direct PAT (#58)

Author: sfc-gh-yizhang

ingress-cors/README.md

@@ -1,5 +1,5 @@
 # Introduction
-After completing the [common setup](https://docs.snowflake.com/en/developer-guide/snowpark-container-services/tutorials/common-setup), you are ready to create a service. In this tutorial, you will create one service (named echo_service_with_cors) that exposes an endpoint to respond to CORS requests. Then you will create a service locally to send CORS requests to the endpoint: 
+After completing the [common setup](https://docs.snowflake.com/en/developer-guide/snowpark-container-services/tutorials/common-setup), you are ready to create a service. In this tutorial, you will create one service (named echo_service_with_cors) that exposes an endpoint to respond to CORS requests. Then you will create a service locally to send CORS requests to the endpoint using **PAT token authentication**: 
 
 **1. /healthcheck:** this method should respond with "I'm ready!"
 
@@ -15,9 +15,9 @@ At a high-level, this tutorial contains the following steps:
 
 3. Create the service by providing the service specification file and the compute pool in which to run the service.
 
-6. Configure key pair authentication and/or PAT token authentication
+4. Configure PAT token authentication
 
-7. Send CORS requests from localhost 
+5. Send CORS requests from localhost using PAT tokens
 
 <br>
 
@@ -131,6 +131,7 @@ CREATE SERVICE echo_service_with_cors
           - http://localhost:8888
           Access-Control-Allow-Methods:
           - POST
+          - GET
           Access-Control-Allow-Headers:
           - Authorization
           - Content-Type
@@ -169,58 +170,39 @@ Verify that you can access the endpoint by hitting the endpoint in the browser:
 https://ftwoqas5-myorg-myacct.snowflakecomputing.app/healthcheck
 ```
 
-# 4: Configure key pair authentication
- 1. Configure key pair authentication for the user by following the [key pair authentication guide](https://docs.snowflake.com/en/user-guide/key-pair-auth)
+# 4: Configure PAT token authentication
+Configure a PAT token for the user by following the [PAT token guide](https://docs.snowflake.com/LIMITEDACCESS/programmatic-access-tokens)
 
- 2. Configure a PAT token for the user by following the [PAT token guide](https://docs.snowflake.com/LIMITEDACCESS/programmatic-access-tokens)
+# 5: Run the service locally
 
-
-# 5: Spin up the service locally
-In the cors_app folder, using a Python virtual environment, execute:
+## Option 1: Using Docker (Recommended)
+In the cors_app folder, execute:
 ```
-python3 -m venv .  
-source bin/activate 
-pip3 install --upgrade pip
-pip3 install -r requirements.txt
-python3 echo_service.py
+cd cors_app
+docker build -t cors-app .
+docker run -p 8888:8888 cors-app
 ```
 
 Access the endpoint at http://localhost:8888/ui in a web browser. This causes the service to execute the ui() function (see echo_service.py).
 
-<img src="cors_app_ui.png" alt="drawing" width="1200"/>
-
-# 6: Send CORS requests to the endpoint on local browser
-
-There are 4 functionalities the endpoint provides:
-
-  a. Making a GET request with info necessary for programmatic access using key pair authentication
+# 6: Send CORS requests to the endpoint
 
-  b. Making a GET request with info necessary for programmatic access using a PAT token
+The simplified interface now provides **2 main functionalities** using PAT token authentication:
 
-  c. Making a POST request with info necessary for programmatic access using key pair authentication
+  **a. Making a GET request** - Test CORS GET requests with PAT token authentication
+  
+  **b. Making a POST request** - Test CORS POST requests with PAT token authentication
 
-  d. Making a POST request with info necessary for programmatic access using a PAT token
+Simply input the endpoint URL and your PAT token. The interface will:
+- Use Bearer authentication with your PAT token
+- Send custom headers to test CORS configuration
+- Validate Access-Control-Allow-Headers and Access-Control-Expose-Headers
 
-Input the endpoint, user, role, and account URL. The JWT token retrival part (a and c) / PAT token exchange (b and d) will be done automatically. For more information on how to find the account URL, visit [Account identifiers](https://docs.snowflake.com/en/user-guide/admin-account-identifier). The value of Role is automatically capitalized as Snowflake roles are always in uppercase.
-Note that comparing to the [programmatic access tutorial](https://docs.snowflake.com/en/developer-guide/snowpark-container-services/tutorials/tutorial-1#setup), the account and endpoint are both omitted as input, since they can be deduced from the Snowflake Account URL and the GET / POST URL respectively.
-Also note that all 4 functionalities validate Access-Control-Allow-Headers and Access-Control-Expose-Headers as an example. 
+The simplified UI eliminates the complexity of key pair authentication and JWT token exchange, making it easier to test CORS functionality with just PAT tokens.
 
