fix: do not call dataservice through network from itself (#597)

bases/renku_data_services/data_api/app.py

@@ -159,6 +159,7 @@ def register_all_handlers(app: Sanic, config: Config) -> Sanic:
         session_repo=config.session_repo,
         storage_repo=config.storage_repo,
         rp_repo=config.rp_repo,
+        user_repo=config.kc_user_repo,
         data_connector_repo=config.data_connector_repo,
         data_connector_project_link_repo=config.data_connector_to_project_link_repo,
         data_connector_secret_repo=config.data_connector_secret_repo,

components/renku_data_services/notebooks/blueprints.py

@@ -68,7 +68,6 @@
     renku_2_make_server_name,
 )
 from renku_data_services.notebooks.utils import (
-    get_user_secret,
     merge_node_affinities,
     node_affinity_from_resource_class,
     tolerations_from_resource_class,
@@ -78,6 +77,7 @@
 from renku_data_services.session.db import SessionRepository
 from renku_data_services.storage.db import StorageRepository
 from renku_data_services.users.db import UserRepo
+from renku_data_services.utils.cryptography import get_encryption_key
 
 
 @dataclass(kw_only=True)
@@ -241,6 +241,7 @@ class NotebooksNewBP(CustomBlueprint):
     session_repo: SessionRepository
     rp_repo: ResourcePoolRepository
     storage_repo: StorageRepository
+    user_repo: UserRepo
     data_connector_repo: DataConnectorRepository
     data_connector_project_link_repo: DataConnectorProjectLinkRepository
     data_connector_secret_repo: DataConnectorSecretRepository
@@ -340,7 +341,9 @@ async def _handler(
             data_sources: list[DataSource] = []
             user_secret_key: str | None = None
             if isinstance(user, AuthenticatedAPIUser) and len(dcs_secrets) > 0:
-                user_secret_key = await get_user_secret(self.nb_config.data_service_url, user)
+                secret_key = await self.user_repo.get_or_create_user_secret_key(requested_by=user)
+                user_secret_key = get_encryption_key(secret_key.encode(), user.id.encode()).decode("utf-8")
+
             for cs_id, cs in dcs.items():
                 secret_name = f"{server_name}-ds-{cs_id.lower()}"
                 secret_key_needed = len(dcs_secrets.get(cs_id, [])) > 0

components/renku_data_services/notebooks/utils.py

@@ -1,9 +1,6 @@
 """Utilities for notebooks."""
 
-import httpx
-
 import renku_data_services.crc.models as crc_models
-from renku_data_services.base_models.core import AuthenticatedAPIUser
 from renku_data_services.notebooks.crs import (
     MatchExpression,
     NodeAffinity,
@@ -13,7 +10,6 @@
     RequiredDuringSchedulingIgnoredDuringExecution,
     Toleration,
 )
-from renku_data_services.utils.cryptography import get_encryption_key
 
 
 def merge_node_affinities(
@@ -99,18 +95,3 @@ def tolerations_from_resource_class(resource_class: crc_models.ResourceClass) ->
     for tol in resource_class.tolerations:
         output.append(Toleration(key=tol, operator="Exists"))
     return output
-
-
-async def get_user_secret(data_svc_url: str, user: AuthenticatedAPIUser) -> str | None:
-    """Get the user secret key from the secret service."""
-
-    async with httpx.AsyncClient(timeout=5) as client:
-        response = await client.get(
-            f"{data_svc_url}/user/secret_key",
-            headers={"Authorization": f"Bearer {user.access_token}"},
-        )
-        if response.status_code != 200:
-            return None
-        user_key = response.json()
-
-        return get_encryption_key(user_key["secret_key"].encode(), user.id.encode()).decode("utf-8")