add initial implementation of auth gateway with models, routes, and session management

2026-03-17 22:36:17 +00:00 · 2026-03-16 09:47:02 -03:00
parent 963ed54c86
commit d84cf0a174
32 changed files with 1532 additions and 0 deletions
--- a/containers/auth-gateway/auth_gateway/models/init.py
+++ b/containers/auth-gateway/auth_gateway/models/init.py
@@ -0,0 +1 @@
+"""Auth gateway data models."""
--- a/containers/auth-gateway/auth_gateway/models/applications.py
+++ b/containers/auth-gateway/auth_gateway/models/applications.py
@@ -0,0 +1,20 @@
+from pydantic import BaseModel, Field
+
+
+class StaticRouteModel(BaseModel):
+    path_prefix: str
+    root: str
+    strip_prefix: str | None = None
+    cache_control: str | None = None
+
+
+class ApplicationModel(BaseModel):
+    id: str
+    name: str
+    hosts: list[str] = Field(default_factory=list)
+    upstream: str
+    static_routes: list[StaticRouteModel] = Field(default_factory=list)
+
+
+class ApplicationsFileModel(BaseModel):
+    entries: list[ApplicationModel] = Field(default_factory=list)
--- a/containers/auth-gateway/auth_gateway/models/auth.py
+++ b/containers/auth-gateway/auth_gateway/models/auth.py
@@ -0,0 +1,65 @@
+from typing import Annotated, Literal
+
+from pydantic import BaseModel, Field
+
+
+class IPRuleModel(BaseModel):
+    address: str
+    prefix_length: int | None = None
+    action: Literal["allow", "deny"]
+    description: str | None = ""
+
+
+class TotpMethodModel(BaseModel):
+    type: Literal["totp"]
+    totp_secret: str | None = None
+    session_expiration_minutes: int | None = None
+
+
+class LocalPasswordMethodModel(BaseModel):
+    type: Literal["local_password"]
+    session_expiration_minutes: int = 720
+
+
+class OIDCMethodModel(BaseModel):
+    type: Literal["oidc"]
+    provider: str
+    client_id: str
+    client_secret: str
+    allowed_domains: list[str] = Field(default_factory=list)
+    allowed_emails: list[str] = Field(default_factory=list)
+    session_expiration_minutes: int = 720
+
+
+class IPAddressMethodModel(BaseModel):
+    type: Literal["ip_address"]
+    rules: list[IPRuleModel] = Field(default_factory=list)
+
+
+AuthMethodModel = Annotated[
+    TotpMethodModel | LocalPasswordMethodModel | OIDCMethodModel | IPAddressMethodModel,
+    Field(discriminator="type"),
+]
+
+
+class UserModel(BaseModel):
+    email: str | None = ""
+    password_hash: str | None = None
+    totp_secret: str | None = ""
+
+
+class GroupModel(BaseModel):
+    users: list[str] = Field(default_factory=list)
+
+
+class PolicyModel(BaseModel):
+    policy_type: Literal["bypass", "deny", "protected"]
+    groups: list[str] = Field(default_factory=list)
+    methods: list[str] = Field(default_factory=list)
+
+
+class AuthPoliciesFileModel(BaseModel):
+    auth_methods: dict[str, AuthMethodModel] = Field(default_factory=dict)
+    groups: dict[str, GroupModel] = Field(default_factory=dict)
+    users: dict[str, UserModel] = Field(default_factory=dict)
+    policies: dict[str, PolicyModel] = Field(default_factory=dict)
--- a/containers/auth-gateway/auth_gateway/models/routes.py
+++ b/containers/auth-gateway/auth_gateway/models/routes.py
@@ -0,0 +1,16 @@
+from pydantic import BaseModel, Field
+
+
+class RoutePolicyBindingModel(BaseModel):
+    id: str | None = None
+    path_prefix: str
+    policy: str
+
+
+class AppRoutesModel(BaseModel):
+    routes: list[RoutePolicyBindingModel] = Field(default_factory=list)
+    default_policy: str | None = None
+
+
+class RoutesFileModel(BaseModel):
+    entries: dict[str, AppRoutesModel] = Field(default_factory=dict)
--- a/containers/auth-gateway/auth_gateway/models/runtime.py
+++ b/containers/auth-gateway/auth_gateway/models/runtime.py
@@ -0,0 +1,13 @@
+from auth_gateway.models.applications import ApplicationModel
+from auth_gateway.models.auth import AuthMethodModel, GroupModel, PolicyModel, UserModel
+from auth_gateway.models.routes import AppRoutesModel
+from pydantic import BaseModel, Field
+
+
+class RuntimeConfig(BaseModel):
+    applications: dict[str, ApplicationModel] = Field(default_factory=dict)
+    routes_by_app: dict[str, AppRoutesModel] = Field(default_factory=dict)
+    auth_methods: dict[str, AuthMethodModel] = Field(default_factory=dict)
+    users: dict[str, UserModel] = Field(default_factory=dict)
+    groups: dict[str, GroupModel] = Field(default_factory=dict)
+    policies: dict[str, PolicyModel] = Field(default_factory=dict)
--- a/containers/auth-gateway/auth_gateway/models/session.py
+++ b/containers/auth-gateway/auth_gateway/models/session.py
@@ -0,0 +1,26 @@
+from datetime import datetime
+
+from pydantic import BaseModel, Field
+
+
+class SessionRecord(BaseModel):
+    session_id: str
+    created_at: datetime
+    updated_at: datetime
+    expires_at: datetime
+    username: str | None = None
+    email: str | None = None
+    subject: str | None = None
+    groups: list[str] = Field(default_factory=list)
+    auth_factors: list[str] = Field(default_factory=list)
+    metadata: dict = Field(default_factory=dict)
+
+
+class OIDCStateRecord(BaseModel):
+    state: str
+    nonce: str
+    method_name: str
+    host: str
+    next_url: str
+    created_at: datetime
+    expires_at: datetime