[DOP-21268] - implement KeycloakAuthProvider

Author: maxim-lixakov

.env.docker

@@ -18,32 +18,20 @@ SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
 # Postgres
 SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@db:5432/syncmaster
 
-# Keycloack (MTS)
-SYNCMASTER__AUTH__KEYCLOAK_SERVER_URL=https://isso.mts.ru/auth/
-SYNCMASTER__AUTH__KEYCLOAK_REALM_NAME=mts
-SYNCMASTER__AUTH__KEYCLOAK_CLIENT_ID=syncmaster_dev
-SYNCMASTER__AUTH__KEYCLOAK_CLIENT_SECRET=secret
-SYNCMASTER__AUTH__KEYCLOAK_REDIRECT_URI=http://localhost:8000/callback
-SYNCMASTER__AUTH__KEYCLOAK_ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
-SYNCMASTER__AUTH__KEYCLOAK_SCOPE=email
+# KEYCLOAK Auth
+SYNCMASTER__AUTH__SERVER_URL=http://keycloak:8080/
+SYNCMASTER__AUTH__REALM_NAME=fastapi-realm
+SYNCMASTER__AUTH__CLIENT_ID=fastapi-client
+SYNCMASTER__AUTH__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
+SYNCMASTER__AUTH__REDIRECT_URI=http://localhost:8000/v1/auth/callback
+SYNCMASTER__AUTH__ADMIN_REDIRECT_URI=http://localhost:8000/v1/auth/callback
+SYNCMASTER__AUTH__SCOPE=email
 SYNCMASTER__AUTH__KEYCLOAK_INTROSPECTION_DELAY=60
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
-SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=https://isso.mts.ru/auth/realms/mts/protocol/openid-connect/token
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak_provider.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=http://keycloak:8080/realms/fastapi-realm/protocol/openid-connect/token
 
-
-SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080/auth/
-SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi-realm
-SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi-client
-SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
-SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/callback
-SYNCMASTER__AUTH__KEYCLOAK__ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
-SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
-SYNCMASTER__AUTH__KEYCLOAK__INTROSPECTION_DELAY=60
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
-SYNCMASTER__AUTH__KEYCLOAK__TOKEN_URL=http://localhost:8080/auth/realms/fastapi-realm/protocol/openid-connect/token
-
-
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+# Dummy Auth
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
 
 # RabbitMQ

.env.local

@@ -19,7 +19,7 @@ export SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
 export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster
 
 # Auth
-export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
 
 # RabbitMQ

poetry.lock

@@ -68,6 +68,7 @@ python-json-logger = {version = "*", optional = true}
 asyncpg = { version = ">=0.29,<0.31", optional = true }
 apscheduler = { version = "^3.10.4", optional = true }
 starlette-exporter = {version = "^0.23.0", optional = true}
+itsdangerous = {version = "*", optional = true}
 python-keycloak =  {version = "^4.7.0", optional = true}
 devtools = {version = "*", optional = true}
 
@@ -90,6 +91,7 @@ backend = [
     "python-json-logger",
     "asyncpg",
     "devtools",
+    "itsdangerous",
     "python-keycloak",
     # migrations only
     "celery",
@@ -185,6 +187,10 @@ ignore_missing_imports = true
 module = "pyarrow.*"
 ignore_missing_imports = true
 
+[[tool.mypy.overrides]]
+module = "keycloak.*"
+ignore_missing_imports = true
+
 [[tool.mypy.overrides]]
 module = "avro.*"
 ignore_missing_imports = true

pyproject.toml

@@ -1,17 +1,25 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from typing import Annotated
+from typing import TYPE_CHECKING, Annotated
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 
 from syncmaster.backend.dependencies import Stub
 from syncmaster.backend.providers.auth import AuthProvider
+from syncmaster.backend.utils.state import validate_state
 from syncmaster.errors.registration import get_error_responses
 from syncmaster.errors.schemas.invalid_request import InvalidRequestSchema
 from syncmaster.errors.schemas.not_authorized import NotAuthorizedSchema
 from syncmaster.schemas.v1.auth import AuthTokenSchema
 
+if TYPE_CHECKING:
+    from syncmaster.backend.providers.auth import (
+        DummyAuthProvider,
+        KeycloakAuthProvider,
+    )
+
 router = APIRouter(
     prefix="/auth",
     tags=["Auth"],
@@ -20,11 +28,11 @@
 
