build: add auth token for worker, update vars in tf

l3vels · Nov 2, 2023 · 23064a9 · 23064a9
1 parent e27fe13
commit 23064a9
Show file tree

Hide file tree

Showing 11 changed files with 107 additions and 57 deletions.
diff --git a/.github/workflows/deploy_server.yml b/.github/workflows/deploy_server.yml
@@ -5,14 +5,12 @@ on:
     branches:
       - main
     paths:
-      - 'apps/server/**'
-
+      - "apps/server/**"
 
 env:
   ACR_REPOSITORY: "l3-api"
   TR_DIRECTORY: "apps/server/terraform"
 
-
 jobs:
   Build:
     name: Build Application Container
@@ -24,17 +22,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-      
-      - name: 'Build and push image'
+
+      - name: "Build and push image"
         uses: azure/docker-login@v1
         with:
           login-server: ${{ vars.ACR_REGISTRY }}
           username: ${{ secrets.AZURE_USERNAME }}
           password: ${{ secrets.AZURE_PASSWORD }}
       - run: |
-           docker build -t ${{ vars.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ github.sha }} -f apps/server/docker/Dockerfile apps/server
-           docker push ${{ vars.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ github.sha }}
-           echo "TAG_NAME=${{ github.sha }}" >> $GITHUB_ENV
+          docker build -t ${{ vars.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ github.sha }} -f apps/server/docker/Dockerfile apps/server
+          docker push ${{ vars.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ github.sha }}
+          echo "TAG_NAME=${{ github.sha }}" >> $GITHUB_ENV
 
   Init_dev:
     runs-on: ubuntu-latest
@@ -44,15 +42,15 @@ jobs:
       ENVIRONMENT: dev
     defaults:
       run:
-        shell: bash        
+        shell: bash
     steps:
       - name: Checkout
         uses: actions/[email protected]
-        
+
       - name: Change file name
-        run: | 
-          mv ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/varfiles/${{ env.ENVIRONMENT  }}.tfvars  ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars 
-      
+        run: |
+          mv ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/varfiles/${{ env.ENVIRONMENT  }}.tfvars  ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars
+
       - name: Update task_container_version
         run: |
           TFVARS="${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars"
@@ -93,11 +91,12 @@ jobs:
           echo -e "AWS_SECRET_ACCESS_KEY = \"${{ secrets.AWS_SECRET_ACCESS_KEY }}\"\n" >> $TFVARS
           echo -e "AWS_REGION = \"${{ vars.AWS_REGION }}\"\n" >> $TFVARS
           echo -e "AWS_S3_BUCKET = \"${{ vars.AWS_S3_BUCKET }}\"\n" >> $TFVARS
-          
+          echo -e "AUTH_TOKEN = \"${{ vars.AUTH_TOKEN }}\"\n" >> $TFVARS
+
       - name: Display .auto.tfvars file content
         run: |
           cat ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars
-  
+
       - name: Upload file
         uses: actions/upload-artifact@v2
         with:
@@ -114,8 +113,8 @@ jobs:
       tf_vars_file: varfiles/dev.tfvars
       gh_environment: dev
       task_container_name: "l3-api"
-      task_container_version: #${{ github.sha }} temp 
-      # task_container_version: "1fe3d215f1ac2e6be5d43b4e1522b9dc43aefd36" 
+      task_container_version: #${{ github.sha }} temp
+      # task_container_version: "1fe3d215f1ac2e6be5d43b4e1522b9dc43aefd36"
       task_container_registry: ${{ vars.ACR_REGISTRY }}
     secrets:
       cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
@@ -156,15 +155,15 @@ jobs:
       ENVIRONMENT: prod
     defaults:
       run:
-        shell: bash        
+        shell: bash
     steps:
       - name: Checkout
         uses: actions/[email protected]
-        
+
       - name: Change file name
-        run: | 
-          mv ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/varfiles/${{ env.ENVIRONMENT  }}.tfvars  ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars 
-            
+        run: |
+          mv ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/varfiles/${{ env.ENVIRONMENT  }}.tfvars  ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars
+
       - name: Update task_container_version
         run: |
           TFVARS="${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars"
@@ -205,17 +204,17 @@ jobs:
           echo -e "AWS_SECRET_ACCESS_KEY = \"${{ secrets.AWS_SECRET_ACCESS_KEY }}\"\n" >> $TFVARS
           echo -e "AWS_REGION = \"${{ vars.AWS_REGION }}\"\n" >> $TFVARS
           echo -e "AWS_S3_BUCKET = \"${{ vars.AWS_S3_BUCKET }}\"\n" >> $TFVARS
-          
+          echo -e "AUTH_TOKEN = \"${{ vars.AUTH_TOKEN }}\"\n" >> $TFVARS
+
       - name: Display .auto.tfvars file content
         run: |
           cat ${{ github.workspace }}/${{ env.TR_DIRECTORY }}/${{ env.ENVIRONMENT  }}.auto.tfvars
-  
+
       - name: Upload file
         uses: actions/upload-artifact@v2
         with:
           name: my-artifact
           path: ${{ github.workspace }}/${{ env.TR_DIRECTORY  }}/${{ env.ENVIRONMENT  }}.auto.tfvars
-
 
