Merge pull request #11 from csgroup-oss/copy-keycloak-attributes-to-config

Copy OAuth2 attributes to config

Author: jgaucher-cs

.pre-commit-config.yaml

@@ -48,7 +48,7 @@ repos:
       - id: prettier
         files: \.(js|ts|jsx|tsx|css|less|html|json|markdown|md|yaml|yml)$
   - repo: https://github.com/hadialqattan/pycln
-    rev: v2.2.1
+    rev: v2.6.0
     hooks:
       - id: pycln
         args: [--config=pyproject.toml]

README.md

@@ -66,6 +66,7 @@ uvicorn app.main:app --host localhost --port 9999 --reload --log-config=log_conf
 | APIKM_CONTACT_URL              | Contact url displayed in the swagger front page                                                           | `"https://github.com/csgroup-oss/apikey-manager/"`                 |
 | APIKM_CONTACT_EMAIL            | Contact email displayed in the swagger front page                                                         | `"support@csgroup.space"`                                          |
 | APIKM_OPENAPI_URL              | The URL where the OpenAPI schema will be served from                                                      | `"/openapi.json"`                                                  |
+| APIKM_OAUTH2_ATTRIBUTES        | OAuth2 attributes to save as key/values in the API key "config" dict                                      | `"attr1,attr2"`                                                    |
 
 ### Endpoints
 

app/auth/apikey_crud.py

@@ -128,7 +128,7 @@ def renew_key(
         with self.engine.connect() as conn:
             t = self.t_apitoken
             resp = conn.execute(
-                select(t.c["is_active", "expiration_date"]).where(
+                select(t.c["is_active", "config"]).where(
                     (t.c.api_key == self.__hash(api_key)) & (t.c.user_id == user_id)
                 )
             ).first()
@@ -139,10 +139,12 @@ def renew_key(
                     status_code=HTTP_404_NOT_FOUND, detail="API key not found"
                 )
 
+            old_active = resp[0]
+            old_config = resp[1]
             response_lines = []
 
             # Previously revoked key. Issue a text warning and reactivate it.
-            if not resp[0]:
+            if not old_active:
                 response_lines.append(
                     "This API key was revoked and has been reactivated."
                 )
@@ -167,6 +169,10 @@ def renew_key(
             LOGGER.debug("Sync user info of `user_id` with KeyCLoak")
             kc_info = self.kcutil.get_user_info(user_id)
 
+            # Merge the old config with the new valuesread from the oauth2 attributes.
+            # NOTE: the new values have higher priority than the old config.
+            new_config = old_config | kc_info.attributes
+
             conn.execute(
                 t.update()
                 .where(t.c.api_key == self.__hash(api_key))
@@ -176,6 +182,7 @@ def renew_key(
                     latest_sync_date=datetime.now(UTC),
                     is_active=True,
                     expiration_date=parsed_expiration_date,
+                    config=new_config,
                 )
             )
 
@@ -248,11 +255,18 @@ def check_key(self, api_key: str) -> dict | None:
             if latest_sync_date.utcoffset() is None:
                 latest_sync_date = latest_sync_date.replace(tzinfo=timezone.utc)
 
+            # If the apikey info has not been updated from keycloak for a long time
             if settings.keycloak_sync_freq > 0 and datetime.now(UTC) > (
                 latest_sync_date + timedelta(seconds=settings.keycloak_sync_freq)
             ):
                 LOGGER.debug(f"Sync user info of `{response['user_id']}` with KeyCLoak")
                 kc_info = self.kcutil.get_user_info(response["user_id"])
+
+                # Merge the old config with the new valuesread from the oauth2
+                # attributes.
+                # NOTE: the new values have higher priority than the old config.
+                new_config = response["config"] | kc_info.attributes
+
                 # Update the database
                 conn.execute(
                     t.update()
@@ -261,12 +275,14 @@ def check_key(self, api_key: str) -> dict | None:
                         user_active=kc_info.is_enabled,
                         iam_roles=kc_info.roles,
                         latest_sync_date=datetime.now(UTC),
+                        config=new_config,
                     )
                 )
                 conn.commit()
 
