charmlibs-interfaces-istio-request-auth 0.0.1__tar.gz

charmlibs_interfaces_istio_request_auth-0.0.1/.gitignore

@@ -0,0 +1,184 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+cos-tool*
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.coverage-*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+.report/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+.idea/
+
+# PyPI configuration file
+.pypirc
+
+# packed charms
+.packed
+
+# temporary directory for packing charms
+.tmp
+
+# uv.lock from example libraries as we don't commit these
+.example/**/uv.lock
+.tutorial/**/uv.lock
+interfaces/.example/**/uv.lock

charmlibs_interfaces_istio_request_auth-0.0.1/CHANGELOG.md

@@ -0,0 +1,11 @@
+## 0.0.1 - 22 April 2026
+
+Initial release.
+
+The initial `istio-request-auth` interface library provides the following features:
+
+- Lets charms share their trusted JWT issuers and header-claim mappings as jwt_rules with the `istio-ingress-k8s` charms
+- Lets charms specify multiple trusted issuers and their corresponding header-claim mappings as a list of jwt_rules
+- Provides convienience data models for describing JWTRules
+- Models the top level data bag as datamodel
+

charmlibs_interfaces_istio_request_auth-0.0.1/PKG-INFO

@@ -0,0 +1,30 @@
+Metadata-Version: 2.4
+Name: charmlibs-interfaces-istio-request-auth
+Version: 0.0.1
+Summary: The charmlibs.interfaces.istio_request_auth package.
+Project-URL: Documentation, https://documentation.ubuntu.com/charmlibs/reference/charmlibs/interfaces/istio-request-auth
+Project-URL: Repository, https://github.com/canonical/charmlibs/tree/main/interfaces/istio-request-auth
+Project-URL: Issues, https://github.com/canonical/charmlibs/issues
+Project-URL: Changelog, https://github.com/canonical/charmlibs/blob/main/interfaces/istio-request-auth/CHANGELOG.md
+Author: Service Mesh
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Requires-Dist: ops
+Requires-Dist: pydantic>=2
+Description-Content-Type: text/markdown
+
+# charmlibs.interfaces.istio_request_auth
+
+The `istio-request-auth` interface library.
+
+To install, add `charmlibs-interfaces-istio-request-auth` to your Python dependencies. Then in your Python code, import as:
+
+```py
+from charmlibs.interfaces import istio_request_auth
+```
+
+See the [reference documentation](https://documentation.ubuntu.com/charmlibs/reference/charmlibs/interfaces/istio-request-auth) for more.

charmlibs_interfaces_istio_request_auth-0.0.1/README.md

@@ -0,0 +1,11 @@
+# charmlibs.interfaces.istio_request_auth
+
+The `istio-request-auth` interface library.
+
+To install, add `charmlibs-interfaces-istio-request-auth` to your Python dependencies. Then in your Python code, import as:
+
+```py
+from charmlibs.interfaces import istio_request_auth
+```
+
+See the [reference documentation](https://documentation.ubuntu.com/charmlibs/reference/charmlibs/interfaces/istio-request-auth) for more.

