appmesh 1.4.8__py3-none-any.whl → 1.5.1__py3-none-any.whl

appmesh/http_client.py

@@ -3,14 +3,18 @@
 import abc
 import base64
 import json
+import logging
 import os
 from datetime import datetime
 from enum import Enum, unique
 from http import HTTPStatus
+import threading
 from typing import Optional, Tuple, Union
 from urllib import parse
 import aniso8601
+import jwt
 import requests
+import time
 from .app import App
 from .app_run import AppRun
 from .app_output import AppOutput
@@ -102,6 +106,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
     DURATION_ONE_WEEK_ISO = "P1W"
     DURATION_TWO_DAYS_ISO = "P2D"
     DURATION_TWO_DAYS_HALF_ISO = "P2DT12H"
+    TOKEN_REFRESH_INTERVAL = 60
 
     DEFAULT_SSL_CA_CERT_PATH = "/opt/appmesh/ssl/ca.pem"
     DEFAULT_SSL_CLIENT_CERT_PATH = "/opt/appmesh/ssl/client.pem"
@@ -113,6 +118,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
     HTTP_USER_AGENT = "appmesh/python"
     HTTP_HEADER_KEY_USER_AGENT = "User-Agent"
     HTTP_HEADER_KEY_X_TARGET_HOST = "X-Target-Host"
+    HTTP_HEADER_KEY_X_FILE_PATH = "X-File-Path"
 
     @unique
     class Method(Enum):
@@ -131,7 +137,8 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         rest_ssl_client_cert=(DEFAULT_SSL_CLIENT_CERT_PATH, DEFAULT_SSL_CLIENT_KEY_PATH) if os.path.exists(DEFAULT_SSL_CLIENT_CERT_PATH) else None,
         rest_timeout=(60, 300),
         jwt_token=None,
-        oauth2_config=None,
+        oauth2=None,
+        auto_refresh_token=False,
     ):
         """Initialize an App Mesh HTTP client for interacting with the App Mesh server via secure HTTPS.
 
@@ -154,12 +161,18 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             jwt_token (str, optional): JWT token for API authentication, used in headers to authorize requests where required.
 
             oauth2 (Dict[str, Any], optional): Keycloak configuration for oauth2 authentication:
-                - auth_server_url: Keycloak server URL (e.g. "https://keycloak.example.com")
+                - server_url: Keycloak server URL (e.g. "https://keycloak.example.com/auth/")
                 - realm: Keycloak realm
                 - client_id: Keycloak client ID
                 - client_secret: Keycloak client secret (optional)
-        """
+                Using this parameter enables Keycloak integration for authentication. The 'python-keycloak' package
+                will be imported on-demand only when this parameter is, make sure package is installed (pip3 install python-keycloak).
 
+            auto_refresh_token (bool, optional): Enable automatic token refresh before expiration.
+                When enabled, a background timer will monitor token expiration and attempt to refresh
+                the token before it expires. This works with both native App Mesh tokens and Keycloak tokens.
+        """
+        self._ensure_logging_configured()
         self.session = requests.Session()
         self.auth_server_url = rest_url
         self._jwt_token = jwt_token
@@ -169,27 +182,131 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         self._forward_to = None
 
