cardo-python-utils 0.5.dev11__tar.gz → 0.5.dev13__tar.gz

{cardo_python_utils-0.5.dev11/cardo_python_utils.egg-info → cardo_python_utils-0.5.dev13}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev11
+Version: 0.5.dev13
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev11 → cardo_python_utils-0.5.dev13/cardo_python_utils.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev11
+Version: 0.5.dev13
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev11 → cardo_python_utils-0.5.dev13}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cardo-python-utils"
-version = "0.5.dev11"
+version = "0.5.dev13"
 description = "Python library enhanced with a wide range of functions for different scenarios."
 readme = "README.rst"
 requires-python = ">=3.8"

{cardo_python_utils-0.5.dev11 → cardo_python_utils-0.5.dev13}/python_utils/django/keycloak/api/ninja.py

@@ -1,34 +1,77 @@
-from typing import Literal
+import logging
+from typing import Literal, Optional
 
 from jwt.exceptions import InvalidTokenError
 
 from django.conf import settings
+from django.http import HttpRequest
 from ninja.security import HttpBearer
 from ninja.errors import AuthenticationError, HttpError
 
-from .utils import create_or_update_user, decode_jwt
+from .utils import (
+    acreate_or_update_user,
+    create_or_update_user,
+    decode_jwt,
+    TokenPayload,
+)
+
+logger = logging.getLogger()
 
 
 class AuthBearer(HttpBearer):
-    def authenticate(self, request, token):
+    def __call__(self, request: HttpRequest):
+        token = self._get_token(request)
+        if not token:
+            return None
+
+        return self.authenticate(request, token)
+
+    def authenticate(self, request: HttpRequest, token: str) -> TokenPayload:
+        payload = self._decode_token(token)
+
+        username = self._get_username(payload)
+
+        user = create_or_update_user(username, payload)
+
+        self._verify_scopes(request, payload)
+
+        request.user = user
+
+        # The return value is stored in request.auth
+        return payload
+
+    def _get_token(self, request: HttpRequest) -> Optional[str]:
+        """
+        This part of the token validation is similar to what 
+        django-ninja is doing in HttpBearer.__call__
+        """
+        headers = request.headers
+        auth_value = headers.get(self.header)
+        if not auth_value:
+            return None
+        parts = auth_value.split(" ")
+
+        if parts[0].lower() != self.openapi_scheme:
+            if settings.DEBUG:
+                logger.error(f"Unexpected auth - '{auth_value}'")
+            return None
+
+        return " ".join(parts[1:])
+
+    def _decode_token(self, token: str) -> TokenPayload:
         try:
-            payload = decode_jwt(token)
+            return decode_jwt(token)
         except InvalidTokenError as e:
             raise AuthenticationError(f"Invalid token: {str(e)}") from e
 
+    def _get_username(self, payload: TokenPayload) -> str:
         try:
-            username = payload["preferred_username"]
+            return payload["preferred_username"]
         except KeyError as e:
             raise AuthenticationError(
-                "Invalid token: preferred_username not present."
+                "Invalid token: 'preferred_username' claim not present."
             ) from e
 
-        user = create_or_update_user(username, payload)
-
-        self._verify_scopes(request, payload)
-
-        return user
-
     def _verify_scopes(self, request, token_payload):
         allowed_scopes = self._get_view_allowed_scopes(request)
 
@@ -68,6 +111,33 @@ class AuthBearer(HttpBearer):
         )
 
 
+class AuthBearerAsync(AuthBearer):
+    """
+    Same as AuthBearer, but with async __call__ and authenticate methods.
+    """
+
+    async def __call__(self, request: HttpRequest):
+        token = self._get_token(request)
+        if not token:
+            return None
+
+        return await self.authenticate(request, token)
+
+    async def authenticate(self, request: HttpRequest, token: str) -> TokenPayload:
+        payload = self._decode_token(token)
+
+        username = self._get_username(payload)
+
+        user = await acreate_or_update_user(username, payload)
+
+        self._verify_scopes(request, payload)
+
+        request.user = user
+
+        # The return value is stored in request.auth
+        return payload
+
+
 def allowed_scopes(scopes: list[str] | Literal["*"]):
     """
     A decorator that attaches a list of required scopes to a view function

{cardo_python_utils-0.5.dev11 → cardo_python_utils-0.5.dev13}/python_utils/django/keycloak/api/utils.py

@@ -6,6 +6,7 @@ from jwt import decode, PyJWKClient
 
 jwks_client = PyJWKClient(getattr(settings, "JWKS_URL", ""))
 
+User = get_user_model()
 
 class TokenPayload(TypedDict, total=False):
     exp: int
@@ -43,35 +44,68 @@ def decode_jwt(token: str) -> TokenPayload:
     )
 
 
-def create_or_update_user(username: str, payload: TokenPayload):
+def get_user_data_from_payload(payload: TokenPayload) -> dict:
     """
-    Create or update a user based on the JWT payload.
+    Extract user data from the JWT payload.
     """
-    user_model = get_user_model()
     user_data = {
         "first_name": payload.get("given_name") or "",
         "last_name": payload.get("family_name") or "",
         "email": payload.get("email") or "",
         "is_staff": payload.get("is_staff", False),
     }
-    if hasattr(user_model, "is_demo"):
+
+    if hasattr(User, "is_demo"):
         user_data["is_demo"] = payload.get("is_demo", False)
 
