PyPI - cardo-python-utils - Versions diffs - 0.5.dev34__tar.gz → 0.5.dev35__tar.gz - Mend

cardo-python-utils 0.5.dev34tar.gz → 0.5.dev35tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

{cardo_python_utils-0.5.dev34/cardo_python_utils.egg-info → cardo_python_utils-0.5.dev35}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev34
+Version: 0.5.dev35
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev35/cardo_python_utils.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev34
+Version: 0.5.dev35
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev35}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "cardo-python-utils"
-version = "0.5.dev34"
+version = "0.5.dev35"
 description = "Python library enhanced with a wide range of functions for different scenarios."
 readme = "README.rst"
 requires-python = ">=3.8"

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev35}/python_utils/django/README.md RENAMED Viewed

@@ -111,15 +111,35 @@ KEYCLOAK_USER_GROUP_MODEL = "myapp.UserGroup"
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", f"{JWT_AUDIENCE}_confidential")
 OIDC_RP_CLIENT_ID = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
-OIDC_RP_CLIENT_SECRET = None
 OIDC_RP_SIGN_ALGO = "RS256"
 OIDC_CREATE_USER = True
+OIDC_AUTHENTICATE_CLASS = "python_utils.django.admin.views.TenantAwareOIDCAuthenticationRequestView"
 LOGIN_REDIRECT_URL = "/admin"
 SESSION_COOKIE_AGE = 60 * 30  # 30 minutes
 SESSION_SAVE_EVERY_REQUEST = True  # Extend session on each request
 ```
+## urls.py file
+The views of the `mozilla-django-oidc` package need to be exposed as well, for the OIDC auth:
+```python3
+urlpatterns.append(path("oidc/", include("mozilla_django_oidc.urls")))
+```
+## admin.py file
+The Django Admin Panel needs to be configured to automatically redirect to the OIDC login page:
+```python3
+from python_utils.django.admin.auth import has_admin_site_permission
+from python_utils.django.admin.views import TenantAwareOIDCAuthenticationRequestView
+admin.site.login = TenantAwareOIDCAuthenticationRequestView.as_view()
+admin.site.has_permission = has_admin_site_permission
+```
 ## With django-ninja
 If using `django-ninja`, apart from the settings configured above, auth utils are provided in the django/api/ninja.py module.

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev35}/python_utils/django/admin/auth.py RENAMED Viewed

@@ -18,23 +18,18 @@ class AdminAuthenticationBackend(OIDCAuthenticationBackend):
     own Keycloak realm.
     """
-    @property
-    def OIDC_OP_TOKEN_ENDPOINT(self):
-        """Dynamically get the token endpoint for the current tenant."""
-        return get_oidc_op_token_endpoint()
-    @property
-    def OIDC_OP_USER_ENDPOINT(self):
-        """Dynamically get the userinfo endpoint for the current tenant."""
-        return get_oidc_op_user_endpoint()
-    @property
-    def OIDC_OP_JWKS_ENDPOINT(self):
-        """Dynamically get the JWKS endpoint for the current tenant."""
-        return get_oidc_op_jwks_endpoint()
+    def get_settings(self, attr, *args):
+        if attr == "OIDC_OP_TOKEN_ENDPOINT":
+            return get_oidc_op_token_endpoint()
+        if attr == "OIDC_OP_USER_ENDPOINT":
+            return get_oidc_op_user_endpoint()
+        if attr == "OIDC_OP_JWKS_ENDPOINT":
+            return get_oidc_op_jwks_endpoint()
+        if attr == "OIDC_RP_CLIENT_SECRET":
+            # The explicit return of None is needed to prevent the parent class from raising an error
+            return None
+        return super().get_settings(attr, *args)
     def get_token(self, payload):
         # Instead of passing client_id and client_secret,

cardo_python_utils-0.5.dev35/python_utils/django/admin/views.py ADDED Viewed

@@ -0,0 +1,24 @@
+"""
+Tenant-aware OIDC views for mozilla-django-oidc.
+These views override the default mozilla-django-oidc views to dynamically
+resolve OIDC endpoints based on the current tenant context.
+"""
+from mozilla_django_oidc.views import OIDCAuthenticationRequestView
+from ..oidc_settings import get_oidc_op_authorization_endpoint
+class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
+    """
+    Tenant-aware OIDC authentication request view.
+    Dynamically resolves the authorization endpoint based on the current tenant.
+    """
+    def get_settings(self, attr, *args):
+        if attr == "OIDC_OP_AUTHORIZATION_ENDPOINT":
+            return get_oidc_op_authorization_endpoint()
+        return super().get_settings(attr, *args)

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev35}/python_utils/django/oidc_settings.py RENAMED Viewed

