agentauthlayer 0.1.0__py3-none-any.whl

agent_auth/__init__.py

@@ -0,0 +1,48 @@
+"""agent_auth — reusable authentication and authorization primitives for Agent Auth."""
+
+from agent_auth.auth import principal_fields, principal_from_agent, principal_from_user
+from agent_auth.client import AuthAPIClient
+from agent_auth.context import AuthContext
+from agent_auth.delegation import DelegationGrant
+from agent_auth.exceptions import (
+    AgentAuthError,
+    AgentNotFoundError,
+    AuthServiceError,
+    InvalidTokenError,
+    PermissionDeniedError,
+    RevokedTokenError,
+)
+from agent_auth.models import Agent, TokenClaims, TokenRecord, User, UserClaims
+from agent_auth.policy import PolicyDecision, PolicyEvaluator, PolicyRequest, PolicyStatement, RoleDefinition, require_permission
+from agent_auth.principals import AgentPrincipal, Principal, SystemPrincipal, UserPrincipal, user_scopes_for_role
+
+__all__ = [
+    "Agent",
+    "AgentAuthError",
+    "AgentNotFoundError",
+    "AgentPrincipal",
+    "AuthAPIClient",
+    "AuthContext",
+    "AuthServiceError",
+    "DelegationGrant",
+    "InvalidTokenError",
+    "PermissionDeniedError",
+    "PolicyDecision",
+    "PolicyEvaluator",
+    "PolicyRequest",
+    "PolicyStatement",
+    "Principal",
+    "RevokedTokenError",
+    "RoleDefinition",
+    "SystemPrincipal",
+    "TokenClaims",
+    "TokenRecord",
+    "User",
+    "UserClaims",
+    "UserPrincipal",
+    "principal_fields",
+    "principal_from_agent",
+    "principal_from_user",
+    "require_permission",
+    "user_scopes_for_role",
+]

agent_auth/__main__.py

@@ -0,0 +1,4 @@
+from agent_auth.cli import main
+
+if __name__ == "__main__":
+    main()

agent_auth/agents.py

@@ -0,0 +1,40 @@
+from __future__ import annotations
+
+from typing import Protocol, TypeVar
+
+
+AgentT = TypeVar("AgentT")
+
+
+class AgentStore(Protocol[AgentT]):
+    def save(self, agent: AgentT) -> AgentT:
+        ...
+
+    def get(self, agent_id: str) -> AgentT | None:
+        ...
+
+    def list_all(self, project_id: str | None = None) -> list[AgentT]:
+        ...
+
+
+class AgentIdentityService:
+    """Core agent lifecycle orchestration over a configured agent store."""
+
+    def __init__(self, store: AgentStore[AgentT]):
+        self.store = store
+
+    def save(self, agent: AgentT) -> AgentT:
+        return self.store.save(agent)
+
+    def get(self, agent_id: str) -> AgentT | None:
+        return self.store.get(agent_id)
+
+    def list_agents(self, project_id: str | None = None) -> list[AgentT]:
+        return self.store.list_all(project_id=project_id)
+
+    def update_scopes(self, agent_id: str, scopes: list[str]) -> AgentT | None:
+        agent = self.store.get(agent_id)
+        if not agent:
+            return None
+        agent.scopes = scopes
+        return self.store.save(agent)

agent_auth/audit.py

@@ -0,0 +1,51 @@
+"""agent_auth audit logger — pluggable, default prints to stderr."""
+
+from __future__ import annotations
+
+import json
+import logging
+import sys
+from datetime import datetime, timezone
+from typing import Any, Protocol
+
+logger = logging.getLogger("agent_auth.audit")
+
+
+class AuditBackend(Protocol):
+    """Interface that any custom audit backend must implement."""
+
+    def log(self, event: dict[str, Any]) -> None: ...
+
+
+class StderrAuditBackend:
+    """Default backend — writes JSON lines to stderr."""
+
+    def log(self, event: dict[str, Any]) -> None:
+        line = json.dumps(event, default=str)
+        print(line, file=sys.stderr)
+
+
+class InMemoryAuditBackend:
+    """Keeps events in a list — useful for testing."""
+
+    def __init__(self) -> None:
+        self.events: list[dict[str, Any]] = []
+
+    def log(self, event: dict[str, Any]) -> None:
+        self.events.append(event)
+
+
+class AuditLogger:
+    """Thin wrapper around a backend that stamps every event."""
+
+    def __init__(self, backend: AuditBackend | None = None) -> None:
+        self._backend: AuditBackend = backend or StderrAuditBackend()
+
+    def record(self, event_type: str, **details: Any) -> None:
+        event = {
+            "event": event_type,
+            "ts": datetime.now(timezone.utc).isoformat(),
+            **details,
+        }
+        self._backend.log(event)
+        logger.debug("audit: %s", event)

agent_auth/auth.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from agent_auth.principals import AgentPrincipal, Principal, UserPrincipal, user_scopes_for_role
+
+
+def principal_from_agent(*, agent_id: str, role: str | None = None, scopes: list[str] | None = None, owner: str | None = None, status: str | None = None) -> AgentPrincipal:
+    return AgentPrincipal(
+        principal_id=agent_id,
+        principal_type='agent',
+        role=role,
+        scopes=list(scopes or []),
+        owner=owner,
+        status=status,
+    )
+
+
+def principal_from_user(*, user_id: str, email: str, role: str, scopes: list[str] | None = None, status: str | None = None) -> UserPrincipal:
+    effective_scopes = list(scopes) if scopes is not None else user_scopes_for_role(role)
+    return UserPrincipal(
+        principal_id=user_id,
+        principal_type='user',
+        role=role,
+        scopes=effective_scopes,
+        email=email,
+        status=status,
+    )
+
+
+def principal_fields(principal: Principal) -> tuple[str, str, list[str], str | None, str | None]:
+    return (
+        principal.principal_id,
+        principal.principal_type,
+        list(principal.scopes),
+        principal.role,
+        principal.email,
+    )

