azul-client 9.0.24__py3-none-any.whl

azul_client/oidc/callback.py

@@ -0,0 +1,73 @@
+"""A simple server that obtains the code generated by Keycloak.
+
+A url is presented to the user, they navigate to it in a browser and proceed with authentication.
+Then keycloak will redirect the browser to this web server and we extract the code generated by keycloak.
+"""
+
+import sys
+import urllib.parse
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+
+class OIDCResponseServer(BaseHTTPRequestHandler):
+    """Server to receive oidc callback to enable code exchange with PKCE."""
+
+    expected_path = ""
+    expected_state = ""
+    token_code = None
+
+    def do_GET(self):
+        """Handle get request from users browser."""
+        # expected like http://127.0.0.1:8080/authorisation-code/callback?code=XXXX&state=YYYY
+        try:
+            if not self.path.startswith(f"{OIDCResponseServer.expected_path}?"):
+                raise Exception(f"bad path '{self.path}' not start with '{self.expected_path}?'")
+            parsed = urllib.parse.urlparse(self.path)
+            qs = urllib.parse.parse_qs(parsed.query)
+            if OIDCResponseServer.expected_state != qs["state"][0]:
+                raise Exception("Returned state does not match")
+            OIDCResponseServer.token_code = qs["code"][0]
+
+        except Exception as e:
+            self.send_response(400)
+            self.send_header("Content-type", "text/html")
+            self.end_headers()
+            self.wfile.write(bytes("<html><head><title>Azul Client Auth</title></head>", "utf-8"))
+            self.wfile.write(bytes("<body>", "utf-8"))
+            self.wfile.write(bytes("<p>Failure</p>", "utf-8"))
+            self.wfile.write(bytes(f"<p>{str(e)}</p>", "utf-8"))
+            self.wfile.write(bytes("</body></html>", "utf-8"))
+
+        else:
+            self.send_response(200)
+            self.send_header("Content-type", "text/html")
+            self.end_headers()
+            self.wfile.write(bytes("<html><head><title>Azul Client Auth</title></head>", "utf-8"))
+            self.wfile.write(bytes("<body>", "utf-8"))
+            self.wfile.write(bytes("<p>Success</p>", "utf-8"))
+            self.wfile.write(bytes("<p>You may now close this tab.</p>", "utf-8"))
+            self.wfile.write(bytes("</body></html>", "utf-8"))
+
+
+def receive_code(
+    expected_state: str, *, path: str = "/authorisation-code/callback", hostname: str = "localhost", port: int = 8080
+):
+    """Receive one http request from users browser, parse code and shut down."""
+    OIDCResponseServer.expected_path = path
+    OIDCResponseServer.expected_state = expected_state
+    server = HTTPServer((hostname, port), OIDCResponseServer)
+    print("Server started at http://%s:%s. Waiting for oauth callback." % (hostname, port), file=sys.stderr)
+
+    try:
+        while not OIDCResponseServer.token_code:
+            server.handle_request()
+    except KeyboardInterrupt:
+        pass
+    server.server_close()
+    print("Server stopped.")
+    return OIDCResponseServer.token_code
+
+
+if __name__ == "__main__":
+    code = receive_code("51998", path="/test")
+    print(f"{code=}")