         # Keycloak integration
-        self._keycloak_client = None
-        if oauth2_config:
-            from .keycloak import KeycloakClient  # lazy import
-
-            self._keycloak_client = KeycloakClient(
-                auth_server_url=oauth2_config.get("auth_server_url"),
-                realm=oauth2_config.get("realm"),
-                client_id=oauth2_config.get("client_id"),
-                client_secret=oauth2_config.get("client_secret"),
-                ssl_verify=oauth2_config.get("ssl_verify", self.ssl_verify),
-                timeout=oauth2_config.get("timeout", (30, 60)),
-            )
+        self._keycloak_openid = None
+        if oauth2:
+            try:
+                from keycloak import KeycloakOpenID
+
+                self._keycloak_openid = KeycloakOpenID(
+                    server_url=oauth2.get("auth_server_url"),
+                    client_id=oauth2.get("client_id"),
+                    realm_name=oauth2.get("realm"),
+                    client_secret_key=oauth2.get("client_secret"),
+                    verify=self.ssl_verify,
+                    timeout=rest_timeout,
+                )
+            except ImportError:
+                logging.error("Keycloak package not installed. Install with: pip install python-keycloak")
+                raise Exception("Keycloak integration requested but python-keycloak package is not installed")
+
+        # Token auto-refresh
+        self._token_refresh_timer = None
+        self._auto_refresh_token = auto_refresh_token
+        if auto_refresh_token and jwt_token:
+            self._schedule_token_refresh()
+
+    @staticmethod
+    def _ensure_logging_configured():
+        """Ensure logging is configured. If no handlers are configured, add a default console handler."""
+        if not logging.root.handlers:
+            logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(name)s - %(levelname)s - %(message)s", datefmt="%Y-%m-%d %H:%M:%S")
+
+    def _check_and_refresh_token(self):
+        """Check and refresh token if needed, then schedule next check.
+
+        This method is triggered by the refresh timer and will:
+        1. Check if token needs refresh based on expiration time
+        2. Refresh the token if needed
+        3. Schedule the next refresh check
+        """
+        if not self.jwt_token:
+            return
+
+        # Check if token needs refresh
+        needs_refresh = True
+        time_to_expiry = float("inf")
+
+        # Check token expiration directly from JWT
+        try:
+            decoded_token = jwt.decode(self.jwt_token if isinstance(self.jwt_token, str) else self.jwt_token.get("access_token", ""), options={"verify_signature": False})
+            expiry = decoded_token.get("exp", 0)
+            current_time = time.time()
+            time_to_expiry = expiry - current_time
+            # Refresh if token expires within 5 minutes
+            needs_refresh = time_to_expiry < 300
+        except Exception as e:
+            logging.debug("Failed to parse JWT token for expiration check: %s", str(e))
+
+        # Refresh token if needed
+        if needs_refresh:
+            try:
+                self.renew_token()
+                logging.info("Token successfully refreshed")
+            except Exception as e:
+                logging.error("Token refresh failed: %s", str(e))
+
+        # Schedule next check if auto-refresh is still enabled
+        if self._auto_refresh_token and self.jwt_token:
+            self._schedule_token_refresh(time_to_expiry)
+
+    def _schedule_token_refresh(self, time_to_expiry=None):
+        """Schedule next token refresh check.
+
+        Args:
+            time_to_expiry (float, optional): Time in seconds until token expiration.
+                When provided, helps calculate optimal refresh timing.
+
+        Calculates appropriate check interval:
+        - If token expires soon (within 5 minutes), refresh immediately
+        - Otherwise schedule refresh for the earlier of:
+          1. 5 minutes before expiration
+          2. 60 seconds from now
+        """
+        # Cancel existing timer if any
+        if self._token_refresh_timer:
+            self._token_refresh_timer.cancel()
+            self._token_refresh_timer = None
+
+        try:
+            # Default to checking after 60 seconds
+            check_interval = self.TOKEN_REFRESH_INTERVAL
+
+            # Calculate more precise check time if expiry is known
+            if time_to_expiry is not None:
+                if time_to_expiry <= 300:  # Expires within 5 minutes
+                    check_interval = 1  # Almost immediate refresh
+                else:
+                    # Check at earlier of 5 minutes before expiry or regular interval
+                    check_interval = min(time_to_expiry - 300, self.TOKEN_REFRESH_INTERVAL)
+
+            # Create timer to execute refresh check
+            self._token_refresh_timer = threading.Timer(check_interval, self._check_and_refresh_token)
+            self._token_refresh_timer.daemon = True
+            self._token_refresh_timer.start()
+            logging.debug("Auto-refresh: Next token check scheduled in %.1f seconds", check_interval)
+        except Exception as e:
+            logging.error("Auto-refresh: Failed to schedule token refresh: %s", str(e))
 
     def close(self):
         """Close the session and release resources."""
+        # Cancel token refresh timer
+        if hasattr(self, "_token_refresh_timer") and self._token_refresh_timer:
+            self._token_refresh_timer.cancel()
+            self._token_refresh_timer = None
+
+        # Close the session
         if hasattr(self, "session") and self.session:
             self.session.close()
             self.session = None
-        if self._keycloak_client and hasattr(self._keycloak_client, "close"):
-            self._keycloak_client.close()
-            self._keycloak_client = None
+
+        # Logout from Keycloak if needed
+        if hasattr(self, "_keycloak_openid") and self._keycloak_openid and hasattr(self, "_jwt_token") and self._jwt_token and isinstance(self._jwt_token, dict) and "refresh_token" in self._jwt_token:
+            try:
+                self._keycloak_openid.logout(self._jwt_token.get("refresh_token"))
+            except Exception as e:
+                logging.warning("Failed to logout from Keycloak: %s", str(e))
+            finally:
+                self._keycloak_openid = None
 
     def __enter__(self):
         """Support for context manager protocol."""
@@ -312,8 +429,17 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             str: JWT token.
         """
         # Keycloak authentication if configured
-        if self._keycloak_client:
-            self.jwt_token = self._keycloak_client.authenticate(user_name, user_pwd)
+        if self._keycloak_openid:
+            self.jwt_token = self._keycloak_openid.token(
+                username=user_name,
+                password=user_pwd,
+                totp=totp_code if totp_code else None,
+                grant_type="password",  # grant type for token request: "password" / "client_credentials" / "refresh_token"
+                scope="openid",  # what information to include in the token, such as "openid profile email"
+            )
+
+            if self._auto_refresh_token:
+                self._schedule_token_refresh()
             return self.jwt_token
 
