Api change (#2888)

* token authorization update

* update token

* token authorization plugin test

* fix format

* add key file generation at default

* fix format

* updated token plugin

* fixed file delete

* fixed imports

* added custom expection

* fix format

* token handler

* fix doc

* fixed handler

* added integration tests

* Added integration tests

* updating token auth

* small changes to token auth

* fixing changes

* changed keyfile to dictionary and updated readme and tests

* remove comments

* changes to tests

* added config file

* reduce time for expiration test

* change test to mnist

* removing install from src

* final test change

* Fix spellcheck

---------

Co-authored-by: Ubuntu <ubuntu@ip-172-31-11-32.us-west-2.compute.internal>
Co-authored-by: Matthias Reso <13337103+mreso@users.noreply.github.com>

Author: 3 people

docs/token_authorization_api.md

@@ -0,0 +1,50 @@
+# TorchServe token authorization API
+
+## Configuration
+1. Enable token authorization by adding the provided plugin at start using the `--plugins-path` command.
+2. Torchserve will enable token authorization if the plugin is provided. In the current working directory a file `key_file.json` will be generated.
+    1. Example key file:
+
+```python
+  {
+  "management": {
+    "key": "B-E5KSRM",
+    "expiration time": "2024-02-16T21:12:24.801167Z"
+  },
+  "inference": {
+    "key": "gNRuA7dS",
+    "expiration time": "2024-02-16T21:12:24.801148Z"
+  },
+  "API": {
+    "key": "yv9uQajP"
+  }
+}
+```
+
+3. There are 3 keys and each have a different use.
+    1. Management key: Used for management APIs. Example:
+    `curl http://localhost:8081/models/densenet161 -H "Authorization: Bearer I_J_ItMb"`
+    2. Inference key: Used for inference APIs. Example:
+    `curl http://127.0.0.1:8080/predictions/densenet161 -T examples/image_classifier/kitten.jpg -H "Authorization: Bearer FINhR1fj"`
+    3. API key: Used for the token authorization API. Check section 4 for API use.
+4. The plugin also includes an API in order to generate a new key to replace either the management or inference key.
+    1. Management Example:
+    `curl localhost:8081/token?type=management -H "Authorization: Bearer m4M-5IBY"` will replace the current management key in the key_file with a new one and will update the expiration time.
+    2. Inference example:
+    `curl localhost:8081/token?type=inference -H "Authorization: Bearer m4M-5IBY"`
+
+    Users will have to use either one of the APIs above.
+
+5. When users shut down the server the key_file will be deleted.
+
+
+## Customization
+Torchserve offers various ways to customize the token authorization to allow owners to reach the desired result.
+1. Time to expiration is set to default at 60 minutes but can be changed in the config.properties by adding `token_expiration_min`. Ex:`token_expiration_min=30`
+2. The token authorization code is consolidated in the plugin and thus can be changed without impacting the frontend or end result. The only thing the user cannot change is:
+    1. The urlPattern for the plugin must be 'token' and the class name must not change
+    2. The `generateKeyFile`, `checkTokenAuthorization`, and `setTime` functions return type and signature must not change. However, the code in the functions can be modified depending on user necessity.
+
+## Notes
+1. DO NOT MODIFY THE KEY FILE. Modifying the key file might impact reading and writing to the file thus preventing new keys from properly being displayed in the file.
+2. 3 tokens allow the owner with the most flexibility in use and enables them to adapt the tokens to their use. Owners of the server can provide users with the inference token if users should not mess with models. The owner can also provide owners with the management key if owners want users to add and remove models.

frontend/archive/src/main/java/org/pytorch/serve/archive/model/InvalidKeyException.java

