PyPI - cardo-python-utils - Versions diffs - 0.5.dev34__tar.gz → 0.5.dev36__tar.gz - Mend

cardo-python-utils 0.5.dev34tar.gz → 0.5.dev36tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

{cardo_python_utils-0.5.dev34/cardo_python_utils.egg-info → cardo_python_utils-0.5.dev36}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev34
+Version: 0.5.dev36
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36/cardo_python_utils.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cardo-python-utils
-Version: 0.5.dev34
+Version: 0.5.dev36
 Summary: Python library enhanced with a wide range of functions for different scenarios.
 Author-email: CardoAI <hello@cardoai.com>
 License: MIT

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "cardo-python-utils"
-version = "0.5.dev34"
+version = "0.5.dev36"
 description = "Python library enhanced with a wide range of functions for different scenarios."
 readme = "README.rst"
 requires-python = ">=3.8"

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36}/python_utils/django/README.md RENAMED Viewed

@@ -46,9 +46,7 @@ DATABASES = {
 DEVELOPMENT_TENANT = "development"
 # This is required to use the tenant context when routing database queries
-DATABASE_ROUTERS = [
-    "python_utils.django.db.routers.TenantAwareRouter"
-]
+DATABASE_ROUTERS = ["python_utils.django.db.routers.TenantAwareRouter"]
 # If using celery, set the task class to TenantAwareTask:
 CELERY_TASK_CLS = "python_utils.django.celery.TenantAwareTask"
@@ -111,15 +109,70 @@ KEYCLOAK_USER_GROUP_MODEL = "myapp.UserGroup"
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", f"{JWT_AUDIENCE}_confidential")
 OIDC_RP_CLIENT_ID = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
-OIDC_RP_CLIENT_SECRET = None
 OIDC_RP_SIGN_ALGO = "RS256"
 OIDC_CREATE_USER = True
+OIDC_AUTHENTICATE_CLASS = "python_utils.django.admin.views.TenantAwareOIDCAuthenticationRequestView"
 LOGIN_REDIRECT_URL = "/admin"
 SESSION_COOKIE_AGE = 60 * 30  # 30 minutes
 SESSION_SAVE_EVERY_REQUEST = True  # Extend session on each request
 ```
+## urls.py file
+The views of the `mozilla-django-oidc` package need to be exposed as well, for the OIDC auth:
+```python3
+urlpatterns.append(path("oidc/", include("mozilla_django_oidc.urls")))
+```
+## admin.py file
+The Django Admin Panel needs to be configured to automatically redirect to the OIDC login page:
+```python3
+from python_utils.django.admin.auth import has_admin_site_permission
+from python_utils.django.admin.views import TenantAwareOIDCAuthenticationRequestView
+admin.site.login = TenantAwareOIDCAuthenticationRequestView.as_view()
+admin.site.has_permission = has_admin_site_permission
+```
 ## With django-ninja
 If using `django-ninja`, apart from the settings configured above, auth utils are provided in the django/api/ninja.py module.
+## Testing
+In order for tests to work, create the following autouse fixtures:
+```python3
+import pytest
+from python_utils.django.tenant_context import TenantContext
+# Add this, if the test utils of the package are needed
+pytest_plugins = ["python_utils.django.tests"]
+@pytest.fixture(scope="session", autouse=True)
+def test_database() -> str:
+    return "default"
+@pytest.fixture(scope="session", autouse=True)
+def set_tenant_context_session(test_database):
+    """Set tenant context for the entire test session."""
+    TenantContext.set(test_database)
+    yield
+    TenantContext.clear()
+@pytest.fixture(autouse=True)
+def set_tenant_context(set_tenant_context_session, test_database):
+    """Ensure tenant context is set for each test (depends on session fixture)."""
+    # Re-set in case it was cleared between tests
+    if not TenantContext.is_set():
+        TenantContext.set(test_database)
+    yield
+```

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36}/python_utils/django/admin/auth.py RENAMED Viewed

@@ -18,23 +18,18 @@ class AdminAuthenticationBackend(OIDCAuthenticationBackend):
     own Keycloak realm.
     """
-    @property
-    def OIDC_OP_TOKEN_ENDPOINT(self):
-        """Dynamically get the token endpoint for the current tenant."""
-        return get_oidc_op_token_endpoint()
-    @property
-    def OIDC_OP_USER_ENDPOINT(self):
-        """Dynamically get the userinfo endpoint for the current tenant."""
-        return get_oidc_op_user_endpoint()
-    @property
-    def OIDC_OP_JWKS_ENDPOINT(self):
-        """Dynamically get the JWKS endpoint for the current tenant."""
-        return get_oidc_op_jwks_endpoint()
+    def get_settings(self, attr, *args):
+        if attr == "OIDC_OP_TOKEN_ENDPOINT":
+            return get_oidc_op_token_endpoint()
+        if attr == "OIDC_OP_USER_ENDPOINT":
+            return get_oidc_op_user_endpoint()
+        if attr == "OIDC_OP_JWKS_ENDPOINT":
+            return get_oidc_op_jwks_endpoint()
+        if attr == "OIDC_RP_CLIENT_SECRET":