         # Standard App Mesh authentication
@@ -323,18 +449,22 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             path="/appmesh/login",
             header={
                 "Authorization": "Basic " + base64.b64encode((user_name + ":" + user_pwd).encode()).decode(),
-                "Expire-Seconds": self._parse_duration(timeout_seconds),
-                **({"Audience": audience} if audience else {}),
+                "X-Expire-Seconds": str(self._parse_duration(timeout_seconds)),
+                **({"X-Audience": audience} if audience else {}),
+                # **({"X-Totp-Code": totp_code} if totp_code else {}),
             },
         )
         if resp.status_code == HTTPStatus.OK:
-            if "Access-Token" in resp.json():
-                self.jwt_token = resp.json()["Access-Token"]
-        elif resp.status_code == HTTPStatus.PRECONDITION_REQUIRED and "Totp-Challenge" in resp.json():
-            challenge = resp.json()["Totp-Challenge"]
+            if "access_token" in resp.json():
+                self.jwt_token = resp.json()["access_token"]
+        elif resp.status_code == HTTPStatus.PRECONDITION_REQUIRED and "totp_challenge" in resp.json():
+            challenge = resp.json()["totp_challenge"]
             self.validate_totp(user_name, challenge, totp_code, timeout_seconds)
         else:
             raise Exception(resp.text)
+
+        if self._auto_refresh_token:
+            self._schedule_token_refresh()
         return self.jwt_token
 
     def validate_totp(self, username: str, challenge: str, code: str, timeout: Union[int, str] = DURATION_ONE_WEEK_ISO) -> str:
@@ -357,17 +487,16 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         resp = self._request_http(
             AppMeshClient.Method.POST,
             path="/appmesh/totp/validate",
-            header={
-                "Username": base64.b64encode(username.encode()).decode(),
-                "Totp": code,
-                "Totp-Challenge": base64.b64encode(challenge.encode()).decode(),
-                "Expire-Seconds": self._parse_duration(timeout),
+            body={
+                "user_name": username,
+                "totp_code": code,
+                "totp_challenge": challenge,
+                "expire_seconds": self._parse_duration(timeout),
             },
         )
-        if resp.status_code == HTTPStatus.OK:
-            if "Access-Token" in resp.json():
-                self.jwt_token = resp.json()["Access-Token"]
-                return self.jwt_token
+        if resp.status_code == HTTPStatus.OK and "access_token" in resp.json():
+            self.jwt_token = resp.json()["access_token"]
+            return self.jwt_token
         raise Exception(resp.text)
 
     def logoff(self) -> bool:
@@ -376,15 +505,30 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             bool: logoff success or failure.
         """
-        if self.jwt_token:
+        result = False
+        # Handle Keycloak logout if configured
+        if self._keycloak_openid and self.jwt_token and isinstance(self.jwt_token, dict) and "refresh_token" in self.jwt_token:
+            refresh_token = self.jwt_token.get("refresh_token")
+            self._keycloak_openid.logout(refresh_token)
+            self.jwt_token = None
+            result = True
+
+        # Standard App Mesh logout
+        if self.jwt_token and isinstance(self.jwt_token, str):
             resp = self._request_http(AppMeshClient.Method.POST, path="/appmesh/self/logoff")
             self.jwt_token = None
-            return resp.status_code == HTTPStatus.OK
-        return True
+            result = resp.status_code == HTTPStatus.OK
+
+        # Cancel token refresh timer
+        if self._token_refresh_timer:
+            self._token_refresh_timer.cancel()
+            self._token_refresh_timer = None
+
+        return result
 
     def authentication(self, token: str, permission: Optional[str] = None, audience: Optional[str] = None) -> bool:
         """Deprecated: Use authenticate() instead."""
-        return self.authenticate(token, permission)
+        return self.authenticate(token, permission, audience)
 
     def authenticate(self, token: str, permission: Optional[str] = None, audience: Optional[str] = None) -> bool:
         """Authenticate with a token and verify permission if specified.
@@ -403,8 +547,8 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         old_token = self.jwt_token
         self.jwt_token = token
         headers = {
-            **({"Audience": audience} if audience else {}),
-            **({"Auth-Permission": permission} if permission else {}),
+            **({"X-Audience": audience} if audience else {}),
+            **({"X-Permission": permission} if permission else {}),
         }
         resp = self._request_http(AppMeshClient.Method.POST, path="/appmesh/auth", header=headers)
         if resp.status_code != HTTPStatus.OK:
@@ -419,27 +563,44 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             timeout_seconds (int | str, optional): token expire timeout of seconds. support ISO 8601 durations (e.g., 'P1Y2M3DT4H5M6S' 'P1W').
 
