refactor: Remove auto_refresh_token in favour of automatic refresh on expiry

2 years ago · 56712fe308
6 changed files with 99 additions and 137 deletions
--- a/poetry.lock
+++ b/poetry.lock
@ -598,6 +598,21 @@ files = [
 flake8 = ">=3"
 pydocstyle = ">=2.1"

+[[package]]
+name = "freezegun"
+version = "1.2.2"
+description = "Let your Python tests travel through time"
+category = "dev"
+optional = false
+python-versions = ">=3.6"
+files = [
+    {file = "freezegun-1.2.2-py3-none-any.whl", hash = "sha256:ea1b963b993cb9ea195adbd893a48d573fda951b0da64f60883d7e988b606c9f"},
+    {file = "freezegun-1.2.2.tar.gz", hash = "sha256:cd22d1ba06941384410cd967d8a99d5ae2442f57dfafeff2fda5de8dc5c05446"},
+]
+
+[package.dependencies]
+python-dateutil = ">=2.7"
+
 [[package]]
 name = "identify"
 version = "2.5.18"
@ -1275,6 +1290,21 @@ pytest = ">=4.6"
 [package.extras]
 testing = ["fields", "hunter", "process-tests", "pytest-xdist", "six", "virtualenv"]

+[[package]]
+name = "python-dateutil"
+version = "2.8.2"
+description = "Extensions to the standard Python datetime module"
+category = "dev"
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
+files = [
+    {file = "python-dateutil-2.8.2.tar.gz", hash = "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86"},
+    {file = "python_dateutil-2.8.2-py2.py3-none-any.whl", hash = "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"},
+]
+
+[package.dependencies]
+six = ">=1.5"
+
 [[package]]
 name = "python-jose"
 version = "3.3.0"
@ -2109,4 +2139,4 @@ docs = ["Sphinx", "alabaster", "commonmark", "m2r2", "mock", "readthedocs-sphinx
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.7"
-content-hash = "45f461f05bdc8da0d12a858c57782cc3a24fb4fb91175e6e0a290cd0304c10e9"
+content-hash = "70bb30bae9ff3d8b6c54553f755b2f31725701f379ae9aeb4a2a5658d2f6d51a"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -73,6 +73,7 @@ cryptography = "^37.0.4"
 codespell = "^2.1.0"
 darglint = "^1.8.1"
 twine = "^4.0.2"
+freezegun = "^1.2.2"

 [build-system]
 requires = ["poetry-core>=1.0.0"]
--- a/src/keycloak/keycloak_admin.py
+++ b/src/keycloak/keycloak_admin.py
@ -81,6 +81,7 @@ class KeycloakAdmin:

    PAGE_SIZE = 100

+    _auto_refresh_token = None
    _connection = None

    def __init__(
@ -146,8 +147,8 @@ class KeycloakAdmin:
            user_realm_name=user_realm_name,
            custom_headers=custom_headers,
            timeout=timeout,
-            auto_refresh_token=auto_refresh_token or [],
        )
+        self.auto_refresh_token = auto_refresh_token

    @property
    @deprecation.deprecated(
@ -450,7 +451,7 @@ class KeycloakAdmin:
        :returns: List of methods for automatic token refresh
        :rtype: list
        """
-        return self.connection.auto_refresh_token
+        return self._auto_refresh_token

    @auto_refresh_token.setter
    @deprecation.deprecated(
@ -460,7 +461,7 @@ class KeycloakAdmin:
        details="Use the self.connection.custom_headers property instead",
    )
    def auto_refresh_token(self, value):
-        self.connection.auto_refresh_token = value
+        self._auto_refresh_token = value or []

    def __fetch_all(self, url, query=None):
        """Paginate over get requests.
@ -572,9 +573,6 @@ class KeycloakAdmin:
        :return: RealmRepresentation
        :rtype: dict
        """
-        import debugpy
-
-        debugpy.breakpoint()
        params_path = {"realm-name": realm_name}
        data_raw = self.connection.raw_get(urls_patterns.URL_ADMIN_REALM.format(**params_path))
        return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
--- a/src/keycloak/keycloak_openid.py
+++ b/src/keycloak/keycloak_openid.py
@ -29,7 +29,6 @@ class to handle authentication and token manipulation.