+            # The explicit return of None is needed to prevent the parent class from raising an error
+            return None
+        return super().get_settings(attr, *args)
     def get_token(self, payload):
         # Instead of passing client_id and client_secret,

cardo_python_utils-0.5.dev36/python_utils/django/admin/views.py ADDED Viewed

@@ -0,0 +1,24 @@
+"""
+Tenant-aware OIDC views for mozilla-django-oidc.
+These views override the default mozilla-django-oidc views to dynamically
+resolve OIDC endpoints based on the current tenant context.
+"""
+from mozilla_django_oidc.views import OIDCAuthenticationRequestView
+from ..oidc_settings import get_oidc_op_authorization_endpoint
+class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
+    """
+    Tenant-aware OIDC authentication request view.
+    Dynamically resolves the authorization endpoint based on the current tenant.
+    """
+    def get_settings(self, attr, *args):
+        if attr == "OIDC_OP_AUTHORIZATION_ENDPOINT":
+            return get_oidc_op_authorization_endpoint()
+        return super().get_settings(attr, *args)

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36}/python_utils/django/oidc_settings.py RENAMED Viewed

@@ -8,17 +8,30 @@ import json
 import os
 import requests
+from django.conf import settings
 from .tenant_context import TenantContext
 KEYCLOAK_SERVER_URL = os.getenv("KEYCLOAK_SERVER_URL", None)
 KEYCLOAK_CONFIDENTIAL_CLIENT_ID = os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_ID", None)
+OIDC_CLIENT_AUTH_METHOD = getattr(settings, "OIDC_CLIENT_AUTH_METHOD", "client_assertion")
+if OIDC_CLIENT_AUTH_METHOD not in ("client_assertion", "client_secret"):
+    raise ValueError(
+        f"Invalid OIDC_CLIENT_AUTH_METHOD: {OIDC_CLIENT_AUTH_METHOD}. "
+        f"Supported methods are 'client_assertion' and 'client_secret'."
+    )
 KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS: dict[str, str] = json.loads(
     os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SERVICE_ACCOUNT_TOKEN_FILE_PATHS", "{}")
 )
 KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials"
 KEYCLOAK_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
+KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS: dict[str, str] = json.loads(
+    os.getenv("KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS", "{}")
+)
 def get_oidc_op_base_url() -> str:
     """Get the base URL for the OIDC provider (Keycloak realm URL)."""
@@ -65,20 +78,38 @@ def get_confidential_client_service_account_token() -> str:
     return token
+def get_confidential_client_secret() -> str:
+    """
+    Retrieves the Keycloak confidential client secret for the current tenant.
+    """
+    tenant = TenantContext.get()
+    client_secret = KEYCLOAK_CONFIDENTIAL_CLIENT_SECRETS.get(tenant)
+    if not client_secret:
+        raise ValueError(f"Keycloak confidential client secret for tenant {tenant} not found.")
+    return client_secret
 def get_oidc_confidential_client_token(**kwargs) -> dict:
     """
     Obtains token for an OIDC confidential client with the client credentials grant,
     using a service account token for authentication.
     """
+    data = {
+        "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
+        **kwargs,
+    }
+    if OIDC_CLIENT_AUTH_METHOD == "client_secret":
+        data["client_id"] = KEYCLOAK_CONFIDENTIAL_CLIENT_ID
+        data["client_secret"] = get_confidential_client_secret()
+    else:
+        data["client_assertion_type"] = KEYCLOAK_CLIENT_ASSERTION_TYPE
+        data["client_assertion"] = get_confidential_client_service_account_token()
     response = requests.post(
         get_oidc_op_token_endpoint(),
-        data={
-            "grant_type": KEYCLOAK_CLIENT_CREDENTIALS_GRANT_TYPE,
-            "client_assertion_type": KEYCLOAK_CLIENT_ASSERTION_TYPE,
-            "client_assertion": get_confidential_client_service_account_token(),
-            **kwargs,
-        },
+        data=data,
     )
     response.raise_for_status()

{cardo_python_utils-0.5.dev34 → cardo_python_utils-0.5.dev36}/python_utils/django/tenant_context.py RENAMED Viewed

@@ -1,22 +1,27 @@
 import logging
 import sys
 from contextlib import ContextDecorator
-from threading import local
+from contextvars import ContextVar
 from typing import Optional
 from .settings import DATABASES
 logger = logging.getLogger(__name__)
-thread_namespace = local()
+# ContextVar propagates automatically to async threads via sync_to_async
+_tenant_var: ContextVar[Optional[str]] = ContextVar('tenant', default=None)
 class TenantContext(ContextDecorator):
     """
     Context manager that sets the current tenant.
     This class can be used in several ways:
-    1. As a context manager:
+    1. As a context manager (sync and async):
         with TenantContext('tenant'):
