Add keycloak and oidc

.github/workflows/ci.yml

@@ -31,6 +31,27 @@ jobs:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
     with:
       DRY_RUN: true
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: checkout
+      # From https://github.com/actions/checkout/issues/438#issuecomment-1114110354
+      # Required to fetch enough depth for diffs with master in the pre-commit step.
+      # Alternative is to use the checkout action with fetch-depth: 0, but that would
+      # fetch the whole history, potentially slowing down the CI pipeline.
+      run: |
+        commits=${{ github.event.pull_request.commits }}
+        if [[ -n "$commits" ]]; then
+          # Prepare enough depth for diffs with master
+          git fetch --depth="$(( commits + 1 ))"
+        fi
+    - uses: actions/setup-python@v3
+      with:
+          python-version: '3.11'
+    - uses: pre-commit/[email protected]
+      with:
+        extra_args: '--from-ref origin/master --to-ref ${{ github.sha }}'
   build:
     name: Build
     uses: dargmuesli/github-actions/.github/workflows/[email protected]

.pre-commit-config.yaml

@@ -0,0 +1,20 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+  - repo: https://github.com/psf/black
+    rev: 24.8.0
+    hooks:
+      - id: black
+  - repo: https://github.com/pycqa/flake8
+    rev: '7.1.1'
+    hooks:
+      - id: flake8
+        language: python
+        language_version: python3.11