 import json
 from datetime import datetime, timedelta
-from typing import Iterable

 from jose import jwt

@ -698,7 +697,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
    _client_id = None
    _verify = None
    _client_secret_key = None
-    _auto_refresh_token = None
    _connection = None
    _custom_headers = None
    _user_realm_name = None
@ -717,7 +715,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        client_secret_key=None,
        custom_headers=None,
        user_realm_name=None,
-        auto_refresh_token=None,
        timeout=60,
    ):
        """Init method.
@ -745,12 +742,12 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        :type custom_headers: dict
        :param user_realm_name: The realm name of the user, if different from realm_name
        :type user_realm_name: str
-        :param auto_refresh_token: list of methods that allows automatic token refresh.
-            Ex: ['get', 'put', 'post', 'delete']
-        :type auto_refresh_token: list
        :param timeout: connection timeout in seconds
        :type timeout: int
        """
+        # token is renewed when it hits 90% of its lifetime. This is to account for any possible
+        # clock skew.
+        self.token_renewal_fraction = 0.9
        self.server_url = server_url
        self.username = username
        self.password = password
@ -760,12 +757,8 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        self.client_id = client_id
        self.verify = verify
        self.client_secret_key = client_secret_key
-        self.auto_refresh_token = auto_refresh_token or []
        self.user_realm_name = user_realm_name
        self.timeout = timeout
-        # token is renewed when it hits 90% of its lifetime. This is to account for any possible
-        # clock skew.
-        self.token_renewal_fraction = 0.9

        if self.token is None:
            self.get_token()
@ -929,31 +922,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
            # merge custom headers to main headers
            self.headers.update(self.custom_headers)

-    @property
-    def auto_refresh_token(self):
-        """Get auto refresh token.
-
-        :returns: List of methods for automatic token refresh
-        :rtype: list
-        """
-        return self._auto_refresh_token
-
-    @auto_refresh_token.setter
-    def auto_refresh_token(self, value):
-        allowed_methods = {"get", "post", "put", "delete"}
-        if not isinstance(value, Iterable):
-            raise TypeError(
-                "Expected a list of strings among {allowed}".format(allowed=allowed_methods)
-            )
-        if not all(method in allowed_methods for method in value):
-            raise TypeError(
-                "Unexpected method in auto_refresh_token, accepted methods are {allowed}".format(
-                    allowed=allowed_methods
-                )
-            )
-
-        self._auto_refresh_token = value
-
    def get_token(self):
        """Get admin token.

@ -995,7 +963,7 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):

        :raises KeycloakPostError: In case the refresh token request failed.
        """
-        refresh_token = self.token.get("refresh_token", None)
+        refresh_token = self.token.get("refresh_token", None) if self.token else None
        if refresh_token is None:
            self.get_token()
        else:
@ -1033,9 +1001,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        """
        self._refresh_if_required()
        r = super().raw_get(*args, **kwargs)
-        if "get" in self.auto_refresh_token and r.status_code == 401:
-            self.refresh_token()
-            return super().raw_get(*args, **kwargs)
        return r

    def raw_post(self, *args, **kwargs):
@ -1053,9 +1018,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        """
        self._refresh_if_required()
        r = super().raw_post(*args, **kwargs)
-        if "post" in self.auto_refresh_token and r.status_code == 401:
-            self.refresh_token()
-            return super().raw_post(*args, **kwargs)
        return r

    def raw_put(self, *args, **kwargs):
@ -1073,9 +1035,6 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        """
        self._refresh_if_required()
        r = super().raw_put(*args, **kwargs)
-        if "put" in self.auto_refresh_token and r.status_code == 401:
-            self.refresh_token()
-            return super().raw_put(*args, **kwargs)
        return r

    def raw_delete(self, *args, **kwargs):
@ -1093,7 +1052,4 @@ class KeycloakOpenIDConnectionManager(ConnectionManager):
        """
        self._refresh_if_required()
        r = super().raw_delete(*args, **kwargs)
-        if "delete" in self.auto_refresh_token and r.status_code == 401:
-            self.refresh_token()
-            return super().raw_delete(*args, **kwargs)
        return r
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -6,6 +6,7 @@ import uuid
 from datetime import datetime, timedelta
 from typing import Tuple