@@ -0,0 +1,32 @@
+package org.pytorch.serve.archive.model;
+
+public class InvalidKeyException extends ModelException {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Constructs an {@code InvalidKeyException} with the specified detail message.
+     *
+     * @param message The detail message (which is saved for later retrieval by the {@link
+     *     #getMessage()} method)
+     */
+    public InvalidKeyException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs an {@code InvalidKeyException} with the specified detail message and cause.
+     *
+     * <p>Note that the detail message associated with {@code cause} is <i>not</i> automatically
+     * incorporated into this exception's detail message.
+     *
+     * @param message The detail message (which is saved for later retrieval by the {@link
+     *     #getMessage()} method)
+     * @param cause The cause (which is saved for later retrieval by the {@link #getCause()}
+     *     method). (A null value is permitted, and indicates that the cause is nonexistent or
+     *     unknown.)
+     */
+    public InvalidKeyException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

frontend/server/src/main/java/org/pytorch/serve/ServerInitializer.java

@@ -10,6 +10,7 @@
 import org.pytorch.serve.http.HttpRequestHandler;
 import org.pytorch.serve.http.HttpRequestHandlerChain;
 import org.pytorch.serve.http.InvalidRequestHandler;
+import org.pytorch.serve.http.TokenAuthorizationHandler;
 import org.pytorch.serve.http.api.rest.ApiDescriptionRequestHandler;
 import org.pytorch.serve.http.api.rest.InferenceRequestHandler;
 import org.pytorch.serve.http.api.rest.ManagementRequestHandler;
@@ -18,6 +19,7 @@
 import org.pytorch.serve.servingsdk.impl.PluginsManager;
 import org.pytorch.serve.util.ConfigManager;
 import org.pytorch.serve.util.ConnectorType;
+import org.pytorch.serve.util.TokenType;
 import org.pytorch.serve.workflow.api.http.WorkflowInferenceRequestHandler;
 import org.pytorch.serve.workflow.api.http.WorkflowMgmtRequestHandler;
 import org.slf4j.Logger;
@@ -63,6 +65,9 @@ public void initChannel(Channel ch) {
         HttpRequestHandlerChain httpRequestHandlerChain = apiDescriptionRequestHandler;
         if (ConnectorType.ALL.equals(connectorType)
                 || ConnectorType.INFERENCE_CONNECTOR.equals(connectorType)) {
+            httpRequestHandlerChain =
+                    httpRequestHandlerChain.setNextHandler(
+                            new TokenAuthorizationHandler(TokenType.INFERENCE));
             httpRequestHandlerChain =
                     httpRequestHandlerChain.setNextHandler(
                             new InferenceRequestHandler(
@@ -80,6 +85,9 @@ public void initChannel(Channel ch) {
         }
         if (ConnectorType.ALL.equals(connectorType)
                 || ConnectorType.MANAGEMENT_CONNECTOR.equals(connectorType)) {
+            httpRequestHandlerChain =
+                    httpRequestHandlerChain.setNextHandler(
+                            new TokenAuthorizationHandler(TokenType.MANAGEMENT));
             httpRequestHandlerChain =
                     httpRequestHandlerChain.setNextHandler(
                             new ManagementRequestHandler(

frontend/server/src/main/java/org/pytorch/serve/http/TokenAuthorizationHandler.java

