wireguard_webadmin/containers/auth-gateway/auth_gateway/config_loader.py

import json
import logging
from pathlib import Path
from urllib.parse import urlparse

from auth_gateway.models.applications import ApplicationsFileModel
from auth_gateway.models.auth import AuthPoliciesFileModel, OIDCMethodModel, PolicyModel
from auth_gateway.models.routes import RoutesFileModel
from auth_gateway.models.runtime import RuntimeConfig

logger = logging.getLogger(__name__)


def _load_json(path: Path) -> dict | None:
    if not path.exists():
        return None
    with path.open("r", encoding="utf-8") as handle:
        return json.load(handle)


def _is_valid_provider_url(method_name: str, method: OIDCMethodModel) -> bool:
    if not method.provider:
        logger.warning("OIDC method '%s' has no provider URL configured — it will be unavailable.", method_name)
        return False
    parsed = urlparse(method.provider)
    hostname = parsed.hostname or ""
    if parsed.scheme not in {"http", "https"} or not hostname or ".." in hostname:
        logger.warning("OIDC method '%s' has an invalid provider URL ('%s') — it will be unavailable.", method_name, method.provider)
        return False
    return True


def _load_applications(config_dir: Path) -> dict:
    combined = {}
    for filename in ("wireguard_webadmin.json", "applications.json"):
        payload = _load_json(config_dir / filename)
        if not payload:
            continue
        parsed = ApplicationsFileModel.model_validate(payload)
        for entry in parsed.entries:
            if entry.id in combined:
                raise ValueError(f"Duplicate application id detected: '{entry.id}'.")
            combined[entry.id] = entry
    return combined


def load_runtime_config(config_dir: Path) -> RuntimeConfig:
    applications = _load_applications(config_dir)

    routes_payload = _load_json(config_dir / "routes.json") or {}
    auth_payload = _load_json(config_dir / "auth_policies.json") or {}

    routes = RoutesFileModel.model_validate(routes_payload)
    auth = AuthPoliciesFileModel.model_validate(auth_payload)

    valid_auth_methods = {}
    for method_name, method in auth.auth_methods.items():
        if isinstance(method, OIDCMethodModel) and not _is_valid_provider_url(method_name, method):
            continue
        valid_auth_methods[method_name] = method
    auth.auth_methods = valid_auth_methods

    for app_id in routes.entries:
        if app_id not in applications:
            raise ValueError(f"Routes reference unknown application '{app_id}'.")

    for app_id, route_config in routes.entries.items():
        if route_config.default_policy and route_config.default_policy not in auth.policies:
            raise ValueError(f"Application '{app_id}' references unknown default policy '{route_config.default_policy}'.")
        for route in route_config.routes:
            if route.policy not in auth.policies:
                raise ValueError(f"Application '{app_id}' route '{route.path_prefix}' references unknown policy '{route.policy}'.")

    for policy_name, policy in auth.policies.items():
        for group_name in policy.groups:
            if group_name not in auth.groups:
                raise ValueError(f"Policy '{policy_name}' references unknown group '{group_name}'.")
        for method_name in policy.methods:
            if method_name not in auth.auth_methods:
                logger.warning(
                    "Policy '%s' references unavailable method '%s' — policy forced to deny.",
                    policy_name, method_name,
                )
                auth.policies[policy_name] = PolicyModel(policy_type="deny")
                break

    return RuntimeConfig(
        applications=applications,
        routes_by_app=routes.entries,
        auth_methods=auth.auth_methods,
        users=auth.users,
        groups=auth.groups,
        policies=auth.policies,
    )


class RuntimeConfigStore:
    def __init__(self, config_dir: Path):
        self.config_dir = config_dir
        self._runtime_config: RuntimeConfig | None = None
        self._mtimes: dict[str, int] = {}

    def _current_mtimes(self) -> dict[str, int]:
        mtimes = {}
        for filename in (
            "wireguard_webadmin.json",
            "applications.json",
            "routes.json",
            "auth_policies.json",
        ):
            path = self.config_dir / filename
            if path.exists():
                mtimes[filename] = path.stat().st_mtime_ns
        return mtimes

    def get(self) -> RuntimeConfig:
        current_mtimes = self._current_mtimes()
        if self._runtime_config is None or current_mtimes != self._mtimes:
            self._runtime_config = load_runtime_config(self.config_dir)
            self._mtimes = current_mtimes
        return self._runtime_config
add initial implementation of auth gateway with models, routes, and session management 2026-03-16 09:47:02 -03:00			`import json`
			`import logging`
			`from pathlib import Path`
			`from urllib.parse import urlparse`

