16527 - check token cache endpoint before generating new service account token (#2369)

Author: bolyachevets

auth-api/requirements.txt

@@ -57,6 +57,8 @@ pyrsistent==0.19.3
 python-dotenv==1.0.0
 python-jose==3.3.0
 pytz==2022.7.1
+python-memcached==1.59
+redis==4.3.6
 requests==2.31.0
 rsa==4.9
 semver==2.13.0

auth-api/requirements/dev.txt

@@ -23,3 +23,4 @@ FreezeGun
 lovely-pytest-docker
 Faker
 pytest-asyncio==0.21.0
+mock

auth-api/requirements/prod.txt

@@ -31,3 +31,5 @@ launchdarkly-server-sdk
 protobuf~=3.19.5
 aiohttp
 orjson
+python-memcached
+redis

auth-api/src/auth_api/config.py

@@ -97,6 +97,17 @@ class _Config:  # pylint: disable=too-few-public-methods
     KEYCLOAK_ADMIN_USERNAME = os.getenv('SBC_AUTH_ADMIN_CLIENT_ID')
     KEYCLOAK_ADMIN_SECRET = os.getenv('SBC_AUTH_ADMIN_CLIENT_SECRET')
 
+    # keycloak service account token lifepan
+    try:
+        CACHE_DEFAULT_TIMEOUT = int(os.getenv('ACCESS_TOKEN_LIFESPAN'))
+    except:  # pylint:disable=bare-except # noqa: B901, E722
+        CACHE_DEFAULT_TIMEOUT = 300
+
+    CACHE_MEMCACHED_SERVERS = os.getenv('CACHE_MEMCACHED_SERVERS')
+
+    CACHE_REDIS_HOST = os.getenv('CACHE_REDIS_HOST')
+    CACHE_REDIS_PORT = os.getenv('CACHE_REDIS_PORT')
+
     # Service account details
     KEYCLOAK_SERVICE_ACCOUNT_ID = os.getenv('SBC_AUTH_ADMIN_CLIENT_ID')
     KEYCLOAK_SERVICE_ACCOUNT_SECRET = os.getenv('SBC_AUTH_ADMIN_CLIENT_SECRET')

auth-api/src/auth_api/services/rest_service.py

@@ -30,6 +30,7 @@
 
 from auth_api.exceptions import ServiceUnavailableException
 from auth_api.utils.enums import AuthHeaderType, ContentType
+from auth_api.utils.cache import cache
 
 RETRY_ADAPTER = HTTPAdapter(max_retries=Retry(total=5, backoff_factor=1, status_forcelist=[404]))
 
@@ -163,11 +164,13 @@ def get(endpoint, token=None,  # pylint: disable=too-many-arguments
         return response
 
     @staticmethod
+    @cache.cached(query_string=True)
     def get_service_account_token(config_id='KEYCLOAK_SERVICE_ACCOUNT_ID',
                                   config_secret='KEYCLOAK_SERVICE_ACCOUNT_SECRET') -> str:
         """Generate a service account token."""
         kc_service_id = current_app.config.get(config_id)
         kc_secret = current_app.config.get(config_secret)
+
         issuer_url = current_app.config.get('JWT_OIDC_ISSUER')
         token_url = issuer_url + '/protocol/openid-connect/token'
         auth_response = requests.post(token_url, auth=(kc_service_id, kc_secret), headers={

auth-api/src/auth_api/utils/cache.py

@@ -12,8 +12,23 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 """Bring in the common cache."""
+import os
 from flask_caching import Cache
 
+cache_servers = os.environ.get('CACHE_MEMCACHED_SERVERS')
 
-# lower case name as used by convention in most Flask apps
-cache = Cache(config={'CACHE_TYPE': 'simple'})  # pylint: disable=invalid-name
+if cache_servers:
+    cache = Cache(config={'CACHE_TYPE': 'MemcachedCache',
+                          'CACHE_MEMCACHED_SERVERS': cache_servers.split(',')})
+else:
+
+    redis_host = os.environ.get('CACHE_REDIS_HOST')
+    redis_port = os.environ.get('CACHE_REDIS_PORT')
+
+    if redis_host and redis_port:
+        cache = Cache(config={'CACHE_TYPE': 'RedisCache',
+                              'CACHE_REDIS_HOST': redis_host,
+                              'CACHE_REDIS_PORT': redis_port})
+
+    else:
+        cache = Cache(config={'CACHE_TYPE': 'simple'})  # pylint: disable=invalid-name

auth-api/tests/conftest.py

@@ -28,6 +28,11 @@
 from auth_api.models import db as _db
 
 
+def mock_token(config_id='', config_secret=''):
+    """Mock token generator."""
+    return 'TOKEN....'
+
+
 @pytest.fixture(scope='session')
 def app():
     """Return a session-wide application configured in TEST mode."""

auth-api/tests/unit/api/test_task.py

@@ -16,6 +16,7 @@
 Test-Suite to ensure that the /tasks endpoint is working as expected.
 """
 import json
+import mock
 
 import datetime as dt
 import pytest
@@ -35,6 +36,8 @@
 from tests.utilities.factory_utils import (
     factory_auth_header, factory_task_model, factory_task_service, factory_user_model, factory_user_model_with_contact,
     patch_token_info)
+from tests.conftest import mock_token
+
 
 current_dt = dt.datetime.now()
 current_date_str = current_dt.strftime('%Y-%m-%d')
@@ -128,6 +131,7 @@ def test_fetch_tasks_end_of_day(client, jwt, session):
     assert rv.status_code == http_status.HTTP_200_OK
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_put_task_org(client, jwt, session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that the task can be updated."""
     # 1. Create User
@@ -185,6 +189,7 @@ def test_put_task_org(client, jwt, session, keycloak_mock, monkeypatch):  # pyli
     assert rv.json.get('orgStatus') == OrgStatus.ACTIVE.value
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_put_task_org_on_hold(client, jwt, session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that the task can be updated."""
     # 1. Create User
@@ -244,6 +249,7 @@ def test_put_task_org_on_hold(client, jwt, session, keycloak_mock, monkeypatch):
     assert rv.json.get('orgStatus') == OrgStatus.PENDING_STAFF_REVIEW.value
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_put_task_product(client, jwt, session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that the task can be updated."""
     # 1. Create User
@@ -344,6 +350,7 @@ def test_fetch_task(client, jwt, session):  # pylint:disable=unused-argument
     (TestJwtClaims.public_bceid_user, AccessType.GOVN.value, TaskAction.AFFIDAVIT_REVIEW.value),
     (TestJwtClaims.public_user_role, AccessType.GOVN.value, TaskAction.ACCOUNT_REVIEW.value),
 ])
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_tasks_on_account_creation(client, jwt, session, keycloak_mock,  # pylint:disable=unused-argument
                                    monkeypatch, user_token, access_type, expected_task_action):
     """Assert that tasks are created."""

auth-api/tests/unit/api/test_user.py

@@ -21,6 +21,7 @@
 import pytest
 import time
 import uuid
+import mock
 
 from sqlalchemy import event
 
@@ -47,6 +48,7 @@
     factory_invitation_anonymous, factory_membership_model, factory_org_model, factory_product_model,
     factory_user_model, patch_token_info)
 from tests.utilities.sqlalchemy import clear_event_listeners
+from tests.conftest import mock_token
 
 KEYCLOAK_SERVICE = KeycloakService()
 
@@ -59,6 +61,7 @@ def test_add_user(client, jwt, session):  # pylint:disable=unused-argument
     assert schema_utils.validate(rv.json, 'user_response')[0]
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_add_user_staff_org(client, jwt, session, keycloak_mock, monkeypatch):
     """Assert that adding and removing membership to a staff org occurs."""
     # Create a user and org
@@ -686,6 +689,7 @@ def test_delete_unknown_user_returns_404(client, jwt, session):  # pylint:disabl
 
 
 @pytest.mark.parametrize('environment', ['test', None])
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_delete_user_as_only_admin_returns_400(client, jwt, session, keycloak_mock,
                                                monkeypatch, environment):  # pylint:disable=unused-argument
     """Test if the user is the only owner of a team assert status is 400."""
@@ -717,6 +721,7 @@ def test_delete_user_as_only_admin_returns_400(client, jwt, session, keycloak_mo
 
 
 @pytest.mark.parametrize('environment', ['test', None])
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_delete_user_is_member_returns_204(client, jwt, session, keycloak_mock,
                                            monkeypatch, environment):  # pylint:disable=unused-argument
     """Test if the user is the member of a team assert status is 204."""

