Merge pull request #25 from SyntaxArc/keycloak

Keycloak

Author: HosseinNejatiJavaremi

archipy/adapters/keycloak/adapters.py

@@ -352,19 +352,16 @@ def has_role(self, token: str, role_name: str) -> bool:
         """
         # Not caching this result as token validation is time-sensitive
         try:
-            token_info = self.openid_adapter.decode_token(
-                token,
-                key=self.get_public_key(),
-            )
+            user_info = self.get_userinfo(token)
 
             # Check realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             roles = realm_access.get("roles", [])
             if role_name in roles:
                 return True
 
             # Check client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 client_roles = client.get("roles", [])
                 if role_name in client_roles:
@@ -387,19 +384,16 @@ def has_any_of_roles(self, token: str, role_names: set[str]) -> bool:
             True if user has any of the roles, False otherwise
         """
         try:
-            token_info = self.openid_adapter.decode_token(
-                token,
-                key=self.get_public_key(),
-            )
+            user_info = self.get_userinfo(token)
 
             # Check realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             roles = set(realm_access.get("roles", []))
             if role_names.intersection(roles):
                 return True
 
             # Check client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 client_roles = set(client.get("roles", []))
                 if role_names.intersection(client_roles):
@@ -422,20 +416,17 @@ def has_all_roles(self, token: str, role_names: set[str]) -> bool:
             True if user has all of the roles, False otherwise
         """
         try:
-            token_info = self.openid_adapter.decode_token(
-                token,
-                key=self.get_public_key(),
-            )
+            user_info = self.get_userinfo(token)
 
             # Get all user roles
             all_roles = set()
 
             # Add realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             all_roles.update(realm_access.get("roles", []))
 
             # Add client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 all_roles.update(client.get("roles", []))
 
@@ -1349,19 +1340,16 @@ async def has_role(self, token: str, role_name: str) -> bool:
         """
         # Not caching this result as token validation is time-sensitive
         try:
-            token_info = await self.openid_adapter.a_decode_token(
-                token,
-                key=await self.get_public_key(),
-            )
+            user_info = await self.get_userinfo(token)
 
             # Check realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             roles = realm_access.get("roles", [])
             if role_name in roles:
                 return True
 
             # Check client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 client_roles = client.get("roles", [])
                 if role_name in client_roles:
@@ -1384,19 +1372,16 @@ async def has_any_of_roles(self, token: str, role_names: set[str]) -> bool:
             True if user has any of the roles, False otherwise
         """
         try:
-            token_info = await self.openid_adapter.a_decode_token(
-                token,
-                key=await self.get_public_key(),
-            )
+            user_info = await self.get_userinfo(token)
 
             # Check realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             roles = set(realm_access.get("roles", []))
             if role_names.intersection(roles):
                 return True
 
             # Check client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 client_roles = set(client.get("roles", []))
                 if role_names.intersection(client_roles):
@@ -1419,20 +1404,17 @@ async def has_all_roles(self, token: str, role_names: set[str]) -> bool:
             True if user has all of the roles, False otherwise
         """
         try:
-            token_info = await self.openid_adapter.a_decode_token(
-                token,
-                key=await self.get_public_key(),
-            )
+            user_info = await self.get_userinfo(token)
 
             # Get all user roles
             all_roles = set()
 
             # Add realm roles
-            realm_access = token_info.get("realm_access", {})
+            realm_access = user_info.get("realm_access", {})
             all_roles.update(realm_access.get("roles", []))
 
             # Add client roles
-            resource_access = token_info.get("resource_access", {})
+            resource_access = user_info.get("resource_access", {})
             for client in resource_access.values():
                 all_roles.update(client.get("roles", []))
 

