diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml deleted file mode 100644 index 352a0a9..0000000 --- a/.forgejo/workflows/build.yaml +++ /dev/null @@ -1,93 +0,0 @@ -on: - push: - workflow_dispatch: - inputs: - verbose: - description: "Verbose" - required: false - default: false - type: boolean - -jobs: - build: - runs-on: container - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install the latest version of uv - uses: astral-sh/setup-uv@v4 - with: - version: "0.5.16" - - - name: Install - run: uv sync - - - name: Run tests (API call) - run: .venv/bin/pytest -s tests/basic.py - - - name: Get version with git describe - id: version - run: | - echo "version=$(git describe)" >> $GITHUB_OUTPUT - echo "$VERSION" - - - name: Check if the container should be built - id: builder - env: - RUN: ${{ toJSON(inputs.build || !contains(steps.version.outputs.version, '-')) }} - run: | - echo "run=$RUN" >> $GITHUB_OUTPUT - echo "Run build: $RUN" - - - name: Set the version in pyproject.toml (workaround for uv not supporting dynamic version) - if: fromJSON(steps.builder.outputs.run) - env: - VERSION: ${{ steps.version.outputs.version }} - run: sed "s/0.0.0/$VERSION/" -i pyproject.toml - - - name: Workaround for bug of podman-login - if: fromJSON(steps.builder.outputs.run) - run: | - mkdir -p $HOME/.docker - echo "{ \"auths\": {} }" > $HOME/.docker/config.json - - - name: Log in to the container registry (with another workaround) - if: fromJSON(steps.builder.outputs.run) - uses: actions/podman-login@v1 - with: - registry: ${{ vars.REGISTRY }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} - auth_file_path: /tmp/auth.json - - - name: Build the container image - if: fromJSON(steps.builder.outputs.run) - uses: actions/buildah-build@v1 - with: - image: oidc-fastapi-test - oci: true - labels: oidc-fastapi-test - tags: latest ${{ steps.version.outputs.version }} - containerfiles: | - ./Containerfile - - - name: Push the image to the registry - if: fromJSON(steps.builder.outputs.run) - uses: actions/push-to-registry@v2 - with: - registry: "docker://${{ vars.REGISTRY }}/${{ vars.ORGANISATION }}" - image: oidc-fastapi-test - tags: latest ${{ steps.version.outputs.version }} - - - name: Build wheel - if: fromJSON(steps.builder.outputs.run) - run: uv build --wheel - - - name: Publish Python package (home) - if: fromJSON(steps.builder.outputs.run) - env: - LOCAL_PYPI_TOKEN: ${{ secrets.LOCAL_PYPI_TOKEN }} - run: uv publish --publish-url https://code.philo.ydns.eu/api/packages/philorg/pypi --token $LOCAL_PYPI_TOKEN - continue-on-error: true diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml deleted file mode 100644 index a56a9ce..0000000 --- a/.forgejo/workflows/test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -on: - push: - workflow_dispatch: - inputs: - verbose: - description: "Verbose" - required: false - default: false - type: boolean - -jobs: - test: - runs-on: container - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install the latest version of uv - uses: astral-sh/setup-uv@v4 - with: - version: "0.5.16" - - - name: Install - run: uv sync - - - name: Run tests (API call) - run: .venv/bin/pytest -s tests/basic.py diff --git a/.woodpecker/build.yaml b/.woodpecker/build.yaml new file mode 100644 index 0000000..3af8132 --- /dev/null +++ b/.woodpecker/build.yaml @@ -0,0 +1,63 @@ +when: + - event: manual + - event: tag + +depends_on: + - test + +steps: + python_sync: + image: code.philo.ydns.eu/philorg/uv + volumes: + - uv-cache:/uv-cache + environment: + UV_CACHE_DIR: /uv-cache + UV_LINK_MODE: copy + commands: + - uv sync + + python_build: + image: code.philo.ydns.eu/philorg/uv + volumes: + - uv-cache:/uv-cache + environment: + UV_CACHE_DIR: /uv-cache + UV_LINK_MODE: copy + commands: + - uv build --wheel + - uv cache prune --ci + + python_publish: + image: code.philo.ydns.eu/philorg/uv + environment: + OWNER: philorg + REGISTRY_URL: https://code.philo.ydns.eu + REGISTRY_TOKEN: + from_secret: registry_token + commands: + - uv publish --publish-url $REGISTRY_URL/api/packages/$OWNER/pypi --token $REGISTRY_TOKEN dist/*.whl + failure: ignore + + container_build_publish: + image: quay.io/podman/stable:latest + # Caution: This image is built daily. It might fill up your image store quickly. + #pull: true + volumes: + - containers:/var/lib/containers + - uv:/root/.cache/uv + # Fill in the trusted checkbox in Woodpecker's settings as well + privileged: true + environment: + registry: code.philo.ydns.eu + org: philorg + container_name: oidc-fastapi-test + registry_token: + from_secret: registry_token + commands: + # Login at the registry + - podman login -u __token__ --password $registry_token $registry + # Build the container image + - podman build --volume=/var/lib/containers:/var/lib/containers --tag $registry/$org/$container_name:latest --tag $registry/$org/$container_name:$CI_COMMIT_TAG . + # Push the image + - podman push $registry/$org/$container_name:latest + - podman push $registry/$org/$container_name:$CI_COMMIT_TAG diff --git a/.woodpecker/test.yaml b/.woodpecker/test.yaml new file mode 100644 index 0000000..d8816b2 --- /dev/null +++ b/.woodpecker/test.yaml @@ -0,0 +1,21 @@ +when: + - event: push + branch: main + - event: manual + - event: tag + +steps: + sync: + image: code.philo.ydns.eu/philorg/uv + volumes: + - uv-cache:/uv-cache + environment: + UV_CACHE_DIR: /uv-cache + UV_LINK_MODE: copy + commands: + - uv sync + + test: + image: code.philo.ydns.eu/philorg/uv + commands: + - .venv/bin/pytest -s tests/basic.py diff --git a/Containerfile b/Containerfile index 2e3fd28..357cc84 100644 --- a/Containerfile +++ b/Containerfile @@ -1,6 +1,7 @@ -FROM docker.io/library/python:alpine +FROM docker.io/library/python:3.13-slim COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/ +COPY --from=docker.io/python:3.13 /usr/bin/git /usr/local/bin/git COPY . /app diff --git a/README.md b/README.md index 9e00474..c7f8741 100644 --- a/README.md +++ b/README.md @@ -52,31 +52,59 @@ given by the OIDC providers. For example: ```yaml -oidc: - secret_key: "ASecretNoOneKnows" - show_session_details: yes +secret_key: AVeryWellKeptSecret +debug_token: no +show_token: yes +log: yes + +auth: providers: - id: auth0 name: Okta / Auth0 - url: "https://" - client_id: "" - client_secret: "client_secret_generated_by_auth0" - hint: "A hint for test credentials" + url: https:// + public_key_url: https:///pem + client_id: + client_secret: client_secret_generated_by_auth0 + hint: A hint for test credentials - id: keycloak name: Keycloak at somewhere - url: "https://" - account_url_template: "/account" - client_id: "" - client_secret: "client_secret_generated_by_keycloak" - hint: "User: foo, password: foofoo" + url: https:// + info_url: https://philo.ydns.eu/auth/realms/test + account_url_template: /account + client_id: + client_secret: + hint: A hint for test credentials + code_challenge_method: S256 + resource_provider_scopes: + - get:time + - get:bs + resource_providers: + - id: + name: A third party resource provider + base_url: https://some.example.com/ + verify_ssl: yes + resources: + - name: Public RS2 + resource_name: public + url: resource/public + - name: BS RS2 + resource_name: bs + url: resource/bs + - name: Time RS2 + resource_name: time + url: resource/time - id: codeberg + disabled: no name: Codeberg - url: "https://codeberg.org" - account_url_template: "/user/settings" - client_id: "" - client_secret: "client_secret_generated_by_codeberg" + url: https://codeberg.org + account_url_template: /user/settings + client_id: + client_secret: client_secret_generated_by_codeberg + info_url: https://codeberg.org/login/oauth/keys + session_key: sub + skip_verify_signature: no resources: - name: List of repos id: repos @@ -99,3 +127,5 @@ with the setting file in the current working directory: ```sh podman run -p 8000:80 --env OIDC_TEST_CONFIG_FILE=/app/settings.yaml --mount type=bind,source=settings.yaml,destination=/app/settings.yaml code.philo.ydns.eu/philorg/oidc-fastapi-test:latest ``` + +[![status-badge](https://code.philo.ydns.eu/woodpecker/api/badges/22/status.svg)](https://code.philo.ydns.eu/woodpecker/repos/22) diff --git a/pyproject.toml b/pyproject.toml index b1e6504..c44e9f3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,7 +1,7 @@ [project] name = "oidc-fastapi-test" -version = "0.0.0" -# dynamic = ["version"] +#version = "0.0.0" +dynamic = ["version"] description = "Add your description here" readme = "README.md" requires-python = ">=3.13" @@ -24,14 +24,21 @@ dependencies = [ oidc-test = "oidc_test.main:main" [dependency-groups] -dev = ["ipdb>=0.13.13", "pytest>=8.3.4"] +dev = ["dunamai>=1.23.0", "ipdb>=0.13.13", "pytest>=8.3.4"] [build-system] -requires = ["hatchling"] +requires = ["hatchling", "uv-dynamic-versioning"] build-backend = "hatchling.build" +[tool.hatch.version] +source = "uv-dynamic-versioning" + [tool.hatch.build.targets.wheel] packages = ["src/oidc_test"] +package = true + +[tool.uv-dynamic-versioning] +style = "semver" [tool.uv] package = true diff --git a/src/oidc_test/__init__.py b/src/oidc_test/__init__.py index e69de29..f154022 100644 --- a/src/oidc_test/__init__.py +++ b/src/oidc_test/__init__.py @@ -0,0 +1,11 @@ +import importlib.metadata + +try: + from dunamai import Version, Style + + __version__ = Version.from_git().serialize(style=Style.SemVer, dirty=True) +except (ImportError, RuntimeError): + # __name__ could be used if the package name is the same + # as the directory - not the case here + # __version__ = importlib.metadata.version(__name__) + __version__ = importlib.metadata.version("oidc-fastapi-test") diff --git a/src/oidc_test/auth/provider.py b/src/oidc_test/auth/provider.py index c614805..ce288a6 100644 --- a/src/oidc_test/auth/provider.py +++ b/src/oidc_test/auth/provider.py @@ -61,28 +61,34 @@ class Provider(AuthProviderSettings): if self.info_url is not None: try: provider_info = await client.get(self.info_url) - except Exception: + except Exception as err: + logger.debug("Provider_info: cannot connect") + logger.exception(err) raise NoPublicKey try: self.info = provider_info.json() except JSONDecodeError: + logger.debug("Provider_info: cannot decode json response") raise NoPublicKey if "public_key" in self.info: # For Keycloak try: public_key = str(self.info["public_key"]) except KeyError: + logger.debug("Provider_info: cannot get public_key") raise NoPublicKey elif "keys" in self.info: # For Forgejo/Gitea try: public_key = str(self.info["keys"][0]["n"]) except KeyError: + logger.debug("Provider_info: cannot get key 0.n") raise NoPublicKey if self.public_key_url is not None: resp = await client.get(self.public_key_url) public_key = resp.text if public_key is None: + logger.debug("Provider_info: cannot determine public key") raise NoPublicKey self.public_key = "\n".join( ["-----BEGIN PUBLIC KEY-----", public_key, "-----END PUBLIC KEY-----"] diff --git a/src/oidc_test/auth/utils.py b/src/oidc_test/auth/utils.py index 7dd0e3d..c51b039 100644 --- a/src/oidc_test/auth/utils.py +++ b/src/oidc_test/auth/utils.py @@ -5,10 +5,8 @@ import logging from fastapi import HTTPException, Request, Depends, status from fastapi.security import OAuth2PasswordBearer from authlib.integrations.starlette_client import OAuth, OAuthError, StarletteOAuth2App -from jwt import ExpiredSignatureError, InvalidKeyError, DecodeError, PyJWTError - -# from authlib.oauth1.auth import OAuthToken from authlib.oauth2.rfc6749 import OAuth2Token +from jwt import ExpiredSignatureError, InvalidKeyError, DecodeError, PyJWTError from oidc_test.auth.provider import Provider from oidc_test.models import User @@ -22,7 +20,7 @@ logger = logging.getLogger("oidc-test") async def fetch_token(name, request): assert name is not None assert request