Merge pull request #105 from pvarki/keycloak

Initial KeyCloak integration

Author: rambo

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.4.0
+current_version = 1.5.0
 commit = False
 tag = False
 

.gitignore

@@ -1,6 +1,9 @@
 # IDE settings
 .idea
 
+*.ipynb
+
+
 # ci artefacts
 pytest*.xml
 

docker/container-init.sh

@@ -2,8 +2,9 @@
 set -e
 # Make sure fakeproduct api endpoint points to correct IP, 127.0.01 is this containers localhost...
 sed 's/.*localmaeher.*//g' /etc/hosts >/etc/hosts.new && cat /etc/hosts.new >/etc/hosts
-echo "$(getent hosts host.docker.internal | awk '{ print $1 }') fake.localmaeher.pvarki.fi" >>/etc/hosts
-echo "$(getent hosts host.docker.internal | awk '{ print $1 }') tak.localmaeher.pvarki.fi" >>/etc/hosts
+echo "$(getent ahostsv4 host.docker.internal | awk '{ print $1 }') fake.localmaeher.dev.pvarki.fi" >>/etc/hosts
+echo "$(getent ahostsv4 host.docker.internal | awk '{ print $1 }') tak.localmaeher.dev.pvarki.fi" >>/etc/hosts
+echo "$(getent ahostsv4 host.docker.internal | awk '{ print $1 }') kc.localmaeher.dev.pvarki.fi" >>/etc/hosts
 
 # Make sure the persistent directories exist
 test -d /data/persistent/private || ( mkdir -p /data/persistent/private && chmod og-rwx /data/persistent/private )

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "rasenmaeher_api"
-version = "1.4.0"
+version = "1.5.0"
 description = "python-rasenmaeher-api"
 authors = [
     "Aciid <703382+Aciid@users.noreply.github.com>",
@@ -47,6 +47,7 @@ disallow_untyped_decorators=false
 junit_family="xunit2"
 addopts="--cov=rasenmaeher_api --cov-fail-under=65 --cov-branch"
 asyncio_mode="strict"
+asyncio_default_fixture_loop_scope = "session"
 
 [tool.pylint.MASTER]
 extension-pkg-allow-list = "pydantic"
@@ -84,12 +85,14 @@ pyopenssl = "^23.1"
 libpvarki = { git="https://github.com/pvarki/python-libpvarki.git", tag="1.9.0"}
 openapi-readme = "^0.2"
 python-multipart = "^0.0.6"
-aiohttp = "^3.8"
+aiohttp = ">=3.11.10,<4.0"
+pyjwt = ">=2.10.1"
 aiodns = "^3.0"
 brotli = "^1.0"
 cchardet = { version="^2.1", python="<=3.10"}
 filelock = "^3.12"
 gino = "^1.0"
+python-keycloak = "^4.2.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^7.4"
@@ -100,7 +103,7 @@ black = "^23.7"
 bandit = "^1.7"
 mypy = "^1.5"
 pre-commit = "^3.3"
-pytest-asyncio = ">=0.21,<1.0" # caret behaviour on 0.x is to lock to 0.x.*
+pytest-asyncio = ">=0.23,<1.0" # caret behaviour on 0.x is to lock to 0.x.*
 bump2version = "^1.0"
 detect-secrets = "^1.2"
 httpx = ">=0.23,<1.0" # caret behaviour on 0.x is to lock to 0.x.*

pyproject.toml

@@ -1,2 +1,2 @@
 """ python-rasenmaeher-api """
-__version__ = "1.4.0"  # NOTE Use `bump2version --config-file patch` to bump versions correctly
+__version__ = "1.5.0"  # NOTE Use `bump2version --config-file patch` to bump versions correctly

src/rasenmaeher_api/__init__.py

@@ -10,18 +10,27 @@
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.dialects.postgresql import UUID as saUUID
 import sqlalchemy as sa
+from sqlalchemy.sql import func
 
 from .base import ORMBaseModel, utcnow, db
 from .people import Person
 from .errors import ForbiddenOperation, CallsignReserved, NotFound, Deleted, PoolInactive
 from ..rmsettings import RMSettings
 
 LOGGER = logging.getLogger(__name__)
-CODE_CHAR_COUNT = 8  # TODO: Make configurable ??
 CODE_ALPHABET = string.ascii_uppercase + string.digits
 CODE_MAX_ATTEMPTS = 100
 
 
+def generate_code() -> str:
+    """Generate a code"""
+    settings = RMSettings.singleton()
+    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(settings.code_size))
+    if settings.code_avoid_confusion:
+        code = code.replace("0", "O").replace("1", "I")
+    return code
+
+
 class EnrollmentPool(ORMBaseModel):  # pylint: disable=R0903
     """Enrollment pools aka links, pk is UUID and comes from basemodel"""
 
