zmp-authentication-provider 0.1.0__tar.gz

zmp_authentication_provider-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Cloud Z MP
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

zmp_authentication_provider-0.1.0/PKG-INFO

@@ -0,0 +1,26 @@
+Metadata-Version: 2.3
+Name: zmp-authentication-provider
+Version: 0.1.0
+Summary: This is a library project for the authentication using the basic auth and oidc
+Author: Kilsoo Kang
+Author-email: kilsoo75@gmail.com
+Requires-Python: >=3.12,<4.0
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: cryptography (>=45.0.3,<46.0.0)
+Requires-Dist: fastapi (>=0.115.11,<0.116.0)
+Requires-Dist: motor (>=3.7.0,<4.0.0)
+Requires-Dist: pydantic (>=2.10.6)
+Requires-Dist: pydantic-settings (>=2.9.1,<3.0.0)
+Requires-Dist: pyjwt (>=2.10.1,<3.0.0)
+Requires-Dist: pymongo (>=4.12.0,<5.0.0)
+Requires-Dist: python-dotenv (>=1.0.1,<2.0.0)
+Requires-Dist: requests (>=2.32.3,<3.0.0)
+Project-URL: Bug Tracker, https://github.com/cloudz-mp/zmp-authentication-provider/issues
+Project-URL: Documentation, https://github.com/cloudz-mp/zmp-authentication-provider
+Project-URL: Homepage, https://github.com/cloudz-mp
+Project-URL: Repository, https://github.com/cloudz-mp/zmp-authentication-provider
+Description-Content-Type: text/markdown
+
+

zmp_authentication_provider-0.1.0/pyproject.toml

@@ -0,0 +1,80 @@
+[project]
+name = "zmp-authentication-provider"
+version = "0.1.0"
+description = "This is a library project for the authentication using the basic auth and oidc"
+authors = [
+    {name = "Kilsoo Kang",email = "kilsoo75@gmail.com"}
+]
+readme = "README.md"
+requires-python = ">=3.12,<4.0"
+dependencies = [
+    "pydantic (>=2.10.6)",
+    "pydantic-settings (>=2.9.1,<3.0.0)",
+    "fastapi (>=0.115.11,<0.116.0)",
+    "python-dotenv (>=1.0.1,<2.0.0)",
+    "pyjwt (>=2.10.1,<3.0.0)",
+    "requests (>=2.32.3,<3.0.0)",
+    "cryptography (>=45.0.3,<46.0.0)",
+    "pymongo (>=4.12.0,<5.0.0)",
+    "motor (>=3.7.0,<4.0.0)",
+]
+
+[project.urls]
+homepage = "https://github.com/cloudz-mp"
+repository = "https://github.com/cloudz-mp/zmp-authentication-provider"
+documentation = "https://github.com/cloudz-mp/zmp-authentication-provider"
+"Bug Tracker" = "https://github.com/cloudz-mp/zmp-authentication-provider/issues"
+
+[tool.poetry]
+packages = [{include = "zmp_authentication_provider", from = "src"}]
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.3.5"
+pytest-cov = "^6.0.0"
+pytest-watcher = "^0.4.3"
+pytest-asyncio = "^0.25.3"
+certifi = "^2025.1.31"
+ruff = "^0.11.0"
+
+[tool.poetry.group.quality.dependencies]
+pre-commit = "^4.1.0"
+
+[build-system]
+requires = ["poetry-core>=2.0.0,<3.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.pytest-watcher]
+now = true
+delay = 0.1
+runner_args = ["--ff", "-x", "-v", "--tb", "short"]
+patterns = ["*.py"]
+
+[tool.ruff]
+lint.select = [
+    "E",    # pycodestyle
+    "F",    # pyflakes
+    "I",    # isort
+    "D",    # pydocstyle
+    "D401", # First line should be in imperative mood
+    "T201",
+    "UP",
+]
+lint.ignore = [
+    "UP006",
+    "UP007",
+    # We actually do want to import from typing_extensions
+    "UP035",
+    # Relax the convention by _not_ requiring documentation for every function parameter.
+    "D417",
+    "E501",
+    "T201",
+]
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = ["D", "UP"]
+[tool.ruff.lint.pydocstyle]
+convention = "google"
+
+[dependency-groups]
+dev = [
+    "langgraph-cli[inmem]>=0.1.71",
+]

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/auth/__init__.py

@@ -0,0 +1,6 @@
+"""Auth module for the AIops Pilot."""
+
+from .basic_auth import get_current_user_for_basicauth
+from .oauth2_keycloak import get_current_user
+
+__all__ = ["get_current_user", "get_current_user_for_basicauth"]