is not None - logger.warn("TODO: fetch_token") + logger.warning("TODO: fetch_token") ... # if name in oidc_providers: # model = OAuth2Token @@ -34,7 +32,10 @@ async def fetch_token(name, request): async def update_token( - provider_id, token, refresh_token: str | None = None, access_token: str | None = None + provider_id, + token, + refresh_token: str | None = None, + access_token: str | None = None, ): """Update the token in the database""" provider = providers[provider_id] diff --git a/log_conf.yaml b/src/oidc_test/log_conf.yaml similarity index 100% rename from log_conf.yaml rename to src/oidc_test/log_conf.yaml diff --git a/src/oidc_test/main.py b/src/oidc_test/main.py index f930e48..e882cda 100644 --- a/src/oidc_test/main.py +++ b/src/oidc_test/main.py @@ -6,6 +6,9 @@ from typing import Annotated from pathlib import Path from datetime import datetime import logging +import logging.config +import importlib.resources +from yaml import safe_load from urllib.parse import urlencode from contextlib import asynccontextmanager @@ -26,6 +29,7 @@ from authlib.oauth2.rfc6749 import OAuth2Token # from fastapi.security import OpenIdConnect # from pkce import generate_code_verifier, generate_pkce_pair +from oidc_test import __version__ from oidc_test.registry import registry from oidc_test.auth.provider import NoPublicKey, Provider from oidc_test.auth.utils import ( @@ -46,6 +50,15 @@ from oidc_test.resource_server import resource_server logger = logging.getLogger("oidc-test") +if settings.log: + assert __package__ is not None + with ( + importlib.resources.path(__package__) as package_path, + open(package_path / settings.log_config_file) as f, + ): + logging_config = safe_load(f) + logging.config.dictConfig(logging_config) + templates = Jinja2Templates(Path(__file__).parent / "templates") @@ -96,7 +109,7 @@ async def home( "show_token": settings.show_token, "user": user, "now": datetime.now(), - "auth_provider": provider, + "__version__": __version__, } if provider is None or token is None: context["providers"] = providers @@ -105,26 +118,29 @@ async def home( context["access_token_parsed"] = None context["refresh_token_parsed"] = None context["resources"] = None + context["auth_provider"] = None else: + context["auth_provider"] = provider context["access_token"] = token["access_token"] try: access_token_parsed = provider.decode(token["access_token"], verify_signature=False) + context["access_token_parsed"] = access_token_parsed + context["access_token_scope"] = access_token_parsed.get("scope") except PyJWTError as err: - access_token_parsed = {"Cannot parse": err.__class__.__name__} - try: - context["access_token_scope"] = access_token_parsed["scope"] - except KeyError: + context["access_token_parsed"] = {"Cannot parse": err.__class__.__name__} context["access_token_scope"] = None - context["id_token_parsed"] = provider.decode(token["id_token"], verify_signature=False) - context["access_token_parsed"] = access_token_parsed - context["resources"] = registry.resources - context["resource_providers"] = provider.resource_providers try: - context["refresh_token_parsed"] = provider.decode( - token["refresh_token"], verify_signature=False - ) + id_token_parsed = provider.decode(token["id_token"], verify_signature=False) + context["id_token_parsed"] = id_token_parsed + except PyJWTError as err: + context["id_token_parsed"] = {"Cannot parse": err.__class__.__name__} + try: + refresh_token_parsed = provider.decode(token["refresh_token"], verify_signature=False) + context["refresh_token_parsed"] = refresh_token_parsed except PyJWTError as err: context["refresh_token_parsed"] = {"Cannot parse": err.__class__.__name__} + context["resources"] = registry.resources + context["resource_providers"] = provider.resource_providers return templates.TemplateResponse(name="home.html", request=request, context=context) @@ -294,7 +310,13 @@ async def refresh( refresh_token=token["refresh_token"], grant_type="refresh_token", ) - await update_token(provider.id, new_token) + try: + await update_token(provider.id, new_token) + except PyJWTError as err: + logger.info(f"Cannot refresh token: {err.