MobileTeleSystems
diff --git a/‎.env.docker‎
Lines changed: 31 additions & 0 deletions b/‎.env.docker‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.env.local‎
Lines changed: 7 additions & 0 deletions b/‎.env.local‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docker-compose.test.yml‎
Lines changed: 13 additions & 0 deletions b/‎docker-compose.test.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎poetry.lock‎
Lines changed: 212 additions & 121 deletions b/‎poetry.lock‎
Lines changed: 212 additions & 121 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎syncmaster/backend/__init__.py‎
Lines changed: 5 additions & 1 deletion b/‎syncmaster/backend/__init__.py‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎syncmaster/backend/api/v1/auth.py‎
Lines changed: 35 additions & 0 deletions b/‎syncmaster/backend/api/v1/auth.py‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎syncmaster/backend/api/v1/auth/router.py‎
Lines changed: 0 additions & 41 deletions b/‎syncmaster/backend/api/v1/auth/router.py‎
Lines changed: 0 additions & 41 deletions
diff --git a/‎syncmaster/backend/api/v1/auth/utils.py‎
Lines changed: 0 additions & 26 deletions b/‎syncmaster/backend/api/v1/auth/utils.py‎
Lines changed: 0 additions & 26 deletions
diff --git a/‎syncmaster/backend/api/v1/router.py‎
Lines changed: 1 addition & 1 deletion b/‎syncmaster/backend/api/v1/router.py‎
Lines changed: 1 addition & 1 deletion
@@ -12,9 +12,40 @@ SYNCMASTER__SERVER__LOGGING__PRESET=colored
 SYNCMASTER__WORKER__LOGGING__SETUP=True
 SYNCMASTER__WORKER__LOGGING__PRESET=json
 
+# Encrypt / Decrypt credentials data
+SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
+
 # Postgres
 SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@db:5432/syncmaster
 
+# Keycloack (MTS)
+SYNCMASTER__AUTH__KEYCLOAK_SERVER_URL=https://isso.mts.ru/auth/
+SYNCMASTER__AUTH__KEYCLOAK_REALM_NAME=mts
+SYNCMASTER__AUTH__KEYCLOAK_CLIENT_ID=syncmaster_dev
+SYNCMASTER__AUTH__KEYCLOAK_CLIENT_SECRET=secret
+SYNCMASTER__AUTH__KEYCLOAK_REDIRECT_URI=http://localhost:8000/callback
+SYNCMASTER__AUTH__KEYCLOAK_ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
+SYNCMASTER__AUTH__KEYCLOAK_SCOPE=email
+SYNCMASTER__AUTH__KEYCLOAK_INTROSPECTION_DELAY=60
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=https://isso.mts.ru/auth/realms/mts/protocol/openid-connect/token
+
+
+SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080/auth/
+SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi-realm
+SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi-client
+SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
+SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/callback
+SYNCMASTER__AUTH__KEYCLOAK__ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
+SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
+SYNCMASTER__AUTH__KEYCLOAK__INTROSPECTION_DELAY=60
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK__TOKEN_URL=http://localhost:8080/auth/realms/fastapi-realm/protocol/openid-connect/token
+
+
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
+
 # RabbitMQ
 SYNCMASTER__BROKER__URL=amqp://guest:guest@rabbitmq:5672/
 
 
@@ -12,9 +12,16 @@ export SYNCMASTER__SERVER__LOGGING__PRESET=colored
 export SYNCMASTER__WORKER__LOGGING__SETUP=True
 export SYNCMASTER__WORKER__LOGGING__PRESET=json
 
+# Encrypt / Decrypt credentials data
+export SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
+
 # Postgres
 export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster
 
+# Auth
+export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
+
 # RabbitMQ
 export SYNCMASTER__BROKER__URL=amqp://guest:guest@localhost:5672/
 
 
@@ -153,6 +153,19 @@ services:
       retries: 3
     profiles: [hive, hdfs, all]
 
