boto3-refresh-session 4.0.0__tar.gz → 5.0.0__tar.gz

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/PKG-INFO

@@ -1,9 +1,9 @@
 Metadata-Version: 2.3
 Name: boto3-refresh-session
-Version: 4.0.0
+Version: 5.0.0
 Summary: A simple Python package for refreshing the temporary security credentials in a boto3.session.Session object automatically.
 License: MIT
-Keywords: boto3,botocore,aws,sts,credentials,token,refresh
+Keywords: boto3,botocore,aws,sts,credentials,token,refresh,iot,x509
 Author: Mike Letts
 Author-email: lettsmt@gmail.com
 Maintainer: Michael Letts
@@ -15,6 +15,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: awscrt
 Requires-Dist: boto3
 Requires-Dist: botocore
 Requires-Dist: requests
@@ -120,8 +121,11 @@ Description-Content-Type: text/markdown
 ## 😛 Features
 
 - Drop-in replacement for `boto3.session.Session`
-- Supports automatic credential refresh methods for STS
-- Supports custom authentication methods with automatic refresh for complicated authentication flows
+- Supports automatic credential refresh for: 
+  - **STS**
+  - **IoT Core** 
+    - X.509 certificates w/ role aliases over mTLS (PEM files and PKCS#11)
+  - Custom authentication methods
 - Natively supports all parameters supported by `boto3.session.Session`
 - [Tested](https://github.com/michaelthomasletts/boto3-refresh-session/tree/main/tests), [documented](https://michaelthomasletts.github.io/boto3-refresh-session/index.html), and [published to PyPI](https://pypi.org/project/boto3-refresh-session/)
 - Future releases will include support for IoT (coming soon)
@@ -140,6 +144,10 @@ Please review [this PR](https://github.com/michaelthomasletts/boto3-refresh-sess
 
 The `ecs` module has been dropped. For additional details and rationale, please review [this PR](https://github.com/michaelthomasletts/boto3-refresh-session/pull/78).
 
+#### 😛 v5.0.0
+
+Support for IoT Core via X.509 certificate-based authentication (over HTTPS) is now available!
+
 #### ☎️ Delayed Responses
 
 I am currently grappling with a very serious medical condition. Accordingly, expect delayed responses to issues and requests until my health stabilizes.
@@ -301,3 +309,56 @@ pip install boto3-refresh-session
   ```
 
 </details>
+
+<details>
+  <summary><strong>IoT Core X.509 (click to expand)</strong></summary>
+
+  ### IoT Core X.509
+
+  AWS IoT Core can vend temporary AWS credentials through the **credentials provider** when you connect with an X.509 certificate and a **role alias**. `boto3-refresh-session` makes this flow seamless by automatically refreshing credentials over **mTLS**.
+
+  For additional information on the exact parameters that `IOTX509RefreshableSession` takes, [check this documentation](https://github.com/michaelthomasletts/boto3-refresh-session/blob/main/boto3_refresh_session/methods/iot/x509.py).
+
+  ### PEM file
+
+  ```python
+  import boto3_refresh_session as brs
+
+  # PEM certificate + private key example
+  session = brs.RefreshableSession(
+      method="iot",
+      endpoint="<your-credentials-endpoint>.credentials.iot.<region>.amazonaws.com",
+      role_alias="<your-role-alias>",
+      certificate="/path/to/certificate.pem",
+      private_key="/path/to/private-key.pem",
+      thing_name="<your-thing-name>",       # optional, if used in policies
+      duration_seconds=3600,                # optional, capped by role alias
+      region_name="us-east-1",
+  )
+
+  # Now you can use the session like any boto3 session
+  s3 = session.client("s3")
+  print(s3.list_buckets())
+  ```
+
+  ### PKCS#11
+
+  ```python
+  session = brs.RefreshableSession(
+      method="iot",
+      endpoint="<your-credentials-endpoint>.credentials.iot.<region>.amazonaws.com",
+      role_alias="<your-role-alias>",
+      certificate="/path/to/certificate.pem",
+      pkcs11={
+          "pkcs11_lib": "/usr/local/lib/softhsm/libsofthsm2.so",
+          "user_pin": "1234",
+          "slot_id": 0,
+          "token_label": "MyToken",
+          "private_key_label": "MyKey",
+      },
+      thing_name="<your-thing-name>",
+      region_name="us-east-1",
+  )
+  ```
+
+</details>

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/README.md

@@ -95,8 +95,11 @@
 ## 😛 Features
 
 - Drop-in replacement for `boto3.session.Session`
-- Supports automatic credential refresh methods for STS
-- Supports custom authentication methods with automatic refresh for complicated authentication flows
+- Supports automatic credential refresh for: 
+  - **STS**
+  - **IoT Core** 
+    - X.509 certificates w/ role aliases over mTLS (PEM files and PKCS#11)
+  - Custom authentication methods
 - Natively supports all parameters supported by `boto3.session.Session`
 - [Tested](https://github.com/michaelthomasletts/boto3-refresh-session/tree/main/tests), [documented](https://michaelthomasletts.github.io/boto3-refresh-session/index.html), and [published to PyPI](https://pypi.org/project/boto3-refresh-session/)
 - Future releases will include support for IoT (coming soon)
@@ -115,6 +118,10 @@ Please review [this PR](https://github.com/michaelthomasletts/boto3-refresh-sess
 
 The `ecs` module has been dropped. For additional details and rationale, please review [this PR](https://github.com/michaelthomasletts/boto3-refresh-session/pull/78).
 
+#### 😛 v5.0.0
+
+Support for IoT Core via X.509 certificate-based authentication (over HTTPS) is now available!
+
 #### ☎️ Delayed Responses
 
 I am currently grappling with a very serious medical condition. Accordingly, expect delayed responses to issues and requests until my health stabilizes.
@@ -275,4 +282,57 @@ pip install boto3-refresh-session
   )
   ```
 
