feat(backend): Phase 1-4 全新開發完成，37/37 TDD 通過

[Phase 0 Reset] - 清除舊版 app/、alembic/versions/、雜亂測試腳本 - 新 requirements.txt (移除 caldav/redis/keycloak-lib，加入 apscheduler/croniter/docker/paramiko/ping3/dnspython) [Phase 1 資料庫] - 9 張資料表 SQLAlchemy Models：tenants / accounts / schedules / schedule_logs / tenant_schedule_results / account_schedule_results / servers / server_status_logs / system_status_logs - Alembic migration 001_create_all_tables (已套用到 10.1.0.20:5433/virtual_mis) - seed.py：schedules 初始 3 筆 / servers 初始 4 筆 [Phase 2 CRUD API] - GET/POST/PUT/DELETE: /api/v1/tenants / accounts / servers / schedules - /api/v1/system-status - 帳號編碼自動產生 (prefix + seq_no 4碼左補0) - 燈號 (lights) 從最新排程結果取得 [Phase 3 Watchdog] - APScheduler interval 3分鐘，原子 UPDATE status=Going 防重複執行 - 手動觸發 API: POST /api/v1/schedules/{id}/run [Phase 4 Service Clients] - KeycloakClient：vmis-admin realm，REST API (不用 python-keycloak) - MailClient：Docker Mailserver @ 10.1.0.254:8080，含 MX DNS 驗證 - DockerClient：docker-py 本機 + paramiko SSH 遠端 compose - NextcloudClient：OCS API user/quota - SystemChecker：功能驗證 (traefik routers>0 / keycloak token / SMTP EHLO / DB SELECT 1 / ping) [TDD] - 37 tests / 37 passed (2.11s) - SQLite in-memory + StaticPool，無需外部 DB Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 13:10:15 +08:00
parent 22611f7f73
commit 42d1420f9c
52 changed files with 2934 additions and 0 deletions
--- a/backend/app/services/keycloak_client.py
+++ b/backend/app/services/keycloak_client.py
@@ -0,0 +1,95 @@
+"""
+KeycloakClient — 直接呼叫 Keycloak REST API，不使用 python-keycloak 套件。
+管理租戶 realm 及帳號的建立/查詢。
+"""
+import logging
+from typing import Optional
+import httpx
+
+from app.core.config import settings
+
+logger = logging.getLogger(__name__)
+
+TIMEOUT = 10.0
+
+
+class KeycloakClient:
+    def __init__(self):
+        self._base = settings.KEYCLOAK_URL.rstrip("/")
+        self._admin_token: Optional[str] = None
+
+    def _get_admin_token(self) -> str:
+        """取得 vmis-admin realm 的 admin access token"""
+        url = f"{self._base}/realms/{settings.KEYCLOAK_ADMIN_REALM}/protocol/openid-connect/token"
+        resp = httpx.post(
+            url,
+            data={
+                "grant_type": "client_credentials",
+                "client_id": settings.KEYCLOAK_ADMIN_CLIENT_ID,
+                "client_secret": settings.KEYCLOAK_ADMIN_CLIENT_SECRET,
+            },
+            timeout=TIMEOUT,
+        )
+        resp.raise_for_status()
+        return resp.json()["access_token"]
+
+    def _headers(self) -> dict:
+        if not self._admin_token:
+            self._admin_token = self._get_admin_token()
+        return {"Authorization": f"Bearer {self._admin_token}"}
+
+    def _admin_url(self, path: str) -> str:
+        return f"{self._base}/admin/realms/{path}"
+
+    def realm_exists(self, realm: str) -> bool:
+        try:
+            resp = httpx.get(self._admin_url(realm), headers=self._headers(), timeout=TIMEOUT)
+            return resp.status_code == 200
+        except Exception:
+            return False
+
+    def create_realm(self, realm: str, display_name: str) -> bool:
+        payload = {
+            "realm": realm,
+            "displayName": display_name,
+            "enabled": True,
+            "loginTheme": "keycloak",
+        }
+        resp = httpx.post(
+            f"{self._base}/admin/realms",
+            json=payload,
+            headers=self._headers(),
+            timeout=TIMEOUT,
+        )
+        return resp.status_code in (201, 204)
+
+    def get_user_uuid(self, realm: str, username: str) -> Optional[str]:
+        resp = httpx.get(
+            self._admin_url(f"{realm}/users"),
+            params={"username": username, "exact": "true"},
+            headers=self._headers(),
+            timeout=TIMEOUT,
+        )
+        resp.raise_for_status()
+        users = resp.json()
+        return users[0]["id"] if users else None
+
+    def create_user(self, realm: str, username: str, email: str, password: Optional[str]) -> Optional[str]:
+        payload = {
+            "username": username,
+            "email": email,
+            "enabled": True,
+            "emailVerified": True,
+        }
+        if password:
+            payload["credentials"] = [{"type": "password", "value": password, "temporary": True}]
+        resp = httpx.post(
+            self._admin_url(f"{realm}/users"),
+            json=payload,
+            headers=self._headers(),
+            timeout=TIMEOUT,
+        )
+        if resp.status_code == 201:
+            location = resp.headers.get("Location", "")
+            return location.rstrip("/").split("/")[-1]
+        return None