oidc-fastapi-test/src/oidc_test/settings.py

from os import environ
import string
import random
from typing import Type, Tuple, Any
from pathlib import Path
import logging

from jwt import decode
from pydantic import BaseModel, computed_field, AnyUrl
from pydantic_settings import (
    BaseSettings,
    SettingsConfigDict,
    PydanticBaseSettingsSource,
    YamlConfigSettingsSource,
)
from starlette.requests import Request

from .models import User

logger = logging.getLogger("oidc-test")


class Resource(BaseModel):
    """A resource with an URL that can be accessed with an OAuth2 access token"""

    id: str
    name: str


class OIDCProvider(BaseModel):
    """OIDC provider, can also be a resource server"""

    id: str
    name: str
    url: str
    client_id: str
    client_secret: str = ""
    # For PKCE (not implemented yet)
    code_challenge_method: str | None = None
    hint: str = "No hint"
    resources: list[Resource] = []
    account_url_template: str | None = None
    info_url: str | None = (
        None  # Used eg. for Keycloak's public key (see https://stackoverflow.com/questions/54318633/getting-keycloaks-public-key)
    )
    info: dict[str, str | int] | None = None  # Info fetched from info_url, eg. public key
    public_key: str | None = None
    signature_alg: str = "RS256"
    resource_provider_scopes: list[str] = []

    @computed_field
    @property
    def openid_configuration(self) -> str:
        return self.url + "/.well-known/openid-configuration"

    @computed_field
    @property
    def token_url(self) -> str:
        return "auth/" + self.id

    def get_account_url(self, request: Request, user: User) -> str | None:
        if self.account_url_template:
            if not (self.url.endswith("/") or self.account_url_template.startswith("/")):
                sep = "/"
            else:
                sep = ""
            return self.url + sep + self.account_url_template.format(request=request, user=user)
        else:
            return None

    def get_public_key(self) -> str:
        """Return the public key formatted for decoding token"""
        public_key = self.public_key or (self.info is not None and self.info["public_key"])
        if public_key is None:
            raise AttributeError(f"Cannot get public key for {self.name}")
        return f"""
        -----BEGIN PUBLIC KEY-----
        {public_key}
        -----END PUBLIC KEY-----
        """

    def decode(self, token: str, verify_signature: bool = True) -> dict[str, Any]:
        """Decode the token with signature check"""
        if settings.debug_token:
            decoded = decode(
                token,
                self.get_public_key(),
                algorithms=[self.signature_alg],
                audience=["account", "oidc-test", "oidc-test-web"],
                options={
                    "verify_signature": False,
                    "verify_aud": False,
                },  # not settings.insecure.skip_verify_signature},
            )
            logger.debug(str(decoded))
        return decode(
            token,
            self.get_public_key(),
            algorithms=[self.signature_alg],
            audience=["account", "oidc-test", "oidc-test-web"],
            options={
                "verify_signature": verify_signature,
            },  # not settings.insecure.skip_verify_signature},
        )


class ResourceProvider(BaseModel):
    id: str
    name: str
    base_url: AnyUrl
    resources: list[Resource] = []


class OIDCSettings(BaseModel):
    show_session_details: bool = False
    providers: list[OIDCProvider] = []
    swagger_provider: str = ""


class Insecure(BaseModel):
    """Warning: changing these defaults are only suitable for debugging"""

    skip_verify_signature: bool = False


class Settings(BaseSettings):
    """Settings wil be read from an .env file"""

    model_config = SettingsConfigDict(env_nested_delimiter="__")

    oidc: OIDCSettings = OIDCSettings()
    resource_providers: list[ResourceProvider] = []
    secret_key: str = "".join(random.choice(string.ascii_letters) for _ in range(16))
    log: bool = False
    insecure: Insecure = Insecure()
    cors_origins: list[str] = []
    debug_token: bool = False
    show_token: bool = False

