Merge pull request #307 from ral-facilities/release/v3.0.0

Release `v3.0.0`

Author: VKTB

.env.example

@@ -11,10 +11,13 @@ AUTHENTICATION__PUBLIC_KEY_PATH=./keys/jwt-key.pub
 AUTHENTICATION__JWT_ALGORITHM=RS256
 AUTHENTICATION__ACCESS_TOKEN_VALIDITY_MINUTES=5
 AUTHENTICATION__REFRESH_TOKEN_VALIDITY_DAYS=7
-AUTHENTICATION__ACTIVE_USERNAMES_PATH=./active_usernames.txt
+AUTHENTICATION__USERS_CONFIG_PATH=./users_config.yaml
 MAINTENANCE__MAINTENANCE_PATH=./maintenance/maintenance.json
 MAINTENANCE__SCHEDULED_MAINTENANCE_PATH=./maintenance/scheduled_maintenance.json
 LDAP_SERVER__URL=ldaps://ldap.example.com:636
 LDAP_SERVER__REALM=LDAP.EXAMPLE.COM
 LDAP_SERVER__CERTIFICATE_VALIDATION=true
 LDAP_SERVER__CA_CERTIFICATE_FILE_PATH=./ldap_server_certs/cacert.pem
+OIDC_PROVIDERS__keycloak__DISPLAY_NAME=keycloak
+OIDC_PROVIDERS__keycloak__CONFIGURATION_URL=http://localhost:9004/realms/testrealm/.well-known/openid-configuration
+OIDC_PROVIDERS__keycloak__CLIENT_ID=test-client-id

.github/workflows/.ci.yml

@@ -21,17 +21,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Install python-ldap system dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev
 
       - name: Set up Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
-          python-version: "3.12"
+          python-version: "3.13"
           cache: "pip"
 
       - name: Install dependencies
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Create logging configuration file
         run: cp logging.example.ini logging.ini
@@ -72,27 +72,56 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
+  e2e-tests:
+    needs: [unit-tests]
+    name: End-to-End Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+      - name: Create logging configuration file
+        run: cp logging.example.ini logging.ini
+
+      - name: Setup keycloak
+        run: |
+          docker compose up --detach keycloak
+
+      - name: Run e2e tests
+        run: |
+          docker build --file Dockerfile --target test --tag ldap-jwt-auth:test .
+          docker run \
+            --name ldap-jwt-auth \
+            --volume ./logging.ini:/app/logging.ini \
+            --add-host localhost:host-gateway \
+            ldap-jwt-auth:test \
+            pytest --config-file test/pytest.ini test/e2e -v
+
+      - name: Output docker logs (keycloak)
+        if: failure()
+        run: docker logs keycloak
+
   docker:
     # This job triggers only if all the other jobs succeed. It builds the Docker image
     # and if run manually from Github Actions, it pushes to Harbor.
-    needs: [linting, unit-tests]
+    needs: [linting, unit-tests, e2e-tests]
     name: Docker
     runs-on: ubuntu-latest
     env:
       PUSH_DOCKER_IMAGE_TO_HARBOR: ${{ inputs.push-docker-image-to-harbor != null && inputs.push-docker-image-to-harbor || 'false' }}
     steps:
       - name: Check out repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ vars.HARBOR_URL }}/auth-api
 
       - name: Login to Harbor
         if: ${{ fromJSON(env.PUSH_DOCKER_IMAGE_TO_HARBOR) }}
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ vars.HARBOR_URL }}
           username: ${{ secrets.HARBOR_USERNAME }}

.github/workflows/release-build.yml

@@ -13,18 +13,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Login to Harbor
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: ${{ vars.HARBOR_URL }}
           username: ${{ secrets.HARBOR_USERNAME }}
           password: ${{ secrets.HARBOR_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ vars.HARBOR_URL }}/auth-api
           tags: |

.gitignore

@@ -1,5 +1,5 @@
 logging.ini
-/active_usernames.txt
+/users_config.yaml
 keys/*
 !keys/.keep
 ldap_server_certs/*

.pylintrc

@@ -59,10 +59,11 @@ ignore-paths=
 # Emacs file locks
 ignore-patterns=^\.#
 
-# List of module names for which member attributes should not be checked
-# (useful for modules/projects where namespaces are manipulated during runtime
-# and thus existing member attributes cannot be deduced by static analysis). It
-# supports qualified module names, as well as Unix pattern matching.
+# List of module names for which member attributes should not be checked and
+# will not be imported (useful for modules/projects where namespaces are
+# manipulated during runtime and thus existing member attributes cannot be
+# deduced by static analysis). It supports qualified module names, as well as
+# Unix pattern matching.
 ignored-modules=
 