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/auth/basic_auth.py

@@ -0,0 +1,47 @@
+"""Basic auth module for the AIops Pilot."""
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+
+from zmp_authentication_provider.scheme.auth_model import BasicAuthUser
+from zmp_authentication_provider.service.auth_service import AuthService
+from zmp_authentication_provider.setting import auth_default_settings
+
+basic_security = HTTPBasic()
+
+
+def verify_basic_auth_user(service: AuthService, credentials: HTTPBasicCredentials):
+    """Verify the basic auth user."""
+    user = service.get_basic_auth_user_by_username(credentials.username)
+
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=f"{credentials.username} not found",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    if user.password != credentials.password:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Password is incorrect",
+            headers={"WWW-Authenticate": "Basic"},
+        )
+
+    return BasicAuthUser(username=credentials.username, password=credentials.password)
+
+
+def get_current_user_for_basicauth(
+    request: Request,
+    credentials: HTTPBasicCredentials = Depends(basic_security),
+) -> BasicAuthUser:
+    """Get the current user for basic auth."""
+    service = getattr(request.state, auth_default_settings.service_name, None)
+    if not service:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Service '{auth_default_settings.service_name}' not available in the request state. "
+            "You should set the service in the request state.",
+        )
+
+    return verify_basic_auth_user(service=service, credentials=credentials)

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/auth/oauth2_keycloak.py

@@ -0,0 +1,109 @@
+"""OAuth2 Keycloak module for the AIops Pilot."""
+
+import logging
+
+import jwt
+import requests
+from fastapi import Depends
+from fastapi.security import OAuth2AuthorizationCodeBearer
+from jwt import ExpiredSignatureError, InvalidIssuedAtError, InvalidKeyError, PyJWTError
+from jwt.algorithms import RSAAlgorithm
+
+from zmp_authentication_provider.exceptions import (
+    AuthError,
+    OauthTokenValidationException,
+)
+from zmp_authentication_provider.scheme.auth_model import TokenData
+from zmp_authentication_provider.setting import keycloak_settings
+
+log = logging.getLogger(__name__)
+
+# KeyCloak Configuration using the settings
+KEYCLOAK_SERVER_URL = keycloak_settings.server_url
+KEYCLOAK_REALM = keycloak_settings.realm
+KEYCLOAK_CLIENT_ID = keycloak_settings.client_id
+KEYCLOAK_CLIENT_SECRET = keycloak_settings.client_secret
+ALGORITHM = keycloak_settings.algorithm
+KEYCLOAK_REDIRECT_URI = keycloak_settings.redirect_uri
+
+HTTP_CLIENT_SSL_VERIFY = keycloak_settings.http_client_ssl_verify
+
+# KeyCloak Endpoints
+KEYCLOAK_REALM_ROOT_URL = (
+    f"{KEYCLOAK_SERVER_URL}/realms/{KEYCLOAK_REALM}/protocol/openid-connect"
+)
+KEYCLOAK_JWKS_ENDPOINT = f"{KEYCLOAK_REALM_ROOT_URL}/certs"
+KEYCLOAK_AUTH_ENDPOINT = f"{KEYCLOAK_REALM_ROOT_URL}/auth"
+KEYCLOAK_TOKEN_ENDPOINT = KEYCLOAK_REFRESH_ENDPOINT = f"{KEYCLOAK_REALM_ROOT_URL}/token"
+KEYCLOAK_USER_ENDPOINT = f"{KEYCLOAK_REALM_ROOT_URL}/userinfo"
+KEYCLOAK_END_SESSION_ENDPOINT = f"{KEYCLOAK_REALM_ROOT_URL}/logout"
+
+
+def get_public_key():
+    """Get the public key."""
+    response = requests.get(
+        KEYCLOAK_JWKS_ENDPOINT, verify=HTTP_CLIENT_SSL_VERIFY
+    )  # verify=False: because of the SKCC self-signed certificate
+    jwks = response.json()
+
+    public_key = None
+    try:
+        public_key = RSAAlgorithm.from_jwk(jwks["keys"][0])
+    except InvalidKeyError as ike:
+        log.error(f"InvalidKeyError: {ike}")
+
+    return public_key
+
+
+PUBLIC_KEY = get_public_key()
+# oauth2_token_scheme = OAuth2PasswordBearer(tokenUrl=KEYCLOAK_TOKEN_ENDPOINT)
+
+oauth2_auth_scheme = OAuth2AuthorizationCodeBearer(
+    authorizationUrl=KEYCLOAK_AUTH_ENDPOINT,
+    tokenUrl=KEYCLOAK_TOKEN_ENDPOINT,
+    refreshUrl=KEYCLOAK_USER_ENDPOINT,
+    # scopes={"openid": "openid", "profile": "profile", "email": "email"}
+)
+
+
+def verify_token(token: str) -> TokenData:
+    """Verify the token."""
+    try:
+        payload = jwt.decode(
+            jwt=token,
+            key=PUBLIC_KEY,
+            algorithms=[ALGORITHM],
+            audience=KEYCLOAK_CLIENT_ID,
+            options={"verify_aud": False, "verify_iat": False},
+            leeway=60,
+        )
+        """
+            # if not options["verify_signature"]:
+            # options.setdefault("verify_exp", False)
+            # options.setdefault("verify_nbf", False)
+            # options.setdefault("verify_iat", False)
+            # options.setdefault("verify_aud", False)
+            # options.setdefault("verify_iss", False)
+        """
+        if payload is None:
+            raise OauthTokenValidationException(
+                AuthError.INVALID_TOKEN, details="jwt docode failed"
+            )
+
+        token_data = TokenData(username=payload.get("preferred_username"), **payload)
+    except ExpiredSignatureError as ese:
+        log.error(f"ExpiredSignatureError: {ese}")
+        raise OauthTokenValidationException(AuthError.INVALID_TOKEN, details=str(ese))
+    except InvalidIssuedAtError as iiae:
+        log.error(f"InvalidIssuedAtError: {iiae}")
+        raise OauthTokenValidationException(AuthError.INVALID_TOKEN, details=str(iiae))
+    except PyJWTError as jwte:
+        log.error(f"JWTError: {jwte}")
+        raise OauthTokenValidationException(AuthError.INVALID_TOKEN, details=str(jwte))
+
+    return token_data
+
+
+async def get_current_user(token: str = Depends(oauth2_auth_scheme)) -> TokenData:
+    """Get the current user from the token."""
+    return verify_token(token)

