponse,
     },
     403: {
@@ -44,5 +50,7 @@ async def authorized_endpoint_handler(
         AuthorizedResponse: Contains the user ID and username of the authenticated user.
     """
     # Ignore the user token, we should not return it in the response
-    user_id, user_name, _ = auth
-    return AuthorizedResponse(user_id=user_id, username=user_name)
+    user_id, user_name, skip_userid_check, _ = auth
+    return AuthorizedResponse(
+        user_id=user_id, username=user_name, skip_userid_check=skip_userid_check
+    )

src/app/endpoints/feedback.py

@@ -110,7 +110,7 @@ async def feedback_endpoint_handler(
     """
     logger.debug("Feedback received %s", str(feedback_request))
 
-    user_id, _, _ = auth
+    user_id, _, _, _ = auth
     try:
         store_feedback(user_id, feedback_request.model_dump(exclude={"model_config"}))
     except Exception as e:
@@ -195,7 +195,7 @@ async def update_feedback_status(
     Returns:
         FeedbackStatusUpdateResponse: Indicates whether feedback is enabled.
     """
-    user_id, _, _ = auth
+    user_id, _, _, _ = auth
     requested_status = feedback_update_request.get_value()
 
     with feedback_status_lock:

src/app/endpoints/query.py

@@ -180,7 +180,7 @@ async def query_endpoint_handler(
     # log Llama Stack configuration
     logger.info("Llama stack config: %s", configuration.llama_stack_configuration)
 
-    user_id, _, token = auth
+    user_id, _, _, token = auth
 
     user_conversation: UserConversation | None = None
     if query_request.conversation_id:

src/app/endpoints/streaming_query.py

@@ -556,7 +556,7 @@ async def streaming_query_endpoint_handler(  # pylint: disable=too-many-locals
     # log Llama Stack configuration
     logger.info("Llama stack config: %s", configuration.llama_stack_configuration)
 
-    user_id, _user_name, token = auth
+    user_id, _user_name, _skip_userid_check, token = auth
 
     user_conversation: UserConversation | None = None
     if query_request.conversation_id:

src/auth/interface.py

@@ -9,15 +9,26 @@
 
 from fastapi import Request
 
-from constants import DEFAULT_USER_NAME, DEFAULT_USER_UID, NO_USER_TOKEN
+from constants import (
+    DEFAULT_USER_NAME,
+    DEFAULT_SKIP_USER_ID_CHECK,
+    DEFAULT_USER_UID,
+    NO_USER_TOKEN,
+)
 
 UserID = str
 UserName = str
+SkipUserIdCheck = bool
 Token = str
 
-AuthTuple = tuple[UserID, UserName, Token]
+AuthTuple = tuple[UserID, UserName, SkipUserIdCheck, Token]
 
-NO_AUTH_TUPLE: AuthTuple = (DEFAULT_USER_UID, DEFAULT_USER_NAME, NO_USER_TOKEN)
+NO_AUTH_TUPLE: AuthTuple = (
+    DEFAULT_USER_UID,
+    DEFAULT_USER_NAME,
+    DEFAULT_SKIP_USER_ID_CHECK,
+    NO_USER_TOKEN,
+)
 
 
 class AuthInterface(ABC):  # pylint: disable=too-few-public-methods

src/auth/jwk_token.py

@@ -118,6 +118,7 @@ def __init__(
         """Initialize the required allowed paths for authorization checks."""
         self.virtual_path: str = virtual_path
         self.config: JwkConfiguration = config
+        self.skip_userid_check = False
 
     async def __call__(self, request: Request) -> AuthTuple:
         """Authenticate the JWT in the headers against the keys from the JWK url."""
@@ -190,4 +191,4 @@ async def __call__(self, request: Request) -> AuthTuple:
 
         logger.info("Successfully authenticated user %s (ID: %s)", username, user_id)
 
-        return user_id, username, user_token
+        return user_id, username, self.skip_userid_check, user_token

src/auth/k8s.py

@@ -11,7 +11,6 @@
 from kubernetes.config import ConfigException
 
 from configuration import configuration
-from auth.utils import extract_user_token
 from auth.interface import AuthInterface
 from constants import DEFAULT_VIRTUAL_PATH
 
@@ -227,18 +226,33 @@ class K8SAuthDependency(AuthInterface):  # pylint: disable=too-few-public-method
     def __init__(self, virtual_path: str = DEFAULT_VIRTUAL_PATH) -> None:
         """Initialize the required allowed paths for authorization checks."""
         self.virtual_path = virtual_path
+        self.skip_userid_check = False
 
-    async def __call__(self, request: Request) -> tuple[str, str, str]:
+    async def __call__(self, request: Request) -> tuple[str, str, bool, str]:
         """Validate FastAPI Requests for authentication and authorization.
 
         Args:
             request: The FastAPI request object.
 
         Returns:
             The user's UID and username if authentication and authorization succeed
-            user_id check is skipped with noop auth to allow consumers provide user_id
+            user_id check should never be skipped with K8s authentication
+            If user_id check should be skipped - always return False for k8s
+            User's token
         """
-        token = extract_user_token(request.headers)
+        authorization_header = request.headers.get("Authorization")
+        if not authorization_header:
+            raise HTTPException(
+                status_code=401, detail="Unauthorized: No auth header found"
+            )
+
+        token = _extract_bearer_token(authorization_header)
+        if not token:
+            raise HTTPException(
+                status_code=401,
+                detail="Unauthorized: Bearer token not found or invalid",
+            )
+
         user_info = get_user_info(token)
         if user_info is None:
             raise HTTPException(
@@ -267,4 +281,9 @@ async def __call__(self, request: Request) -> tuple[str, str, str]:
             logger.error("API exception during SubjectAccessReview: %s", e)
             raise HTTPException(status_code=403, detail="Internal server error") from e
 
-        return user_info.user.uid, user_info.user.username, token
+        return (
+            user_info.user.uid,
+            user_info.user.username,
+            self.skip_userid_check,
+            token,
+        )