Configure system tests to work with Tiled autz

Author: DiamondJoseph

pyproject.toml

@@ -13,7 +13,7 @@ classifiers = [
 ]
 description = "Lightweight bluesky-as-a-service wrapper application. Also usable as a library."
 dependencies = [
-    "tiled[client]>=0.2.0",
+    "tiled[client]@git+https://git@github.com/zohebshaikh/tiled@v0.4.17",
     "bluesky[plotting]>=1.14.0",                     # plotting includes matplotlib, required for BestEffortCallback in run plans
     "ophyd-async>=0.13.5",
     "aioca",

tests/system_tests/compose.yaml

@@ -19,10 +19,56 @@ services:
         target: /etc/rabbitmq/enabled_plugins
 
   tiled:
-    image: ghcr.io/bluesky/tiled:0.2.0
+    image: ghcr.io/zohebshaikh/tiled:0.4.17
     ports:
       - "8407:8000"
+    volumes:
+      - ./services/tiled_config:/deploy/config
+    command: ["tiled", "serve", "config", "--host", "0.0.0.0", "--port", "8000"]
+    depends_on:
+      keycloak:
+        condition: service_healthy
+
+  keycloak:
+    image: keycloak/keycloak:26.4
     environment:
-      - TILED_SINGLE_USER_API_KEY=${TILED_SINGLE_USER_API_KEY}
+      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
+      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
+    command: ["start-dev"]
     volumes:
-    - ./services/tiled_config:/deploy/config
+      - ./services/keycloak_config/:/mnt
+    post_start:
+      - command: bash /mnt/startup.sh
+    ports:
+      - 8081:8080
+    healthcheck:
+      test: /opt/keycloak/bin/kcadm.sh config credentials --server http://keycloak:8080 --realm master --user admin --password admin
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+
+  opa:
+    image: openpolicyagent/opa
+    volumes:
+      - ./services/opa_config/config.yaml:/mnt/config.yaml
+      - ./services/opa_config/opa_data/bundle.tar.gz:/mnt/bundle.tar.gz
+    environment:
+      - ISSUER=http://keycloak:8080/realms/master
+    command:
+      [
+        "run",
+        "--server",
+        "--addr",
+        ":8181",
+        "-b",
+        "/mnt/bundle.tar.gz",
+        "--config-file",
+        "/mnt/config.yaml",
+      ]
+    entrypoint: "/opa"
+    ports:
+      - 8181:8181
+    depends_on:
+      keycloak:
+        condition: service_healthy

tests/system_tests/config.yaml

@@ -17,4 +17,8 @@ numtracker:
   url: http://localhost:8406/graphql
 tiled:
   enabled: true
-  url: http://localhost:8407/
+  url: http://localhost:8407/api/v1
+oidc:
+  well_known_url: "http://localhost:8081/realms/master/.well-known/openid-configuration"
+  client_id: "blueapi"
+  client_audience: "blueapi"

tests/system_tests/services/keycloak_config/blueapi-ci.json

@@ -0,0 +1,142 @@
+{
+  "clientId": "blueapi",
+  "name": "Blueapi",
+  "description": "Service account client used to run automated system tests for Blueapi.",
+  "rootUrl": "",
+  "adminUrl": "",
+  "baseUrl": "",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "secret": "secret",
+  "redirectUris": [
+    "/*"
+  ],
+  "webOrigins": [
+    "/*"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": false,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": false,
+  "serviceAccountsEnabled": true,
+  "publicClient": false,
+  "frontchannelLogout": true,
+  "protocol": "openid-connect",
+  "attributes": {
+    "realm_client": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "client.secret.creation.time": "1748358661",
+    "backchannel.logout.session.required": "true",
+    "standard.token.exchange.enabled": "false",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "display.on.consent.screen": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "dpop.bound.access.tokens": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "protocolMappers": [
+    {
+      "name": "Client Host",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-usersessionmodel-note-mapper",
+      "consentRequired": false,
+      "config": {
+        "user.session.note": "clientHost",
+        "introspection.token.claim": "true",
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "access.token.claim": "true",
+        "claim.name": "clientHost",
+        "jsonType.label": "String"
+      }
+    },
+    {
+      "name": "alice",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-hardcoded-claim-mapper",
+      "consentRequired": false,
+      "config": {
+        "introspection.token.claim": "true",
+        "claim.value": "alice",
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "lightweight.claim": "false",
+        "access.token.claim": "true",
+        "claim.name": "fedid",
+        "jsonType.label": "String",
+        "access.tokenResponse.claim": "false"
+      }
+    },
+    {
+      "name": "Client ID",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-usersessionmodel-note-mapper",
+      "consentRequired": false,
+      "config": {
+        "user.session.note": "client_id",
+        "introspection.token.claim": "true",
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "access.token.claim": "true",
+        "claim.name": "client_id",
+        "jsonType.label": "String"
+      }
+    },
+    {
+      "name": "Client IP Address",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-usersessionmodel-note-mapper",
+      "consentRequired": false,
+      "config": {
+        "user.session.note": "clientAddress",
+        "introspection.token.claim": "true",
+        "userinfo.token.claim": "true",
+        "id.token.claim": "true",
+        "access.token.claim": "true",
+        "claim.name": "clientAddress",
+        "jsonType.label": "String"
+      }
+    },
+    {
+      "name": "blueapi",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-audience-mapper",
+      "consentRequired": false,
+      "config": {
+        "id.token.claim": "false",
+        "lightweight.claim": "false",
+        "introspection.token.claim": "true",
+        "access.token.claim": "true",
+        "included.custom.audience": "blueapi",
+        "userinfo.token.claim": "false"
+      }
+    }
+  ],
+  "defaultClientScopes": [
+    "web-origins",
+    "service_account",
+    "acr",
+    "roles",
+    "profile",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "organization",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

