Remove config use of authentication

Author: DiamondJoseph

docs/source/explanations/security.md

@@ -50,8 +50,7 @@ TILED_SINGLE_USER_API_KEY=YOUR_SECRET tiled serve ...
 or via the configuration parameter
 
 ```yaml
-authentication:
-  single_user_api_key: "..."
+single_user_api_key: "..."
 ```
 
 When the secret is set manually it this way, it is *not* logged in the terminal.
@@ -102,16 +101,14 @@ tiled serve config ...
 include the configuration:
 
 ```yaml
-authentication:
-  allow_anonymous_access: true
+allow_anonymous_access: true
 ```
 
 This is a complete working example:
 
 ```yaml
 # config.yml
-authentication:
-  allow_anonymous_access: true
+allow_anonymous_access: true
 trees:
   - path: /
     tree: tiled.examples.generated_minimal:tree
@@ -175,20 +172,18 @@ pip install pamela
 The configuration file(s) should include:
 
 ```yaml
-authentication:
-  authenticator: tiled.authenticators:PAMAuthenticator
+authenticator: tiled.authenticators:PAMAuthenticator
 ```
 
 Here is a complete working example:
 
 ```yaml
 # pam_config.yml
-authentication:
-  providers:
-    - authenticator: tiled.authenticators:PAMAuthenticator
-      # This 'provider' can be any string; it is used to differentiate
-      # authentication providers when multiple ones are supported.
-      provider: local
+providers:
+  - authenticator: tiled.authenticators:PAMAuthenticator
+    # This 'provider' can be any string; it is used to differentiate
+    # authentication providers when multiple ones are supported.
+    provider: local
 trees:
   - path: /
     tree: tiled.examples.generated_minimal:tree
@@ -248,19 +243,18 @@ pip install httpx
 The configuration file(s) must include the following.
 
 ```yaml
-authentication:
-  providers:
-  - provider: example.com
-    authenticator: tiled.authenticators:OIDCAuthenticator
-    args:
-      # Values should come from your OIDC provider configuration
-      # The audience claim is checked by the OIDC Client (Tiled)
-      # It checks that the Authentication header that you are passed has not been intercepted
-      # And that elevated claims from other services do not apply here
-      audience: tiled  # something unique to ensure received headers are for you
-      client_id: tiled_client
-      client_secret: ${OIDC_CLIENT_SECRET} # referencing an environment variable
-      well_known_uri: example.com/.well-known/openid-configuration
+providers:
+- provider: example.com
+  authenticator: tiled.authenticators:OIDCAuthenticator
+  args:
+    # Values should come from your OIDC provider configuration
+    # The audience claim is checked by the OIDC Client (Tiled)
+    # It checks that the Authentication header that you are passed has not been intercepted
+    # And that elevated claims from other services do not apply here
+    audience: tiled  # something unique to ensure received headers are for you
+    client_id: tiled_client
+    client_secret: ${OIDC_CLIENT_SECRET} # referencing an environment variable
+    well_known_uri: example.com/.well-known/openid-configuration
 ```
 
 There are example configurations for ORCID and Google in the directory
@@ -279,15 +273,14 @@ should only for used for development and demos.
 
 ```yaml
 # dictionary_config.yml
-authentication:
-  providers:
-  - provider: toy
-    authenticator: tiled.authenticators:DictionaryAuthenticator
-    args:
-      users_to_passwords:
-        alice: ${ALICE_PASSWORD}
-        bob: ${BOB_PASSWORD}
-        cara: ${CARA_PASSWORD}
+providers:
+- provider: toy
+  authenticator: tiled.authenticators:DictionaryAuthenticator
+  args:
+    users_to_passwords:
+      alice: ${ALICE_PASSWORD}
+      bob: ${BOB_PASSWORD}
+      cara: ${CARA_PASSWORD}
 trees:
   - path: /
     tree: tiled.examples.generated_minimal:tree
@@ -301,10 +294,9 @@ The ``DummyAuthenticator`` accepts *any* username and password combination.
 
