Feat/t 100 keycloak authentication

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
       uses: docker/setup-buildx-action@v1
 
     - name: Cache Docker layers
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: /tmp/.buildx-cache
         key: ${{ runner.os }}-buildx-${{ github.sha }}
@@ -25,6 +25,9 @@ jobs:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
 
+    - name: Fix realm_config directory permission
+      run: sudo chown -R 1000:1000 dev/docker/realm_config
+
     - name: Build and run containers
       run: |
         docker compose \
@@ -41,7 +44,6 @@ jobs:
         pip install --upgrade pip
         pip install uv
         uv sync 
-
     - name: Run tests
       run: |
         uv run pytest -rs

dev/docker/.env.dev

@@ -3,4 +3,9 @@ MINIO_PASSWORD=minio123
 POSTGRES_USER=root
 POSTGRES_PASSWORD=root
 PGADMIN_USER=admin@admin.com
-PGADMIN_PASSWORD=root
+PGADMIN_PASSWORD=root
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=admin
+KEYCLOAK_CLIENT_SECRET=w9pOmNyAnO6B3SlPcmYr10Nq7iwIn5ze
+TEST_USERNAME=test
+TEST_PASSWORD=test

dev/docker/docker-compose.yml

@@ -12,6 +12,10 @@ services:
       - ../../tests/mock_data:/code/data
       - ../../data/index:/code/index
       - ../../src:/code/src
+      - ../../dev/docker:/code/dev/docker
+    depends_on:
+      keycloak:
+        condition: service_healthy
     ports:
       - '8081:5000'
     entrypoint: 
@@ -27,6 +31,7 @@ services:
     environment:
       - DATABASE_HOST=pg_container
       - DATABASE_PORT=5432
+      - HOST=keycloak
     networks:
       - dbnetwork
 
@@ -66,6 +71,31 @@ services:
     networks:
       - dbnetwork
 
+  # Service for keycloak
+  # This container runs keycloak image for authentication of some api ends.
+  keycloak: 
+    container_name: keycloak
+    image: quay.io/keycloak/keycloak:24.0 
+    restart: always
+    environment: 
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_HOSTNAME: keycloak
+      KC_HEALTH_ENABLED: true
+    ports: 
+      - "8080:8080"
+    volumes: 
+      - ./realm_config:/opt/keycloak/data
+    command: start-dev
+    healthcheck:
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/keycloak/8080 && echo -e 'GET /health/ready HTTP/1.1\\r\\nHost: keycloak\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q '200 OK'"]
+      interval: 10s
+      timeout: 30s
+      retries: 3
+      start_period: 50s
+    networks: 
+      - dbnetwork
+
 networks:
   dbnetwork:
     name: dbnetwork

pyproject.toml

@@ -37,6 +37,8 @@ dependencies = [
     "tqdm>=4.66.5",
     "ujson>=5.10.0",
     "uvicorn>=0.32.0",
+    "python-keycloak>=5.1.1",
+    "python-dotenv>=1.0.1"
 ]
 
 [project.urls]
@@ -53,4 +55,4 @@ dev-dependencies = [
     "pytest>=8.3.3",
     "xarray>=2024.7.0",
     "zarr>=2.18.2",
-]
+]

src/api/create.py

@@ -131,10 +131,10 @@ def create_cpf_summary(self, data_path: Path):
         df["context"] = [Json(base_context)] * len(df)
         df = df.drop_duplicates(subset=["name"])
         df["name"] = df["name"].apply(
-                lambda x: models.ShotModel.__fields__.get("cpf_" + x.lower()).alias
-                if models.ShotModel.__fields__.get("cpf_" + x.lower())
-                else x
-            )
+            lambda x: models.ShotModel.__fields__.get("cpf_" + x.lower()).alias
+            if models.ShotModel.__fields__.get("cpf_" + x.lower())
+            else x
+        )
         df.to_sql("cpf_summary", self.uri, if_exists="append")
 
     def create_scenarios(self, data_path: Path):
@@ -147,6 +147,7 @@ def create_scenarios(self, data_path: Path):
         data = pd.DataFrame(dict(id=ids, name=scenarios)).set_index("id")
         data = data.dropna()
         data["context"] = [Json(base_context)] * len(data)
+
         data.to_sql("scenarios", self.uri, if_exists="append")
 
     def create_shots(self, data_path: Path):