         Returns:
-            str: The new JWT token if renew success, the old token will be blocked.
+            str: The new JWT token. The old token will be invalidated.
+
+        Raises:
+            Exception: If token renewal fails or no token exists to renew
         """
-        # Refresh the Keycloak token
-        if self._keycloak_client:
-            self.jwt_token = self._keycloak_client.refresh_tokens()
+        # Ensure token exists
+        if not self.jwt_token:
+            raise Exception("No token to renew")
+
+        try:
+            # Handle Keycloak token (dictionary format)
+            if self._keycloak_openid and isinstance(self.jwt_token, dict) and "refresh_token" in self.jwt_token:
+                new_token = self._keycloak_openid.refresh_token(self.jwt_token.get("refresh_token"))
+                self.jwt_token = new_token
+
+            # Handle App Mesh token (string format)
+            elif isinstance(self.jwt_token, str):
+                resp = self._request_http(
+                    AppMeshClient.Method.POST,
+                    path="/appmesh/token/renew",
+                    header={"X-Expire-Seconds": str(self._parse_duration(timeout))},
+                )
+                if resp.status_code == HTTPStatus.OK:
+                    if "access_token" in resp.json():
+                        new_token = resp.json()["access_token"]
+                        self.jwt_token = new_token
+                    else:
+                        raise Exception("Token renewal response missing access_token")
+                else:
+                    raise Exception(resp.text)
+            else:
+                raise Exception("Unsupported token format")
+
             return self.jwt_token
 
-        # Refresh the App Mesh token
-        assert self.jwt_token
-        resp = self._request_http(
-            AppMeshClient.Method.POST,
-            path="/appmesh/token/renew",
-            header={
-                "Expire-Seconds": self._parse_duration(timeout),
-            },
-        )
-        if resp.status_code == HTTPStatus.OK:
-            if "Access-Token" in resp.json():
-                self.jwt_token = resp.json()["Access-Token"]
-                return self.jwt_token
-        raise Exception(resp.text)
+        except Exception as e:
+            logging.error("Token renewal failed: %s", str(e))
+            raise Exception(f"Token renewal failed: {str(e)}") from e
 
     def get_totp_secret(self) -> str:
         """Generate TOTP secret for the current user and return MFA URI.
@@ -449,7 +610,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         """
         resp = self._request_http(method=AppMeshClient.Method.POST, path="/appmesh/totp/secret")
         if resp.status_code == HTTPStatus.OK:
-            totp_uri = base64.b64decode(resp.json()["Mfa-Uri"]).decode()
+            totp_uri = base64.b64decode(resp.json()["mfa_uri"]).decode()
             return self._parse_totp_uri(totp_uri).get("secret")
         raise Exception(resp.text)
 
@@ -465,11 +626,11 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         resp = self._request_http(
             method=AppMeshClient.Method.POST,
             path="/appmesh/totp/setup",
-            header={"Totp": totp_code},
+            header={"X-Totp-Code": totp_code},
         )
         if resp.status_code == HTTPStatus.OK:
-            if "Access-Token" in resp.json():
-                self.jwt_token = resp.json()["Access-Token"]
+            if "access_token" in resp.json():
+                self.jwt_token = resp.json()["access_token"]
                 return self.jwt_token
         else:
             raise Exception(resp.text)
@@ -576,8 +737,8 @@ class AppMeshClient(metaclass=abc.ABCMeta):
                 "timeout": str(timeout),
             },
         )
-        out_position = int(resp.headers["Output-Position"]) if "Output-Position" in resp.headers else None
-        exit_code = int(resp.headers["Exit-Code"]) if "Exit-Code" in resp.headers else None
+        out_position = int(resp.headers["X-Output-Position"]) if "X-Output-Position" in resp.headers else None
+        exit_code = int(resp.headers["X-Exit-Code"]) if "X-Exit-Code" in resp.headers else None
         return AppOutput(status_code=resp.status_code, output=resp.text, out_position=out_position, exit_code=exit_code)
 
     def check_app_health(self, app_name: str) -> bool:
@@ -728,7 +889,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         resp = self._request_http(
             method=AppMeshClient.Method.POST,
             path=f"/appmesh/user/{user_name}/passwd",
-            header={"New-Password": base64.b64encode(new_password.encode())},
+            body={"new_password": base64.b64encode(new_password.encode()).decode()},
         )
         if resp.status_code != HTTPStatus.OK:
             raise Exception(resp.text)
@@ -817,6 +978,9 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             dict: user definition.
         """
+        if self._keycloak_openid and isinstance(self.jwt_token, dict) and "access_token" in self.jwt_token:
+            return self._keycloak_openid.userinfo(self.jwt_token.get("access_token"))
+
         resp = self._request_http(method=AppMeshClient.Method.GET, path="/appmesh/user/self")
         if resp.status_code != HTTPStatus.OK:
             raise Exception(resp.text)
@@ -970,7 +1134,7 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             local_file (str): the local file path to be downloaded.
             apply_file_attributes (bool): whether to apply file attributes (permissions, owner, group) to the local file.
         """
-        resp = self._request_http(AppMeshClient.Method.GET, path="/appmesh/file/download", header={"File-Path": remote_file})
+        resp = self._request_http(AppMeshClient.Method.GET, path="/appmesh/file/download", header={self.HTTP_HEADER_KEY_X_FILE_PATH: remote_file})
         resp.raise_for_status()
 