                 response["user_active"] = kc_info.is_enabled
                 response["iam_roles"] = kc_info.roles
+                response["config"] = new_config
 
             if not response["user_active"]:
                 # If user is not active anymore

app/auth/authlib_oauth.py

@@ -132,7 +132,7 @@ async def authlib_oauth(request: Request) -> AuthInfo:
     user_info = kcutil.get_user_info(user_id)
 
     if user_info.is_enabled:
-        return AuthInfo(user_id, user_login, user_info.roles)
+        return AuthInfo(user_id, user_login, user_info.roles, user_info.attributes)
     else:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,

app/auth/keycloak_util.py

@@ -18,6 +18,7 @@
 
 import logging
 from dataclasses import dataclass
+from typing import Any
 
 from keycloak import KeycloakAdmin, KeycloakError, KeycloakOpenIDConnection
 from keycloak.exceptions import KeycloakGetError
@@ -31,6 +32,7 @@
 class KCInfo:
     is_enabled: bool
     roles: list[str]
+    attributes: dict[str, Any]
 
 
 class KCUtil:
@@ -66,14 +68,18 @@ def get_user_info(self, user_id: str) -> KCInfo:
             iam_roles = [
                 role["name"] for role in kadm.get_composite_realm_roles_of_user(user_id)
             ]
-            return KCInfo(user["enabled"], iam_roles)
+            user_attributes = {
+                attr: user.get("attributes", {}).get(attr)
+                for attr in settings.oauth2_attributes
+            }
+            return KCInfo(user["enabled"], iam_roles, user_attributes)
         except KeycloakGetError as error:
             # If the user is not found, this means he was removed from keycloak.
             # Thus we must remove all his api keys from the database.
             if (error.response_code == 404) and (
                 "User not found" in error.response_body.decode("utf-8")
             ):
                 LOGGER.warning(f"User '{user_id}' not found in keycloak.")
-                return KCInfo(False, [])
+                return KCInfo(False, [], {})
 
             raise

app/controllers/auth_controller.py

@@ -84,10 +84,14 @@ async def oidc_auth(token: str | None = Depends(oidc)) -> AuthInfo:
                 audience=api_settings.oidc_client_id,
                 algorithms=["RS256"],
             )
+            user_attributes = {
+                attr: decoded.get(attr) for attr in api_settings.oauth2_attributes
+            }
             return AuthInfo(
                 decoded.get("sub"),
                 decoded.get("preferred_username"),
                 decoded.get("roles"),
+                user_attributes,
             )
         except PyJWTError as e:
             raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail=str(e))
@@ -139,6 +143,7 @@ async def show_me(auth_info: Annotated[AuthInfo, Depends(oidc_auth)]):
         "user_id": auth_info.user_id,
         "user_login": auth_info.user_login,
         "roles": auth_info.roles,
+        "attributes": auth_info.attributes,
     }
 
 
@@ -172,13 +177,18 @@ async def get_new_api_key(
     Returns:
         api_key: a newly generated API key
     """
+    # Merge the config given by the caller with the oauth2 attributes.
+    # NOTE: the values read from oauth2 have higher priority than those
+    # given by the caller.
+    config = (config or {}) | auth_info.attributes
+
     return apikey_crud.create_key(
         name,
         auth_info.user_id,
         auth_info.user_login,
         never_expires,
         auth_info.roles,
-        config or {},
+        config,
         allowed_referers,
     )
 

app/settings.py

@@ -15,13 +15,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import json
 import random
 import string
-from collections.abc import Callable
+from collections.abc import Callable, Sequence
 from dataclasses import dataclass
+from typing import Annotated, Any
 