 ```yaml
 # dummy_config.yml
-authentication:
-  providers:
-  - provider: toy
-    authenticator: tiled.authenticators:DummyAuthenticator
+providers:
+- provider: toy
+  authenticator: tiled.authenticators:DummyAuthenticator
 trees:
   - path: /
     tree: tiled.examples.generated_minimal:tree
@@ -326,8 +318,7 @@ To make such entries visible to *anonymous*, unauthenticated users as well,
 include the configuration:
 
 ```yaml
-authentication:
-  allow_anonymous_access: true
+allow_anonymous_access: true
 ```
 
 See also {doc}`../reference/service-configuration`.

docs/source/how-to/direct-client.md

@@ -56,7 +56,7 @@ client = from_context(context)
 From a configuration file:
 
 ```py
-config = parse_configs("path/to/config.yml")
+config: Settings = parse_config("path/to/config.yml")
 app = build_app_from_config(config)
 context = Context.from_app(app)
 client = from_context(context)

docs/source/reference/authentication.md

@@ -195,10 +195,9 @@ These are tuned, respectively, by the following configuration parameters,
 given in units of seconds. The default values are shown.
 
 ```yaml
-authentication:
-    refresh_token_max_age: 604800  # one week
-    session_max_age: 31536000  # 365 days
-    access_token_max_age: 900  # 15 minutes
+refresh_token_max_age: 604800  # one week
+session_max_age: 31536000  # 365 days
+access_token_max_age: 900  # 15 minutes
 ```
 
 and may also be set via the environment:
@@ -237,28 +236,25 @@ With ``python``:
 Apply it by including the configuration
 
 ```yaml
-authentication:
-    secret_keys:
-        - "SECRET"
+secret_keys:
+- "SECRET"
 ```
 
 or by setting the ``TILED_SECRET_KEYS`` environment variable.
 
 If you prefer, you can extract the keys from the environment like:
 
 ```yaml
-authentication:
-    secret_keys:
-        - "${SECRET}"  # will be replaced by the environment variable
+secret_keys:
+- "${SECRET}"  # will be replaced by the environment variable
 ```
 
 To rotate keys with a smooth transition, provide multiple keys
 
 ```yaml
-authentication:
-    secret_keys:
-        - "NEW_SECRET"
-        - "OLD_SECRET"
+secret_keys:
+- "NEW_SECRET"
+- "OLD_SECRET"
 ```
 
 or set ``TILED_SECRET_KEYS`` as a json list, e.g.

docs/source/reference/service.md

@@ -115,8 +115,7 @@ See {doc}`../explanations/structures` for more context.
 .. autosummary::
    :toctree: generated
 
-   tiled.config.parse_configs
-   tiled.config.construct_build_app_kwargs
+   tiled.config.parse_config
 ```
 ## HTTP Server Application
 

example_configs/google_auth.yml

@@ -1,15 +1,14 @@
 # Must set environment variables GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET to run.
-authentication:
-  providers:
-  - provider: google
-    authenticator: tiled.authenticators:OIDCAuthenticator
-    args:
-      audience: tiled  # something unique to ensure received headers are for you
-      # These values come from https://console.cloud.google.com/apis/credential
-      client_id: ${GOOGLE_CLIENT_ID}
-      client_secret: ${GOOGLE_CLIENT_SECRET}
-      well_known_uri: https://accounts.google.com/.well-known/openid-configuration
-      confirmation_message: "You have logged in with Google as {id}."
+providers:
+- provider: google
+  authenticator: tiled.authenticators:OIDCAuthenticator
+  args:
+    audience: tiled  # something unique to ensure received headers are for you
+    # These values come from https://console.cloud.google.com/apis/credential
+    client_id: ${GOOGLE_CLIENT_ID}
+    client_secret: ${GOOGLE_CLIENT_SECRET}
+    well_known_uri: https://accounts.google.com/.well-known/openid-configuration
+    confirmation_message: "You have logged in with Google as {id}."
 trees:
  # Just some arbitrary example data...
  # The point of this example is the authenticaiton above.

