clear-skies 1.22.31__py3-none-any.whl → 2.0.1__py3-none-any.whl

clearskies/schema.py

@@ -0,0 +1,82 @@
+from __future__ import annotations
+
+from collections import OrderedDict
+from typing import TYPE_CHECKING, Self
+
+if TYPE_CHECKING:
+    from clearskies import Column
+
+
+class Schema:
+    """
+    Define a schema by extending and declaring columns.
+
+    ```python
+    from clearskies.schema import Schema
+    from clearskies.validators import Required, Unique
+
+    import clearskies.columns
+
+
+    class Person(Schema):
+        id = clearskies.columns.Uuid()
+        name = clearskies.columns.String(validators=[Required()])
+        date_of_birth = clearskies.columns.Datetime(validators=[Required(), InThePast()])
+        email = clearskies.columns.Email()
+    ```
+    """
+
+    id_column_name: str = ""
+    _columns: dict[str, Column] = {}
+
+    @classmethod
+    def destination_name(cls: type[Self]) -> str:
+        raise NotImplementedError()
+
+    def __init__(self):
+        self._data = {}
+
+    @classmethod
+    def get_columns(cls: type[Self], overrides={}) -> dict[str, Column]:
+        """
+        Return an ordered dictionary with the configuration for the columns.
+
+        Generally, this method is meant for internal use.  It just pulls the column configuration
+        information out of class attributes.  It doesn't return the fully prepared columns,
+        so you probably can't use the return value of this function.  For that, see
+        `model.columns()`.
+        """
+        # no caching if we have overrides
+        if cls._columns and not overrides:
+            return cls._columns
+
+        overrides = {**overrides}
+        columns: dict[str, Column] = OrderedDict()
+        for attribute_name in dir(cls):
+            attribute = getattr(cls, attribute_name)
+            # use duck typing instead of isinstance to decide which attribute is a column.
+            # We have to do this to avoid circular imports.
+            if not hasattr(attribute, "from_backend") and not hasattr(attribute, "to_backend"):
+                continue
+
+            if attribute_name in overrides:
+                columns[attribute_name] = overrides[attribute_name]
+                del overrides[attribute_name]
+            columns[attribute_name] = attribute
+
+        for attribute_name, column in overrides.items():
+            columns[attribute_name] = column  # type: ignore
+
+        if not overrides:
+            cls._columns = columns
+
+        # now go through and finalize everything.  We have to do this after setting cls._columns, because finalization
+        # sometimes depends on fetching the list of columns, so if we do it before caching the answer, we may end up
+        # creating circular loops.  I don't *think* this will cause painful side-effects, but we'll find out!
+        for column_name, column in cls._columns.items():
+            column.finalize_configuration(cls, column_name)
+
+        return columns
+
+    def __bool__(self):
+        return False

clearskies/secrets/__init__.py

@@ -1,34 +1,6 @@
-from .akeyless import AKeyless, AKeylessAdditionalConfig
-from . import additional_configs
-from ..binding_config import BindingConfig
-
-
-def akeyless(*args, **kwargs):
-    return BindingConfig(AKeyless, *args, **kwargs)
-
-
-def akeyless_aws_iam_auth(access_id=None, api_host=None):
-    return AKeylessAdditionalConfig("aws_iam", access_id=access_id, api_host=api_host)
-
-
-def akeyless_saml_auth(access_id=None, api_host=None, profile=None):
-    return AKeylessAdditionalConfig("saml", access_id=access_id, api_host=api_host, profile=profile)
-
-
-def akeyless_jwt_auth(jwt_env_key, access_id=None, api_host=None):
-    return AKeylessAdditionalConfig("jwt", jwt_env_key=jwt_env_key, access_id=access_id, api_host=api_host)
-
-
-def akeyless_access_key_auth(access_id=None, api_host=None):
-    return AKeylessAdditionalConfig("access_key", access_id=access_id, api_host=api_host)
-
+# from .akeyless import AKeyless, AKeylessAdditionalConfig
+from clearskies.secrets.secrets import Secrets
 