-    user = user_model.objects.filter(username=username).first()
-    if user:
-        update_needed = False
+    return user_data
+
+
+def update_user_from_user_data(user, user_data: dict) -> bool:
+    update_needed = False
+
+    for field, value in user_data.items():
+        if getattr(user, field) != value:
+            setattr(user, field, value)
+            update_needed = True
 
-        for field, value in user_data.items():
-            if getattr(user, field) != value:
-                setattr(user, field, value)
-                update_needed = True
+    return update_needed
+
+
+def create_or_update_user(username: str, payload: TokenPayload):
+    """
+    Create or update a user based on the JWT payload.
+    """
+    user_data = get_user_data_from_payload(payload)
+
+    user = User.objects.filter(username=username).first()
+    if user:
+        update_needed = update_user_from_user_data(user, user_data)
 
         if update_needed:
             user.save(update_fields=list(user_data.keys()))
 
         return user
     else:
-        return user_model.objects.create(
+        return User.objects.create(
+            username=username,
+            **user_data,
+        )
+
+
+async def acreate_or_update_user(username: str, payload: TokenPayload):
+    user_data = get_user_data_from_payload(payload)
+
+    user = await User.objects.filter(username=username).afirst()
+    if user:
+        update_needed = update_user_from_user_data(user, user_data)
+
+        if update_needed:
+            await user.asave(update_fields=list(user_data.keys()))
+
+        return user
+    else:
+        return await User.objects.acreate(
             username=username,
             **user_data,
         )

{cardo_python_utils-0.5.dev11 → cardo_python_utils-0.5.dev13}/python_utils/django/keycloak/service.py

@@ -1,9 +1,11 @@
 from django.apps import apps
 from django.conf import settings
+from django.db import models
 from keycloak import KeycloakAdmin
 from keycloak import KeycloakOpenIDConnection
 from keycloak.exceptions import KeycloakGetError
 
+
 def _get_user_group_model():
     """
     Dynamically get the UserGroup model.
@@ -76,7 +78,7 @@ class KeycloakService:
         return KeycloakAdmin(connection=keycloak_connection)
 
     def _process_group_recursively(
-        self, group, existing_groups_by_id, reported_group_ids
+        self, group: dict, existing_groups_by_id: dict[str, models.Model], reported_group_ids: set[str]
     ):
         group_id = str(group["id"])
         reported_group_ids.add(group_id)
@@ -100,6 +102,74 @@ class KeycloakService:
                 )
 
 
+class KeycloakServiceAsync(KeycloakService):
+    """
+    Async version of KeycloakService.
+    """
+
+    async def sync_user_groups(self, raise_exceptions: bool = False):
+        print("Syncing user groups from Keycloak...")
+
+        try:
+            groups = self._keycloak_admin.get_groups(full_hierarchy=True)
+        except KeycloakGetError as e:
+            print(f"Failed to fetch groups from Keycloak: {str(e)}")
+            if raise_exceptions:
+                raise e
+
+            return
+
+        # Process existing and new groups
+        existing_groups = self._user_group_model.objects.all()
+        existing_groups_by_id = {
+            str(group.id): group async for group in existing_groups
+        }
+
+        reported_group_ids = set()
+        for group in groups:
+            await self._process_group_recursively(
+                group, existing_groups_by_id, reported_group_ids
+            )
+
+        # Identify deleted groups
+        deleted_groups = self._user_group_model.objects.exclude(
+            id__in=reported_group_ids
+        )
+        if await deleted_groups.aexists():
+            paths = [
+                path async for path in deleted_groups.values_list("path", flat=True)
+            ]
+            print(f"Deleting groups no longer present in Keycloak: {paths}")
+
+            await deleted_groups.adelete()
+
+    async def _process_group_recursively(
+        self, group: dict, existing_groups_by_id: dict[str, models.Model], reported_group_ids: set[str]
+    ):
+        group_id = str(group["id"])
+        reported_group_ids.add(group_id)
+
+        if group_id in existing_groups_by_id:
+            existing_group = existing_groups_by_id[group_id]
+            if existing_group.path != group["path"]:
+                print(
+                    f"Updating group path from {existing_group.path} to {group['path']}..."
+                )
+                existing_group.path = group["path"]
+                await existing_group.asave()
+        else:
+            print(f"Creating new group with path {group['path']}...")
+            await self._user_group_model.objects.acreate(
+                id=group_id, path=group["path"]
+            )
+
+        if subgroups := group.get("subGroups"):
+            for subgroup in subgroups:
+                await self._process_group_recursively(
+                    subgroup, existing_groups_by_id, reported_group_ids
+                )
+
+
 class AuthServiceBase:
     @staticmethod
     def _get_all_level_paths(path: str) -> list[str]:
@@ -128,3 +198,21 @@ class AuthServiceBase:
             user_groups = UserGroup.objects.filter(path__in=all_group_paths)
 
         return user_groups
+
+
+class AuthServiceBaseAsync(AuthServiceBase):
+    @classmethod
+    async def _get_user_groups_from_paths(cls, group_paths: list[str]):
+        all_group_paths = set()
+        for path in group_paths:
+            all_group_paths.update(cls._get_all_level_paths(path))
+
+        UserGroup = _get_user_group_model()
+        user_groups = UserGroup.objects.filter(path__in=all_group_paths)
+
+        # If a group is missing/has been renamed in Keycloak, sync the groups
+        if await user_groups.acount() != len(all_group_paths):
+            await KeycloakServiceAsync().sync_user_groups()
+            user_groups = UserGroup.objects.filter(path__in=all_group_paths)
+
+        return user_groups