@@ -0,0 +1,103 @@
+package org.pytorch.serve.http;
+
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.QueryStringDecoder;
+import java.lang.reflect.*;
+import org.pytorch.serve.archive.DownloadArchiveException;
+import org.pytorch.serve.archive.model.InvalidKeyException;
+import org.pytorch.serve.archive.model.ModelException;
+import org.pytorch.serve.archive.workflow.WorkflowException;
+import org.pytorch.serve.util.ConfigManager;
+import org.pytorch.serve.util.TokenType;
+import org.pytorch.serve.wlm.WorkerInitializationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A class handling token check for all inbound HTTP requests
+ *
+ * <p>This class //
+ */
+public class TokenAuthorizationHandler extends HttpRequestHandlerChain {
+
+    private static final Logger logger = LoggerFactory.getLogger(TokenAuthorizationHandler.class);
+    private static TokenType tokenType;
+    private static Boolean tokenEnabled = false;
+    private static Class<?> tokenClass;
+    private static Object tokenObject;
+    private static Double timeToExpirationMinutes = 60.0;
+
+    /** Creates a new {@code InferenceRequestHandler} instance. */
+    public TokenAuthorizationHandler(TokenType type) {
+        tokenType = type;
+    }
+
+    @Override
+    public void handleRequest(
+            ChannelHandlerContext ctx,
+            FullHttpRequest req,
+            QueryStringDecoder decoder,
+            String[] segments)
+            throws ModelException, DownloadArchiveException, WorkflowException,
+                    WorkerInitializationException {
+        if (tokenEnabled) {
+            if (tokenType == TokenType.MANAGEMENT) {
+                if (req.toString().contains("/token")) {
+                    checkTokenAuthorization(req, "token");
+                } else {
+                    checkTokenAuthorization(req, "management");
+                }
+            } else if (tokenType == TokenType.INFERENCE) {
+                checkTokenAuthorization(req, "inference");
+            }
+        }
+        chain.handleRequest(ctx, req, decoder, segments);
+    }
+
+    public static void setupTokenClass() {
+        try {
+            tokenClass = Class.forName("org.pytorch.serve.plugins.endpoint.Token");
+            tokenObject = tokenClass.getDeclaredConstructor().newInstance();
+            Method method = tokenClass.getMethod("setTime", Double.class);
+            Double time = ConfigManager.getInstance().getTimeToExpiration();
+            if (time != 0.0) {
+                timeToExpirationMinutes = time;
+            }
+            method.invoke(tokenObject, timeToExpirationMinutes);
+            method = tokenClass.getMethod("generateKeyFile", String.class);
+            if ((boolean) method.invoke(tokenObject, "token")) {
+                logger.info("TOKEN CLASS IMPORTED SUCCESSFULLY");
+            }
+        } catch (NoSuchMethodException
+                | IllegalAccessException
+                | InstantiationException
+                | InvocationTargetException
+                | ClassNotFoundException e) {
+            e.printStackTrace();
+            logger.error("TOKEN CLASS IMPORTED UNSUCCESSFULLY");
+            throw new IllegalStateException("Unable to import token class", e);
+        }
+        tokenEnabled = true;
+    }
+
+    private void checkTokenAuthorization(FullHttpRequest req, String type) throws ModelException {
+
+        try {
+            Method method =
+                    tokenClass.getMethod(
+                            "checkTokenAuthorization",
+                            io.netty.handler.codec.http.FullHttpRequest.class,
+                            String.class);
+            boolean result = (boolean) (method.invoke(tokenObject, req, type));
+            if (!result) {
+                throw new InvalidKeyException(
+                        "Token Authentication failed. Token either incorrect, expired, or not provided correctly");
+            }
+        } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
+            e.printStackTrace();
+            throw new InvalidKeyException(
+                    "Token Authentication failed. Token either incorrect, expired, or not provided correctly");
+        }
+    }
+}

frontend/server/src/main/java/org/pytorch/serve/http/api/rest/ApiDescriptionRequestHandler.java

@@ -30,7 +30,6 @@ public void handleRequest(
             String[] segments)
             throws ModelException, DownloadArchiveException, WorkflowException,
                     WorkerInitializationException {
-
         if (isApiDescription(segments)) {
             String path = decoder.path();
             if (("/".equals(path) && HttpMethod.OPTIONS.equals(req.method()))

frontend/server/src/main/java/org/pytorch/serve/servingsdk/impl/PluginsManager.java

@@ -5,6 +5,7 @@
 import java.util.Map;
 import java.util.ServiceLoader;
 import org.pytorch.serve.http.InvalidPluginException;
+import org.pytorch.serve.http.TokenAuthorizationHandler;
 import org.pytorch.serve.servingsdk.ModelServerEndpoint;
 import org.pytorch.serve.servingsdk.annotations.Endpoint;
 import org.pytorch.serve.servingsdk.annotations.helpers.EndpointTypes;
@@ -30,6 +31,9 @@ public void initialize() {
         logger.info("Initializing plugins manager...");
         inferenceEndpoints = initInferenceEndpoints();
         managementEndpoints = initManagementEndpoints();
+        if (managementEndpoints.containsKey("token")) {
+            TokenAuthorizationHandler.setupTokenClass();
+        }
     }
 