 __all__ = [
-    "AKeyless",
-    "additional_configs",
-    "akeyless",
-    "akeyless_aws_iam_auth",
-    "akeyless_saml_auth",
-    "akeyless_jwt_auth",
-    "akeyless_access_key_auth",
+    "Secrets",
 ]

clearskies/secrets/additional_configs/mysql_connection_dynamic_producer.py

@@ -14,7 +14,9 @@ class MySQLConnectionDynamicProducer(clearskies.di.additional_config.AdditionalC
     def provide_connection_details(self, environment, secrets):
         if not secrets:
             raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer but AKeyless itself wasn't configured.  Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
+                "I was asked to connect to a database via an AKeyless dynamic producer, \
+                 but AKeyless itself wasn't configured. \
+                Try setting the AKeyless auth method via clearskies.secrets.akeyless_[jwt|saml|aws_iam]_auth()"
             )
 
         producer_name = (
@@ -24,21 +26,30 @@ class MySQLConnectionDynamicProducer(clearskies.di.additional_config.AdditionalC
         )
         if not producer_name:
             raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, but I wasn't told the path to the dynamic producer.  This can be set in an environment variable named 'akeyless_mysql_dynamic_producer' or it can be set in the configuration via the producer_name kwarg."
+                "I was asked to connect to a database via an AKeyless dynamic producer, \
+                but I wasn't told the path to the dynamic producer. \
+                This can be set in an environment variable named 'akeyless_mysql_dynamic_producer'\
+                or it can be set in the configuration via the producer_name kwarg."
             )
         database_name = (
             self._database_name if self._database_name is not None else environment.get("db_database", silent=True)
         )
         if not database_name:
             raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, but I wasn't told the name of the database.  This can be set in an environment variable named 'db_database' or it can be set in the configuration via the database_name kwarg."
+                "I was asked to connect to a database via an AKeyless dynamic producer, \
+                but I wasn't told the name of the database. \
+                This can be set in an environment variable named 'db_database' \
+                or it can be set in the configuration via the database_name kwarg."
             )
         database_host = (
             self._database_host if self._database_host is not None else environment.get("db_host", silent=True)
         )
         if not database_host:
             raise ValueError(
-                "I was asked to connect to a database via an AKeyless dynamic producer, but I wasn't told the host name of the database.  This can be set in an environment variable named 'db_host' or it can be set in the configuration via the database_host kwarg."
+                "I was asked to connect to a database via an AKeyless dynamic producer, \
+                but I wasn't told the host name of the database. \
+                This can be set in an environment variable named 'db_host' \
+                or it can be set in the configuration via the database_host kwarg."
             )
         credentials = secrets.get_dynamic_secret(producer_name)
 

clearskies/secrets/additional_configs/mysql_connection_dynamic_producer_via_ssh_cert_bastion.py

@@ -1,9 +1,10 @@
-import clearskies.di
-from pathlib import Path
+import os
 import socket
 import subprocess
-import os
 import time
+from pathlib import Path
+
+import clearskies.di
 
 
 class MySQLConnectionDynamicProducerViaSSHCertBastion(clearskies.di.additional_config.AdditionalConfig):
@@ -93,7 +94,11 @@ class MySQLConnectionDynamicProducerViaSSHCertBastion(clearskies.di.additional_c
         if default is not None:
             return default
         raise ValueError(
-            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion with certificate auth, but I wasn't given a required configuration value: '{config_key_name}'.  This can be set in the call to `clearskies.backends.akeyless.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the '{config_key_name}' argument, or by setting an environment variable named '{environment_key_name}'."
+            f"I was asked to connect to a database via an AKeyless dynamic producer through an SSH bastion"
+            "with certificate auth, but I wasn't given a required configuration value: '{config_key_name}'."
+            "This can be set in the call to "
+            "`clearskies.backends.akeyless.mysql_connection_dynamic_producer_via_ssh_cert_bastion()` by providing the "
+            "'{config_key_name}' argument, or by setting an environment variable named '{environment_key_name}'."
         )
 