__class__.__name__}") + raise HTTPException( + status.HTTP_510_NOT_EXTENDED, f"Token refresh error: {err.__class__.__name__}" + ) return RedirectResponse(url=request.url_for("home")) diff --git a/src/oidc_test/resource_server.py b/src/oidc_test/resource_server.py index a4d5368..ddc5762 100644 --- a/src/oidc_test/resource_server.py +++ b/src/oidc_test/resource_server.py @@ -1,9 +1,10 @@ from typing import Annotated, Any import logging +from json import JSONDecodeError from authlib.oauth2.rfc6749 import OAuth2Token -from httpx import AsyncClient -from jwt.exceptions import ExpiredSignatureError, InvalidTokenError +from httpx import AsyncClient, HTTPError +from jwt.exceptions import DecodeError, ExpiredSignatureError, InvalidTokenError from fastapi import FastAPI, HTTPException, Depends, Request, status from fastapi.middleware.cors import CORSMiddleware @@ -75,6 +76,7 @@ async def get_resource( resource_url = resource_provider.get_resource_url(resource_name) async with AsyncClient(verify=resource_provider.verify_ssl) as client: try: + logger.debug(f"GET request to {resource_url}") resp = await client.get( resource_url, headers={ @@ -83,6 +85,10 @@ async def get_resource( "auth_provider": user.auth_provider_id, }, ) + except HTTPError as err: + raise HTTPException( + status.HTTP_503_SERVICE_UNAVAILABLE, err.__class__.__name__ + ) except Exception as err: raise HTTPException( status.HTTP_500_INTERNAL_SERVER_ERROR, err.__class__.__name__ @@ -150,7 +156,7 @@ async def get_auth_provider_resource( ) -> ProcessResult: if token is None: raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No auth token") - access_token = token["access_token"] + access_token = token async with AsyncClient() as client: resp = await client.get( url=provider.get_resource_url(resource_name), @@ -164,9 +170,19 @@ async def get_auth_provider_resource( # Only a demo, real application would really process the response resp_length = len(resp.text) if resp_length > 1024: - return ProcessResult(msg=f"The resource is too long ({resp_length} bytes) to show here") + return ProcessResult( + msg=f"The resource is too long ({resp_length} bytes) to show in this demo, here is just the begining in raw format", + start=resp.text[:100] + "...", + ) else: - return ProcessResult(**resp.json()) + try: + resp_json = resp.json() + except JSONDecodeError: + return ProcessResult(msg="The resource is not formatted in JSON", text=resp.text) + if isinstance(resp_json, dict): + return ProcessResult(**resp.json()) + elif isinstance(resp_json, list): + return ProcessResult(**{str(i): line for i, line in enumerate(resp_json)}) # @resource_server.get("/public") diff --git a/src/oidc_test/settings.py b/src/oidc_test/settings.py index e549fd4..ad80c06 100644 --- a/src/oidc_test/settings.py +++ b/src/oidc_test/settings.py @@ -104,6 +104,7 @@ class Settings(BaseSettings): auth: AuthSettings = AuthSettings() secret_key: str = "".join(random.choice(string.ascii_letters) for _ in range(16)) log: bool = False + log_config_file: str = "log_conf.yaml" insecure: Insecure = Insecure() cors_origins: list[str] = [] debug_token: bool = False diff --git a/src/oidc_test/static/styles.css b/src/oidc_test/static/styles.css index 2baa748..1e8dc03 100644 --- a/src/oidc_test/static/styles.css +++ b/src/oidc_test/static/styles.css @@ -21,6 +21,12 @@ hr { .hidden { display: none; } +.version { + position: absolute; + font-size: 75%; + top: 0.3em; + right: 0.3em; +} .center { text-align: center; } diff --git a/src/oidc_test/templates/base.html b/src/oidc_test/templates/base.html index 4cb56f5..157e26f 100644 --- a/src/oidc_test/templates/base.html +++ b/src/oidc_test/templates/base.html @@ -5,6 +5,7 @@ +
v. {{ __version__}}