     private boolean validateEndpointPlugin(Annotation a, EndpointTypes type) {

frontend/server/src/main/java/org/pytorch/serve/util/ConfigManager.java

@@ -107,6 +107,7 @@ public final class ConfigManager {
     private static final String TS_WORKFLOW_STORE = "workflow_store";
     private static final String TS_CPP_LOG_CONFIG = "cpp_log_config";
     private static final String TS_OPEN_INFERENCE_PROTOCOL = "ts_open_inference_protocol";
+    private static final String TS_TOKEN_EXPIRATION_TIME_MIN = "token_expiration_min";
 
     // Configuration which are not documented or enabled through environment variables
     private static final String USE_NATIVE_IO = "use_native_io";
@@ -859,6 +860,17 @@ public boolean isSnapshotDisabled() {
         return snapshotDisabled;
     }
 
+    public Double getTimeToExpiration() {
+        if (prop.getProperty(TS_TOKEN_EXPIRATION_TIME_MIN) != null) {
+            try {
+                return Double.valueOf(prop.getProperty(TS_TOKEN_EXPIRATION_TIME_MIN));
+            } catch (NumberFormatException e) {
+                logger.error("Token expiration not a valid integer");
+            }
+        }
+        return 0.0;
+    }
+
     public boolean isSSLEnabled(ConnectorType connectorType) {
         String address = prop.getProperty(TS_INFERENCE_ADDRESS, "http://127.0.0.1:8080");
         switch (connectorType) {

frontend/server/src/main/java/org/pytorch/serve/util/TokenType.java

@@ -0,0 +1,7 @@
+package org.pytorch.serve.util;
+
+public enum TokenType {
+    INFERENCE,
+    MANAGEMENT,
+    TOKEN_API
+}

frontend/server/src/main/java/org/pytorch/serve/workflow/api/http/WorkflowInferenceRequestHandler.java

@@ -80,6 +80,7 @@ public void handleRequest(
             String[] segments)
             throws ModelException, DownloadArchiveException, WorkflowException,
                     WorkerInitializationException {
+
         if ("wfpredict".equalsIgnoreCase(segments[1])) {
             if (segments.length < 3) {
                 throw new ResourceNotFoundException();

frontend/server/src/main/java/org/pytorch/serve/workflow/api/http/WorkflowMgmtRequestHandler.java

@@ -63,6 +63,7 @@ public void handleRequest(
             String[] segments)
             throws ModelException, DownloadArchiveException, WorkflowException,
                     WorkerInitializationException {
+
         if (isManagementReq(segments)) {
             if (!"workflows".equals(segments[1])) {
                 throw new ResourceNotFoundException();

plugins/endpoints/build.gradle

@@ -1,6 +1,7 @@
 dependencies {
     implementation "com.google.code.gson:gson:${gson_version}"
     implementation "org.pytorch:torchserve-plugins-sdk:${torchserve_sdk_version}"
+    implementation "io.netty:netty-all:4.1.53.Final"
 }
 
 project.ext{
@@ -16,4 +17,3 @@ jar {
     exclude "META-INF//LICENSE*"
     exclude "META-INF//NOTICE*"
 }
-

