credentials are scoped

Author: ehigham

hail/src/main/scala/is/hail/io/fs/AzureStorageFS.scala

@@ -12,6 +12,7 @@ import is.hail.shadedazure.com.azure.storage.blob.models.{
   BlobItem, BlobRange, BlobStorageException, ListBlobsOptions,
 }
 import is.hail.shadedazure.com.azure.storage.blob.specialized.BlockBlobClient
+import is.hail.utils.FastSeq
 
 import scala.collection.JavaConverters._
 import scala.collection.mutable
@@ -58,6 +59,9 @@ object AzureStorageFS {
   private val AZURE_HTTPS_URI_REGEX =
     "^https:\\/\\/([a-z0-9_\\-\\.]+)\\.blob\\.core\\.windows\\.net\\/([a-z0-9_\\-\\.]+)(\\/.*)?".r
 
+  val RequiredOAuthScopes: IndexedSeq[String] =
+    FastSeq("https://storage.azure.com/.default")
+
   def parseUrl(filename: String): AzureStorageFSURL = {
     AZURE_HTTPS_URI_REGEX
       .findFirstMatchIn(filename)

hail/src/main/scala/is/hail/io/fs/GoogleStorageFS.scala

@@ -44,6 +44,9 @@ object GoogleStorageFS {
 
   private[this] val GCS_URI_REGEX = "^gs:\\/\\/([a-z0-9_\\-\\.]+)(\\/.*)?".r
 
+  val RequiredOAuthScopes: IndexedSeq[String] =
+    FastSeq("https://www.googleapis.com/auth/devstorage.read_write")
+
   def parseUrl(filename: String): GoogleStorageFSURL = {
     val scheme = filename.split(":")(0)
     if (scheme == null || scheme != "gs") {

hail/src/main/scala/is/hail/io/fs/RouterFS.scala

@@ -52,13 +52,18 @@ object RouterFS {
   def buildRoutes(cloudConfig: CloudStorageFSConfig, env: Map[String, String] = sys.env): FS =
     new RouterFS(
       IndexedSeq.concat(
-        cloudConfig.google.map { case GoogleStorageFSConfig(path, maybeRequesterPaysConfig) =>
-          new GoogleStorageFS(GoogleCloudCredentials(path), maybeRequesterPaysConfig)
+        cloudConfig.google.map { case GoogleStorageFSConfig(path, mRPConfig) =>
+          new GoogleStorageFS(
+            GoogleCloudCredentials(path, GoogleStorageFS.RequiredOAuthScopes, env),
+            mRPConfig,
+          )
         },
         cloudConfig.azure.map { case AzureStorageFSConfig(path) =>
-          val cred = AzureCloudCredentials(path)
-          if (env.contains("HAIL_TERRA")) new TerraAzureStorageFS(cred)
-          else new AzureStorageFS(cred)
+          if (env.contains("HAIL_TERRA")) {
+            val creds = AzureCloudCredentials(path, TerraAzureStorageFS.RequiredOAuthScopes, env)
+            new TerraAzureStorageFS(creds)
+          } else
+            new AzureStorageFS(AzureCloudCredentials(path, AzureStorageFS.RequiredOAuthScopes, env))
         },
         FastSeq(new HadoopFS(new SerializableHadoopConfiguration(new Configuration()))),
       )

hail/src/main/scala/is/hail/io/fs/TerraAzureStorageFS.scala

@@ -15,6 +15,9 @@ import org.json4s.jackson.JsonMethods
 
 object TerraAzureStorageFS {
   private val TEN_MINUTES_IN_MS = 10 * 60 * 1000
+
+  val RequiredOAuthScopes: IndexedSeq[String] =
+    FastSeq("https://management.azure.com/.default")
 }
 
 class TerraAzureStorageFS(credential: AzureCloudCredentials) extends AzureStorageFS(credential) {
@@ -55,8 +58,7 @@ class TerraAzureStorageFS(credential: AzureCloudCredentials) extends AzureStorag
     val url =
       s"$workspaceManagerUrl/api/workspaces/v1/$workspaceId/resources/controlled/azure/storageContainer/$containerResourceId/getSasToken"
     val req = new HttpPost(url)
-    val token = credential.accessToken(FastSeq("https://management.azure.com/.default"))
-    req.addHeader("Authorization", s"Bearer $token")
+    req.addHeader("Authorization", s"Bearer ${credential.accessToken}")
 
     val tenHoursInSeconds = 10 * 3600
     val expiration = System.currentTimeMillis() + tenHoursInSeconds * 1000

hail/src/main/scala/is/hail/services/BatchClient.scala

@@ -1,11 +1,13 @@
 package is.hail.services
 
 import is.hail.expr.ir.ByteArrayBuilder
-import is.hail.services.requests.{BatchServiceRequester, Requester}
+import is.hail.services.oauth2.CloudCredentials
+import is.hail.services.requests.Requester
 import is.hail.utils._
 
 import scala.util.Random
 
+import java.net.URL
 import java.nio.charset.StandardCharsets
 import java.nio.file.Path
 