 # Python code to execute, usually for sys.path manipulation such as
@@ -86,9 +87,13 @@ load-plugins=
 # Pickle collected data for later comparisons.
 persistent=yes
 
+# Resolve imports to .pyi stubs if available. May reduce no-member messages and
+# increase not-an-iterable messages.
+prefer-stubs=no
+
 # Minimum Python version to use for version dependent checks. Will default to
 # the version used to run pylint.
-py-version=3.12
+py-version=3.13
 
 # Discover python modules and packages in the file system subtree.
 recursive=no
@@ -99,10 +104,6 @@ recursive=no
 # source root.
 source-roots=
 
-# When enabled, pylint would attempt to guess common misconfiguration and emit
-# user-friendly hints instead of false-positive error messages.
-suggestion-mode=yes
-
 # Allow loading of arbitrary C extensions. Extensions are imported into the
 # active Python interpreter and may run arbitrary code.
 unsafe-load-any-extension=no
@@ -229,6 +230,11 @@ name-group=
 # not require a docstring.
 no-docstring-rgx=^_
 
+# Regular expression matching correct parameter specification variable names.
+# If left empty, parameter specification variable names will be checked with
+# the set naming style.
+#paramspec-rgx=
+
 # List of decorators that produce properties, such as abc.abstractproperty. Add
 # to this list to register other decorators that produce valid properties.
 # These decorators are taken in consideration only for invalid-name.
@@ -242,6 +248,10 @@ property-classes=abc.abstractproperty
 # variable names will be checked with the set naming style.
 #typevar-rgx=
 
+# Regular expression matching correct type variable tuple names. If left empty,
+# type variable tuple names will be checked with the set naming style.
+#typevartuple-rgx=
+
 # Naming style matching correct variable names.
 variable-naming-style=snake_case
 
@@ -302,6 +312,9 @@ max-locals=15
 # Maximum number of parents for a class (see R0901).
 max-parents=7
 
+# Maximum number of positional arguments for function / method.
+max-positional-arguments=5
+
 # Maximum number of public methods for a class (see R0904).
 max-public-methods=20
 
@@ -336,7 +349,9 @@ indent-after-paren=4
 # tab).
 indent-string='    '
 
-# Maximum number of characters on a single line.
+# Maximum number of characters on a single line. Pylint's default of 100 is
+# based on PEP 8's guidance that teams may choose line lengths up to 99
+# characters.
 max-line-length=120
 
 # Maximum number of lines in a module.
@@ -448,6 +463,9 @@ timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.
 
 [MISCELLANEOUS]
 
+# Whether or not to search for fixme's in docstrings.
+check-fixme-in-docstring=no
+
 # List of note tags to take in consideration, separated by a comma.
 notes=FIXME,
       XXX,
@@ -468,6 +486,11 @@ max-nested-blocks=5
 # printed.
 never-returning-functions=sys.exit,argparse.parse_error
 
+# Let 'consider-using-join' be raised when the separator to join on would be
+# non-empty (resulting in expected fixes of the type: ``"- " + " -
+# ".join(items)``)
+suggest-join-with-non-empty-separator=yes
+
 
 [REPORTS]
 
@@ -482,10 +505,10 @@ evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor
 # used to format the message information. See doc for all details.
 msg-template=
 
-# Set the output format. Available formats are: text, parseable, colorized,
-# json2 (improved json format), json (old json format) and msvs (visual
-# studio). You can also give a reporter class, e.g.
-# mypackage.mymodule.MyReporterClass.
+# Set the output format. Available formats are: 'text', 'parseable',
+# 'colorized', 'json2' (improved json format), 'json' (old json format), msvs
+# (visual studio) and 'github' (GitHub actions). You can also give a reporter
+# class, e.g. mypackage.mymodule.MyReporterClass.
 #output-format=
 
 # Tells whether to display a full report or only the messages.
@@ -587,7 +610,7 @@ ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace
 # of finding the hint is based on edit distance.
 missing-member-hint=yes
 
-# The minimum edit distance a name should have in order to be considered a
+# The maximum edit distance a name should have in order to be considered a
 # similar match for a missing member name.
 missing-member-hint-distance=1
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.11-alpine3.22@sha256:9b8808206f4a956130546a32cbdd8633bc973b19db2923b7298e6f90cc26db08 AS base
+FROM python:3.13.10-alpine3.23@sha256:65fe04ddc51a8ccbf14ecb882903251e4a124914673001b03c393eb65dd9502a AS base
 
 # Install python-ldap system dependencies
 RUN apk add --no-cache build-base openldap-dev