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/db/basic_auth_user_repository.py

@@ -0,0 +1,180 @@
+"""BasicAuthUserRepository class for the basic auth user."""
+
+from __future__ import annotations
+
+import datetime
+import logging
+
+import pymongo
+from bson import ObjectId
+from bson.errors import InvalidId
+from motor.motor_asyncio import AsyncIOMotorCollection
+from pymongo.errors import DuplicateKeyError
+from pymongo.results import InsertOneResult
+
+from zmp_authentication_provider.exceptions import (
+    InvalidObjectIDException,
+    ObjectNotFoundException,
+)
+from zmp_authentication_provider.scheme.auth_model import BasicAuthUser
+from zmp_authentication_provider.utils.encryption_utils import decrypt, encrypt
+
+log = logging.getLogger(__name__)
+
+DEFAULT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"
+"""Default time format and time zone %Y-%m-%dT%H:%M:%S%z"""
+DEFAULT_TIME_ZONE = datetime.UTC
+"""Default time zone is UTC(+00:00)"""
+
+
+class BasicAuthUserRepository:
+    """BasicAuthUserRepository class."""
+
+    def __init__(self, *, collection: AsyncIOMotorCollection):
+        """Initialize the repository with MongoDB database."""
+        self._collection = collection
+
+    def __call__(self) -> BasicAuthUserRepository:
+        """Create indexes for the collection."""
+        indexes = self._collection.list_indexes()
+
+        unique_index_name = "unique_key_username"
+
+        unique_index_exists = False
+        for index in indexes:
+            if index["name"] == unique_index_name and index.get("unique", True):
+                unique_index_exists = True
+                break
+
+        if not unique_index_exists:
+            self._collection.create_index(
+                "username", name=unique_index_name, unique=True
+            )
+
+        return self
+
+    def insert(self, basic_auth_user: BasicAuthUser) -> str:
+        """Insert a basic auth user."""
+        if basic_auth_user.created_at is None:
+            basic_auth_user.created_at = datetime.now(DEFAULT_TIME_ZONE)
+
+        # encrypt the token data
+        basic_auth_user.password = encrypt(basic_auth_user.password).hex()
+
+        basic_auth_user_dict = basic_auth_user.model_dump(by_alias=True, exclude=["id"])
+        basic_auth_user_dict.update({"created_at": basic_auth_user.created_at})
+
+        try:
+            result: InsertOneResult = self._collection.insert_one(basic_auth_user_dict)
+        except DuplicateKeyError as e:
+            raise ValueError(f"BasicAuthUser already exists: {e}")
+
+        return str(result.inserted_id)
+
+    def find(self) -> list[BasicAuthUser]:
+        """Find all basic auth users."""
+        cursor = self._collection.find().sort("created_at", pymongo.DESCENDING)
+        basic_auth_users = []
+        for document in cursor:
+            if document is not None:
+                basic_auth_user = BasicAuthUser(**document)
+                # decrypt the token data
+                basic_auth_user.password = decrypt(
+                    bytes.fromhex(basic_auth_user.password)
+                )
+                basic_auth_users.append(basic_auth_user)
+
+        return basic_auth_users
+        # return [BasicAuthUser(**document) for document in cursor if document is not None]
+
+    def update(self, basic_auth_user: BasicAuthUser) -> BasicAuthUser:
+        """Update a basic auth user."""
+        try:
+            query = {"_id": ObjectId(basic_auth_user.id)}
+        except InvalidId as e:
+            raise InvalidObjectIDException(e)
+
+        if basic_auth_user.updated_at is None:
+            basic_auth_user.updated_at = datetime.now(DEFAULT_TIME_ZONE)
+
+        # encrypt the token data
+        basic_auth_user.password = encrypt(basic_auth_user.password).hex()
+
+        basic_auth_user_dict = basic_auth_user.model_dump(
+            by_alias=True, exclude=["id", "created_at"]
+        )
+        basic_auth_user_dict.update({"updated_at": basic_auth_user.updated_at})
+        update = {"$set": basic_auth_user_dict}
+        # update = {"$set": basic_auth_user.model_dump(by_alias=True, exclude=['id', 'created_at'])}
+
+        log.debug(f"Update basic_auth_user: {basic_auth_user.id}")
+        log.debug(f"Update data: {update}")
+
+        document = self._collection.find_one_and_update(
+            query, update=update, return_document=pymongo.ReturnDocument.AFTER
+        )
+
+        if document is None:
+            raise ObjectNotFoundException(object_id=basic_auth_user.id)
+
+        updated = BasicAuthUser(**document)
+
+        # decrypt the token data
+        updated.password = decrypt(bytes.fromhex(updated.password))
+        return updated
+
+    def find_by_id(self, basic_auth_user_id: str) -> BasicAuthUser:
+        """Find a basic auth user by id."""
+        if not basic_auth_user_id:
+            raise InvalidObjectIDException("BasicAuthUser id is required")
+
+        try:
+            query = {"_id": ObjectId(basic_auth_user_id)}
+        except InvalidId as e:
+            raise InvalidObjectIDException(e)
+
+        document = self._collection.find_one(query)
+
+        if document is None:
+            raise ObjectNotFoundException(object_id=basic_auth_user_id)
+
+        basic_auth_user = BasicAuthUser(**document)
+
+        # decrypt the token data
+        basic_auth_user.password = decrypt(bytes.fromhex(basic_auth_user.password))
+        return basic_auth_user
+
+    def find_by_username(self, basic_auth_username: str) -> BasicAuthUser:
+        """Find a basic auth user by username."""
+        if not basic_auth_username:
+            raise InvalidObjectIDException("BasicAuthUser username is required")
+
+        document = self._collection.find_one({"username": basic_auth_username})
+
+        if document is None:
+            raise ObjectNotFoundException(object_id=basic_auth_username)
+
+        basic_auth_user = BasicAuthUser(**document)
+
+        # decrypt the token data
+        basic_auth_user.password = decrypt(bytes.fromhex(basic_auth_user.password))
+        return basic_auth_user
+
+    def delete_by_id(self, basic_auth_user_id: str) -> bool:
+        """Delete a basic auth user by id."""
+        if not basic_auth_user_id:
+            raise InvalidObjectIDException("BasicAuthUser id is required")
+
+        try:
+            query = {"_id": ObjectId(basic_auth_user_id)}
+        except InvalidId as e:
+            raise InvalidObjectIDException(e)
+
+        result = self._collection.find_one_and_delete(query)
+
+        if result is None:
+            raise ObjectNotFoundException(
+                f"BasicAuthUser not found: {basic_auth_user_id}"
+            )
+
+        return True