src/api/environment.py

@@ -1,9 +1,20 @@
 import os
 
 host = os.environ.get("DATABASE_HOST", "localhost")
-
+keycloak_host = os.environ.get("KEYCLOAK_HOST", "localhost")
 # Location of the database
 DB_NAME = "mast_db"
 SQLALCHEMY_DATABASE_URL = f"postgresql://root:root@{host}:5432/{DB_NAME}"
 # Echo SQL statements
 SQLALCHEMY_DEBUG = os.environ.get("SQLALCHEMY_DEBUG", False)
+
+# Keycloak server url
+SERVER_URL = f"http://{keycloak_host}:8080"
+# Realm name within keycloak
+REALM_NAME = "realm1"
+# Client name withing keycloak
+CLIENT_NAME = "fair-mast"
+
+TEST_PASSWORD = "test"
+
+UNAUTHORIZED_USER = "test1"

src/api/main.py

@@ -9,25 +9,36 @@
 import pandas as pd
 import sqlmodel
 import ujson
+from dotenv import load_dotenv
 from fastapi import Depends, FastAPI, HTTPException, Query, Request, Response, status
 from fastapi.encoders import jsonable_encoder
 from fastapi.exceptions import RequestValidationError
 from fastapi.responses import JSONResponse
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
 from fastapi_pagination import add_pagination
 from fastapi_pagination.cursor import CursorPage
 from fastapi_pagination.ext.sqlalchemy import paginate
+from keycloak import KeycloakOpenID
+from keycloak.exceptions import (
+    KeycloakAuthenticationError,
+    KeycloakAuthorizationConfigError,
+)
 from sqlalchemy.orm import Session
 from strawberry.asgi import GraphQL
 from strawberry.http import GraphQLHTTPResponse
 from strawberry.types import ExecutionResult
 
 from . import crud, graphql, models
 from .database import get_db
+from .environment import CLIENT_NAME, REALM_NAME, SERVER_URL
 
 templates = Jinja2Templates(directory="src/api/templates")
 
+load_dotenv("dev/docker/.env.dev")
+CLIENT_SECRET = os.getenv("KEYCLOAK_CLIENT_SECRET")
+
 
 class JSONLDGraphQL(GraphQL):
     async def process_result(
@@ -78,6 +89,38 @@ def fixup_context(d):
 app.add_websocket_route("/graphql", graphql_app)
 add_pagination(app)
 
+keycloak_id = KeycloakOpenID(
+    server_url=SERVER_URL,
+    realm_name=REALM_NAME,
+    client_id=CLIENT_NAME,
+    client_secret_key=CLIENT_SECRET,
+    verify=True,
+)
+security = HTTPBasic()
+
+
+def authenticate_user_by_role(credentials: HTTPBasicCredentials = Depends(security)):
+    try:
+        token = keycloak_id.token(
+            username=credentials.username,
+            password=credentials.password,
+            grant_type="password",
+        )
+
+        user_info = keycloak_id.userinfo(token=token["access_token"])
+        user_roles = (
+            user_info.get("resource_access", {}).get(CLIENT_NAME, {}).get("roles", {})
+        )
+        if "fair-mast-admins" not in user_roles:
+            raise KeycloakAuthorizationConfigError(
+                error_message="Forbidden user: Access not sufficient", response_code=403
+            )
+        return user_info
+    except KeycloakAuthenticationError as e:
+        raise KeycloakAuthenticationError(
+            error_message=f"Invalid username or password: {e}", response_code=401
+        )
+
 
 @app.exception_handler(RequestValidationError)
 async def validation_exception_handler(request: Request, exc: RequestValidationError):
@@ -303,6 +346,21 @@ def get_shots(db: Session = Depends(get_db), params: QueryParams = Depends()):
     return paginate(db, query)
 
 
+@app.post("/json/shots", description="Post data to shot table")
+def post_shots(
+    shot_data: list[dict],
+    db: Session = Depends(get_db),
+    _: HTTPBasicCredentials = Depends(authenticate_user_by_role),
+):
+    try:
+        engine = db.get_bind()
+        df = pd.DataFrame(shot_data)
+        df.to_sql("shots", engine, if_exists="append", index=False)
+        return shot_data
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=f"Error:{str(e)}")
+
+
 @app.get("/json/shots/aggregate")
 def get_shots_aggregate(
     request: Request,
@@ -377,6 +435,21 @@ def get_signals(db: Session = Depends(get_db), params: QueryParams = Depends()):
     return paginate(db, query)
 