			`from auth_gateway.models.applications import ApplicationsFileModel`
			`from auth_gateway.models.auth import AuthPoliciesFileModel, OIDCMethodModel, PolicyModel`
			`from auth_gateway.models.routes import RoutesFileModel`
			`from auth_gateway.models.runtime import RuntimeConfig`

			`logger = logging.getLogger(__name__)`


			`def _load_json(path: Path) -> dict \| None:`
			`if not path.exists():`
			`return None`
			`with path.open("r", encoding="utf-8") as handle:`
			`return json.load(handle)`


			`def _is_valid_provider_url(method_name: str, method: OIDCMethodModel) -> bool:`
			`if not method.provider:`
			`logger.warning("OIDC method '%s' has no provider URL configured — it will be unavailable.", method_name)`
			`return False`
			`parsed = urlparse(method.provider)`
			`hostname = parsed.hostname or ""`
			`if parsed.scheme not in {"http", "https"} or not hostname or ".." in hostname:`
			`logger.warning("OIDC method '%s' has an invalid provider URL ('%s') — it will be unavailable.", method_name, method.provider)`
			`return False`
			`return True`


			`def _load_applications(config_dir: Path) -> dict:`
			`combined = {}`
			`for filename in ("wireguard_webadmin.json", "applications.json"):`
			`payload = _load_json(config_dir / filename)`
			`if not payload:`
			`continue`
			`parsed = ApplicationsFileModel.model_validate(payload)`
			`for entry in parsed.entries:`
			`if entry.id in combined:`
			`raise ValueError(f"Duplicate application id detected: '{entry.id}'.")`
			`combined[entry.id] = entry`
			`return combined`


			`def load_runtime_config(config_dir: Path) -> RuntimeConfig:`
			`applications = _load_applications(config_dir)`

			`routes_payload = _load_json(config_dir / "routes.json") or {}`
			`auth_payload = _load_json(config_dir / "auth_policies.json") or {}`

			`routes = RoutesFileModel.model_validate(routes_payload)`
			`auth = AuthPoliciesFileModel.model_validate(auth_payload)`

			`valid_auth_methods = {}`
			`for method_name, method in auth.auth_methods.items():`
			`if isinstance(method, OIDCMethodModel) and not _is_valid_provider_url(method_name, method):`
			`continue`
			`valid_auth_methods[method_name] = method`
			`auth.auth_methods = valid_auth_methods`

			`for app_id in routes.entries:`
			`if app_id not in applications:`
			`raise ValueError(f"Routes reference unknown application '{app_id}'.")`

			`for app_id, route_config in routes.entries.items():`
			`if route_config.default_policy and route_config.default_policy not in auth.policies:`
			`raise ValueError(f"Application '{app_id}' references unknown default policy '{route_config.default_policy}'.")`
			`for route in route_config.routes:`
			`if route.policy not in auth.policies:`
			`raise ValueError(f"Application '{app_id}' route '{route.path_prefix}' references unknown policy '{route.policy}'.")`

			`for policy_name, policy in auth.policies.items():`
			`for group_name in policy.groups:`
			`if group_name not in auth.groups:`
			`raise ValueError(f"Policy '{policy_name}' references unknown group '{group_name}'.")`
			`for method_name in policy.methods:`
			`if method_name not in auth.auth_methods:`
			`logger.warning(`
			`"Policy '%s' references unavailable method '%s' — policy forced to deny.",`
			`policy_name, method_name,`
			`)`
			`auth.policies[policy_name] = PolicyModel(policy_type="deny")`
			`break`

			`return RuntimeConfig(`
			`applications=applications,`
			`routes_by_app=routes.entries,`
			`auth_methods=auth.auth_methods,`
			`users=auth.users,`
			`groups=auth.groups,`
			`policies=auth.policies,`
			`)`


			`class RuntimeConfigStore:`
			`def __init__(self, config_dir: Path):`
			`self.config_dir = config_dir`
			`self._runtime_config: RuntimeConfig \| None = None`
			`self._mtimes: dict[str, int] = {}`

			`def _current_mtimes(self) -> dict[str, int]:`
			`mtimes = {}`
			`for filename in (`
			`"wireguard_webadmin.json",`
			`"applications.json",`
			`"routes.json",`
			`"auth_policies.json",`
			`):`
			`path = self.config_dir / filename`
			`if path.exists():`
			`mtimes[filename] = path.stat().st_mtime_ns`
			`return mtimes`

			`def get(self) -> RuntimeConfig:`
			`current_mtimes = self._current_mtimes()`
			`if self._runtime_config is None or current_mtimes != self._mtimes:`
			`self._runtime_config = load_runtime_config(self.config_dir)`
			`self._mtimes = current_mtimes`
			`return self._runtime_config`