From 2da72f399b4d36a866d2d42e05681dd8d04b1a2b Mon Sep 17 00:00:00 2001
From: Antoine Lambert <anlambert@softwareheritage.org>
Date: Tue, 29 Jun 2021 18:04:08 +0200
Subject: [PATCH] cli: Add commands to generate and revoke bearer tokens
Migrate auth command group from swh-web-client package to the
swh-auth package.
Related to T3385
---
docs/cli.rst | 8 +++
docs/index.rst | 1 +
setup.py | 8 +--
swh/auth/cli.py | 110 +++++++++++++++++++++++++++++---
swh/auth/keycloak.py | 21 +++---
swh/auth/tests/test_cli.py | 93 +++++++++++++++++++++++++++
swh/auth/tests/test_keycloak.py | 7 ++
7 files changed, 227 insertions(+), 21 deletions(-)
create mode 100644 docs/cli.rst
create mode 100644 swh/auth/tests/test_cli.py
diff --git a/docs/cli.rst b/docs/cli.rst
new file mode 100644
index 0000000..9931b86
--- /dev/null
+++ b/docs/cli.rst
@@ -0,0 +1,8 @@
+.. _swh-auth-cli:
+
+Command-line interface
+======================
+
+.. click:: swh.auth.cli:auth
+ :prog: swh auth
+ :nested: full
diff --git a/docs/index.rst b/docs/index.rst
index c8f7297..28c50c6 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -8,5 +8,6 @@ Reference Documentation
.. toctree::
:maxdepth: 2
+ cli
django
/apidoc/swh.auth
diff --git a/setup.py b/setup.py
index e9ca471..0fcb566 100755
--- a/setup.py
+++ b/setup.py
@@ -55,10 +55,10 @@ setup(
"testing": parse_requirements("test"),
},
include_package_data=True,
- # entry_points="""
- # [swh.cli.subcommands]
- # <cli-name>=swh.<module>.cli
- # """,
+ entry_points="""
+ [swh.cli.subcommands]
+ auth=swh.auth.cli
+ """,
classifiers=[
"Programming Language :: Python :: 3",
"Intended Audience :: Developers",
diff --git a/swh/auth/cli.py b/swh/auth/cli.py
index 07c279b..10068ac 100644
--- a/swh/auth/cli.py
+++ b/swh/auth/cli.py
@@ -1,19 +1,111 @@
+# Copyright (C) 2021 The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+# WARNING: do not import unnecessary things here to keep cli startup time under
+# control
+
+import sys
+
import click
+from click.core import Context
-from swh.core.cli import CONTEXT_SETTINGS
from swh.core.cli import swh as swh_cli_group
+CONTEXT_SETTINGS = dict(help_option_names=["-h", "--help"])
-@swh_cli_group.group(name="foo", context_settings=CONTEXT_SETTINGS)
+
+@swh_cli_group.group(name="auth", context_settings=CONTEXT_SETTINGS)
+@click.option(
+ "--oidc-server-url",
+ "oidc_server_url",
+ default="https://auth.softwareheritage.org/auth/",
+ help=(
+ "URL of OpenID Connect server (default to "
+ '"https://auth.softwareheritage.org/auth/")'
+ ),
+)
+@click.option(
+ "--realm-name",
+ "realm_name",
+ default="SoftwareHeritage",
+ help=(
+ "Name of the OpenID Connect authentication realm "
+ '(default to "SoftwareHeritage")'
+ ),
+)
+@click.option(
+ "--client-id",
+ "client_id",
+ default="swh-web",
+ help=("OpenID Connect client identifier in the realm " '(default to "swh-web")'),
+)
@click.pass_context
-def foo_cli_group(ctx):
- """Foo main command.
+def auth(ctx: Context, oidc_server_url: str, realm_name: str, client_id: str):
+ """
+ Software Heritage Authentication tools.
+
+ This CLI eases the retrieval of a bearer token to authenticate
+ a user querying Software Heritage Web APIs.