archipy/helpers/utils/keycloak_utils.py

@@ -0,0 +1,212 @@
+from fastapi import Depends, Request, Security
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from archipy.adapters.keycloak.adapters import AsyncKeycloakAdapter, KeycloakAdapter
+from archipy.models.errors import InvalidArgumentError, PermissionDeniedError, TokenExpiredError, UnauthenticatedError
+from archipy.models.types.language_type import LanguageType
+
+# Enhanced security scheme with OpenAPI documentation
+security = HTTPBearer(scheme_name="OAuth2", description="OAuth2 Access Token", auto_error=False)
+
+# Default language for errors
+DEFAULT_LANG = LanguageType.FA
+
+
+class KeycloakUtils:
+    @staticmethod
+    def _get_keycloak_adapter() -> KeycloakAdapter:
+        return KeycloakAdapter()
+
+    @staticmethod
+    def _get_async_keycloak_adapter() -> AsyncKeycloakAdapter:
+        return AsyncKeycloakAdapter()
+
+    @classmethod
+    # Synchronous decorator
+    def fastapi_auth(
+        cls,
+        resource_type_param: str | None = None,
+        resource_type: str | None = None,
+        required_roles: set[str] | None = None,
+        all_roles_required: bool = False,
+        required_permissions: list[tuple[str, str]] | None = None,
+        admin_roles: set[str] | None = None,
+        lang: LanguageType = DEFAULT_LANG,
+    ):
+        """FastAPI decorator for Keycloak authentication and resource-based authorization.
+
+        Args:
+            resource_type_param: The parameter name in the path (e.g., 'user_uuid', 'employee_uuid')
+            resource_type: The type of resource being accessed (e.g., 'users', 'employees')
+            required_roles: Set of role names that the user must have
+            all_roles_required: If True, user must have all specified roles; if False, any role is sufficient
+            required_permissions: List of (resource, scope) tuples to check
+            admin_roles: Set of roles that grant administrative access to all resources
+            lang: Language for error messages
+        Raises:
+            UnauthenticatedError: If no valid Authorization header is provided
+            InvalidTokenError: If token is invalid
+            TokenExpiredError: If token is expired
+            PermissionDeniedError: If user lacks required roles, permissions, or resource access
+            InvalidArgumentError: If resource_type_param is missing when resource_type is provided
+        """
+
+        def dependency(
+            request: Request,
+            token: HTTPAuthorizationCredentials | None = Security(security),
+            keycloak: KeycloakAdapter = Depends(cls._get_keycloak_adapter),
+        ):
+            if token is None:
+                raise UnauthenticatedError()
+            token_str = token.credentials  # Extract the token string
+            # Validate token
+            if not keycloak.validate_token(token_str):
+                token_info = keycloak.introspect_token(token_str)
+                if not token_info.get("active", False):
+                    raise TokenExpiredError(lang=lang)
+
+            # Get user info from token
+            user_info = keycloak.get_userinfo(token_str)
+            token_info = keycloak.get_token_info(token_str)
+
+            # Resource-based authorization if resource type is provided
+            if resource_type and resource_type_param:
+                # Extract resource UUID from path parameters
+                resource_uuid = request.path_params.get(resource_type_param)
+                if not resource_uuid:
+                    raise InvalidArgumentError(argument_name=resource_type_param, lang=lang)
+
+                # Verify resource exists and user has access
+                user_uuid = user_info.get("sub")
+
+                # Check if resource exists
+                resource_user = keycloak.get_user_by_id(resource_uuid)
+                if not resource_user:
+                    raise PermissionDeniedError(lang=lang)
+
+                # Authorization check: either owns the resource or has admin privileges
+                has_admin_privileges = admin_roles and keycloak.has_any_of_roles(token_str, admin_roles)
+                if user_uuid != resource_uuid and not has_admin_privileges:
+                    raise PermissionDeniedError(
+                        lang=lang,
+                        additional_data={"resource_type": resource_type, "resource_id": resource_uuid},
+                    )
+
+            # Check additional roles if specified
+            if required_roles:
+                if all_roles_required:
+                    if not keycloak.has_all_roles(token_str, required_roles):
+                        raise PermissionDeniedError(lang=lang)
+                elif not keycloak.has_any_of_roles(token_str, required_roles):
+                    raise PermissionDeniedError(lang=lang)
+
+            # Check permissions if specified
+            if required_permissions:
+                for resource, scope in required_permissions:
+                    if not keycloak.check_permissions(token_str, resource, scope):