     def _create_tunnel(
@@ -115,7 +120,8 @@ class MySQLConnectionDynamicProducerViaSSHCertBastion(clearskies.di.additional_c
 
         if not os.path.isfile(public_key_file_path):
             raise ValueError(
-                f"I was asked to connect to AKeyless SSH with the public key file in '{public_key_file_path}', but this file does not exist"
+                f"I was asked to connect to AKeyless SSH with the public key file in '{public_key_file_path}',"
+                "but this file does not exist"
             )
 
         ssh_certificate = secrets.get_ssh_certificate(cert_issuer_name, bastion_username, public_key_file_path)

clearskies/secrets/akeyless.py

@@ -1,170 +1,110 @@
 import datetime
-from clearskies.di import AdditionalConfig
-from .exceptions import NotFound
-
-
-class AKeylessAdditionalConfig(AdditionalConfig):
-    _allowed_auth_methods = ["aws_iam", "saml", "jwt", "access_key"]
-    _auth_method = None
-    _kwargs = None
-
-    _auth_method_allowed_kwargs = {
-        "aws_iam": [],
-        "saml": ["profile"],
-        "access_key": [],
-        "jwt": ["jwt_env_key"],
-    }
-
-    _validate_kwargs = {
-        "aws_iam": lambda kwargs: "",
-        "saml": lambda kwargs: "",
-        "access_key": lambda kwargs: "",
-        "jwt": lambda kwargs: ""
-        if "jwt_env_key" in kwargs
-        else "Must provide 'jwt_env_key' with the name of the environment variable that contains the JWT when using akeyless_jwt_auth()",
-    }
-
-    def __init__(self, auth_method, **kwargs):
-        if auth_method not in self._allowed_auth_methods:
-            raise ValueError(
-                f"Internal clearskies error: attempt to use unsupported akeyless auth method, {auth_method}"
-            )
-        self._auth_method = auth_method
-        allowed_kwargs = set(["access_id", "api_host", *self._auth_method_allowed_kwargs[auth_method]])
-        error = self._validate_kwargs[auth_method](kwargs)
-        if error:
-            raise ValueError(error)
-        extra_keys = set(kwargs.keys()) - allowed_kwargs
-        if len(extra_keys):
-            raise ValueError(
-                f"Unexpected keys were passed into akeyless_{auth_method}: "
-                + ", ".join(extra_keys)
-                + ". The expected keys are: "
-                + ", ".join(allowed_kwargs)
-            )
-        self._kwargs = kwargs
-
-    def provide_secrets(self, requests, environment):
-        secrets = AKeyless(requests, environment)
-        secrets.configure(access_type=self._auth_method, **self._kwargs)
-        return secrets
-
-
-class AKeyless:
-    _akeyless = None
-    _access_id = None
-    _access_type = None
-    _api_host = None
-    _token_refresh = None
-    _token = None
-    _environment = None
-    _jwt_env_key = None
-    _requests = None
-    _api = None
-
-    def __init__(self, requests, environment):
-        self._requests = requests
-        self._environment = environment
-        import akeyless
-
-        self._akeyless = akeyless
-
-    def configure(self, access_id=None, access_type=None, jwt_env_key=None, api_host=None, profile=None):
-        self._access_id = access_id if access_id is not None else self._environment.get("akeyless_access_id")
-        self._access_type = access_type if access_type is not None else self._environment.get("akeyless_access_type")
-        self._jwt_env_key = jwt_env_key
-        self._api_host = api_host if api_host is not None else self._environment.get("akeyless_api_host", silent=True)
-        self._profile = profile if profile is not None else "default"
-
-        if not self._api_host:
-            self._api_host = "https://api.akeyless.io"
-
-        configuration = self._akeyless.Configuration(host=self._api_host)
-        api_client = self._akeyless.ApiClient(configuration)
-        self._api = self._akeyless.V2Api(api_client)
-
-    def create(self, path, value):
-        self._configure_guard()
-        res = self._api.create_secret(self._akeyless.CreateSecret(name=path, value=str(value), token=self._get_token()))
+from typing import Any
+
+import clearskies.configs
+from clearskies.di import InjectableProperties, inject
+
+
+class Akeyless(clearskies.Configurable, clearskies.di.InjectableProperties):
+    requests = clearskies.di.inject.Requests()
+    environment = clearskies.di.inject.Environment()
+    akeyless = clearskies.di.inject.ByName("akeyless")
+
+    access_id = clearskies.configs.String(required=True, regexp=r"^p-[\d\w]+$")
+    access_type = clearskies.configs.Select(["aws_iam", "saml", "jwt"], required=True)
+    api_host = clearskies.configs.String(default="https://api.akeyless.io")
+    profile = clearskies.configs.String(regexp=r"^[\d\w\-]+$")
+
+    _token_refresh: datetime.datetime = None  # type: ignore
+    _token: str = ""
+    _api: Any = None
+
+    def __init__(self, access_id: str, access_type: str, jwt_env_key: str = "", api_host: str = "", profile: str = ""):
+        self.access_id = access_id
+        self.access_type = access_type
+        self.jwt_env_key = jwt_env_key
+        self.api_host = api_host
+        self.profile = profile
+        if self.access_type == "jwt" and not self.jwt_env_key:
+            raise ValueError("When using the JWT access type for Akeyless you must provide jwt_env_key")
+
+        self.finalize_and_validate_configuration()
+
+    @property
+    def api(self) -> Any:
+        if self._api is None:
+            configuration = self.akeyless.Configuration(host=self.api_host)
+            self._api = self.akeyless.V2Api(self.akeyless.ApiClient(configuration))
+        return self._api
+
+    def create(self, path: str, value: Any) -> bool:
+        res = self.api.create_secret(self.akeyless.CreateSecret(name=path, value=str(value), token=self._get_token()))
         return True
 