OIDC-test - FastAPI client

{% block content %} {% endblock %} diff --git a/src/oidc_test/templates/home.html b/src/oidc_test/templates/home.html index 5bccaee..167616f 100644 --- a/src/oidc_test/templates/home.html +++ b/src/oidc_test/templates/home.html @@ -66,12 +66,8 @@ {% endif %}
- {% if resources %} -

- {{ auth_provider.name }} provides these resources: -

+

This application provides all these resources, eventually protected with scope or roles:

{% for name, resource in resources.items() %} {% if resource.default_resource_id %} @@ -91,8 +87,29 @@ {% endfor %}
{% endif %} + {% if auth_provider.resources %} +

{{ auth_provider.name }} is also defined as a provider for these resources:

+
+ {% for resource in auth_provider.resources %} + {% if resource.default_resource_id %} + + {% else %} + + {% endif %} + {% endfor %} +
+ {% endif %} {% if resource_providers %} -

{{ auth_provider.name }} can request resources from third party resource providers:

+

{{ auth_provider.name }} allows this application to request resources from third party resource providers:

{% for resource_provider in resource_providers %}
{{ resource_provider.name }} diff --git a/uv.lock b/uv.lock index 01b64de..0566bb5 100644 --- a/uv.lock +++ b/uv.lock @@ -1,4 +1,5 @@ version = 1 +revision = 1 requires-python = ">=3.13" [[package]] @@ -206,6 +207,18 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/68/1b/e0a87d256e40e8c888847551b20a017a6b98139178505dc7ffb96f04e954/dnspython-2.7.0-py3-none-any.whl", hash = "sha256:b4c34b7d10b51bcc3a5071e7b8dee77939f1e878477eeecc965e9835f63c6c86", size = 313632 }, ] +[[package]] +name = "dunamai" +version = "1.23.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "packaging" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/06/4e/a5c8c337a1d9ac0384298ade02d322741fb5998041a5ea74d1cd2a4a1d47/dunamai-1.23.0.tar.gz", hash = "sha256:a163746de7ea5acb6dacdab3a6ad621ebc612ed1e528aaa8beedb8887fccd2c4", size = 44681 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/21/4c/963169386309fec4f96fd61210ac0a0666887d0fb0a50205395674d20b71/dunamai-1.23.0-py3-none-any.whl", hash = "sha256:a0906d876e92441793c6a423e16a4802752e723e9c9a5aabdc5535df02dbe041", size = 26342 }, +] + [[package]] name = "ecdsa" version = "0.19.0" @@ -482,7 +495,6 @@ wheels = [ [[package]] name = "oidc-fastapi-test" -version = "0.0.0" source = { editable = "." } dependencies = [ { name = "authlib" }, @@ -501,6 +513,7 @@ dependencies = [ [package.dev-dependencies] dev = [ + { name = "dunamai" }, { name = "ipdb" }, { name = "pytest" }, ] @@ -523,6 +536,7 @@ requires-dist = [ [package.metadata.requires-dev] dev = [ + { name = "dunamai", specifier = ">=1.23.0" }, { name = "ipdb", specifier = ">=0.13.13" }, { name = "pytest", specifier = ">=8.3.4" }, ]