charmlibs_interfaces_istio_request_auth-0.0.1/pyproject.toml

@@ -0,0 +1,74 @@
+[project]
+name = "charmlibs-interfaces-istio-request-auth"
+description = "The charmlibs.interfaces.istio_request_auth package."
+readme = "README.md"
+requires-python = ">=3.10"
+authors = [
+    {name="Service Mesh"},
+]
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: Apache Software License",
+    "Intended Audience :: Developers",
+    "Operating System :: POSIX :: Linux",
+    "Development Status :: 5 - Production/Stable",
+]
+dynamic = ["version"]
+dependencies = [
+    "ops",
+    "pydantic>=2",
+]
+
+[dependency-groups]
+lint = [  # installed for `just lint interfaces/istio-request-auth` (unit, functional, and integration are also installed)
+    # "typing_extensions",
+]
+unit = [  # installed for `just unit interfaces/istio-request-auth`
+    "ops[testing]",
+]
+functional = [  # installed for `just functional interfaces/istio-request-auth`
+]
+integration = [  # installed for `just integration interfaces/istio-request-auth`
+    "jubilant",
+]
+
+[project.urls]
+"Documentation" = "https://documentation.ubuntu.com/charmlibs/reference/charmlibs/interfaces/istio-request-auth"
+"Repository" = "https://github.com/canonical/charmlibs/tree/main/interfaces/istio-request-auth"
+"Issues" = "https://github.com/canonical/charmlibs/issues"
+"Changelog" = "https://github.com/canonical/charmlibs/blob/main/interfaces/istio-request-auth/CHANGELOG.md"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/charmlibs"]
+
+[tool.hatch.version]
+path = "src/charmlibs/interfaces/istio_request_auth/_version.py"
+
+[tool.ruff]
+extend = "../../pyproject.toml"
+src = ["src", "tests/unit", "tests/functional", "tests/integration"]  # correctly sort local imports in tests
+
+[tool.ruff.lint.extend-per-file-ignores]
+# add additional per-file-ignores here to avoid overriding repo-level config
+"tests/**/*" = [
+    # "E501",  # line too long
+]
+
+[tool.pyright]
+extends = "../../pyproject.toml"
+include = ["src", "tests"]
+pythonVersion = "3.10"  # check no python > 3.10 features are used
+
+[tool.charmlibs.functional]
+ubuntu = []  # ubuntu versions to run functional tests with, e.g. "24.04" (defaults to just "latest")
+pebble = []  # pebble versions to run functional tests with, e.g. "v1.0.0", "master" (defaults to no pebble versions)
+sudo = false  # whether to run functional tests with sudo (defaults to false)
+
+[tool.charmlibs.integration]
+# tags to run integration tests with (defaults to running once with no tag, i.e. tags = [''])
+# Available in CI in tests/integration/pack.sh and integration tests as CHARMLIBS_TAG
+tags = []  # Not used by the pack.sh and integration tests generated by the template

charmlibs_interfaces_istio_request_auth-0.0.1/src/charmlibs/interfaces/istio_request_auth/__init__.py

@@ -0,0 +1,105 @@
+# Copyright 2025 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Istio request authentication interface library.
+
+This library provides the provider and requirer sides of the ``istio-request-auth``
+relation interface for configuring Istio
+`RequestAuthentication <https://istio.io/latest/docs/reference/config/security/request_authentication/>`_
+resources via relation data (JWT rules, JWKS endpoints, claim-to-header mapping).
+
+What is this library for?
+=========================
+
+The `istio-ingress-k8s <https://github.com/canonical/istio-ingress-k8s-operator/>`_ charm
+wraps a `Kubernetes Gateway API <https://gateway-api.sigs.k8s.io/>`_ of class ``istio``. It
+can connect to an OAuth 2.0 provider like the ``oauth2-proxy`` charm via the ``forward-auth``
+relation to forward requests via an authentication stack for user authentication.
+
+Istio also natively supports validating a pre-generated JWT against an issuer using a
+``RequestAuthentication`` Kubernetes resource. This means a request containing a JWT in
+the header can be natively authenticated by Istio instead of taking a detour via the
+authentication stack, and the claims from the token are parsed and added as headers to
+the downstream request. The `RequestAuthentication` resource is purely an Istio concept
+offered by the CRDs native to Istio. Hence the interface is named with an `istio-` prefix.
+
+For applications to take advantage of this feature, they need to tell Istio which issuers
+they trust and which headers they want the claims in the token to be mapped to. To enable
+this information exchange and add the appropriate ``RequestAuthentication`` resource, the
+``istio-request-auth`` interface library is introduced.
+
+Security note
+=============
+
+If a requirer is connected but has not provided valid (non-empty) ``jwt_rules``, no
+``RequestAuthentication`` resource is created.  This could allow unauthenticated
+traffic.  The provider exposes :meth:`~IstioRequestAuthProvider.get_connected_apps`
+so the ingress charm can detect such applications and drop their ingress until valid
+rules are provided.
+
+Requirer usage::
+
+    from charmlibs.interfaces.istio_request_auth import (
+        ClaimToHeader,
+        JWTRule,
+        IstioRequestAuthRequirer,
+    )
+
+    class MyAppCharm(CharmBase):
+        def __init__(self, *args):
+            super().__init__(*args)
+            self.request_auth = IstioRequestAuthRequirer(self)
+
+        def _publish_rules(self):
+            self.request_auth.publish_data([
+                JWTRule(
+                    issuer="https://accounts.example.com",
+                    claim_to_headers=[
+                        ClaimToHeader(header="x-user-email", claim="email"),
+                    ],
+                ),
+            ])
+
+Provider usage::
+
+    from charmlibs.interfaces.istio_request_auth import IstioRequestAuthProvider
+
+    class MyIngressCharm(CharmBase):
+        def __init__(self, *args):
+            super().__init__(*args)
+            self.request_auth = IstioRequestAuthProvider(self)
+
+        def _reconcile(self):
+            valid = self.request_auth.get_data()
+            connected = self.request_auth.get_connected_apps()
+            invalid_apps = connected - set(valid.keys())
+            # Drop ingress for invalid_apps, create RequestAuthentication for valid
+"""
+
+from ._istio_request_auth import (
+    ClaimToHeader,
+    FromHeader,
+    IstioRequestAuthProvider,
+    IstioRequestAuthRequirer,
+    JWTRule,
+)
+from ._version import __version__ as __version__
+
+__all__ = [
+    'ClaimToHeader',
+    'FromHeader',
+    'IstioRequestAuthProvider',
+    'IstioRequestAuthRequirer',
+    'JWTRule',
+]