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/exceptions.py

@@ -0,0 +1,120 @@
+"""Exceptions for AIOps Pilot."""
+
+from enum import Enum
+from http import HTTPStatus
+from typing import Optional
+
+from bson.errors import InvalidId
+from fastapi import HTTPException
+from pydantic import BaseModel
+
+
+class Error(BaseModel):
+    """Error model."""
+
+    http_status: Optional[int]
+    code: Optional[str]
+    message: Optional[str]
+
+
+class AuthError(Enum):
+    """Auth error model."""
+
+    ID_NOT_FOUND = Error(
+        code="E001",
+        http_status=HTTPStatus.NOT_FOUND,
+        message="The item {document}:'{object_id}' was not found",
+    )
+    """The keyword arguments '{document}' and '{object_id}' should be present in the message string"""
+
+    INVALID_OBJECTID = Error(
+        code="E002",
+        http_status=HTTPStatus.BAD_REQUEST,
+        message="The input value was invalid. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    BAD_REQUEST = Error(
+        code="E003",
+        http_status=HTTPStatus.BAD_REQUEST,
+        message="Bad request. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    INVALID_TOKEN = Error(
+        code="E004",
+        http_status=HTTPStatus.UNAUTHORIZED,
+        message="Invalid token. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    PERMISSION_DENIED = Error(
+        code="E005",
+        http_status=HTTPStatus.FORBIDDEN,
+        message="Permission denied. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    TOKEN_DATA_TOO_LARGE = Error(
+        code="E006",
+        http_status=HTTPStatus.BAD_REQUEST,
+        message="The token data for the client cookie is too large. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    SESSION_EXPIRED = Error(
+        code="E007",
+        http_status=HTTPStatus.UNAUTHORIZED,
+        message="The session is expired. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    OAUTH_IDP_ERROR = Error(
+        code="E008",
+        http_status=HTTPStatus.UNAUTHORIZED,
+        message="OAuth IDP error. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+    INTERNAL_SERVER_ERROR = Error(
+        code="E500",
+        http_status=HTTPStatus.INTERNAL_SERVER_ERROR,
+        message="Internal server error. Details: {details}",
+    )
+    """The keyword argument '{details}' should be present in the message string"""
+
+
+class AuthBackendException(HTTPException):
+    """Auth backend exception."""
+
+    def __init__(self, error: AuthError, **kwargs):
+        """Initialize the AIOps backend exception."""
+        self.status_code = error.value.http_status
+        self.code = error.value.code
+        self.detail = error.value.message.format(**kwargs)
+        super().__init__(status_code=self.status_code, detail=self.detail)
+
+
+class OauthTokenValidationException(HTTPException):
+    """Oauth token validation exception."""
+
+    def __init__(self, error: AuthError, **kwargs):
+        """Initialize the Oauth token validation exception."""
+        self.status_code = error.value.http_status
+        self.code = error.value.code
+        self.detail = error.value.message.format(**kwargs)
+        super().__init__(status_code=self.status_code, detail=self.detail)
+
+
+class ObjectNotFoundException(Exception):
+    """Object not found exception."""
+
+    def __init__(self, object_id: str):
+        """Initialize the object not found exception."""
+        self.object_id = object_id
+        self.message = f"The ID '{object_id}' was not found"
+        super().__init__(self.message)
+
+
+class InvalidObjectIDException(InvalidId):
+    """Invalid ObjectId exception."""