-    def get(self, path, silent_if_not_found=False):
-        self._configure_guard()
-
+    def get(self, path: str, silent_if_not_found: bool = False) -> str:
         try:
-            res = self._api.get_secret_value(self._akeyless.GetSecretValue(names=[path], token=self._get_token()))
+            res = self._api.get_secret_value(self.akeyless.GetSecretValue(names=[path], token=self._get_token()))
         except Exception as e:
-            if e.status == 404:
+            if e.status == 404:  # type: ignore
                 if silent_if_not_found:
-                    return None
-                raise NotFound(f"Secret '{path}' not found")
+                    return ""
+                raise KeyError(f"Secret '{path}' not found")
             raise e
         return res[path]
 
-    def get_dynamic_secret(self, path, args=None):
-        self._configure_guard()
-
+    def get_dynamic_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
         kwargs = {
             "name": path,
             "token": self._get_token(),
         }
         if args:
-            kwargs["args"] = args
-
-        res = self._api.get_dynamic_secret_value(self._akeyless.GetDynamicSecretValue(**kwargs))
-        return res
+            kwargs["args"] = args  # type: ignore
 
-    def get_rotated_secret(self, path, args=None):
-        self._configure_guard()
+        return self._api.get_dynamic_secret_value(self.akeyless.GetDynamicSecretValue(**kwargs))
 
+    def get_rotated_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
         kwargs = {
             "names": path,
             "token": self._get_token(),
         }
         if args:
-            kwargs["args"] = args
+            kwargs["args"] = args  # type: ignore
 
-        res = self._api.get_rotated_secret_value(self._akeyless.GetRotatedSecretValue(**kwargs))
+        res = self._api.get_rotated_secret_value(self.akeyless.GetRotatedSecretValue(**kwargs))
         return res
 
-    def list_secrets(self, path):
-        self._configure_guard()
-        res = self._api.list_items(self._akeyless.ListItems(path=path, token=self._get_token()))
+    def list_secrets(self, path: str) -> list[Any]:
+        res = self._api.list_items(self.akeyless.ListItems(path=path, token=self._get_token()))
         if not res.items:
             return []
 
         return [item.item_name for item in res.items]
 