charmlibs_interfaces_istio_request_auth-0.0.1/src/charmlibs/interfaces/istio_request_auth/_istio_request_auth.py

@@ -0,0 +1,221 @@
+# Copyright 2025 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Istio request authentication interface implementation.
+
+Migrated from charmed-service-mesh-helpers interfaces/request_auth.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import TYPE_CHECKING
+
+from ops.framework import Object
+from pydantic import BaseModel, ConfigDict, Field
+
+if TYPE_CHECKING:
+    from ops import CharmBase
+
+logger = logging.getLogger(__name__)
+
+
+class ClaimToHeader(BaseModel):
+    """Maps a JWT claim to a request header."""
+
+    model_config = ConfigDict(frozen=True)
+
+    header: str = Field(description='Target request header name')
+    claim: str = Field(description='JWT claim name to extract')
+
+
+class FromHeader(BaseModel):
+    """Specifies a header location from which to extract a JWT."""
+
+    model_config = ConfigDict(frozen=True)
+
+    name: str = Field(description='Header name')
+    prefix: str | None = None
+
+
+class JWTRule(BaseModel):
+    """A single JWT validation rule provided by the requiring app."""
+
+    model_config = ConfigDict(frozen=True)
+
+    # The following fields mirror the JWTRule entry in the RequestAuthentication CRD.
+    # For details check https://istio.io/latest/docs/reference/config/security/request_authentication/#JWTRule
+    issuer: str = Field(description='Issuer URL for token validation')
+    jwks_uri: str | None = None
+    audiences: list[str] | None = None
+    forward_original_token: bool | None = None
+    # claim_to_headers allows mapping a single claim to multiple headers or
+    # multiple claims to the same header (concatenated with comma; missing
+    # claims are skipped).
+    claim_to_headers: list[ClaimToHeader] | None = None
+    # from_headers allows defining multiple potential header sources.
+    # The first one with a valid token will be used.
+    from_headers: list[FromHeader] | None = None
+
+
+class _RequestAuthData(BaseModel):
+    """Top-level databag model for the istio-request-auth relation.
+
+    Each field maps directly to a top-level key in the Juju application databag.
+    Use ``ops.Relation.load`` / ``ops.Relation.save`` to (de)serialise.
+
+    ``jwt_rules`` defaults to ``None``.  When it is missing, ``None``, or an
+    empty list the provider side treats the relation as not-ready and skips
+    the application.
+    """
+
+    model_config = ConfigDict(frozen=True)
+
+    jwt_rules: list[JWTRule] | None = Field(
+        default=None,
+        description='List of JWT validation rules. Missing or empty means not ready.',
+    )
+
+
+class IstioRequestAuthProvider(Object):
+    """Provider side of the istio-request-auth interface.
+
+    Used by the ingress charm to read JWT authentication rules from all related
+    applications.
+
+    Applications that are connected but have not provided valid (non-empty)
+    ``jwt_rules`` are excluded from :meth:`get_data` but included in
+    :meth:`get_connected_apps`.  Consumers can compare the two sets to
+    identify applications that have not yet provided data::
+
+        valid = provider.get_data()
+        connected = provider.get_connected_apps()
+        apps_without_data = connected - set(valid.keys())
+    """
+
+    def __init__(
+        self,
+        charm: CharmBase,
+        relation_name: str = 'istio-request-auth',
+    ):
+        """Initialize the IstioRequestAuthProvider.
+
+        Args:
+            charm: The charm that owns this provider.
+            relation_name: Name of the relation (default: "istio-request-auth").
+        """
+        super().__init__(charm, relation_name)
+        self._charm = charm
+        self._relation_name = relation_name
+
+    @property
+    def is_ready(self) -> bool:
+        """Check if any related application has provided valid request auth data.
+
+        Returns:
+            True if at least one requirer has published non-empty jwt_rules.
+        """
+        return bool(self.get_data())
+
+    def get_connected_apps(self) -> set[str]:
+        """Return the names of all applications connected over the relation.
+
+        This includes apps that have not yet provided valid data.
+        """
+        apps: set[str] = set()
+        for relation in self._charm.model.relations.get(self._relation_name, []):
+            if relation.app:
+                apps.add(relation.app.name)
+        return apps
+
+    def get_data(self) -> dict[str, list[JWTRule]]:
+        """Retrieve valid JWT rules from all related applications.
+
+        Uses ``ops.Relation.load`` to deserialise each application's databag
+        into :class:`RequestAuthData`.  Only applications whose databag
+        contains a non-empty ``jwt_rules`` list are included.
+
+        Returns:
+            A dict mapping application name to its list of ``JWTRule`` objects.
+        """
+        result: dict[str, list[JWTRule]] = {}
+        relations = self._charm.model.relations.get(self._relation_name, [])
+
+        for relation in relations:
+            if not relation.app:
+                continue
+
+            app_name = relation.app.name
+
+            try:
+                data = relation.load(_RequestAuthData, relation.app)
+            except Exception as e:
+                logger.exception(
+                    'Failed to parse databag from application %s: %s',
+                    app_name,
+                    e,
+                )
+                continue
+
+            if not data.jwt_rules:
+                logger.warning(
+                    'Application %s has not provided jwt_rules',
+                    app_name,
+                )
+                continue
+
+            result[app_name] = data.jwt_rules
+
+        return result
+
+
+class IstioRequestAuthRequirer(Object):
+    """Requirer side of the istio-request-auth interface.
+
+    Used by downstream applications to publish their JWT authentication rules
+    to the ingress charm.
+    """
+
+    def __init__(
+        self,
+        charm: CharmBase,
+        relation_name: str = 'istio-request-auth',
+    ):
+        """Initialize the IstioRequestAuthRequirer.
+
+        Args:
+            charm: The charm that owns this requirer.
+            relation_name: Name of the relation (default: "istio-request-auth").
+        """
+        super().__init__(charm, relation_name)
+        self._charm = charm
+        self._relation_name = relation_name
+
+    def publish_data(self, jwt_rules: list[JWTRule]) -> None:
+        """Publish JWT rules to the provider.
+
+        Uses ``ops.Relation.save`` to write a :class:`RequestAuthData` instance
+        to the application databag so ``jwt_rules`` appears as a top-level key.
+
+        Args:
+            jwt_rules: The JWT validation rules to publish.
+        """
+        if not self._charm.unit.is_leader():
+            logger.debug('Not leader, skipping request auth data publication')
+            return
+
+        data = _RequestAuthData(jwt_rules=jwt_rules)
+
+        for relation in self._charm.model.relations.get(self._relation_name, []):
+            relation.save(data, self._charm.app)

charmlibs_interfaces_istio_request_auth-0.0.1/src/charmlibs/interfaces/istio_request_auth/_version.py

@@ -0,0 +1,15 @@
+# Copyright 2025 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+__version__ = '0.0.1'

charmlibs_interfaces_istio_request_auth-0.0.1/tests/unit/conftest.py

@@ -0,0 +1,15 @@
+# Copyright 2025 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Fixtures for unit tests, typically mocking out parts of the external system."""