[DOP-29537] added OAuth2GatewayProvider

Author: Marat Akhmetov

docs/changelog/next_release/283.feature.rst

@@ -0,0 +1,2 @@
+Added OAuth2GatewayProvide
+-- by :github:user:`marashka`

syncmaster/server/providers/auth/__init__.py

@@ -3,9 +3,8 @@
 from syncmaster.server.providers.auth.base_provider import AuthProvider
 from syncmaster.server.providers.auth.dummy_provider import DummyAuthProvider
 from syncmaster.server.providers.auth.keycloak_provider import KeycloakAuthProvider
+from syncmaster.server.providers.auth.oauth2_gateway_provider import (
+    OAuth2GatewayProvider,
+)
 
-__all__ = [
-    "AuthProvider",
-    "DummyAuthProvider",
-    "KeycloakAuthProvider",
-]
+__all__ = ["AuthProvider", "DummyAuthProvider", "KeycloakAuthProvider", "OAuth2GatewayProvider"]

syncmaster/server/providers/auth/dummy_provider.py

@@ -107,7 +107,7 @@ async def get_token_authorization_code_grant(
         client_id: str | None = None,
         client_secret: str | None = None,
     ) -> dict[str, Any]:
-        raise NotImplementedError("Authorization code grant is not supported by DummyAuthProvider")
+        raise NotImplementedError(f"Authorization code grant is not supported by {self.__class__.__name__}.")
 
     async def logout(self, user: User, refresh_token: str | None) -> None:
-        raise NotImplementedError("Logout is not supported by DummyAuthProvider")
+        raise NotImplementedError(f"Logout is not supported by {self.__class__.__name__}.")

syncmaster/server/providers/auth/keycloak_provider.py

@@ -52,7 +52,7 @@ async def get_token_password_grant(
         client_id: str | None = None,
         client_secret: str | None = None,
     ) -> dict[str, Any]:
-        raise NotImplementedError("Password grant is not supported by KeycloakAuthProvider.")
+        raise NotImplementedError(f"Password grant is not supported by {self.__class__.__name__}.")
 
     async def get_token_authorization_code_grant(
         self,

syncmaster/server/providers/auth/oauth2_gateway_provider.py

@@ -0,0 +1,67 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+import logging
+from typing import Any
+
+from fastapi import Request
+
+from syncmaster.db.models import User
+from syncmaster.exceptions import EntityNotFoundError
+from syncmaster.exceptions.auth import AuthorizationError
+from syncmaster.server.providers.auth.keycloak_provider import (
+    KeycloakAuthProvider,
+    KeycloakOperationError,
+)
+
+log = logging.getLogger(__name__)
+
+
+class OAuth2GatewayProvider(KeycloakAuthProvider):
+    async def get_current_user(self, access_token: str | None, request: Request) -> User:  # noqa: WPS231, WPS217
+
+        if not access_token:
+            log.debug("No access token found in request")
+            raise AuthorizationError("Missing auth credentials")
+
+        try:
+            token_info = await self.keycloak_openid.a_introspect(access_token)
+        except KeycloakOperationError as e:
+            log.info("Failed to introspect token: %s", e)
+            raise AuthorizationError("Invalid token payload")
+
+        if token_info["active"] is False:
+            raise AuthorizationError("Token is not active")
+
+        # these names are hardcoded in keycloak:
+        # https://github.com/keycloak/keycloak/blob/3ca3a4ad349b4d457f6829eaf2ae05f1e01408be/core/src/main/java/org/keycloak/representations/IDToken.java
+        # TODO: make sure which fields are guaranteed
+        login = token_info["preferred_username"]
+        email = token_info.get("email")
+        first_name = token_info.get("given_name")
+        middle_name = token_info.get("middle_name")
+        last_name = token_info.get("family_name")
+
+        async with self._uow:
+            try:
+                user = await self._uow.user.read_by_username(login)
+            except EntityNotFoundError:
+                user = await self._uow.user.create(
+                    username=login,
+                    email=email,
+                    first_name=first_name,
+                    middle_name=middle_name,
+                    last_name=last_name,
+                )
+        return user
+
+    async def get_token_authorization_code_grant(
+        self,
+        code: str,
+        scopes: list[str] | None = None,
+        client_id: str | None = None,
+        client_secret: str | None = None,
+    ) -> dict[str, Any]:
+        raise NotImplementedError(f"Authorization code grant is not supported by {self.__class__.__name__}.")
+
+    async def logout(self, user: User, refresh_token: str | None) -> None:
+        raise NotImplementedError(f"Logout is not supported by {self.__class__.__name__}.")