+import freezegun
 import pytest
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@ -152,6 +153,23 @@ def admin(env: KeycloakTestEnv):
    )


+@pytest.fixture
+@freezegun.freeze_time("2023-02-25 10:00:00")
+def admin_frozen(env: KeycloakTestEnv):
+    """Fixture for initialized KeycloakAdmin class, with time frozen.
+
+    :param env: Keycloak test environment
+    :type env: KeycloakTestEnv
+    :returns: Keycloak admin
+    :rtype: KeycloakAdmin
+    """
+    return KeycloakAdmin(
+        server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
+        username=env.KEYCLOAK_ADMIN,
+        password=env.KEYCLOAK_ADMIN_PASSWORD,
+    )
+
+
@pytest.fixture
 def oid(env: KeycloakTestEnv, realm: str, admin: KeycloakAdmin):
    """Fixture for initialized KeycloakOpenID class.
--- a/tests/test_keycloak_admin.py
+++ b/tests/test_keycloak_admin.py
@ -3,7 +3,9 @@
 import copy
 from typing import Tuple

+import freezegun
 import pytest
+from dateutil import parser as datetime_parser

 import keycloak
 from keycloak import KeycloakAdmin, KeycloakOpenID
@ -22,31 +24,6 @@ def test_keycloak_version():
    assert keycloak.__version__, keycloak.__version__


-def test_keycloak_admin_bad_init(env):
-    """Test keycloak admin bad init.
-
-    :param env: Environment fixture
-    :type env: KeycloakTestEnv
-    """
-    with pytest.raises(TypeError) as err:
-        KeycloakAdmin(
-            server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
-            username=env.KEYCLOAK_ADMIN,
-            password=env.KEYCLOAK_ADMIN_PASSWORD,
-            auto_refresh_token=1,
-        )
-    assert err.match("Expected a list of strings")
-
-    with pytest.raises(TypeError) as err:
-        KeycloakAdmin(
-            server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
-            username=env.KEYCLOAK_ADMIN,
-            password=env.KEYCLOAK_ADMIN_PASSWORD,
-            auto_refresh_token=["patch"],
-        )
-    assert err.match("Unexpected method in auto_refresh_token")
-
-
 def test_keycloak_admin_init(env):
    """Test keycloak admin init.

@ -2187,16 +2164,17 @@ def test_events(admin: KeycloakAdmin, realm: str):
    assert events == list()


-def test_auto_refresh(admin: KeycloakAdmin, realm: str):
+@freezegun.freeze_time("2023-02-25 10:00:00")
+def test_auto_refresh(admin_frozen: KeycloakAdmin, realm: str):
    """Test auto refresh token.

-    :param admin: Keycloak Admin client
-    :type admin: KeycloakAdmin
+    :param admin_frozen: Keycloak Admin client with time frozen in place
+    :type admin_frozen: KeycloakAdmin
    :param realm: Keycloak realm
    :type realm: str
    """
+    admin = admin_frozen
    # Test get refresh
-    admin.auto_refresh_token = list()
    admin.connection.custom_headers = {
        "Authorization": "Bearer bad",
        "Content-Type": "application/json",
@ -2206,65 +2184,46 @@ def test_auto_refresh(admin: KeycloakAdmin, realm: str):
        admin.get_realm(realm_name=realm)
    assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')