azul_client/oidc/oidc.py

@@ -0,0 +1,215 @@
+"""Auth handling."""
+
+import base64
+import hashlib
+import json
+import os
+import random
+import re
+import sys
+import time
+import urllib.parse
+
+import httpx
+
+from azul_client import config
+
+from . import callback
+
+
+def _get_json(resp: httpx.Response, dbg: str) -> dict:
+    """Try to read json data out of the web request."""
+    if resp.status_code != 200:
+        raise Exception(f"Failed to fetch {dbg} - Code: {resp.status_code} - Content:\n{resp.content[:1000]}")
+    if "application/json" not in resp.headers.get("content-type"):
+        raise Exception(
+            f"Failed to fetch {dbg} - response mime is not json ({resp.headers.get('content-type')}). "
+            f"Is '{resp.url}' the correct endpoint? - "
+            f"Content:\n{resp.content[:1000]}"
+        )
+    try:
+        data = resp.json()
+    except json.decoder.JSONDecodeError:
+        raise Exception(
+            f"Failed to fetch {dbg} - response was not json. "
+            f"Is '{resp.url}' the correct endpoint? - "
+            f"Content:\n{resp.content[:1000]}"
+        )
+    return data
+
+
+class OIDC:
+    """Handle authentication with Azul api."""
+
+    def __init__(self, cfg: config.Config) -> None:
+        self.cfg = cfg
+        self._oidc_info = None
+        # Requests used to force retries on status codes [500, 502, 503, 504]
+        verify = True
+        if not self.cfg.azul_verify_ssl:
+            print("NO VERIFY SSL", file=sys.stderr)
+            verify = False
+        # Setup client with retries.
+        self._verify = verify
+        self._local_client = httpx.Client(
+            timeout=httpx.Timeout(timeout=self.cfg.max_timeout),
+        )
+
+    def _get_oidc_info(self):
+        """Return oidc json document containing locations of required resources for auth."""
+        if not self._oidc_info:
+            self._fetch_well_known()
+        return self._oidc_info
+
+    def _get_authorization_endpoint(self):
+        return self._get_oidc_info()["authorization_endpoint"]
+
+    def _get_token_endpoint(self):
+        return self._get_oidc_info()["token_endpoint"]
+
+    def _fetch_well_known(self):
+        resp = self._local_client.get(self.cfg.oidc_url, timeout=httpx.Timeout(timeout=self.cfg.oidc_timeout))
+        self._oidc_info = _get_json(resp, "well known")
+
+    @config._lock_azul_config
+    def get_client(self):
+        """Return a httpx client object with an up to date authorization token."""
+        out_client = httpx.Client(
+            headers={"authorization": "Bearer " + self._get_access_token()},
+            mounts={
+                "http://": httpx.HTTPTransport(retries=5),
+                "https://": httpx.HTTPTransport(retries=5),
+            },
+            timeout=httpx.Timeout(timeout=self.cfg.max_timeout),
+            verify=self._verify,
+        )
+        return out_client
+
+    def _via_service_token(self):
+        """Retrieve a token from OIDC provider using service account flow."""
+        resp = self._local_client.post(
+            self._get_token_endpoint(),
+            data={
+                "response_type": "token",
+                "client_id": self.cfg.auth_client_id,
+                "client_secret": os.environ.get("AZUL_CLIENT_SECRET") or self.cfg.auth_client_secret,
+                "grant_type": "client_credentials",
+                "scope": self.cfg.auth_scopes,
+            },
+            timeout=httpx.Timeout(timeout=self.cfg.oidc_timeout),
+        )
+        return _get_json(resp, "via service token")
+
+    def _via_code_callback(self):
+        """Retrieve a token from OIDC provider using code callback."""
+        # prove that requestor of token is same as receiver with code challenge and verify
+        code_verifier = base64.urlsafe_b64encode(os.urandom(40)).decode("utf-8")
+        code_verifier = re.sub("[^a-zA-Z0-9]+", "", code_verifier)
+
+        code_challenge = hashlib.sha256(code_verifier.encode("utf-8")).digest()
+        code_challenge = base64.urlsafe_b64encode(code_challenge).decode("utf-8")
+        code_challenge = code_challenge.replace("=", "")
+
+        port = 8080
+        callback_url = f"http://localhost:{port}/client/callback"
+
+        state = str(random.randint(1000000, 9999999))  # nosec B311
+        params = {
+            "response_type": "code",
+            "client_id": self.cfg.auth_client_id,
+            "redirect_uri": callback_url,
+            "state": state,
+            "scope": self.cfg.auth_scopes,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+        }
+        url_ask_user = self._get_authorization_endpoint() + "?" + urllib.parse.urlencode(params)
+        print(f"Please navigate to the following url to continue authentication:\n{url_ask_user}", file=sys.stderr)
+        code = callback.receive_code(state, path="/client/callback", hostname="localhost", port=port)
+        if not code:
+            raise Exception("No token retrieval code was returned")
+
+        resp = self._local_client.post(
+            self._get_token_endpoint(),
+            data={
+                "grant_type": "authorization_code",
+                "code": code,
+                "client_id": self.cfg.auth_client_id,
+                "state": state,
+                "scope": self.cfg.auth_scopes,
+                "redirect_uri": callback_url,
+                "code_verifier": code_verifier,
+            },
+            timeout=httpx.Timeout(timeout=self.cfg.oidc_timeout),
+        )
+        return _get_json(resp, "via code callback")
+
+    def _via_refresh(self, tk: dict):
+        """Obtain new tokens using previously issued refresh token."""
+        refresh_token = tk.get("refresh_token", None)
+        # Full re-auth if there is no refresh token
+        if not refresh_token:
+            return self._get_token_non_refresh()
+        # need to refresh the current token
+        resp = self._local_client.post(
+            self._get_token_endpoint(),
+            data={
+                "grant_type": "refresh_token",
+                "client_id": self.cfg.auth_client_id,
+                "refresh_token": refresh_token,
+                "scope": self.cfg.auth_scopes,
+            },
+            timeout=httpx.Timeout(timeout=self.cfg.oidc_timeout),
+        )
+        if 400 <= resp.status_code < 500:
+            # maybe refresh token has expired, retry full auth
+            return None
+        return _get_json(resp, "via refresh")
+
+    def _get_token_non_refresh(self):
+        # use auth method nominated in config
+        atype = self.cfg.auth_type
+        if atype == "none":
+            # no access token is required
+            tk = {}
+        elif atype == "callback":
+            tk = self._via_code_callback()
+        elif atype == "service":
+            tk = self._via_service_token()
+        else:
+            raise NotImplementedError(atype)
+        return tk
+
+    def _get_token(self):
+        """Get auth tokens to Azul."""
+        if self.cfg.auth_type == "none":
+            # no access token is required
+            return {}
+
+        if self.cfg.auth_token:
+            if time.time() > self.cfg.auth_token_time + 60:
+                # refresh the token
+                tk = self._via_refresh(self.cfg.auth_token)
+                if not tk:
+                    # maybe refresh token has expired
+                    print("Warning - Refresh token likely has expired.", file=sys.stderr)
+                    tk = self._get_token_non_refresh()
+
+            elif time.time() < self.cfg.auth_token_time + 60:
+                # return current token
+                return self.cfg.auth_token
+        else:
+            tk = self._get_token_non_refresh()
+
+        self.cfg.auth_token = tk
+        self.cfg.auth_token_time = int(time.time())
+        # save updated token to config file
+        self.cfg.save()
+        return tk
+
+    def _get_access_token(self) -> str:
+        """Get valid access token to authenticate with Azul."""
+        token = self._get_token().get("access_token", "none")
+        if not token and self.cfg.auth_type != "none":
+            raise Exception("Token required but was not found")
+        return token