auth-api/tests/unit/api/test_user_settings.py

@@ -17,6 +17,7 @@
 Test-Suite to ensure that the /users endpoint is working as expected.
 """
 import copy
+import mock
 
 from auth_api import status as http_status
 from auth_api.models import ContactLink as ContactLinkModel
@@ -25,8 +26,10 @@
 from tests.utilities.factory_scenarios import TestJwtClaims, TestOrgInfo, TestUserInfo
 from tests.utilities.factory_utils import (
     factory_auth_header, factory_contact_model, factory_user_model, patch_token_info)
+from tests.conftest import mock_token
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_get_user_settings(client, jwt, session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that get works and adhere to schema."""
     user_model = factory_user_model(user_info=TestUserInfo.user_test)

auth-api/tests/unit/services/test_affidavit.py

@@ -15,6 +15,7 @@
 
 Test suite to ensure that the affidavit service routines are working as expected.
 """
+import mock
 from auth_api.services import Affidavit as AffidavitService
 from auth_api.models import Task as TaskModel
 from auth_api.services import Org as OrgService
@@ -23,6 +24,7 @@
                                   TaskRelationshipStatus)
 from tests.utilities.factory_scenarios import TestAffidavit, TestJwtClaims, TestOrgInfo, TestUserInfo  # noqa: I005
 from tests.utilities.factory_utils import factory_user_model, factory_user_model_with_contact, patch_token_info
+from tests.conftest import mock_token
 
 
 def test_create_affidavit(session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
@@ -56,6 +58,7 @@ def test_create_affidavit_duplicate(session, keycloak_mock, monkeypatch):  # pyl
     assert affidavit3.as_dict().get('status', None) == AffidavitStatus.PENDING.value
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_approve_org(session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that an Affidavit can be approved."""
     user = factory_user_model_with_contact(user_info=TestUserInfo.user_bceid_tester)
@@ -82,6 +85,7 @@ def test_approve_org(session, keycloak_mock, monkeypatch):  # pylint:disable=unu
     assert affidavit['status'] == AffidavitStatus.APPROVED.value
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_task_creation(session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that affidavit reupload creates new task."""
     user = factory_user_model_with_contact()
@@ -102,6 +106,7 @@ def test_task_creation(session, keycloak_mock, monkeypatch):  # pylint:disable=u
     assert TaskModel.find_by_task_for_account(org_id, TaskStatus.OPEN.value) is not None
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 def test_reject_org(session, keycloak_mock, monkeypatch):  # pylint:disable=unused-argument
     """Assert that an Affidavit can be rejected."""
     user = factory_user_model_with_contact(user_info=TestUserInfo.user_bceid_tester)

auth-api/tests/unit/services/test_affiliation.py

@@ -17,6 +17,7 @@
 """
 from unittest.mock import ANY, patch
 
+import mock
 import pytest
 
 from auth_api.exceptions import BusinessException
@@ -33,6 +34,7 @@
 from tests.utilities.factory_utils import (
     convert_org_to_staff_org, factory_entity_service, factory_membership_model, factory_org_service,
     factory_user_model_with_contact, patch_get_firms_parties, patch_token_info)
+from tests.conftest import mock_token
 
 
 @pytest.mark.parametrize('environment', ['test', None])
@@ -163,6 +165,7 @@ def test_create_affiliation_exists(session, auth_mock, environment):  # pylint:d
     assert affiliation
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 @pytest.mark.parametrize('environment', ['test', None])
 def test_create_affiliation_firms(session, auth_mock, monkeypatch, environment):  # pylint:disable=unused-argument
     """Assert that an Affiliation can be created."""
@@ -223,6 +226,7 @@ def test_create_affiliation_staff_sbc_staff(
             affiliation = AffiliationService.create_affiliation(org_id, business_identifier, environment)
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 @pytest.mark.parametrize('environment', ['test', None])
 def test_create_affiliation_firms_party_with_additional_space(session, auth_mock,
                                                               monkeypatch, environment):
@@ -245,6 +249,7 @@ def test_create_affiliation_firms_party_with_additional_space(session, auth_mock
     assert affiliation.as_dict()['organization']['id'] == org_dictionary['id']
 
 
+@mock.patch('auth_api.services.affiliation_invitation.RestService.get_service_account_token', mock_token)
 @pytest.mark.parametrize('environment', ['test', None])
 def test_create_affiliation_firms_party_not_valid(session, auth_mock, monkeypatch,
                                                   environment):