Merge pull request #1 from WIPACrepo/initial

initial version

Author: dsschult

.github/workflows/ci.yaml

@@ -0,0 +1,125 @@
+name: wipac ci/cd
+
+on:
+  push:
+    branches:
+      - '**'
+    tags-ignore:
+      - '**'
+
+env:
+  py_version: '3.12'
+
+jobs:
+
+  flake8:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/ruff-action@v3
+
+  py-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.versions.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: versions
+        uses: WIPACrepo/wipac-dev-py-versions-action@v2.5
+
+  pip-install:
+    needs: [py-versions]
+    runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 4
+      fail-fast: false
+      matrix:
+        version: ${{ fromJSON(needs.py-versions.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.version }}
+      - run: |
+          pip install --upgrade pip wheel setuptools
+          pip install .
+
+  docker-build:
+    name: "Docker Image"
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Project
+      uses: actions/checkout@v4
+    - name: Build Docker Image
+      uses: docker/build-push-action@v4
+      with:
+        context: .
+        push: false
+
+  release:
+    if: ${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}
+    needs: [flake8, pip-install, docker-build]
+    runs-on: ubuntu-latest
+    concurrency: release
+
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+
+    steps:
+      # Note: we need to checkout the repository at the workflow sha in case during the workflow
+      # the branch was updated. To keep PSR working with the configured release branches,
+      # we force a checkout of the desired release branch but at the workflow sha HEAD.
+      - name: Setup | Checkout Repository at workflow sha
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.sha }}
+
+      - name: Setup | Force correct release branch on workflow sha
+        run: |
+          git checkout -B ${{ github.ref_name }} ${{ github.sha }}
+
+      - name: Action | Semantic Version Release
+        id: release
+        # Adjust tag with desired version if applicable.
+        uses: python-semantic-release/python-semantic-release@v9.8.1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_committer_name: "github-actions"
+          git_committer_email: "actions@users.noreply.github.com"
+
+      - name: Publish | Upload to GitHub Release Assets
+        uses: python-semantic-release/publish-action@v9.16.1
+        if: steps.release.outputs.released == 'true'
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release.outputs.tag }}
+
+      - name: Docker meta
+        id: docker_meta
+        if: steps.release.outputs.released == 'true'
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/wipacrepo/oauth2-proxy
+          tags: |
+            type=semver,pattern={{major}},value=${{ steps.release.outputs.tag }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.release.outputs.tag }}
+            type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ steps.release.outputs.tag }}
+      - name: Login to GitHub Container Registry
+        if: steps.release.outputs.released == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push Docker Image
+        if: steps.release.outputs.released == 'true'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+          push: true

Dockerfile

@@ -0,0 +1,23 @@
+FROM python:3.13
+
+RUN groupadd -g 1000 app && useradd -m -g 1000 -u 1000 app
+
+RUN mkdir /app
+WORKDIR /app
+
+COPY src /app/src
+COPY pyproject.toml /app/pyproject.toml
+
+RUN chown -R app:app /app
+
+USER app
+
+ENV VIRTUAL_ENV=/app/venv
+
+RUN python3.13 -m venv $VIRTUAL_ENV
+
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+RUN --mount=source=.git,target=.git,type=bind pip install -e .
+
+CMD ["python", "-m", "oauth2_proxy"]

README.md

@@ -1,2 +1,31 @@
 # oauth2-proxy
 Python version of oauth2-proxy
+
+A very limited version of [https://github.com/oauth2-proxy/oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy)
+written in Python.  Primarily meant for debugging, as it gives much more detailed logging.
+
+## Basic Config
+
+Primary env variables:
+
+* OPENID_CLIENT_ID
+* OPENID_CLIENT_SECRET
+* OPENID_URL
+* OPENID_SCOPES
+* OPENID_AUDIENCE
+
+Some host config using env variables:
+
+* FULL_URL - external base url, for redirects to work
+* HOST - bind host, set to an empty string for all interfaces
+* PORT - bind port
+
+## API Routes
+
+Handles API routes (returning 401 instead of a login redirect) using env variables:
+
+* API_ROUTES - string separated regexp patterns
+* API_TOKEN_LEEWAY - extra leeway for validating token expiration
+
+`API_TOKEN_LEEWAY` is usually unnecessary, but may be useful in an environment
+with clock skew between the OpenID server and this server.