         # Write the file content locally
@@ -981,15 +1145,15 @@ class AppMeshClient(metaclass=abc.ABCMeta):
 
         # Apply file attributes (permissions, owner, group) if requested
         if apply_file_attributes:
-            if "File-Mode" in resp.headers:
-                os.chmod(path=local_file, mode=int(resp.headers["File-Mode"]))
-            if "File-User" in resp.headers and "File-Group" in resp.headers:
-                file_uid = int(resp.headers["File-User"])
-                file_gid = int(resp.headers["File-Group"])
+            if "X-File-Mode" in resp.headers:
+                os.chmod(path=local_file, mode=int(resp.headers["X-File-Mode"]))
+            if "X-File-User" in resp.headers and "X-File-Group" in resp.headers:
+                file_uid = int(resp.headers["X-File-User"])
+                file_gid = int(resp.headers["X-File-Group"])
                 try:
                     os.chown(path=local_file, uid=file_uid, gid=file_gid)
                 except PermissionError:
-                    print(f"Warning: Unable to change owner/group of {local_file}. Operation requires elevated privileges.")
+                    logging.warning(f"Warning: Unable to change owner/group of {local_file}. Operation requires elevated privileges.")
 
     def upload_file(self, local_file: str, remote_file: str, apply_file_attributes: bool = True) -> None:
         """Upload a local file to the remote server. Optionally, the remote file will have the same permission as the local file.
@@ -1010,14 +1174,14 @@ class AppMeshClient(metaclass=abc.ABCMeta):
 
         with open(file=local_file, mode="rb") as fp:
             encoder = MultipartEncoder(fields={"filename": os.path.basename(remote_file), "file": ("filename", fp, "application/octet-stream")})
-            header = {"File-Path": parse.quote(remote_file), "Content-Type": encoder.content_type}
+            header = {self.HTTP_HEADER_KEY_X_FILE_PATH: parse.quote(remote_file), "Content-Type": encoder.content_type}
 
             # Include file attributes (permissions, owner, group) if requested
             if apply_file_attributes:
                 file_stat = os.stat(local_file)
-                header["File-Mode"] = str(file_stat.st_mode & 0o777)  # Mask to keep only permission bits
-                header["File-User"] = str(file_stat.st_uid)
-                header["File-Group"] = str(file_stat.st_gid)
+                header["X-File-Mode"] = str(file_stat.st_mode & 0o777)  # Mask to keep only permission bits
+                header["X-File-User"] = str(file_stat.st_uid)
+                header["X-File-Group"] = str(file_stat.st_gid)
 
             # Upload file with or without attributes
             # https://stackoverflow.com/questions/22567306/python-requests-file-upload
@@ -1032,11 +1196,11 @@ class AppMeshClient(metaclass=abc.ABCMeta):
     ########################################
     # Application run
     ########################################
-    def _parse_duration(self, timeout) -> str:
+    def _parse_duration(self, timeout) -> int:
         if isinstance(timeout, int):
-            return str(timeout)
+            return timeout
         elif isinstance(timeout, str):
-            return str(int(aniso8601.parse_duration(timeout).total_seconds()))
+            return int(aniso8601.parse_duration(timeout).total_seconds())
         else:
             raise TypeError(f"Invalid timeout type: {str(timeout)}")
 
@@ -1072,8 +1236,8 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             body=app.json(),
             path=path,
             query={
-                "timeout": self._parse_duration(max_time_seconds),
-                "lifecycle": self._parse_duration(life_cycle_seconds),
+                "timeout": str(self._parse_duration(max_time_seconds)),
+                "lifecycle": str(self._parse_duration(life_cycle_seconds)),
             },
         )
         if resp.status_code != HTTPStatus.OK:
@@ -1152,16 +1316,16 @@ class AppMeshClient(metaclass=abc.ABCMeta):
             body=app.json(),
             path=path,
             query={
-                "timeout": self._parse_duration(max_time_seconds),
-                "lifecycle": self._parse_duration(life_cycle_seconds),
+                "timeout": str(self._parse_duration(max_time_seconds)),
+                "lifecycle": str(self._parse_duration(life_cycle_seconds)),
             },
         )
         exit_code = None
         if resp.status_code == HTTPStatus.OK:
             if stdout_print:
                 print(resp.text, end="")
-            if "Exit-Code" in resp.headers:
-                exit_code = int(resp.headers.get("Exit-Code"))
+            if "X-Exit-Code" in resp.headers:
+                exit_code = int(resp.headers.get("X-Exit-Code"))
         elif stdout_print:
             print(resp.text)
 