+</details>
+
+<details>
+  <summary><strong>IoT Core X.509 (click to expand)</strong></summary>
+
+  ### IoT Core X.509
+
+  AWS IoT Core can vend temporary AWS credentials through the **credentials provider** when you connect with an X.509 certificate and a **role alias**. `boto3-refresh-session` makes this flow seamless by automatically refreshing credentials over **mTLS**.
+
+  For additional information on the exact parameters that `IOTX509RefreshableSession` takes, [check this documentation](https://github.com/michaelthomasletts/boto3-refresh-session/blob/main/boto3_refresh_session/methods/iot/x509.py).
+
+  ### PEM file
+
+  ```python
+  import boto3_refresh_session as brs
+
+  # PEM certificate + private key example
+  session = brs.RefreshableSession(
+      method="iot",
+      endpoint="<your-credentials-endpoint>.credentials.iot.<region>.amazonaws.com",
+      role_alias="<your-role-alias>",
+      certificate="/path/to/certificate.pem",
+      private_key="/path/to/private-key.pem",
+      thing_name="<your-thing-name>",       # optional, if used in policies
+      duration_seconds=3600,                # optional, capped by role alias
+      region_name="us-east-1",
+  )
+
+  # Now you can use the session like any boto3 session
+  s3 = session.client("s3")
+  print(s3.list_buckets())
+  ```
+
+  ### PKCS#11
+
+  ```python
+  session = brs.RefreshableSession(
+      method="iot",
+      endpoint="<your-credentials-endpoint>.credentials.iot.<region>.amazonaws.com",
+      role_alias="<your-role-alias>",
+      certificate="/path/to/certificate.pem",
+      pkcs11={
+          "pkcs11_lib": "/usr/local/lib/softhsm/libsofthsm2.so",
+          "user_pin": "1234",
+          "slot_id": 0,
+          "token_label": "MyToken",
+          "private_key_label": "MyKey",
+      },
+      thing_name="<your-thing-name>",
+      region_name="us-east-1",
+  )
+  ```
+
 </details>

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/__init__.py

@@ -3,12 +3,13 @@ __all__ = []
 from . import exceptions, session
 from .exceptions import *
 from .methods.custom import *
+from .methods.iot import *
 from .methods.sts import *
 from .session import *
 