plugins/endpoints/src/main/java/org/pytorch/serve/plugins/endpoint/Token.java

@@ -0,0 +1,223 @@
+package org.pytorch.serve.plugins.endpoint;
+
+// import java.util.Properties;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonObject;
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.QueryStringDecoder;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.security.SecureRandom;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.pytorch.serve.servingsdk.Context;
+import org.pytorch.serve.servingsdk.ModelServerEndpoint;
+import org.pytorch.serve.servingsdk.annotations.Endpoint;
+import org.pytorch.serve.servingsdk.annotations.helpers.EndpointTypes;
+import org.pytorch.serve.servingsdk.http.Request;
+import org.pytorch.serve.servingsdk.http.Response;
+
+// import org.pytorch.serve.util.TokenType;
+
+@Endpoint(
+        urlPattern = "token",
+        endpointType = EndpointTypes.MANAGEMENT,
+        description = "Token authentication endpoint")
+public class Token extends ModelServerEndpoint {
+    private static String apiKey;
+    private static String managementKey;
+    private static String inferenceKey;
+    private static Instant managementExpirationTimeMinutes;
+    private static Instant inferenceExpirationTimeMinutes;
+    private static Double timeToExpirationMinutes;
+    private SecureRandom secureRandom = new SecureRandom();
+    private Base64.Encoder baseEncoder = Base64.getUrlEncoder();
+    private String fileName = "key_file.json";
+
+    @Override
+    public void doGet(Request req, Response rsp, Context ctx) throws IOException {
+        String queryResponse = parseQuery(req);
+        String test = "";
+        if ("management".equals(queryResponse)) {
+            generateKeyFile("management");
+        } else if ("inference".equals(queryResponse)) {
+            generateKeyFile("inference");
+        } else {
+            test = "{\n\t\"Error\": " + queryResponse + "\n}\n";
+        }
+        rsp.getOutputStream().write(test.getBytes(StandardCharsets.UTF_8));
+    }
+
+    // parses query and either returns management/inference or a wrong type error
+    public String parseQuery(Request req) {
+        QueryStringDecoder decoder = new QueryStringDecoder(req.getRequestURI());
+        Map<String, List<String>> parameters = decoder.parameters();
+        List<String> values = parameters.get("type");
+        if (values != null && !values.isEmpty()) {
+            if ("management".equals(values.get(0)) || "inference".equals(values.get(0))) {
+                return values.get(0);
+            } else {
+                return "WRONG TYPE";
+            }
+        }
+        return "NO TYPE PROVIDED";
+    }
+
+    public String generateKey() {
+        byte[] randomBytes = new byte[6];
+        secureRandom.nextBytes(randomBytes);
+        return baseEncoder.encodeToString(randomBytes);
+    }
+
+    public Instant generateTokenExpiration() {
+        long secondsToAdd = (long) (timeToExpirationMinutes * 60);
+        return Instant.now().plusSeconds(secondsToAdd);
+    }
+
+    // generates a key file with new keys depending on the parameter provided
+    public boolean generateKeyFile(String type) throws IOException {
+        String userDirectory = System.getProperty("user.dir") + "/" + fileName;
+        File file = new File(userDirectory);
+        if (!file.createNewFile() && !file.exists()) {
+            return false;
+        }
+        if (apiKey == null) {
+            apiKey = generateKey();
+        }
+        switch (type) {
+            case "management":
+                managementKey = generateKey();
+                managementExpirationTimeMinutes = generateTokenExpiration();
+                break;
+            case "inference":
+                inferenceKey = generateKey();
+                inferenceExpirationTimeMinutes = generateTokenExpiration();
+                break;
+            default:
+                managementKey = generateKey();
+                inferenceKey = generateKey();
+                inferenceExpirationTimeMinutes = generateTokenExpiration();
+                managementExpirationTimeMinutes = generateTokenExpiration();
+        }
+
+        JsonObject parentObject = new JsonObject();
+
+        JsonObject managementObject = new JsonObject();
+        managementObject.addProperty("key", managementKey);
+        managementObject.addProperty("expiration time", managementExpirationTimeMinutes.toString());
+        parentObject.add("management", managementObject);
+
+        JsonObject inferenceObject = new JsonObject();
+        inferenceObject.addProperty("key", inferenceKey);
+        inferenceObject.addProperty("expiration time", inferenceExpirationTimeMinutes.toString());
+        parentObject.add("inference", inferenceObject);
+
+        JsonObject apiObject = new JsonObject();
+        apiObject.addProperty("key", apiKey);
+        parentObject.add("API", apiObject);
+
+        Files.write(
+                Paths.get(fileName),
+                new GsonBuilder()
+                        .setPrettyPrinting()
+                        .create()
+                        .toJson(parentObject)
+                        .getBytes(StandardCharsets.UTF_8));
+
+        if (!setFilePermissions()) {
+            try {
+                Files.delete(Paths.get(fileName));
+            } catch (IOException e) {
+                return false;
+            }
+            return false;
+        }
+        return true;
+    }
+
+    public boolean setFilePermissions() {
+        Path path = Paths.get(fileName);
+        try {
+            Set<PosixFilePermission> permissions = PosixFilePermissions.fromString("rw-------");
+            Files.setPosixFilePermissions(path, permissions);
+        } catch (Exception e) {
+            return false;
+        }
+        return true;
+    }
+
+    // checks the token provided in the http with the saved keys depening on parameters
+    public boolean checkTokenAuthorization(FullHttpRequest req, String type) {
+        String key;
+        Instant expiration;
+        switch (type) {
+            case "token":
+                key = apiKey;
+                expiration = null;
+                break;
+            case "management":
+                key = managementKey;
+                expiration = managementExpirationTimeMinutes;
+                break;
+            default:
+                key = inferenceKey;
+                expiration = inferenceExpirationTimeMinutes;
+        }
+
+        String tokenBearer = req.headers().get("Authorization");
+        if (tokenBearer == null) {
+            return false;
+        }
+        String[] arrOfStr = tokenBearer.split(" ", 2);
+        if (arrOfStr.length == 1) {
+            return false;
+        }
+        String token = arrOfStr[1];
+
+        if (token.equals(key)) {
+            if (expiration != null && isTokenExpired(expiration)) {
+                return false;
+            }
+        } else {
+            return false;
+        }
+        return true;
+    }
+
+    public boolean isTokenExpired(Instant expirationTime) {
+        return !(Instant.now().isBefore(expirationTime));
+    }
+
+    public String getManagementKey() {
+        return managementKey;
+    }
+
+    public String getInferenceKey() {
+        return inferenceKey;
+    }
+
+    public String getKey() {
+        return apiKey;
+    }
+
+    public Instant getInferenceExpirationTime() {
+        return inferenceExpirationTimeMinutes;
+    }
+
+    public Instant getManagementExpirationTime() {
+        return managementExpirationTimeMinutes;
+    }
+
+    public void setTime(Double time) {
+        timeToExpirationMinutes = time;
+    }
+}

