Enhanced OpenRemoteClient to allow specifying the default realm rather than defaulting to the hardcoded "master"

dominiquekleeven · dominiquekleeven · commit 0f9f4345d190 · 2025-08-07T10:32:13.000+02:00
diff --git a/src/service_ml_forecast/clients/openremote/models.py b/src/service_ml_forecast/clients/openremote/models.py
@@ -79,7 +79,5 @@ class AssetDatapointQuery(BaseModel):
 class Realm(BaseModel):
     """Realm model."""
 
-    id: str
     name: str
     displayName: str
-    enabled: bool
diff --git a/src/service_ml_forecast/clients/openremote/openremote_client.py b/src/service_ml_forecast/clients/openremote/openremote_client.py
@@ -31,8 +31,6 @@
     Realm,
 )
 
-MASTER_REALM = "master"
-
 
 class OAuthTokenResponse(BaseModel):
     """Response model for OpenRemote OAuth token."""
@@ -56,6 +54,7 @@ class OpenRemoteClient:
     Args:
         openremote_url: The URL of the OpenRemote API.
         keycloak_url: The URL of the Keycloak API.
+        realm: The default realm to use for the OpenRemote API.
         service_user: The service user for the OpenRemote API.
         service_user_secret: The service user secret for the OpenRemote API.
         timeout: Timeout in seconds for HTTP requests. Defaults to 30 seconds.
@@ -70,12 +69,14 @@ def __init__(
         self,
         openremote_url: str,
         keycloak_url: str,
+        realm: str,
         service_user: str,
         service_user_secret: str,
         timeout: float = 60.0,
     ):
         self.openremote_url: str = openremote_url
         self.keycloak_url: str = keycloak_url
+        self.realm: str = realm
         self.service_user: str = service_user
         self.service_user_secret: str = service_user_secret
         self.oauth_token: OAuthTokenResponse | None = None
@@ -93,7 +94,7 @@ def __authenticate(self) -> bool:
         return False
 
     def __get_token(self) -> OAuthTokenResponse | None:
-        url = f"{self.keycloak_url}/realms/master/protocol/openid-connect/token"
+        url = f"{self.keycloak_url}/realms/{self.realm}/protocol/openid-connect/token"
 
         data = OAuthTokenRequest(
             grant_type="client_credentials",
@@ -149,18 +150,22 @@ def health_check(self) -> bool:
                 return False
 
     def get_asset_datapoint_period(
-        self, asset_id: str, attribute_name: str, realm: str = MASTER_REALM
+        self, asset_id: str, attribute_name: str, realm: str | None = None
     ) -> AssetDatapointPeriod | None:
         """Retrieve the datapoints timestamp period of a given asset attribute.
 
         Args:
             asset_id: The ID of the asset.
             attribute_name: The name of the attribute.
+            realm: The realm to retrieve assets from defaulting to the configured realm.
 
         Returns:
             AssetDatapointPeriod | None: The datapoints timestamp period of the asset attribute
         """
 
+        if realm is None:
+            realm = self.realm
+
         query = f"?assetId={asset_id}&attributeName={attribute_name}"
         url = f"{self.openremote_url}/api/{realm}/asset/datapoint/periods{query}"
 
@@ -181,7 +186,7 @@ def get_historical_datapoints(
         attribute_name: str,
         from_timestamp: int,
         to_timestamp: int,
-        realm: str = MASTER_REALM,
+        realm: str | None = None,
     ) -> list[AssetDatapoint] | None:
         """Retrieve the historical data points of a given asset attribute.
 
@@ -193,11 +198,14 @@ def get_historical_datapoints(
             attribute_name: The name of the attribute.
             from_timestamp: Epoch timestamp in milliseconds.
             to_timestamp: Epoch timestamp in milliseconds.
-            realm: The realm to retrieve assets from defaulting to MASTER_REALM.
+            realm: The realm to retrieve assets from defaulting to the configured realm.
         Returns:
             list[AssetDatapoint] | None: List of historical data points or None
         """
 
+        if realm is None:
+            realm = self.realm
+
         params = f"{asset_id}/{attribute_name}"
         url = f"{self.openremote_url}/api/{realm}/asset/datapoint/{params}"
 
@@ -219,19 +227,22 @@ def get_historical_datapoints(
                 return None
 
     def write_predicted_datapoints(
-        self, asset_id: str, attribute_name: str, datapoints: list[AssetDatapoint], realm: str = MASTER_REALM
+        self, asset_id: str, attribute_name: str, datapoints: list[AssetDatapoint], realm: str | None = None
     ) -> bool:
         """Write the predicted data points of a given asset attribute.
 
