Fix Authentication issues introduced in 0.14.3, and other minor fixes (#256)

Revert 0.14.3 changes to Authentication handling which introduced basicAuth support but resulted in some NiFi connections appearing incorrectly as Anonymous
Added simpler basicAuth control to force it via a config switch without changing tokenAuth and other Authorization header behavior during normal usage
nipyapi.config.global_force_basic_auth is now available for use for this purpose
Secured Registry users will now require the authorization policy to retrieve the swagger so we may use it to validate which version of Registry is in use for feature enablement
Moved all Security controls in config.py to a common area at the foot of the file
Removed auth_type from security.service_login as it is now redundant
Added controls to handle certificate checking behavior which has become more strict in recently versions of Python3, ssl_verify and check_hostname are now handled
security.set_service_auth_token now has an explicit flag for ssl host checking as well
Fix oversight where improved model serialisation logic was not correctly applied to Registry
Removed unusused parameter refresh from parameters.update_parameter_context
Reduced unecessary complexity in utils.dump with no change in functionality
Updated client gen mustache templates to reflect refactored security and api client code
Minor linting and docstring and codestyle improvements
Set pyUp to ignore Watchdog as it must stay between versions to statisfy py2 and py3 compatibility
If Client is not instantiated, optimistically instantiate for version checking

Author: Chaffelson

nipyapi/config.py

@@ -9,6 +9,7 @@
 from __future__ import absolute_import
 import logging
 import os
+import ssl
 import urllib3
 from nipyapi.nifi import configuration as nifi_config
 from nipyapi.registry import configuration as registry_config
@@ -34,32 +35,6 @@
 # Set Default Host for NiFi-Registry
 registry_config.host = 'http://' + default_host + ':18080/nifi-registry-api'
 
-
-# Set Default Auth Types
-# Set list to the Auth type you want to use
-# Currently basicAuth trumps tokenAuth if both are enabled
-default_auth = ['tokenAuth']
-# NiFi valid options: ['tokenAuth', 'basicAuth']
-# Registry valid options: ['tokenAuth', 'basicAuth', 'Authorization']
-nifi_config.enabled_auth = default_auth  # tokenAuth was default before 0.14.2
-
-
-# Set SSL Handling
-# When operating with self signed certs, your log can fill up with
-# unnecessary warnings
-# Set to True by default, change to false if necessary
-global_ssl_verify = True
-
-nifi_config.verify_ssl = global_ssl_verify
-registry_config.verify_ssl = global_ssl_verify
-if not global_ssl_verify:
-    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-if os.getenv('NIFI_CA_CERT') is not None:
-    nifi_config.ssl_ca_cert = os.getenv('NIFI_CA_CERT')
-    nifi_config.cert_file = os.getenv('NIFI_CLIENT_CERT')
-    nifi_config.key_file = os.getenv('NIFI_CLIENT_KEY')
-
 # ---  Project Root ------
 # Is is helpful to have a reference to the root directory of the project
 PROJECT_ROOT_DIR = os.path.abspath(os.path.dirname(__file__))
@@ -140,6 +115,43 @@
 # If called for during policy setup, particularly bootstrap_policies
 default_proxy_user = 'CN=localhost, OU=nifi'
 
+# Auth handling
+# If set, NiPyAPI will always include the Basic Authorization header
+global_force_basic_auth = False
+nifi_config.username = default_nifi_username
+nifi_config.password = default_nifi_password
+nifi_config.force_basic_auth = global_force_basic_auth
+registry_config.username = default_registry_username
+registry_config.password = default_registry_password
+registry_config.force_basic_auth = global_force_basic_auth
+
+# Set SSL Handling
+# When operating with self signed certs, your log can fill up with
+# unnecessary warnings
+# Set to True by default, change to false if necessary
+global_ssl_verify = True
+
+nifi_config.verify_ssl = global_ssl_verify
+registry_config.verify_ssl = global_ssl_verify
+if not global_ssl_verify:
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Enforce no host checking when SSL context is disabled
+global_ssl_host_check = False
+if not global_ssl_host_check:
+    nifi_config.ssl_context = ssl.create_default_context()
+    nifi_config.ssl_context.check_hostname = False
+    nifi_config.ssl_context.verify_mode = ssl.CERT_NONE
+
+    registry_config.ssl_context = ssl.create_default_context()
+    registry_config.ssl_context.check_hostname = False
+    registry_config.ssl_context.verify_mode = ssl.CERT_NONE
+
+if os.getenv('NIFI_CA_CERT') is not None:
+    nifi_config.ssl_ca_cert = os.getenv('NIFI_CA_CERT')
+    nifi_config.cert_file = os.getenv('NIFI_CLIENT_CERT')
+    nifi_config.key_file = os.getenv('NIFI_CLIENT_KEY')
 
