test

.github/workflows/ci.yml

@@ -42,6 +42,21 @@ jobs:
       poetry-version: ${{ matrix.poetry-version }}
       mint-database: ${{ matrix.mint-database }}
 
+  tests_keycloak_auth:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        python-version: ["3.10"]
+        poetry-version: ["1.8.5"]
+        mint-database: ["./test_data/test_mint", "postgres://cashu:cashu@localhost:5432/cashu"]
+    uses: ./.github/workflows/tests_keycloak_auth.yml
+    with:
+      os: ${{ matrix.os }}
+      python-version: ${{ matrix.python-version }}
+      poetry-version: ${{ matrix.poetry-version }}
+      mint-database: ${{ matrix.mint-database }}
+
   regtest:
     uses: ./.github/workflows/regtest.yml
     strategy:

.github/workflows/tests_keycloak_auth.yml

@@ -0,0 +1,72 @@
+name: tests_keycloak
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        default: "3.10.4"
+        type: string
+      poetry-version:
+        default: "1.8.5"
+        type: string
+      mint-database:
+        default: ""
+        type: string
+      os:
+        default: "ubuntu-latest"
+        type: string
+
+jobs:
+  poetry:
+    name: Run tests with Keycloak (db ${{ inputs.mint-database }})
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Start PostgreSQL service
+        if: contains(inputs.mint-database, 'postgres')
+        run: |
+          docker run -d --name postgres \
+            -e POSTGRES_USER=cashu \
+            -e POSTGRES_PASSWORD=cashu \
+            -e POSTGRES_DB=cashu \
+            -p 5432:5432 postgres:16.4
+          until docker exec postgres pg_isready; do sleep 1; done
+
+      - name: Prepare environment
+        uses: ./.github/actions/prepare
+        with:
+          python-version: ${{ inputs.python-version }}
+          poetry-version: ${{ inputs.poetry-version }}
+
+      - name: Start Keycloak with Backup
+        run: |
+          docker compose -f keycloak/docker-compose-restore.yml up -d postgres
+          docker compose -f keycloak/docker-compose-restore.yml up -d keycloak
+          until curl -s http://localhost:8080/realms/master; do sleep 1; done
+
+      - name: Verify Keycloak Import
+        run: |
+          docker logs $(docker ps -q --filter "ancestor=quay.io/keycloak/keycloak:25.0.6") | grep "Imported"
+
+      - name: Run tests
+        env:
+          MINT_BACKEND_BOLT11_SAT: FakeWallet
+          WALLET_NAME: test_wallet
+          MINT_HOST: localhost
+          MINT_PORT: 3337
+          MINT_TEST_DATABASE: ${{ inputs.mint-database }}
+          TOR: false
+          MINT_REQUIRE_AUTH: TRUE
+          MINT_AUTH_OICD_DISCOVERY_URL: http://localhost:8080/realms/nutshell/.well-known/openid-configuration
+          MINT_AUTH_OICD_CLIENT_ID: cashu-client
+        run: |
+          poetry run pytest tests/test_wallet_auth.py -v --cov=mint --cov-report=xml
+
+      - name: Stop and clean up Docker Compose
+        run: |
+          docker compose -f keycloak/docker-compose-restore.yml down
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3

cashu/wallet/auth/auth.py

@@ -68,7 +68,25 @@ def __init__(
     # overload with_db
     @classmethod
     async def with_db(cls, *args, **kwargs) -> "WalletAuth":
-        """Create a new wallet with a database."""
+        """Create a new wallet with a database.
+        Keyword arguments:
+            url (str): Mint url.
+            db (str): Wallet db location.
+            name (str, optional): Wallet name. Defaults to "auth".
+            username (str, optional): OpenID username. When set, the username and
+                password flow will be used to authenticate. If a username is already
+                stored in the database, it will be used. Will be stored in the
+                database if not already stored.
+            password (str, optional): OpenID password. Used if username is set. Will
+                be read from the database if already stored. Will be stored in the
+                database if not already stored.
+            client_id (str, optional): OpenID client id. Defaults to "cashu-client".
+            client_secret (str, optional): OpenID client secret. Defaults to "".
+            access_token (str, optional): OpenID access token. Defaults to None.
+            refresh_token (str, optional): OpenID refresh token. Defaults to None.
+        Returns:
+            WalletAuth: WalletAuth instance.
+        """
 
         url: str = kwargs.get("url", "")
         db = kwargs.get("db", "")

cashu/wallet/auth/openid_connect/openid_client.py

@@ -33,7 +33,7 @@ def __init__(
         discovery_url: str,
         client_id: str,
         client_secret: str = "",
-        auth_flow: AuthorizationFlow = AuthorizationFlow.DEVICE_CODE,
+        auth_flow: Optional[AuthorizationFlow] = None,
         username: Optional[str] = None,
         password: Optional[str] = None,
         access_token: Optional[str] = None,
@@ -44,7 +44,7 @@ def __init__(
         self.discovery_url: str = discovery_url
         self.client_id: str = client_id
         self.client_secret: str = client_secret
-        self.auth_flow: AuthorizationFlow = auth_flow
+        self.auth_flow: Optional[AuthorizationFlow] = auth_flow
         self.username: Optional[str] = username
         self.password: Optional[str] = password
         self.access_token: Optional[str] = access_token
@@ -87,6 +87,14 @@ async def determine_auth_flow(self) -> AuthorizationFlow:
 
         supported_flows = self.oidc_config.get("grant_types_supported", [])
 
+        # if self.auth_flow is already set, check if it is supported
+        if self.auth_flow:
+            if self.auth_flow.value not in supported_flows:
+                raise ValueError(
+                    f"Authentication flow {self.auth_flow.value} not supported by the OIDC configuration."
+                )
+            return self.auth_flow
+
         if AuthorizationFlow.DEVICE_CODE.value in supported_flows:
             self.auth_flow = AuthorizationFlow.DEVICE_CODE
         elif AuthorizationFlow.AUTHORIZATION_CODE.value in supported_flows:

keycloak/docker-compose-restore.yml

@@ -0,0 +1,45 @@
+services:
+  postgres:
+    image: postgres:16.4
+    volumes:
+      - ./postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    networks:
+      - keycloak_network
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:25.0.6
+    command: start --import-realm
+    volumes:
+      - ./keycloak-export:/opt/keycloak/data/import
+    environment:
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_PORT: 8080
+      KC_HOSTNAME_STRICT_BACKCHANNEL: false
+      KC_HTTP_ENABLED: true
+      KC_HOSTNAME_STRICT_HTTPS: false
+      KC_HEALTH_ENABLED: true
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB}
+      KC_DB_USERNAME: ${POSTGRES_USER}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+    ports:
+      - 8080:8080
+    restart: always
+    depends_on:
+      - postgres
+    networks:
+      - keycloak_network
+
+volumes:
+  postgres_data:
+    driver: local
+
+networks:
+  keycloak_network:
+    driver: bridge

keycloak/docker-compose.yml

@@ -12,7 +12,9 @@ services:
 
   keycloak:
     image: quay.io/keycloak/keycloak:25.0.6
-    command: start
+    command: start --import-realm
+    volumes:
+      - ./keycloak-export:/opt/keycloak/data/import
     environment:
       KC_HOSTNAME: localhost
       KC_HOSTNAME_PORT: 8080