appmesh 1.4.5__py3-none-any.whl → 1.4.7__py3-none-any.whl

appmesh/http_client.py

@@ -14,6 +14,7 @@ import requests
 from .app import App
 from .app_run import AppRun
 from .app_output import AppOutput
+from .keycloak import KeycloakClient
 
 
 class AppMeshClient(metaclass=abc.ABCMeta):
@@ -131,6 +132,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         rest_ssl_client_cert=(DEFAULT_SSL_CLIENT_CERT_PATH, DEFAULT_SSL_CLIENT_KEY_PATH) if os.path.exists(DEFAULT_SSL_CLIENT_CERT_PATH) else None,
         rest_timeout=(60, 300),
         jwt_token=None,
+        oauth2_config=None,
     ):
         """Initialize an App Mesh HTTP client for interacting with the App Mesh server via secure HTTPS.
 
@@ -152,8 +154,14 @@ class AppMeshClient(metaclass=abc.ABCMeta):
 
             jwt_token (str, optional): JWT token for API authentication, used in headers to authorize requests where required.
 
+            oauth2 (Dict[str, Any], optional): Keycloak configuration for oauth2 authentication:
+                - server_url: Keycloak server URL (e.g. "https://keycloak.example.com")
+                - realm: Keycloak realm
+                - client_id: Keycloak client ID
+                - client_secret: Keycloak client secret (optional)
         """
 
+        self.session = requests.Session()
         self.server_url = rest_url
         self._jwt_token = jwt_token
         self.ssl_verify = rest_ssl_verify
@@ -161,6 +169,33 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         self.rest_timeout = rest_timeout
         self._forward_to = None
 
+        # Keycloak integration
+        self._keycloak_client = None
+        if oauth2_config:
+            self._keycloak_client = KeycloakClient(
+                server_url=oauth2_config.get("server_url"),
+                realm=oauth2_config.get("realm"),
+                client_id=oauth2_config.get("client_id"),
+                client_secret=oauth2_config.get("client_secret"),
+                ssl_verify=oauth2_config.get("ssl_verify", self.ssl_verify),
+                timeout=oauth2_config.get("timeout", (30, 60)),
+            )
+            
+    def close(self):
+        """Close the session and release resources."""
+        if hasattr(self, 'session'):
+            self.session.close()
+        if self._keycloak_client and hasattr(self._keycloak_client, 'close'):
+            self._keycloak_client.close()
+            
+    def __enter__(self):
+        """Support for context manager protocol."""
+        return self
+        
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        """Support for context manager protocol, ensuring resources are released."""
+        self.close()
+
     @property
     def jwt_token(self) -> str:
         """Get the current JWT (JSON Web Token) used for authentication.
@@ -266,6 +301,12 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             str: JWT token.
         """
+        # Keycloak authentication if configured
+        if self._keycloak_client:
+            self.jwt_token = self._keycloak_client.authenticate(user_name, user_pwd)
+            return self.jwt_token
+
+        # Standard App Mesh authentication
         self.jwt_token = None
         resp = self._request_http(
             AppMeshClient.Method.POST,
@@ -279,38 +320,57 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         if resp.status_code == HTTPStatus.OK:
             if "Access-Token" in resp.json():
                 self.jwt_token = resp.json()["Access-Token"]
-        elif resp.status_code == HTTPStatus.UNAUTHORIZED and "Totp-Challenge" in resp.json():
+        elif resp.status_code == HTTPStatus.PRECONDITION_REQUIRED and "Totp-Challenge" in resp.json():
             challenge = resp.json()["Totp-Challenge"]
-            resp = self._request_http(
-                AppMeshClient.Method.POST,
-                path="/appmesh/totp/validate",
-                header={
-                    "Username": base64.b64encode(user_name.encode()).decode(),
-                    "Totp-Challenge": base64.b64encode(challenge.encode()).decode(),
-                    "Totp": totp_code,
-                    "Expire-Seconds": self._parse_duration(timeout_seconds),
-                },
-            )
-            if resp.status_code == HTTPStatus.OK:
-                if "Access-Token" in resp.json():
-                    self.jwt_token = resp.json()["Access-Token"]
-            else:
-                raise Exception(resp.text)
+            self.validate_totp(user_name, challenge, totp_code, timeout_seconds)
         else:
             raise Exception(resp.text)
         return self.jwt_token
 
