cardo-python-utils 0.5.dev34__py3-none-any.whl → 0.5.dev35__py3-none-any.whl

{cardo_python_utils-0.5.dev34.dist-info → cardo_python_utils-0.5.dev35.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev34
+Version: 0.5.dev35
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev34.dist-info → cardo_python_utils-0.5.dev35.dist-info}/RECORD

@@ -1,4 +1,4 @@
-cardo_python_utils-0.5.dev34.dist-info/licenses/LICENSE,sha256=N-YtxDy8n5A1Mo7JKKItNIlboiK_pMOZ48ojx76jo3g,1046
+cardo_python_utils-0.5.dev35.dist-info/licenses/LICENSE,sha256=N-YtxDy8n5A1Mo7JKKItNIlboiK_pMOZ48ojx76jo3g,1046
 python_utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 python_utils/choices.py,sha256=_sLNkSnQqhg55gGKNRsOQCJ75W6gnz8J8Q00528MEYk,2548
 python_utils/data_structures.py,sha256=ZqkZYPy20zyGYOVhwb9qst4vF_P7X2A9z5E36rMUC6I,16820
@@ -11,16 +11,16 @@ python_utils/math.py,sha256=p_v8a9nVSe9426nR8H_SM8hOQrkzESVpCnn3gntw7TA,5603
 python_utils/text.py,sha256=pw9CZeM_Lcw-6k4GyR-4D1Wix8A7F_V1u1IIZTIazW4,3792
 python_utils/time.py,sha256=7Wei3uJ02Bk-BFRf-e1axoG418XQOhrXPvTwNZgTdnw,9614
 python_utils/types_hinting.py,sha256=QVWzmXRgNxhvln14tEX_FbQYryuVYhjWJ0dVOnlF6G4,120
-python_utils/django/README.md,sha256=nebCSS4joARr7F1rlJtKNO7S0Y9ctM3IJCmya0zInGM,4068
+python_utils/django/README.md,sha256=3_Cj0r7t8--FXls5tpDuSqM4TedvP4GZ527qHK1iL54,4749
 python_utils/django/__init__.py,sha256=uXyqF-_5gZAlSIKoQkUTedAeBjnUHqh6lR6SzA1DEOM,64
 python_utils/django/apps.py,sha256=rgGdSsvptNVQ5QOEfYTdX7eA9EBgEPqq3LKIBLxaFLo,103
-python_utils/django/oidc_settings.py,sha256=I6-dpo7vxI8Z7UQyyzDm0N1uLKCcOpgS337JlCpWpqU,2838
+python_utils/django/oidc_settings.py,sha256=Moc3ZEOIb40sCcvJtl4Xo51SjC__9Ki85sRhFuoX9dg,3926
 python_utils/django/settings.py,sha256=tapr6NaZyYBN8XRq6CmzhLiTtdW_4v1XiytZP4rDLf4,646
 python_utils/django/tenant_context.py,sha256=cbCggpUUB1BUcUtoqbriEgtc5ZyYtuaU7aWPiobg4uU,2980
 python_utils/django/admin/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-python_utils/django/admin/auth.py,sha256=Gd5CCZ-0FDPNi3-8fcDOr37fnS7K2kjm7B6xpzmROME,2783
+python_utils/django/admin/auth.py,sha256=c3BunWJZKCvp0px27jCrqj_BtY7lkS7ATpjxbqdZQMA,2809
 python_utils/django/admin/user_group.py,sha256=7bt9IyE1o4u0u97vrbRWra6698SBsRrEh_9It1djn4k,6060
-python_utils/django/admin/views.py,sha256=Po2Kr7GyavxBtmPIyg-N8yLdQTas9tzRDV50clLJ_Ms,1784
+python_utils/django/admin/views.py,sha256=D4Ez-RkZa_c7O8AN1ljosBBJWieSodrY2TAZ7-uw3e0,756
 python_utils/django/admin/templates/__init__.py,sha256=LxCKcnJ1Ty48CFDJ8XtAZYTW45xDw5o7H4GLsRo6iQk,53
 python_utils/django/admin/templates/user_groups_changelist.html,sha256=KbO6bsH-nh3DDYCq4UB8j25NdjLP_nh_GuGZ4lYSarM,182
 python_utils/django/api/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -48,7 +48,7 @@ python_utils/django/storage/__init__.py,sha256=mNn2YmD7pkXhBLHMM1444BLsCMq78YdYx
 python_utils/django/storage/tenant_aware_storage.py,sha256=5dDes6xLv7_R8hIBbFIzRvPL7HL9K_RM-G6LI8qUSxM,2550
 python_utils/django/tests/__init__.py,sha256=Nkt0a7LEHyjLvuEBZ7113VjjAWJlyZlMy-H-JZ5tNcs,252
 python_utils/django/tests/conftest.py,sha256=PTA2QAqOMtmeVE87C1FOTC2d_4FSRw_i1vMgLoxKkwA,3176
-cardo_python_utils-0.5.dev34.dist-info/METADATA,sha256=YdNukdBcqMLicjJSBpH8FxHu8KZleVmrl2ip4enTyhM,3007
-cardo_python_utils-0.5.dev34.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-cardo_python_utils-0.5.dev34.dist-info/top_level.txt,sha256=zAx6OfEsjJs8BEW3okSiG_j9gpkI69xWShzum6oBgKI,13
-cardo_python_utils-0.5.dev34.dist-info/RECORD,,
+cardo_python_utils-0.5.dev35.dist-info/METADATA,sha256=bIG6Xl8SLFcXMEuER43lVrmovSysxNX5dmjSOMhBp5I,3007
+cardo_python_utils-0.5.dev35.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+cardo_python_utils-0.5.dev35.dist-info/top_level.txt,sha256=zAx6OfEsjJs8BEW3okSiG_j9gpkI69xWShzum6oBgKI,13
+cardo_python_utils-0.5.dev35.dist-info/RECORD,,

