RubyGems - kessel-sdk - Versions diffs - 1.0.0 → 1.1.0 - Mend

kessel-sdk 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f43583b533d5d6a129442d7ec9ace5ff0a868873825202638b49fe249aa84dc4
-  data.tar.gz: 3df5445af055fc5f47f092dce4c374a1aa55fa7a62e5d33d85759d4563c2a03f
+  metadata.gz: d150b6fc61112dddb8c412f6335ab567d09d44c47397dafcc7a81b0ec36743fa
+  data.tar.gz: c79b0372619792f47b8909fe559944af8d19e0a33f67c8ac3525f2b44b3693fb
 SHA512:
-  metadata.gz: fc5b79adf8619a5a3e7046f915fb0216da469f98e389a3d4cf7b938959fe6376d9626d7592bdd4d275c8716e2ebdcc5cfc9fae4dc7f73c0b87a0952fb9199682
-  data.tar.gz: 0bae7e47c009b42b469dbda597785837d0a476b00b10d775c441653da7ec2019f682c20e2ddb6839d7155ee7f200897009b93651b99f9f60bfb89df777cc3c45
+  metadata.gz: 269123d3b2699c7dc0d8ad3329dbc7d03751c3dda6ff6a52e908f2a242867d7d4fc69770a1da37fb35972d17a9d7e588607bb97364530005822285c55769eb44
+  data.tar.gz: 6623de8660da4b3ed71deb2ae2fa4a96093a543a6fdba3c06796d48e2aa124b2eaf06603564e50ab25c663566374503d5f9230e4d3bb10f290cf0667e17c426e

data/README.md CHANGED Viewed

@@ -1,5 +1,7 @@
 # Kessel SDK for Ruby
+[![CI](https://github.com/project-kessel/kessel-sdk-ruby/actions/workflows/ci.yml/badge.svg)](https://github.com/project-kessel/kessel-sdk-ruby/actions/workflows/ci.yml)
 A Ruby gRPC library for connecting to [Project Kessel](https://github.com/project-kessel) services. This provides the foundational gRPC client library for Kessel Inventory API, with plans for a higher-level SDK with fluent APIs, OAuth support, and advanced features in future releases.
 ## Installation
@@ -22,6 +24,15 @@ Or install it yourself as:
 gem install kessel-sdk
 ```
+## Authentication (Optional)
+The SDK supports OAuth 2.0 Client Credentials flow. To use authentication features, add the OpenID Connect gem:
+```ruby
+gem 'kessel-sdk'
+gem 'openid_connect', '~> 2.0'  # Optional - only for authentication
+```
 ## Usage
 This library provides direct access to Kessel Inventory API gRPC services. All generated classes are available under the `Kessel::Inventory` module.
@@ -130,11 +141,22 @@ All protobuf message classes are generated and available. Key classes include:
 See the `examples/` directory for complete working examples.
+## Type Safety
+This library includes RBS type signatures for enhanced type safety in Ruby. The type definitions are located in the `sig/` directory and cover:
+- Core library interfaces
+- Configuration structures
+- OAuth authentication classes
+- gRPC client builders
+To use with type checkers like Steep or Sorbet, ensure the `sig/` directory is in your type checking configuration.
 ## Development
 ### Prerequisites
-- Ruby 3.3 or higher
+- Ruby 3.3 or higher
 - [buf](https://buf.build) for protobuf/gRPC code generation
 Install buf:
@@ -158,6 +180,22 @@ bundle install
 buf generate
 ```
+### Testing
+```bash
+# Run tests
+bundle exec rspec
+# Run with coverage
+COVERAGE=1 bundle exec rspec
+# Run linting
+bundle exec rubocop
+# Security audit
+bundle exec bundle-audit
+```
 ### Code Generation
 This library uses [buf](https://buf.build) to generate Ruby gRPC code from the official Kessel Inventory API protobuf definitions hosted at `buf.build/project-kessel/inventory-api`.