azul_client-9.0.24.dist-info/METADATA

@@ -0,0 +1,102 @@
+Metadata-Version: 2.4
+Name: azul-client
+Version: 9.0.24
+Summary: Interact with Azul using your terminal instead of clicking in the UI a thousand times!
+Home-page: https://www.asd.gov.au/
+Author: Azul
+Author-email: azul@asd.gov.au
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+Requires-Dist: cart
+Requires-Dist: malpz
+Requires-Dist: click
+Requires-Dist: pendulum
+Requires-Dist: rich
+Requires-Dist: httpx
+Requires-Dist: pydantic>2
+Requires-Dist: pydantic-settings
+Requires-Dist: tenacity
+Requires-Dist: azul-bedrock
+Requires-Dist: filelock
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# Azul Client
+
+Azul client is a near complete client for Azul's RestAPI.
+
+Interact with Azul using your terminal instead of clicking in the UI a thousand times!
+
+Tested on ubuntu 22.04.
+
+## Install
+
+`pip install azul-client`
+
+## Setup
+
+Azul Client requires a config file located at ~/.azul.ini
+
+A default config will be generated on first run.
+
+You will need to adjust the config options as appropriate.
+
+```yaml
+[default]
+azul_url = http://localhost
+oidc_url = http://keycloak/.well-known/openid-configuration
+auth_type = callback
+auth_scopes =
+auth_client_id = azul-web
+auth_client_secret =
+azul_verify_ssl = True
+auth_token = {}
+auth_token_time = 0
+max_timeout = 300.0
+oidc_timeout = 10.0
+```
+
+### Root CA
+
+If you have extra Root CAs, you will need to make httpx aware of them or it will complain.
+
+Ubuntu - `export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`
+
+Red Hat - `export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt`
+
+Alternatively you can point to a certificate directory
+
+`export SSL_CERT_DIR=/etc/ssl/certs`
+
+This can be added to your ~/.bashrc to prevent you from having to do it for every terminal session.
+
+## Usage
+
+For usage guidance refer to the [API](./docs/api.md) and [CLI](./docs/cli.md) documentation.
+
+## Integration test suite
+
+The integration test suite is in the tests/integration folder.
+
+The `setUpModule` method in the file `tests/integration/__init__.py` creates all files in azul that need to be available for querying and uploading child/dataless.
+It also waits for those uploaded files to be available in Azul which means during tests you can assume those files exist.
+
+It also exports the sha256's of the files it uploaded to ensure the tests can import those sha256's for their testing.
+
+NOTE - the first time you run the test suite particularly if you've added new files to the module it may be slow. But all subsequent runs will be much faster.

