token handler

Author: udaij12

docs/token_authorization_api.md

@@ -1,8 +1,8 @@
 # TorchServe token authorization API
 
-## Customer Use
+## Configuration
 1. Enable token authorization by adding the provided plugin at start using the `--plugin-path` command.
-2. Torchserve will enable token authorization if the plugin is provided. In the model server home folder a file `key_file.txt` will be generated.
+2. Torchserve will enable token authorization if the plugin is provided. In the current working directory a file `key_file.txt` will be generated.
     1. Example key file:
 
     `Management Key: aadJv_R6 --- Expiration time: 2024-01-16T22:23:32.952499Z`
@@ -11,19 +11,19 @@
 
     `API Key: xryL_Vzs`
 3. There are 3 keys and each have a different use.
-    1. Management key: Used for management apis. Example:
+    1. Management key: Used for management APIs. Example:
     `curl http://localhost:8081/models/densenet161 -H "Authorization: Bearer aadJv_R6"`
-    2. Inference key: Used for inference apis. Example:
+    2. Inference key: Used for inference APIs. Example:
     `curl http://127.0.0.1:8080/predictions/densenet161 -T examples/image_classifier/kitten.jpg -H "Authorization: Bearer poZXAlqe"`
-    3. API key: Used for the token authorization api. Check section 4 for api use.
+    3. API key: Used for the token authorization API. Check section 4 for API use.
     4. 3 tokens allow the owner with the most flexibility in use and enables them to adapt the tokens to their use. Owners of the server can provide users with the inference token if users should not mess with models. The owner can also provide owners with the management key if owners want users to add and remove models.
-4. The plugin also includes an api in order to generate a new key to replace either the management or inference key.
+4. The plugin also includes an API in order to generate a new key to replace either the management or inference key.
     1. Management Example:
     `curl localhost:8081/token?type=management -H "Authorization: Bearer xryL_Vzs"` will replace the current management key in the key_file with a new one and will update the expiration time.
     2. Inference example:
     `curl localhost:8081/token?type=inference -H "Authorization: Bearer xryL_Vzs"`
 
-    Users will have to use either one of the apis above.
+    Users will have to use either one of the APIs above.
 
 5. When users shut down the server the key_file will be deleted.
 

frontend/archive/src/main/java/org/pytorch/serve/archive/model/s3/InvalidKeyException.java frontend/archive/src/main/java/org/pytorch/serve/archive/model/InvalidKeyException.java

@@ -83,11 +83,6 @@ public static void main(String[] args) {
             ConfigManager.init(arguments);
             ConfigManager configManager = ConfigManager.getInstance();
             PluginsManager.getInstance().initialize();
-            Map<String, ModelServerEndpoint> plugins =
-                    PluginsManager.getInstance().getManagementEndpoints();
-            if (plugins.containsKey("token")) {
-                configManager.setupTokenClass();
-            }
             MetricCache.init();
             InternalLoggerFactory.setDefaultFactory(Slf4JLoggerFactory.INSTANCE);
             ModelServer modelServer = new ModelServer(configManager);

frontend/server/src/main/java/org/pytorch/serve/ModelServer.java

@@ -10,13 +10,15 @@
 import org.pytorch.serve.http.HttpRequestHandler;
 import org.pytorch.serve.http.HttpRequestHandlerChain;
 import org.pytorch.serve.http.InvalidRequestHandler;
+import org.pytorch.serve.http.TokenAuthorizationHandler;
 import org.pytorch.serve.http.api.rest.ApiDescriptionRequestHandler;
 import org.pytorch.serve.http.api.rest.InferenceRequestHandler;
 import org.pytorch.serve.http.api.rest.ManagementRequestHandler;
 import org.pytorch.serve.http.api.rest.PrometheusMetricsRequestHandler;
 import org.pytorch.serve.servingsdk.impl.PluginsManager;
 import org.pytorch.serve.util.ConfigManager;
 import org.pytorch.serve.util.ConnectorType;
+import org.pytorch.serve.util.TokenType;
 import org.pytorch.serve.workflow.api.http.WorkflowInferenceRequestHandler;
 import org.pytorch.serve.workflow.api.http.WorkflowMgmtRequestHandler;
 
