PyPI - aixtools - Versions diffs - 0.2.5__tar.gz → 0.2.7__tar.gz - Mend

aixtools 0.2.5tar.gz → 0.2.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of aixtools might be problematic. Click here for more details.

Files changed (97) hide show

{aixtools-0.2.5 → aixtools-0.2.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aixtools
-Version: 0.2.5
+Version: 0.2.7
 Summary: Tools for AI exploration and debugging
 Requires-Python: >=3.11.2
 Description-Content-Type: text/markdown

{aixtools-0.2.5 → aixtools-0.2.7}/aixtools/_version.py RENAMED Viewed

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
-__version__ = version = '0.2.5'
-__version_tuple__ = version_tuple = (0, 2, 5)
+__version__ = version = '0.2.7'
+__version_tuple__ = version_tuple = (0, 2, 7)
-__commit_id__ = commit_id = 'g7354090ce'
+__commit_id__ = commit_id = 'gb47ecb535'

{aixtools-0.2.5 → aixtools-0.2.7}/aixtools/a2a/google_sdk/utils.py RENAMED Viewed

@@ -1,3 +1,5 @@
+"""Utilities for handling A2A SDK agent cards and connections."""
 import asyncio
 import httpx
@@ -8,13 +10,34 @@ from a2a.utils import AGENT_CARD_WELL_KNOWN_PATH, PREV_AGENT_CARD_WELL_KNOWN_PAT
 from aixtools.a2a.google_sdk.remote_agent_connection import RemoteAgentConnection
 from aixtools.context import DEFAULT_SESSION_ID, DEFAULT_USER_ID, SessionIdTuple
+from aixtools.logging.logging_config import get_logger
+logger = get_logger(__name__)
+DEFAULT_A2A_TIMEOUT = 60.0
 class AgentCardLoadFailedError(Exception):
     pass
+async def get_agent_card(client: httpx.AsyncClient, address: str) -> AgentCard:
+    """Retrieve the agent card from the given agent address."""
+    for card_path in [AGENT_CARD_WELL_KNOWN_PATH, PREV_AGENT_CARD_WELL_KNOWN_PATH]:
+        try:
+            card_resolver = A2ACardResolver(client, address, card_path)
+            card = await card_resolver.get_agent_card()
+            card.url = address
+            return card
+        except Exception as e:
+            logger.warning(f"Error retrieving agent card from {address} at path {card_path}: {e}")
+    raise AgentCardLoadFailedError(f"Failed to load agent card from {address}")
 class _AgentCardResolver:
+    """Helper class to resolve and manage agent cards and their connections."""
     def __init__(self, client: httpx.AsyncClient):
         self._httpx_client = client
         self._a2a_client_factory = ClientFactory(ClientConfig(httpx_client=self._httpx_client))
@@ -25,17 +48,13 @@ class _AgentCardResolver:
         self.clients[card.name] = remote_connection
     async def retrieve_card(self, address: str):
-        for card_path in [AGENT_CARD_WELL_KNOWN_PATH, PREV_AGENT_CARD_WELL_KNOWN_PATH]:
-            try:
-                card_resolver = A2ACardResolver(self._httpx_client, address, card_path)
-                card = await card_resolver.get_agent_card()
-                card.url = address
-                self.register_agent_card(card)
-                return
-            except Exception as e:
-                print(f"Error retrieving agent card from {address} at path {card_path}: {e}")
-        raise AgentCardLoadFailedError(f"Failed to load agent card from {address}")
+        try:
+            card = await get_agent_card(self._httpx_client, address)
+            self.register_agent_card(card)
+            return
+        except Exception as e:
+            logger.error(f"Error retrieving agent card from {address}: {e}")
+            return
     async def get_a2a_clients(self, agent_hosts: list[str]) -> dict[str, RemoteAgentConnection]:
         async with asyncio.TaskGroup() as task_group:
@@ -45,15 +64,19 @@ class _AgentCardResolver:
         return self.clients
-async def get_a2a_clients(ctx: SessionIdTuple, agent_hosts: list[str]) -> dict[str, RemoteAgentConnection]:
+async def get_a2a_clients(
+    ctx: SessionIdTuple, agent_hosts: list[str], *, timeout: float = DEFAULT_A2A_TIMEOUT
+) -> dict[str, RemoteAgentConnection]:
+    """Get A2A clients for all agents defined in the configuration."""
     headers = {
         "user-id": ctx[0],
         "session-id": ctx[1],
     }
-    httpx_client = httpx.AsyncClient(headers=headers, timeout=60.0)
+    httpx_client = httpx.AsyncClient(headers=headers, timeout=timeout, follow_redirects=True)
     return await _AgentCardResolver(httpx_client).get_a2a_clients(agent_hosts)
 def get_session_id_tuple(context: RequestContext) -> SessionIdTuple:
+    """Get the user_id, session_id tuple from the request context."""
     headers = context.call_context.state.get("headers", {})
     return headers.get("user-id", DEFAULT_USER_ID), headers.get("session-id", DEFAULT_SESSION_ID)