    @classmethod
    def settings_customise_sources(
        cls,
        settings_cls: Type[BaseSettings],
        init_settings: PydanticBaseSettingsSource,
        env_settings: PydanticBaseSettingsSource,
        dotenv_settings: PydanticBaseSettingsSource,
        file_secret_settings: PydanticBaseSettingsSource,
    ) -> Tuple[PydanticBaseSettingsSource, ...]:
        return (
            init_settings,
            env_settings,
            file_secret_settings,
            YamlConfigSettingsSource(
                settings_cls,
                Path(
                    Path(
                        environ.get("OIDC_TEST_SETTINGS_FILE", Path.cwd() / "settings.yaml"),
                    )
                ),
            ),
            dotenv_settings,
        )


settings = Settings()


oidc_providers_settings: dict[str, OIDCProvider] = dict(
    [(provider.id, provider) for provider in settings.oidc.providers]
)
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`from os import environ`
Refactor 2025-01-02 11:23:53 +01:00			`import string`
			`import random`
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00			`from typing import Type, Tuple, Any`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`from pathlib import Path`
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00			`import logging`
Refactor 2025-01-02 11:23:53 +01:00
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`from jwt import decode`
Add resource provider settings 2025-01-20 04:35:33 +01:00			`from pydantic import BaseModel, computed_field, AnyUrl`
Refactor 2025-01-02 11:23:53 +01:00			`from pydantic_settings import (`
			`BaseSettings,`
Add basic test 2025-01-10 19:18:57 +01:00			`SettingsConfigDict,`
Refactor 2025-01-02 11:23:53 +01:00			`PydanticBaseSettingsSource,`
			`YamlConfigSettingsSource,`
			`)`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`from starlette.requests import Request`

			`from .models import User`
Refactor 2025-01-02 11:23:53 +01:00
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00			`logger = logging.getLogger("oidc-test")`

Refactor 2025-01-02 11:23:53 +01:00
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`class Resource(BaseModel):`
			`"""A resource with an URL that can be accessed with an OAuth2 access token"""`

List of resources for OIDC providers 2025-01-19 14:26:54 +01:00			`id: str`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`name: str`


Refactor 2025-01-02 11:23:53 +01:00			`class OIDCProvider(BaseModel):`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`"""OIDC provider, can also be a resource server"""`

Add provider id field, relaxing name 2025-01-10 00:09:12 +01:00			`id: str`
			`name: str`
			`url: str`
			`client_id: str`
Refactor 2025-01-02 11:23:53 +01:00			`client_secret: str = ""`
Cosmetic 2025-01-16 05:43:26 +01:00			`# For PKCE (not implemented yet)`
Remove OAuthToken from db (use authlib dict); basic OAuth2 service provider with Forgejo 2025-01-18 06:20:44 +01:00			`code_challenge_method: str \| None = None`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`hint: str = "No hint"`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`resources: list[Resource] = []`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`account_url_template: str \| None = None`
Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`info_url: str \| None = (`
			`None # Used eg. for Keycloak's public key (see https://stackoverflow.com/questions/54318633/getting-keycloaks-public-key)`
			`)`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`info: dict[str, str \| int] \| None = None # Info fetched from info_url, eg. public key`
Fetch provider info at boot time: get public key from there instead of in settings 2025-01-29 14:03:33 +01:00			`public_key: str \| None = None`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`signature_alg: str = "RS256"`
Add self resouce provider 2025-02-04 02:27:32 +01:00			`resource_provider_scopes: list[str] = []`
Refactor 2025-01-02 11:23:53 +01:00
			`@computed_field`
			`@property`
Container, bug fixes 2025-01-09 23:41:32 +01:00			`def openid_configuration(self) -> str:`
Refactor 2025-01-02 11:23:53 +01:00			`return self.url + "/.well-known/openid-configuration"`

			`@computed_field`
			`@property`
			`def token_url(self) -> str:`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`return "auth/" + self.id`
Refactor 2025-01-02 11:23:53 +01:00
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`def get_account_url(self, request: Request, user: User) -> str \| None:`
			`if self.account_url_template:`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`if not (self.url.endswith("/") or self.account_url_template.startswith("/")):`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`sep = "/"`
			`else:`
			`sep = ""`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`return self.url + sep + self.account_url_template.format(request=request, user=user)`
Add user self-care link & setting for supporting providers 2025-01-26 19:08:49 +01:00			`else:`
			`return None`