@@ -59,6 +61,9 @@ public void initChannel(Channel ch) {
         HttpRequestHandlerChain httpRequestHandlerChain = apiDescriptionRequestHandler;
         if (ConnectorType.ALL.equals(connectorType)
                 || ConnectorType.INFERENCE_CONNECTOR.equals(connectorType)) {
+            httpRequestHandlerChain =
+                    httpRequestHandlerChain.setNextHandler(
+                            new TokenAuthorizationHandler(TokenType.INFERENCE));
             httpRequestHandlerChain =
                     httpRequestHandlerChain.setNextHandler(
                             new InferenceRequestHandler(
@@ -68,6 +73,9 @@ public void initChannel(Channel ch) {
         }
         if (ConnectorType.ALL.equals(connectorType)
                 || ConnectorType.MANAGEMENT_CONNECTOR.equals(connectorType)) {
+            httpRequestHandlerChain =
+                    httpRequestHandlerChain.setNextHandler(
+                            new TokenAuthorizationHandler(TokenType.MANAGEMENT));
             httpRequestHandlerChain =
                     httpRequestHandlerChain.setNextHandler(
                             new ManagementRequestHandler(

frontend/server/src/main/java/org/pytorch/serve/ServerInitializer.java

@@ -0,0 +1,107 @@
+package org.pytorch.serve.http;
+
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.http.FullHttpRequest;
+import io.netty.handler.codec.http.QueryStringDecoder;
+import java.lang.reflect.*;
+import org.pytorch.serve.archive.DownloadArchiveException;
+import org.pytorch.serve.archive.model.InvalidKeyException;
+import org.pytorch.serve.archive.model.ModelException;
+import org.pytorch.serve.archive.workflow.WorkflowException;
+import org.pytorch.serve.util.ConfigManager;
+import org.pytorch.serve.util.TokenType;
+import org.pytorch.serve.wlm.WorkerInitializationException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A class handling inbound HTTP requests to the inference API.
+ *
+ * <p>This class //
+ */
+public class TokenAuthorizationHandler extends HttpRequestHandlerChain {
+
+    private static final Logger logger = LoggerFactory.getLogger(TokenAuthorizationHandler.class);
+    private static TokenType tokenType;
+    private static Boolean tokenEnabled;
+    private static Class<?> tokenClass;
+    private static Object tokenObject;
+    private static Integer timeToExpirationMinutes = 60;
+
+    /** Creates a new {@code InferenceRequestHandler} instance. */
+    public TokenAuthorizationHandler(TokenType type) {
+        tokenType = type;
+    }
+
+    @Override
+    public void handleRequest(
+            ChannelHandlerContext ctx,
+            FullHttpRequest req,
+            QueryStringDecoder decoder,
+            String[] segments)
+            throws ModelException, DownloadArchiveException, WorkflowException,
+                    WorkerInitializationException {
+        ConfigManager configManager = ConfigManager.getInstance();
+        if (tokenType == TokenType.MANAGEMENT) {
+            if (req.toString().contains("/token")) {
+                checkTokenAuthorization(req, 0);
+            } else {
+                checkTokenAuthorization(req, 1);
+            }
+        } else if (tokenType == TokenType.INFERENCE) {
+            checkTokenAuthorization(req, 2);
+        }
+        chain.handleRequest(ctx, req, decoder, segments);
+    }
+
+    public static void setupTokenClass() {
+        try {
+            tokenClass = Class.forName("org.pytorch.serve.plugins.endpoint.Token");
+            tokenObject = tokenClass.getDeclaredConstructor().newInstance();
+            Method method = tokenClass.getMethod("setTime", Integer.class);
+            Integer time = ConfigManager.getInstance().getTimeToExpiration();
+            if (time == 0) {
+                timeToExpirationMinutes = time;
+            }
+            method.invoke(tokenObject, timeToExpirationMinutes);
+            method = tokenClass.getMethod("generateKeyFile", Integer.class);
+            if ((boolean) method.invoke(tokenObject, 0)) {
+                logger.info("TOKEN CLASS IMPORTED SUCCESSFULLY");
+            }
+        } catch (ClassNotFoundException e) {
+            logger.error("TOKEN CLASS IMPORTED UNSUCCESSFULLY");
+            e.printStackTrace();
+            return;
+        } catch (NoSuchMethodException
+                | IllegalAccessException
+                | InstantiationException
+                | InvocationTargetException e) {
+            e.printStackTrace();
+            logger.error("TOKEN CLASS IMPORTED UNSUCCESSFULLY");
+            return;
+        }
+        tokenEnabled = true;
+    }
+
+    private void checkTokenAuthorization(FullHttpRequest req, Integer type) throws ModelException {
+
+        if (tokenEnabled) {
+            try {
+                Method method =
+                        tokenClass.getMethod(
+                                "checkTokenAuthorization",
+                                io.netty.handler.codec.http.FullHttpRequest.class,
+                                Integer.class);
+                boolean result = (boolean) (method.invoke(tokenObject, req, type));
+                if (!result) {
+                    throw new InvalidKeyException(
+                            "Token Authenticaation failed. Token either incorrect, expired, or not provided correctly");
+                }
+            } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
+                e.printStackTrace();
+                throw new InvalidKeyException(
+                        "Token Authenticaation failed. Token either incorrect, expired, or not provided correctly");
+            }
+        }
+    }
+}

frontend/server/src/main/java/org/pytorch/serve/http/TokenAuthorizationHandler.java