tests/test_unit/test_auth/auth_fixtures/__init__.py

@@ -1,6 +1,7 @@
 from tests.test_unit.test_auth.auth_fixtures.keycloak_fixture import (
     create_session_cookie,
     mock_keycloak_api,
+    mock_keycloak_introspect_token,
     mock_keycloak_logout,
     mock_keycloak_realm,
     mock_keycloak_token_refresh,

tests/test_unit/test_auth/auth_fixtures/keycloak_fixture.py

@@ -181,3 +181,30 @@ def mock_keycloak_logout(settings, mock_keycloak_api):
     logout_url = f"{realm_url}/protocol/openid-connect/logout"
 
     mock_keycloak_api.post(logout_url).respond(status_code=204)
+
+
+@pytest.fixture
+def mock_keycloak_introspect_token(settings, mock_keycloak_api):
+    def _mock_keycloak_introspect_token(user):
+        keycloak_settings = settings.auth.model_dump()["keycloak"]
+        server_url = keycloak_settings["server_url"]
+        realm_name = keycloak_settings["client_id"]
+        realm_url = f"{server_url}/realms/{realm_name}"
+
+        payload = {
+            "preferred_username": user.username,
+            "email": user.email,
+            "given_name": user.first_name,
+            "middle_name": user.middle_name,
+            "family_name": user.last_name,
+            "active": user.is_active,
+        }
+        introspect_url = f"{realm_url}/protocol/openid-connect/token/introspect"
+
+        mock_keycloak_api.post(introspect_url).respond(
+            json=payload,
+            status_code=200,
+            content_type="application/json",
+        )
+
+    return _mock_keycloak_introspect_token

tests/test_unit/test_auth/test_oauth2_gateway.py

@@ -0,0 +1,76 @@
+import pytest
+from httpx import AsyncClient
+
+from syncmaster.server.settings import ServerAppSettings as Settings
+from tests.mocks import MockUser
+
+OAuth2GatewayProvider = "syncmaster.server.providers.auth.oauth2_gateway_provider.OAuth2GatewayProvider"
+pytestmark = [pytest.mark.asyncio, pytest.mark.server]
+
+
+@pytest.mark.parametrize(
+    "settings",
+    [
+        {
+            "auth": {
+                "provider": OAuth2GatewayProvider,
+            },
+        },
+    ],
+    indirect=True,
+)
+async def test_get_keycloak_token_active(
+    client: AsyncClient,
+    simple_user: MockUser,
+    settings: Settings,
+    mock_keycloak_introspect_token,
+):
+
+    mock_keycloak_introspect_token(simple_user)
+
+    headers = {
+        "Authorization": "Bearer token",
+    }
+    response = await client.get(
+        f"/v1/users/{simple_user.id}",
+        headers=headers,
+    )
+
+    assert response.status_code == 200, response.json()
+    assert response.json() == {
+        "id": simple_user.id,
+        "is_superuser": simple_user.is_superuser,
+        "username": simple_user.username,
+    }
+
+
+@pytest.mark.parametrize(
+    "settings",
+    [
+        {
+            "auth": {
+                "provider": OAuth2GatewayProvider,
+            },
+        },
+    ],
+    indirect=True,
+)
+async def test_get_keycloak_token_inactive(
+    client: AsyncClient,
+    simple_user: MockUser,
+    inactive_user: MockUser,
+    settings: Settings,
+    mock_keycloak_introspect_token,
+):
+    mock_keycloak_introspect_token(inactive_user)
+
+    headers = {
+        "Authorization": "Bearer token",
+    }
+
+    response = await client.get(
+        f"/v1/users/{simple_user.id}",
+        headers=headers,
+    )
+    assert response.status_code == 401, response.json()
+    assert response.json() == {"error": {"code": "unauthorized", "details": None, "message": "Not authenticated"}}