-    admin.auto_refresh_token = ["get"]
-    del admin.token["refresh_token"]
-    assert admin.get_realm(realm_name=realm)
-
-    # Test bad refresh token
-    admin.connection.custom_headers = {
-        "Authorization": "Bearer bad",
-        "Content-Type": "application/json",
-    }
-    admin.token["refresh_token"] = "bad"
-    with pytest.raises(KeycloakPostError) as err:
-        admin.get_realm(realm_name="test-refresh")
-    assert err.match(
-        '400: b\'{"error":"invalid_grant","error_description":"Invalid refresh token"}\''
-    )
-    admin.realm_name = "master"
-    admin.get_token()
-    admin.realm_name = realm
+    # Freeze time to simulate the access token expiring
+    with freezegun.freeze_time("2023-02-25 10:05:00"):
+        assert admin.connection.expires_at < datetime_parser.parse("2023-02-25 10:05:00")
+        assert admin.get_realm(realm_name=realm)
+        assert admin.connection.expires_at > datetime_parser.parse("2023-02-25 10:05:00")
+
+    # Test bad refresh token, but first make sure access token has expired again
+    with freezegun.freeze_time("2023-02-25 10:10:00"):
+        admin.connection.custom_headers = {"Content-Type": "application/json"}
+        admin.connection.token["refresh_token"] = "bad"
+        with pytest.raises(KeycloakPostError) as err:
+            admin.get_realm(realm_name="test-refresh")
+        assert err.match(
+            '400: b\'{"error":"invalid_grant","error_description":"Invalid refresh token"}\''
+        )
+        admin.connection.get_token()

    # Test post refresh
-    admin.connection.custom_headers = {
-        "Authorization": "Bearer bad",
-        "Content-Type": "application/json",
-    }
-    with pytest.raises(KeycloakAuthenticationError) as err:
-        admin.create_realm(payload={"realm": "test-refresh"})
-    assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
-
-    admin.auto_refresh_token = ["get", "post"]
-    admin.realm_name = "master"
-    admin.user_logout(user_id=admin.get_user_id(username=admin.username))
-    assert admin.create_realm(payload={"realm": "test-refresh"}) == b""
-    admin.realm_name = realm
+    with freezegun.freeze_time("2023-02-25 10:15:00"):
+        assert admin.connection.expires_at < datetime_parser.parse("2023-02-25 10:15:00")
+        admin.connection.token = None
+        assert admin.create_realm(payload={"realm": "test-refresh"}) == b""
+        assert admin.connection.expires_at > datetime_parser.parse("2023-02-25 10:15:00")

    # Test update refresh
-    admin.connection.custom_headers = {
-        "Authorization": "Bearer bad",
-        "Content-Type": "application/json",
-    }
-    with pytest.raises(KeycloakAuthenticationError) as err:
-        admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"})
-    assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
-
-    admin.auto_refresh_token = ["get", "post", "put"]
-    assert (
-        admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"}) == dict()
-    )
+    with freezegun.freeze_time("2023-02-25 10:25:00"):
+        assert admin.connection.expires_at < datetime_parser.parse("2023-02-25 10:25:00")
+        admin.connection.token = None
+        assert (
+            admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"})
+            == dict()
+        )
+        assert admin.connection.expires_at > datetime_parser.parse("2023-02-25 10:25:00")

    # Test delete refresh
-    admin.connection.custom_headers = {
-        "Authorization": "Bearer bad",
-        "Content-Type": "application/json",
-    }
-    with pytest.raises(KeycloakAuthenticationError) as err:
-        admin.delete_realm(realm_name="test-refresh")
-    assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
-
-    admin.auto_refresh_token = ["get", "post", "put", "delete"]
-    assert admin.delete_realm(realm_name="test-refresh") == dict()
+    with freezegun.freeze_time("2023-02-25 10:35:00"):
+        assert admin.connection.expires_at < datetime_parser.parse("2023-02-25 10:35:00")
+        admin.connection.token = None
+        assert admin.delete_realm(realm_name="test-refresh") == dict()
+        assert admin.connection.expires_at > datetime_parser.parse("2023-02-25 10:35:00")


 def test_get_required_actions(admin: KeycloakAdmin, realm: str):