 
+@app.post("/json/signals", description="post data to signal table")
+def post_signal(
+    signal_data: list[dict],
+    db: Session = Depends(get_db),
+    _: HTTPBasicCredentials = Depends(authenticate_user_by_role),
+):
+    try:
+        engine = db.get_bind()
+        df = pd.DataFrame(signal_data)
+        df.to_sql("signals", engine, if_exists="append", index=False)
+        return signal_data
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=f"Error:{str(e)}")
+
+
 @app.get("/json/signals/aggregate")
 def get_signals_aggregate(
     request: Request,
@@ -435,6 +508,21 @@ def get_cpf_summary(db: Session = Depends(get_db), params: QueryParams = Depends
     return paginate(db, query)
 
 
+@app.post("/json/cpf_summary", description="post data to cpf summary table")
+def post_cpf_summary(
+    cpf_data: list[dict],
+    db: Session = Depends(get_db),
+    _: HTTPBasicCredentials = Depends(authenticate_user_by_role),
+):
+    try:
+        engine = db.get_bind()
+        df = pd.DataFrame(cpf_data)
+        df.to_sql("cpf_summary", engine, if_exists="append", index=False)
+        return cpf_data
+    except Exception as e:
+        raise (HTTPException(status_code=400, detail=f"Error:{str(e)}"))
+
+
 @app.get(
     "/json/scenarios",
     description="Get information on different scenarios.",
@@ -453,6 +541,21 @@ def get_scenarios(
     return paginate(db, query)
 
 
+@app.post("/json/scenarios", description="post data to scenario table")
+def post_scenarios(
+    scenario_data: list[dict],
+    db: Session = Depends(get_db),
+    _: HTTPBasicCredentials = Depends(authenticate_user_by_role),
+):
+    try:
+        engine = db.get_bind()
+        df = pd.DataFrame(scenario_data)
+        df.to_sql("scenarios", engine, if_exists="append", index=False)
+        return scenario_data
+    except Exception as e:
+        raise (HTTPException(status_code=400, detail=f"Error:{str(e)}"))
+
+
 @app.get(
     "/json/sources",
     description="Get information on different sources.",
@@ -469,6 +572,21 @@ def get_sources(db: Session = Depends(get_db), params: QueryParams = Depends()):
     return paginate(db, query)
 
 
+@app.post("/json/sources", description="Post Shot data into database")
+def post_source(
+    source_data: list[dict],
+    db: Session = Depends(get_db),
+    _: HTTPBasicCredentials = Depends(authenticate_user_by_role),
+):
+    try:
+        engine = db.get_bind()
+        df = pd.DataFrame(source_data)
+        df.to_sql("sources", engine, if_exists="append", index=False)
+        return source_data
+    except Exception as e:
+        raise (HTTPException(status_code=400, detail=f"Error:{str(e)}"))
+
+
 @app.get(
     "/json/sources/aggregate",
     response_model=models.SourceModel,

tests/api/conftest.py

@@ -3,6 +3,7 @@
 
 import pytest
 from fastapi.testclient import TestClient
+from requests.auth import HTTPBasicAuth
 from sqlalchemy.orm import sessionmaker
 from sqlalchemy_utils.functions import (
     drop_database,
@@ -12,13 +13,20 @@
 
 from src.api.create import DBCreationClient
 from src.api.database import get_db
+
+# from src.api.environment import TEST_PASSWORD, TEST_USERNAME
 from src.api.main import app, graphql_app
 
 # Set up the database URL
 host = os.environ.get("DATABASE_HOST", "localhost")
 TEST_DB_NAME = "test_db"
 SQLALCHEMY_DATABASE_TEST_URL = f"postgresql://root:root@{host}:5432/{TEST_DB_NAME}"
 
+# TEST_USERNAME = "test"
+# TEST_PASSWORD = "test"
+TEST_USERNAME = os.getenv("TEST_USERNAME")
+TEST_PASSWORD = os.getenv("TEST_PASSWORD")
+
 
 # Fixture to create and drop the database
 @pytest.fixture(scope="session")
@@ -39,6 +47,11 @@ def test_db(data_path):
     drop_database(SQLALCHEMY_DATABASE_TEST_URL)
 
 
+@pytest.fixture()
+def test_auth():
+    return HTTPBasicAuth(username=TEST_USERNAME, password=TEST_PASSWORD)
+
+
 class TestSQLAlchemySession(SchemaExtension):
     def on_request_start(self):
         engine = create_engine(SQLALCHEMY_DATABASE_TEST_URL)