example_configs/multiple_providers.yml

@@ -1,26 +1,25 @@
-authentication:
-  providers:
-  - provider: one
-    authenticator: tiled.authenticators:DictionaryAuthenticator
-    args:
-      users_to_passwords:
-        alice: ${ALICE_PASSWORD}
-        bob: ${BOB_PASSWORD}
-        cara: ${CARA_PASSWORD}
-  - provider: two
-    authenticator: tiled.authenticators:DictionaryAuthenticator
-    args:
-      users_to_passwords:
-        alice: ${ALICE_PASSWORD}
-        bob: ${BOB_PASSWORD}
-        cara: ${CARA_PASSWORD}
-  - provider: three
-    authenticator: tiled.authenticators:DictionaryAuthenticator
-    args:
-      users_to_passwords:
-        alice: ${ALICE_PASSWORD}
-        bob: ${BOB_PASSWORD}
-        cara: ${CARA_PASSWORD}
+providers:
+- provider: one
+  authenticator: tiled.authenticators:DictionaryAuthenticator
+  args:
+    users_to_passwords:
+      alice: ${ALICE_PASSWORD}
+      bob: ${BOB_PASSWORD}
+      cara: ${CARA_PASSWORD}
+- provider: two
+  authenticator: tiled.authenticators:DictionaryAuthenticator
+  args:
+    users_to_passwords:
+      alice: ${ALICE_PASSWORD}
+      bob: ${BOB_PASSWORD}
+      cara: ${CARA_PASSWORD}
+- provider: three
+  authenticator: tiled.authenticators:DictionaryAuthenticator
+  args:
+    users_to_passwords:
+      alice: ${ALICE_PASSWORD}
+      bob: ${BOB_PASSWORD}
+      cara: ${CARA_PASSWORD}
 trees:
   - path: /
     tree: tiled.examples.toy_authentication:tree

example_configs/orcid_auth.yml

@@ -1,15 +1,14 @@
 # Must set environment variables ORCID_CLIENT_ID and ORCID_CLIENT_SECRET to run.
-authentication:
-  providers:
-  - provider: orcid
-    authenticator: tiled.authenticators:OIDCAuthenticator
-    args:
-      audience: tiled  # something unique to ensure received headers are for you
-      # These values come from https://orcid.org/developer-tools
-      client_id: ${ORCID_CLIENT_ID}
-      client_secret: ${ORCID_CLIENT_SECRET}
-      well_known_uri: https://orcid.org/.well-known/openid-configuration
-      confirmation_message: "You have logged in with ORCID as {id}."
+providers:
+- provider: orcid
+  authenticator: tiled.authenticators:OIDCAuthenticator
+  args:
+    audience: tiled  # something unique to ensure received headers are for you
+    # These values come from https://orcid.org/developer-tools
+    client_id: ${ORCID_CLIENT_ID}
+    client_secret: ${ORCID_CLIENT_SECRET}
+    well_known_uri: https://orcid.org/.well-known/openid-configuration
+    confirmation_message: "You have logged in with ORCID as {id}."
 trees:
  # Just some arbitrary example data...
  # The point of this example is the authenticaiton above.

example_configs/saml.yml

@@ -1,30 +1,29 @@
 # Use this configuration with this demo docker container as the idp.
 