plugins/endpoints/src/main/resources/META-INF/services/org.pytorch.serve.servingsdk.ModelServerEndpoint

@@ -1 +1,2 @@
 org.pytorch.serve.plugins.endpoint.ExecutionParameters
+org.pytorch.serve.plugins.endpoint.Token

plugins/gradle/wrapper/gradle-wrapper.properties

@@ -3,4 +3,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.3-all.zip

plugins/settings.gradle

@@ -9,5 +9,4 @@
 
 rootProject.name = 'plugins'
 include 'endpoints'
-include 'DDBEndPoint'
-
+// include 'DDBEndPoint'

test/pytest/test_data/0.png

@@ -0,0 +1,218 @@
+import json
+import os
+import shutil
+import subprocess
+import tempfile
+import time
+from pathlib import Path
+
+import pytest
+import requests
+import test_utils
+
+ROOT_DIR = os.path.join(tempfile.gettempdir(), "workspace")
+REPO_ROOT = os.path.join(os.path.dirname(os.path.abspath(__file__)), "../../")
+data_file_zero = os.path.join(REPO_ROOT, "test/pytest/test_data/0.png")
+config_file = os.path.join(REPO_ROOT, "test/resources/config_token.properties")
+
+
+# Set up token plugin
+def get_plugin_jar():
+    new_folder_path = os.path.join(ROOT_DIR, "plugins-path")
+    plugin_folder = os.path.join(REPO_ROOT, "plugins")
+    os.makedirs(new_folder_path, exist_ok=True)
+    os.chdir(plugin_folder)
+    subprocess.run(["./gradlew", "formatJava"])
+    result = subprocess.run(["./gradlew", "build"])
+    jar_path = os.path.join(plugin_folder, "endpoints/build/libs")
+    jar_file = [file for file in os.listdir(jar_path) if file.endswith(".jar")]
+    if jar_file:
+        shutil.move(
+            os.path.join(jar_path, jar_file[0]),
+            os.path.join(new_folder_path, jar_file[0]),
+        )
+    os.chdir(REPO_ROOT)
+
+
+# Parse json file and return key
+def read_key_file(type):
+    json_file_path = os.path.join(REPO_ROOT, "key_file.json")
+    with open(json_file_path) as json_file:
+        json_data = json.load(json_file)
+
+    options = {
+        "management": json_data.get("management", {}).get("key", "NOT_PRESENT"),
+        "inference": json_data.get("inference", {}).get("key", "NOT_PRESENT"),
+        "token": json_data.get("API", {}).get("key", "NOT_PRESENT"),
+    }
+    key = options.get(type, "Invalid data type")
+    return key
+
+
+@pytest.fixture(scope="module")
+def setup_torchserve():
+    get_plugin_jar()
+    MODEL_STORE = os.path.join(ROOT_DIR, "model_store/")
+    PLUGIN_STORE = os.path.join(ROOT_DIR, "plugins-path")
+
+    Path(test_utils.MODEL_STORE).mkdir(parents=True, exist_ok=True)
+
+    test_utils.start_torchserve(no_config_snapshots=True, plugin_folder=PLUGIN_STORE)
+
+    key = read_key_file("management")
+    header = {"Authorization": f"Bearer {key}"}
+
+    params = (
+        ("model_name", "mnist"),
+        ("url", "mnist.mar"),
+        ("initial_workers", "1"),
+        ("synchronous", "true"),
+    )
+    response = requests.post(
+        "http://localhost:8081/models", params=params, headers=header
+    )
+    file_content = Path(f"{REPO_ROOT}/key_file.json").read_text()
+    print(file_content)
+
+    yield "test"
+
+    test_utils.stop_torchserve()
+
+
+@pytest.fixture(scope="module")
+def setup_torchserve_expiration():
+    get_plugin_jar()
+    MODEL_STORE = os.path.join(ROOT_DIR, "model_store/")
+    PLUGIN_STORE = os.path.join(ROOT_DIR, "plugins-path")
+
+    Path(test_utils.MODEL_STORE).mkdir(parents=True, exist_ok=True)
+
+    test_utils.start_torchserve(
+        snapshot_file=config_file, no_config_snapshots=True, plugin_folder=PLUGIN_STORE
+    )
+
+    key = read_key_file("management")
+    header = {"Authorization": f"Bearer {key}"}
+
+    params = (
+        ("model_name", "mnist"),
+        ("url", "mnist.mar"),
+        ("initial_workers", "1"),
+        ("synchronous", "true"),
+    )
+    response = requests.post(
+        "http://localhost:8081/models", params=params, headers=header
+    )
+    file_content = Path(f"{REPO_ROOT}/key_file.json").read_text()
+    print(file_content)
