oidc-fastapi-test/src/oidc_test/settings.py

from os import environ
import string
import random
from typing import Type, Tuple
from pathlib import Path

from pydantic import BaseModel, computed_field, AnyUrl
from pydantic_settings import (
    BaseSettings,
    SettingsConfigDict,
    PydanticBaseSettingsSource,
    YamlConfigSettingsSource,
)
from starlette.requests import Request


class Resource(BaseModel):
    """A resource with an URL that can be accessed with an OAuth2 access token"""

    resource_name: str
    name: str
    url: str


class AuthProviderSettings(BaseModel):
    """Auth provider, can also be a resource server"""

    id: str
    name: str
    url: str
    client_id: str
    client_secret: str = ""
    # For PKCE (not implemented yet)
    code_challenge_method: str | None = None
    hint: str = "No hint"
    resources: list[Resource] = []
    account_url_template: str | None = None
    info_url: str | None = (
        None  # Used eg. for Keycloak's public key (see https://stackoverflow.com/questions/54318633/getting-keycloaks-public-key)
    )
    public_key: str | None = None
    public_key_url: str | None = None
    signature_alg: str = "RS256"
    resource_provider_scopes: list[str] = []
    session_key: str = "sid"
    skip_verify_signature: bool = True
    disabled: bool = False

    @computed_field
    @property
    def openid_configuration(self) -> str:
        return self.url + "/.well-known/openid-configuration"

    @computed_field
    @property
    def token_url(self) -> str:
        return "auth/" + self.id

    def get_account_url(self, request: Request, user: dict) -> str | None:
        if self.account_url_template:
            if not (self.url.endswith("/") or self.account_url_template.startswith("/")):
                sep = "/"
            else:
                sep = ""
            return self.url + sep + self.account_url_template.format(request=request, user=user)
        else:
            return None


class ResourceProvider(BaseModel):
    id: str
    name: str
    base_url: AnyUrl
    resources: list[Resource] = []


class AuthSettings(BaseModel):
    show_session_details: bool = False
    providers: list[AuthProviderSettings] = []
    swagger_provider: str = ""


class Insecure(BaseModel):
    """Warning: changing these defaults are only suitable for debugging"""

    skip_verify_signature: bool = False


class DB(BaseModel):
    host: str = "localhost"
    port: int = 5432
    db: str = "oidc-test"
    user: str = "oidc-test"
    password: str = "oidc-test"
    debug: bool = False
    pool_size: int = 10
    max_overflow: int = 10
    echo: bool = False

    @property
    def sqla_url(self):
        return (
            f"postgresql+asyncpg://{self.user}:{self.password}@{self.host}:{self.port}/{self.db}"
        )

    def get_pg_url(self):
        return f"postgresql://{self.user}:{self.password}@{self.host}:{self.port}/{self.db}"


class Settings(BaseSettings):
    """Settings wil be read from an .env file"""

    model_config = SettingsConfigDict(env_nested_delimiter="__")

    auth: AuthSettings = AuthSettings()
    resource_providers: list[ResourceProvider] = []
    secret_key: str = "".join(random.choice(string.ascii_letters) for _ in range(16))
    log: bool = False
    insecure: Insecure = Insecure()
    db: DB = DB()
    cors_origins: list[str] = []
    debug_token: bool = False
    show_token: bool = False

    @classmethod
    def settings_customise_sources(
        cls,
        settings_cls: Type[BaseSettings],
        init_settings: PydanticBaseSettingsSource,
        env_settings: PydanticBaseSettingsSource,
        dotenv_settings: PydanticBaseSettingsSource,
        file_secret_settings: PydanticBaseSettingsSource,
    ) -> Tuple[PydanticBaseSettingsSource, ...]:
        return (
            init_settings,
            env_settings,
            file_secret_settings,
            YamlConfigSettingsSource(
                settings_cls,
                Path(
                    Path(
                        environ.get("OIDC_TEST_SETTINGS_FILE", Path.cwd() / "settings.yaml"),
                    )
                ),
            ),
            dotenv_settings,
        )


