Authenticate/Authorise on resources (#5)

* Added PyJWT

* Resource API now requires authentication/authorisation

* Greeting makes use of the new read fixture

Author: MrMatAP

README.md

@@ -228,12 +228,18 @@ Configure the following clients as needed:
 * Access Type: confidential (but if it wasn't Keycloak, should be public)
 * Flow: Device Authorization Grant
 
-Keycloaks default polling interval during the device authorization flow is set to a rather long 600s. I strongly
-suggest to reduce that to 5s in the realm settings.
+Keycloak's default polling interval during the device authorization flow is set to a rather long 600s. I strongly
+suggest reducing that to 5s in the realm settings.
 
 ### Test Client
 
 * Suggested client_id: mrmat-python-api-flask-test
 * Access Type: confidential
 * Flow: Client Credentials Grant (Keycloak: "Service Accounts Enabled")
 
+### Scopes
+
+The resource API uses two scopes that need to be defined within the IDP:
+
+* mrmat-python-api-flask-resource-write - Permit create/modify/remove of resources
+* mrmat-python-api-flask-resource-read  - Permit reading resources

mrmat_python_api_flask/apis/resource/v1/api.py

@@ -23,6 +23,8 @@
 """Blueprint for the Resource API in V1
 """
 
+from typing import Tuple
+
 from werkzeug.local import LocalProxy
 from flask import Blueprint, request, g, current_app
 from marshmallow import ValidationError
@@ -34,59 +36,69 @@
 logger = LocalProxy(lambda: current_app.logger)
 
 
+def _extract_identity() -> Tuple:
+    return g.oidc_token_info['sub'], g.oidc_token_info['preferred_username']
+
+
 @bp.route('/', methods=['GET'])
-@oidc.accept_token(require_token=True)
+@oidc.accept_token(require_token=True, scopes_required=['mrmat-python-api-flask-resource-read'])
 def get_all():
-    logger.error('Error')
-    logger.warning('Warning')
-    logger.info('Info')
-    logger.debug(f'Called by {g.oidc_token_info["sub"]}')
+    identity = _extract_identity()
+    logger.info(f'Called by {identity[1]} ({identity[0]}')
     a = Resource.query.all()
     return {'resources': resources_schema.dump(a)}, 200
 
 
 @bp.route('/<i>', methods=['GET'])
-@oidc.accept_token(require_token=True)
+@oidc.accept_token(require_token=True, scopes_required=['mrmat-python-api-flask-resource-read'])
 def get_one(i: int):
+    identity = _extract_identity()
+    logger.info(f'Called by {identity[1]} ({identity[0]}')
     resource = Resource.query.filter(Resource.id == i).first_or_404()
     if resource is None:
         return {'status': 404, 'message': f'Unable to find entry with identifier {i} in database'}, 404
     return resource_schema.dump(resource), 200
 
 
 @bp.route('/', methods=['POST'])
-@oidc.accept_token(require_token=True)
+@oidc.accept_token(require_token=True, scopes_required=['mrmat-python-api-flask-resource-write'])
 def create():
+    identity = _extract_identity()
+    logger.info(f'Called by {identity[1]} ({identity[0]}')
     try:
         json_body = request.get_json()
         if not json_body:
             return {'message': 'No input data provided'}, 400
         body = resource_schema.load(request.get_json())
     except ValidationError as ve:
         return ve.messages, 422
-    resource = Resource(owner=body['owner'], name=body['name'])
+    resource = Resource(owner=identity[0], name=body['name'])
     db.session.add(resource)
     db.session.commit()
     return resource_schema.dump(resource), 201
 
 
 @bp.route('/<i>', methods=['PUT'])
-@oidc.accept_token(require_token=True)
+@oidc.accept_token(require_token=True, scopes_required=['mrmat-python-api-flask-resource-write'])
 def modify(i: int):
+    identity = _extract_identity()
+    logger.info(f'Called by {identity[1]} ({identity[0]}')
     body = resource_schema.load(request.get_json())
     resource = Resource.query.filter(Resource.id == i).one()
     if resource is None:
         return {'status': 404, 'message': 'Unable to find requested resource'}, 404
-    resource.owner = body['owner']
+    resource.owner = identity[0]
     resource.name = body['name']
     db.session.add(resource)
     db.session.commit()
     return resource_schema.dump(resource), 200
 
