artefactual / automation-tools

Tools to aid automation of Archivematica and AtoM.
GNU Affero General Public License v3.0

Add SS API key auth #21

Closed Hwesta closed 8 years ago

Hwesta commented 8 years ago

Storage service now requires auth for the API. Add flags for storage service user and API key and use them when calling the API.

sevein commented 8 years ago

👍

hakamine commented 8 years ago

I am getting a "Host/IP not authorized" error (not when invoking the SS API but the AM API). Running tools from the same host (and both the host IP and 127.0.0.1 are in the REST API whitelist).

INFO      2016-06-02 18:49:26  transfer.py:431  Current unit: unknown.  Assuming new run.
DEBUG     2016-06-02 18:49:26  transfer.py:109  URL: http://127.0.0.1:8000/api/v2/location/28df51f4-e736-466b-a1b0-9075ed76b653/browse/; params: {u'username': '<SSUSER>', u'api_key': '<SSKEY>'};
DEBUG     2016-06-02 18:49:26  transfer.py:111  Response: <Response [200]>
DEBUG     2016-06-02 18:49:26  transfer.py:258  Entries: ['aut-test-1']
DEBUG     2016-06-02 18:49:26  transfer.py:264  New transfer candidates: set(['aut-test-1'])
INFO      2016-06-02 18:49:26  transfer.py:305  Starting with aut-test-1
INFO      2016-06-02 18:49:26  transfer.py:182  Error when trying to run /opt/archivematica/automation-tools/transfers/get-accession-number
INFO      2016-06-02 18:49:26  transfer.py:308  Accession ID: None
DEBUG     2016-06-02 18:49:26  transfer.py:320  URL: http://127.0.0.1/api/transfer/start_transfer/; Params: {u'username': '<AMUSER>', u'api_key': '<AMKEY>'}; Data: {u'paths[]': ['MjhkZjUxZjQtZTczNi00NjZiLWExYjAtOTA3NWVkNzZiNjUzOmF1dC10ZXN0LTE='], u'type': u'standard', u'name': 'aut-test-1', u'row_ids[]': [u''], u'accession': None}
DEBUG     2016-06-02 18:49:26  transfer.py:322  Response: <Response [403]>
ERROR     2016-06-02 18:49:26  transfer.py:329  Unable to start transfer.
ERROR     2016-06-02 18:49:26  transfer.py:330  Response: {u'message': u'Host/IP  not authorized.', u'error': True}

In the dashboard log, getting the following:

DEBUG     2016-06-02 22:47:06  archivematica.dashboard:views:authenticate_request:55:  API called by invalid IP
DEBUG     2016-06-02 22:49:26  archivematica.dashboard:views:authenticate_request:55:  API called by invalid IP

This is logged by https://github.com/artefactual/archivematica/blob/qa/1.5.x/src/dashboard/src/components/api/views.py#L55. Note how in the logs the client_ip value is not shown. The dashboard gets the client_ip from https://github.com/artefactual/archivematica/blob/qa/1.5.x/src/dashboard/src/components/api/views.py#L52

I am testing with an Archivematica instance running on gunicorn/nginx (replacing apache/mod_wsgi); not sure if this could be related.

hakamine commented 8 years ago

Confirmed the error reported above is related to gunicorn configuration (so not related to the code in this PR). Must use TCP sockets instead of unix sockets with gunicorn in order for whitelisting using REMOTE_ADDR to work (ref https://github.com/benoitc/gunicorn/issues/797).
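
The failure mode described in the comment above, as an added example that is not part of the thread or of Archivematica's code: a REMOTE_ADDR whitelist check that reports an empty peer address separately from a non-whitelisted one. The function names, the sample environs and the assumption that REMOTE_ADDR arrives empty behind a unix socket (as the blank client_ip in the logs suggests) are all constructed for illustration.

```python
import ipaddress


def parse_whitelist(raw):
    """Turn a space/comma separated whitelist string into ip_network objects."""
    return [ipaddress.ip_network(item, strict=False)
            for item in raw.replace(",", " ").split()]


def check_client(environ, whitelist):
    """Return (allowed, reason) for a WSGI environ, trusting REMOTE_ADDR only."""
    client_ip = environ.get("REMOTE_ADDR", "")
    if not client_ip:
        # No TCP peer address reached the application, so there is nothing to
        # compare. This is a deployment problem, not a whitelist problem.
        return False, "REMOTE_ADDR is empty (server bound to a unix socket?)"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "REMOTE_ADDR is not an IP address: %r" % client_ip
    if any(addr in net for net in whitelist):
        return True, "%s is whitelisted" % addr
    return False, "%s is not in the whitelist" % addr


# Constructed sample data (hypothetical values, not taken from a real host).
WHITELIST = parse_whitelist("127.0.0.1, 192.0.2.10")
TCP_ENVIRON = {"REMOTE_ADDR": "127.0.0.1",
               "PATH_INFO": "/api/transfer/start_transfer/"}
UNIX_SOCKET_ENVIRON = {"REMOTE_ADDR": "",
                       "PATH_INFO": "/api/transfer/start_transfer/"}
OTHER_HOST_ENVIRON = {"REMOTE_ADDR": "198.51.100.7",
                      "PATH_INFO": "/api/transfer/start_transfer/"}

if __name__ == "__main__":
    for name, env in [("tcp", TCP_ENVIRON),
                      ("unix socket", UNIX_SOCKET_ENVIRON),
                      ("other host", OTHER_HOST_ENVIRON)]:
        allowed, reason = check_client(env, WHITELIST)
        print("%-12s allowed=%s  %s" % (name, allowed, reason))
```

Logging the reason string alongside the 403 makes a misconfigured socket distinguishable from a genuinely unauthorized caller.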

hakamine commented 8 years ago

The SS user and SS key are required parameters; would the automated transfers tool be able to work with AM 1.4.x / SS 0.7.x? Will the 0.7.x SS API just ignore the extra parameters passed to it?

Hwesta commented 8 years ago

Earlier versions of the SS will just ignore the extra parameters. I can make --ss-user and --ss-api-key optional arguments in automation tools, or they can be left as required and populated with stubs for older versions.

hakamine commented 8 years ago

:+1: for leaving the code as it is (I guess it's easier just to add a few lines to the README clarifying this)

Hwesta commented 8 years ago

Updated the README with documentation on the SS auth stuff, and more detail about finding API keys.

hakamine commented 8 years ago

README TOC ! :100: :cool: