Migrate to connexion v3

[sudiptob2]

This PR is created based on #36052

Todo

• Taks 1 - Refactor get_api_endpoints() as it can not return blueprint in connexion v3
• Taks 2 - Find a way to replace the Legacy environ_overrides method from the old version of Connexion to fix the problem in tests.
• Task 3 - Fix unit tests that use app

Taks 1 - Refactor get_api_endpoints()

Problem Definiton

Ref: Github Pull Request #36052 VladaZakharova commented on Jan 18

In the init_api_auth_provider method, we update the base path as follows:

def init_api_auth_provider(connexion_app: connexion.FlaskApp):
    """Initialize the API offered by the auth manager."""
    auth_mgr = get_auth_manager()
    blueprint = auth_mgr.get_api_endpoints(connexion_app)
    if blueprint:
        base_paths.append(blueprint.url_prefix if blueprint.url_prefix else "")
        flask_app = connexion_app.app
        flask_app.extensions["csrf"].exempt(blueprint)

However, the blueprint object obtained from auth_mgr.get_api_endpoints(connexion_app) will always be None if we are using ConnexionV3.

Proposed solution

Ref vincbeck commented on Jan 18

• Rename get_api_endpoints to set_api_endpoints. The return type should be updated to None. Documentation should be updated as well to something like "Set API endpoint(s) definition for the auth manager.". This is a breaking change but nobody uses this interface yet, so it is a good time to do it.
• This piece of code flask_app.extensions["csrf"].exempt(blueprint) should be moved in the set_api_endpoints method using appbuilder.app.extensions["csrf"].exempt(api.blueprint) Ref: Migrate to connexion v3 #37638 (comment)

How to test

• Run client tests python ./clients/python/test_python_client.py

Subtasks

• Hanlde logic for base_paths.append(blueprint.url_prefix if blueprint.url_prefix else "")
• Make sure the base path for the CSRF exemption is correct. Ref: Migrate to connexion v3 #37638 (comment)
• Handle swagger-ui installation, Ref: Migrate to connexion v3 #37638 (comment)
• Solve favicon.ico problem in the swagger UI.

Task 2 - Replace envrion_overrides argument

Problem Definition

Ref: Github Pull Request #36052 commented on Feb 6

Find a way to replace legacy environ_overrides method from old version of Connexion to fix the problem in tests
TypeError: get() got an unexpected keyword argument 'environ_overrides'. Contact @RobbeSneyders for some help. Currently we didn't find anything in their documentation regarding new way how to override env variables.

Solution

• Use headers to send {'REMOTE_USER:"user"} instead of using environ_overirdes argument inside testclient.method. Accordinly update the authentication part in tests/test_utils/remote_user_api_auth_backend.py to user_id = request.headers.get("REMOTE_USER")

[sudiptob2]

Hi @vincbeck

We have defined the scope of Task 1 in the PR description. Thank you for your previous comments and suggestions to complete this task. There is a part of the proposed solution that we are still unclear.
Refferening to VladaZakharova commented 2 weeks ago

Blueprint is now can't be retrieved from connexion app and there will be always None.
Find a way to add csrf extension to a newly created blueprint using connexion: to retrieve blueprint object from connexion_app variable to save the current logic (flask_app.extensions["csrf"].exempt(blueprint)) or find a way to add this extension on connexion level(check the documentation for available options).

In a recent comment RobbeSneyders commented 2 days ago suggested

The most future-proof solution would be to move the csfr protection to a middleware such as this one. The skif_if_scope parameter seems to be a replacement for the exempt functionality you're using.

So, should we still consider moving flask_app.extensions["csrf"].exempt(blueprint) in the set_api_endpoints method using appbuilder.app.extensions["csrf"].exempt(api.blueprint) ?