-from pydantic import field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import BeforeValidator, field_validator
+from pydantic_settings import BaseSettings, NoDecode, SettingsConfigDict
 from slowapi import Limiter
 from slowapi.util import get_remote_address
 
@@ -31,6 +33,21 @@ class AuthInfo:
     user_id: str
     user_login: str
     roles: list[str]
+    attributes: dict[str, Any]
+
+
+def str_to_list(value: Any) -> list:
+    """
+    Convert into a list a comma-separated str (e.g. 'attr1,attr2') or
+    json representation str (e.g. '["attr1", "attr2"]')
+    """
+    if isinstance(value, str):
+        if value.startswith("["):
+            return json.loads(value)
+        else:
+            return [v.strip() for v in value.split(",")]
+    else:
+        return value
 
 
 class ApiSettings(BaseSettings):
@@ -99,6 +116,13 @@ class ApiSettings(BaseSettings):
 
     auth_function: Callable | None = None
 
+    # List of optional OAuth2 attributes to save as key/values in the API key "config"
+    # dict. The list is given as a comma-separated str (e.g. 'attr1,attr2') or json
+    # representation str (e.g. '["attr1", "attr2"]')
+    oauth2_attributes: Annotated[
+        Sequence[str], BeforeValidator(str_to_list), NoDecode
+    ] = []
+
     model_config = SettingsConfigDict(env_prefix="APIKM_", env_file=".env")
 
     @field_validator("cors_allow_methods")

deploy/helm/apikeymanager/Chart.yaml

@@ -32,13 +32,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 0.1.0-dev0.g3df33f1ac
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 1.0.0
+appVersion: 0.1.0-dev0.g3df33f1ac
 
 maintainers:
   - name: CS GROUP

deploy/helm/apikeymanager/README.md

@@ -1,6 +1,6 @@
 # apikeymanager
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 0.1.0-dev0.g3df33f1ac](https://img.shields.io/badge/Version-0.1.0--dev0.g3df33f1ac-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0-dev0.g3df33f1ac](https://img.shields.io/badge/AppVersion-0.1.0--dev0.g3df33f1ac-informational?style=flat-square)
 
 Helm chart for APIKeyManager
 
@@ -25,6 +25,7 @@ Helm chart for APIKeyManager
 | config.debug | bool | `false` | DEBUG mode (display SQL queries) |
 | config.default_apikey_ttl_hour | int | `360` | Default lifetime of an API Key (in hour) |
 | config.keycloak_sync_freq | int | `300` | Sync frequency of a user with data stored in Keycloak (in seconds) |
+| config.oauth2_attributes | string | `""` | OAuth2 attributes to save as key/values in the API key "config" dict |
 | config.oidc_client_id | string | `""` | OIDC CLient ID |
 | config.oidc_client_secret | string | `""` | OIDC Secret used to sync user info from Keycloak |
 | config.oidc_endpoint | string | `""` | OIDC End Point |
@@ -38,7 +39,7 @@ Helm chart for APIKeyManager
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"ghcr.io/csgroup-oss/apikey-manager"` | Image repository |
-| image.tag | string | `"1.0.0"` | Image tag |
+| image.tag | string | `"0.1.dev0.g3df33f1ac"` | Image tag |
 | imagePullSecrets[0] | object | `{"name":"ghcr-k8s"}` | Image pull secrets |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |

deploy/helm/apikeymanager/templates/deployment.yaml

@@ -106,6 +106,8 @@ spec:
               value: {{  .Values.config.contact_email | quote }}
             - name: "APIKM_OPENAPI_URL"
               value: {{  .Values.config.openapi_url | quote }}
+            - name: "APIKM_OAUTH2_ATTRIBUTES"
+              value: {{  .Values.config.oauth2_attributes | quote }}
           {{- range $key, $val := .Values.env }}
             - name: {{ $key }}
               value: {{ $val | quote }}