@@ -1180,18 +1344,12 @@ class AppMeshClient(metaclass=abc.ABCMeta):
         Returns:
             requests.Response: HTTP response
         """
-        # Try to refresh token via Keycloak if using Keycloak and token needs refreshing
-        if self._keycloak_client and self.jwt_token and not self._keycloak_client.validate_token():
-            try:
-                self.jwt_token = self._keycloak_client.get_active_token()
-            except Exception as e:
-                print(f"Token refresh failed: {str(e)}")
-
         rest_url = parse.urljoin(self.auth_server_url, path)
 
         header = {} if header is None else header
         if self.jwt_token:
-            header["Authorization"] = "Bearer " + self.jwt_token
+            token = self.jwt_token["access_token"] if isinstance(self.jwt_token, dict) and "access_token" in self.jwt_token else self.jwt_token
+            header["Authorization"] = "Bearer " + token
         if self.forward_to and len(self.forward_to) > 0:
             if ":" in self.forward_to:
                 header[self.HTTP_HEADER_KEY_X_TARGET_HOST] = self.forward_to

appmesh/tcp_client.py

@@ -153,7 +153,7 @@ class AppMeshClientTCP(AppMeshClient):
             local_file (str): the local file path to be downloaded.
             apply_file_attributes (bool): whether to apply file attributes (permissions, owner, group) to the local file.
         """
-        header = {"File-Path": remote_file}
+        header = {AppMeshClient.HTTP_HEADER_KEY_X_FILE_PATH: remote_file}
         header[self.HTTP_HEADER_KEY_X_RECV_FILE_SOCKET] = "true"
         resp = self._request_http(AppMeshClient.Method.GET, path="/appmesh/file/download", header=header)
 
@@ -169,11 +169,11 @@ class AppMeshClientTCP(AppMeshClient):
                 fp.write(chunk_data)
 
         if apply_file_attributes:
-            if "File-Mode" in resp.headers:
-                os.chmod(path=local_file, mode=int(resp.headers["File-Mode"]))
-            if "File-User" in resp.headers and "File-Group" in resp.headers:
-                file_uid = int(resp.headers["File-User"])
-                file_gid = int(resp.headers["File-Group"])
+            if "X-File-Mode" in resp.headers:
+                os.chmod(path=local_file, mode=int(resp.headers["X-File-Mode"]))
+            if "X-File-User" in resp.headers and "X-File-Group" in resp.headers:
+                file_uid = int(resp.headers["X-File-User"])
+                file_gid = int(resp.headers["X-File-Group"])
                 try:
                     os.chown(path=local_file, uid=file_uid, gid=file_gid)
                 except PermissionError:
@@ -195,14 +195,14 @@ class AppMeshClientTCP(AppMeshClient):
             raise FileNotFoundError(f"Local file not found: {local_file}")
 
         with open(file=local_file, mode="rb") as fp:
-            header = {"File-Path": remote_file, "Content-Type": "text/plain"}
+            header = {AppMeshClient.HTTP_HEADER_KEY_X_FILE_PATH: remote_file, "Content-Type": "text/plain"}
             header[self.HTTP_HEADER_KEY_X_SEND_FILE_SOCKET] = "true"
 
             if apply_file_attributes:
                 file_stat = os.stat(local_file)
-                header["File-Mode"] = str(file_stat.st_mode & 0o777)  # Mask to keep only permission bits
-                header["File-User"] = str(file_stat.st_uid)
-                header["File-Group"] = str(file_stat.st_gid)
+                header["X-File-Mode"] = str(file_stat.st_mode & 0o777)  # Mask to keep only permission bits
+                header["X-File-User"] = str(file_stat.st_uid)
+                header["X-File-Group"] = str(file_stat.st_gid)
 
             resp = self._request_http(AppMeshClient.Method.POST, path="/appmesh/file/upload", header=header)
 

{appmesh-1.4.8.dist-info → appmesh-1.5.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: appmesh
-Version: 1.4.8
+Version: 1.5.1
 Summary: Client SDK for App Mesh
 Home-page: https://github.com/laoshanxi/app-mesh
 Author: laoshanxi