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/routes/auth.py

@@ -0,0 +1,286 @@
+"""Auth routes."""
+
+import logging
+import sys
+
+import requests
+from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi.responses import HTMLResponse, RedirectResponse
+
+from zmp_authentication_provider.auth.basic_auth import get_current_user_for_basicauth
+from zmp_authentication_provider.auth.oauth2_keycloak import (
+    KEYCLOAK_AUTH_ENDPOINT,
+    KEYCLOAK_CLIENT_ID,
+    KEYCLOAK_CLIENT_SECRET,
+    KEYCLOAK_END_SESSION_ENDPOINT,
+    KEYCLOAK_REDIRECT_URI,
+    KEYCLOAK_TOKEN_ENDPOINT,
+    KEYCLOAK_USER_ENDPOINT,
+    TokenData,
+    get_current_user,
+    oauth2_auth_scheme,
+)
+from zmp_authentication_provider.exceptions import (
+    AuthBackendException,
+    AuthError,
+)
+from zmp_authentication_provider.scheme.auth_model import BasicAuthUser
+from zmp_authentication_provider.setting import auth_default_settings
+
+log = logging.getLogger(__name__)
+
+router = APIRouter(
+    prefix="/auth",
+    tags=["auth"],
+)
+
+
+@router.get(
+    "/home", 
+    summary="Home page", 
+    response_class=HTMLResponse
+)
+def home(request: Request):  # , csrf_token: str = Depends(csrf_scheme)):
+    """Get home page."""
+    # check the session_id in the cookie
+    csrf_token = request.cookies.get("csrftoken")
+    session_id = request.cookies.get("session_id")
+
+    if csrf_token and session_id:
+        user_info = request.session.get("user_info")
+        if not user_info:
+            request.session.clear()
+            raise AuthBackendException(
+                AuthError.SESSION_EXPIRED,
+                code=401,
+                details="Session data has been lost "
+                "because the server has been restared."
+                "Please login again",
+            )
+        else:
+            username = user_info.get("preferred_username") if user_info else "Ooops!!"
+            log.debug(f"session_data: {username}")
+            return HTMLResponse(content=f"<p>Hello, {username}!!</p>")
+    else:
+        return RedirectResponse(url=f"{auth_default_settings.application_endpoint}/login")
+
+
+@router.get(
+    "/login", 
+    summary="API to login into the keyclaok using the browser",
+    response_class=RedirectResponse
+)
+def login():
+    """Login."""
+    return RedirectResponse(
+        url=f"{KEYCLOAK_AUTH_ENDPOINT}?response_type=code"
+        f"&client_id={KEYCLOAK_CLIENT_ID}"
+        f"&redirect_uri={KEYCLOAK_REDIRECT_URI}"
+        f"&scope=openid profile email"
+    )
+
+
+@router.get(
+    "/logout",
+    summary="API to logout from the keyclaok",
+    response_class=RedirectResponse
+)
+def logout(
+    request: Request,
+    # csrf_token: str = Depends(csrf_scheme),
+    # session_id: str = Depends(session_id_scheme)
+):
+    """Logout."""
+    csrf_token = request.cookies.get("csrftoken")
+    session_id = request.cookies.get("session_id")
+    if not csrf_token or not session_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No csrf token in cookie and session id in cookie",
+        )
+
+    else:
+        refresh_token = request.session.get("refresh_token")
+
+        # if not session_id and not refresh_token:
+        if refresh_token:
+            data = {
+                "client_id": KEYCLOAK_CLIENT_ID,
+                "client_secret": KEYCLOAK_CLIENT_SECRET,
+                "refresh_token": refresh_token,
+            }
+            headers = {"Content-Type": "application/x-www-form-urlencoded"}
+            idp_response = requests.post(
+                KEYCLOAK_END_SESSION_ENDPOINT,
+                data=data,
+                headers=headers,
+                verify=auth_default_settings.http_client_ssl_verify,
+            )  # verify=False: because of the SKCC self-signed certificate
+
+            if idp_response.status_code != 204:
+                raise AuthBackendException(
+                    AuthError.OAUTH_IDP_ERROR,
+                    details=f"Failed to logout.({idp_response.reason})",
+                )
+
+        request.session.clear()
+
+        redirect_response = RedirectResponse(url=f"{auth_default_settings.application_endpoint}/")
+        redirect_response.delete_cookie(key="csrftoken")
+
+        return redirect_response
+
+
+@router.post(
+    "/oauth2/logout",
+    summary="API to logout from the keyclaok only OAuth2"
+)
+def logout_only_oauth(
+    refresh_token: str | None, access_token: str = Depends(oauth2_auth_scheme)
+):
+    """Logout only OAuth2."""
+    data = {
+        "client_id": KEYCLOAK_CLIENT_ID,
+        "client_secret": KEYCLOAK_CLIENT_SECRET,
+        "refresh_token": refresh_token,
+    }
+    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "*/*"}
+    idp_response = requests.post(
+        KEYCLOAK_END_SESSION_ENDPOINT,
+        data=data,
+        headers=headers,
