Add authentication

[bio-boris]

This PR adds Basic Authentication to the Elasticsearch client, allowing the service to connect to secured clusters.

The startup script has been updated to use the new authentication variables, resolving the connection issues when pointed at the elastic-next-spike instance. I've deployed and verified this on the next environment.

Next Steps:

Populate a test Elasticsearch instance with actual data + auth to fully verify end-to-end functionality.
Create a user for elastic

Closes #90

[Copilot]

Pull Request Overview

This PR adds authentication support for Elasticsearch connections throughout the application. The changes implement both Basic authentication (username/password) and Bearer token authentication with proper priority handling.

• Adds authentication configuration options for Elasticsearch (username, password, and token)
• Updates all Elasticsearch client code to include authentication headers
• Implements comprehensive test coverage for the new authentication functionality

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/utils/config.py	Adds auth configuration variables and get_elasticsearch_auth_header() function
src/utils/wait_for_service.py	Updates service connection function to accept and use auth tokens
src/server/main.py	Updates service startup to use authentication when connecting to Elasticsearch
src/es_client/query.py	Adds authentication headers to Elasticsearch search requests
tests/helpers/init_elasticsearch.py	Updates test helper to use centralized auth header function
tests/unit/utils/test_config.py	Adds comprehensive tests for authentication header generation
tests/unit/utils/test_wait_for_service.py	Adds tests for service connection with and without authentication
.github/workflows/docker-image.yml	Adds CI/CD workflow for Docker image building

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (23ec7c1) to head (ec06906).

Additional details and impacted files

@@            Coverage Diff            @@
##           develop       #97   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           21        21           
  Lines          660       685   +25     
=========================================
+ Hits           660       685   +25     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bio-boris]

There is no way to test this live right now, as this requires enabling SSL communication to be able to generate API keys.

[MrCreosote]

so with our current elastic search configuration we can't use auth tokens?

[bio-boris]

Correct. We would have to create and distribute SSL certs and enable HTTPS. @jbezouska-ANL were there any plans to enable HTTPS on the backend?

[MrCreosote]

Why this precedence?

[bio-boris]

I picked it arbitrarily.

[MrCreosote]

My thinking is that tokens are more secure than user/pwd so they should be preferred

[bio-boris]

I think if we can get tokens working, we can delete the username and password code too, but since they aren't working yet, I just got it working with what we have.

[MrCreosote]

Might as well leave it if it works and just swap the preference

[bio-boris]

I looked this up the other day and AI says they aren't more secure.

TL;DR: With One Username Per Service, They're Identical
If you have one username per service, then API keys and username/password are literally the same thing security-wise:
Both are:

Base64 encoded strings in headers
Unique per service (no shared credentials)
Equally vulnerable if intercepted
Equally easy to revoke (just disable that one user/key)
Can have identical RBAC permissions

The only remaining differences are cosmetic:

API Key: Authorization: ApiKey <base64(id:key)>
Basic Auth: Authorization: Basic <base64(username:password)>

Both decode to two strings separated by a colon. Both can be scoped, rotated, and revoked independently.

[MrCreosote]

Equally easy to revoke (just disable that one user/key)

I don't think that's true, it's easier to revoke a token than change a password

[bio-boris]

How is it easier? Both will require shutting down and restarting the service?

[MrCreosote]

I assumed it was easier on the ES side, like how in KBase revoking a token is trivial.

If that's not the case and you're saying that passwords and tokens are completely indistinguishable for this use case then we should just drop token support

[bio-boris]

I don't know, I haven't tested it out, I was thinking more from the side of what happens to the service. Ok I will remove it.

[bio-boris]

@MrCreosote Can we merge this?

[MrCreosote]

This one is still open #97 (comment)

[bio-boris]

added timeouts, maybe I should instead add an annotation for bandit to ignore these and not add timeouts, since I don't know what the real timeouts should be?

[bio-boris]

Closing in favor of #100