Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOP-21482] - implement unit tests for KeycloakAuthProvider #133

Merged
merged 5 commits into from
Nov 19, 2024
Merged

[DOP-21482] - implement unit tests for KeycloakAuthProvider #133

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
74fba53
[DOP-21482] - implement unit tests for KeycloakAuthProvider
maxim-lixakov Nov 18, 2024
c7ff5a6
[DOP-21482] - move keycloak test configs to fixtures
maxim-lixakov Nov 18, 2024
f751a87
[DOP-21482] - removed keycloak settings from TestSettings
maxim-lixakov Nov 19, 2024
6775a5c
[DOP-21482] - add test with expired access_token
maxim-lixakov Nov 19, 2024
07d71c0
[DOP-21482] - add cookie comparison
maxim-lixakov Nov 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .env.docker
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@db:5432/syncm

# TODO: add to KeycloakAuthProvider documentation about creating new realms, add users, etc.
# KEYCLOAK Auth
SYNCMASTER__AUTH__SERVER_URL=http://keycloak:8080/
SYNCMASTER__AUTH__SERVER_URL=http://keycloak:8080
SYNCMASTER__AUTH__REALM_NAME=manually_created
SYNCMASTER__AUTH__CLIENT_ID=manually_created
SYNCMASTER__AUTH__CLIENT_SECRET=generated_by_keycloak
Expand Down
11 changes: 10 additions & 1 deletion .env.local
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,16 @@ export SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
# Postgres
export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster

# Auth
# Keycloack Auth
export SYNCMASTER__AUTH__SERVER_URL=http://keycloak:8080
export SYNCMASTER__AUTH__REALM_NAME=manually_created
export SYNCMASTER__AUTH__CLIENT_ID=manually_created
export SYNCMASTER__AUTH__CLIENT_SECRET=generated_by_keycloak
export SYNCMASTER__AUTH__REDIRECT_URI=http://localhost:8000/auth/callback
export SYNCMASTER__AUTH__SCOPE=email
export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak_provider.KeycloakAuthProvider

# Dummy Auth
export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=secret

Expand Down
45 changes: 32 additions & 13 deletions poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ onetl = {extras = ["spark", "s3", "hdfs"], version = "^0.12.0"}
faker = ">=28.4.1,<34.0.0"
coverage = "^7.6.1"
gevent = "^24.2.1"
responses = "*"

[tool.poetry.group.dev.dependencies]
mypy = "^1.11.2"
Expand Down
2 changes: 2 additions & 0 deletions syncmaster/backend/providers/auth/keycloak_provider.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ async def get_current_user(self, access_token: str, *args, **kwargs) -> Any:
self.redirect_to_auth(request.url.path)

try:
# if user is disabled or blocked in Keycloak after the token is issued, he will
# remain authorized until the token expires (not more than 15 minutes in MTS SSO)
token_info = self.keycloak_openid.decode_token(token=access_token)
except Exception as e:
log.info("Access token is invalid or expired: %s", e)
Expand Down
7 changes: 4 additions & 3 deletions tests/conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@

pytest_plugins = [
"tests.test_unit.test_transfers.transfer_fixtures",
"tests.test_unit.test_auth.auth_fixtures",
"tests.test_unit.test_runs.run_fixtures",
"tests.test_unit.test_connections.connection_fixtures",
"tests.test_unit.test_scheduler.scheduler_fixtures",
Expand Down Expand Up @@ -64,9 +65,9 @@ def event_loop():
loop.close()


@pytest.fixture(scope="session")
def settings():
return Settings()
@pytest.fixture(scope="session", params=[{}])
def settings(request: pytest.FixtureRequest) -> Settings:
return Settings.parse_obj(request.param)


@pytest.fixture(scope="session")
Expand Down
Empty file added tests/test_unit/test_auth/__init__.py
View file
Open in desktop
Empty file.
7 changes: 7 additions & 0 deletions tests/test_unit/test_auth/auth_fixtures/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
from tests.test_unit.test_auth.auth_fixtures.keycloak_fixture import (
create_session_cookie,
mock_keycloak_realm,
mock_keycloak_token_refresh,
mock_keycloak_well_known,
rsa_keys,
)
158 changes: 158 additions & 0 deletions tests/test_unit/test_auth/auth_fixtures/keycloak_fixture.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,158 @@
import json
import time
from base64 import b64encode

import pytest
import responses
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from itsdangerous import TimestampSigner
from jose import jwt