+        verify=auth_default_settings.http_client_ssl_verify,
+    )  # verify=False: because of the SKCC self-signed certificate
+
+    if idp_response.status_code != 204:
+        raise AuthBackendException(
+            AuthError.OAUTH_IDP_ERROR,
+            details=f"Failed to logout.({idp_response.reason})",
+        )
+
+    return {"result": "success"}
+
+
+@router.get(
+    "/oauth2/callback", 
+    summary="Keycloak OAuth2 callback for the redirect URI"
+)
+def callback(request: Request, code: str):
+    """Keycloak OAuth2 callback for the redirect URI."""
+    data = {
+        "grant_type": "authorization_code",
+        "code": code,
+        "redirect_uri": KEYCLOAK_REDIRECT_URI,
+        "client_id": KEYCLOAK_CLIENT_ID,
+        "client_secret": KEYCLOAK_CLIENT_SECRET,
+    }
+    headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/json",
+    }
+    idp_response = requests.post(
+        KEYCLOAK_TOKEN_ENDPOINT,
+        data=data,
+        headers=headers,
+        verify=auth_default_settings.http_client_ssl_verify,
+    )  # verify=False: because of the SKCC self-signed certificate
+
+    if idp_response.status_code != 200:
+        raise AuthBackendException(
+            AuthError.OAUTH_IDP_ERROR,
+            details=f"Failed to obtain token.({idp_response.reason})",
+        )
+
+    tokens = idp_response.json()
+
+    access_token = tokens.get("access_token")
+    refresh_token = tokens.get("refresh_token")
+    # id_token = tokens.get("id_token")
+
+    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
+    idp_response = requests.get(
+        KEYCLOAK_USER_ENDPOINT,
+        headers=headers,
+        verify=auth_default_settings.http_client_ssl_verify,
+    )  # verify=False: because of the SKCC self-signed certificate
+    if idp_response.status_code != 200:
+        raise AuthBackendException(
+            AuthError.OAUTH_IDP_ERROR,
+            details=f"Failed to fetch user info.({idp_response.reason})",
+        )
+    user_info = idp_response.json()
+
+    log.debug(f"user_info: {user_info}")
+
+    # because the max size of the cookie is 4kb, the session middleware saves the session data in the client side cookie in default
+    # so, if the session data size is over than 4kb, the session data will be lost or occur the error in client side
+    # request.session['access_token'] = access_token
+    # request.session['id_token'] = id_token
+    request.session["refresh_token"] = refresh_token
+    request.session["user_info"] = user_info
+
+    total_bytes = _get_size(request.session)
+
+    if total_bytes > 4096:
+        log.debug(f"Total bytes: {total_bytes}")
+        log.warning(f"The session data size({total_bytes}) is over than 4kb.")
+        raise AuthBackendException(
+            AuthError.TOKEN_DATA_TOO_LARGE,
+            details=f"The session data size is {total_bytes} bytes. It is over than 4kb.",
+        )
+
+    # If the same-site of cookie is 'lax', the cookie will be sent only if the request is same-site request
+    # If the same-site of cookie is 'strict', the cookie will not be sent
+    # return RedirectResponse(url=f"{ALERT_SERVICE_ENDPOINT}/home")
+
+    return tokens
+
+
+def _get_size(obj, seen=None):
+    """Recursively find the size of objects including nested objects."""
+    size = sys.getsizeof(obj)
+    if seen is None:
+        seen = set()
+    obj_id = id(obj)
+    if obj_id in seen:
+        return 0
+    # Mark as seen
+    seen.add(obj_id)
+    # Recursively add sizes of referred objects
+    if isinstance(obj, dict):
+        size += sum([_get_size(v, seen) for v in obj.values()])
+        size += sum([_get_size(k, seen) for k in obj.keys()])
+    elif hasattr(obj, "__dict__"):
+        size += _get_size(obj.__dict__, seen)
+    elif isinstance(obj, list | tuple | set):
+        size += sum([_get_size(i, seen) for i in obj])
+    return size
+
+
+@router.get(
+    "/users/me", 
+    summary="Get the current user info from IDP(Keycloak)"
+)
+def read_users_me(token: str = Depends(oauth2_auth_scheme)):
+    """Get the current user info from IDP(Keycloak)."""
+    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
+    idp_response = requests.get(
+        KEYCLOAK_USER_ENDPOINT,
+        headers=headers,
+        verify=auth_default_settings.http_client_ssl_verify,
+    )  # verify=False: because of the SKCC self-signed certificate
+    if idp_response.status_code != 200:
+        raise AuthBackendException(
+            AuthError.OAUTH_IDP_ERROR,
+            details=f"Failed to fetch user info: {idp_response.reason}",
+        )
+    return idp_response.json()
+
+
+@router.get(
+    "/users/oauth_user", 
+    summary="Get the current user info from Token"
+)
+def read_oauth_user(oauth_user: TokenData = Depends(get_current_user)):
+    """Get the current user info from Token."""
+    return oauth_user

