
fix: added policies to RefreshToken DB#950

Open
Stellatsuu wants to merge 4 commits into
DIRACGrid:mainfrom
Stellatsuu:token-policies-DB

Conversation

@Stellatsuu

@Stellatsuu Stellatsuu commented Jun 16, 2026

Contributor

Closes: #524

Issue found:

Policies were added by mint_token after insert_token (in DB) from exchange_token was called, so they were never added to the DB, only to the JWT. RefreshTokens DB was also missing a Policy column.

Changes:

  • RefreshTokens now has a policies column (updates to the DB table columns might be needed)
  • Policies are now added before inserting the token in the DB in the exchange_token function.
  • mint_token function doesn't need to enrich the token anymore since the payloads already have the policies inside them, from exchange_token function.
  • Removed unnecessary arguments from the enrich_token function (?). I'm not sure if they are really unnecessary -> see the comment below about the lack of usage of enrich_token: fix: added policies to RefreshToken DB #950 (comment)

Results:

Made with a temporary change in BaseAccessPolicy.enrich_token to return `{}, {"TemporaryRefreshPolicy"}`.

  • In the DB, RefreshToken table:

```
| 019ed007e31a7ec0980b77d7bf880d28 | CREATED | vo:diracAdmin | diracAdmin:CiRBRkFFNjIzOS0wRkIzLTRFQUEtQUJGRC0zQ0MxRDQ1MzJBNDESBWxvY2Fs | {"wms": {"PolicySpecific": "TemporaryRefreshPolicy"}, "sandbox": {"PolicySpecific": "TemporaryRefreshPolicy"}} |
```

  • In the JWT, refresh token payload:

```json
{
  "jti": "019ed007-e31a-7ec0-980b-77d7bf880d28",
  "exp": 1781628238,
  "dirac_policies": {
    "sandbox": {
      "PolicySpecific": "TemporaryRefreshPolicy"
    },
    "wms": {
      "PolicySpecific": "TemporaryRefreshPolicy"
    }
  },
  "legacy_exchange": false
}
```

@Stellatsuu Stellatsuu self-assigned this Jun 16, 2026
@Stellatsuu

Stellatsuu commented Jun 16, 2026

Contributor Author

@aldbr I have a question:

Is it normal that none of the policies (WMSAccessPolicy, SandboxAccessPolicy, LollygagAccessPolicy and MyPilotsAccessPolicy) implements this function?:

```python
def enrich_tokens(
    access_payload: AccessTokenPayload, refresh_payload: RefreshTokenPayload | None
) -> tuple[dict, dict]:
    """Add content to access or refresh payload when issuing a token.

    Content can be whatever is desired inside the access or refresh payload.

    :param access_payload: access token payload
    :param refresh_payload: refresh token payload
    :returns: extra content for both payload
    """
    return {}, {}
```

The only one having it is AlwaysAllowAccessPolicy, used for the tests. Even by adding the policies to the DB, they would only be empty dicts without this function implemented, no?

Since all the work for adding policies to token is done here:

```python
dirac_access_policies = {}
dirac_refresh_policies = {}
for policy_name, policy in all_access_policies.items():
    access_extra, refresh_extra = policy.enrich_tokens(
        access_payload, refresh_payload
    )
    if access_extra:
        dirac_access_policies[policy_name] = access_extra
    if refresh_extra:
        dirac_refresh_policies[policy_name] = refresh_extra
# Create the access token
access_payload.dirac_policies = dirac_access_policies
access_token = create_token(access_payload, settings)
# Create the refresh token
if refresh_payload:
    refresh_payload.dirac_policies = dirac_refresh_policies
    refresh_token = create_token(refresh_payload, settings)
elif existing_refresh_token:
    refresh_token = existing_refresh_token
```
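The ordering bug described in the PR description (enrichment happening after insert_token, so the RefreshTokens row never got the policies) and the aggregation loop quoted in the comment above, as one added worked example. This is not diracx code: the classes and functions below (AccessPolicy, TemporaryRefreshPolicy, RefreshTokenStore, exchange_token_before, exchange_token_after, collect_policies) are hypothetical stand-ins chosen for illustration and do not reproduce the project's real signatures. It runs the same token exchange in the old order and in the fixed order against an in-memory table and compares what is stored with what the refresh payload carries; it also shows that with only no-op enrich_tokens hooks (as in the project's real policies today) dirac_policies stays an empty dict in both places.

```python
"""Toy model of the policy-enrichment ordering bug fixed in this PR (added example, not diracx code)."""
from dataclasses import dataclass, field
from uuid import uuid4


@dataclass
class AccessTokenPayload:
    sub: str
    dirac_policies: dict = field(default_factory=dict)


@dataclass
class RefreshTokenPayload:
    jti: str
    sub: str
    dirac_policies: dict = field(default_factory=dict)


class AccessPolicy:
    """Hypothetical base policy: the hook exists but contributes nothing, like the real policies."""

    def enrich_tokens(self, access_payload, refresh_payload):
        return {}, {}


class TemporaryRefreshPolicy(AccessPolicy):
    """Hypothetical policy that adds content only to the refresh token (mirrors the PR's test change)."""

    def enrich_tokens(self, access_payload, refresh_payload):
        return {}, {"PolicySpecific": "TemporaryRefreshPolicy"}


def collect_policies(all_access_policies, access_payload, refresh_payload):
    """Aggregation loop as quoted in the comment: keyed by policy name, empty contributions dropped."""
    dirac_access_policies, dirac_refresh_policies = {}, {}
    for policy_name, policy in all_access_policies.items():
        access_extra, refresh_extra = policy.enrich_tokens(access_payload, refresh_payload)
        if access_extra:
            dirac_access_policies[policy_name] = access_extra
        if refresh_extra:
            dirac_refresh_policies[policy_name] = refresh_extra
    return dirac_access_policies, dirac_refresh_policies


class RefreshTokenStore:
    """In-memory stand-in for the RefreshTokens table including the new policies column."""

    def __init__(self):
        self.rows = {}

    def insert_token(self, payload: RefreshTokenPayload):
        # Snapshot at insert time: mutating the payload afterwards does not reach the row.
        self.rows[payload.jti] = {"sub": payload.sub, "policies": dict(payload.dirac_policies)}


def exchange_token_before(store, policies, sub):
    """Old order: insert the row first, enrich the payloads afterwards (what mint_token used to do)."""
    access, refresh = AccessTokenPayload(sub), RefreshTokenPayload(str(uuid4()), sub)
    store.insert_token(refresh)
    access.dirac_policies, refresh.dirac_policies = collect_policies(policies, access, refresh)
    return access, refresh


def exchange_token_after(store, policies, sub):
    """Fixed order: enrich first, then insert, so the stored row and the JWT payload agree."""
    access, refresh = AccessTokenPayload(sub), RefreshTokenPayload(str(uuid4()), sub)
    access.dirac_policies, refresh.dirac_policies = collect_policies(policies, access, refresh)
    store.insert_token(refresh)
    return access, refresh


def stored_policies(store, refresh):
    """What the table holds for a given refresh token."""
    return store.rows[refresh.jti]["policies"]


def demo():
    """Returns (stored_before, jwt_before, stored_after, jwt_after) for a constructed policy set."""
    policies = {
        "wms": TemporaryRefreshPolicy(),
        "sandbox": TemporaryRefreshPolicy(),
        "lollygag": AccessPolicy(),  # no-op hook, so it never appears in dirac_policies
    }
    store = RefreshTokenStore()
    _, r_before = exchange_token_before(store, policies, "vo:diracAdmin")
    _, r_after = exchange_token_after(store, policies, "vo:diracAdmin")
    return (
        stored_policies(store, r_before),
        r_before.dirac_policies,
        stored_policies(store, r_after),
        r_after.dirac_policies,
    )


if __name__ == "__main__":
    print(demo())
```

In the old order the JWT carries the per-policy content while the row's policies column is an empty dict, which is exactly the mismatch the PR reports; in the fixed order both sides hold the same dict. Whether the column is ever non-empty still depends on some policy overriding enrich_tokens, which is the point raised in the comment.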


@Stellatsuu Stellatsuu marked this pull request as ready for review June 18, 2026 10:05
@Stellatsuu Stellatsuu requested a review from aldbr June 18, 2026 10:05
@chrisburr

Member

> Is it normal that none of the policies (WMSAccessPolicy, SandboxAccessPolicy, LollygagAccessPolicy and MyPilotsAccessPolicy) implements this function?:

Yes, this is there as something that we know we will need but that we don't yet have a use for.


Development

Successfully merging this pull request may close these issues.

extra token information coming from policies are not persisted in the refreshtoken DB
