matlab-proxy processes created by the jupyter-matlab-proxy package use token authentication by default.

rashedmyt · Prabhakar Kumar · commit f341ce47b24e · 2023-10-05T09:50:17.000Z
fixes #63
diff --git a/src/jupyter_matlab_proxy/__init__.py b/src/jupyter_matlab_proxy/__init__.py
@@ -1,10 +1,42 @@
-# Copyright 2020-2021 The MathWorks, Inc.
+# Copyright 2020-2023 The MathWorks, Inc.
 
-import inspect
+import os
 from pathlib import Path
+
+from matlab_proxy.util.mwi import environment_variables as mwi_env
+from matlab_proxy.util.mwi import token_auth as mwi_token_auth
+
 from jupyter_matlab_proxy.jupyter_config import config
 
 
+def _get_auth_token():
+    """
+    Generate auth token and token hash if the matlab-proxy token authentication
+    is not explicitly disabled
+
+    Returns:
+        None: If token authentication is explicitly disabled
+        dict: For all other cases, a token and a token_hash is returned as dictionary
+    """
+    mwi_enable_auth_token = os.getenv(mwi_env.get_env_name_enable_mwi_auth_token(), "")
+
+    # Return None if token authentication is explicitly disabled
+    if mwi_enable_auth_token.lower() == "false":
+        return None
+
+    # Enable token authentication by default
+    original_env = os.environ.copy()
+    os.environ[mwi_env.get_env_name_enable_mwi_auth_token()] = "True"
+    auth_token = mwi_token_auth.generate_mwi_auth_token_and_hash()
+
+    # Cleanup environment variables
+    os.environ = original_env
+    return auth_token
+
+
+_mwi_auth_token = _get_auth_token()
+
+
 def _get_env(port, base_url):
     """Returns a dict containing environment settings to launch the MATLAB Desktop
 
@@ -16,14 +48,26 @@ def _get_env(port, base_url):
     Returns:
         [Dict]: Containing environment settings to launch the MATLAB Desktop.
     """
-    from matlab_proxy.util.mwi import environment_variables as mwi_env
 
-    return {
+    env = {
         mwi_env.get_env_name_app_port(): str(port),
         mwi_env.get_env_name_base_url(): f"{base_url}matlab",
         mwi_env.get_env_name_app_host(): "127.0.0.1",
     }
 
+    # Add token authentication related information to the environment variables
+    # dictionary passed to the matlab-proxy process if token authentication is
+    # not explicitly disabled.
+    if _mwi_auth_token:
+        env.update(
+            {
+                mwi_env.get_env_name_enable_mwi_auth_token(): "True",
+                mwi_env.get_env_name_mwi_auth_token(): _mwi_auth_token.get("token"),
+            }
+        )
+
+    return env
+
 
 def setup_matlab():
     """This method is run by jupyter-server-proxy package with instruction to launch the MATLAB Desktop
@@ -42,7 +86,8 @@ def setup_matlab():
     logger.debug(f"Icon_path:  {icon_path}")
     logger.debug(f"Launch Command: {matlab_proxy.get_executable_name()}")
     logger.debug(f"Extension Name: {config['extension_name']}")
-    return {
+
+    jsp_config = {
         "command": [
             matlab_proxy.get_executable_name(),
             "--config",
@@ -53,3 +98,13 @@ def setup_matlab():
         "absolute_url": True,
         "launcher_entry": {"title": "Open MATLAB", "icon_path": icon_path},
     }
+
+    # Add token_hash information to the request_headers_override option to
+    # ensure requests from jupyter to matlab-proxy are automatically authenticated.
+    # We are using token_hash instead of raw token for better security.
+    if _mwi_auth_token:
+        jsp_config["request_headers_override"] = {
+            "mwi_auth_token": _mwi_auth_token.get("token_hash")
+        }
+
+    return jsp_config
diff --git a/tests/unit/test_jupyter_server_proxy.py b/tests/unit/test_jupyter_server_proxy.py
@@ -1,23 +1,61 @@
-# Copyright 2020-2021 The MathWorks, Inc.
+# Copyright 2020-2023 The MathWorks, Inc.
 