+    def validate_totp(self, username: str, challenge: str, code: str, timeout: Union[int, str] = DURATION_ONE_WEEK_ISO) -> str:
+        """Validate TOTP challenge and obtain a new JWT token.
+
+        Args:
+            username (str): Username to validate
+            challenge (str): Challenge string from server
+            code (str): TOTP code to validate
+            timeout (Union[int, str], optional): Token expiry timeout.
+                Accepts ISO 8601 duration format (e.g., 'P1Y2M3DT4H5M6S', 'P1W') or seconds.
+                Defaults to DURATION_ONE_WEEK_ISO.
+
+        Returns:
+            str: New JWT token if validation succeeds
+
+        Raises:
+            Exception: If validation fails or server returns error
+        """
+        resp = self._request_http(
+            AppMeshClient.Method.POST,
+            path="/appmesh/totp/validate",
+            header={
+                "Username": base64.b64encode(username.encode()).decode(),
+                "Totp": code,
+                "Totp-Challenge": base64.b64encode(challenge.encode()).decode(),
+                "Expire-Seconds": self._parse_duration(timeout),
+            },
+        )
+        if resp.status_code == HTTPStatus.OK:
+            if "Access-Token" in resp.json():
+                self.jwt_token = resp.json()["Access-Token"]
+                return self.jwt_token
+        raise Exception(resp.text)
+
     def logoff(self) -> bool:
         """Log out of the current session from the server.
 
         Returns:
             bool: logoff success or failure.
         """
-        resp = self._request_http(AppMeshClient.Method.POST, path="/appmesh/self/logoff")
-        if resp.status_code != HTTPStatus.OK:
-            raise Exception(resp.text)
-        self.jwt_token = None
-        return resp.status_code == HTTPStatus.OK
+        if self.jwt_token:
+            resp = self._request_http(AppMeshClient.Method.POST, path="/appmesh/self/logoff")
+            self.jwt_token = None
+            return resp.status_code == HTTPStatus.OK
+        return True
 
     def authentication(self, token: str, permission: Optional[str] = None, audience: Optional[str] = None) -> bool:
         """Deprecated: Use authenticate() instead."""
@@ -351,6 +411,12 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             str: The new JWT token if renew success, the old token will be blocked.
         """
+        # Refresh the Keycloak token
+        if self._keycloak_client:
+            self.jwt_token = self._keycloak_client.refresh_tokens()
+            return self.jwt_token
+
+        # Refresh the App Mesh token
         assert self.jwt_token
         resp = self._request_http(
             AppMeshClient.Method.POST,
@@ -934,7 +1000,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
 
         with open(file=local_file, mode="rb") as fp:
             encoder = MultipartEncoder(fields={"filename": os.path.basename(remote_file), "file": ("filename", fp, "application/octet-stream")})
-            header = {"File-Path": remote_file, "Content-Type": encoder.content_type}
+            header = {"File-Path": parse.quote(remote_file), "Content-Type": encoder.content_type}
 
             # Include file attributes (permissions, owner, group) if requested
             if apply_file_attributes:
@@ -1101,6 +1167,10 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             requests.Response: HTTP response
         """
+        # Try to refresh token via Keycloak if using Keycloak and token needs refreshing
+        if self._keycloak_client and self.jwt_token and not self._keycloak_client.validate_token():
+            self.jwt_token = self._keycloak_client.get_active_token()
+
         rest_url = parse.urljoin(self.server_url, path)
 
         header = {} if header is None else header
@@ -1114,16 +1184,16 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         header[self.HTTP_HEADER_KEY_USER_AGENT] = self.HTTP_USER_AGENT
 
         if method is AppMeshClient.Method.GET:
-            return requests.get(url=rest_url, params=query, headers=header, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
+            return self.session.get(url=rest_url, params=query, headers=header, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
         elif method is AppMeshClient.Method.POST:
-            return requests.post(
+            return self.session.post(
                 url=rest_url, params=query, headers=header, data=json.dumps(body) if type(body) in (dict, list) else body, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout
             )
         elif method is AppMeshClient.Method.POST_STREAM:
-            return requests.post(url=rest_url, params=query, headers=header, data=body, cert=self.ssl_client_cert, verify=self.ssl_verify, stream=True, timeout=self.rest_timeout)
+            return self.session.post(url=rest_url, params=query, headers=header, data=body, cert=self.ssl_client_cert, verify=self.ssl_verify, stream=True, timeout=self.rest_timeout)
         elif method is AppMeshClient.Method.DELETE:
-            return requests.delete(url=rest_url, headers=header, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
+            return self.session.delete(url=rest_url, headers=header, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
         elif method is AppMeshClient.Method.PUT:
-            return requests.put(url=rest_url, params=query, headers=header, json=body, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
+            return self.session.put(url=rest_url, params=query, headers=header, json=body, cert=self.ssl_client_cert, verify=self.ssl_verify, timeout=self.rest_timeout)
         else:
             raise Exception("Invalid http method", method)