 __all__.extend(session.__all__)
 __all__.extend(exceptions.__all__)
-__version__ = "4.0.0"
+__version__ = "5.0.0"
 __title__ = "boto3-refresh-session"
 __author__ = "Mike Letts"
 __maintainer__ = "Mike Letts"

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/exceptions.py

@@ -1,5 +1,7 @@
 __all__ = ["BRSError", "BRSWarning"]
 
+import warnings
+
 
 class BRSError(Exception):
     """The base exception for boto3-refresh-session.
@@ -39,3 +41,9 @@ class BRSWarning(UserWarning):
 
     def __repr__(self) -> str:
         return f"{self.__class__.__name__}({self.message!r})"
+
+    @classmethod
+    def warn(cls, message: str, *, stacklevel: int = 2):
+        """Emits a BRSWarning with a consistent stacklevel."""
+
+        warnings.warn(cls(message), stacklevel=stacklevel)

boto3_refresh_session-5.0.0/boto3_refresh_session/methods/__init__.py

@@ -0,0 +1,10 @@
+__all__ = []
+
+from . import custom, iot, sts
+from .custom import *
+from .iot import *
+from .sts import *
+
+__all__.extend(custom.__all__)
+__all__.extend(iot.__all__)
+__all__.extend(sts.__all__)

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/methods/custom.py

@@ -71,7 +71,7 @@ class CustomRefreshableSession(BaseRefreshableSession, registry_key="custom"):
         **kwargs,
     ):
         if "refresh_method" in kwargs:
-            BRSWarning(
+            BRSWarning.warn(
                 "'refresh_method' cannot be set manually. "
                 "Reverting to 'custom'."
             )

boto3_refresh_session-5.0.0/boto3_refresh_session/methods/iot/__init__.py

@@ -0,0 +1,7 @@
+__all__ = []
+
+from . import core
+from .core import IoTRefreshableSession
+from .x509 import IOTX509RefreshableSession
+
+__all__.extend(core.__all__)

boto3_refresh_session-4.0.0/boto3_refresh_session/methods/iot/core.typed → boto3_refresh_session-5.0.0/boto3_refresh_session/methods/iot/core.py

@@ -6,28 +6,16 @@ from typing import get_args
 
 from ...exceptions import BRSError
 from ...utils import (
-    BaseRefreshableSession, 
-    BRSSession,
-    CredentialProvider, 
-    IoTAuthenticationMethod, 
-    Registry,
+    BaseIoTRefreshableSession,
+    BaseRefreshableSession,
+    IoTAuthenticationMethod,
 )
 
 
-class BaseIoTRefreshableSession(
-    Registry[IoTAuthenticationMethod],
-    CredentialProvider,
-    BRSSession,
-    registry_key="__iot_sentinel__",
-):
-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-
-
 class IoTRefreshableSession(BaseRefreshableSession, registry_key="iot"):
     def __new__(
         cls,
-        authentication_method: IoTAuthenticationMethod = "certificate",
+        authentication_method: IoTAuthenticationMethod = "x509",
         **kwargs,
     ) -> BaseIoTRefreshableSession:
         if authentication_method not in (