-    def update(self, path, value):
-        self._configure_guard()
+    def update(self, path: str, value: Any) -> None:
         res = self._api.update_secret_val(
-            self._akeyless.UpdateSecretVal(name=path, value=str(value), token=self._get_token())
+            self.akeyless.UpdateSecretVal(name=path, value=str(value), token=self._get_token())
         )
-        return True
 
-    def upsert(self, path, value):
+    def upsert(self, path: str, value: Any) -> None:
         try:
-            if self.update(path, value):
-                return True
+            self.update(path, value)
         except Exception as e:
-            return self.create(path, value)
+            self.create(path, value)
 
     def list_sub_folders(self, main_folder: str) -> list[str]:
         """Return the list of secrets/sub folders in the given folder."""
-        items = self._api.list_items(self._akeyless.ListItems(path=main_folder, token=self._get_token()))
+        items = self._api.list_items(self.akeyless.ListItems(path=main_folder, token=self._get_token()))
 
         # akeyless will return the absolute path and end in a slash but we only want the folder name
         main_folder_string_len = len(main_folder)
         return [sub_folder[main_folder_string_len:-1] for sub_folder in items.folders]
 
-    def get_ssh_certificate(self, cert_issuer, cert_username, path_to_public_file):
-        self._configure_guard()
-
+    def get_ssh_certificate(self, cert_issuer: str, cert_username: str, path_to_public_file: str) -> Any:
         with open(path_to_public_file, "r") as fp:
             public_key = fp.read()
 
         res = self._api.get_ssh_certificate(
-            self._akeyless.GetSSHCertificate(
+            self.akeyless.GetSSHCertificate(
                 cert_username=cert_username,
                 cert_issuer_name=cert_issuer,
                 public_key_data=public_key,
@@ -174,28 +114,24 @@ class AKeyless:
 
         return res.data
 
-    def _configure_guard(self):
-        if not self._access_id:
-            raise ValueError("Must call configure method before using secrets.AKeyless")
-
-    def _get_token(self):
+    def _get_token(self) -> str:
         # AKeyless tokens live for an hour
         if self._token is not None and (self._token_refresh - datetime.datetime.now()).total_seconds() > 10:
             return self._token
 
-        auth_method_name = f"auth_{self._access_type}"
+        auth_method_name = f"auth_{self.access_type}"
         if not hasattr(self, auth_method_name):
-            raise ValueError(f"Requested AKeyless authentication with unsupported auth method: '{self._access_type}'")
+            raise ValueError(f"Requested Akeyless authentication with unsupported auth method: '{self.access_type}'")
 
         self._token_refresh = datetime.datetime.now() + datetime.timedelta(hours=0.5)
         self._token = getattr(self, auth_method_name)()
         return self._token
 
     def auth_aws_iam(self):
-        from akeyless_cloud_id import CloudId
+        from akeyless_cloud_id import CloudId  # type: ignore
 
         res = self._api.auth(
-            self._akeyless.Auth(access_id=self._access_id, access_type="aws_iam", cloud_id=CloudId().generate())
+            self.akeyless.Auth(access_id=self.access_id, access_type="aws_iam", cloud_id=CloudId().generate())
         )
         return res.token
 
@@ -203,39 +139,44 @@ class AKeyless:
         import os
         from pathlib import Path
 
-        os.system(f"akeyless list-items --profile {self._profile} --path /not/a/real/path > /dev/null 2>&1")
+        os.system(f"akeyless list-items --profile {self.profile} --path /not/a/real/path > /dev/null 2>&1")
         home = str(Path.home())
-        with open(f"{home}/.akeyless/.tmp_creds/{self._profile}-{self._access_id}", "r") as creds_file:
+        with open(f"{home}/.akeyless/.tmp_creds/{self.profile}-{self.access_id}", "r") as creds_file:
             credentials = creds_file.read()
 