README.md

@@ -17,9 +17,22 @@ Digital replacement for the drinks tally list featuring a touchscreen, user mana
 docker compose -f docker-compose.dev.yml up
 ```
 
-- Reading mails via mailpit: http://localhost:8025/
+Reading mails via mailpit: http://localhost:8025/
 
+The project is using poetry. Install the dependencies with:
 
+```sh
+poetry install
+```
+
+Python `pre-commit` helps to detect and fix common issues before committing. Install the git hooks with:
+
+```sh
+pre-commit install
+```
+
+It is also being run in the CI pipeline. If you see any rules that don't make sense for us, feel free
+to adjust the `.pre-commit-config.yaml` file or comment out invocation in the `ci.yml` file.
 
 This project is deployed within the [drinks-touch_stack](https://github.com/flipdot/drinks-touch_stack/) in accordance to the [DargStack template](https://github.com/dargstack/dargstack_template/) to make deployment a breeze.
 

compose.dev.yaml

@@ -37,6 +37,22 @@ services:
       - ./docker/flipdot.schema:/assets/openldap/custom/schema/flipdot.schema
       - ./docker/flipdot.ldif:/assets/openldap/custom/ldif/flipdot.ldif
 
+  keycloak:
+    image: "quay.io/keycloak/keycloak:25.0.4"
+    environment:
+        KEYCLOAK_ADMIN: admin
+        KEYCLOAK_ADMIN_PASSWORD: admin
+    ports:
+        - "8080:8080"
+    command: "start-dev --proxy-headers xforwarded --import-realm"
+    volumes:
+      - keycloak:/opt/keycloak/data
+      # To update the realm, stop keycloak and run:
+      # docker compose -f compose.dev.yaml run -it keycloak export --file /opt/keycloak/data/import/flipdot.json --realm flipdot
+      # Attention: The file it exports isn't importable.
+      # Explanation at https://github.com/flipdot/drinks-touch/pull/213#discussion_r1769129578
+      - ./keycloak/realms/:/opt/keycloak/data/import
+
 
   hackertool:
     image: osixia/phpldapadmin:latest
@@ -56,4 +72,7 @@ services:
       MP_SMTP_AUTH_ALLOW_INSECURE: true
     ports:
       - 8025:8025
-      - 1025:1025
+      - 1025:1025
+
+volumes:
+  keycloak:

drinks_touch/config.py

@@ -8,15 +8,35 @@
 LDAP_USER = os.environ.get("LDAP_USER", "cn=admin,dc=flipdot,dc=org")
 LDAP_PW = os.environ.get("LDAP_PW", "admin")
 
+
+OIDC_DISCOVERY_URL = os.environ.get(
+    "OIDC_DISCOVERY_URL",
+    "http://localhost:8080/realms/flipdot/.well-known/openid-configuration",
+)
+OIDC_CLIENT_ID = os.environ.get("OIDC_CLIENT_ID", "drinks-touch")
+# Client secret default from the shipped realm.json
+OIDC_CLIENT_SECRET = os.environ.get(
+    "OIDC_CLIENT_SECRET", "ozlsD9WZi8PfsnYwPO3UFoIUBjPyS4Bd"
+)
+
+# Refresh the token X seconds before it expires
+OIDC_REFRESH_BUFFER = 10
+
 SENTRY_DSN = os.environ.get("SENTRY_DSN", "")
 
-POSTGRES_CONNECTION_STRING = os.environ.get("POSTGRES_CONNECTION_STRING", "postgresql://drinks:drinks@localhost/drinks")
+POSTGRES_CONNECTION_STRING = os.environ.get(
+    "POSTGRES_CONNECTION_STRING", "postgresql://drinks:drinks@localhost/drinks"
+)
 
 MAIL_FROM = os.environ.get("MAIL_FROM", "flipdot-noti@mailpit")
 MAIL_PW = os.environ.get("MAIL_PW", "pw")
 MAIL_HOST = os.environ.get("MAIL_HOST", "localhost")
 MAIL_PORT = os.environ.get("MAIL_PORT", 1025)
-MAIL_USE_STARTTLS = os.environ.get("MAIL_USE_STARTTLS", "False") in ["True", "true", "1"]
+MAIL_USE_STARTTLS = os.environ.get("MAIL_USE_STARTTLS", "False") in [
+    "True",
+    "true",
+    "1",
+]
 
 SCANNER_DEVICE_PATH = os.environ.get("SCANNER_DEVICE_PATH", "/dev/ttyACM0")
 

drinks_touch/game.py

@@ -10,8 +10,8 @@
 import threading
 import time
 
+
 import config
-import debug
 import env
 from barcode.barcode_reader import run as run_barcode_reader
 from barcode.barcode_worker import Worker as BarcodeWorker
@@ -23,17 +23,22 @@
 from stats.stats import run as stats_send
 from users.sync import sync_recharges
 from webserver.webserver import run as run_webserver
-import os
 import sentry_sdk
-from ldap3.utils.log import set_library_log_detail_level, set_library_log_activation_level, OFF, BASIC, NETWORK, EXTENDED
+from ldap3.utils.log import (
+    set_library_log_detail_level,
+    set_library_log_activation_level,
+    EXTENDED,
+)
 
 with contextlib.redirect_stdout(None):
     import pygame
 
 sentry_sdk.init(config.SENTRY_DSN)
 
-logging.basicConfig(level=getattr(logging, config.LOGLEVEL),
-                    format="[%(asctime)s][%(levelname)s][%(filename)s:%(lineno)d] %(message)s")
+logging.basicConfig(
+    level=getattr(logging, config.LOGLEVEL),
+    format="[%(asctime)s][%(levelname)s][%(filename)s:%(lineno)d] %(message)s",
+)
 logging.Formatter.converter = time.gmtime
 
 # ldap log level
@@ -64,7 +69,7 @@ def handle_events():
 def stats_loop():
     i = 0
     while True:
-        #stats_send()
+        # stats_send()
         send_low_balances()
         if env.is_pi():
             sync_recharges()
@@ -77,7 +82,7 @@ def stats_loop():
 
 # Rendering #
 def main(argv):
-    locale.setlocale(locale.LC_ALL, 'de_DE.UTF-8')
+    locale.setlocale(locale.LC_ALL, "de_DE.UTF-8")
 
     if "--webserver" in argv:
         run_webserver()
@@ -101,25 +106,18 @@ def main(argv):
 
     # Barcode Scanner #
     barcode_worker = BarcodeWorker()
-    barcode_thread = threading.Thread(
-        target=run_barcode_reader,
-        args=(barcode_worker,)
-    )
+    barcode_thread = threading.Thread(target=run_barcode_reader, args=(barcode_worker,))
     barcode_thread.daemon = True
     barcode_thread.start()
 
     # webserver needs to be a main thread #
     web_thread = subprocess.Popen([sys.argv[0], "--webserver"])
 
-    event_thread = threading.Thread(
-        target=handle_events
-    )
+    event_thread = threading.Thread(target=handle_events)
     event_thread.daemon = True
     event_thread.start()
 
-    stats_thread = threading.Thread(
-        target=stats_loop
-    )
+    stats_thread = threading.Thread(target=stats_loop)
     stats_thread.daemon = True
     stats_thread.start()
 
@@ -144,7 +142,9 @@ def main(argv):
         for e in events:
             e.t = t
             e.dt = dt
-            if e.type == pygame.QUIT or (e.type == pygame.KEYDOWN and e.key == pygame.K_ESCAPE):
+            if e.type == pygame.QUIT or (
+                e.type == pygame.KEYDOWN and e.key == pygame.K_ESCAPE
+            ):
                 done = True
                 break
             event_queue.put(e, True)