agent_auth/cli.py

@@ -0,0 +1,28 @@
+import argparse
+import sys
+import uvicorn
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Agent Auth Platform CLI - Manage and run the control plane.",
+        prog="agent-auth"
+    )
+    subparsers = parser.add_subparsers(dest="command", help="Available commands")
+
+    # The "ui" command (like "mlflow ui")
+    ui_parser = subparsers.add_parser("ui", help="Launch the integrated Auth API and React Dashboard")
+    ui_parser.add_argument("--host", default="0.0.0.0", help="Host to bind to (default: 0.0.0.0)")
+    ui_parser.add_argument("--port", type=int, default=8002, help="Port to bind to (default: 8002)")
+    ui_parser.add_argument("--reload", action="store_true", help="Enable auto-reload for development")
+
+    args = parser.parse_args()
+
+    if args.command == "ui":
+        print(f"Starting Agent Auth UI & Control Plane on http://{args.host}:{args.port}")
+        uvicorn.run("auth_app.main:app", host=args.host, port=args.port, reload=args.reload)
+    else:
+        parser.print_help()
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()

agent_auth/client.py

@@ -0,0 +1,107 @@
+from __future__ import annotations
+
+import os
+from typing import Any
+
+import requests
+
+from agent_auth.context import AuthContext
+from agent_auth.exceptions import (
+    AgentNotFoundError,
+    AuthServiceError,
+    InvalidTokenError,
+    PermissionDeniedError,
+    RevokedTokenError,
+)
+
+
+class AuthAPIClient:
+    """Thin SDK client for talking to the Agent Auth control plane."""
+
+    def __init__(self, base_url: str | None = None, token: str | None = None, timeout: int = 30) -> None:
+        self.base_url = (base_url or os.getenv("AGENT_AUTH_URL") or "http://127.0.0.1:8002").rstrip("/")
+        self.token = token or os.getenv("AGENT_AUTH_TOKEN")
+        self.timeout = timeout
+
+    def _headers(self) -> dict[str, str]:
+        headers = {"Content-Type": "application/json"}
+        if self.token:
+            headers["Authorization"] = f"Bearer {self.token}"
+        return headers
+
+    def _request(self, method: str, path: str, json: dict[str, Any] | None = None) -> Any:
+        response = requests.request(
+            method,
+            f"{self.base_url}{path}",
+            json=json,
+            headers=self._headers(),
+            timeout=self.timeout,
+        )
+
+        if response.ok:
+            if not response.content:
+                return None
+            return response.json()
+
+        detail = None
+        try:
+            detail = response.json().get("detail")
+        except Exception:
+            detail = response.text or "Request failed"
+
+        if response.status_code == 401:
+            if detail and ("revoked" in detail.lower() or "inactive" in detail.lower()):
+                raise RevokedTokenError(detail)
+            raise InvalidTokenError(detail or "Invalid token")
+        if response.status_code == 403:
+            raise PermissionDeniedError(detail or "Permission denied")
+        if response.status_code == 404 and path.startswith("/agents/"):
+            raise AgentNotFoundError(detail or "Agent not found")
+        raise AuthServiceError(detail or f"Request failed with status {response.status_code}")
+
+    def health(self) -> dict[str, Any]:
+        return self._request("GET", "/health")
+
+    def create_agent(self, agent_id: str, name: str, owner: str, role: str, scopes: list[str], project_id: str | None = None) -> dict[str, Any]:
+        payload = {
+            "agent_id": agent_id,
+            "name": name,
+            "owner": owner,
+            "role": role,
+            "scopes": scopes,
+        }
+        if project_id:
+            payload["project_id"] = project_id
+        return self._request("POST", "/agents", json=payload)
+
+    def get_agent(self, agent_id: str) -> dict[str, Any]:
+        return self._request("GET", f"/agents/{agent_id}")
+
+    def issue_token(self, agent_id: str) -> dict[str, Any]:
+        return self._request("POST", "/auth/token", json={"agent_id": agent_id})
+
+    def sync_tools(self, permissions: list[dict[str, str]]) -> dict[str, Any]:
+        return self._request("POST", "/policy/permissions/sync", json={"permissions": permissions})
+
+    def evaluate(self, principal_id: str, action: str, resource: str | None = None, granted_scopes: list[str] | None = None, role: str | None = None, context: dict[str, str] | None = None) -> dict[str, Any]:
+        return self._request(
+            "POST",
+            "/policy/evaluate",
+            json={
+                "principal_id": principal_id,
+                "action": action,
+                "resource": resource,
+                "granted_scopes": granted_scopes or [],
+                "role": role,
+                "context": context or {},
+            },
+        )
+
+    def auth_context(self, principal_id: str, scopes: list[str], role: str | None = None, principal_type: str = "agent", email: str | None = None) -> AuthContext:
+        return AuthContext(
+            principal_id=principal_id,
+            principal_type=principal_type,
+            scopes=scopes,
+            role=role,
+            email=email,
+        )

agent_auth/context.py

@@ -0,0 +1,21 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+
+@dataclass(slots=True)
+class AuthContext:
+    principal_id: str
+    principal_type: str
+    jti: str
+    scopes: list[str] = field(default_factory=list)
+    role: str | None = None
+    email: str | None = None
+
+    @property
+    def subject_id(self) -> str:
+        return self.principal_id
+
+    @property
+    def subject_type(self) -> str:
+        return self.principal_type