ashb commented on code in PR #47885:
URL: https://github.com/apache/airflow/pull/47885#discussion_r2001879948
##########
airflow/api_fastapi/execution_api/app.py:
##########
@@ -34,10 +37,33 @@
logger = structlog.get_logger(logger_name=__name__)
-@asynccontextmanager
-async def lifespan(app: FastAPI):
- """Context manager for the lifespan of the FastAPI app. For now does
nothing."""
+def _jwt_validator():
+ from airflow.configuration import conf
+
+ required_claims = frozenset(["aud", "exp", "iat"])
+
+ if issuer := conf.get("api_auth", "jwt_issuer", fallback=None):
+ required_claims = required_claims | {"iss"}
+ validator = JWTValidator(
+ required_claims=required_claims,
+ issuer=issuer,
+ leeway=conf.getint("api_auth", "jwt_leeway"),
+ audience=conf.get_mandatory_list_value("execution_api",
"jwt_audience"),
+ **get_sig_validation_args(make_secret_key_if_needed=False),
+ )
+ return validator
+
+
[email protected]
+async def lifespan(app: FastAPI, registry: svcs.Registry):
app.state.lifespan_called = True
+
+ # According to svcs's docs this shouldn't be needed, but something about
SubApps is odd, and we need to
+ # record this here
+ app.state.svcs_registry = registry
+
+ # Create an app scoped validator, so that we don't have to fetch it every
time
+ registry.register_value(JWTValidator, _jwt_validator(),
ping=JWTValidator.status)
Review Comment:
This is a low-impact way of introducing svcs to see what it feels like and
if it's worth using larger (for instance using it for DB session management)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