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/scheme/auth_model.py

@@ -0,0 +1,68 @@
+"""Auth model module for the AIops Pilot."""
+
+from datetime import datetime
+from typing import Annotated, List, Optional
+
+from pydantic import BaseModel, BeforeValidator, ConfigDict, Field, field_serializer
+
+PyObjectId = Annotated[str, BeforeValidator(str)]
+
+class AuthBaseModel(BaseModel):
+    """Auth Base Model.
+
+    mongodb objectId _id issues
+
+    refence:
+    https://github.com/tiangolo/fastapi/issues/1515
+    https://github.com/mongodb-developer/mongodb-with-fastapi
+    """
+
+    id: PyObjectId | None = Field(default=None, alias="_id")
+
+    created_at: datetime | None = None
+    updated_at: datetime | None = None
+
+    model_config = ConfigDict(
+        populate_by_name=True,
+        arbitrary_types_allowed=True,
+        extra="forbid",
+    )
+
+    @field_serializer("id")
+    def _serialize_id(self, id: PyObjectId | None) -> str | None:
+        if id is None:
+            return None
+        else:
+            return str(id)
+
+    @field_serializer("created_at", "updated_at")
+    def _serialize_created_updated_at(self, dt: datetime | None) -> str | None:
+        return dt.isoformat(timespec="milliseconds") if dt else None
+
+
+class BasicAuthUser(AuthBaseModel):
+    """Basic auth user model."""
+
+    username: str
+    password: str
+    modifier: Optional[str] = None
+
+
+class TokenData(BaseModel):
+    """Token data model."""
+
+    sub: Optional[str] = None
+    username: Optional[str] = None
+    email: Optional[str] = None
+    given_name: Optional[str] = None
+    family_name: Optional[str] = None
+    # for backward compatibility of keycloak
+    realm_roles: Optional[List[str]] = None
+    """
+    {realm_access: [role1, role2, ...]}
+    """
+    realm_access: Optional[dict] = None
+    """
+    {realm_access: {roles: [role1, role2, ...]}}
+    """
+    resource_access: Optional[dict] = None

