[DOP-21268] - implement KeycloakAuthProvider

Author: maxim-lixakov

.env.docker

@@ -43,7 +43,7 @@ SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAu
 SYNCMASTER__AUTH__KEYCLOAK__TOKEN_URL=http://localhost:8080/auth/realms/fastapi-realm/protocol/openid-connect/token
 
 
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
 
 # RabbitMQ

.env.local

@@ -19,7 +19,7 @@ export SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
 export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster
 
 # Auth
-export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
 
 # RabbitMQ

pyproject.toml

@@ -183,6 +183,10 @@ ignore_missing_imports = true
 module = "pyarrow.*"
 ignore_missing_imports = true
 
+[[tool.mypy.overrides]]
+module = "keycloak.*"
+ignore_missing_imports = true
+
 [[tool.mypy.overrides]]
 module = "avro.*"
 ignore_missing_imports = true

syncmaster/backend/api/v1/auth.py

@@ -3,10 +3,12 @@
 from typing import Annotated
 
 from fastapi import APIRouter, Depends
+from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 
 from syncmaster.backend.dependencies import Stub
 from syncmaster.backend.providers.auth import AuthProvider
+from syncmaster.backend.providers.auth.keycloak_provider import KeycloakAuthProvider
 from syncmaster.errors.registration import get_error_responses
 from syncmaster.errors.schemas.invalid_request import InvalidRequestSchema
 from syncmaster.errors.schemas.not_authorized import NotAuthorizedSchema
@@ -20,7 +22,7 @@
 
 
 @router.post("/token")
-async def login(
+async def token(
     auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
     form_data: OAuth2PasswordRequestForm = Depends(),
 ) -> AuthTokenSchema:
@@ -33,3 +35,30 @@ async def login(
         client_secret=form_data.client_secret,
     )
     return AuthTokenSchema.parse_obj(token)
+
+
+@router.get("/login")
+async def login(
+    auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
+):
+    return RedirectResponse(url="/")
+
+
+@router.get("/callback")
+async def auth_callback(
+    code: str,
+    auth_provider: Annotated[KeycloakAuthProvider, Depends(Stub(KeycloakAuthProvider))],
+) -> AuthTokenSchema:
+    token = await auth_provider.get_token(
+        grant_type="authorization_code",
+        code=code,
+        redirect_uri=auth_provider.settings.redirect_uri,
+    )
+    access_token = token["access_token"]
+    # Optionally, save the refresh_token, expires_in, etc.
+    # Use the access_token to get the current user
+    await auth_provider.get_current_user(access_token)
+    # Create a session, set cookies, redirect as needed
+    response = RedirectResponse(url="/")
+    response.set_cookie(key="access_token", value=access_token, httponly=True)
+    return AuthTokenSchema.parse_obj(token)

syncmaster/backend/providers/auth/__init__.py

@@ -1,3 +1,3 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from syncmaster.backend.providers.auth.base import AuthProvider
+from syncmaster.backend.providers.auth.base_provider import AuthProvider

syncmaster/backend/providers/auth/base.py …/backend/providers/auth/base_provider.pysyncmaster/backend/providers/auth/base.py renamed to syncmaster/backend/providers/auth/base_provider.py syncmaster/backend/providers/auth/base.py renamed to syncmaster/backend/providers/auth/base_provider.py

@@ -77,6 +77,8 @@ async def get_token(
         scopes: list[str] | None = None,
         client_id: str | None = None,
         client_secret: str | None = None,
+        *args,
+        **kwargs,
     ) -> dict[str, Any]:
         """
         This method should perform authentication and return JWT token.

…ncmaster/backend/providers/auth/dummy.py …backend/providers/auth/dummy_provider.pysyncmaster/backend/providers/auth/dummy.py renamed to syncmaster/backend/providers/auth/dummy_provider.py syncmaster/backend/providers/auth/dummy.py renamed to syncmaster/backend/providers/auth/dummy_provider.py