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    command: start-dev
+    restart: unless-stopped
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    ports:
+      - 8080:8080
+    volumes:
+      - keycloak_data:/opt/keycloak/data
+    profiles: [keycloak, all]
+
   test-hive:
     image: mtsrus/hadoop:hadoop2.7.3-hive2.3.9
     restart: unless-stopped
 
@@ -61,13 +61,15 @@ python-multipart = { version = ">=0.0.9,<0.0.18", optional = true }
 celery = { version = "^5.4.0", optional = true }
 onetl = { version = "^0.12.0", extras = ["spark"], optional = true }
 # due to not supporting MacOS 14.x https://www.psycopg.org/psycopg3/docs/news.html#psycopg-3-1-20
-psycopg = { version = ">=3.1.0,<3.2.4", extras = ["binary"], optional = true }
+psycopg = { version = ">=3.1.0, <3.1.20", extras = ["binary"], optional = true }
 uuid6 = "^2024.7.10"
 coloredlogs = {version = "*", optional = true}
 python-json-logger = {version = "*", optional = true}
 asyncpg = { version = ">=0.29,<0.31", optional = true }
 apscheduler = { version = "^3.10.4", optional = true }
 starlette-exporter = {version = "^0.23.0", optional = true}
+python-keycloak =  {version = "^4.7.0", optional = true}
+devtools = {version = "*", optional = true}
 
 [tool.poetry.extras]
 backend = [
@@ -87,6 +89,8 @@ backend = [
     "coloredlogs",
     "python-json-logger",
     "asyncpg",
+    "devtools",
+    "python-keycloak",
     # migrations only
     "celery",
     "apscheduler",
 
@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-import uuid
+from typing import Type
 
 from fastapi import FastAPI, HTTPException
 from fastapi.exceptions import RequestValidationError
@@ -15,6 +15,7 @@
     validation_exception_handler,
 )
 from syncmaster.backend.middlewares import apply_middlewares
+from syncmaster.backend.providers.auth import AuthProvider
 from syncmaster.backend.services.unit_of_work import UnitOfWork
 from syncmaster.db.factory import create_session_factory, get_uow
 from syncmaster.exceptions import SyncmasterError
@@ -44,6 +45,9 @@ def application_factory(settings: Settings) -> FastAPI:
         },
     )
 
+    auth_class: type[AuthProvider] = settings.auth.provider  # type: ignore[assignment]
+    auth_class.setup(application)
+
     apply_middlewares(application, settings)
     return application
 
 
@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+from typing import Annotated
+
+from fastapi import APIRouter, Depends
+from fastapi.security import OAuth2PasswordRequestForm
+
+from syncmaster.backend.dependencies import Stub
+from syncmaster.backend.providers.auth import AuthProvider
+from syncmaster.errors.registration import get_error_responses
+from syncmaster.errors.schemas.invalid_request import InvalidRequestSchema
+from syncmaster.errors.schemas.not_authorized import NotAuthorizedSchema
+from syncmaster.schemas.v1.auth import AuthTokenSchema
+
+router = APIRouter(
+    prefix="/auth",
+    tags=["Auth"],
+    responses=get_error_responses(include={NotAuthorizedSchema, InvalidRequestSchema}),
+)
+
+
+@router.post("/token")
+async def login(
+    auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
+    form_data: OAuth2PasswordRequestForm = Depends(),
+) -> AuthTokenSchema:
+    token = await auth_provider.get_token(
+        grant_type=form_data.grant_type,
+        login=form_data.username,
+        password=form_data.password,
+        scopes=form_data.scopes,
+        client_id=form_data.client_id,
+        client_secret=form_data.client_secret,
+    )
+    return AuthTokenSchema.parse_obj(token)
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 from fastapi import APIRouter
 
-from syncmaster.backend.api.v1.auth.router import router as auth_router
+from syncmaster.backend.api.v1.auth import router as auth_router
 from syncmaster.backend.api.v1.connections import router as connection_router
 from syncmaster.backend.api.v1.groups import router as group_router
 from syncmaster.backend.api.v1.queue import router as queue_router