+
+    yield "test"
+
+    test_utils.stop_torchserve()
+
+
+# Test describe model API with token enabled
+def test_managament_api_with_token(setup_torchserve):
+    key = read_key_file("management")
+    header = {"Authorization": f"Bearer {key}"}
+    response = requests.get("http://localhost:8081/models/mnist", headers=header)
+
+    assert response.status_code == 200, "Token check failed"
+
+
+# Test describe model API with incorrect token and no token
+def test_managament_api_with_incorrect_token(setup_torchserve):
+    # Using random key
+    header = {"Authorization": "Bearer abcd1234"}
+    response = requests.get(f"http://localhost:8081/models/mnist", headers=header)
+
+    assert response.status_code == 400, "Token check failed"
+
+
+# Test inference API with token enabled
+def test_inference_api_with_token(setup_torchserve):
+    key = read_key_file("inference")
+    header = {"Authorization": f"Bearer {key}"}
+
+    response = requests.post(
+        url="http://localhost:8080/predictions/mnist",
+        files={"data": open(data_file_zero, "rb")},
+        headers=header,
+    )
+
+    assert response.status_code == 200, "Token check failed"
+
+
+# Test inference API with incorrect token
+def test_inference_api_with_incorrect_token(setup_torchserve):
+    # Using random key
+    header = {"Authorization": "Bearer abcd1234"}
+
+    response = requests.post(
+        url="http://localhost:8080/predictions/mnist",
+        files={"data": open(data_file_zero, "rb")},
+        headers=header,
+    )
+
+    assert response.status_code == 400, "Token check failed"
+
+
+# Test Token API for regenerating new inference key
+def test_token_inference_api(setup_torchserve):
+    token_key = read_key_file("token")
+    inference_key = read_key_file("inference")
+    header_inference = {"Authorization": f"Bearer {inference_key}"}
+    header_token = {"Authorization": f"Bearer {token_key}"}
+    params = {"type": "inference"}
+
+    # check inference works with current token
+    response = requests.post(
+        url="http://localhost:8080/predictions/mnist",
+        files={"data": open(data_file_zero, "rb")},
+        headers=header_inference,
+    )
+    assert response.status_code == 200, "Token check failed"
+
+    # generate new inference token and check it is different
+    response = requests.get(
+        url="http://localhost:8081/token", params=params, headers=header_token
+    )
+    assert response.status_code == 200, "Token check failed"
+    assert inference_key != read_key_file("inference"), "Key file not updated"
+
+    # check inference does not works with original token
+    response = requests.post(
+        url="http://localhost:8080/predictions/mnist",
+        files={"data": open(data_file_zero, "rb")},
+        headers=header_inference,
+    )
+    assert response.status_code == 400, "Token check failed"
+
+
+# Test Token API for regenerating new management key
+def test_token_management_api(setup_torchserve):
+    token_key = read_key_file("token")
+    management_key = read_key_file("management")
+    header = {"Authorization": f"Bearer {token_key}"}
+    params = {"type": "management"}
+
+    response = requests.get(
+        url="http://localhost:8081/token", params=params, headers=header
+    )
+
+    assert management_key != read_key_file("management"), "Key file not updated"
+    assert response.status_code == 200, "Token check failed"
+
+
+# Test expiration time
+@pytest.mark.module2
+def test_token_expiration_time(setup_torchserve_expiration):
+    key = read_key_file("management")
+    header = {"Authorization": f"Bearer {key}"}
+    response = requests.get("http://localhost:8081/models/mnist", headers=header)
+    assert response.status_code == 200, "Token check failed"
+
+    time.sleep(15)
+
+    response = requests.get("http://localhost:8081/models/mnist", headers=header)
+    assert response.status_code == 400, "Token check failed"