{appmesh-1.4.8.dist-info → appmesh-1.5.1.dist-info}/RECORD

@@ -3,12 +3,11 @@ appmesh/app.py,sha256=9Q-SOOej-MH13BU5Dv2iTa-p-sECCJQp6ZX9DjWWmwE,10526
 appmesh/app_output.py,sha256=JK_TMKgjvaw4n_ys_vmN5S4MyWVZpmD7NlKz_UyMIM8,1015
 appmesh/app_run.py,sha256=9ISKGZ3k3kkbQvSsPfRfkOLqD9xhbqNOM7ork9F4w9c,1712
 appmesh/appmesh_client.py,sha256=0ltkqHZUq094gKneYmC0bEZCP0X9kHTp9fccKdWFWP0,339
-appmesh/http_client.py,sha256=S90Ldndx3wfUYE2Ln31fnKKBNXbDROQd3FAzFTEdZtA,48314
-appmesh/keycloak.py,sha256=BJZ35FPO0C2wDeDhCcd6cE4ba9BF4UZ-4o5QelmbGHg,8036
-appmesh/tcp_client.py,sha256=RkHl5s8jE333BJOgxJqJ_fvjbdRQza7ciV49vLT6YO4,10923
+appmesh/http_client.py,sha256=BMnzxZE2N-P3tLGkf0LKrqCJRWCPYciw-gXj5z_YTbE,55783
+appmesh/tcp_client.py,sha256=Id1aIKVWncTSZiKRVa4sgwo1tFX2wRqOLiTnI9-dNkE,11001
 appmesh/tcp_messages.py,sha256=w1Kehz_aX4X2CYAUsy9mFVJRhxnLQwwc6L58W4YkQqs,969
 appmesh/tcp_transport.py,sha256=-XDTQbsKL3yCbguHeW2jNqXpYgnCyHsH4rwcaJ46AS8,8645
-appmesh-1.4.8.dist-info/METADATA,sha256=_Lmle-Icw-PkTf5yUvx3wHgaH0usfqAcVD2eePzjYS8,11663
-appmesh-1.4.8.dist-info/WHEEL,sha256=52BFRY2Up02UkjOa29eZOS2VxUrpPORXg1pkohGGUS8,91
-appmesh-1.4.8.dist-info/top_level.txt,sha256=-y0MNQOGJxUzLdHZ6E_Rfv5_LNCkV-GTmOBME_b6pg8,8
-appmesh-1.4.8.dist-info/RECORD,,
+appmesh-1.5.1.dist-info/METADATA,sha256=86gy_IbptvkM4JXYK0zBX-soylSlBA8ggkx6hoIiJZA,11663
+appmesh-1.5.1.dist-info/WHEEL,sha256=pxyMxgL8-pra_rKaQ4drOZAegBVuX-G_4nRHjjgWbmo,91
+appmesh-1.5.1.dist-info/top_level.txt,sha256=-y0MNQOGJxUzLdHZ6E_Rfv5_LNCkV-GTmOBME_b6pg8,8
+appmesh-1.5.1.dist-info/RECORD,,

{appmesh-1.4.8.dist-info → appmesh-1.5.1.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (76.0.0)
+Generator: setuptools (79.0.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

