Move authenticators to settings and call as such

Author: DiamondJoseph

tiled/_tests/test_access_control.py

@@ -76,7 +76,7 @@ def context(tmpdir_module):
     config = {
         "allow_anonymous_access": True,
         "secret_keys": ["SECRET"],
-        "providers": [
+        "authenticators": [
             {
                 "provider": "toy",
                 "authenticator": "tiled.authenticators:DictionaryAuthenticator",
@@ -355,7 +355,7 @@ def test_service_principal_access(tmpdir):
     "Test that a service principal can work with SimpleAccessPolicy."
     config = {
         "secret_keys": ["SECRET"],
-        "providers": [
+        "authenticators": [
             {
                 "provider": "toy",
                 "authenticator": "tiled.authenticators:DictionaryAuthenticator",

tiled/_tests/test_authentication.py

@@ -40,7 +40,7 @@ def config(sqlite_or_postgresql_database_uri):
     )
     return {
         "secret_keys": ["SECRET"],
-        "providers": [
+        "authenticators": [
             {
                 "provider": "toy",
                 "authenticator": "tiled.authenticators:DictionaryAuthenticator",
@@ -256,7 +256,7 @@ def test_multiple_providers(enter_username_password, config, monkeypatch):
 
     This mechanism is used to support "Login with ORCID or Google or ...."
     """
-    config["authentication"]["providers"].extend(
+    config["authenticators"].extend(
         [
             {
                 "provider": "second",
@@ -289,7 +289,7 @@ def test_multiple_providers_name_collision(config):
     """
     Check that we enforce unique provider names.
     """
-    config["authentication"]["providers"] = [
+    config["authenticators"] = [
         {
             "provider": "some_name",
             "authenticator": "tiled.authenticators:DictionaryAuthenticator",

tiled/_tests/test_catalog.py

@@ -372,7 +372,7 @@ async def test_access_control(tmpdir):
     config = {
         "allow_anonymous_access": True,
         "secret_keys": ["SECRET"],
-        "providers": [
+        "authenticators": [
             {
                 "provider": "toy",
                 "authenticator": "tiled.authenticators:DictionaryAuthenticator",

tiled/_tests/test_openapi.py

@@ -9,7 +9,7 @@
 tree = MapAdapter({})
 config = {
     "secret_keys": ["SECRET"],
-    "providers": [
+    "authenticators": [
         {
             "provider": "toy",
             "authenticator": "tiled.authenticators:DictionaryAuthenticator",

tiled/_tests/test_server.py

@@ -89,7 +89,7 @@ def multiuser_server(tmpdir):
     )
     config = {
         "secret_keys": ["SECRET"],
-        "providers": [
+        "authenticators": [
             {
                 "provider": "toy",
                 "authenticator": "tiled.authenticators:DictionaryAuthenticator",
@@ -152,17 +152,17 @@ def test_internal_authentication_mode_with_password_clients(multiuser_server):
     response = httpx.get(
         multiuser_server + "/api/v1/", headers={"user-agent": "python-tiled/0.1.0b16"}
     )
-    actual_mode = response.json()["authentication"]["providers"][0]["mode"]
+    actual_mode = response.json()["authenticators"][0]["mode"]
     assert actual_mode == "password"
 
     # Mock new client
     response = httpx.get(
         multiuser_server + "/api/v1/", headers={"user-agent": "python-tiled/0.1.0b17"}
     )
-    actual_mode = response.json()["authentication"]["providers"][0]["mode"]
+    actual_mode = response.json()["authenticators"][0]["mode"]
     assert actual_mode == "internal"
 
     # Mock unknown client
     response = httpx.get(multiuser_server + "/api/v1/", headers={})
-    actual_mode = response.json()["authentication"]["providers"][0]["mode"]
+    actual_mode = response.json()["authenticators"][0]["mode"]
     assert actual_mode == "internal"

tiled/server/app.py

@@ -105,16 +105,15 @@ def custom_openapi(app):
 
 
 def build_app(
-    tree,
-    authentication=None,
+    tree: MapAdapter,
     server_settings: Optional[Settings] = None,
     query_registry: Optional[QueryRegistry] = None,
     serialization_registry: Optional[SerializationRegistry] = None,
     deserialization_registry: Optional[SerializationRegistry] = None,
     compression_registry: Optional[CompressionRegistry] = None,
     validation_registry: Optional[ValidationRegistry] = None,
     tasks=None,
-    scalable=False,
+    scalable: bool = False,
 ):
     """
     Serve a Tree
@@ -125,12 +124,7 @@ def build_app(
     server_settings: Settings, optional
         Dict of other server configuration.
     """
-    authentication = authentication or {}
-    authenticators: dict[str, Union[ExternalAuthenticator, InternalAuthenticator]] = {
-        spec["provider"]: spec["authenticator"]
-        for spec in authentication.get("providers", [])
-    }
-    server_settings = server_settings or {}
+    server_settings = server_settings or get_settings()
     query_registry = query_registry or default_query_registry
     serialization_registry = serialization_registry or default_serialization_registry
     deserialization_registry = (

tiled/server/settings.py

@@ -7,6 +7,18 @@
 from pydantic.dataclasses import dataclass
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+from tiled.server.protocols import ExternalAuthenticator, InternalAuthenticator
+
+
+class Admin(BaseModel):
+    provider: str
+    id: str
+
+
+class AuthenticatorInfo(BaseModel):
+    provider: str
+    authenticator: InternalAuthenticator | ExternalAuthenticator
+
 
 # hashable cache key for use in tiled.authn_database.connection_pool
 @dataclass(unsafe_hash=True)
@@ -31,7 +43,7 @@ class Settings(BaseSettings):
     tree: Any = None
     allow_anonymous_access: bool = False
     allow_origins: List[str] = Field(default_factory=list)
-    authenticator: Any = None
+    authenticators: list[AuthenticatorInfo] = Field(default_factory=list)
     # These 'single user' settings are only applicable if authenticator is None.
     single_user_api_key: str = secrets.token_hex(32)
     # The first key will be used for encryption. Each key will be tried in turn for decryption.