tests/system_tests/services/keycloak_config/startup.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+export PATH=$PATH:/opt/keycloak/bin
+
+sleep 30
+while ! kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin; do
+    sleep 1
+done
+
+# Add users to Keycloak
+for user in alice bob carol; do
+  kcadm.sh create users -r master -s username="$user" -s enabled=true
+  kcadm.sh set-password -r master --username "$user" --new-password "$user"
+done
+
+allowed_protocol_mappers=$(kcadm.sh get components -q name="Allowed Protocol Mapper Types" --fields id --format csv --noquotes)
+allowed_client_scopes=$(kcadm.sh get components -q name="Allowed Client Scopes" --fields id --format csv --noquotes)
+for i in $allowed_protocol_mappers $allowed_client_scopes;do
+  kcadm.sh delete components/$i
+done
+
+kcreg.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
+client="ixx-blueapi"
+kcreg.sh get $client >/dev/null 2>&1 || kcreg.sh create --file "/mnt/$client.json"

tests/system_tests/services/opa_config/config.yaml

@@ -0,0 +1,11 @@
+services:
+  ghcr:
+    url: https://ghcr.io
+    type: oci
+bundles:
+  diamond-policies:
+    service: ghcr
+    resource: ghcr.io/diamondjoseph/authz-policy:0.1.15
+    polling:
+      min_delay_seconds: 30
+      max_delay_seconds: 120

tests/system_tests/services/opa_config/opa_data/data.json

@@ -0,0 +1,38 @@
+{
+    "diamond": {
+        "data": {
+            "beamlines": {
+                "adsim": {
+                    "sessions": [
+                        "1"
+                    ]
+                }
+            },
+            "proposals": {
+                "12345": {
+                    "sessions": {
+                        "1": 1
+                    }
+                }
+            },
+            "sessions": {
+                "1": {
+                    "beamline": "adsim",
+                    "proposal_number": 1,
+                    "visit_number": 1
+                }
+            },
+            "subjects": {
+                "alice": {
+                    "permissions": [],
+                    "proposals": [
+                        1
+                    ],
+                    "sessions": [
+                        1
+                    ]
+                }
+            }
+        }
+    }
+}

tests/system_tests/services/tiled_config/config.yml

@@ -1,10 +1,24 @@
 authentication:
-  # Any HTTP client that can connect can read, an API key is still required to write.
-  allow_anonymous_access: true
+  providers:
+    - provider: keycloak_oidc
+      authenticator: tiled.authenticators:ProxiedOIDCAuthenticator
+      args:
+        audience: account
+        client_id: tiled
+        device_flow_client_id: tiled-cli
+        well_known_uri: "http://keycloak:8080/realms/master/.well-known/openid-configuration"
+        confirmation_message: "You have logged in with authn.diamond.ac.uk as {id}."
 trees:
   - path: /
     tree: catalog
     args:
       uri: "sqlite:////storage/catalog.db"
       writable_storage: "sqlite:////storage/catalog.db"
       init_if_not_exists: true
+
+access_control:
+  access_policy: "tiled.access_control.dls:DiamondOpenPolicyAgentAuthorizationPolicy"
+  args:
+    authorization_provider: "http://opa:8181/v1/data/diamond/policy/"
+    token_audience: account
+    empty_access_blob_public: true