appmesh/keycloak.py

@@ -1,248 +0,0 @@
-# Keycloak authentication client for App Mesh Python SDK
-
-import base64
-import json
-import time
-from typing import Dict, Optional, Tuple, Any
-import requests
-
-
-class KeycloakClient:
-    """
-    Client for authenticating with Keycloak and obtaining tokens for App Mesh.
-
-    This class handles the OAuth2/OIDC workflow with Keycloak, including:
-    - Direct authentication with username/password
-    - Token refresh
-    - Token validation
-    """
-
-    def __init__(
-        self,
-        auth_server_url: str,
-        realm: str,
-        client_id: str,
-        client_secret: Optional[str] = None,
-        ssl_verify: bool = True,
-        timeout: Tuple[int, int] = (10, 60),
-        token_refresh_threshold: int = 30,
-    ):
-        """Initialize Keycloak client.
-
-        Args:
-            auth_server_url (str): Keycloak server URL (e.g. https://keycloak.example.com/auth)
-            realm (str): Keycloak realm name
-            client_id (str): Client ID registered in Keycloak
-            client_secret (Optional[str], optional): Client secret if using confidential client. Defaults to None.
-            ssl_verify (bool, optional): Verify SSL certificates. Defaults to True.
-            timeout (Tuple[int, int], optional): Connection and read timeouts. Defaults to (10, 60).
-            token_refresh_threshold (int, optional): Seconds before token expiry to trigger refresh. Defaults to 30.
-        """
-        self.auth_server_url = auth_server_url.rstrip("/")
-        self.realm = realm
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.ssl_verify = ssl_verify
-        self.timeout = timeout
-        self.token_refresh_threshold = token_refresh_threshold
-
-        # Token storage
-        self.access_token = None
-        self.refresh_token = None
-        self.token_expires_at = 0
-
-        # Construct the token endpoint URL
-        self.token_endpoint = f"{self.auth_server_url}/realms/{self.realm}/protocol/openid-connect/token"
-        self.userinfo_endpoint = f"{self.auth_server_url}/realms/{self.realm}/protocol/openid-connect/userinfo"
-
-        # Create a session for connection pooling
-        self.session = requests.Session()
-
-    def __enter__(self):
-        """Support for context manager protocol."""
-        return self
-
-    def __exit__(self, exc_type, exc_val, exc_tb):
-        """Clean up resources when exiting context."""
-        self.close()
-
-    def __del__(self):
-        """Ensure resources are properly released when the object is garbage collected."""
-        try:
-            self.close()
-        except Exception:
-            pass  # Avoid exceptions during garbage collection
-
-    def authenticate(self, username: str, password: str) -> str:
-        """Authenticate with username and password.
-
-        Args:
-            username (str): Username
-            password (str): Password
-
-        Returns:
-            str: Access token
-
-        Raises:
-            Exception: If authentication fails
-        """
-        data = {
-            "client_id": self.client_id,
-            "grant_type": "password",
-            "username": username,
-            "password": password,
-        }
-
-        if self.client_secret:
-            data["client_secret"] = self.client_secret
-
-        try:
-            response = self.session.post(self.token_endpoint, data=data, verify=self.ssl_verify, timeout=self.timeout)
-
-            if response.status_code != 200:
-                raise Exception(f"Authentication failed: {response.text}")
-
-            token_data = response.json()
-            self._update_token_data(token_data)
-            return self.access_token
-
-        except requests.RequestException as e:
-            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
-
-    def refresh_tokens(self) -> str:
-        """Refresh the access token using the refresh token.
-
-        Returns:
-            str: New access token
-
-        Raises:
-            Exception: If refresh fails
-        """
-        if not self.refresh_token:
-            raise Exception("No refresh token available")
-
-        data = {
-            "client_id": self.client_id,
-            "grant_type": "refresh_token",
-            "refresh_token": self.refresh_token,
-        }
-
-        if self.client_secret:
-            data["client_secret"] = self.client_secret
-
-        try:
-            response = self.session.post(self.token_endpoint, data=data, verify=self.ssl_verify, timeout=self.timeout)
-
-            if response.status_code != 200:
-                raise Exception(f"Token refresh failed: {response.text}")
-
-            token_data = response.json()
-            self._update_token_data(token_data)
-            return self.access_token
-
-        except requests.RequestException as e:
-            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
-
-    def validate_token(self) -> bool:
-        """Check if the current token is valid and not expired.
-
-        Returns:
-            bool: True if valid, False otherwise
-        """
-        if not self.access_token:
-            return False
-
-        # Check if the token is expired based on our local expiry time
-        if time.time() > self.token_expires_at:
-            return False
-
-        return True
-
-    def get_active_token(self) -> str:
-        """Get a valid access token, refreshing if necessary.
-
-        Returns:
-            str: Valid access token
-
-        Raises:
-            Exception: If no valid token can be obtained
-        """
-        if self.validate_token():
-            return self.access_token
-
-        if self.refresh_token:
-            try:
-                return self.refresh_tokens()
-            except Exception:
-                pass
-
-        raise Exception("No valid token available and unable to refresh")
-
-    def get_user_info(self) -> Dict[str, Any]:
-        """Get information about the authenticated user.
-
-        Returns:
-            Dict[str, Any]: User information
-
-        Raises:
-            Exception: If request fails
-        """
-        if not self.access_token:
-            raise Exception("Not authenticated")
-
-        headers = {"Authorization": f"Bearer {self.access_token}"}
-
-        try:
-            response = self.session.get(self.userinfo_endpoint, headers=headers, verify=self.ssl_verify, timeout=self.timeout)
-
-            if response.status_code != 200:
-                raise Exception(f"Failed to get user info: {response.text}")
-
-            return response.json()
-
-        except requests.RequestException as e:
-            raise Exception(f"Failed to connect to Keycloak: {str(e)}")
-
-    def _update_token_data(self, token_data: Dict[str, Any]) -> None:
-        """Update the stored token data.
-
-        Args:
-            token_data (Dict[str, Any]): Token data from Keycloak
-        """
-        self.access_token = token_data["access_token"]
-        self.refresh_token = token_data.get("refresh_token")
-
-        # Calculate token expiration time with configurable buffer
-        expires_in = token_data.get("expires_in", 300)
-        self.token_expires_at = time.time() + expires_in - self.token_refresh_threshold
-
-    def close(self) -> None:
-        """Close the session and release resources."""
-        if hasattr(self, "session") and self.session:
-            self.session.close()
-            self.session = None
-
-    @staticmethod
-    def decode_token(token: str) -> Dict[str, Any]:
-        """Decode a JWT token without verification.
-
-        Args:
-            token (str): JWT token
-
-        Returns:
-            Dict[str, Any]: Decoded token payload
-        """
-        parts = token.split(".")
-        if len(parts) != 3:
-            raise Exception("Invalid token format")
-
-        # Decode the payload (second part)
-        payload = parts[1]
-        # Add padding if necessary
-        payload += "=" * (4 - len(payload) % 4) if len(payload) % 4 else ""
-
-        try:
-            decoded = base64.b64decode(payload)
-            return json.loads(decoded)
-        except Exception as e:
-            raise Exception(f"Failed to decode token: {str(e)}")