@@ -8,17 +8,30 @@ import json
 import os
 import requests
+from django.conf import settings
 from .tenant_context import TenantContext
 KEYCLOAK_SERVER_URL = os.getenv("KEYCLOAK_SERVER_URL", None)
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", None)
+OIDC_CLIENT_AUTH_METHOD = getattr(settings, "OIDC_CLIENT_AUTH_METHOD", "client_assertion")
+if OIDC_CLIENT_AUTH_METHOD not in ("client_assertion", "client_secret"):
+    raise ValueError(
+        f"Invalid OIDC_CLIENT_AUTH_METHOD: {OIDC_CLIENT_AUTH_METHOD}. "
+        f"Supported methods are 'client_assertion' and 'client_secret'."
+    )
 KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS: dict[str, str] = json.loads(
     os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS", "{}")
 )
 KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials"
 KEYCLOAK_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS: dict[str, str] = json.loads(
+    os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS", "{}")
+)
 def get_oidc_op_base_url() -> str:
     """Get the base URL for the OIDC provider (Keycloak realm URL)."""
@@ -65,20 +78,38 @@ def get_confidential_client_service_account_token() -> str:
     return token
+def get_confidential_client_secret() -> str:
+    """
+    Retrieves the Keycloak confidential client secret for the current tenant.
+    """
+    tenant = TenantContext.get()
+    client_secret = KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS.get(tenant)
+    if not client_secret:
+        raise ValueError(f"Keycloak confidential client secret for tenant {tenant} not found.")
+    return client_secret
 def get_oidc_confidential_client_token(**kwargs) -> dict:
     """
     Obtains token for an OIDC confidential client with the client credentials grant,
     using a service account token for authentication.
     """
+    data = {
+        "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
+        **kwargs,
+    }
+    if OIDC_CLIENT_AUTH_METHOD == "client_secret":
+        data["client_id"] = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
+        data["client_secret"] = get_confidential_client_secret()
+    else:
+        data["client_assertion_type"] = KEYCLOAK_CLIENT_ASSERTION_TYPE
+        data["client_assertion"] = get_confidential_client_service_account_token()
     response = requests.post(
         get_oidc_op_token_endpoint(),
-        data={
-            "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
-            "client_assertion_type": KEYCLOAK_CLIENT_ASSERTION_TYPE,
-            "client_assertion": get_confidential_client_service_account_token(),
-            **kwargs,
-        },
+        data=data,
     )
     response.raise_for_status()

cardo_python_utils-0.5.dev34/python_utils/django/admin/views.py DELETED Viewed

@@ -1,63 +0,0 @@
-"""
-Tenant-aware OIDC views for mozilla-django-oidc.
-These views override the default mozilla-django-oidc views to dynamically
-resolve OIDC endpoints based on the current tenant context.
-"""
-from mozilla_django_oidc.views import (
-    OIDCAuthenticationCallbackView,
-    OIDCAuthenticationRequestView,
-    OIDCLogoutView,
-)
-from ..oidc_settings import (
-    get_oidc_op_authorization_endpoint,
-    get_oidc_op_logout_endpoint,
-)
-class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
-    """
-    Tenant-aware OIDC authentication request view.
-    Dynamically resolves the authorization endpoint based on the current tenant.
-    """
-    @property
-    def OIDC_OP_AUTH_ENDPOINT(self):
-        """Dynamically get the authorization endpoint for the current tenant."""
-        return get_oidc_op_authorization_endpoint()
-    def get_settings(self, attr, *args):
-        if attr == "OIDC_OP_AUTHORIZATION_ENDPOINT":
-            return self.OIDC_OP_AUTH_ENDPOINT
-        return super().get_settings(attr, *args)
-class TenantAwareOIDCAuthenticationCallbackView(OIDCAuthenticationCallbackView):
-    """
-    Tenant-aware OIDC authentication callback view.
-    Uses the tenant-aware authentication backend.
-    """
-    pass
-class TenantAwareOIDCLogoutView(OIDCLogoutView):
-    """
-    Tenant-aware OIDC logout view.
-    Dynamically resolves the logout endpoint based on the current tenant.
-    """
-    @property
-    def OIDC_OP_LOGOUT_ENDPOINT(self):
-        """Dynamically get the logout endpoint for the current tenant."""
-        return get_oidc_op_logout_endpoint()
-    def get_settings(self, attr, *args):
-        if attr == "OIDC_OP_LOGOUT_ENDPOINT":
-            return self.OIDC_OP_LOGOUT_ENDPOINT
-        return super().get_settings(attr, *args)