 
 @bp.route('/<i>', methods=['DELETE'])
-@oidc.accept_token(require_token=True)
+@oidc.accept_token(require_token=True, scopes_required=['mrmat-python-api-flask-resource-write'])
 def remove(i: int):
+    identity = _extract_identity()
+    logger.info(f'Called by {identity[1]} ({identity[0]}')
     resource = Resource.query.filter(Resource.id == i).one()
     if resource is None:
         return {'status': 410, 'message': 'Unable to find requested resource'}, 410

test-requirements.txt

@@ -4,3 +4,4 @@ pylint==2.8.3       # GPL-2.0-or-later
 flake8~=3.8.4       # MIT
 pytest~=6.2.2       # MIT
 pytest-cov~=2.11.1  # MIT
+pyjwt==2.1.0        # MIT

tests/conftest.py

@@ -25,6 +25,9 @@
 import json
 import pytest
 
+from typing import Optional, List, Dict
+
+import jwt
 import oauthlib.oauth2
 import requests_oauthlib
 
@@ -34,7 +37,28 @@
 
 
 @pytest.fixture
-def test_config():
+def test_config() -> Optional[Dict]:
+    """Read the test configuration file the FLASK_CONFIG environment variable points to
+
+    A token can only be obtained if the configuration file pointed to by the FLASK_CONFIG environment variable
+    contains required entries to set up OIDC for testing. An empty dict is returned if these are not present.
+    The following are required:
+
+    {
+        "web": {                This entry is required to be the very first entry. If you don't like that,
+                                then externalize it into a separate file and point to it via OIDC_CLIENT_SECRETS
+            "client_id":        Server side client_id
+            "client_secret":    Server-side client_secret
+            ...
+        },
+        "client": {
+            "client_id":        Test client client_id
+            "client_secret":    Test client secret
+            "preferred_name":   Asserted preferred_name of the client_id
+        "OIDC_CLIENT_SECRETS":  Point this to the same place as FLASK_CONFIG (to reduce the number of config files
+    Returns:
+        A dictionary of configuration or None if not configuration file is set
+    """
     if 'FLASK_CONFIG' not in os.environ:
         LOGGER.info('Missing test configuration via FLASK_CONFIG environment variable. Tests are limited')
         return None
@@ -60,39 +84,57 @@ def client():
         yield client
 
 
-@pytest.fixture
-def oidc_token(test_config):
+def oidc_token(config: Dict, scope: Optional[List]):
     """Obtain an OIDC token to be used for client testing.
-
-    A token can only be obtained if the configuration file pointed to by the FLASK_CONFIG environment variable
-    contains required entries to set up OIDC for testing. An empty dict is returned if these are not present.
-    The following are required:
-
-    {
-        "web": {                This entry is required to be the very first entry. If you don't like that,
-                                then externalize it into a separate file and point to it via OIDC_CLIENT_SECRETS
-            "client_id":        Server side client_id
-            "client_secret":    Server-side client_secret
-            ...
-        },
-        "client": {
-            "client_id":        Test client client_id
-            "client_secret":    Test client secret
-            "preferred_name":   Asserted preferred_name of the client_id
-        "OIDC_CLIENT_SECRETS":  Point this to the same place as FLASK_CONFIG (to reduce the number of config files
-
-    Yields:
+    Args:
+        config: Test configuration
+        scope: Optional scope to request a token for. Defaults to ['openid']
+    Returns:
         A dictionary containing the access token or None if configuration is lacking
     """
-    if test_config is None or 'client' not in test_config:
+    if test_config is None or 'client' not in config:
         LOGGER.info('Missing OIDC test client configuration. Tests will be limited')
         return None
     for key in ['client_id', 'client_secret', 'preferred_name']:
-        if key not in test_config['client']:
+        if key not in config['client']:
             LOGGER.info(f'Missing {key} in test client configuration. Tests will be limited')
             return None
-    client = oauthlib.oauth2.BackendApplicationClient(client_id=test_config['client']['client_id'])
+    if scope is None:
+        scope = ['openid']
+    elif 'openid' not in scope:
+        scope.insert(0, 'openid')
+    client = oauthlib.oauth2.BackendApplicationClient(client_id=config['client']['client_id'], scope=scope)
     oauth = requests_oauthlib.OAuth2Session(client=client)
-    return oauth.fetch_token(token_url=test_config['web']['token_uri'],
-                             client_id=test_config['client']['client_id'],
-                             client_secret=test_config['client']['client_secret'])
+    return oauth.fetch_token(token_url=config['web']['token_uri'],
+                             client_id=config['client']['client_id'],
+                             client_secret=config['client']['client_secret'])
+
+
+@pytest.fixture
+def oidc_token_read(test_config) -> Dict:
+    """ Return an OIDC token with scope 'mrmat-python-api-flask-resource-read'
+
+    Args:
+        test_config: The test configuration as per the test_config fixture
+
+    Returns:
+        A Dict containing the desired token structure
+    """
+    token = oidc_token(test_config, ['mrmat-python-api-flask-resource-read'])
+    token['jwt'] = jwt.decode(token['access_token'], options={"verify_signature": False})
+    return token
+
+
+@pytest.fixture
+def oidc_token_write(test_config) -> Dict:
+    """ Return an OIDC token with scope 'mrmat-python-api-flask-resource-write'
+
+    Args:
+        test_config: The test configuration as per the test_config fixture
+
+    Returns:
+        A Dict containing the desired token structure
+    """
+    token = oidc_token(test_config, ['mrmat-python-api-flask-resource-write'])
+    token['jwt'] = jwt.decode(token['access_token'], options={"verify_signature": False})
+    return token