-import os, inspect
-import matlab_proxy, jupyter_matlab_proxy
+import inspect
+import os
 from pathlib import Path
+
+import matlab_proxy
 from matlab_proxy.util.mwi import environment_variables as mwi_env
+
+import jupyter_matlab_proxy
 from jupyter_matlab_proxy.jupyter_config import config
 
 
+def test_get_auth_token():
+    """Tests if _get_auth_token() function returns a token and token_hash as a dict by default."""
+    r = jupyter_matlab_proxy._get_auth_token()
+    assert r != None
+    assert r.get("token") != None
+    assert r.get("token_hash") != None
+
+
+def test_get_auth_token_with_token_auth_disabled(monkeypatch):
+    """Tests if _get_auth_token() function returns None if token authentication is explicitly disabled."""
+    monkeypatch.setenv(mwi_env.get_env_name_enable_mwi_auth_token(), "False")
+    r = jupyter_matlab_proxy._get_auth_token()
+    assert r == None
+
+
 def test_get_env():
     """Tests if _get_env() method returns the expected enviroment settings as a dict."""
 
     port = 10000
     base_url = "/foo/"
     r = jupyter_matlab_proxy._get_env(port, base_url)
-    assert r[mwi_env.get_env_name_app_port()] == str(port)
-    assert r[mwi_env.get_env_name_base_url()] == f"{base_url}matlab"
+    assert r.get(mwi_env.get_env_name_app_port()) == str(port)
+    assert r.get(mwi_env.get_env_name_base_url()) == f"{base_url}matlab"
+    assert r.get(mwi_env.get_env_name_enable_mwi_auth_token()) == "True"
+    assert r.get(
+        mwi_env.get_env_name_mwi_auth_token()
+    ) == jupyter_matlab_proxy._mwi_auth_token.get("token")
+
+
+def test_get_env_with_token_auth_disabled(monkeypatch):
+    """Tests if _get_env() method returns the expected enviroment settings as a dict
+    when token authentication is explicitly disabled.
+    """
+
+    port = 10000
+    base_url = "/foo/"
+    monkeypatch.setattr(jupyter_matlab_proxy, "_mwi_auth_token", None)
+    r = jupyter_matlab_proxy._get_env(port, base_url)
+    assert r.get(mwi_env.get_env_name_app_port()) == str(port)
+    assert r.get(mwi_env.get_env_name_base_url()) == f"{base_url}matlab"
+    assert r.get(mwi_env.get_env_name_enable_mwi_auth_token()) == None
+    assert r.get(mwi_env.get_env_name_mwi_auth_token()) == None
 
 
-def test_setup_matlab():
+def test_setup_matlab(monkeypatch):
     """Tests for a valid Server Process Configuration Dictionary
 
     This test checks if the jupyter proxy returns the expected Server Process Configuration
@@ -27,6 +65,41 @@ def test_setup_matlab():
     package_path = Path(inspect.getfile(jupyter_matlab_proxy)).parent
     icon_path = package_path / "icon_open_matlab.svg"
 
+    expected_matlab_setup = {
+        "command": [
+            matlab_proxy.get_executable_name(),
+            "--config",
+            config["extension_name"],
+        ],
+        "timeout": 100,
+        "environment": jupyter_matlab_proxy._get_env,
+        "absolute_url": True,
+        "launcher_entry": {
+            "title": "Open MATLAB",
+            "icon_path": icon_path,
+        },
+        "request_headers_override": {
+            "mwi_auth_token": jupyter_matlab_proxy._mwi_auth_token.get("token_hash"),
+        },
+    }
+
+    actual_matlab_setup = jupyter_matlab_proxy.setup_matlab()
+
+    assert expected_matlab_setup == actual_matlab_setup
+    assert os.path.isfile(actual_matlab_setup["launcher_entry"]["icon_path"])
+
+
+def test_setup_matlab_with_token_auth_disabled(monkeypatch):
+    """Tests for a valid Server Process Configuration Dictionary
+
+    This test checks if the jupyter proxy returns the expected Server Process Configuration
+    Dictionary for the Matlab process when token authentication is explicitly disabled.
+    """
+    # Setup
+    package_path = Path(inspect.getfile(jupyter_matlab_proxy)).parent
+    icon_path = package_path / "icon_open_matlab.svg"
+    monkeypatch.setattr(jupyter_matlab_proxy, "_mwi_auth_token", None)
+
     expected_matlab_setup = {
         "command": [
             matlab_proxy.get_executable_name(),