         Args:
             asset_id: The ID of the asset.
             attribute_name: The name of the attribute.
             datapoints: The data points to write.
-            realm: The realm to write the data points to defaulting to MASTER_REALM.
+            realm: The realm to write the data points to defaulting to the configured realm.
         Returns:
             bool: True if successful
         """
 
+        if realm is None:
+            realm = self.realm
+
         params = f"{asset_id}/{attribute_name}"
         url = f"{self.openremote_url}/api/{realm}/asset/predicted/{params}"
 
@@ -254,7 +265,7 @@ def get_predicted_datapoints(
         attribute_name: str,
         from_timestamp: int,
         to_timestamp: int,
-        realm: str = MASTER_REALM,
+        realm: str | None = None,
     ) -> list[AssetDatapoint] | None:
         """Retrieve the predicted data points of a given asset attribute.
 
@@ -263,11 +274,14 @@ def get_predicted_datapoints(
             attribute_name: The name of the attribute.
             from_timestamp: Epoch timestamp in milliseconds.
             to_timestamp: Epoch timestamp in milliseconds.
-            realm: The realm to retrieve assets from defaulting to MASTER_REALM.
+            realm: The realm to retrieve assets from defaulting to the configured realm.
         Returns:
             list[AssetDatapoint] | None: List of predicted data points or None
         """
 
+        if realm is None:
+            realm = self.realm
+
         params = f"{asset_id}/{attribute_name}"
         url = f"{self.openremote_url}/api/{realm}/asset/predicted/{params}"
 
@@ -289,17 +303,21 @@ def get_predicted_datapoints(
                 return None
 
     def asset_query(
-        self, asset_query: dict[str, Any], query_realm: str, realm: str = MASTER_REALM
+        self, asset_query: dict[str, Any], query_realm: str, realm: str | None = None
     ) -> list[BasicAsset] | None:
         """Perform an asset query.
 
         Args:
             asset_query: The asset query dict to send to the OpenRemote API.
             query_realm: The realm for the asset query.
-            realm: The realm to retrieve assets from defaulting to MASTER_REALM.
+            realm: The realm to retrieve assets from defaulting to the configured realm.
         Returns:
             list[Asset] | None: List of assets or None
         """
+
+        if realm is None:
+            realm = self.realm
+
         url = f"{self.openremote_url}/api/{realm}/asset/query"
         request = self.__build_request("POST", url, data=asset_query)
         with httpx.Client(timeout=self.timeout) as client:
@@ -313,39 +331,40 @@ def asset_query(
                 return None
 
     def get_assets_by_ids(
-        self, asset_ids: list[str], query_realm: str, realm: str = MASTER_REALM
+        self, asset_ids: list[str], query_realm: str, realm: str | None = None
     ) -> list[BasicAsset] | None:
         """Retrieve assets by their IDs.
 
         Args:
             asset_ids: The IDs of the assets to retrieve.
             query_realm: The realm for the asset query.
-            realm: The realm to retrieve assets from defaulting to MASTER_REALM.
+            realm: The realm to retrieve assets from defaulting to the configured realm.
 
         Returns:
             list[Asset] | None: List of assets or None
         """
 
+        if realm is None:
+            realm = self.realm
+
         asset_query = {"recursive": False, "realm": {"name": query_realm}, "ids": asset_ids}
         return self.asset_query(asset_query, query_realm, realm)
 
-    def get_realms(self, realm: str = MASTER_REALM) -> list[Realm] | None:
-        """Retrieves all realms.
-
-        Args:
-            realm: The realm to retrieve realms from defaulting to MASTER_REALM.
+    def get_accessible_realms(self) -> list[Realm] | None:
+        """Retrieves all accessible realms for the current authenticated user.
 
         Returns:
             list[Realm] | None: List of realms or None
         """
 
-        url = f"{self.openremote_url}/api/{realm}/realm"
+        url = f"{self.openremote_url}/api/{self.realm}/realm/accessible"
         request = self.__build_request("GET", url)
 
         with httpx.Client(timeout=self.timeout) as client:
             try:
                 response = client.send(request)
                 response.raise_for_status()
+                self.logger.info(f"Accessible realms: {response.json()}")
 
                 return [Realm(**realm) for realm in response.json()]
 
diff --git a/src/service_ml_forecast/config.py b/src/service_ml_forecast/config.py
@@ -64,10 +64,11 @@ class AppEnvironment(BaseSettings):
     ]  # origins to allow
 