appmesh/keycloak.py

@@ -0,0 +1,232 @@
+# Keycloak authentication client for App Mesh Python SDK
+
+import base64
+import json
+import time
+from typing import Dict, Optional, Tuple, Any
+import requests
+
+
+class KeycloakClient:
+    """
+    Client for authenticating with Keycloak and obtaining tokens for App Mesh.
+
+    This class handles the OAuth2/OIDC workflow with Keycloak, including:
+    - Direct authentication with username/password
+    - Token refresh
+    - Token validation
+    """
+
+    def __init__(
+        self,
+        server_url: str,
+        realm: str,
+        client_id: str,
+        client_secret: Optional[str] = None,
+        ssl_verify: bool = True,
+        timeout: Tuple[int, int] = (10, 60),
+        token_refresh_threshold: int = 30,
+    ):
+        """Initialize Keycloak client.
+
+        Args:
+            server_url (str): Keycloak server URL (e.g. https://keycloak.example.com/auth)
+            realm (str): Keycloak realm name
+            client_id (str): Client ID registered in Keycloak
+            client_secret (Optional[str], optional): Client secret if using confidential client. Defaults to None.
+            ssl_verify (bool, optional): Verify SSL certificates. Defaults to True.
+            timeout (Tuple[int, int], optional): Connection and read timeouts. Defaults to (10, 60).
+            token_refresh_threshold (int, optional): Seconds before token expiry to trigger refresh. Defaults to 30.
+        """
+        self.server_url = server_url.rstrip("/")
+        self.realm = realm
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.ssl_verify = ssl_verify
+        self.timeout = timeout
+        self.token_refresh_threshold = token_refresh_threshold
+
+        # Token storage
+        self.access_token = None
+        self.refresh_token = None
+        self.token_expires_at = 0
+
+        # Construct the token endpoint URL
+        self.token_endpoint = f"{self.server_url}/realms/{self.realm}/protocol/openid-connect/token"
+        self.userinfo_endpoint = f"{self.server_url}/realms/{self.realm}/protocol/openid-connect/userinfo"
+        
+        # Create a session for connection pooling
+        self.session = requests.Session()
+
+    def authenticate(self, username: str, password: str) -> str:
+        """Authenticate with username and password.
+
+        Args:
+            username (str): Username
+            password (str): Password
+
+        Returns:
+            str: Access token
+
+        Raises:
+            Exception: If authentication fails
+        """
+        data = {
+            "client_id": self.client_id,
+            "grant_type": "password",
+            "username": username,
+            "password": password,
+        }
+
+        if self.client_secret:
+            data["client_secret"] = self.client_secret
+
+        try:
+            response = self.session.post(self.token_endpoint, data=data, verify=self.ssl_verify, timeout=self.timeout)
+
+            if response.status_code != 200:
+                raise Exception(f"Authentication failed: {response.text}")
+
+            token_data = response.json()
+            self._update_token_data(token_data)
+            return self.access_token
+
+        except requests.RequestException as e:
+            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
+
+    def refresh_tokens(self) -> str:
+        """Refresh the access token using the refresh token.
+
+        Returns:
+            str: New access token
+
+        Raises:
+            Exception: If refresh fails
+        """
+        if not self.refresh_token:
+            raise Exception("No refresh token available")
+
+        data = {
+            "client_id": self.client_id,
+            "grant_type": "refresh_token",
+            "refresh_token": self.refresh_token,
+        }
+
+        if self.client_secret:
+            data["client_secret"] = self.client_secret
+
+        try:
+            response = self.session.post(self.token_endpoint, data=data, verify=self.ssl_verify, timeout=self.timeout)
+
+            if response.status_code != 200:
+                raise Exception(f"Token refresh failed: {response.text}")
+
+            token_data = response.json()
+            self._update_token_data(token_data)
+            return self.access_token
+
+        except requests.RequestException as e:
+            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
+
+    def validate_token(self) -> bool:
+        """Check if the current token is valid and not expired.
+
+        Returns:
+            bool: True if valid, False otherwise
+        """
+        if not self.access_token:
+            return False
+
+        # Check if the token is expired based on our local expiry time
+        if time.time() > self.token_expires_at:
+            return False
+
+        return True
+
+    def get_active_token(self) -> str:
+        """Get a valid access token, refreshing if necessary.
+
+        Returns:
+            str: Valid access token
+
+        Raises:
+            Exception: If no valid token can be obtained
+        """
+        if self.validate_token():
+            return self.access_token
+
+        if self.refresh_token:
+            try:
+                return self.refresh_tokens()
+            except Exception:
+                pass
+
+        raise Exception("No valid token available and unable to refresh")
+
+    def get_user_info(self) -> Dict[str, Any]:
+        """Get information about the authenticated user.
+
+        Returns:
+            Dict[str, Any]: User information
+
+        Raises:
+            Exception: If request fails
+        """
+        if not self.access_token:
+            raise Exception("Not authenticated")
+
+        headers = {"Authorization": f"Bearer {self.access_token}"}
+
+        try:
+            response = self.session.get(self.userinfo_endpoint, headers=headers, verify=self.ssl_verify, timeout=self.timeout)
+
+            if response.status_code != 200:
+                raise Exception(f"Failed to get user info: {response.text}")
+
+            return response.json()
+
+        except requests.RequestException as e:
+            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
+
+    def _update_token_data(self, token_data: Dict[str, Any]) -> None:
+        """Update the stored token data.
+
+        Args:
+            token_data (Dict[str, Any]): Token data from Keycloak
+        """
+        self.access_token = token_data["access_token"]
+        self.refresh_token = token_data.get("refresh_token")
+
+        # Calculate token expiration time with configurable buffer
+        expires_in = token_data.get("expires_in", 300)
+        self.token_expires_at = time.time() + expires_in - self.token_refresh_threshold
+
+    def close(self) -> None:
+        """Close the session and release resources."""
+        if hasattr(self, 'session'):
+            self.session.close()
+
+    @staticmethod
+    def decode_token(token: str) -> Dict[str, Any]:
+        """Decode a JWT token without verification.
+
+        Args:
+            token (str): JWT token
+
+        Returns:
+            Dict[str, Any]: Decoded token payload
+        """
+        parts = token.split(".")
+        if len(parts) != 3:
+            raise Exception("Invalid token format")
+
+        # Decode the payload (second part)
+        payload = parts[1]
+        # Add padding if necessary
+        payload += "=" * (4 - len(payload) % 4) if len(payload) % 4 else ""
+
+        try:
+            decoded = base64.b64decode(payload)
+            return json.loads(decoded)
+        except Exception as e:
+            raise Exception(f"Failed to decode token: {str(e)}")