aixtools-0.2.7/aixtools/auth/auth.py ADDED Viewed

@@ -0,0 +1,149 @@
+"""
+Module that manages OAuth2 functions for authentication
+"""
+import enum
+import logging
+import jwt
+from fastapi import HTTPException
+from jwt import ExpiredSignatureError, InvalidAudienceError, InvalidIssuerError, InvalidSignatureError, PyJWKClient
+from aixtools.utils import config
+logger = logging.getLogger(__name__)
+class AuthTokenErrorCode(str, enum.Enum):
+    """Enum for error codes returned by the AuthTokenError exception."""
+    TOKEN_EXPIRED = "Token expired"
+    INVALID_AUDIENCE = "Token not for expected audience"
+    INVALID_ISSUER = "Token not for expected issuer"
+    INVALID_SIGNATURE = "Token signature error"
+    INVALID_TOKEN = "Invalid token"
+    JWT_ERROR = "Generic JWT error"
+    MISSING_GROUPS_ERROR = "Missing authorized groups"
+    INVALID_TOKEN_SCOPE = "Token scope does not match configured scope"
+class AuthTokenError(Exception):
+    """Exception raised for authentication token errors."""
+    def __init__(self, error_code: AuthTokenErrorCode, msg: str = None):
+        self.error_code = error_code
+        error_msg = error_code.value if msg is None else msg
+        super().__init__(error_msg)
+    def to_http_exception(self, required_scope: str = None, realm: str = "MCP") -> HTTPException:
+        """
+        Returns an HTTPException with 401 status for all AuthTokenErrorCode,
+        including MCP JSON body and WWW-Authenticate header.
+        """
+        status_code = 401
+        www_error = (
+            "insufficient_scope" if self.error_code == AuthTokenErrorCode.INVALID_TOKEN_SCOPE else "invalid_token"
+        )
+        header_value = f'Bearer realm="{realm}", error="{www_error}", error_description="{self.error_code.value}"'
+        if self.error_code == AuthTokenErrorCode.INVALID_TOKEN_SCOPE and required_scope:
+            header_value += f', scope="{required_scope}"'
+        detail = {"error": {"code": self.error_code.name, "message": self.error_code.value}}
+        if self.error_code == AuthTokenErrorCode.INVALID_TOKEN_SCOPE and required_scope:
+            detail["error"]["required_scope"] = required_scope
+        return HTTPException(status_code=status_code, detail=detail, headers={"WWW-Authenticate": header_value})
+class AccessTokenVerifier:
+    """
+    Verifies Microsoft SSO JWT token against the configured Tenant ID, Audience, API ID and Issuer URL.
+    """
+    def __init__(self):
+        tenant_id = config.APP_TENANT_ID
+        self.api_id = config.APP_API_ID
+        self.issuer_url = f"https://sts.windows.net/{tenant_id}/"
+        self.authorized_groups = set(config.APP_AUTHORIZED_GROUPS.split(",")) if config.APP_AUTHORIZED_GROUPS else set()
+        if not self.authorized_groups:
+            logger.warning("No authorized groups configured")
+        # Azure AD endpoints
+        jwks_url = f"https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys"
+        self.jwks_client = PyJWKClient(
+            uri=jwks_url,
+            # cache keys url response to reduce SSO server network calls,
+            # as public keys are not expected to change frequently
+            cache_jwk_set=True,
+            # cache resolved public keys
+            cache_keys=True,
+            # cache url response for 10 hours
+            lifespan=36000,
+        )
+        logger.info("Using JWKS: %s", jwks_url)
+    def verify(self, token: str) -> dict:
+        """
+        Verifies The JWT access token and returns decoded claims as a dictionary if the token is
+        valid, otherwise raises an AuthTokenError
+        """
+        try:
+            signing_key = self.jwks_client.get_signing_key_from_jwt(token)
+            logger.info("Verifying JWT token")
+            claims = jwt.decode(
+                token,
+                signing_key.key,
+                algorithms=["RS256"],
+                audience=self.api_id,
+                issuer=self.issuer_url,
+                # ensure audience verification is carried out
+                options={"verify_aud": True},
+            )
+            logger.info("Verified JWT token")
+            return claims
+        except ExpiredSignatureError as e:
+            raise AuthTokenError(AuthTokenErrorCode.TOKEN_EXPIRED) from e
+        except InvalidAudienceError as e:
+            raise AuthTokenError(AuthTokenErrorCode.INVALID_AUDIENCE) from e
+        except InvalidIssuerError as e:
+            raise AuthTokenError(AuthTokenErrorCode.INVALID_ISSUER) from e
+        except InvalidSignatureError as e:
+            raise AuthTokenError(AuthTokenErrorCode.INVALID_SIGNATURE) from e
+        except jwt.exceptions.PyJWTError as e:
+            raise AuthTokenError(AuthTokenErrorCode.JWT_ERROR) from e
+    def authorize_claims(self, claims: dict, expected_scope: str):
+        """
+        Authorize claims based on token scope, expected scope and authorized groups
+        claims: decoded JWT claims
+        expected_scope: expected scope for the token
+        Raises AuthTokenError if authorization fails.
+        """
+        logger.info("Checking JWT token claims")
+        if expected_scope:
+            token_scopes = claims.get("scp", "").split()
+            if expected_scope not in token_scopes:
+                logger.error("Expected token scope: %s, got: %s", expected_scope, token_scopes)
+                raise AuthTokenError(
+                    AuthTokenErrorCode.INVALID_TOKEN_SCOPE,
+                    f"Expected token scope: {expected_scope}, got: {token_scopes}",
+                )
+        if not self.authorized_groups:
+            logger.info("Authorized JWT token, no authorized groups configured")
+            return
+        groups = claims.get("groups", [])
+        if self.authorized_groups & set(groups):
+            logger.info("Authorized JWT token, against %s", groups)
+            return
+        logger.error("Could not find any group in JWT token, matching: %s", self.authorized_groups)
+        raise AuthTokenError(
+            AuthTokenErrorCode.MISSING_GROUPS_ERROR,
+            f"Could not find any group in JWT token, matching: {self.authorized_groups}",
+        )