"""
+ from swh.auth.keycloak import KeycloakOpenIDConnect
+ ctx.ensure_object(dict)
+ ctx.obj["oidc_client"] = KeycloakOpenIDConnect(
+ oidc_server_url, realm_name, client_id
+ )
-@foo_cli_group.command()
-@click.option("--bar", help="Something")
+
+@auth.command("generate-token")
+@click.argument("username")
@click.pass_context
-def bar(ctx, bar):
- """Do something."""
- click.echo("bar")
+def generate_token(ctx: Context, username: str):
+ """
+ Generate a new bearer token for a Web API authentication.
+
+ Login with USERNAME, create a new OpenID Connect session and get
+ bearer token.
+
+ Users will be prompted for their password, then the token will be printed
+ to standard output.
+
+ The created OpenID Connect session is an offline one so the provided
+ token has a much longer expiration time than classical OIDC
+ sessions (usually several dozens of days).
+ """
+ from getpass import getpass
+
+ from swh.auth.keycloak import KeycloakError, keycloak_error_message
+
+ password = getpass()
+
+ try:
+ oidc_info = ctx.obj["oidc_client"].login(
+ username, password, scope="openid offline_access"
+ )
+ print(oidc_info["refresh_token"])
+ except KeycloakError as ke:
+ print(keycloak_error_message(ke))
+ sys.exit(1)
+
+
+@auth.command("revoke-token")
+@click.argument("token")
+@click.pass_context
+def revoke_token(ctx: Context, token: str):
+ """
+ Revoke a bearer token used for a Web API authentication.
+
+ Use TOKEN to logout from an offline OpenID Connect session.
+
+ The token is definitely revoked after that operation.
+ """
+ from swh.auth.keycloak import KeycloakError, keycloak_error_message
+
+ try:
+ ctx.obj["oidc_client"].logout(token)
+ print("Token successfully revoked.")
+ except KeycloakError as ke:
+ print(keycloak_error_message(ke))
+ sys.exit(1)
diff --git a/swh/auth/keycloak.py b/swh/auth/keycloak.py
index 8bf627d..cb45d37 100644
--- a/swh/auth/keycloak.py
+++ b/swh/auth/keycloak.py
@@ -110,7 +110,7 @@ class KeycloakOpenIDConnect:
)
def login(
- self, username: str, password: str, **extra_params: str
+ self, username: str, password: str, scope: str = "openid", **extra_params: str
) -> Dict[str, Any]:
"""
Get OpenID Connect authentication tokens using Direct Access Grant flow.
@@ -126,7 +126,7 @@ class KeycloakOpenIDConnect:
"""
return self._keycloak.token(
grant_type="password",
- scope="openid",
+ scope=scope,
username=username,
password=password,
**extra_params,
@@ -233,9 +233,14 @@ def keycloak_error_message(keycloak_error: KeycloakError) -> str:
"""Transform a keycloak exception into an error message.