@@ -59,8 +59,6 @@ public void handleRequest(
             String[] segments)
             throws ModelException, DownloadArchiveException, WorkflowException,
                     WorkerInitializationException {
-        ConfigManager configManager = ConfigManager.getInstance();
-        configManager.checkTokenAuthorization(req, 2);
         if (isInferenceReq(segments)) {
             if (endpointMap.getOrDefault(segments[1], null) != null) {
                 handleCustomEndpoint(ctx, req, segments, decoder);

frontend/server/src/main/java/org/pytorch/serve/http/api/rest/InferenceRequestHandler.java

@@ -32,7 +32,6 @@
 import org.pytorch.serve.openapi.OpenApiUtils;
 import org.pytorch.serve.servingsdk.ModelServerEndpoint;
 import org.pytorch.serve.util.ApiUtils;
-import org.pytorch.serve.util.ConfigManager;
 import org.pytorch.serve.util.JsonUtils;
 import org.pytorch.serve.util.NettyUtils;
 import org.pytorch.serve.util.messages.RequestInput;
@@ -62,15 +61,10 @@ public void handleRequest(
             String[] segments)
             throws ModelException, DownloadArchiveException, WorkflowException,
                     WorkerInitializationException {
-        ConfigManager configManager = ConfigManager.getInstance();
         if (isManagementReq(segments)) {
             if (endpointMap.getOrDefault(segments[1], null) != null) {
-                if (req.toString().contains("/token")) {
-                    configManager.checkTokenAuthorization(req, 0);
-                }
                 handleCustomEndpoint(ctx, req, segments, decoder);
             } else {
-                configManager.checkTokenAuthorization(req, 1);
                 if (!"models".equals(segments[1])) {
                     throw new ResourceNotFoundException();
                 }

frontend/server/src/main/java/org/pytorch/serve/http/api/rest/ManagementRequestHandler.java

@@ -5,6 +5,7 @@
 import java.util.Map;
 import java.util.ServiceLoader;
 import org.pytorch.serve.http.InvalidPluginException;
+import org.pytorch.serve.http.TokenAuthorizationHandler;
 import org.pytorch.serve.servingsdk.ModelServerEndpoint;
 import org.pytorch.serve.servingsdk.annotations.Endpoint;
 import org.pytorch.serve.servingsdk.annotations.helpers.EndpointTypes;
@@ -30,6 +31,9 @@ public void initialize() {
         logger.info("Initializing plugins manager...");
         inferenceEndpoints = initInferenceEndpoints();
         managementEndpoints = initManagementEndpoints();
+        if (managementEndpoints.containsKey("token")) {
+            TokenAuthorizationHandler.setupTokenClass();
+        }
     }
 
     private boolean validateEndpointPlugin(Annotation a, EndpointTypes type) {

frontend/server/src/main/java/org/pytorch/serve/servingsdk/impl/PluginsManager.java

@@ -2,7 +2,6 @@
 
 import com.google.gson.JsonObject;
 import com.google.gson.reflect.TypeToken;
-import io.netty.handler.codec.http.FullHttpRequest;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.util.SelfSignedCertificate;
@@ -46,8 +45,6 @@
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import org.apache.commons.io.IOUtils;
-import org.pytorch.serve.archive.model.InvalidKeyException;
-import org.pytorch.serve.archive.model.ModelException;
 import org.pytorch.serve.metrics.MetricBuilder;
 import org.pytorch.serve.servingsdk.snapshot.SnapshotSerializer;
 import org.pytorch.serve.snapshot.SnapshotSerializerFactory;
@@ -850,95 +847,15 @@ public boolean isSnapshotDisabled() {
         return snapshotDisabled;
     }
 