 # docker run --name=testsamlidp_idp -p 8080:8080 -p 8443:8443 -e SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:8000 -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:8000/auth/provider/saml/code -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:8000/ -d kristophjunge/test-saml-idp
-authentication:
-  providers:
-  - provider: saml
-    authenticator: tiled.authenticators:SAMLAuthenticator
-    args:
-      attribute_name: "email"
-      saml_settings:
-        strict: False
-        debug: False
-        idp:
-          entityId: "http://localhost:8080/simplesaml/saml2/idp/metadata.php"
-          singleSignOnService:
-            url: "http://localhost:8080/simplesaml/saml2/idp/SSOService.php"
-            binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-          singleLogoutService:
-            url: "http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php"
-            binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-          x509cert: "MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMjMxMTQzNDQ3WhcNNDgwNjI1MTQzNDQ3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUCFozgNb1h1M0jzNRSCjhOBnR+uVbVpaWfXYIR+AhWDdEe5ryY+CgavOg8bfLybyzFdehlYdDRgkedEB/GjG8aJw06l0qF4jDOAw0kEygWCu2mcH7XOxRt+YAH3TVHa/Hu1W3WjzkobqqqLQ8gkKWWM27fOgAZ6GieaJBN6VBSMMcPey3HWLBmc+TYJmv1dbaO2jHhKh8pfKw0W12VM8P1PIO8gv4Phu/uuJYieBWKixBEyy0lHjyixYFCR12xdh4CA47q958ZRGnnDUGFVE1QhgRacJCOZ9bd5t9mr8KLaVBYTCJo5ERE8jymab5dPqe5qKfJsCZiqWglbjUo9twIDAQABo1AwTjAdBgNVHQ4EFgQUxpuwcs/CYQOyui+r1G+3KxBNhxkwHwYDVR0jBBgwFoAUxpuwcs/CYQOyui+r1G+3KxBNhxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAiWUKs/2x/viNCKi3Y6blEuCtAGhzOOZ9EjrvJ8+COH3Rag3tVBWrcBZ3/uhhPq5gy9lqw4OkvEws99/5jFsX1FJ6MKBgqfuy7yh5s1YfM0ANHYczMmYpZeAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ=="
-        sp:
-          entityId: "http://localhost:8000/api"
-          assertionConsumerService:
-            url: "http://localhost:8000/api/auth/provider/saml/code"
-            binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          x509cert: ""
+providers:
+- provider: saml
+  authenticator: tiled.authenticators:SAMLAuthenticator
+  args:
+    attribute_name: "email"
+    saml_settings:
+      strict: False
+      debug: False
+      idp:
+        entityId: "http://localhost:8080/simplesaml/saml2/idp/metadata.php"
+        singleSignOnService:
+          url: "http://localhost:8080/simplesaml/saml2/idp/SSOService.php"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        singleLogoutService:
+          url: "http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        x509cert: "MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMjMxMTQzNDQ3WhcNNDgwNjI1MTQzNDQ3WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUCFozgNb1h1M0jzNRSCjhOBnR+uVbVpaWfXYIR+AhWDdEe5ryY+CgavOg8bfLybyzFdehlYdDRgkedEB/GjG8aJw06l0qF4jDOAw0kEygWCu2mcH7XOxRt+YAH3TVHa/Hu1W3WjzkobqqqLQ8gkKWWM27fOgAZ6GieaJBN6VBSMMcPey3HWLBmc+TYJmv1dbaO2jHhKh8pfKw0W12VM8P1PIO8gv4Phu/uuJYieBWKixBEyy0lHjyixYFCR12xdh4CA47q958ZRGnnDUGFVE1QhgRacJCOZ9bd5t9mr8KLaVBYTCJo5ERE8jymab5dPqe5qKfJsCZiqWglbjUo9twIDAQABo1AwTjAdBgNVHQ4EFgQUxpuwcs/CYQOyui+r1G+3KxBNhxkwHwYDVR0jBBgwFoAUxpuwcs/CYQOyui+r1G+3KxBNhxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAiWUKs/2x/viNCKi3Y6blEuCtAGhzOOZ9EjrvJ8+COH3Rag3tVBWrcBZ3/uhhPq5gy9lqw4OkvEws99/5jFsX1FJ6MKBgqfuy7yh5s1YfM0ANHYczMmYpZeAcQf2CGAaVfwTTfSlzNLsF2lW/ly7yapFzlYSJLGoVE+OHEu8g5SlNACUEfkXw+5Eghh+KzlIN7R6Q7r2ixWNFBC/jWf7NKUfJyX8qIG5md1YUeT6GBW9Bm2/1/RiO24JTaYlfLdKK9TYb8sG5B+OLab2DImG99CJ25RkAcSobWNF5zD0O6lgOo3cEdB/ksCq3hmtlC/DlLZ/D8CJ+7VuZnS1rR2naQ=="
+      sp:
+        entityId: "http://localhost:8000/api"
+        assertionConsumerService:
+          url: "http://localhost:8000/api/auth/provider/saml/code"
+          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        x509cert: ""
 trees:
   - path: /
     tree: tiled.examples.toy_authentication:tree

example_configs/single_catalog_single_user.yml

@@ -1,7 +1,6 @@
-authentication:
-  # The default is false. Set to true to enable any HTTP client that can
-  # connect to _read_. An API key is still required to write.
-  allow_anonymous_access: false
+# The default is false. Set to true to enable any HTTP client that can
+# connect to _read_. An API key is still required to write.
+allow_anonymous_access: false
 trees:
   - path: /
     tree: catalog

example_configs/small_single_user_demo.yml

@@ -1,5 +1,4 @@
-authentication:
-  single_user_api_key: ${TILED_SINGLE_USER_API_KEY}
+single_user_api_key: ${TILED_SINGLE_USER_API_KEY}
 trees:
   - tree: tiled.examples.generated_minimal:tree
     path: /