 
 @router.post("/token")
-async def login(
-    auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
+async def token(
+    auth_provider: Annotated["DummyAuthProvider", Depends(Stub(AuthProvider))],
     form_data: OAuth2PasswordRequestForm = Depends(),
 ) -> AuthTokenSchema:
-    token = await auth_provider.get_token(
+    token = await auth_provider.get_token_password_grant(
         grant_type=form_data.grant_type,
         login=form_data.username,
         password=form_data.password,
@@ -33,3 +41,21 @@ async def login(
         client_secret=form_data.client_secret,
     )
     return AuthTokenSchema.parse_obj(token)
+
+
+@router.get("/callback")
+async def auth_callback(
+    request: Request,
+    code: str,
+    state: str,
+    auth_provider: Annotated["KeycloakAuthProvider", Depends(Stub(AuthProvider))],
+):
+    original_redirect_url = validate_state(state)
+    if not original_redirect_url:
+        raise HTTPException(status_code=400, detail="Invalid state parameter")
+    token = await auth_provider.get_token_authorization_code_grant(
+        code=code,
+        redirect_uri=auth_provider.settings.redirect_uri,
+    )
+    request.session["access_token"] = token["access_token"]
+    return RedirectResponse(url=original_redirect_url)

syncmaster/backend/api/v1/auth.py

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
 
+from syncmaster.backend.dependencies.get_access_token import get_access_token
 from syncmaster.backend.dependencies.stub import Stub

syncmaster/backend/dependencies/__init__.py

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+from fastapi import Request
+from fastapi.security.utils import get_authorization_scheme_param
+
+
+async def get_access_token(request: Request):
+    authorization = request.headers.get("Authorization")
+    scheme, token = get_authorization_scheme_param(authorization)
+    if not authorization or scheme.lower() != "bearer":
+        return None
+    return token

syncmaster/backend/dependencies/get_access_token.py

@@ -5,11 +5,13 @@
 
 from fastapi import HTTPException, Request, Response, status
 from fastapi.exceptions import RequestValidationError
+from fastapi.responses import RedirectResponse
 from pydantic import ValidationError
 
 from syncmaster.errors.base import APIErrorSchema, BaseErrorSchema
 from syncmaster.errors.registration import get_response_for_exception
 from syncmaster.exceptions import ActionNotAllowedError, SyncmasterError
+from syncmaster.exceptions.auth import AuthorizationError
 from syncmaster.exceptions.connection import (
     ConnectionDeleteError,
     ConnectionNotFoundError,
@@ -31,6 +33,7 @@
     QueueDeleteError,
     QueueNotFoundError,
 )
+from syncmaster.exceptions.redirect import RedirectException
 from syncmaster.exceptions.run import (
     CannotConnectToTaskQueueError,
     CannotStopRunError,
@@ -119,6 +122,14 @@ async def syncmsater_exception_handler(request: Request, exc: SyncmasterError):
             content=content,
         )
 
+    if isinstance(exc, RedirectException):
+        return RedirectResponse(url=exc.redirect_url)
+
+    if isinstance(exc, AuthorizationError):
+        content.code = "unauthorized"
+        content.message = "Not authenticated"
+        return exception_json_response(status=status.HTTP_401_UNAUTHORIZED, content=content)
+
     if isinstance(exc, ConnectionDeleteError):
         content.code = "conflict"
         return exception_json_response(status=status.HTTP_409_CONFLICT, content=content)

syncmaster/backend/handler.py

@@ -9,6 +9,7 @@
     apply_monitoring_metrics_middleware,
 )
 from syncmaster.backend.middlewares.request_id import apply_request_id_middleware
+from syncmaster.backend.middlewares.session import apply_session_middleware
 from syncmaster.settings import Settings
 
 
@@ -24,5 +25,6 @@ def apply_middlewares(
     apply_cors_middleware(application, settings.server.cors)
     apply_monitoring_metrics_middleware(application, settings.server.monitoring)
     apply_request_id_middleware(application, settings.server.request_id)
+    apply_session_middleware(application)
 
     return application

syncmaster/backend/middlewares/__init__.py

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+import secrets
+
+from fastapi import FastAPI
+from starlette.middleware.sessions import SessionMiddleware
+
+
+def apply_session_middleware(app: FastAPI) -> FastAPI:
+    """Add SessionMiddleware middleware to the application."""
+    secret_key = secrets.token_urlsafe(32)
+    app.add_middleware(SessionMiddleware, secret_key=secret_key)
+    return app