{appmesh-1.4.5.dist-info → appmesh-1.4.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: appmesh
-Version: 1.4.5
+Version: 1.4.7
 Summary: Client SDK for App Mesh
 Home-page: https://github.com/laoshanxi/app-mesh
 Author: laoshanxi
@@ -28,13 +28,14 @@ Dynamic: requires-dist
 Dynamic: requires-python
 Dynamic: summary
 
-[![language.badge]][language.url] [![standard.badge]][standard.url] [![release.badge]][release.url] [![pypi.badge]][pypi.url] [![unittest.badge]][unittest.url] [![docker.badge]][docker.url] [![cockpit.badge]][cockpit.url]
+[![language.badge]][language.url] [![standard.badge]][standard.url] [![unittest.badge]][unittest.url] [![docker.badge]][docker.url] [![cockpit.badge]][cockpit.url]
 [![Documentation Status](https://readthedocs.org/projects/app-mesh/badge/?version=latest)](https://app-mesh.readthedocs.io/en/latest/?badge=latest) [![Join the chat at https://gitter.im/app-mesh/community](https://badges.gitter.im/app-mesh/community.svg)](https://gitter.im/app-mesh/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 <a href="https://scan.coverity.com/projects/laoshanxi-app-mesh">
   <img alt="Coverity Scan Build Status"
        src="https://img.shields.io/coverity/scan/21528.svg"/>
 </a>
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/laoshanxi/app-mesh/badge)](https://api.securityscorecards.dev/projects/github.com/laoshanxi/app-mesh)
+[![release.badge]][release.url] [![pypi.badge]][pypi.url] [![npm.badge]][npm.url]
 