test/pytest/test_token_authorization.py

@@ -54,7 +54,11 @@ def run(self):
 
 
 def start_torchserve(
-    model_store=None, snapshot_file=None, no_config_snapshots=False, gen_mar=True
+    model_store=None,
+    snapshot_file=None,
+    no_config_snapshots=False,
+    gen_mar=True,
+    plugin_folder=None,
 ):
     stop_torchserve()
     crate_mar_file_table()
@@ -63,6 +67,8 @@ def start_torchserve(
     if gen_mar:
         mg.gen_mar(model_store)
     cmd.extend(["--model-store", model_store])
+    if plugin_folder:
+        cmd.extend(["--plugins-path", plugin_folder])
     if snapshot_file:
         cmd.extend(["--ts-config", snapshot_file])
     if no_config_snapshots:

test/pytest/test_utils.py

@@ -0,0 +1 @@
+token_expiration_min=0.25

test/resources/config_token.properties

@@ -3,6 +3,7 @@
 """
 
 import os
+import pathlib
 import platform
 import re
 import subprocess
@@ -48,6 +49,7 @@ def start() -> None:
             try:
                 parent = psutil.Process(pid)
                 parent.terminate()
+                pathlib.Path("key_file.json").unlink(missing_ok=True)
                 if args.foreground:
                     try:
                         parent.wait(timeout=60)

ts/model_server.py

@@ -1187,3 +1187,11 @@ FxGraphCache
 TorchInductor
 fx
 locustapache
+FINhR
+IBY
+ItMb
+checkTokenAuthorization
+fj
+generateKeyFile
+setTime
+urlPattern