boto3_refresh_session-5.0.0/boto3_refresh_session/methods/iot/x509.py

@@ -0,0 +1,336 @@
+__all__ = ["IOTX509RefreshableSession"]
+
+import json
+import re
+from pathlib import Path
+from typing import cast
+from urllib.parse import ParseResult, urlparse
+
+from awscrt.exceptions import AwsCrtError
+from awscrt.http import HttpClientConnection, HttpRequest
+from awscrt.io import (
+    ClientBootstrap,
+    ClientTlsContext,
+    DefaultHostResolver,
+    EventLoopGroup,
+    Pkcs11Lib,
+    TlsConnectionOptions,
+    TlsContextOptions,
+)
+
+from ...exceptions import BRSError, BRSWarning
+from ...utils import (
+    PKCS11,
+    AWSCRTResponse,
+    Identity,
+    TemporaryCredentials,
+    refreshable_session,
+)
+from .core import BaseIoTRefreshableSession
+
+
+@refreshable_session
+class IOTX509RefreshableSession(
+    BaseIoTRefreshableSession, registry_key="x509"
+):
+    """A :class:`boto3.session.Session` object that automatically refreshes
+    temporary credentials returned by the IoT Core credential provider.
+
+    Parameters
+    ----------
+    endpoint : str
+        The endpoint URL for the IoT Core credential provider. Must contain
+        '.credentials.iot.'.
+    role_alias : str
+        The IAM role alias to use when requesting temporary credentials.
+    certificate : str | bytes
+        The X.509 certificate to use when requesting temporary credentials.
+        ``str`` represents the file path to the certificate, while ``bytes``
+        represents the actual certificate data.
+    thing_name : str, optional
+        The name of the IoT thing to use when requesting temporary
+        credentials. Default is None.
+    private_key : str | bytes | None, optional
+        The private key to use when requesting temporary credentials. ``str``
+        represents the file path to the private key, while ``bytes``
+        represents the actual private key data. Optional only if ``pkcs11``
+        is provided. Default is None.
+    pkcs11 : PKCS11, optional
+        The PKCS#11 library to use when requesting temporary credentials. If
+        provided, ``private_key`` must be None.
+    ca : str | bytes | None, optional
+        The CA certificate to use when verifying the IoT Core endpoint. ``str``
+        represents the file path to the CA certificate, while ``bytes``
+        represents the actual CA certificate data. Default is None.
+    verify_peer : bool, optional
+        Whether to verify the CA certificate when establishing the TLS
+        connection. Default is True.
+    timeout : float | int | None, optional
+        The timeout for the TLS connection in seconds. Default is 10.0.
+    duration_seconds : int | None, optional
+        The duration for which the temporary credentials are valid, in
+        seconds. Cannot exceed the value declared in the IAM policy.
+        Default is None.
+
+    Notes
+    -----
+    Gavin Adams at AWS was a major influence on this implementation.
+    Thank you, Gavin!
+    """
+
+    def __init__(
+        self,
+        endpoint: str,
+        role_alias: str,
+        certificate: str | bytes,
+        thing_name: str | None = None,
+        private_key: str | bytes | None = None,
+        pkcs11: PKCS11 | None = None,
+        ca: str | bytes | None = None,
+        verify_peer: bool = True,
+        timeout: float | int | None = None,
+        duration_seconds: int | None = None,
+        **kwargs,
+    ):
+        # initializing BRSSession
+        super().__init__(refresh_method="iot-x509", **kwargs)
+
+        # initializing public attributes
+        self.endpoint = self._normalize_iot_credential_endpoint(
+            endpoint=endpoint
+        )
+        self.role_alias = role_alias
+        self.certificate = certificate
+        self.thing_name = thing_name
+        self.private_key = private_key
+        self.pkcs11 = pkcs11
+        self.ca = ca
+        self.verify_peer = verify_peer
+        self.timeout = 10.0 if timeout is None else timeout
+        self.duration_seconds = duration_seconds
+
+        # loading X.509 certificate if presented as a string, which
+        # is presumed to be the file path.
+        # if presented as bytes then self.certificate is presumed to be
+        # the actual certificate itself