data/lib/kessel/auth.rb ADDED Viewed

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+require 'grpc'
+require 'kessel/version'
+module Kessel
+  # OpenID Connect authentication module for Kessel services.
+  #
+  # This module provides OIDC Client Credentials flow authentication
+  # with automatic discovery. Works seamlessly with OIDC-compliant providers.
+  #
+  # @example Basic usage
+  #   auth = Kessel::Auth::OAuth2ClientCredentials.new.new(
+  #     client_id: 'my-app',
+  #     client_secret: 'secret',
+  #     token_endpoint: 'https://my-domain/auth/realms/my-realm/protocol/openid-connect/token'
+  #   )
+  #   token = auth.get_token
+  #
+  # @author Project Kessel
+  # @since 1.0.0
+  module Auth
+    EXPIRATION_WINDOW = 300 # 5 minutes in seconds
+    DEFAULT_EXPIRES_IN = 3600 # 1 hour in seconds
+    # Exception raised when OAuth functionality is requested but dependencies are missing.
+    class OAuthDependencyError < StandardError
+      # Creates a new OAuth dependency error.
+      #
+      # @param message [String] Error message describing the missing dependency
+      def initialize(message = 'OAuth functionality requires the openid_connect gem')
+        super
+      end
+    end
+    # Exception raised when OAuth authentication fails.
+    class OAuthAuthenticationError < StandardError
+      # Creates a new OAuth authentication error.
+      #
+      # @param message [String] Error message describing the authentication failure
+      def initialize(message = 'OAuth authentication failed')
+        super
+      end
+    end
+    OIDCDiscoveryMetadata = Struct.new(:token_endpoint)
+    RefreshTokenResponse = Struct.new(:access_token, :expires_at)
+    def fetch_oidc_discovery(provider_url)
+      check_dependencies!
+      discovery = ::OpenIDConnect::Discovery::Provider::Config.discover!(provider_url)
+      OIDCDiscoveryMetadata.new(discovery.token_endpoint)
+    rescue StandardError => e
+      raise OAuthAuthenticationError, "Failed to discover OIDC configuration from #{provider_url}: #{e.message}"
+    end
+    # Checks if the openid_connect gem is available.
+    #
+    # @raise [OAuthDependencyError] if openid_connect gem is missing
+    # @api private
+    private
+    def check_dependencies!
+      require 'openid_connect'
+    rescue LoadError
+      raise OAuthDependencyError,
+            'OAuth functionality requires the openid_connect gem. Add "gem \'openid_connect\'" to your Gemfile.'
+    end
+    # OpenID Connect Client Credentials flow implementation using discovery.
+    #
+    # This provides a secure OIDC Client Credentials flow implementation with
+    # automatic endpoint discovery. Works seamlessly with OIDC-compliant providers
+    # that support discovery.
+    #
+    # @example
+    #   oauth = OAuth2ClientCredentials.new(
+    #     client_id: 'kessel-client',
+    #     client_secret: 'super-secret-key',
+    #     token_endpoint: 'https://my-domain/auth/realms/my-realm/protocol/openid-connect/token'
+    #   )
+    #
+    #   # Get current access token (automatically cached and refreshed)
+    #   token = oauth.get_token
+    class OAuth2ClientCredentials
+      include Kessel::Auth
+      # Creates a new OIDC client with specified token endpoint.
+      #
+      # @param client_id [String] OIDC client identifier
+      # @param client_secret [String] OIDC client secret
+      # @param token_endpoint [String] OIDC token endpoint URL
+      #
+      # @raise [OAuthDependencyError] if the openid_connect gem is not available
+      # @raise [OAuthAuthenticationError] if authentication fails
+      #
+      # @example
+      #   oauth = OAuth2ClientCredentials.new(
+      #     client_id: 'my-app',
+      #     client_secret: 'secret',
+      #     token_endpoint: 'https://my-domain/auth/realms/my-realm/protocol/openid-connect/token'
+      #   )
+      def initialize(client_id:, client_secret:, token_endpoint:)
+        check_dependencies!
+        @client_id = client_id
+        @client_secret = client_secret
+        @token_endpoint = token_endpoint
+        @token_mutex = Mutex.new
+      end
+      # Gets the current access token with automatic caching and refresh.
+      #
+      # Uses OIDC Client Credentials flow with automatic token caching,
+      # expiration checking, and refresh logic.
+      #
+      # @return [RefreshTokenResponse] A valid access token
+      # @raise [OAuthAuthenticationError] if token acquisition fails
+      #
+      # @example
+      #   token = oauth.get_token
+      #   # Use token in Authorization header: "Bearer #{token}"
+      def get_token(force_refresh: false)
+        return @cached_token if !force_refresh && token_valid?
+        @token_mutex.synchronize do
+          @cached_token = nil if force_refresh
+          # Double-check: another thread might have refreshed the token
+          return @cached_token if token_valid?
+          @cached_token = refresh
+          return @cached_token
+        rescue StandardError => e
+          raise OAuthAuthenticationError, "Failed to obtain client credentials token: #{e.message}"
+        end
+      end
+      private
+      def refresh
+        client = create_oidc_client
+        request_params = {
+          grant_type: 'client_credentials',
+          client_id: @client_id,
+          client_secret: @client_secret
+        }
+        token_data = client.access_token!(request_params)
+        RefreshTokenResponse.new(
+          access_token: token_data.access_token,
+          expires_at: Time.now + (token_data.expires_in || DEFAULT_EXPIRES_IN)
+        ).freeze
+      end
+      # Checks if we have a valid cached token.
+      #
+      # @return [Boolean] true if token exists and not expired
+      def token_valid?
+        return false unless @cached_token
+        expires_at = @cached_token['expires_at']
+        return false unless expires_at
+        Time.now.to_i + EXPIRATION_WINDOW < expires_at.to_i
+      rescue StandardError
+        false
+      end
+      # Creates an OIDC client using discovered configuration.
+      #
+      # @return [OpenIDConnect::Client] Configured OIDC client
+      # @api private
+      def create_oidc_client
+        ::OpenIDConnect::Client.new(
+          identifier: @client_id,
+          secret: @client_secret,
+          token_endpoint: @token_endpoint
+        )
+      end
+    end
+  end
+end