     # OpenRemote Settings
-    ML_OR_URL: str = "http://localhost:8080"  # OpenRemote URL
+    ML_OR_URL: str = "http://localhost:8080"  # OpenRemote Manager URL
     ML_OR_KEYCLOAK_URL: str = "http://localhost:8081/auth"  # OpenRemote Keycloak URL
-    ML_OR_SERVICE_USER: str = "serviceuser"  # OpenRemote service user
-    ML_OR_SERVICE_USER_SECRET: str = "secret"  # OpenRemote service user secret
+    ML_OR_REALM: str = "master"  # OpenRemote realm to use for the OpenRemote Manager API
+    ML_OR_SERVICE_USER: str = "serviceuser"  # OpenRemote Manager service user
+    ML_OR_SERVICE_USER_SECRET: str = "secret"  # OpenRemote Manager service user secret
 
     model_config = SettingsConfigDict(case_sensitive=True, env_file=".env", env_file_encoding="utf-8", extra="ignore")
 
diff --git a/src/service_ml_forecast/dependencies.py b/src/service_ml_forecast/dependencies.py
@@ -16,9 +16,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 """
-This module contains the dependency injectors for the service.
-
-The injectors are used to inject the services into the FastAPI app, or other dependencies.
+This module contains the dependency injectors and constants for the service.
 """
 
 import logging
@@ -35,6 +33,7 @@
 __openremote_client = OpenRemoteClient(
     openremote_url=ENV.ML_OR_URL,
     keycloak_url=ENV.ML_OR_KEYCLOAK_URL,
+    realm=ENV.ML_OR_REALM,
     service_user=ENV.ML_OR_SERVICE_USER,
     service_user_secret=ENV.ML_OR_SERVICE_USER_SECRET,
 )
@@ -66,7 +65,7 @@ def get_openremote_issuers() -> list[str] | None:
     """
     try:
         openremote_service = get_openremote_service()
-        realms = openremote_service.get_realms()
+        realms = openremote_service.get_accessible_realms()
 
         if realms is None:
             return None
@@ -82,13 +81,14 @@ def get_openremote_issuers() -> list[str] | None:
 
 # --- Constants ---
 OPENREMOTE_KC_RESOURCE = "openremote"
+OPENREMOTE_CLIENT_ID = "openremote"
 
 # --- OAuth2 Scheme ---
 # This is used to allow authorization via the Docs and Redoc pages
 # Does not validate the token, this should be done via a middleware or manually
 OAUTH2_SCHEME = OAuth2PasswordBearer(
-    tokenUrl=f"{ENV.ML_OR_KEYCLOAK_URL}/realms/master/protocol/openid-connect/token",
+    tokenUrl=f"{ENV.ML_OR_KEYCLOAK_URL}/realms/{ENV.ML_OR_REALM}/protocol/openid-connect/token",
     scopes={"openid": "OpenID Connect", "profile": "User profile", "email": "User email"},
-    description="Login into the OpenRemote Management -- Expected Client ID: 'openremote'",
+    description=f"Login into the OpenRemote {ENV.ML_OR_REALM}'",
     auto_error=False,
 )
diff --git a/src/service_ml_forecast/services/openremote_service.py b/src/service_ml_forecast/services/openremote_service.py
@@ -236,10 +236,10 @@ def get_assets_by_ids(self, realm: str, asset_ids: list[str]) -> list[BasicAsset
 
         return assets
 
-    def get_realms(self) -> list[Realm] | None:
-        """Get all realms from OpenRemote.
+    def get_accessible_realms(self) -> list[Realm] | None:
+        """Get all accessible realms from OpenRemote for the current authenticated user.
 
         Returns:
             A list of all realms from OpenRemote.
         """
-        return self.client.get_realms()
+        return self.client.get_accessible_realms()
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -35,6 +35,7 @@
 # Mock URLs and credentials
 MOCK_OPENREMOTE_URL = "https://openremote.local"
 MOCK_KEYCLOAK_URL = "https://keycloak.local/auth"
+MOCK_KEYCLOAK_REALM = "master"
 MOCK_SERVICE_USER = "service_user"
 MOCK_SERVICE_USER_SECRET = "service_user_secret"
 MOCK_ACCESS_TOKEN = "mock_access_token"
@@ -69,6 +70,7 @@ def openremote_client() -> OpenRemoteClient | None:
         client = OpenRemoteClient(
             openremote_url=ENV.ML_OR_URL,
             keycloak_url=ENV.ML_OR_KEYCLOAK_URL,
+            realm=ENV.ML_OR_REALM,
             service_user=ENV.ML_OR_SERVICE_USER,
             service_user_secret=ENV.ML_OR_SERVICE_USER_SECRET,
         )
@@ -100,6 +102,7 @@ def mock_openremote_client() -> OpenRemoteClient | None:
         client = OpenRemoteClient(
             openremote_url=MOCK_OPENREMOTE_URL,
             keycloak_url=MOCK_KEYCLOAK_URL,
+            realm=MOCK_KEYCLOAK_REALM,
             service_user=MOCK_SERVICE_USER,
             service_user_secret=MOCK_SERVICE_USER_SECRET,
         )