             # do something
+        async with TenantContext('tenant'):
+            # do something async
     2. As a decorator:
         @TenantContext('tenant')
@@ -33,23 +38,32 @@ class TenantContext(ContextDecorator):
     def __init__(self, tenant: str):
         self.tenant = tenant
+        self._token = None
     def __enter__(self):
-        TenantContext.set(self.tenant)
+        self._token = TenantContext.set(self.tenant)
+        return self
     def __exit__(self, exc_type, exc_val, exc_tb):
-        TenantContext.clear()
+        TenantContext.clear(self._token)
+    async def __aenter__(self):
+        self._token = TenantContext.set(self.tenant)
+        return self
+    async def __aexit__(self, exc_type, exc_val, exc_tb):
+        TenantContext.clear(self._token)
     @staticmethod
     def is_set() -> bool:
-        return hasattr(thread_namespace, TenantContext.field_name)
+        return _tenant_var.get() is not None
     @staticmethod
     def get() -> Optional[str]:
-        try:
-            return getattr(thread_namespace, TenantContext.field_name)
-        except AttributeError as e:
-            raise RuntimeError("Tenant context is not set.") from e
+        tenant = _tenant_var.get()
+        if tenant is None:
+            raise RuntimeError("Tenant context is not set.")
+        return tenant
     @staticmethod
     def set(tenant):
@@ -66,24 +80,23 @@ class TenantContext(ContextDecorator):
                 logger.error("ERROR: TENANT CONTEXT ALREADY SET")
                 logger.error(f"Current tenant: {TenantContext.get()}, new tenant: {tenant}")
                 return sys.exit(1)
             else:
-                # Normally in a request-response cycle, or a single task, the
-                # tenant context is set only once. But there is an exception
-                # for the migrate command, which sets the tenant context
-                # multiple times to the same value.
-                logger.info("Tenant context already set to %s", tenant)
-                return
+                # If the tenant is already set to the same value, we do nothing and return None.
+                return None
         if tenant not in DATABASES:
             logger.error(f"Tenant '{tenant}' not found in DATABASES settings.")
             return sys.exit(1)
-        setattr(thread_namespace, TenantContext.field_name, tenant)
+        token = _tenant_var.set(tenant)
         logger.info(f"Tenant context set to {tenant}")
+        return token
     @staticmethod
-    def clear():
+    def clear(token=None):
         if TenantContext.is_set():
-            delattr(thread_namespace, TenantContext.field_name)
-            logger.info("Tenant context cleared")
+            if token is not None:
+                _tenant_var.reset(token)
+            else:
+                _tenant_var.set(None)
+            logger.info("Tenant context cleared")

cardo_python_utils-0.5.dev34/python_utils/django/admin/views.py DELETED Viewed

@@ -1,63 +0,0 @@
-"""
-Tenant-aware OIDC views for mozilla-django-oidc.
-These views override the default mozilla-django-oidc views to dynamically
-resolve OIDC endpoints based on the current tenant context.
-"""
-from mozilla_django_oidc.views import (
-    OIDCAuthenticationCallbackView,
-    OIDCAuthenticationRequestView,
-    OIDCLogoutView,
-)
-from ..oidc_settings import (
-    get_oidc_op_authorization_endpoint,
-    get_oidc_op_logout_endpoint,
-)
-class TenantAwareOIDCAuthenticationRequestView(OIDCAuthenticationRequestView):
-    """
-    Tenant-aware OIDC authentication request view.
-    Dynamically resolves the authorization endpoint based on the current tenant.
-    """
-    @property
-    def OIDC_OP_AUTH_ENDPOINT(self):
-        """Dynamically get the authorization endpoint for the current tenant."""
-        return get_oidc_op_authorization_endpoint()
-    def get_settings(self, attr, *args):
-        if attr == "OIDC_OP_AUTHORIZATION_ENDPOINT":
-            return self.OIDC_OP_AUTH_ENDPOINT
-        return super().get_settings(attr, *args)
-class TenantAwareOIDCAuthenticationCallbackView(OIDCAuthenticationCallbackView):
-    """
-    Tenant-aware OIDC authentication callback view.
-    Uses the tenant-aware authentication backend.
-    """
-    pass
-class TenantAwareOIDCLogoutView(OIDCLogoutView):
-    """
-    Tenant-aware OIDC logout view.
-    Dynamically resolves the logout endpoint based on the current tenant.
-    """
-    @property
-    def OIDC_OP_LOGOUT_ENDPOINT(self):
-        """Dynamically get the logout endpoint for the current tenant."""
-        return get_oidc_op_logout_endpoint()
-    def get_settings(self, attr, *args):
-        if attr == "OIDC_OP_LOGOUT_ENDPOINT":
-            return self.OIDC_OP_LOGOUT_ENDPOINT
-        return super().get_settings(attr, *args)