   Plan_prod:
     needs: Init_Prod
@@ -256,4 +255,4 @@ jobs:
       azure_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      github_personal_access_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+      github_personal_access_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/apps/server/.env.example b/apps/server/.env.example
@@ -26,6 +26,9 @@ AWS_SECRET_ACCESS_KEY=
 AWS_REGION=
 AWS_S3_BUCKET=
 
+# Auth token for worker
+AUTH_TOKEN=secret
+
 # Optionally configure to enable GitHub Authentication
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=

diff --git a/apps/server/config.py b/apps/server/config.py
@@ -1,4 +1,5 @@
 import os
+
 from dotenv import load_dotenv
 
 load_dotenv(override=False)
@@ -35,6 +36,8 @@ class Config:
     AWS_REGION = os.environ.get("AWS_REGION")
     AWS_S3_BUCKET = os.environ.get("AWS_S3_BUCKET")
 
+    AUTH_TOKEN = os.environ.get("AUTH_TOKEN")
+
     SENTRY_DSN = os.environ.get("SENTRY_DSN")
 
     TEST_USER_EMAIL = os.environ.get("TEST_USER_EMAIL")

diff --git a/apps/server/controllers/fine_tuning.py b/apps/server/controllers/fine_tuning.py
@@ -10,15 +10,18 @@
 from services.fine_tuning import check_fine_tuning, fine_tune_openai_model
 from typings.auth import UserAccount
 from typings.fine_tuning import FineTuningInput, FineTuningOutput
-from utils.auth import authenticate
+from utils.auth import authenticate, authenticate_by_auth_token
 from utils.fine_tuning import (convert_fine_tunings_to_fine_tuning_list,
                                convert_model_to_response)
 
 router = APIRouter()
 
 
 @router.post(
-    "/{fine_tuning_id}/check", status_code=200, response_model=FineTuningOutput
+    "/{fine_tuning_id}/check",
+    status_code=200,
+    response_model=FineTuningOutput,
+    dependencies=[Depends(authenticate_by_auth_token)],
 )
 def check_fine_tuning_status(fine_tuning_id: UUID):
     check_fine_tuning(db.session, fine_tuning_id)
@@ -93,10 +96,12 @@ def update_fine_tuning(
         raise HTTPException(status_code=404, detail="Fine-tuning not found")
 
 
-@router.get("/pending", response_model=List[FineTuningOutput])
-def get_pending_fine_tunings(
-    auth: UserAccount = Depends(authenticate),
-) -> List[FineTuningOutput]:
+@router.get(
+    "/pending",
+    response_model=List[FineTuningOutput],
+    dependencies=[Depends(authenticate_by_auth_token)],
+)
+def get_pending_fine_tunings() -> List[FineTuningOutput]:
     """
     Get all pending fine-tunings for worker.
 

diff --git a/apps/server/controllers/schedule.py b/apps/server/controllers/schedule.py
@@ -5,20 +5,22 @@
 
 from exceptions import ScheduleNotFoundException
 from models.schedule import ScheduleModel
-from typings.auth import UserAccount
-from typings.schedule import (
-    ScheduleConfigInput,
-    ScheduleWithConfigsOutput,
-    ScheduleStatus,
-)
-from utils.auth import authenticate
-from utils.schedule import convert_model_to_response, convert_schedules_to_schedule_list
 from services.schedule import execute_scheduled_run
+from typings.auth import UserAccount
+from typings.schedule import (ScheduleConfigInput, ScheduleStatus,
+                              ScheduleWithConfigsOutput)
+from utils.auth import authenticate, authenticate_by_auth_token
+from utils.schedule import (convert_model_to_response,
+                            convert_schedules_to_schedule_list)
 
 router = APIRouter()
 
 
-@router.post("/{schedule_id}/run", status_code=200)
+@router.post(
+    "/{schedule_id}/run",
+    status_code=200,
+    dependencies=[Depends(authenticate_by_auth_token)],
+)
 def run_schedule(schedule_id: str):
     schedule = ScheduleModel.get_schedule_by_id(db, schedule_id, None)
 
@@ -124,7 +126,7 @@ def get_schedules(
     return convert_schedules_to_schedule_list(db_schedules)
 
 
-@router.get("/due")
+@router.get("/due", dependencies=[Depends(authenticate_by_auth_token)])
 def get_due_schedules():
     schedules = ScheduleModel.get_due_schedules(db.session)
     return convert_schedules_to_schedule_list(schedules)

diff --git a/apps/server/terraform/main.tf b/apps/server/terraform/main.tf
@@ -60,5 +60,6 @@ module "backend" {
     AWS_SECRET_ACCESS_KEY          = var.AWS_SECRET_ACCESS_KEY
     AWS_REGION                     = var.AWS_REGION
     AWS_S3_BUCKET                  = var.AWS_S3_BUCKET
+    AUTH_TOKEN                     = var.AUTH_TOKEN
   }
 }
diff --git a/apps/server/terraform/variables-container.tf b/apps/server/terraform/variables-container.tf
@@ -80,6 +80,9 @@ variable "AWS_REGION" {
 variable "AWS_S3_BUCKET" {
   type = string
 }
+variable "AUTH_TOKEN" {
+  type = string
+}
 
 locals {
   task_container_env_vars = [ ]

diff --git a/apps/server/utils/auth.py b/apps/server/utils/auth.py
@@ -1,20 +1,25 @@
+from datetime import timedelta
 from typing import Tuple
+
 import gql.transport.exceptions
-from fastapi import HTTPException, Request, Response, Depends
+import requests
+from fastapi import Depends, HTTPException, Request, Response
 from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordBearer
+from fastapi.security.utils import get_authorization_scheme_param
 from fastapi_jwt_auth import AuthJWT
-from typings.auth import UserAccount
-from datetime import timedelta
-from config import Config
 from fastapi_sqlalchemy import db
-from models.user import UserModel
+
+from config import Config
 from models.account import AccountModel
-from typings.user import UserOutput
+from models.user import UserModel
 from typings.account import AccountOutput
-import requests
-from utils.account import convert_model_to_response as convert_model_to_response_account
-from utils.user import convert_model_to_response as convert_model_to_response_user
+from typings.auth import UserAccount
+from typings.user import UserOutput
+from utils.account import \
+    convert_model_to_response as convert_model_to_response_account
+from utils.user import \
+    convert_model_to_response as convert_model_to_response_user
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
 
@@ -43,6 +48,16 @@ def authenticate(
         raise HTTPException(status_code=401, detail="Unauthorized")
 
 
+def authenticate_by_auth_token(
+    request: Request, response: Response
+) -> Tuple[UserOutput, AccountOutput]:
+    authorization = request.headers.get("Authorization", None)
+    _, token = get_authorization_scheme_param(authorization)
+
+    if token != Config.AUTH_TOKEN:
+        raise HTTPException(status_code=401, detail="Invalid auth token")
+
+
 def try_auth_user(
     request: Request, response: Response
 ) -> Tuple[UserOutput, AccountOutput]:

diff --git a/apps/worker/.env.example b/apps/worker/.env.example
@@ -1,4 +1,7 @@
-REDIS_URL=redis://localhost:6379/0
+REDIS_URL=redis://redis:6379/0
 
 # FastAPI server URL
-SERVER_URL=http://localhost:4000
+DEV_SERVER_URL=https://api-dev.l3vels.xyz
+PROD_SERVER_URL=https://api.l3vels.xyz
+
+SERVER_AUTH_TOKEN=secret
diff --git a/apps/worker/config.py b/apps/worker/config.py
@@ -1,4 +1,5 @@
 import os
+
 from dotenv import load_dotenv
 
 load_dotenv(override=False)
@@ -10,3 +11,5 @@ class Config:
     REDIS_URL = os.environ.get("REDIS_URL")
 
     SERVER_URL = os.environ.get("SERVER_URL")
+
+    SERVER_AUTH_TOKEN = os.environ.get("SERVER_AUTH_TOKEN")
diff --git a/apps/worker/main.py b/apps/worker/main.py
@@ -36,7 +36,11 @@
     max_retries=5,
 )
 def execute_scheduled_runs_task():
-    res = requests.get(f"{Config.SERVER_URL}/schedule/due")
+    res = requests.get(
+        f"{Config.SERVER_URL}/schedule/due",
+        headers={"Authorization": f"Bearer {Config.AUTH_TOKEN}"},
+    )
+
     schedules_with_configs = res.json()
 
     for schedule in schedules_with_configs:
@@ -53,7 +57,10 @@ def execute_scheduled_runs_task():
     max_retries=5,
 )
 def execute_single_schedule_task(schedule_id: str):
-    res = requests.post(f"{Config.SERVER_URL}/schedule/{schedule_id}/run")
+    res = requests.post(
+        f"{Config.SERVER_URL}/schedule/{schedule_id}/run",
+        headers={"Authorization": f"Bearer {Config.AUTH_TOKEN}"},
+    )
     return res.json()
 
 
@@ -64,7 +71,10 @@ def execute_single_schedule_task(schedule_id: str):
     max_retries=5,
 )
 def register_fine_tunings_task():
-    res = requests.get(f"{Config.SERVER_URL}/fine-tuning/pending")
+    res = requests.get(
+        f"{Config.SERVER_URL}/fine-tuning/pending",
+        headers={"Authorization": f"Bearer {Config.AUTH_TOKEN}"},
+    )
     fine_tunings = res.json()
 
     for fine_tuning in fine_tunings:
@@ -78,7 +88,10 @@ def register_fine_tunings_task():
     max_retries=5,
 )
 def check_single_fine_tuning_task(fine_tuning_id: str):
-    res = requests.post(f"{Config.SERVER_URL}/fine-tuning/{fine_tuning_id}/check")
+    res = requests.post(
+        f"{Config.SERVER_URL}/fine-tuning/{fine_tuning_id}/check",
+        headers={"Authorization": f"Bearer {Config.AUTH_TOKEN}"},
+    )
     return res