 # App Mesh: Advanced Application Management Platform
 
@@ -148,7 +149,7 @@ Refer to the [Installation doc](https://app-mesh.readthedocs.io/en/latest/Instal
 [standard.url]:   https://en.wikipedia.org/wiki/C%2B%2B#Standardization
 [standard.badge]: https://img.shields.io/badge/C%2B%2B-11%2F14%2F17-blue.svg
 [release.url]:    https://github.com/laoshanxi/app-mesh/releases
-[release.badge]:  https://img.shields.io/github/v/release/laoshanxi/app-mesh.svg
+[release.badge]:  https://img.shields.io/github/v/release/laoshanxi/app-mesh?label=Github%20package
 [docker.url]:     https://hub.docker.com/repository/docker/laoshanxi/appmesh
 [docker.badge]:   https://img.shields.io/docker/pulls/laoshanxi/appmesh.svg
 [cockpit.url]:    https://github.com/laoshanxi/app-mesh-ui
@@ -157,3 +158,5 @@ Refer to the [Installation doc](https://app-mesh.readthedocs.io/en/latest/Instal
 [unittest.badge]: https://img.shields.io/badge/UnitTest-Catch2-blue?logo=appveyor
 [pypi.badge]: https://img.shields.io/pypi/v/appmesh?label=PyPI%3Aappmesh
 [pypi.url]: https://pypi.org/project/appmesh/
+[npm.badge]: https://img.shields.io/npm/v/appmesh?label=npm%3Aappmesh
+[npm.url]: https://www.npmjs.com/package/appmesh

{appmesh-1.4.5.dist-info → appmesh-1.4.7.dist-info}/RECORD

@@ -3,11 +3,12 @@ appmesh/app.py,sha256=9Q-SOOej-MH13BU5Dv2iTa-p-sECCJQp6ZX9DjWWmwE,10526
 appmesh/app_output.py,sha256=JK_TMKgjvaw4n_ys_vmN5S4MyWVZpmD7NlKz_UyMIM8,1015
 appmesh/app_run.py,sha256=9ISKGZ3k3kkbQvSsPfRfkOLqD9xhbqNOM7ork9F4w9c,1712
 appmesh/appmesh_client.py,sha256=0ltkqHZUq094gKneYmC0bEZCP0X9kHTp9fccKdWFWP0,339
-appmesh/http_client.py,sha256=dsQfcjC3U429yDJHhP5SFsoySTDbyRM3rToxi7ooGJA,44363
+appmesh/http_client.py,sha256=dtrZryrkJ-dmT_NQE5v0fZPE00-PCD9VB9xL1Wu8ORI,47403
+appmesh/keycloak.py,sha256=siyifDaH3EASIti8s0DzxBo477m8eCRmzKwK6dqGRDY,7497
 appmesh/tcp_client.py,sha256=RkHl5s8jE333BJOgxJqJ_fvjbdRQza7ciV49vLT6YO4,10923
 appmesh/tcp_messages.py,sha256=w1Kehz_aX4X2CYAUsy9mFVJRhxnLQwwc6L58W4YkQqs,969
 appmesh/tcp_transport.py,sha256=UMGby2oKV4k7lyXZUMSOe2Je34fb1w7nTkxEpatKLKg,7256
-appmesh-1.4.5.dist-info/METADATA,sha256=ozlyIACS7JpSX1Va_RS6tE1WY3h1AR0xqAen1R1Bu08,11501
-appmesh-1.4.5.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-appmesh-1.4.5.dist-info/top_level.txt,sha256=-y0MNQOGJxUzLdHZ6E_Rfv5_LNCkV-GTmOBME_b6pg8,8
-appmesh-1.4.5.dist-info/RECORD,,
+appmesh-1.4.7.dist-info/METADATA,sha256=Tinrv6mkVtpVQi-ZZm_rTpCWLu-NoTEUvL-dBAQVaZg,11663
+appmesh-1.4.7.dist-info/WHEEL,sha256=jB7zZ3N9hIM9adW7qlTAyycLYW9npaWKLRzaoVcLKcM,91
+appmesh-1.4.7.dist-info/top_level.txt,sha256=-y0MNQOGJxUzLdHZ6E_Rfv5_LNCkV-GTmOBME_b6pg8,8
+appmesh-1.4.7.dist-info/RECORD,,

{appmesh-1.4.5.dist-info → appmesh-1.4.7.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.8.0)
+Generator: setuptools (75.8.2)
 Root-Is-Purelib: true
 Tag: py3-none-any