Decode access token, refactor 2025-02-02 15:54:44 +01:00			`def get_public_key(self) -> str:`
Fetch provider info at boot time: get public key from there instead of in settings 2025-01-29 14:03:33 +01:00			`"""Return the public key formatted for decoding token"""`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`public_key = self.public_key or (self.info is not None and self.info["public_key"])`
Fetch provider info at boot time: get public key from there instead of in settings 2025-01-29 14:03:33 +01:00			`if public_key is None:`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`raise AttributeError(f"Cannot get public key for {self.name}")`
Add resource provider 2025-01-28 19:48:35 +01:00			`return f"""`
			`-----BEGIN PUBLIC KEY-----`
Fetch provider info at boot time: get public key from there instead of in settings 2025-01-29 14:03:33 +01:00			`{public_key}`
Add resource provider 2025-01-28 19:48:35 +01:00			`-----END PUBLIC KEY-----`
			`"""`
Refactor 2025-01-02 11:23:53 +01:00
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00			`def decode(self, token: str, verify_signature: bool = True) -> dict[str, Any]:`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`"""Decode the token with signature check"""`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`if settings.debug_token:`
			`decoded = decode(`
			`token,`
			`self.get_public_key(),`
			`algorithms=[self.signature_alg],`
			`audience=["account", "oidc-test", "oidc-test-web"],`
			`options={`
			`"verify_signature": False,`
			`"verify_aud": False,`
			`}, # not settings.insecure.skip_verify_signature},`
			`)`
			`logger.debug(str(decoded))`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`return decode(`
			`token,`
			`self.get_public_key(),`
			`algorithms=[self.signature_alg],`
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00			`audience=["account", "oidc-test", "oidc-test-web"],`
			`options={`
			`"verify_signature": verify_signature,`
			`}, # not settings.insecure.skip_verify_signature},`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`)`

Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00
Cleanup 2025-01-20 01:16:17 +01:00			`class ResourceProvider(BaseModel):`
			`id: str`
			`name: str`
Add resource provider settings 2025-01-20 04:35:33 +01:00			`base_url: AnyUrl`
Cleanup 2025-01-20 01:16:17 +01:00			`resources: list[Resource] = []`


Refactor 2025-01-02 11:23:53 +01:00			`class OIDCSettings(BaseModel):`
			`show_session_details: bool = False`
			`providers: list[OIDCProvider] = []`
			`swagger_provider: str = ""`


Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`class Insecure(BaseModel):`
			`"""Warning: changing these defaults are only suitable for debugging"""`

			`skip_verify_signature: bool = False`


Refactor 2025-01-02 11:23:53 +01:00			`class Settings(BaseSettings):`
			`"""Settings wil be read from an .env file"""`

Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`model_config = SettingsConfigDict(env_nested_delimiter="__")`

Refactor 2025-01-02 11:23:53 +01:00			`oidc: OIDCSettings = OIDCSettings()`
Add resource provider settings 2025-01-20 04:35:33 +01:00			`resource_providers: list[ResourceProvider] = []`
Refactor 2025-01-02 11:23:53 +01:00			`secret_key: str = "".join(random.choice(string.ascii_letters) for _ in range(16))`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`log: bool = False`
Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`insecure: Insecure = Insecure()`
Add cors origins setting 2025-01-31 00:12:50 +01:00			`cors_origins: list[str] = []`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`debug_token: bool = False`
Display full token info 2025-02-08 01:55:36 +01:00			`show_token: bool = False`
Refactor 2025-01-02 11:23:53 +01:00
			`@classmethod`
			`def settings_customise_sources(`
			`cls,`
			`settings_cls: Type[BaseSettings],`
			`init_settings: PydanticBaseSettingsSource,`
			`env_settings: PydanticBaseSettingsSource,`
			`dotenv_settings: PydanticBaseSettingsSource,`
			`file_secret_settings: PydanticBaseSettingsSource,`
			`) -> Tuple[PydanticBaseSettingsSource, ...]:`
			`return (`
			`init_settings,`
			`env_settings,`
			`file_secret_settings,`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`YamlConfigSettingsSource(`
			`settings_cls,`
			`Path(`
			`Path(`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`environ.get("OIDC_TEST_SETTINGS_FILE", Path.cwd() / "settings.yaml"),`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`)`
			`),`
			`),`
Refactor 2025-01-02 11:23:53 +01:00			`dotenv_settings,`
			`)`


			`settings = Settings()`
Get roles from access token, remove user info inspection, refreactorings 2025-02-06 13:30:35 +01:00

			`oidc_providers_settings: dict[str, OIDCProvider] = dict(`
			`[(provider.id, provider) for provider in settings.oidc.providers]`
			`)`