[vincbeck]

Hi @vincbeck

We have defined the scope of Task 1 in the PR description. Thank you for your previous comments and suggestions to complete this task. There is a part of the proposed solution that we are still unclear. Refferening to VladaZakharova commented 2 weeks ago

Blueprint is now can't be retrieved from connexion app and there will be always None.
Find a way to add csrf extension to a newly created blueprint using connexion: to retrieve blueprint object from connexion_app variable to save the current logic (flask_app.extensions["csrf"].exempt(blueprint)) or find a way to add this extension on connexion level(check the documentation for available options).

In a recent comment RobbeSneyders commented 2 days ago suggested

The most future-proof solution would be to move the csfr protection to a middleware such as this one. The skif_if_scope parameter seems to be a replacement for the exempt functionality you're using.

So, should we still consider moving flask_app.extensions["csrf"].exempt(blueprint) in the set_api_endpoints method using appbuilder.app.extensions["csrf"].exempt(api.blueprint) ?

Yes

[sudiptob2]

Refinement: Returning flask_app instead of connexion_app

Ref: #37555 (comment) Mentions: @vincbeck

We investigated the usage of create_app() method and found a few places where we need to call connexion_app.run()
If we return flask_app from the create_app() method then maybe it is not possible to handle those use cases. Therefore, we should return connexion_app. There might be other ways to handle this, let me know your opinion.
Usage 1:

airflow/airflow/cli/commands/webserver_command.py

Lines 356 to 358 in 0f4babe

	app = create_app(testing=conf.getboolean("core", "unit_test_mode"))
	app.run(
	debug=True,

Usage 2:

airflow/airflow/cli/commands/internal_api_command.py

Lines 74 to 76 in 0f4babe

	app = create_app(testing=conf.getboolean("core", "unit_test_mode"))
	app.run(
	debug=True, # nosec

[Satoshi-Sh]

Problem

Due to the upgrade of connextion v3, we cannot access blueprints( they moved the blueprint registration code inside their codebase). We used the returned blueprint to make exemptions to accept HTTP(S) requests without "csrf token" in the header. When the auth-token is in the header, the client doesn't include a csrf token. That's why we get csrf token missing error with test_python_client.py

@RobbeSneyders suggested utilizing the middleware library asgi-csrf to do the same without using blueprints.

def skip_api_paths(scope)
    return scope["path"].startswith("/api/")

app = asgi_csrf(
    app,
    signing_secret="secret-goes-here",
    skip_if_scope=skip_api_paths
)

This is a sample code to make csrf-token exemption.

• What the score will be in the airflow project?
• I'm not sure about siginig_secret. Do I need to generate it or can get it from somewhere?

[potiuk]

What the score will be in the airflow project?

I assume the scope :) ?. I believe the scope is the base URL of Airflow webserver (not 100% sure how asg-csrf does it but that's what I understand it should be. The CSRF tokens we have are generated in the webserver views - and those are generated at the "base URL" (and anything that's deeper in the path) - and those csrf tokens are then used by the browser to make the calls to the API.

I'm not sure about siginig_secret. Do I need to generate it or can get it from somewhere?

We should use https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#secret-key - this is done usually by:

conf.get_mandatory_value("webserver", "secret_key")

[Satoshi-Sh]

Yes, it's scope. I have this now.

# asgi-csrf skip_if_scope
    def skip_api_paths(scope):
        return scope["path"].startswith("/api/v1")

    flask_app = asgi_csrf(
        flask_app,
        signing_secret=conf.get_mandatory_value("webserver", "secret_key"),
        skip_if_scope=skip_api_paths,
    )

After using asgi_csrf, I get a different error.
RuntimeError: A secret key is required to use CSRF. INFO: "POST /api/v1/dags/exmple_bash_operator/dagRuns HTTP/1.1" instead of something like CSRF token is missing on the same endpoint.

I hope I'm in the right direction to solve the issue. Here is my pull request to Sudipto's forked repo.

[sudiptob2]

Yes, it's scope. I have this now.