python_utils/django/README.md

@@ -111,15 +111,35 @@ KEYCLOAK_USER_GROUP_MODEL = "myapp.UserGroup"
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", f"{JWT_AUDIENCE}_confidential")
 
 OIDC_RP_CLIENT_ID = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
-OIDC_RP_CLIENT_SECRET = None
 OIDC_RP_SIGN_ALGO = "RS256"
 OIDC_CREATE_USER = True
+OIDC_AUTHENTICATE_CLASS = "python_utils.django.admin.views.TenantAwareOIDCAuthenticationRequestView"
 
 LOGIN_REDIRECT_URL = "/admin"
 SESSION_COOKIE_AGE = 60 * 30  # 30 minutes
 SESSION_SAVE_EVERY_REQUEST = True  # Extend session on each request
 ```
 
+## urls.py file
+
+The views of the `mozilla-django-oidc` package need to be exposed as well, for the OIDC auth:
+
+```python3
+urlpatterns.append(path("oidc/", include("mozilla_django_oidc.urls")))
+```
+
+## admin.py file
+
+The Django Admin Panel needs to be configured to automatically redirect to the OIDC login page:
+
+```python3
+from python_utils.django.admin.auth import has_admin_site_permission
+from python_utils.django.admin.views import TenantAwareOIDCAuthenticationRequestView
+
+admin.site.login = TenantAwareOIDCAuthenticationRequestView.as_view()
+admin.site.has_permission = has_admin_site_permission
+```
+
 ## With django-ninja
 
 If using `django-ninja`, apart from the settings configured above, auth utils are provided in the django/api/ninja.py module.

python_utils/django/admin/auth.py

@@ -18,23 +18,18 @@ class AdminAuthenticationBackend(OIDCAuthenticationBackend):
     own Keycloak realm.
     """
 
-    @property
-    def OIDC_OP_TOKEN_ENDPOINT(self):
-        """Dynamically get the token endpoint for the current tenant."""
-
-        return get_oidc_op_token_endpoint()
-
-    @property
-    def OIDC_OP_USER_ENDPOINT(self):
-        """Dynamically get the userinfo endpoint for the current tenant."""
-
-        return get_oidc_op_user_endpoint()
-
-    @property
-    def OIDC_OP_JWKS_ENDPOINT(self):
-        """Dynamically get the JWKS endpoint for the current tenant."""
-
-        return get_oidc_op_jwks_endpoint()
+    def get_settings(self, attr, *args):
+        if attr == "OIDC_OP_TOKEN_ENDPOINT":
+            return get_oidc_op_token_endpoint()
+        if attr == "OIDC_OP_USER_ENDPOINT":
+            return get_oidc_op_user_endpoint()
+        if attr == "OIDC_OP_JWKS_ENDPOINT":
+            return get_oidc_op_jwks_endpoint()
+        if attr == "OIDC_RP_CLIENT_SECRET":
+            # The explicit return of None is needed to prevent the parent class from raising an error
+            return None
+
+        return super().get_settings(attr, *args)
 
     def get_token(self, payload):
         # Instead of passing client_id and client_secret,

python_utils/django/admin/views.py

@@ -5,16 +5,9 @@ These views override the default mozilla-django-oidc views to dynamically
 resolve OIDC endpoints based on the current tenant context.
 """
 
-from mozilla_django_oidc.views import (
-    OIDCAuthenticationCallbackView,
-    OIDCAuthenticationRequestView,
-    OIDCLogoutView,
-)
+from mozilla_django_oidc.views import OIDCAuthenticationRequestView
 
-from ..oidc_settings import (
-    get_oidc_op_authorization_endpoint,
-    get_oidc_op_logout_endpoint,
-)
+from ..oidc_settings import get_oidc_op_authorization_endpoint
 
 
 class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
@@ -24,40 +17,8 @@ class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
     Dynamically resolves the authorization endpoint based on the current tenant.
     """
 
-    @property
-    def OIDC_OP_AUTH_ENDPOINT(self):
-        """Dynamically get the authorization endpoint for the current tenant."""
-        return get_oidc_op_authorization_endpoint()
-
     def get_settings(self, attr, *args):
         if attr == "OIDC_OP_AUTHORIZATION_ENDPOINT":