+        if self.certificate and isinstance(self.certificate, str):
+            self.certificate = (
+                Path(self.certificate).expanduser().resolve().read_bytes()
+            )
+
+        # either private_key or pkcs11 must be provided
+        if self.private_key is None and self.pkcs11 is None:
+            raise BRSError(
+                "Either 'private_key' or 'pkcs11' must be provided."
+            )
+
+        # . . . but both cannot be provided!
+        if self.private_key is not None and self.pkcs11 is not None:
+            raise BRSError(
+                "Only one of 'private_key' or 'pkcs11' can be provided."
+            )
+
+        # if the provided private_key is bytes then it's presumed to be
+        # the actual private key. but if it's string then it's presumed
+        # to be the file path
+        if self.private_key and isinstance(self.private_key, str):
+            self.private_key = (
+                Path(self.private_key).expanduser().resolve().read_bytes()
+            )
+
+        # verifying PKCS#11 dict
+        if self.pkcs11:
+            self.pkcs11 = self._validate_pkcs11(pkcs11=self.pkcs11)
+
+        # ca is like many other attributes in that str implies file location
+        if self.ca and isinstance(self.ca, str):
+            self.ca = Path(self.ca).expanduser().resolve().read_bytes()
+
+    def _get_credentials(self) -> TemporaryCredentials:
+        url = urlparse(
+            f"https://{self.endpoint}/role-aliases/{self.role_alias}"
+            "/credentials"
+        )
+        request = HttpRequest("GET", url.path)
+        request.headers.add("host", str(url.hostname))
+        if self.thing_name:
+            request.headers.add("x-amzn-iot-thingname", self.thing_name)
+        if self.duration_seconds:
+            request.headers.add(
+                "x-amzn-iot-credential-duration-seconds",
+                str(self.duration_seconds),
+            )
+        response = AWSCRTResponse()
+        port = 443 if not url.port else url.port
+        connection = (
+            self._mtls_client_connection(url=url, port=port)
+            if not self.pkcs11
+            else self._mtls_pkcs11_client_connection(url=url, port=port)
+        )
+
+        try:
+            stream = connection.request(
+                request, response.on_response, response.on_body
+            )
+            stream.activate()
+            stream.completion_future.result(float(self.timeout))
+        finally:
+            try:
+                connection.close()
+            except Exception:
+                ...
+
+        if response.status_code == 200:
+            credentials = json.loads(response.body.decode("utf-8"))[
+                "credentials"
+            ]
+            return {
+                "access_key": credentials["accessKeyId"],
+                "secret_key": credentials["secretAccessKey"],
+                "token": credentials["sessionToken"],
+                "expiry_time": credentials["expiration"],
+            }
+        else:
+            raise BRSError(
+                "Error getting credentials: "
+                f"{json.loads(response.body.decode())}"
+            )
+
+    def _mtls_client_connection(
+        self, url: ParseResult, port: int
+    ) -> HttpClientConnection:
+        event_loop_group: EventLoopGroup = EventLoopGroup()
+        host_resolver: DefaultHostResolver = DefaultHostResolver(
+            event_loop_group
+        )
+        bootstrap: ClientBootstrap = ClientBootstrap(
+            event_loop_group, host_resolver
+        )
+        tls_ctx_opt = TlsContextOptions.create_client_with_mtls(
+            cert_buffer=self.certificate, key_buffer=self.private_key
+        )
+
+        if self.ca:
+            tls_ctx_opt.override_default_trust_store(self.ca)
+
+        tls_ctx_opt.verify_peer = self.verify_peer
+        tls_ctx = ClientTlsContext(tls_ctx_opt)
+        tls_conn_opt: TlsConnectionOptions = cast(
+            TlsConnectionOptions, tls_ctx.new_connection_options()
+        )
+        tls_conn_opt.set_server_name(str(url.hostname))
+
+        try:
+            connection_future = HttpClientConnection.new(
+                host_name=str(url.hostname),