{aixtools-0.2.5 → aixtools-0.2.7}/aixtools/utils/config.py RENAMED Viewed

@@ -135,5 +135,6 @@ APP_CLIENT_ID = get_variable_env("APP_CLIENT_ID")
 # used for token audience check
 APP_API_ID = get_variable_env("APP_API_ID")
 APP_TENANT_ID = get_variable_env("APP_TENANT_ID")
-# used for token issuer check
-APP_ISSUER_URL = get_variable_env("APP_ISSUER_URL")
+# used for token authorization check
+APP_AUTHORIZED_GROUPS = get_variable_env("APP_AUTHORIZED_GROUPS", allow_empty=True)

aixtools-0.2.5/aixtools/auth/auth.py DELETED Viewed

@@ -1,70 +0,0 @@
-"""
-Module that manages OAuth2 functions for authentication
-"""
-import logging
-import jwt
-from jwt import ExpiredSignatureError, InvalidAudienceError, InvalidIssuerError, PyJWKClient
-from aixtools.utils import config
-logger = logging.getLogger(__name__)
-class AuthTokenError(Exception):
-    """Exception raised for authentication token errors."""
-# pylint: disable=too-few-public-methods
-class AccessTokenVerifier:
-    """
-    Verifies Microsoft SSO JWT token against the configured Tenant ID, Audience, API ID and Issuer URL.
-    """
-    def __init__(self):
-        tenant_id = config.APP_TENANT_ID
-        self.api_id = config.APP_API_ID
-        self.issuer_url = config.APP_ISSUER_URL
-        # Azure AD endpoints
-        jwks_url = f"https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys"
-        self.jwks_client = PyJWKClient(
-            uri=jwks_url,
-            # cache keys url response to reduce SSO server network calls,
-            # as public keys are not expected to change frequently
-            cache_jwk_set=True,
-            # cache resolved public keys
-            cache_keys=True,
-            # cache url response for 10 hours
-            lifespan=36000,
-        )
-        logger.info("Using JWKS: %s", jwks_url)
-    def verify(self, token: str) -> dict:
-        """
-        Verifies The JWT access token and returns decoded claims as a dictionary if the token is
-        valid, otherwise raises an AuthTokenError
-        """
-        try:
-            signing_key = self.jwks_client.get_signing_key_from_jwt(token)
-            claims = jwt.decode(
-                token,
-                signing_key.key,
-                algorithms=["RS256"],
-                audience=self.api_id,
-                issuer=self.issuer_url,
-                # ensure audience verification is carried out
-                options={"verify_aud": True},
-            )
-            return claims
-        except ExpiredSignatureError as e:
-            raise AuthTokenError("Token expired") from e
-        except InvalidAudienceError as e:
-            raise AuthTokenError(f"Token not for expected audience: {e}") from e
-        except InvalidIssuerError as e:
-            raise AuthTokenError(f"Token not for expected issuer: {e}") from e
-        except jwt.exceptions.PyJWTError as e:
-            raise AuthTokenError(f"Invalid token: {e}") from e