# asgi-csrf skip_if_scope
    def skip_api_paths(scope):
        return scope["path"].startswith("/api/v1")

    flask_app = asgi_csrf(
        flask_app,
        signing_secret=conf.get_mandatory_value("webserver", "secret_key"),
        skip_if_scope=skip_api_paths,
    )

After using asgi_csrf, I get a different error. RuntimeError: A secret key is required to use CSRF. INFO: "POST /api/v1/dags/exmple_bash_operator/dagRuns HTTP/1.1" instead of something like CSRF token is missing on the same endpoint.

I hope I'm in the right direction to solve the issue. Here is my pull request to Sudipto's forked repo.

It is possible to avoid this error using the following tweak for the time being. asgi-csrf looks for SECRET_KEY variable to be set. But it still does not solve the problem of missing CSRF token. In my opinion, it wont be this simple to add asgi_csrf middleware.

    # asgi-csrf skip_if_scope
    flask_app.config['SECRET_KEY'] = conf.get_mandatory_value("webserver", "secret_key")

    def skip_api_paths(scope):
        return scope["path"].startswith("/api/v1")

    asgi_csrf(
        flask_app,
        signing_secret=conf.get_mandatory_value("webserver", "secret_key"),
        skip_if_scope=skip_api_paths,
    )

@potiuk
Can we get a demo/explanation session in the next meeting regarding how the CSRF protection works in airflow, especially in the context of this PR?

[sudiptob2]

We might be able to handle csrf exemption logic in the following way.

    @connexion_app.app.before_request
    def before_request():
        """Exempts the view function associated with '/api/v1' requests from CSRF protection."""
        if request.path.startswith("/api/v1"):  # TODO: make sure this path is correct
            view_function = flask_app.view_functions.get(request.endpoint)
            if view_function:
                # Exempt the view function from CSRF protection
                connexion_app.app.extensions["csrf"].exempt(view_function)

I implemented it here, asking for a review @vincbeck @potiuk @Satoshi-Sh

[Satoshi-Sh]

Nicely done, @sudiptob2 . I checked it with test_python_client.py. The first error is the same as before this update and the second one is just error 404 instead of the csrf issues. I'm not sure if this has something to do with our missing base_paths.append(blueprint.url_prefix if blueprint.url_prefix else "") , or maybe it's related to issue 2 or something else.

Once todo about the scope is done, we can go ahead to the second bug.

[potiuk]

cc: @VladaZakharova - just adding you for awareness :)

[potiuk]

Can we get a demo/explanation session in the next meeting regarding how the CSRF protection works in airflow, especially in the context of this PR?

Once I do a bit of homework on it myself :)

[sudiptob2]

Nicely done, @sudiptob2 . I checked it with test_python_client.py. The first error is the same as before this update and the second one is just error 404 instead of the csrf issues. I'm not sure if this has something to do with our missing base_paths.append(blueprint.url_prefix if blueprint.url_prefix else "") , or maybe it's related to issue 2 or something else.

Once todo about the scope is done, we can go ahead to the second bug.

Hi @Satoshi-Sh,
Did you load example dags while testing? You can use the following command to runing breeze.

breeze start-airflow --dev-mode --load-example-dags --backend postgres

base_paths.append(blueprint.url_prefix if blueprint.url_prefix else "") , or maybe it's related to issue 2 or something else.

This has to be handled in subtask 1 so that reviewers can easily review it.

[potiuk]

Hi @potiuk. Great to hear that you found the issue. Let me know if there is anything else I can help with.

Hey @RobbeSneyders Thanks for the offer. We got the PR green finally (HURRAY!). What - I think, you could help with is to validate some of our assumptions. Due to the length of this PR and comments and number of commits in that, I will open a new PR and ask some concrete questions and explain our decisions there and ask you for comments - and I will involve other maintainers as well.

[potiuk]

Continued in #39055

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.