Release v1.0.0 (#19)

* Fix develop dockerfile

* Change keycloak urls

* Fix develop workflow tag

* Fix production workflow

* Change log message

* Change config

* Add health check

* Fix health check

* Add ready health endpoint

* Fix issue

* Change workflow filenames

* Eoepca 910 um keycloak develop an identity api based on keycloak api (#17)

* feat: policies endpoints added, not completely

* feat: working on update policies

* feat: all remaining added, still policy update not working, create and update scope based permission not working

* feat: last resource permissions endpoints added and working

* fix: changed pyyaml version from 5.4.1 to 5.3.1

* feat: endpoints changed

* Update README

* Update config

* Update config

* Update config

* Api testing (#18)

* feat: added client_id as param to enpoints and other fixes

* added changes for permissions endpoints

* Update ci

* Update ci

* Release v1.0.0

---------

Co-authored-by: flaviorosadme <82375986+flaviorosadme@users.noreply.github.com>

.github/workflows/develop-docker-publish.yml → .github/workflows/docker-publish-develop.yml

@@ -6,8 +6,6 @@ name: Docker
 # documentation.
 
 on:
-  schedule:
-    - cron: '29 9 * * *'
   push:
     branches: [ "develop" ]
     # Publish semver tags as releases.
@@ -66,7 +64,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=raw,value=development
+            type=raw,value=develop
             type=ref,event=tag
 
       # Build and push Docker image with Buildx (don't push on PR)
@@ -96,3 +94,23 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+#      - name: Extract metadata (tags, labels) for Docker
+#        id: docker_meta
+#        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+#        with:
+#          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+#
+#      - name: Build and push Docker image
+#        uses: docker/build-push-action@v2
+#        with:
+#          context: "{{defaultContext}}"
+#          push: true
+#          tags: ${{ steps.docker_meta.outputs.tags }}
+#          labels: ${{ steps.docker_meta.outputs.labels }}

.github/workflows/production-docker-publish.yml → .github/workflows/docker-publish-master.yml

@@ -6,14 +6,12 @@ name: Docker
 # documentation.
 
 on:
-  schedule:
-    - cron: '29 9 * * *'
   push:
-    branches: [ "master", "develop" ]
+    branches: [ "master" ]
     # Publish semver tags as releases.
     tags: [ 'v*.*.*' ]
   pull_request:
-    branches: [ "master", "develop" ]
+    branches: [ "master" ]
 
 env:
   # Use docker.io for Docker Hub if empty
@@ -96,3 +94,23 @@ jobs:
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+#      - name: Extract metadata (tags, labels) for Docker
+#        id: docker_meta
+#        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+#        with:
+#          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+#
+#      - name: Build and push Docker image
+#        uses: docker/build-push-action@v2
+#        with:
+#          context: "{{defaultContext}}"
+#          push: true
+#          tags: ${{ steps.docker_meta.outputs.tags }}
+#          labels: ${{ steps.docker_meta.outputs.labels }}

README.md

@@ -108,21 +108,21 @@ cd um-identity-api
 
     5.1 Run locally with Python
     ```sh
-    pip install -r requirements.txt
-    python src/app.py
+    pip install -r requirements.local.txt
+    python -m "flask" run --host=0.0.0.0 --port=5566
     ```
     5.2 Run locally with Docker
     ```sh
-    docker build . --progress=plain -t um-identity-api:latest
-    docker run --rm -dp 5566:5566 --name um-identity-api --network eoepcanetwork um-identity-api:latest
+    docker build . --progress=plain -t um-identity-api:develop
+    docker run --rm -dp 5566:5566 --name um-identity-api um-identity-api:develop
     ```
     5.3 Run develop branch with Docker
     ```sh
-    docker run --rm -dp 5566:5566 --name um-identity-api --network eoepcanetwork ghcr.io/eoepca/um-identity-api:develop
+    docker run --rm -dp 5566:5566 --name um-identity-api ghcr.io/eoepca/um-identity-api:develop
     ```
     5.4 Run master branch with Docker
     ```sh
-    docker run --rm -dp 5566:5566 --name um-identity-api --network eoepcanetwork ghcr.io/eoepca/um-identity-api:production
+    docker run --rm -dp 5566:5566 --name um-identity-api ghcr.io/eoepca/um-identity-api:production
     ```
 
 ## Documentation

conf/config.ini

@@ -1,10 +1,9 @@
 [Keycloak]
-auth_server_url = http://localhost:8080
+auth_server_url = http://localhost:8080/
 admin_username = admin
-admin_password = admin
-realm = demo
-resource_server_endpoint = https://dummy-service.develop.eoepca.org
+admin_password = CHANGE ME
+realm = master
 [Swagger]
 swagger_url = /swagger-ui
 swagger_api_url = /swagger-ui-api
-swagger_app_name = Identity API
+swagger_app_name = Identity API

requirements.txt

@@ -4,11 +4,12 @@ requests==2.25.1
 flask-swagger-ui==4.11.1
 python-keycloak==3.2.0
 mock==5.0.2
-pyyaml==5.4.1
+pyyaml==5.3.1
 elasticsearch==8.8.0
 lxml==4.9.2
 configparser==5.3.0
 waitress==2.1.2
 python-dotenv==1.0.0
 retry==0.9.2
-identityutils @ git+https://github.com/eoepca/um-identity-service@develop
+flask-healthz==0.0.3
+identityutils @ git+https://github.com/eoepca/um-identity-service@master

src/app.py

@@ -18,12 +18,13 @@
 from identityutils.configuration import load_configuration
 from identityutils.keycloak_client import KeycloakClient
 from retry.api import retry_call
+from flask_healthz import healthz, HealthError
 
 logger.Logger.get_instance().load_configuration(os.path.join(os.path.dirname(__file__), "../conf/logging.yaml"))
 logger = logging.getLogger("IDENTITY_API")
 
 mode = os.environ.get('FLASK_ENV')
-logger.info("mode " + str(mode))
+logger.info("Starting app in mode: " + str(mode))
 if mode == 'develop':
     config_file = "config.develop.ini"
 elif mode == 'demo':
@@ -34,14 +35,18 @@
     config_file = "config.ini"
 config_path = os.path.join(os.path.dirname(__file__), "../conf/", config_file)
 