+                port=port,
+                bootstrap=bootstrap,
+                tls_connection_options=tls_conn_opt,
+            )
+            return connection_future.result(self.timeout)
+        except AwsCrtError as err:
+            raise BRSError(
+                "Error completing mTLS connection to endpoint "
+                f"'{url.hostname}'"
+            ) from err
+
+    def _mtls_pkcs11_client_connection(
+        self, url: ParseResult, port: int
+    ) -> HttpClientConnection:
+        event_loop_group: EventLoopGroup = EventLoopGroup()
+        host_resolver: DefaultHostResolver = DefaultHostResolver(
+            event_loop_group
+        )
+        bootstrap: ClientBootstrap = ClientBootstrap(
+            event_loop_group, host_resolver
+        )
+
+        if not self.pkcs11:
+            raise BRSError(
+                "Attempting to establish mTLS connection using PKCS#11"
+                "but 'pkcs11' parameter is 'None'!"
+            )
+
+        tls_ctx_opt = TlsContextOptions.create_client_with_mtls_pkcs11(
+            pkcs11_lib=Pkcs11Lib(file=self.pkcs11["pkcs11_lib"]),
+            user_pin=self.pkcs11["user_pin"],
+            slot_id=self.pkcs11["slot_id"],
+            token_label=self.pkcs11["token_label"],
+            private_key_label=self.pkcs11["private_key_label"],
+            cert_file_contents=self.certificate,
+        )
+
+        if self.ca:
+            tls_ctx_opt.override_default_trust_store(self.ca)
+
+        tls_ctx_opt.verify_peer = self.verify_peer
+        tls_ctx = ClientTlsContext(tls_ctx_opt)
+        tls_conn_opt: TlsConnectionOptions = cast(
+            TlsConnectionOptions, tls_ctx.new_connection_options()
+        )
+        tls_conn_opt.set_server_name(str(url.hostname))
+
+        try:
+            connection_future = HttpClientConnection.new(
+                host_name=str(url.hostname),
+                port=port,
+                bootstrap=bootstrap,
+                tls_connection_options=tls_conn_opt,
+            )
+            return connection_future.result(self.timeout)
+        except AwsCrtError as err:
+            raise BRSError("Error completing mTLS connection.") from err
+
+    def get_identity(self) -> Identity:
+        """Returns metadata about the current caller identity.
+
+        Returns
+        -------
+        Identity
+            Dict containing information about the current calleridentity.
+        """
+
+        return self.client("sts").get_caller_identity()
+
+    @staticmethod
+    def _normalize_iot_credential_endpoint(endpoint: str) -> str:
+        if ".credentials.iot." in endpoint:
+            return endpoint
+
+        if ".iot." in endpoint and "-ats." in endpoint:
+            logged_data_endpoint = re.sub(r"^[^. -]+", "***", endpoint)
+            logged_credential_endpoint = re.sub(
+                r"^[^. -]+",
+                "***",
+                (endpoint := endpoint.replace("-ats.iot", ".credentials.iot")),
+            )
+            BRSWarning.warn(
+                "The 'endpoint' parameter you provided represents the data "
+                "endpoint for IoT not the credentials endpoint! The endpoint "
+                "you provided was therefore modified from "
+                f"'{logged_data_endpoint}' -> '{logged_credential_endpoint}'"
+            )
+            return endpoint
+
+        raise BRSError(
+            "Invalid IoT endpoint provided for credentials provider. "
+            "Expected '<id>.credentials.iot.<region>.amazonaws.com'"
+        )
+
+    @staticmethod
+    def _validate_pkcs11(pkcs11: PKCS11) -> PKCS11:
+        if "pkcs11_lib" not in pkcs11:
+            raise BRSError(
+                "PKCS#11 library path must be provided as 'pkcs11_lib'"
+                " in 'pkcs11'."
+            )
+        elif not Path(pkcs11["pkcs11_lib"]).expanduser().resolve().is_file():
+            raise BRSError(
+                f"'{pkcs11['pkcs11_lib']}' is not a valid file path for "
+                "'pkcs11_lib' in 'pkcs11'."
+            )
+        pkcs11.setdefault("user_pin", None)
+        pkcs11.setdefault("slot_id", None)
+        pkcs11.setdefault("token_label", None)
+        pkcs11.setdefault("private_key_label", None)
+        return pkcs11