-            return self.OIDC_OP_AUTH_ENDPOINT
-        return super().get_settings(attr, *args)
-
-
-class TenantAwareOIDCAuthenticationCallbackView(OIDCAuthenticationCallbackView):
-    """
-    Tenant-aware OIDC authentication callback view.
-
-    Uses the tenant-aware authentication backend.
-    """
-
-    pass
+            return get_oidc_op_authorization_endpoint()
 
-
-class TenantAwareOIDCLogoutView(OIDCLogoutView):
-    """
-    Tenant-aware OIDC logout view.
-
-    Dynamically resolves the logout endpoint based on the current tenant.
-    """
-
-    @property
-    def OIDC_OP_LOGOUT_ENDPOINT(self):
-        """Dynamically get the logout endpoint for the current tenant."""
-        return get_oidc_op_logout_endpoint()
-
-    def get_settings(self, attr, *args):
-        if attr == "OIDC_OP_LOGOUT_ENDPOINT":
-            return self.OIDC_OP_LOGOUT_ENDPOINT
         return super().get_settings(attr, *args)

python_utils/django/oidc_settings.py

@@ -8,17 +8,30 @@ import json
 import os
 import requests
 
+from django.conf import settings
 from .tenant_context import TenantContext
 
 
 KEYCLOAK_SERVER_URL = os.getenv("KEYCLOAK_SERVER_URL", None)
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", None)
+
+OIDC_CLIENT_AUTH_METHOD = getattr(settings, "OIDC_CLIENT_AUTH_METHOD", "client_assertion")
+if OIDC_CLIENT_AUTH_METHOD not in ("client_assertion", "client_secret"):
+    raise ValueError(
+        f"Invalid OIDC_CLIENT_AUTH_METHOD: {OIDC_CLIENT_AUTH_METHOD}. "
+        f"Supported methods are 'client_assertion' and 'client_secret'."
+    )
+
 KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS: dict[str, str] = json.loads(
     os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS", "{}")
 )
 KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials"
 KEYCLOAK_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 
+KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS: dict[str, str] = json.loads(
+    os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS", "{}")
+)
+
 
 def get_oidc_op_base_url() -> str:
     """Get the base URL for the OIDC provider (Keycloak realm URL)."""
@@ -65,20 +78,38 @@ def get_confidential_client_service_account_token() -> str:
     return token
 
 
+def get_confidential_client_secret() -> str:
+    """
+    Retrieves the Keycloak confidential client secret for the current tenant.
+    """
+    tenant = TenantContext.get()
+    client_secret = KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS.get(tenant)
+    if not client_secret:
+        raise ValueError(f"Keycloak confidential client secret for tenant {tenant} not found.")
+
+    return client_secret
+
+
 def get_oidc_confidential_client_token(**kwargs) -> dict:
     """
     Obtains token for an OIDC confidential client with the client credentials grant,
     using a service account token for authentication.
     """
 
+    data = {
+        "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
+        **kwargs,
+    }
+    if OIDC_CLIENT_AUTH_METHOD == "client_secret":
+        data["client_id"] = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
+        data["client_secret"] = get_confidential_client_secret()
+    else:
+        data["client_assertion_type"] = KEYCLOAK_CLIENT_ASSERTION_TYPE
+        data["client_assertion"] = get_confidential_client_service_account_token()
+
     response = requests.post(
         get_oidc_op_token_endpoint(),
-        data={
-            "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
-            "client_assertion_type": KEYCLOAK_CLIENT_ASSERTION_TYPE,
-            "client_assertion": get_confidential_client_service_account_token(),
-            **kwargs,
-        },
+        data=data,
     )
     response.raise_for_status()