+app = Flask(__name__)
+app.secret_key = ''.join(choice(ascii_lowercase) for _ in range(30))  # Random key
+app.config['HEALTHZ'] = {
+    "live": lambda: None,
+    "ready": lambda: None
+}
 
-def identity_api(config, keycloak):
-    api = Flask(__name__)
-    api.secret_key = ''.join(choice(ascii_lowercase) for _ in range(30))  # Random key
-    api.register_blueprint(resources.construct_blueprint(keycloak_client=keycloak))
-    api.register_blueprint(policies.construct_blueprint(keycloak_client=keycloak))
-    api.register_blueprint(permissions.construct_blueprint(keycloak_client=keycloak))
-
+def register_endpoints(config, keycloak):
+    app.register_blueprint(resources.construct_blueprint(keycloak_client=keycloak))
+    app.register_blueprint(policies.construct_blueprint(keycloak_client=keycloak))
+    app.register_blueprint(permissions.construct_blueprint(keycloak_client=keycloak))
+    app.register_blueprint(healthz, url_prefix="/health")
     swagger_spec_resources = json.load(open(os.path.join(os.path.dirname(__file__), "../conf/swagger.json")))
     swaggerui_resources_blueprint = get_swaggerui_blueprint(
         config.get('Swagger', 'swagger_url'),
@@ -51,18 +56,16 @@ def identity_api(config, keycloak):
             'spec': swagger_spec_resources
         },
     )
-    api.register_blueprint(swaggerui_resources_blueprint)
-
-    return api
+    app.register_blueprint(swaggerui_resources_blueprint)
 
 
 def keycloak_client(config):
+    logger.info("config: " + str(config))
     auth_server_url = config.get("Keycloak", "auth_server_url")
     realm = config.get("Keycloak", "realm")
-    logger.info("Starting Keycloak client for: " + str(auth_server_url) + ", realm: " + str(realm))
+    logger.info("Starting Keycloak client for: " + str(auth_server_url) + " realm: " + str(realm))
     return KeycloakClient(server_url=auth_server_url,
                           realm=realm,
-                          resource_server_endpoint=config.get("Keycloak", "resource_server_endpoint"),
                           username=config.get("Keycloak", "admin_username"),
                           password=config.get("Keycloak", "admin_password")
                           )
@@ -73,4 +76,5 @@ def create_app():
     config = load_configuration(config_path)
     keycloak = retry_call(keycloak_client, fargs=[config], exceptions=(KeycloakConnectionError, NewConnectionError),
                           delay=0.5, backoff=1.2, jitter=(1, 2), logger=logger)
-    return identity_api(config, keycloak)
+    register_endpoints(config, keycloak)
+    return app

src/blueprints/permissions.py

@@ -1,8 +1,49 @@
-from flask import Blueprint
+from flask import Blueprint, request
 
 
 def construct_blueprint(keycloak_client):
     keycloak_client = keycloak_client
     permissions = Blueprint('permissions', __name__)
 
+    @permissions.route("/<client_id>/permissions", methods=["GET"])
+    def get_client_authz_permissions(client_id: str):
+        return keycloak_client.get_client_authz_permissions(client_id)
+
+    @permissions.route("/<client_id>/permissions/management", methods=["GET"])
+    def get_client_management_permissions(client_id: str):
+        return keycloak_client.get_client_management_permissions(client_id)
+
+    @permissions.route("/<client_id>/permissions/resources", methods=["GET"])
+    def get_client_resource_permissions(client_id: str):
+        return keycloak_client.get_client_resource_permissions(client_id)
+
+    #@permissions.route("/client_authz_scope_permissions/<client_id>/<scope_id>", methods=["GET"])
+    #def get_client_authz_scope_permissions(client_id: str, scope_id: str):
+    #    return keycloak_client.get_client_authz_scope_permissions(client_id, scope_id)
+
+    #@permissions.route("/client_authz_scope_permissions/<client_id>", methods=["POST"])
+    #def create_client_authz_scope_based_permissions(client_id: str):
+    #    payload = request.get_json()
+    #    return keycloak_client.create_client_authz_scope_based_permission(client_id, payload)
+
+    @permissions.route("/<client_id>/permissions/resources", methods=["POST"])
+    def create_client_authz_resource_based_permission(client_id: str):
+        payload = request.get_json()
+        return keycloak_client.create_client_authz_resource_based_permission(client_id, payload)
+
+    @permissions.route("/<client_id>/permissions/management", methods=["PUT"])
+    def update_client_management_permissions(client_id: str):
+        payload = request.get_json()
+        return keycloak_client.update_client_management_permissions(client_id, payload)
+
+    @permissions.route("/<client_id>/permissions/resources/<permission_id>", methods=["PUT"])
+    def update_client_authz_resource_permission(client_id: str, permission_id):
+        payload = request.get_json()
+        return keycloak_client.update_client_authz_resource_permission(client_id, payload, permission_id)
+
+    #@permissions.route("/<client_id>/permissions/scopes/<scope_id>", methods=["PUT"])
+    #def update_client_authz_scope_permissions(client_id: str, scope_id):
+    #    payload = request.get_json()
+    #    return keycloak_client.update_client_authz_scope_permission(client_id,  payload, scope_id)
+
     return permissions