Feature/kc 26 (#251)

* upg keycloak python library

* fix tests

* fix namespace use

* update poetry.lock for gatewayApi

* fix test config

* f-string fix for logs

* Enhace logging for token.py

* constructs the JWK URL directly from the same internal KC_SERVER_URL

* Update gatewayJobScheduler for Keycloak 26

* fix version mismatch for proxies arg for python-keycloak and httpx

* temp set keycloak ssl verify to false for scheduler

* Fix 404 when namespace has no Keycloak group

* Set verify back to True

* Prevent accidental route deletions on Keycloak errors. abort sync and add logging in NamespaceService

* Refactor Keycloak integration in gatewayJobScheduler

- don't silence errors in namespace.py
- raise error if transform_data_by_ns hits an exception
- Use a single Keycloak admin instance.
- Added Keycloak connection validation in sync_routes function.
- add sanity check before syncing
- Updated tests to ensure proper mocking of Keycloak interactions.

* Revert changes

* Use OIDCDiscovery for jwk again

* Fix Keycloak realm base URL by adding slash before /realms

* Test for Keycloak realm base URL with or without trailing slash

* remove deprecated search_in_subgroups

* stop using deprecated dev-dependencies

---------

Co-authored-by: ikethecoder <ikethecoder@copeconsulting.ca>
Co-authored-by: Russell Vinegar <russell.vinegar@gov.bc.ca>

Author: 3 people

microservices/gatewayApi/auth/token.py

@@ -1,3 +1,4 @@
+import logging
 import requests
 import time
 from authlib.jose import JsonWebToken
@@ -7,18 +8,29 @@
 from flask import current_app, g
 from config import Config
 
+logger = logging.getLogger(__name__)
+
+
+def realm_base_url(server_url: str, realm: str) -> str:
+    """Build Keycloak realm base URL, normalizing server_url with or without trailing slash."""
+    return f"{server_url.rstrip('/')}/realms/{realm}"
+
+
 def OIDCDiscovery(base_url):
     conf = Config()
 
     # Fetch the openid metadata so we may know the jwk endpoint uri
     server_metadata_url = f"{base_url}/.well-known/openid-configuration"
+    logger.info(f"Fetching OIDC metadata from: {server_metadata_url}")
     server_metadata_r = requests.get(server_metadata_url)
     if server_metadata_r.status_code != 200:
         raise Exception(
-            f"Error getting auth server metadata from url: {server_metadata_url}"
-            + ", status_code: {server_metadata_r.status_code}"
+            f"Error getting auth server metadata from url: {server_metadata_url}, "
+            f"status_code: {server_metadata_r.status_code}, "
+            f"response: {server_metadata_r.text[:500]}"
         )
     server_metadata = server_metadata_r.json()
+    logger.info(f"OIDC discovery succeeded. jwks_uri: {server_metadata.get('jwks_uri')}")
     return server_metadata
 
 class OIDCTokenValidator(BearerTokenValidator):
@@ -31,20 +43,23 @@ def __init__(self, token_cls, realm=None):
 
         server_url = conf.data['keycloak']['serverUrl']
         realm = conf.data['keycloak']['realm']
-        baseUrl = "%srealms/%s" % (server_url, realm)
-
+        baseUrl = realm_base_url(server_url, realm)
         self.aud = conf.data['tokenMatch']['aud']
 
         server_metadata = OIDCDiscovery(baseUrl)
 
         # Fetch the public key for validating Bearer token
-        jwk_r = requests.get(server_metadata['jwks_uri'])
+        jwks_uri = server_metadata['jwks_uri']
+        logger.info(f"Fetching JWK from: {jwks_uri}")
+        jwk_r = requests.get(jwks_uri)
         if jwk_r.status_code != 200:
             raise Exception(
-                f"Error getting jwk from url: {server_metadata['jwks_uri']}"
-                + ", status_code: {jwk_r.status_code}"
+                f"Error getting jwk from url: {jwks_uri}, "
+                f"status_code: {jwk_r.status_code}, "
+                f"response: {jwk_r.text[:500]}"
             )
         self.jwk = jwk_r.json()
+        logger.info("JWK fetched successfully")
 
     def authenticate_token(self, token_string):
         jwt = JsonWebToken(['RS256'])

microservices/gatewayApi/clients/keycloak.py

@@ -1,16 +1,20 @@
 
 from flask import current_app as app
-from keycloak import KeycloakAdmin
+from keycloak import KeycloakAdmin, KeycloakOpenIDConnection
 from keycloak.exceptions import KeycloakGetError
 
-def admin_api():
-    conf = app.config['keycloak']
+#     conf = app.config['keycloak']
 
-    keycloak_admin = KeycloakAdmin(server_url=conf['serverUrl'],
+def admin_api(conf):
+
+    keycloak_connection = KeycloakOpenIDConnection(server_url=conf['serverUrl'],
         username=conf['username'],
         password=conf['password'],
         realm_name=conf['realm'],
         client_id=conf['clientId'],
         user_realm_name=conf['userRealm'],
         verify=True)
+
+
+    keycloak_admin = KeycloakAdmin(connection=keycloak_connection)
     return keycloak_admin

microservices/gatewayApi/config/test.json

@@ -31,5 +31,14 @@
     "kubeApiUser": "username"
   },
   "compatibilityApiUrl": "http://compatibility-api",
-   "deckCLI": "deck"
+  "deckCLI": "deck",
+  "keycloak": {
+    "serverUrl": "http://test-keycloak",
+    "realm": "test-realm",
+    "clientId": "test-client",
+    "clientSecret": "test-secret",
+    "userRealm": "test-user-realm",
+    "username": "test-user",
+    "password": "test-password"
+  }
 }