@@ -81,7 +90,7 @@ async def _generate_unused_code(cls) -> str:
         attempt = 0
         while True:
             attempt += 1
-            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_CHAR_COUNT))
+            code = generate_code()
             try:
                 await EnrollmentPool.by_invitecode(code)
             except NotFound:
@@ -184,7 +193,7 @@ async def list(cls, by_pool: Optional[EnrollmentPool] = None) -> AsyncGenerator[
     @classmethod
     async def by_callsign(cls, callsign: str) -> Self:
         """Get by callsign"""
-        obj = await Enrollment.query.where(Enrollment.callsign == callsign).gino.first()
+        obj = await Enrollment.query.where(func.lower(Enrollment.callsign) == func.lower(callsign)).gino.first()
         if not obj:
             raise NotFound()
         if obj.deleted:
@@ -227,7 +236,7 @@ async def _generate_unused_code(cls) -> str:
         attempt = 0
         while True:
             attempt += 1
-            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_CHAR_COUNT))
+            code = generate_code()
             try:
                 await Enrollment.by_approvecode(code)
             except NotFound:

src/rasenmaeher_api/db/enrollments.py

@@ -8,7 +8,7 @@
 import sqlalchemy as sa
 from multikeyjwt import Issuer
 
-from .base import ORMBaseModel, utcnow
+from .base import ORMBaseModel, utcnow, db
 from .errors import ForbiddenOperation, NotFound, Deleted, TokenReuse
 
 LOGGER = logging.getLogger(__name__)
@@ -30,19 +30,23 @@ class LoginCode(ORMBaseModel):  # pylint: disable=R0903
     @classmethod
     async def use_code(cls, code: str, auditmeta: Optional[Dict[str, Any]] = None) -> str:
         """Exchange the code for JWT, if it was already used raise error that is also 403, return JWT with the claims"""
-        obj = await LoginCode.by_code(code)
-        if obj.used_on:
-            LOGGER.error("{} was used on {}".format(obj.code, obj.used_on))
-            raise TokenReuse()
-        if not auditmeta:
-            auditmeta = {}
-        await obj.update(used_on=utcnow, auditmeta=auditmeta).apply()
-        return Issuer.singleton().issue(obj.claims)
+        async with db.acquire() as conn:
+            async with conn.transaction():  # do it in a transaction to avoid data races
+                obj = await LoginCode.by_code(code)
+                if obj.used_on:
+                    LOGGER.error("{} was used on {}".format(obj.code, obj.used_on))
+                    raise TokenReuse()
+                if not auditmeta:
+                    auditmeta = {}
+                await obj.update(used_on=utcnow, auditmeta=auditmeta).apply()
+                return Issuer.singleton().issue(obj.claims)
 
     @classmethod
     async def by_code(cls, code: str) -> Self:
         """Get by token"""
-        obj = await LoginCode.query.where(LoginCode.code == code).gino.first()
+        async with db.acquire() as conn:
+            async with conn.transaction():  # do it in a transaction to avoid data races
+                obj = await LoginCode.query.where(LoginCode.code == code).gino.first()
         if not obj:
             raise NotFound()
         if obj.deleted:
@@ -55,20 +59,22 @@ async def create_for_claims(cls, claims: Dict[str, Any], auditmeta: Optional[Dic
         """Create a new one with random code for the given claims"""
         # TODO: Do this in a transaction to avoid race conditions
         attempt = 0
-        while True:
-            attempt += 1
-            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_CHAR_COUNT))
-            try:
-                await LoginCode.by_code(code)
-            except NotFound:
-                break
-            if attempt > CODE_MAX_ATTEMPTS:
-                raise RuntimeError("Can't find unused code")
-        if not auditmeta:
-            auditmeta = {}
-        dbobj = LoginCode(code=code, claims=claims, auditmeta=auditmeta)
-        await dbobj.create()
-        return code
+        async with db.acquire() as conn:
+            async with conn.transaction():  # do it in a transaction to avoid data races
+                while True:
+                    attempt += 1
+                    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_CHAR_COUNT))
+                    try:
+                        await LoginCode.by_code(code)
+                    except NotFound:
+                        break
+                    if attempt > CODE_MAX_ATTEMPTS:
+                        raise RuntimeError("Can't find unused code")
+                if not auditmeta:
+                    auditmeta = {}
+                dbobj = LoginCode(code=code, claims=claims, auditmeta=auditmeta)
+                await dbobj.create()
+                return code
 
     async def delete(self) -> bool:
         """Deletion of enrollments is not allowed"""

src/rasenmaeher_api/db/logincodes.py

@@ -102,10 +102,5 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
             return
 
         # Get and release connection
-        scope["connection"] = await self.gino.acquire(lazy=True)
-        try:
+        async with self.gino.acquire(lazy=True):
             await self.app(scope, receive, send)
-        finally:
-            conn = scope.pop("connection", None)
-            if conn is not None:
-                await conn.release()