@pytest.fixture(scope="session")
def rsa_keys():
# create private & public keys to emulate Keycloak signing
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
private_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
public_key = private_key.public_key()

return {
"private_key": private_key,
"private_pem": private_pem,
"public_key": public_key,
}


def get_public_key_pem(public_key):
public_pem = public_key.public_bytes(
encoding=Encoding.PEM,
format=PublicFormat.SubjectPublicKeyInfo,
)
public_pem_str = public_pem.decode("utf-8")
public_pem_str = public_pem_str.replace("-----BEGIN PUBLIC KEY-----\n", "")
public_pem_str = public_pem_str.replace("-----END PUBLIC KEY-----\n", "")
public_pem_str = public_pem_str.replace("\n", "")
return public_pem_str


@pytest.fixture
def create_session_cookie(rsa_keys, settings):
def _create_session_cookie(user, expire_in_msec=1000) -> str:
private_pem = rsa_keys["private_pem"]
session_secret_key = settings.server.session.secret_key

payload = {
"sub": str(user.id),
"preferred_username": user.username,
"email": user.email,
"given_name": user.first_name,
"middle_name": user.middle_name,
"family_name": user.last_name,
"exp": int(time.time()) + (expire_in_msec / 1000),
}

access_token = jwt.encode(payload, private_pem, algorithm="RS256")
refresh_token = "mock_refresh_token"

session_data = {
"access_token": access_token,
"refresh_token": refresh_token,
}

signer = TimestampSigner(session_secret_key)
json_bytes = json.dumps(session_data).encode("utf-8")
base64_bytes = b64encode(json_bytes)
signed_data = signer.sign(base64_bytes)
session_cookie = signed_data.decode("utf-8")

return session_cookie

return _create_session_cookie


@pytest.fixture
def mock_keycloak_well_known(settings):
server_url = settings.auth.server_url
realm_name = settings.auth.client_id
well_known_url = f"{server_url}/realms/{realm_name}/.well-known/openid-configuration"

responses.add(
responses.GET,
well_known_url,
json={
"authorization_endpoint": f"{server_url}/realms/{realm_name}/protocol/openid-connect/auth",
"token_endpoint": f"{server_url}/realms/{realm_name}/protocol/openid-connect/token",
"userinfo_endpoint": f"{server_url}/realms/{realm_name}/protocol/openid-connect/userinfo",
"end_session_endpoint": f"{server_url}/realms/{realm_name}/protocol/openid-connect/logout",
"jwks_uri": f"{server_url}/realms/{realm_name}/protocol/openid-connect/certs",
"issuer": f"{server_url}/realms/{realm_name}",
},
status=200,
content_type="application/json",
)


@pytest.fixture
def mock_keycloak_realm(settings, rsa_keys):
server_url = settings.auth.server_url
realm_name = settings.auth.client_id
realm_url = f"{server_url}/realms/{realm_name}"
public_pem_str = get_public_key_pem(rsa_keys["public_key"])

responses.add(
responses.GET,
realm_url,
json={
"realm": realm_name,
"public_key": public_pem_str,
"token-service": f"{server_url}/realms/{realm_name}/protocol/openid-connect/token",
"account-service": f"{server_url}/realms/{realm_name}/account",
},
status=200,
content_type="application/json",
)


@pytest.fixture
def mock_keycloak_token_refresh(settings, rsa_keys):
server_url = settings.auth.server_url
realm_name = settings.auth.client_id
token_url = f"{server_url}/realms/{realm_name}/protocol/openid-connect/token"

# generate new access and refresh tokens
expires_in = int(time.time()) + 1000
private_pem = rsa_keys["private_pem"]
payload = {
"sub": "mock_user_id",
"preferred_username": "mock_username",
"email": "mock_email@example.com",
"given_name": "Mock",
"middle_name": "User",
"family_name": "Name",
"exp": expires_in,
}

new_access_token = jwt.encode(payload, private_pem, algorithm="RS256")
new_refresh_token = "mock_new_refresh_token"

responses.add(
responses.POST,
token_url,
json={
"access_token": new_access_token,
"refresh_token": new_refresh_token,
"token_type": "bearer",
"expires_in": expires_in,
},
status=200,
content_type="application/json",
)
Loading
Loading