-    // Imports the token class and sets the expiration time either default or custom
-    // calls generate key file in token api to create 3 keys and logs the result
-    public void setupTokenClass() {
-        try {
-            tokenClass = Class.forName("org.pytorch.serve.plugins.endpoint.Token");
-            tokenObject = tokenClass.getDeclaredConstructor().newInstance();
-            Method method = tokenClass.getMethod("setTime", Integer.class);
-            if (prop.getProperty(TS_TOKEN_EXPIRATION_TIME) != null) {
-                timeToExpiration = Integer.valueOf(prop.getProperty(TS_TOKEN_EXPIRATION_TIME));
-            }
-            method.invoke(tokenObject, timeToExpiration);
-            method = tokenClass.getMethod("generateKeyFile", Integer.class);
-            if ((boolean) method.invoke(tokenObject, 0)) {
-                System.out.println("TOKEN CLASS IMPORTED SUCCESSFULLY");
-                dumpKeyLogs();
-            }
-        } catch (ClassNotFoundException e) {
-            e.printStackTrace();
-        } catch (NoSuchMethodException
-                | IllegalAccessException
-                | InstantiationException
-                | InvocationTargetException e) {
-            e.printStackTrace();
-        }
-        tokenAuthorizationEnabled = true;
-    }
-
-    public void dumpKeyLogs() {
-        String managementKey = "";
-        String inferenceKey = "";
-        String apiKey = "";
-        try {
-            Method method = tokenClass.getMethod("getManagementKey");
-            managementKey = (String) method.invoke(tokenObject);
-            method = tokenClass.getMethod("getInferenceKey");
-            inferenceKey = (String) method.invoke(tokenObject);
-            method = tokenClass.getMethod("getKey");
-            apiKey = (String) method.invoke(tokenObject);
-        } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
-            e.printStackTrace();
-        }
-
-        logger.info("KEY FILE PATH: " + System.getProperty("user.dir") + "/key_file.txt");
-        logger.info("MANAGEMENT KEY: " + managementKey);
-        logger.info("INFERNCE KEY: " + inferenceKey);
-        logger.info("API KEY: " + apiKey);
-        logger.info(
-                "MANAGEMENT API Example: curl http://localhost:8081/models/<model> -H \"Authorization: Bearer "
-                        + managementKey
-                        + "\"");
-        logger.info(
-                "INFERNCE API Example: curl http://127.0.0.1:8080/predictions/<model> -T <examples/image_classifier/kitten.jpg> -H \"Authorization: Bearer "
-                        + inferenceKey
-                        + "\"");
-        logger.info(
-                "API API Example: curl localhost:8081/token?type=management -H \"Authorization: Bearer "
-                        + apiKey
-                        + "\"");
-    }
-
     public boolean isTokenEnabled() {
         return tokenAuthorizationEnabled;
     }
 
-    // Calls the checkTokenAuthorization function in the token plugin
-    // expects two inputs: the fullhttpRequest and an integer which is associated with the type
-    // 0: token api
-    // 1: management api
-    // 2: inference api
-    public void checkTokenAuthorization(FullHttpRequest req, Integer requestType)
-            throws ModelException {
-
-        if (tokenAuthorizationEnabled) {
-            try {
-                Method method =
-                        tokenClass.getMethod(
-                                "checkTokenAuthorization",
-                                io.netty.handler.codec.http.FullHttpRequest.class,
-                                Integer.class);
-                boolean result = (boolean) (method.invoke(tokenObject, req, requestType));
-                if (!result) {
-                    throw new InvalidKeyException(
-                            "Token Authenticaation failed. Token either incorrect, expired, or not provided correctly");
-                }
-                System.out.println("TOKEN AUTHORIZATION WORKED");
-            } catch (NoSuchMethodException | IllegalAccessException | InvocationTargetException e) {
-                e.printStackTrace();
-            }
+    public Integer getTimeToExpiration() {
+        if (prop.getProperty(TS_TOKEN_EXPIRATION_TIME) != null) {
+            return Integer.valueOf(prop.getProperty(TS_TOKEN_EXPIRATION_TIME));
         }
+        return 0;
     }
 
     public boolean isSSLEnabled(ConnectorType connectorType) {

frontend/server/src/main/java/org/pytorch/serve/util/ConfigManager.java

@@ -0,0 +1,7 @@
+package org.pytorch.serve.util;
+
+public enum TokenType {
+    INFERENCE,
+    MANAGEMENT,
+    TOKEN_API
+}

frontend/server/src/main/java/org/pytorch/serve/util/TokenType.java

@@ -1,6 +1,7 @@
 dependencies {
     implementation "com.google.code.gson:gson:${gson_version}"
     implementation "org.pytorch:torchserve-plugins-sdk:${torchserve_sdk_version}"
+    implementation "io.netty:netty-all:4.1.53.Final"
 }
 
 project.ext{
@@ -16,4 +17,3 @@ jar {
     exclude "META-INF//LICENSE*"
     exclude "META-INF//NOTICE*"
 }
-