"""
- msg_dict = json.loads(keycloak_error.error_message.decode())
- error_msg = msg_dict["error"]
- error_desc = msg_dict.get("error_description")
- if error_desc:
- error_msg = f"{error_msg}: {error_desc}"
- return error_msg
+ try:
+ # keycloak error wrapped in a JSON document
+ msg_dict = json.loads(keycloak_error.error_message.decode())
+ error_msg = msg_dict["error"]
+ error_desc = msg_dict.get("error_description")
+ if error_desc:
+ error_msg = f"{error_msg}: {error_desc}"
+ return error_msg
+ except Exception:
+ # fallback: return error message string
+ return keycloak_error.error_message
diff --git a/swh/auth/tests/test_cli.py b/swh/auth/tests/test_cli.py
new file mode 100644
index 0000000..e22848e
--- /dev/null
+++ b/swh/auth/tests/test_cli.py
@@ -0,0 +1,93 @@
+# Copyright (C) 2020-2021 The Software Heritage developers
+# See the AUTHORS file at the top-level directory of this distribution
+# License: GNU General Public License version 3, or any later version
+# See top-level LICENSE file for more information
+
+from click.testing import CliRunner
+import pytest
+
+from swh.auth.cli import auth
+from swh.auth.tests.sample_data import OIDC_PROFILE
+
+runner = CliRunner()
+
+
+@pytest.fixture()
+def keycloak_oidc(keycloak_oidc, mocker):
+ def _keycloak_oidc(server_url, realm_name, client_id):
+ keycloak_oidc.server_url = server_url
+ keycloak_oidc.realm_name = realm_name
+ keycloak_oidc.client_id = client_id
+ return keycloak_oidc
+
+ keycloak_oidc_client = mocker.patch("swh.auth.keycloak.KeycloakOpenIDConnect")
+ keycloak_oidc_client.side_effect = _keycloak_oidc
+ return keycloak_oidc
+
+
+def _run_auth_command(command, keycloak_oidc, input=None):
+ server_url = "http://localhost:5080/auth"
+ realm_name = "realm-test"
+ client_id = "client-test"
+ result = runner.invoke(
+ auth,
+ [
+ "--oidc-server-url",
+ server_url,
+ "--realm-name",
+ realm_name,
+ "--client-id",
+ client_id,
+ *command,
+ ],
+ input=input,
+ )
+ assert keycloak_oidc.server_url == server_url
+ assert keycloak_oidc.realm_name == realm_name
+ assert keycloak_oidc.client_id == client_id
+ return result
+
+
+@pytest.fixture
+def user_credentials():
+ return {"username": "foo", "password": "bar"}
+
+
+def test_auth_generate_token_ok(keycloak_oidc, mocker, user_credentials):
+ mock_getpass = mocker.patch("getpass.getpass")
+ mock_getpass.return_value = user_credentials["password"]
+
+ command = ["generate-token", user_credentials["username"]]
+ result = _run_auth_command(
+ command, keycloak_oidc, input=f"{user_credentials['password']}\n"
+ )
+ assert result.exit_code == 0
+ assert result.output[:-1] == OIDC_PROFILE["refresh_token"]
+
+
+def test_auth_generate_token_error(keycloak_oidc, mocker, user_credentials):
+ keycloak_oidc.set_auth_success(False)
+ mock_getpass = mocker.patch("getpass.getpass")
+ mock_getpass.return_value = user_credentials["password"]
+
+ command = ["generate-token", user_credentials["username"]]
+ result = _run_auth_command(
+ command, keycloak_oidc, input=f"{user_credentials['password']}\n"
+ )
+ assert result.exit_code == 1
+ assert result.output[:-1] == "invalid_grant: Invalid user credentials"
+
+
+def test_auth_remove_token_ok(keycloak_oidc):
+ command = ["revoke-token", OIDC_PROFILE["refresh_token"]]
+ result = _run_auth_command(command, keycloak_oidc)
+ assert result.exit_code == 0
+ assert result.output[:-1] == "Token successfully revoked."
+
+
+def test_auth_remove_token_error(keycloak_oidc):
+ keycloak_oidc.set_auth_success(False)
+ command = ["revoke-token", OIDC_PROFILE["refresh_token"]]
+ result = _run_auth_command(command, keycloak_oidc)
+ assert result.exit_code == 1
+ assert result.output[:-1] == "invalid_grant: Invalid user credentials"
diff --git a/swh/auth/tests/test_keycloak.py b/swh/auth/tests/test_keycloak.py
index 33b7abe..b8f23a1 100644
--- a/swh/auth/tests/test_keycloak.py
+++ b/swh/auth/tests/test_keycloak.py
@@ -173,3 +173,10 @@ def test_auth_keycloak_error_message(error_dict, expected_result):
actual_result = keycloak_error_message(exception)
assert actual_result == expected_result
+
+
+def test_auth_keycloak_error_message_string():
+ """Conversion from KeycloakError to error message should work with detail or not"""
+ error_message = "Can't connect to server "
+ exception = KeycloakError(error_message=error_message)
+ assert keycloak_error_message(exception) == error_message
--
GitLab