@@ -88,9 +90,29 @@ object JobGroupStates {
 }
 
 object BatchClient {
+
+  private[this] def BatchServiceScopes(env: Map[String, String]): Array[String] =
+    env.get("HAIL_CLOUD") match {
+      case Some("gcp") =>
+        Array(
+          "https://www.googleapis.com/auth/userinfo.profile",
+          "https://www.googleapis.com/auth/userinfo.email",
+          "openid",
+        )
+      case Some("azure") =>
+        env.get("HAIL_AZURE_OAUTH_SCOPE").toArray
+      case Some(cloud) =>
+        throw new IllegalArgumentException(s"Unknown cloud: '$cloud'.")
+      case None =>
+        throw new IllegalArgumentException(s"HAIL_CLOUD must be set.")
+    }
+
   def apply(deployConfig: DeployConfig, credentialsFile: Path, env: Map[String, String] = sys.env)
     : BatchClient =
-    new BatchClient(BatchServiceRequester(deployConfig, credentialsFile, env))
+    new BatchClient(Requester(
+      new URL(deployConfig.baseUrl("batch")),
+      CloudCredentials(credentialsFile, BatchServiceScopes(env), env),
+    ))
 }
 
 case class BatchClient private (req: Requester) extends Logging with AutoCloseable {

hail/src/main/scala/is/hail/services/oauth2.scala

@@ -2,7 +2,9 @@ package is.hail.services
 
 import is.hail.services.oauth2.AzureCloudCredentials.EnvVars.AzureApplicationCredentials
 import is.hail.services.oauth2.GoogleCloudCredentials.EnvVars.GoogleApplicationCredentials
-import is.hail.shadedazure.com.azure.core.credential.{TokenCredential, TokenRequestContext}
+import is.hail.shadedazure.com.azure.core.credential.{
+  AccessToken, TokenCredential, TokenRequestContext,
+}
 import is.hail.shadedazure.com.azure.identity.{
   ClientSecretCredentialBuilder, DefaultAzureCredentialBuilder,
 }
@@ -12,6 +14,7 @@ import scala.collection.JavaConverters._
 
 import java.io.Serializable
 import java.nio.file.{Files, Path}
+import java.time.OffsetDateTime
 
 import com.google.auth.oauth2.{GoogleCredentials, ServiceAccountCredentials}
 import org.json4s.Formats
@@ -20,38 +23,25 @@ import org.json4s.jackson.JsonMethods
 object oauth2 {
 
   sealed trait CloudCredentials extends Product with Serializable {
-    def accessToken(scopes: IndexedSeq[String]): String
+    def accessToken: String
   }
 
-  def CloudCredentials(credentialsPath: Path, env: Map[String, String] = sys.env)
-    : CloudCredentials =
+  def CloudCredentials(
+    keyPath: Path,
+    scopes: IndexedSeq[String],
+    env: Map[String, String] = sys.env,
+  ): CloudCredentials =
     env.get("HAIL_CLOUD") match {
-      case Some("gcp") => GoogleCloudCredentials(Some(credentialsPath))
-      case Some("azure") => AzureCloudCredentials(Some(credentialsPath))
+      case Some("gcp") => GoogleCloudCredentials(Some(keyPath), scopes, env)
+      case Some("azure") => AzureCloudCredentials(Some(keyPath), scopes, env)
       case Some(cloud) => throw new IllegalArgumentException(s"Unknown cloud: '$cloud'")
       case None => throw new IllegalArgumentException(s"HAIL_CLOUD must be set.")
     }
 