-For a:
-
-<img src="cors_get_with_key_pair.png" alt="drawing" width="600"/>
-
-<br>
-For b:
-
-<img src="cors_get_with_pat.png" alt="drawing" width="600"/>
-
-<br>
-For c:
-
-<img src="cors_post_with_key_pair.png" alt="drawing" width="600"/>
-
-<br>
-For d:
+**Testing endpoints:**
+- GET: Test against `/healthcheck` or other GET endpoints
+- POST: Test against `/echo` endpoint with custom payloads
 
-<img src="cors_post_with_pat.png" alt="drawing" width="600"/>
+Both functionalities validate CORS headers as an example of proper CORS implementation. 
 

ingress-cors/cors_app/Dockerfile

@@ -1,9 +1,8 @@
 ARG BASE_IMAGE=python:3.10-slim-buster
 FROM $BASE_IMAGE
 COPY echo_service.py ./
-COPY generateJWT.py ./
 COPY templates/ ./templates/
 RUN pip install --upgrade pip && \
-    pip install flask cryptography PyJWT requests
+    pip install flask requests
 CMD ["python3", "echo_service.py"]
 

ingress-cors/cors_app/echo_service.py

@@ -1,12 +1,8 @@
-from generateJWT import JWTGenerator
-
 from flask import Flask
 from flask import request
 from flask import jsonify
 from flask import make_response
 from flask import render_template
-from cryptography.hazmat.primitives.serialization import load_pem_private_key
-from cryptography.hazmat.backends import default_backend
 from datetime import timedelta, timezone, datetime
 import logging
 import requests
@@ -16,6 +12,8 @@
 SERVICE_HOST = os.getenv('SERVER_HOST', '0.0.0.0')
 SERVICE_PORT = os.getenv('SERVER_PORT', 8888)
 CHARACTER_NAME = os.getenv('CHARACTER_NAME', 'I')
+SNOWFLAKE_HOST = os.getenv('SNOWFLAKE_HOST')
+SNOWFLAKE_ACCOUNT = os.getenv('SNOWFLAKE_ACCOUNT')
 
 
 def get_logger(logger_name):
@@ -48,7 +46,7 @@ def readiness_probe():
 @app.get("/get")
 def get_func():
     response = make_response("GET success!")
-    response.headers['Access-Control-Allow-Origin'] = 'https://b3efa44-sfengineering-prod2-snowservices-test2.snowflakecomputing.app'
+    response.headers['Access-Control-Allow-Origin'] = 'https://localhost:9999'
     response.headers['Access-Control-Allow-Credentials'] = True
     response.headers['Access-Control-Allow-Headers'] = 'Fake-Header-X,Fake-Header-Y,Fake-Header-Z'
 
@@ -88,74 +86,6 @@ def ui():
 
     return render_template("basic_ui.html")
 
-def get_p8():
-    p8 = ""
-    with open("./rsa_key.p8", 'rb') as pem_in:
-        pemlines = pem_in.read()
-        try:
-            # Try to access the private key without a passphrase.
-            p8 = load_pem_private_key(pemlines, None, default_backend())
-            logger.debug(f"p8: {p8}")
-        except TypeError:
-            logger.error("Failed getting private key. ")
-    return p8
-
-def token_exchange(token, role, endpoint, snowflake_account_url, isPat):
-    scope_role = f'session:role:{role}'
-    scope = f'{scope_role} {endpoint}'
-    
-    if isPat:
-        data = {
-            'grant_type': 'urn:ietf:params:oauth:grant-type:token-exchange',
-            'scope': scope,
-            'subject_token': token,
-            'subject_token_type': 'programmatic_access_token'
-        }
-    else:
-        data = {
-            'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-            'scope': scope,
-            'assertion': token,
-        }
-
-    logger.info(data)
-    response = _do_token_exchange(data, snowflake_account_url)
-    return response.text
-
-def _do_token_exchange(data, snowflake_account_url) -> requests.Response:
-    url = f'{snowflake_account_url}/oauth/token'
-    response = requests.post(url, data=data, verify=False)
-    logger.info("snowflake jwt response code : %s" % response.status_code)
-    assert 200 == response.status_code, "unable to get snowflake token"
-    return response
-
-
-@app.route('/jwt', methods=['POST'])
-def handle_data():
-    if request.method == 'POST':
-        data = request.json
-        logger.debug(f'data when calling /jwt: {data}')
-        # Load the private key from the specified file.
-        user = data.get("user")
-        role = data.get("role")
-        isPat = data.get("isPat")
-        snowflake_account_url = data.get("snowflake_account_url")
-        snowflake_account_hostname = snowflake_account_url[8:]
-        account = snowflake_account_hostname.split('.')[0]
-        logger.debug(f'Account from Snowflake Account URL: {account}')
-        endpoint = data.get("endpoint")
-        key = data.get("key")
-        if isPat:
-            snowflake_jwt = token_exchange(key, role=role, endpoint=endpoint,
-                    snowflake_account_url=snowflake_account_url, isPat=isPat)
-        else:
-            token = JWTGenerator(account, user, key, timedelta(minutes=59),
-                timedelta(minutes=54)).get_token()
-            snowflake_jwt = token_exchange(token, role=role, endpoint=endpoint,
-                    snowflake_account_url=snowflake_account_url, isPat=isPat)
-        
-        return snowflake_jwt
-
 @app.after_request
 def apply_csp(response):
     csp = (