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/service/auth_service.py

@@ -0,0 +1,91 @@
+"""AuthService class to handle auth service."""
+
+import logging
+from typing import List
+
+from motor.motor_asyncio import AsyncIOMotorDatabase
+
+from zmp_authentication_provider.db.basic_auth_user_repository import (
+    BasicAuthUserRepository,
+)
+from zmp_authentication_provider.exceptions import (
+    AuthBackendException,
+    AuthError,
+    InvalidObjectIDException,
+    ObjectNotFoundException,
+)
+from zmp_authentication_provider.scheme.auth_model import BasicAuthUser
+from zmp_authentication_provider.setting import auth_default_settings
+
+log = logging.getLogger(__name__)
+
+
+class AuthService:
+    """AuthService class to handle auth service."""
+
+    def __init__(self, *, database: AsyncIOMotorDatabase):
+        """Initialize the repository with MongoDB database."""
+        self._database = database
+        self._basic_auth_user_repository = BasicAuthUserRepository(
+            collection=self._database[auth_default_settings.basic_auth_user_collection]
+        )
+
+        log.info(f"{__name__} AuthService Initialized")
+
+    def create_basic_auth_user(self, user: BasicAuthUser) -> str:
+        """Create a basic auth user."""
+        try:
+            return self._basic_auth_user_repository.insert(user)
+        except ValueError as e:
+            raise AuthBackendException(AuthError.BAD_REQUEST, details=str(e))
+
+    def modify_basic_auth_user(self, user: BasicAuthUser) -> BasicAuthUser:
+        """Update a basic auth user."""
+        try:
+            return self._basic_auth_user_repository.update(user)
+        except ObjectNotFoundException:
+            raise AuthBackendException(
+                AuthError.ID_NOT_FOUND,
+                document=auth_default_settings.basic_auth_user_collection,
+                object_id=user.id,
+            )
+        except InvalidObjectIDException as e:
+            raise AuthBackendException(AuthError.INVALID_OBJECTID, details=str(e))
+
+    def remove_basic_auth_user(self, id: str) -> bool:
+        """Delete a basic auth user by id."""
+        if not id:
+            raise AuthBackendException(AuthError.BAD_REQUEST, details="ID is required")
+
+        try:
+            return self._basic_auth_user_repository.delete_by_id(id)
+        except ObjectNotFoundException:
+            raise AuthBackendException(
+                AuthError.ID_NOT_FOUND,
+                document=auth_default_settings.basic_auth_user_collection,
+                object_id=id,
+            )
+        except InvalidObjectIDException as e:
+            raise AuthBackendException(AuthError.INVALID_OBJECTID, details=str(e))
+
+    def get_basic_auth_user_by_username(self, username: str) -> BasicAuthUser:
+        """Get a basic auth user by username."""
+        if not username:
+            raise AuthBackendException(
+                AuthError.BAD_REQUEST, details="Username is required"
+            )
+
+        try:
+            return self._basic_auth_user_repository.find_by_username(username)
+        except ObjectNotFoundException:
+            raise AuthBackendException(
+                AuthError.ID_NOT_FOUND,
+                document=auth_default_settings.basic_auth_user_collection,
+                object_id=username,
+            )
+        except InvalidObjectIDException as e:
+            raise AuthBackendException(AuthError.INVALID_OBJECTID, details=str(e))
+
+    def get_basic_auth_users(self) -> List[BasicAuthUser]:
+        """Get basic auth users."""
+        return self._basic_auth_user_repository.find()

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/setting.py

@@ -0,0 +1,52 @@
+"""Base settings for MCP and Gateway."""
+
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class KeycloakSettings(BaseSettings):
+    """Settings for Keycloak."""
+
+    model_config: SettingsConfigDict = SettingsConfigDict(
+        env_prefix="KEYCLOAK_", env_file=".env", extra="allow"
+    )
+
+    server_url: str
+    realm: str
+    client_id: str
+    client_secret: str
+    redirect_uri: str
+    algorithm: str = "RS256"
+
+
+keycloak_settings = KeycloakSettings()
+
+
+class AuthDefaultSettings(BaseSettings):
+    """Settings for Basic Auth."""
+
+    model_config: SettingsConfigDict = SettingsConfigDict(
+        env_prefix="AUTH_", env_file=".env", extra="allow"
+    )
+
+    # The name of the auth service
+    service_name: str = "auth_service"
+
+    # The api endpoint of the application which is used to redirect to the login page
+    application_endpoint: str
+
+    # The secret key for the encryption
+    basic_auth_encryption_key: str = (
+        "425df05bf30c8434e8a619563b602a7aa0421011f71727289eee66d310897118"
+    )
+
+    # The collection name for the basic auth user
+    basic_auth_user_collection: str = "basic_auth_user"
+
+    # The http client ssl verify
+    http_client_ssl_verify: bool = True
+
+    # The http client timeout
+    http_client_timeout: int = 30
+
+
+auth_default_settings = AuthDefaultSettings()

zmp_authentication_provider-0.1.0/src/zmp_authentication_provider/utils/encryption_utils.py

@@ -0,0 +1,43 @@
+"""This module contains helper functions for encrypting and decrypting data."""
+
+import os
+from binascii import unhexlify
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
+from zmp_authentication_provider.setting import auth_default_settings
+
+str_key = auth_default_settings.aes_secret_key
+key = unhexlify(str_key)  # 256-bit key
+iv = os.urandom(16)  # 128-bit IV
+
+
+def encrypt(data: str) -> bytes:
+    """Encrypt the data."""
+    data_bytes = data.encode("utf-8")
+
+    padder = padding.PKCS7(128).padder()
+    padded_data = padder.update(data_bytes) + padder.finalize()
+
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    encryptor = cipher.encryptor()
+    encrypted_data = encryptor.update(padded_data) + encryptor.finalize()
+
+    return iv + encrypted_data
+
+
+def decrypt(encrypted_data: bytes) -> str:
+    """Decrypt the data."""
+    iv = encrypted_data[:16]
+    encrypted_data = encrypted_data[16:]
+
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    decryptor = cipher.decryptor()
+    padded_data = decryptor.update(encrypted_data) + decryptor.finalize()
+
+    unpadder = padding.PKCS7(128).unpadder()
+    data_bytes = unpadder.update(padded_data) + unpadder.finalize()
+
+    return data_bytes.decode("utf-8")