@@ -9,7 +9,7 @@
 from fastapi import Depends, FastAPI
 
 from syncmaster.backend.dependencies import Stub
-from syncmaster.backend.providers.auth.base import AuthProvider
+from syncmaster.backend.providers.auth.base_provider import AuthProvider
 from syncmaster.backend.services import UnitOfWork
 from syncmaster.backend.utils.jwt import decode_jwt, sign_jwt
 from syncmaster.db.models import User

syncmaster/backend/providers/auth/keycloak.py

@@ -0,0 +1,102 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+
+import logging
+from typing import Annotated, Any
+
+from fastapi import Depends, FastAPI
+from keycloak import KeycloakOpenID
+
+from syncmaster.backend.dependencies import Stub
+from syncmaster.backend.providers.auth.base_provider import AuthProvider
+from syncmaster.backend.services import UnitOfWork
+from syncmaster.db.models import User
+from syncmaster.exceptions import EntityNotFoundError
+from syncmaster.exceptions.auth import AuthorizationError
+from syncmaster.settings.auth.keycloak import KeycloakAuthProviderSettings
+
+log = logging.getLogger(__name__)
+
+
+class KeycloakAuthProvider(AuthProvider):
+    def __init__(
+        self,
+        settings: Annotated[KeycloakAuthProviderSettings, Depends(Stub(KeycloakAuthProviderSettings))],
+        unit_of_work: Annotated[UnitOfWork, Depends()],
+    ) -> None:
+        self.settings = settings
+        self._uow = unit_of_work
+        self.keycloak_openid = KeycloakOpenID(
+            server_url=self.settings.server_url,
+            client_id=self.settings.client_id,
+            realm_name=self.settings.realm_name,
+            client_secret_key=self.settings.client_secret.get_secret_value(),
+            verify=self.settings.verify_ssl,
+        )
+        self.public_key = (
+            "-----BEGIN PUBLIC KEY-----\n" + self.keycloak_openid.public_key() + "\n-----END PUBLIC KEY-----"
+        )
+        self.options = {
+            "verify_signature": self.settings.verify_signature,
+            "verify_aud": self.settings.verify_aud,
+            "verify_exp": self.settings.verify_exp,
+        }
+
+    @classmethod
+    def setup(cls, app: FastAPI) -> FastAPI:
+        settings = KeycloakAuthProviderSettings.parse_obj(app.state.settings.auth.dict(exclude={"provider"}))
+        log.info("Using %s provider with settings:\n%s", cls.__name__, settings)
+        app.dependency_overrides[AuthProvider] = cls
+        app.dependency_overrides[KeycloakAuthProviderSettings] = lambda: settings
+        return app
+
+    async def get_current_user(self, access_token: str) -> User:
+        if not access_token:
+            raise AuthorizationError("Missing auth credentials")
+        try:
+            token_info = self.keycloak_openid.decode_token(
+                access_token,
+                key=self.public_key,
+                options=self.options,
+            )
+        except Exception as e:
+            raise AuthorizationError("Invalid token") from e
+        user_id = token_info.get("sub")
+        login = token_info.get("username")
+        if not user_id:
+            raise AuthorizationError("Invalid token payload")
+        # Fetch user from database using user_id or create new one
+        async with self._uow:
+            try:
+                user = await self._uow.user.read_by_username(login)
+            except EntityNotFoundError:
+                # Create new user if not exists
+                user = await self._uow.user.create(
+                    username=token_info.get("preferred_username"),
+                    is_active=True,
+                )
+        if not user.is_active:
+            raise AuthorizationError(f"User {user.username!r} is disabled")
+        return user
+
+    async def get_token(
+        self,
+        grant_type: str | None = None,
+        code: str | None = None,
+        redirect_uri: str | None = None,
+        scopes: list[str] | None = None,
+        client_id: str | None = None,
+        client_secret: str | None = None,
+    ) -> dict[str, Any]:
+        if grant_type != "authorization_code" or not code:
+            raise AuthorizationError("Invalid grant type or missing code")
+        try:
+            redirect_uri = redirect_uri or self.settings.redirect_uri
+            token = self.keycloak_openid.token(
+                grant_type=grant_type,
+                code=code,
+                redirect_uri=redirect_uri,
+            )
+            return token
+        except Exception as e:
+            raise AuthorizationError("Failed to get token") from e

syncmaster/backend/providers/auth/keycloak_provider.py

@@ -16,7 +16,7 @@ class AuthSettings(BaseModel):
 
     .. code-block:: bash
 
-        SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+        SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 
         # pass access_key.secret_key = "secret" to DummyAuthProviderSettings
         SYNCMASTER__AUTH__ACCESS_KEY__SECRET_KEY=secret