-  def CloudScopes(env: Map[String, String] = sys.env): Array[String] =
-    env.get("HAIL_CLOUD") match {
-      case Some("gcp") =>
-        Array(
-          "https://www.googleapis.com/auth/userinfo.profile",
-          "https://www.googleapis.com/auth/userinfo.email",
-          "openid",
-        )
-      case Some("azure") =>
-        sys.env.get("HAIL_AZURE_OAUTH_SCOPE").toArray
-      case Some(cloud) =>
-        throw new IllegalArgumentException(s"Unknown cloud: '$cloud'.")
-      case None =>
-        throw new IllegalArgumentException(s"HAIL_CLOUD must be set.")
-    }
-
   case class GoogleCloudCredentials(value: GoogleCredentials) extends CloudCredentials {
-    override def accessToken(scopes: IndexedSeq[String]): String = {
+    override def accessToken: String = {
       value.refreshIfExpired()
-      value.createScoped(scopes.asJava).getAccessToken.getTokenValue
+      value.getAccessToken.getTokenValue
     }
   }
 
@@ -60,40 +50,68 @@ object oauth2 {
       val GoogleApplicationCredentials = "GOOGLE_APPLICATION_CREDENTIALS"
     }
 
-    def apply(keyPath: Option[Path], env: Map[String, String] = sys.env): GoogleCloudCredentials =
-      GoogleCloudCredentials(
-        keyPath.orElse(env.get(GoogleApplicationCredentials).map(Path.of(_))) match {
-          case Some(path) => using(Files.newInputStream(path))(ServiceAccountCredentials.fromStream)
-          case None => GoogleCredentials.getApplicationDefault
-        }
-      )
+    def apply(keyPath: Option[Path], scopes: IndexedSeq[String], env: Map[String, String] = sys.env)
+      : GoogleCloudCredentials =
+      GoogleCloudCredentials {
+        val creds: GoogleCredentials =
+          keyPath.orElse(env.get(GoogleApplicationCredentials).map(Path.of(_))) match {
+            case Some(path) =>
+              using(Files.newInputStream(path))(ServiceAccountCredentials.fromStream)
+            case None =>
+              GoogleCredentials.getApplicationDefault
+          }
+
+        creds.createScoped(scopes: _*)
+      }
   }
 
   sealed trait AzureCloudCredentials extends CloudCredentials {
+
     def value: TokenCredential
+    def scopes: IndexedSeq[String]
+
+    @transient private[this] var token: AccessToken = _
+
+    override def accessToken: String = {
+      refreshIfRequired()
+      token.getToken
+    }
+
+    private[this] def refreshIfRequired(): Unit =
+      if (!isExpired) token.getToken
+      else synchronized {
+        if (isExpired) {
+          token = value.getTokenSync(new TokenRequestContext().setScopes(scopes.asJava))
+        }
+
+        token.getToken
+      }
 
-    override def accessToken(scopes: IndexedSeq[String]): String =
-      value.getTokenSync(new TokenRequestContext().setScopes(scopes.asJava)).getToken
+    private[this] def isExpired: Boolean =
+      token == null || OffsetDateTime.now.plusHours(1).isBefore(token.getExpiresAt)
   }
 
   object AzureCloudCredentials {
     object EnvVars {
       val AzureApplicationCredentials = "AZURE_APPLICATION_CREDENTIALS"
     }
 
-    def apply(keyPath: Option[Path], env: Map[String, String] = sys.env): AzureCloudCredentials =
+    def apply(keyPath: Option[Path], scopes: IndexedSeq[String], env: Map[String, String] = sys.env)
+      : AzureCloudCredentials =
       keyPath.orElse(env.get(AzureApplicationCredentials).map(Path.of(_))) match {
-        case Some(path) => AzureClientSecretCredentials(path)
-        case None => AzureDefaultCredentials
+        case Some(path) => AzureClientSecretCredentials(path, scopes)
+        case None => AzureDefaultCredentials(scopes)
       }
   }
 
-  private case object AzureDefaultCredentials extends AzureCloudCredentials {
+  private case class AzureDefaultCredentials(scopes: IndexedSeq[String])
+      extends AzureCloudCredentials {
     @transient override lazy val value: TokenCredential =
       new DefaultAzureCredentialBuilder().build()
   }
 