azul_client-9.0.24.dist-info/RECORD

@@ -0,0 +1,23 @@
+azul_client/__init__.py,sha256=NLNKojPMcgSlD4B-56OivmC7Q02wbJHv5Vx4oXLgmrw,77
+azul_client/client.py,sha256=yZNzcsuxoNA0T-GHTKFLXQuzP4-v8u-tMtmQ1Mc0zF0,17450
+azul_client/config.py,sha256=p3exqEQaQmE85KvC05wCUyvgr29ybPMTey7moJG9zok,3652
+azul_client/exceptions.py,sha256=WC8c5RmPpXaxGGEP5XnJD4q_CgFQAF3T6MsoTp9rOtU,1068
+azul_client/api/__init__.py,sha256=KsQG1baHNvWlwvgKks7sUr3_vi_tCjbnEB-bInIKquc,2396
+azul_client/api/base_api.py,sha256=ELIXpNZWIJvX6EOMdoWoOBSD19367mVgWDeCk8uImmo,6638
+azul_client/api/binaries_data.py,sha256=ZhechdW_awfDFf6D2a6ut-tROkiUvCnZnQ_kcUIc3OI,20089
+azul_client/api/binaries_meta.py,sha256=UvebsIKhXxATERJAlPsxvS1-gFT-7vVMETDIPCJGYDA,21237
+azul_client/api/features.py,sha256=Kb_dJ4fVBufyvWjTJhpwmWXRR68-4A3vp10sDwYv-Yc,7089
+azul_client/api/plugins.py,sha256=rk_qO70pNahROT5Pm4KawTNsbPmraUKEARgZK9gfaGI,2033
+azul_client/api/purge.py,sha256=krOkKp-1UkEZXsAX71rnipxtYkHnVFOPHZmgV9tqPE0,2731
+azul_client/api/security.py,sha256=zo6Vxz3HXqM_tZ7DpUH1q4RoRmCRj_mcfRdW7tLNbDw,1234
+azul_client/api/sources.py,sha256=LMPOuQhRv5qnQufQBJLpc1i35NbhEJH7bQrO_e-F9sw,1911
+azul_client/api/statistics.py,sha256=V9NDG5_GKXuMBxqCbdc05Ge1Nutjfdz6Ob64TfHrJsM,711
+azul_client/api/users.py,sha256=neA8e-b7BhOXVj2ertADbXSpznrvY1Z5vv-M5tkMCBM,997
+azul_client/oidc/__init__.py,sha256=6QPY9BzSjW_E8FB5LVuNvJuv2DxcGWaPSQ0UyG7ezHM,50
+azul_client/oidc/callback.py,sha256=PRvaYoiYTxT5T1rP39xeAomGII1BrgGeKnjCx_CGZ2Y,3053
+azul_client/oidc/oidc.py,sha256=_Ni9KGLcEkUWHYPYs0WyO8vop0lRL9IdXbutF01irug,8066
+azul_client-9.0.24.dist-info/METADATA,sha256=KsDNcwjr9cG9Mlb6gaLxjHhTh8GdQ5NGyGArVrpD8Qc,3093
+azul_client-9.0.24.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+azul_client-9.0.24.dist-info/entry_points.txt,sha256=FhUw3GodsTs_lRVuXubJQ-kaYkYA_yX_jYkKfuPQ7jE,48
+azul_client-9.0.24.dist-info/top_level.txt,sha256=C1NP4kqciZywY_uBh4f4CDF-KqYKXe3bYI5ISHwJl7o,12
+azul_client-9.0.24.dist-info/RECORD,,

azul_client-9.0.24.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.2)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

azul_client-9.0.24.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+azul = azul_client.client:cli

azul_client-9.0.24.dist-info/top_level.txt

@@ -0,0 +1 @@
+azul_client