+                        raise PermissionDeniedError(
+                            lang=lang,
+                            additional_data={"required_permission": f"{resource}#{scope}"},
+                        )
+
+            # Add user info to request state
+            request.state.user_info = user_info
+            request.state.token_info = token_info
+            return user_info
+
+        return dependency
+
+    @classmethod
+    def async_fastapi_auth(
+        cls,
+        resource_type_param: str | None = None,
+        resource_type: str | None = None,
+        required_roles: set[str] | None = None,
+        all_roles_required: bool = False,
+        required_permissions: list[tuple[str, str]] | None = None,
+        admin_roles: set[str] | None = None,
+        lang: LanguageType = DEFAULT_LANG,
+    ):
+        """FastAPI async decorator for Keycloak authentication and resource-based authorization.
+
+        Args:
+            resource_type_param: The parameter name in the path (e.g., 'user_uuid', 'employee_uuid')
+            resource_type: The type of resource being accessed (e.g., 'users', 'employees')
+            required_roles: Set of role names that the user must have
+            all_roles_required: If True, user must have all specified roles; if False, any role is sufficient
+            required_permissions: List of (resource, scope) tuples to check
+            admin_roles: Set of roles that grant administrative access to all resources
+            lang: Language for error messages
+        Raises:
+            UnauthenticatedError: If no valid Authorization header is provided
+            InvalidTokenError: If token is invalid
+            TokenExpiredError: If token is expired
+            PermissionDeniedError: If user lacks required roles, permissions, or resource access
+            InvalidArgumentError: If resource_type_param is missing when resource_type is provided
+        """
+
+        async def dependency(
+            request: Request,
+            token: HTTPAuthorizationCredentials = Security(security),
+            keycloak: AsyncKeycloakAdapter = Depends(cls._get_async_keycloak_adapter),
+        ):
+            if token is None:
+                raise UnauthenticatedError()
+            token_str = token.credentials  # Extract the token string
+            # Validate token
+            if not await keycloak.validate_token(token_str):
+                # TODO
+                token_info = await keycloak.introspect_token(token_str)
+                if not token_info.get("active", False):
+                    raise TokenExpiredError(lang=lang)
+
+            # Get user info from token
+            user_info = await keycloak.get_userinfo(token_str)
+            token_info = await keycloak.get_token_info(token_str)
+
+            # Resource-based authorization if resource type is provided
+            if resource_type and resource_type_param:
+                # Extract resource UUID from path parameters
+                resource_uuid = request.path_params.get(resource_type_param)
+                if not resource_uuid:
+                    raise InvalidArgumentError(argument_name=resource_type_param, lang=lang)
+
+                # Verify resource exists and user has access
+                user_uuid = user_info.get("sub")
+
+                # Check if resource exists
+                resource_user = await keycloak.get_user_by_id(resource_uuid)
+                if not resource_user:
+                    raise PermissionDeniedError(lang=lang)
+
+                # Authorization check: either owns the resource or has admin privileges
+                has_admin_privileges = admin_roles and await keycloak.has_any_of_roles(token_str, admin_roles)
+                if user_uuid != resource_uuid and not has_admin_privileges:
+                    raise PermissionDeniedError(
+                        lang=lang,
+                        additional_data={"resource_type": resource_type, "resource_id": resource_uuid},
+                    )
+
+            # Check additional roles if specified
+            if required_roles:
+                if all_roles_required:
+                    if not await keycloak.has_all_roles(token_str, required_roles):
+                        raise PermissionDeniedError(lang=lang)
+                elif not await keycloak.has_any_of_roles(token_str, required_roles):
+                    raise PermissionDeniedError(lang=lang)
+
+            # Check permissions if specified
+            if required_permissions:
+                for resource, scope in required_permissions:
+                    if not await keycloak.check_permissions(token_str, resource, scope):
+                        raise PermissionDeniedError(
+                            lang=lang,
+                            additional_data={"required_permission": f"{resource}#{scope}"},
+                        )
+
+            # Add user info to request state
+            request.state.user_info = user_info
+            request.state.token_info = token_info
+            return user_info
+
+        return dependency