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/methods/sts.py

@@ -45,7 +45,7 @@ class STSRefreshableSession(BaseRefreshableSession, registry_key="sts"):
         **kwargs,
     ):
         if "refresh_method" in kwargs:
-            BRSWarning(
+            BRSWarning.warn(
                 "'refresh_method' cannot be set manually. "
                 "Reverting to 'sts-assume-role'."
             )
@@ -60,7 +60,7 @@ class STSRefreshableSession(BaseRefreshableSession, registry_key="sts"):
         if sts_client_kwargs is not None:
             # overwriting 'service_name' if if appears in sts_client_kwargs
             if "service_name" in sts_client_kwargs:
-                BRSWarning(
+                BRSWarning.warn(
                     "'sts_client_kwargs' cannot contain values for "
                     "'service_name'. Reverting to service_name = 'sts'."
                 )

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/session.py

@@ -36,6 +36,7 @@ class RefreshableSession:
     See Also
     --------
     boto3_refresh_session.methods.custom.CustomRefreshableSession
+    boto3_refresh_session.methods.iot.IOTX509RefreshableSession
     boto3_refresh_session.methods.sts.STSRefreshableSession
     """
 

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/utils/internal.py

@@ -1,4 +1,6 @@
 __all__ = [
+    "AWSCRTResponse",
+    "BaseIoTRefreshableSession",
     "BaseRefreshableSession",
     "BRSSession",
     "CredentialProvider",
@@ -10,6 +12,7 @@ from abc import ABC, abstractmethod
 from functools import wraps
 from typing import Any, Callable, ClassVar, Generic, TypeVar, cast
 
+from awscrt.http import HttpHeaders
 from boto3.session import Session
 from botocore.credentials import (
     DeferredRefreshableCredentials,
@@ -19,6 +22,7 @@ from botocore.credentials import (
 from ..exceptions import BRSWarning
 from .typing import (
     Identity,
+    IoTAuthenticationMethod,
     Method,
     RefreshableTemporaryCredentials,
     RefreshMethod,
@@ -46,7 +50,9 @@ class Registry(Generic[RegistryKey]):
         super().__init_subclass__(**kwargs)
 
         if registry_key in cls.registry:
-            BRSWarning(f"{registry_key!r} already registered. Overwriting.")
+            BRSWarning.warn(
+                f"{registry_key!r} already registered. Overwriting."
+            )
 
         if "sentinel" not in registry_key:
             cls.registry[registry_key] = cls
@@ -202,3 +208,35 @@ class BaseRefreshableSession(
 
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
+
+
+class BaseIoTRefreshableSession(
+    Registry[IoTAuthenticationMethod],
+    CredentialProvider,
+    BRSSession,
+    registry_key="__iot_sentinel__",
+):
+    def __init__(self, **kwargs):
+        super().__init__(**kwargs)
+
+
+class AWSCRTResponse:
+    """Lightweight response collector for awscrt HTTP."""
+
+    def __init__(self):
+        """Initialize to default for when callbacks are called."""
+
+        self.status_code = None
+        self.headers = None
+        self.body = bytearray()
+
+    def on_response(self, http_stream, status_code, headers, **kwargs):
+        """Process awscrt.io response."""
+
+        self.status_code = status_code
+        self.headers = HttpHeaders(headers)
+
+    def on_body(self, http_stream, chunk, **kwargs):
+        """Process awscrt.io body."""
+
+        self.body.extend(chunk)

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/boto3_refresh_session/utils/typing.py

@@ -33,20 +33,23 @@ except ImportError:
     from typing_extensions import NotRequired
 
 #: Type alias for all currently available IoT authentication methods.
-IoTAuthenticationMethod = Literal["certificate", "cognito", "__iot_sentinel__"]
+IoTAuthenticationMethod = Literal["x509", "__iot_sentinel__"]
 
 #: Type alias for all currently available credential refresh methods.
 Method = Literal[
-    "sts",
     "custom",
+    "iot",
+    "sts",
     "__sentinel__",
-]  # TODO: Add iot when implemented
+    "__iot_sentinel__",
+]
 
 #: Type alias for all refresh method names.
 RefreshMethod = Literal[
-    "sts-assume-role",
     "custom",
-]  # TODO: Add iot-certificate and iot-cognito when iot implemented
+    "iot-x509",
+    "sts-assume-role",
+]
 
 #: Type alias for all currently registered credential refresh methods.
 RegistryKey = TypeVar("RegistryKey", bound=str)
@@ -136,7 +139,7 @@ class STSClientParams(TypedDict):
 
 
 class PKCS11(TypedDict):
-    pkcs11_loc: str
+    pkcs11_lib: str
     user_pin: NotRequired[str]
     slot_id: NotRequired[int]
     token_label: NotRequired[str | None]