tests/resource_api_client.py

@@ -27,34 +27,40 @@
 
 class ResourceAPIClient:
     client: FlaskClient
+    token: Dict
 
-    def __init__(self, client: FlaskClient):
+    _headers: Dict = {}
+
+    def __init__(self, client: FlaskClient, token: Optional[Dict]):
         self.client = client
+        self.token = token
+        if token is not None:
+            self._headers = {'Authorization': f'Bearer {token["access_token"]}'}
 
     def get_all(self) -> Tuple:
-        resp: Response = self.client.get('/api/resource/v1/')
+        resp: Response = self.client.get('/api/resource/v1/', headers=self._headers)
         resp_body = self._parse_body(resp)
         return resp, resp_body
 
     def get_one(self, i: Optional[int]) -> Tuple:
-        resp: Response = self.client.get(f'/api/resource/v1/{i}')
+        resp: Response = self.client.get(f'/api/resource/v1/{i}', headers=self._headers)
         resp_body = self._parse_body(resp)
         return resp, resp_body
 
-    def create(self, name: str, owner: str) -> Tuple:
-        req_body = {'owner': owner, 'name': name}
-        resp: Response = self.client.post('/api/resource/v1/', json=req_body)
+    def create(self, name: str) -> Tuple:
+        req_body = {'name': name}
+        resp: Response = self.client.post('/api/resource/v1/', json=req_body, headers=self._headers)
         resp_body = self._parse_body(resp)
         return resp, resp_body
 
-    def modify(self, i: Optional[int], name: str, owner: str) -> Tuple:
-        req_body = {'owner': owner, 'name': name}
-        resp: Response = self.client.put(f'/api/resource/v1/{i}', json=req_body)
+    def modify(self, i: Optional[int], name: str) -> Tuple:
+        req_body = {'name': name}
+        resp: Response = self.client.put(f'/api/resource/v1/{i}', json=req_body, headers=self._headers)
         resp_body = self._parse_body(resp)
         return resp, resp_body
 
     def remove(self, i: Optional[int]) -> Tuple:
-        resp: Response = self.client.delete(f'/api/resource/v1/{i}')
+        resp: Response = self.client.delete(f'/api/resource/v1/{i}', headers=self._headers)
         resp_body = self._parse_body(resp)
         return resp, resp_body
 

tests/test_greeting_v3.py

@@ -27,10 +27,11 @@
 from flask.testing import FlaskClient
 
 
-def test_greeting_v3(client: FlaskClient, test_config: Dict, oidc_token: Optional[Dict]):
-    if oidc_token is None:
+def test_greeting_v3(client: FlaskClient, test_config: Dict, oidc_token_read: Optional[Dict]):
+    if oidc_token_read is None:
         pytest.skip('Skip test because there is no OIDC client configuration')
-    rv: Response = client.get('/api/greeting/v3/', headers={'Authorization': f'Bearer {oidc_token["access_token"]}'})
+    rv: Response = client.get('/api/greeting/v3/',
+                              headers={'Authorization': f'Bearer {oidc_token_read["access_token"]}'})
     assert rv.status_code == 200
     json_body = rv.get_json()
     assert 'message' in json_body