         # and now we can turn that into a token
-        response = self._requests.post(
+        response = self.requests.post(
             "https://rest.akeyless.io/",
             data={
                 "cmd": "static-creds-auth",
-                "access-id": self._access_id,
+                "access-id": self.access_id,
                 "creds": credentials.strip(),
             },
         )
         return response.json()["token"]
 
     def auth_jwt(self):
-        if not self._jwt_env_key:
+        if not self.jwt_env_key:
             raise ValueError(
-                "To use AKeyless JWT Auth, you must specify the name of the ENV key to load the JWT from when configuring AKeyless"
+                "To use AKeyless JWT Auth, "
+                "you must specify the name of the ENV key to load the JWT from when configuring AKeyless"
             )
         res = self._api.auth(
-            self._akeyless.Auth(
-                access_id=self._access_id, access_type="jwt", jwt=self._environment.get(self._jwt_env_key)
-            )
+            self.akeyless.Auth(access_id=self.access_id, access_type="jwt", jwt=self.environment.get(self.jwt_env_key))
         )
         return res.token
 
-    def auth_access_key(self):
-        access_key = self._environment.get("akeyless_access_key", silent=True)
-        if not access_key:
-            print(
-                "To use AKeyless access key auth, you must specify your AKeyless access key in the 'akeyless_access_key' environment variable"
-            )
-        res = self._api.auth(self._akeyless.Auth(access_id=self._access_id, access_key=access_key))
-        return res.token
+
+class AkeylessSaml(Akeyless):
+    def __init__(self, access_id: str, api_host: str = "", profile: str = ""):
+        return super().__init__(access_id, "saml", api_host=api_host, profile=profile)
+
+
+class AkeylessJwt(Akeyless):
+    def __init__(self, access_id: str, jwt_env_key: str = "", api_host: str = "", profile: str = ""):
+        return super().__init__(access_id, "jwt", jwt_env_key=jwt_env_key, api_host=api_host, profile=profile)
+
+
+class AkeylessAwsIam(Akeyless):
+    def __init__(self, access_id: str, api_host: str = ""):
+        return super().__init__(access_id, "aws_iam", api_host=api_host)

clearskies/secrets/secrets.py

@@ -1,38 +1,38 @@
-from abc import ABC
+from typing import Any
 
 
 class Secrets:
-    def create(self, path, value):
+    def create(self, path: str, value: str) -> None:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def get(self, path, silent_if_not_found=False):
+    def get(self, path: str, silent_if_not_found: bool = False) -> str:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def get_dynamic_secret(self, path):
+    def get_dynamic_secret(self, path: str, args: dict[str, Any] | None = None) -> Any:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def list_secrets(self, path):
+    def list_secrets(self, path: str) -> list[Any]:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def update(self, path, value):
+    def update(self, path: str, value: Any) -> None:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def upsert(self, path, value):
+    def upsert(self, path: str, value: Any) -> None:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )
 
-    def list_sub_folders(self, path, value):
+    def list_sub_folders(self, path: str) -> list[Any]:
         raise NotImplementedError(
             "It looks like you tried to use the secret system in clearskies, but didn't specify a secret manager."
         )

clearskies/security_header.py

@@ -0,0 +1,15 @@
+from clearskies.configurable import Configurable
+
+
+class SecurityHeader(Configurable):
+    """
+    Attach all the various security headers to endpoints.
+
+    The security header classes can be attached directly to both endpoints and endpoint groups and
+    are used to set all the various security headers.
+    """
+
+    is_cors = False
+
+    def set_headers_for_input_output(self, input_output):
+        raise NotImplementedError()

clearskies/security_headers/__init__.py

@@ -1,11 +1,11 @@
-from .cache_control import cache_control
-from .cors import cors
-from .csp import csp
-from .hsts import hsts
+from clearskies.security_headers.cache_control import CacheControl
+from clearskies.security_headers.cors import Cors
+from clearskies.security_headers.csp import Csp
+from clearskies.security_headers.hsts import Hsts
 
 __all__ = [
-    "cache_control",
-    "cors",
-    "csp",
-    "hsts",
+    "CacheControl",
+    "Cors",
+    "Csp",
+    "Hsts",
 ]