{boto3_refresh_session-4.0.0 → boto3_refresh_session-5.0.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "boto3-refresh-session"
-version = "4.0.0"
+version = "5.0.0"
 description = "A simple Python package for refreshing the temporary security credentials in a boto3.session.Session object automatically."
 authors = [
     {name = "Mike Letts",email = "lettsmt@gmail.com"}
@@ -8,8 +8,8 @@ authors = [
 license = {text = "MIT"}
 readme = "README.md"
 requires-python = ">=3.10"
-dependencies = ["boto3", "botocore", "requests", "typing-extensions"]
-keywords = ["boto3", "botocore", "aws", "sts", "credentials", "token", "refresh"]
+dependencies = ["boto3", "botocore", "requests", "typing-extensions", "awscrt"]
+keywords = ["boto3", "botocore", "aws", "sts", "credentials", "token", "refresh", "iot", "x509"]
 maintainers = [
   {name="Michael Letts", email="lettsmt@gmail.com"},
 ]

boto3_refresh_session-4.0.0/boto3_refresh_session/methods/__init__.py

@@ -1,10 +0,0 @@
-__all__ = []
-
-# TODO: import iot submodules when finished
-from . import custom, sts
-from .custom import CustomRefreshableSession
-from .sts import STSRefreshableSession
-
-# TODO: add iot submodules to __all__ when finished
-__all__.extend(custom.__all__)
-__all__.extend(sts.__all__)

boto3_refresh_session-4.0.0/boto3_refresh_session/methods/iot/__init__.typed

@@ -1,4 +0,0 @@
-from .certificate import IoTCertificateRefreshableSession
-from .core import IoTRefreshableSession
-
-__all__ = ["IoTRefreshableSession"]

boto3_refresh_session-4.0.0/boto3_refresh_session/methods/iot/certificate.typed

@@ -1,57 +0,0 @@
-__all__ = ["IoTCertificateRefreshableSession"]
-
-from pathlib import Path
-from typing import Any
-
-from ...exceptions import BRSError
-from ...utils import (
-    Identity, PKCS11, TemporaryCredentials, refreshable_session
-)
-from .core import BaseIoTRefreshableSession
-
-
-@refreshable_session
-class IoTCertificateRefreshableSession(
-    BaseIoTRefreshableSession, registry_key="certificate"
-):
-    def __init__(
-        self,
-        endpoint: str,
-        role_alias: str,
-        thing_name: str,
-        certificate: str | bytes,
-        private_key: str | bytes | None = None,
-        pkcs11: PKCS11 | None = None,
-        ca: bytes | None = None,
-        verify_peer: bool = True,
-    ):
-        self.endpoint = endpoint
-        self.role_alias = role_alias
-        self.thing_name = thing_name
-        self.certificate = certificate
-        self.private_key = private_key
-        self.pkcs11 = pkcs11
-        self.ca = ca
-        self.verify_peer = verify_peer
-
-        if self.certificate and isinstance(self.certificate, str):
-            with open(Path(self.certificate), "rb") as cert_pem_file:
-                self.certificate = cert_pem_file.read()
-
-        if self.private_key is None and self.pkcs11 is None:
-            raise BRSError(
-                "Either 'private_key' or 'pkcs11' must be provided."
-            )
-
-        if self.private_key is not None and self.pkcs11 is not None:
-            raise BRSError(
-                "Only one of 'private_key' or 'pkcs11' can be provided."
-            )
-
-        if self.private_key and isinstance(self.private_key, str):
-            with open(Path(self.private_key), "rb") as private_key_pem_file:
-                self.private_key = private_key_pem_file.read()
-
-    def _get_credentials(self) -> TemporaryCredentials: ...
-
-    def get_identity(self) -> Identity: ...

boto3_refresh_session-4.0.0/boto3_refresh_session/methods/iot/cognito.typed

@@ -1,17 +0,0 @@
-__all__ = ["IoTCognitoRefreshableSession"]
-
-from typing import Any
-
-from ...utils import Identity, TemporaryCredentials, refreshable_session
-from .core import BaseIoTRefreshableSession
-
-
-@refreshable_session
-class IoTCognitoRefreshableSession(
-    BaseIoTRefreshableSession, registry_key="cognito"
-):
-    def __init__(self): ...
-
-    def _get_credentials(self) -> TemporaryCredentials: ...
-
-    def get_identity(self) -> Identity: ...