pyproject.toml

@@ -0,0 +1,62 @@
+[build-system]
+requires = ["setuptools>=64", "setuptools_scm[toml]>=3.4"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "oauth2-proxy"
+description = "WIPAC - oauth2 proxy"
+readme = "README.md"
+authors = [{name = "WIPAC Developers", email = "developers@icecube.wisc.edu"}]
+keywords = ["transfer"]
+license = {text = "MIT License"}
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+requires-python = ">=3.12"
+dependencies = [
+    "wipac-dev-tools",
+    "wipac-rest-tools",
+]
+dynamic = ["version"]
+
+[project.optional-dependencies]
+tests = ["mypy", "pytest", "pytest-async"]
+
+[project.urls]
+repository = "https://github.com/WIPACrepo/oauth2-proxy"
+
+[tool.setuptools]
+include-package-data = true
+license-files = ["LICENSE"]
+
+[tool.setuptools.packages.find]
+where = ["src"]
+include = ["oauth2*"]
+namespaces = true
+
+[tool.setuptools_scm]
+write_to = "src/oauth2_proxy/version.py"
+
+[tool.ruff]
+exclude = ["env", "*tests", "bin", "docs", "resources"]
+target-version = "py313"
+
+[tool.ruff.lint]
+ignore = ["E203", "E226", "E228", "E231", "E501"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+
+[tool.semantic_release]
+tag_format = "{version}"
+commit_parser = "emoji"
+
+[tool.semantic_release.commit_parser_options]
+major_tags = ["[major]"]
+minor_tags = ["[minor]", "[feature]"]
+patch_tags = ["[patch]", "[fix]", " ", "!", "#", "$", "%", "&", "'", "(", ")", "*", "+", "-", ".", "/", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", ":", ";", "<", "=", ">", "?", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "[", "]", "^", "_", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "{", "|", "}", "~"]

setup.py

@@ -0,0 +1,3 @@
+#!/usr/bin/env python3
+from setuptools import setup
+setup()

setupenv.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+unset PYTHONPATH
+python3 -m virtualenv -p python3 env
+echo "unset PYTHONPATH" >> env/bin/activate
+. env/bin/activate
+pip install -e .[tests]

src/oauth2_proxy/__init__.py

@@ -0,0 +1,5 @@
+try:
+    from .version import __version__
+except ImportError:
+    # package is not installed
+    __version__ = None

src/oauth2_proxy/__main__.py

@@ -0,0 +1,19 @@
+import asyncio
+
+from .config import config_logging
+from .server import Server
+
+
+config_logging()
+
+
+# start server
+async def main():
+    s = Server()
+    await s.start()
+    try:
+        await asyncio.Event().wait()
+    finally:
+        await s.stop()
+
+asyncio.run(main())

src/oauth2_proxy/config.py

@@ -0,0 +1,47 @@
+import dataclasses as dc
+import logging
+
+from wipac_dev_tools import from_environment_as_dataclass
+
+@dc.dataclass(frozen=True)
+class EnvConfig:
+    OPENID_CLIENT_ID: str
+    OPENID_CLIENT_SECRET: str = ''
+    OPENID_URL: str = 'https://keycloak.icecube.wisc.edu/auth/realms/IceCube'
+    OPENID_SCOPES: str = ''
+    OPENID_AUDIENCE: str = ''
+
+    API_ROUTES: str = ''
+    API_TOKEN_LEEWAY: int = 60
+
+    HOST: str = 'localhost'
+    PORT: int = 8080
+    FULL_URL: str = 'http://localhost:8080'
+    COOKIE_SECRET: str = '00000000'
+    DEBUG: bool = False
+
+    CI_TEST: bool = False
+    LOG_LEVEL: str = 'INFO'
+
+    def __post_init__(self) -> None:
+        object.__setattr__(self, 'LOG_LEVEL', self.LOG_LEVEL.upper())  # b/c frozen
+
+ENV = from_environment_as_dataclass(EnvConfig, collection_sep=',')
+
+
+def config_logging():
+    # handle logging
+    setlevel = {
+        'CRITICAL': logging.CRITICAL,  # execution cannot continue
+        'FATAL': logging.CRITICAL,
+        'ERROR': logging.ERROR,  # something is wrong, but try to continue
+        'WARNING': logging.WARNING,  # non-ideal behavior, important event
+        'WARN': logging.WARNING,
+        'INFO': logging.INFO,  # initial debug information
+        'DEBUG': logging.DEBUG  # the things no one wants to see
+    }
+
+    if ENV.LOG_LEVEL not in setlevel:
+        raise Exception('LOG_LEVEL is not a proper log level')
+    logformat = '%(asctime)s %(levelname)s %(name)s %(module)s:%(lineno)s - %(message)s'
+    logging.basicConfig(format=logformat, level=setlevel[ENV.LOG_LEVEL])