+# --- URL Encoding
 # URL Encoding bypass characters will not be encoded during submission
 default_safe_chars = ''

nipyapi/nifi/api_client.py

@@ -523,6 +523,8 @@ def update_params_for_auth(self, headers, querys, auth_settings):
                     raise ValueError(
                         'Authentication token must be in `query` or `header`'
                     )
+        if config.force_basic_auth:
+            headers['Authorization'] = config.get_basic_auth_token()
 
     def __deserialize_file(self, response):
         """

nipyapi/nifi/apis/access_api.py

@@ -130,7 +130,7 @@ def create_access_token_with_http_info(self, **kwargs):
             select_header_content_type(['application/x-www-form-urlencoded'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/token', 'POST',
                                         path_params,
@@ -228,7 +228,7 @@ def create_access_token_from_ticket_with_http_info(self, **kwargs):
             select_header_content_type(['text/plain'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/kerberos', 'POST',
                                         path_params,
@@ -326,7 +326,7 @@ def create_download_token_with_http_info(self, **kwargs):
             select_header_content_type(['application/x-www-form-urlencoded'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/download-token', 'POST',
                                         path_params,
@@ -424,7 +424,7 @@ def create_ui_extension_token_with_http_info(self, **kwargs):
             select_header_content_type(['application/x-www-form-urlencoded'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/ui-extension-token', 'POST',
                                         path_params,
@@ -522,7 +522,7 @@ def get_access_status_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access', 'GET',
                                         path_params,
@@ -542,7 +542,7 @@ def get_access_status_with_http_info(self, **kwargs):
     def get_login_config(self, **kwargs):
         """
         Retrieves the access configuration for this NiFi
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -567,7 +567,7 @@ def get_login_config(self, **kwargs):
     def get_login_config_with_http_info(self, **kwargs):
         """
         Retrieves the access configuration for this NiFi
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -620,7 +620,7 @@ def get_login_config_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/config', 'GET',
                                         path_params,
@@ -718,7 +718,7 @@ def knox_callback_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/knox/callback', 'GET',
                                         path_params,
@@ -816,7 +816,7 @@ def knox_logout_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/knox/logout', 'GET',
                                         path_params,
@@ -914,7 +914,7 @@ def knox_request_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/knox/request', 'GET',
                                         path_params,
@@ -1012,7 +1012,7 @@ def log_out_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/logout', 'DELETE',
                                         path_params,
@@ -1110,7 +1110,7 @@ def oidc_callback_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/oidc/callback', 'GET',
                                         path_params,
@@ -1208,7 +1208,7 @@ def oidc_exchange_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/oidc/exchange', 'POST',
                                         path_params,
@@ -1306,7 +1306,7 @@ def oidc_logout_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/oidc/logout', 'GET',
                                         path_params,
@@ -1404,7 +1404,7 @@ def oidc_request_with_http_info(self, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/access/oidc/request', 'GET',
                                         path_params,

nipyapi/nifi/apis/connections_api.py

@@ -43,7 +43,7 @@ def __init__(self, api_client=None):
     def delete_connection(self, id, **kwargs):
         """
         Deletes a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -72,7 +72,7 @@ def delete_connection(self, id, **kwargs):
     def delete_connection_with_http_info(self, id, **kwargs):
         """
         Deletes a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -141,7 +141,7 @@ def delete_connection_with_http_info(self, id, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/connections/{id}', 'DELETE',
                                         path_params,
@@ -161,7 +161,7 @@ def delete_connection_with_http_info(self, id, **kwargs):
     def get_connection(self, id, **kwargs):
         """
         Gets a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -187,7 +187,7 @@ def get_connection(self, id, **kwargs):
     def get_connection_with_http_info(self, id, **kwargs):
         """
         Gets a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -247,7 +247,7 @@ def get_connection_with_http_info(self, id, **kwargs):
             select_header_content_type(['*/*'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/connections/{id}', 'GET',
                                         path_params,
@@ -267,7 +267,7 @@ def get_connection_with_http_info(self, id, **kwargs):
     def update_connection(self, id, body, **kwargs):
         """
         Updates a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -294,7 +294,7 @@ def update_connection(self, id, body, **kwargs):
     def update_connection_with_http_info(self, id, body, **kwargs):
         """
         Updates a connection
-
+        
         This method makes a synchronous HTTP request by default. To make an
         asynchronous HTTP request, please define a `callback` function
         to be invoked when receiving the response.
@@ -360,7 +360,7 @@ def update_connection_with_http_info(self, id, body, **kwargs):
             select_header_content_type(['application/json'])
 
         # Authentication setting
-        auth_settings = ['tokenAuth', 'basicAuth']
+        auth_settings = ['tokenAuth']
 
         return self.api_client.call_api('/connections/{id}', 'PUT',
                                         path_params,