-  private case class AzureClientSecretCredentials(path: Path) extends AzureCloudCredentials {
+  private case class AzureClientSecretCredentials(path: Path, scopes: IndexedSeq[String])
+      extends AzureCloudCredentials {
     @transient override lazy val value: TokenCredential =
       using(Files.newInputStream(path)) { is =>
         implicit val fmts: Formats = defaultJSONFormats

hail/src/main/scala/is/hail/services/requests.scala

@@ -1,10 +1,9 @@
 package is.hail.services
 
-import is.hail.services.oauth2.{CloudCredentials, CloudScopes}
+import is.hail.services.oauth2.CloudCredentials
 import is.hail.utils.{log, _}
 
 import java.net.URL
-import java.nio.file.Path
 
 import org.apache.http.{HttpEntity, HttpEntityEnclosingRequest}
 import org.apache.http.client.config.RequestConfig
@@ -30,15 +29,7 @@ object requests {
 
   private[this] val TIMEOUT_MS = 5 * 1000
 
-  def BatchServiceRequester(conf: DeployConfig, keyFile: Path, env: Map[String, String] = sys.env)
-    : Requester =
-    Requester(
-      new URL(conf.baseUrl("batch")),
-      CloudCredentials(keyFile, env),
-      CloudScopes(env),
-    )
-
-  def Requester(baseUrl: URL, cred: CloudCredentials, scopes: IndexedSeq[String]): Requester = {
+  def Requester(baseUrl: URL, cred: CloudCredentials): Requester = {
 
     val httpClient: CloseableHttpClient = {
       log.info("creating HttpClient")
@@ -67,7 +58,7 @@ object requests {
 
     def request(req: HttpUriRequest, body: Option[HttpEntity] = None): JValue = {
       log.info(s"request ${req.getMethod} ${req.getURI}")
-      req.addHeader("Authorization", s"Bearer ${cred.accessToken(scopes)}")
+      req.addHeader("Authorization", s"Bearer ${cred.accessToken}")
       body.foreach(entity => req.asInstanceOf[HttpEntityEnclosingRequest].setEntity(entity))
       retryTransientErrors {
         using(httpClient.execute(req)) { resp =>

hail/src/test/scala/is/hail/io/fs/AzureStorageFSSuite.scala

@@ -16,7 +16,8 @@ class AzureStorageFSSuite extends FSSuite {
     }
   }
 
-  lazy val fs = new AzureStorageFS(AzureCloudCredentials(None))
+  override lazy val fs: FS =
+    new AzureStorageFS(AzureCloudCredentials(None, AzureStorageFS.RequiredOAuthScopes))
 
   @Test def testMakeQualified(): Unit = {
     val qualifiedFileName = "https://account.blob.core.windows.net/container/path"

hail/src/test/scala/is/hail/io/fs/GoogleStorageFSSuite.scala

@@ -17,7 +17,8 @@ class GoogleStorageFSSuite extends TestNGSuite with FSSuite {
     }
   }
 
-  lazy val fs = new GoogleStorageFS(GoogleCloudCredentials(None), None)
+  override lazy val fs: FS =
+    new GoogleStorageFS(GoogleCloudCredentials(None, GoogleStorageFS.RequiredOAuthScopes), None)
 
   @Test def testMakeQualified(): Unit = {
     val qualifiedFileName = "gs://bucket/path"

hail/src/test/scala/is/hail/services/BatchClientSuite.scala

@@ -6,29 +6,31 @@ import java.nio.file.Path
 
 import org.scalatestplus.testng.TestNGSuite
 import org.testng.annotations.Test
+import sourcecode.FullName
 
 class BatchClientSuite extends TestNGSuite {
   @Test def testBasic(): Unit =
-    using(BatchClient(DeployConfig.get(), Path.of("/test-gsa-key/key.json"))) { client =>
+    using(BatchClient(DeployConfig.get(), Path.of("/tmp/test-gsa-key/key.json"))) { client =>
       val jobGroup = client.run(
         BatchRequest(
           billing_project = "test",
-          n_jobs = 1,
+          n_jobs = 0,
           token = tokenUrlSafe,
+          attributes = Map("name" -> s"Test ${implicitly[FullName].value}"),
         ),
         JobGroupRequest(
-          job_group_id = 0,
+          job_group_id = 1,
           absolute_parent_id = 0,
         ),
         FastSeq(
           JobRequest(
-            job_id = 0,
+            job_id = 1,
             always_run = false,
             in_update_job_group_id = 0,
             in_update_parent_ids = Array(),
             process = BashJob(
               image = "ubuntu:22.04",
-              command = Array("/bin/bash", "-c", "'hello, world!"),
+              command = Array("/bin/bash", "-c", "echo 'hello, hail!'"),
             ),
           )
         ),