settings = Settings()
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`from os import environ`
Refactor 2025-01-02 11:23:53 +01:00			`import string`
			`import random`
Refactor most code, isolate authlib somehow 2025-02-09 06:20:48 +01:00			`from typing import Type, Tuple`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`from pathlib import Path`
Refactor 2025-01-02 11:23:53 +01:00
Add resource provider settings 2025-01-20 04:35:33 +01:00			`from pydantic import BaseModel, computed_field, AnyUrl`
Refactor 2025-01-02 11:23:53 +01:00			`from pydantic_settings import (`
			`BaseSettings,`
Add basic test 2025-01-10 19:18:57 +01:00			`SettingsConfigDict,`
Refactor 2025-01-02 11:23:53 +01:00			`PydanticBaseSettingsSource,`
			`YamlConfigSettingsSource,`
			`)`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`from starlette.requests import Request`

Refactor 2025-01-02 11:23:53 +01:00
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`class Resource(BaseModel):`
			`"""A resource with an URL that can be accessed with an OAuth2 access token"""`

Add resource provided registry and plugin system 2025-02-11 17:27:49 +01:00			`resource_name: str`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`name: str`
Continue refactor; fetch resources from the providers' settings 2025-02-10 02:05:34 +01:00			`url: str`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00

Refactor most code, isolate authlib somehow 2025-02-09 06:20:48 +01:00			`class AuthProviderSettings(BaseModel):`
			`"""Auth provider, can also be a resource server"""`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00
Add provider id field, relaxing name 2025-01-10 00:09:12 +01:00			`id: str`
			`name: str`
			`url: str`
			`client_id: str`
Refactor 2025-01-02 11:23:53 +01:00			`client_secret: str = ""`
Cosmetic 2025-01-16 05:43:26 +01:00			`# For PKCE (not implemented yet)`
Remove OAuthToken from db (use authlib dict); basic OAuth2 service provider with Forgejo 2025-01-18 06:20:44 +01:00			`code_challenge_method: str \| None = None`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`hint: str = "No hint"`
Refactor; add services in settings 2025-01-19 01:48:00 +01:00			`resources: list[Resource] = []`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`account_url_template: str \| None = None`
Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`info_url: str \| None = (`
			`None # Used eg. for Keycloak's public key (see https://stackoverflow.com/questions/54318633/getting-keycloaks-public-key)`
			`)`
Fetch provider info at boot time: get public key from there instead of in settings 2025-01-29 14:03:33 +01:00			`public_key: str \| None = None`
Continue refactor; fetch resources from the providers' settings 2025-02-10 02:05:34 +01:00			`public_key_url: str \| None = None`
Decode access token, refactor 2025-02-02 15:54:44 +01:00			`signature_alg: str = "RS256"`
Add self resouce provider 2025-02-04 02:27:32 +01:00			`resource_provider_scopes: list[str] = []`
Continue refactor; fetch resources from the providers' settings 2025-02-10 02:05:34 +01:00			`session_key: str = "sid"`
			`skip_verify_signature: bool = True`
Add role protection to resource servers, remove hardcoded resources 2025-02-13 18:15:26 +01:00			`disabled: bool = False`
Refactor 2025-01-02 11:23:53 +01:00
			`@computed_field`
			`@property`
Container, bug fixes 2025-01-09 23:41:32 +01:00			`def openid_configuration(self) -> str:`
Refactor 2025-01-02 11:23:53 +01:00			`return self.url + "/.well-known/openid-configuration"`

			`@computed_field`
			`@property`
			`def token_url(self) -> str:`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`return "auth/" + self.id`
Refactor 2025-01-02 11:23:53 +01:00
Continue refactor 2025-02-10 14:14:32 +01:00			`def get_account_url(self, request: Request, user: dict) -> str \| None:`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`if self.account_url_template:`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`if not (self.url.endswith("/") or self.account_url_template.startswith("/")):`
Fix account url, use template for settings 2025-01-26 23:37:56 +01:00			`sep = "/"`
			`else:`
			`sep = ""`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`return self.url + sep + self.account_url_template.format(request=request, user=user)`
Add user self-care link & setting for supporting providers 2025-01-26 19:08:49 +01:00			`else:`
			`return None`

Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00
Cleanup 2025-01-20 01:16:17 +01:00			`class ResourceProvider(BaseModel):`
			`id: str`
			`name: str`
Add resource provider settings 2025-01-20 04:35:33 +01:00			`base_url: AnyUrl`
Cleanup 2025-01-20 01:16:17 +01:00			`resources: list[Resource] = []`


Refactor most code, isolate authlib somehow 2025-02-09 06:20:48 +01:00			`class AuthSettings(BaseModel):`
Refactor 2025-01-02 11:23:53 +01:00			`show_session_details: bool = False`
Refactor most code, isolate authlib somehow 2025-02-09 06:20:48 +01:00			`providers: list[AuthProviderSettings] = []`
Refactor 2025-01-02 11:23:53 +01:00			`swagger_provider: str = ""`


Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`class Insecure(BaseModel):`
			`"""Warning: changing these defaults are only suitable for debugging"""`

			`skip_verify_signature: bool = False`


Add postgres db (messy) 2025-02-17 02:42:38 +01:00			`class DB(BaseModel):`
			`host: str = "localhost"`
			`port: int = 5432`
			`db: str = "oidc-test"`
			`user: str = "oidc-test"`
			`password: str = "oidc-test"`
			`debug: bool = False`
			`pool_size: int = 10`
			`max_overflow: int = 10`
			`echo: bool = False`

			`@property`
			`def sqla_url(self):`
			`return (`
			`f"postgresql+asyncpg://{self.user}:{self.password}@{self.host}:{self.port}/{self.db}"`
			`)`

			`def get_pg_url(self):`
			`return f"postgresql://{self.user}:{self.password}@{self.host}:{self.port}/{self.db}"`


Refactor 2025-01-02 11:23:53 +01:00			`class Settings(BaseSettings):`
			`"""Settings wil be read from an .env file"""`

Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`model_config = SettingsConfigDict(env_nested_delimiter="__")`

Refactor most code, isolate authlib somehow 2025-02-09 06:20:48 +01:00			`auth: AuthSettings = AuthSettings()`
Add resource provider settings 2025-01-20 04:35:33 +01:00			`resource_providers: list[ResourceProvider] = []`
Refactor 2025-01-02 11:23:53 +01:00			`secret_key: str = "".join(random.choice(string.ascii_letters) for _ in range(16))`
Get more user info from provider's userinfo endpoint 2025-01-13 05:37:55 +01:00			`log: bool = False`
Resource server: read the required scope in access token 2025-01-30 20:40:04 +01:00			`insecure: Insecure = Insecure()`
Add postgres db (messy) 2025-02-17 02:42:38 +01:00			`db: DB = DB()`
Add cors origins setting 2025-01-31 00:12:50 +01:00			`cors_origins: list[str] = []`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`debug_token: bool = False`
Display full token info 2025-02-08 01:55:36 +01:00			`show_token: bool = False`
Refactor 2025-01-02 11:23:53 +01:00
			`@classmethod`
			`def settings_customise_sources(`
			`cls,`
			`settings_cls: Type[BaseSettings],`
			`init_settings: PydanticBaseSettingsSource,`
			`env_settings: PydanticBaseSettingsSource,`
			`dotenv_settings: PydanticBaseSettingsSource,`
			`file_secret_settings: PydanticBaseSettingsSource,`
			`) -> Tuple[PydanticBaseSettingsSource, ...]:`
			`return (`
			`init_settings,`
			`env_settings,`
			`file_secret_settings,`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`YamlConfigSettingsSource(`
			`settings_cls,`
			`Path(`
			`Path(`
Migrate all resources to json contents; improve token decoding & logging error messages 2025-02-07 16:09:49 +01:00			`environ.get("OIDC_TEST_SETTINGS_FILE", Path.cwd() / "settings.yaml"),`
Run container with uvicorn, move templates for packaging, add systemd config for container deployment, add OIDC_TEST_SETTINGS_FILE env var for setting, misc fixes 2025-01-10 17:33:10 +01:00			`)`
			`),`
			`),`
Refactor 2025-01-02 11:23:53 +01:00			`dotenv_settings,`
			`)`


			`settings = Settings()`