[DOP-21268] - refactor auth configuration settings (add providers)

Author: maxim-lixakov

.env.docker

@@ -15,6 +15,34 @@ SYNCMASTER__WORKER__LOGGING__PRESET=json
 # Postgres
 SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@db:5432/syncmaster
 
+# Keycloack (MTS)
+SYNCMASTER__AUTH__KEYCLOAK_SERVER_URL=https://isso.mts.ru/auth/
+SYNCMASTER__AUTH__KEYCLOAK_REALM_NAME=mts
+SYNCMASTER__AUTH__KEYCLOAK_CLIENT_ID=syncmaster_dev
+SYNCMASTER__AUTH__KEYCLOAK_CLIENT_SECRET=secret
+SYNCMASTER__AUTH__KEYCLOAK_REDIRECT_URI=http://localhost:8000/callback
+SYNCMASTER__AUTH__KEYCLOAK_ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
+SYNCMASTER__AUTH__KEYCLOAK_SCOPE=email
+SYNCMASTER__AUTH__KEYCLOAK_INTROSPECTION_DELAY=60
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=https://isso.mts.ru/auth/realms/mts/protocol/openid-connect/token
+
+
+SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080/auth/
+SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi-realm
+SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi-client
+SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
+SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/callback
+SYNCMASTER__AUTH__KEYCLOAK__ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
+SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
+SYNCMASTER__AUTH__KEYCLOAK__INTROSPECTION_DELAY=60
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK__TOKEN_URL=http://localhost:8080/auth/realms/fastapi-realm/protocol/openid-connect/token
+
+
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
+
 # RabbitMQ
 SYNCMASTER__BROKER__URL=amqp://guest:guest@rabbitmq:5672/
 

.env.local

@@ -15,6 +15,10 @@ export SYNCMASTER__WORKER__LOGGING__PRESET=json
 # Postgres
 export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster
 
+# Auth
+export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
+
 # RabbitMQ
 export SYNCMASTER__BROKER__URL=amqp://guest:guest@localhost:5672/
 

docker-compose.test.yml

@@ -153,6 +153,19 @@ services:
       retries: 3
     profiles: [hive, hdfs, all]
 
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    command: start-dev
+    restart: unless-stopped
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    ports:
+      - 8080:8080
+    volumes:
+      - keycloak_data:/opt/keycloak/data
+    profiles: [keycloak, all]
+
   test-hive:
     image: mtsrus/hadoop:hadoop2.7.3-hive2.3.9
     restart: unless-stopped

poetry.lock

@@ -67,6 +67,8 @@ coloredlogs = {version = "*", optional = true}
 python-json-logger = {version = "*", optional = true}
 asyncpg = { version = ">=0.29,<0.31", optional = true }
 apscheduler = { version = "^3.10.4", optional = true }
+python-keycloak =  {version = "^4.7.0", optional = true}
+devtools = {version = "*", optional = true}
 
 [tool.poetry.extras]
 backend = [
@@ -85,6 +87,8 @@ backend = [
     "coloredlogs",
     "python-json-logger",
     "asyncpg",
+    "devtools",
+    "python-keycloak",
     # migrations only
     "celery",
     "apscheduler",

pyproject.toml

@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-import uuid
+from typing import Type
 
 from fastapi import FastAPI, HTTPException
 from fastapi.exceptions import RequestValidationError
@@ -15,6 +15,7 @@
     validation_exception_handler,
 )
 from syncmaster.backend.middlewares import apply_middlewares
+from syncmaster.backend.providers.auth import AuthProvider
 from syncmaster.backend.services.unit_of_work import UnitOfWork
 from syncmaster.db.factory import create_session_factory, get_uow
 from syncmaster.exceptions import SyncmasterError
@@ -44,6 +45,9 @@ def application_factory(settings: Settings) -> FastAPI:
         },
     )
 
+    auth_class: type[AuthProvider] = settings.auth.provider  # type: ignore[assignment]
+    auth_class.setup(application)
+
     apply_middlewares(application, settings)
     return application
 

syncmaster/backend/__init__.py

@@ -5,13 +5,12 @@
 from fastapi import APIRouter, Depends
 from fastapi.security import OAuth2PasswordRequestForm
 
-from syncmaster.backend.api.v1.auth.utils import sign_jwt
 from syncmaster.backend.dependencies import Stub
+from syncmaster.backend.providers.auth import AuthProvider
 from syncmaster.backend.services import UnitOfWork
 from syncmaster.errors.registration import get_error_responses
 from syncmaster.errors.schemas.invalid_request import InvalidRequestSchema
 from syncmaster.errors.schemas.not_authorized import NotAuthorizedSchema
-from syncmaster.exceptions import EntityNotFoundError
 from syncmaster.schemas.v1.auth import AuthTokenSchema
 from syncmaster.settings import Settings
 
@@ -24,18 +23,18 @@
 
 @router.post("/token")
 async def login(
+    auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
     settings: Annotated[Settings, Depends(Stub(Settings))],
-    form_data: OAuth2PasswordRequestForm = Depends(),
     unit_of_work: UnitOfWork = Depends(UnitOfWork),
+    form_data: OAuth2PasswordRequestForm = Depends(),
 ) -> AuthTokenSchema:
     """This is the test auth method!!! Not for production!!!!"""
-    try:
-        user = await unit_of_work.user.read_by_username(username=form_data.username)
-    except EntityNotFoundError:
-        async with unit_of_work:
-            user = await unit_of_work.user.create(
-                username=form_data.username,
-                is_active=True,
-            )
-    token = sign_jwt(user_id=user.id, settings=settings)
-    return AuthTokenSchema(access_token=token, refresh_token="refresh_token")
+    token = await auth_provider.get_token(
+        grant_type=form_data.grant_type,
+        login=form_data.username,
+        password=form_data.password,
+        scopes=form_data.scopes,
+        client_id=form_data.client_id,
+        client_secret=form_data.client_secret,
+    )
+    return AuthTokenSchema.parse_obj(token)

syncmaster/backend/api/v1/auth/router.py syncmaster/backend/api/v1/auth.pysyncmaster/backend/api/v1/auth/router.py renamed to syncmaster/backend/api/v1/auth.py

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 from fastapi import APIRouter
 
-from syncmaster.backend.api.v1.auth.router import router as auth_router
+from syncmaster.backend.api.v1.auth import router as auth_router
 from syncmaster.backend.api.v1.connections import router as connection_router
 from syncmaster.backend.api.v1.groups import router as group_router
 from syncmaster.backend.api.v1.queue import router as queue_router