data/lib/kessel/grpc.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+require 'kessel/auth'
+require 'grpc'
+module Kessel
+  module GRPC
+    def oauth2_call_credentials(auth)
+      call_credentials_proc = proc do |metadata|
+        token = auth.get_token
+        metadata.merge('authorization' => "Bearer #{token.access_token}")
+      end
+      ::GRPC::Core::CallCredentials.new(call_credentials_proc)
+    end
+  end
+end

data/lib/kessel/version.rb CHANGED Viewed

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
 module Kessel
   module Inventory
-    VERSION = "1.0.0".freeze
+    VERSION = '1.1.0'
   end
 end

data/lib/kessel-sdk.rb CHANGED Viewed

@@ -1,3 +1,9 @@
-Dir.glob(File.join(__dir__, '**', '*_services_pb.rb')).sort.each do |file|
+# frozen_string_literal: true
+require 'kessel/version'
+require 'kessel/grpc'
+require 'kessel/auth'
+Dir.glob(File.join(__dir__, '**', '*_services_pb.rb')).each do |file|
   require file.sub(__dir__ + File::SEPARATOR, '')
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kessel-sdk
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Project Kessel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-16 00:00:00.000000000 Z
+date: 2025-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -24,6 +24,174 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.73.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.57'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.57'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rackup
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: steep
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.10.0
+- !ruby/object:Gem::Dependency
+  name: typeprof
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.30.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.30.1
 description: This is the official Ruby SDK for [Project Kessel](https://github.com/project-kessel),
   a system for unifying APIs and experiences with fine-grained authorization, common
   inventory, and CloudEvents.
@@ -41,6 +209,8 @@ files:
 - lib/google/api/field_behavior_pb.rb
 - lib/google/api/http_pb.rb
 - lib/kessel-sdk.rb
+- lib/kessel/auth.rb
+- lib/kessel/grpc.rb
 - lib/kessel/inventory/v1/health_pb.rb
 - lib/kessel/inventory/v1/health_services_pb.rb
 - lib/kessel/inventory/v1beta1/authz/check_pb.rb
@@ -94,8 +264,8 @@ licenses:
 - Apache-2.0
 metadata:
   homepage_uri: https://github.com/project-kessel/kessel-sdk-ruby
-  source_code_uri: https://github.com/project-kessel/kessel-sdk-ruby
   bug_tracker_uri: https://github.com/project-kessel/kessel-sdk-ruby/issues
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths: